Diffstat (limited to 'include')
-rw-r--r-- | include/afl-fuzz.h | 95 | ||||
-rw-r--r-- | include/alloc-inl.h | 6 | ||||
-rw-r--r-- | include/android-ashmem.h | 4 | ||||
-rw-r--r-- | include/cmplog.h | 5 | ||||
-rw-r--r-- | include/common.h | 16 | ||||
-rw-r--r-- | include/config.h | 15 | ||||
-rw-r--r-- | include/debug.h | 5 | ||||
-rw-r--r-- | include/forkserver.h | 48 | ||||
-rw-r--r-- | include/list.h | 2 | ||||
-rw-r--r-- | include/sharedmem.h | 5 | ||||
-rw-r--r-- | include/types.h | 2 |
11 files changed, 138 insertions, 65 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 56135d0e..87e6dcff 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -195,19 +195,6 @@ enum { }; -/* Execution status fault codes */ - -enum { - - /* 00 */ FAULT_NONE, - /* 01 */ FAULT_TMOUT, - /* 02 */ FAULT_CRASH, - /* 03 */ FAULT_ERROR, - /* 04 */ FAULT_NOINST, - /* 05 */ FAULT_NOBITS - -}; - #define operator_num 16 #define swarm_num 5 #define period_core 500000
@@ -331,7 +318,8 @@ typedef struct afl_env_vars { u8 afl_skip_cpufreq, afl_exit_when_done, afl_no_affinity, afl_skip_bin_check, afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui, afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, - afl_bench_until_crash, afl_debug_child_output, afl_autoresume; + afl_bench_until_crash, afl_debug_child_output, afl_autoresume, + afl_cal_fast; u8 *afl_tmpdir, *afl_post_library, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes,
@@ -339,6 +327,13 @@ typedef struct afl_env_vars { } afl_env_vars_t; +struct afl_pass_stat { + + u8 total; + u8 faileds; + +}; + typedef struct afl_state { /* Position of this state in the global states list */
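Review bot: The new `struct afl_pass_stat` in the third hunk stores `total` and `faileds` as `u8`, so each counter silently wraps after 255 increments and any `faileds`-versus-`total` comparison becomes meaningless once either has wrapped; nothing in the hunk says the counters are saturated where they are bumped. Either saturate on increment in the code that updates them, or widen the fields (the struct is tiny either way), and state the choice next to the fields, e.g. `u8 total; /* per-site tally; saturates at 255 */`. The consumer of `pass_stats` is not in this diff, so I cannot tell which behaviour is intended.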
@@ -353,14 +348,14 @@ typedef struct afl_state { /* MOpt: Lots of globals, but mostly for the status UI and other things where it really makes no sense to haul them around as function parameters. */ - u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start, - tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find, - most_time_key, most_time, most_execs_key, most_execs, old_hit_count, - force_ui_update; + u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time, + total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key, + most_time, most_execs_key, most_execs, old_hit_count, force_ui_update; MOpt_globals_t mopt_globals_core, mopt_globals_pilot; - s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module; + s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, + key_module; double w_init, w_end, w_now;
@@ -425,7 +420,6 @@ typedef struct afl_state { use_splicing, /* Recombine input files? */ dumb_mode, /* Run in non-instrumented mode? */ score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ resuming_fuzz, /* Resuming an older fuzzing job? */ timeout_given, /* Specific timeout given? */ not_on_tty, /* stdout is not a tty */
@@ -439,7 +433,6 @@ typedef struct afl_state { no_arith, /* Skip most arithmetic ops */ shuffle_queue, /* Shuffle input queue? */ bitmap_changed, /* Time to update bitmap? */ - qemu_mode, /* Running in QEMU mode? */ unicorn_mode, /* Running in Unicorn mode? */ use_wine, /* Use WINE with QEMU mode */ skip_requested, /* Skip request, via SIGUSR1 */
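Review bot: `limit_time_puppet` moves from the `u64` group to the `s32` group in the first hunk, which narrows what the `-L` option can hold; if the option parser (outside this diff) still scales the minutes value by `60 * 1000` into this field, anything above 35791 minutes overflows a signed 32-bit int, which is undefined behaviour rather than a detectable wrap. Either keep the scaled millisecond value in a 64-bit field and parse only the raw minutes into the `s32`, or bound-check the minutes before scaling. A short comment on the field naming the unit it holds would prevent the next such mismatch.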
@@ -450,11 +443,11 @@ typedef struct afl_state { fast_cal, /* Try to calibrate faster? */ disable_trim; /* Never trim in fuzz_one */ - u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ + u8 *virgin_bits, /* Regions yet untouched by fuzzing */ + *virgin_tmout, /* Bits we haven't seen in tmouts */ + *virgin_crash; /* Bits we haven't seen in crashes */ - u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ + u8 *var_bytes; /* Bytes that appear to be variable */ volatile u8 stop_soon, /* Ctrl-C pressed? */ clear_screen; /* Window resized? */
@@ -481,7 +474,6 @@ typedef struct afl_state { total_tmouts, /* Total number of timeouts */ unique_tmouts, /* Timeouts with unique signatures */ unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ last_crash_execs, /* Exec counter at last crash */ queue_cycle, /* Queue round counter */ cycles_wo_finds, /* Cycles without any new paths */
@@ -543,7 +535,7 @@ typedef struct afl_state { *queue_top, /* Top of the list */ *q_prev100; /* Previous 100 marker */ - struct queue_entry *top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + struct queue_entry **top_rated; /* Top entries for bitmap bytes */ struct extra_data *extras; /* Extra tokens to fuzz with */ u32 extras_cnt; /* Total number of tokens read */
@@ -559,8 +551,8 @@ typedef struct afl_state { /* CmpLog */ - char *cmplog_binary; - s32 cmplog_child_pid, cmplog_fsrv_pid; + char * cmplog_binary; + afl_forkserver_t cmplog_fsrv; /* cmplog has its own little forkserver */ /* Custom mutators */ struct custom_mutator *mutator;
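Review bot: `virgin_bits`, `virgin_tmout`, `virgin_crash` and `var_bytes` change from `u8[MAP_SIZE]` arrays to bare pointers in the first hunk, so any surviving `sizeof(afl->virgin_bits)` or `MAP_SIZE`-sized `memset`/`memcpy` on them now touches 8 bytes or overruns a smaller allocation, and the declarations say nothing about who allocates them or how long they are. Please state the ownership and length contract on the fields, e.g. `u8 *virgin_bits, /* Regions yet untouched by fuzzing; map_size bytes, allocated in afl_state_init(), freed in afl_state_deinit() */` — I infer the allocator from the new `afl_state_init(afl_state_t *, uint32_t map_size)` prototype, but that is not visible in this hunk. The same note applies to `top_rated` in the third hunk, which needs `map_size` pointer entries rather than bytes.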
@@ -569,6 +561,9 @@ typedef struct afl_state { s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; u32 cmplog_prev_timed_out; + struct afl_pass_stat *pass_stats; + struct cmp_map * orig_cmp_map; + u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */
@@ -577,7 +572,9 @@ typedef struct afl_state { u32 document_counter; #endif - /* statis file */ + void *maybe_add_auto; + + /* statistics file */ double last_bitmap_cvg, last_stability, last_eps; /* plot file saves from last run */
@@ -587,9 +584,9 @@ typedef struct afl_state { u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; double stats_avg_exec; - u8 clean_trace[MAP_SIZE]; - u8 clean_trace_custom[MAP_SIZE]; - u8 first_trace[MAP_SIZE]; + u8 *clean_trace; + u8 *clean_trace_custom; + u8 *first_trace; /*needed for afl_fuzz_one */ // TODO: see which we can reuse
@@ -611,6 +608,9 @@ typedef struct afl_state { u8 * ex_buf; size_t ex_size; + /* this is a fixed buffer of size map_size that can be used by any function if they do not call another function */ + u8 * map_tmp_buf; + } afl_state_t; /* A global pointer to all instances is needed (for now) for signals to arrive
@@ -797,7 +797,7 @@ struct custom_mutator { }; -void afl_state_init(afl_state_t *); +void afl_state_init(afl_state_t *, uint32_t map_size); void afl_state_deinit(afl_state_t *); void read_afl_environment(afl_state_t *, char **);
@@ -811,6 +811,7 @@ u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf); /* Python */ #ifdef USE_PYTHON +void load_custom_mutator_py(afl_state_t *, char *); void finalize_py_module(void *); size_t pre_save_py(void *, u8 *, size_t, u8 **);
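Review bot: The new `void *maybe_add_auto;` member in the `@@ -577` hunk shares its name with the `maybe_add_auto()` function declared later in this header, and a `void *` is not a portable home for a function pointer (ISO C does not define conversion between object and function pointers). If this slot holds the autodictionary callback, declare it with the callback's real type, `void (*maybe_add_auto)(void *, u8 *, u32);`, and comment what it is for; if it holds something else, a comment is still needed because the name currently reads as the function. The code that writes this field is not in the diff, so I cannot confirm which it is.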
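Review bot: The comment on `map_tmp_buf` in the `@@ -611` hunk ("can be used by any function if they do not call another function") describes a shared scratch buffer whose safety rests on a non-reentrancy rule that nothing enforces: a helper that uses the buffer and is later called from another user of it silently clobbers the caller's data. At least make the rule explicit and greppable, e.g. `/* map_size bytes of scratch space. NOT reentrant: a function that writes map_tmp_buf must not call anything that also uses it, and must not rely on its contents across such a call. */`, and consider one field per distinct use if the call graph is not obvious.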
@@ -838,20 +839,19 @@ u32 calculate_score(afl_state_t *, struct queue_entry *); /* Bitmap */ -void read_bitmap(afl_state_t *, u8 *); void write_bitmap(afl_state_t *); -u32 count_bits(u8 *); -u32 count_bytes(u8 *); -u32 count_non_255_bytes(u8 *); +u32 count_bits(afl_state_t *, u8 *); +u32 count_bytes(afl_state_t *, u8 *); +u32 count_non_255_bytes(afl_state_t *, u8 *); #ifdef WORD_SIZE_64 -void simplify_trace(u64 *); -void classify_counts(u64 *); +void simplify_trace(afl_state_t *, u64 *); +void classify_counts(afl_forkserver_t *); #else -void simplify_trace(u32 *); -void classify_counts(u32 *); +void simplify_trace(afl_state_t *, u32 *); +void classify_counts(afl_forkserver_t *); #endif void init_count_class16(void); -void minimize_bits(u8 *, u8 *); +void minimize_bits(afl_state_t *, u8 *, u8 *); #ifndef SIMPLE_FILES u8 *describe_op(afl_state_t *, u8); #endif
@@ -862,7 +862,7 @@ u8 has_new_bits(afl_state_t *, u8 *); void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32); void load_extras(afl_state_t *, u8 *); -void maybe_add_auto(afl_state_t *, u8 *, u32); +void maybe_add_auto(void *, u8 *, u32); void save_auto(afl_state_t *); void load_auto(afl_state_t *); void destroy_extras(afl_state_t *);
@@ -876,8 +876,8 @@ void show_init_stats(afl_state_t *); /* Run */ -u8 run_target(afl_state_t *, u32); -void write_to_testcase(afl_state_t *, void *, u32); +fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); +void write_to_testcase(afl_state_t *, void *, u32); u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); void sync_fuzzers(afl_state_t *); u8 trim_case(afl_state_t *, struct queue_entry *, u8 *);
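Review bot: `maybe_add_auto` changes its first parameter from `afl_state_t *` to `void *` in the second hunk, which drops type checking at every direct call site just so the function fits the forkserver's `function_ptr` callback. Keep the typed prototype, `void maybe_add_auto(afl_state_t *, u8 *, u32);`, and add a one-line adapter for the callback, e.g. `void maybe_add_auto_cb(void *afl, u8 *mem, u32 len) { maybe_add_auto((afl_state_t *)afl, mem, len); }`, so only the place that installs the callback deals with `void *`. In the first hunk `classify_counts(afl_forkserver_t *)` is now declared identically in both arms of `#ifdef WORD_SIZE_64` and can move out of the conditional.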
@@ -920,8 +920,7 @@ void save_cmdline(afl_state_t *, u32, char **); /* CmpLog */ -void init_cmplog_forkserver(afl_state_t *afl); -u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len); +u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len); /* RedQueen */ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index 89889cc5..d16e84bb 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -85,7 +85,7 @@ static inline void *DFL_ck_alloc_nozero(u32 size) { - u8 *ret; + void *ret; if (!size) return NULL;
@@ -127,7 +127,7 @@ static inline void DFL_ck_free(void *mem) { static inline void *DFL_ck_realloc(void *orig, u32 size) { - u8 *ret; + void *ret; if (!size) {
@@ -182,7 +182,7 @@ static inline u8 *DFL_ck_strdup(u8 *str) { static inline void *DFL_ck_memdup(void *mem, u32 size) { - u8 *ret; + void *ret; if (!mem || !size) return NULL;
diff --git a/include/android-ashmem.h b/include/android-ashmem.h
index 3a0b9969..6fdcb1ba 100644
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@@ -26,6 +26,8 @@ #ifndef _ANDROID_ASHMEM_H #define _ANDROID_ASHMEM_H +#ifdef __ANDROID__ + #include <fcntl.h> #include <linux/shm.h> #include <linux/ashmem.h>
@@ -103,5 +105,7 @@ static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) { } +#endif /* __ANDROID__ */ + #endif
diff --git a/include/cmplog.h b/include/cmplog.h
index 36f8f2c5..74e6a3bb 100644
--- a/include/cmplog.h
+++ b/include/cmplog.h
@@ -29,6 +29,7 @@ #define _AFL_CMPLOG_H #include "config.h" +#include "forkserver.h" #define CMP_MAP_W 65536 #define CMP_MAP_H 256
@@ -74,5 +75,9 @@ struct cmp_map { }; +/* Execs the child */ + +void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv); + #endif
diff --git a/include/common.h b/include/common.h
index c9436e81..70ff0744 100644
--- a/include/common.h
+++ b/include/common.h
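Review bot: In the alloc-inl.h `@@ -85` hunk (and the two that follow it) `ret` becomes `void *`; if the bodies of `DFL_ck_alloc_nozero`, `DFL_ck_realloc` and `DFL_ck_memdup` still step the pointer past the allocator header with `ret += ALLOC_OFF_HEAD;`-style arithmetic, that is now arithmetic on `void *`, a GNU extension that fails under `-std=c11 -pedantic` and on non-GNU compilers. Those function bodies continue outside the hunks, so I cannot confirm; if they do, keep `u8 *ret` and convert only at the `return`, which the implicit `void *` conversion already allows.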
@@ -51,6 +51,16 @@ char * get_afl_env(char *env); extern u8 be_quiet; extern u8 *doc_path; /* path to documentation dir */ +/* Find binary, used by analyze, showmap, tmin + @returns the path, allocating the string */ + +u8 *find_binary(u8 *fname); + +/* Read a bitmap from file fname to memory + This is for the -B option again. */ + +void read_bitmap(u8 *fname, u8 *map, size_t len); + /* Get unix time in milliseconds */ u64 get_cur_time(void);
@@ -99,9 +109,13 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); /* Wrapper for select() and read(), reading exactly len bytes. Returns the time passed to read. + stop_soon should point to a variable indicating ctrl+c was pressed. If the wait times out, returns timeout_ms + 1; Returns 0 if an error occurred (fd closed, signal, ...); */ -u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms); +u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, + volatile u8 *stop_soon_p); + +u32 get_map_size(); #endif
diff --git a/include/config.h b/include/config.h
index 6b50be60..1de9973b 100644
--- a/include/config.h
+++ b/include/config.h
@@ -28,7 +28,7 @@ /* Version string: */ // c = release, d = volatile github dev, e = experimental branch -#define VERSION "++2.63c" +#define VERSION "++2.64c" /****************************************************** * *
@@ -201,8 +201,8 @@ (first value), and to keep in memory as candidates. The latter should be much higher than the former. */ -#define USE_AUTO_EXTRAS 50 -#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) +#define USE_AUTO_EXTRAS 128 +#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 64) /* Scaling factor for the effector map used to skip some of the more expensive deterministic steps. The actual divisor is set to
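Review bot: `u32 get_map_size();` in the second common.h hunk is an old-style declaration with no prototype, so a call such as `get_map_size(1)` compiles silently; write it `u32 get_map_size(void);`, as this same commit already does for `afl_fsrv_killall(void)`. The new `read_timed` comment says `stop_soon_p` points at the ctrl-c flag but not what the function returns when that flag is raised mid-wait (0, `timeout_ms + 1`, or the elapsed time?), and callers need that to distinguish an abort from a real error, so add it to the comment. For `find_binary`, "allocating the string" should also say which deallocator the caller must use (`ck_free` versus `free`).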
@@ -400,5 +400,14 @@ #endif #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ +/* Extended forkserver option values */ + +#define FS_OPT_ENABLED 0x8f000001 +#define FS_OPT_MAPSIZE 0x40000000 +#define FS_OPT_SNAPSHOT 0x20000000 +#define FS_OPT_AUTODICT 0x10000000 +#define FS_OPT_GET_MAPSIZE(x) (((x & 0x00fffffe) >> 1) + 1) +#define FS_OPT_SET_MAPSIZE(x) (x <= 1 || x > 0x1000000 ? 0 : ((x - 1) << 1)) + #endif /* ! _HAVE_CONFIG_H */
diff --git a/include/debug.h b/include/debug.h
index ff2845f9..4cce56b5 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -28,6 +28,11 @@ #include "types.h" #include "config.h" +/* __FUNCTION__ is non-iso */ +#ifdef __func__ +#define __FUNCTION__ __func__ +#endif + /******************* * Terminal colors * *******************/
diff --git a/include/forkserver.h b/include/forkserver.h
index 5d1bd2cf..18a287ad 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -29,7 +29,9 @@ #define __AFL_FORKSERVER_H #include <stdio.h> +#include <stdbool.h> +#include "types.h" typedef struct afl_forkserver { /* a program that includes afl-forkserver needs to define these */
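Review bot: `FS_OPT_SET_MAPSIZE` and `FS_OPT_GET_MAPSIZE` do not round-trip at the top of the range: SET accepts `x` up to `0x1000000` and emits `(x - 1) << 1`, which for any `x > 0x800000` sets bit 24, but GET masks with `0x00fffffe` (bits 1..23) and can only yield sizes up to `0x800000` — `FS_OPT_GET_MAPSIZE(FS_OPT_SET_MAPSIZE(0x800001))` is 1, and bit 24 collides with the `FS_OPT_ENABLED` signature `0x8f000001`. Tighten the bound and parenthesise the macro arguments, which are currently unguarded: `#define FS_OPT_GET_MAPSIZE(x) ((((x) & 0x00fffffe) >> 1) + 1)` and `#define FS_OPT_SET_MAPSIZE(x) ((x) <= 1 || (x) > 0x800000 ? 0 : (((x) - 1) << 1))`. Since this word arrives on the status pipe from the target process, the receiver should also treat the decoded size as untrusted and bound it before allocating or copying against it.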
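Review bot: `#ifdef __func__` in the debug.h hunk can never be true: `__func__` is a predefined identifier (C99 6.4.2.2), not a preprocessor macro, so the `#define __FUNCTION__ __func__` is dead and `__FUNCTION__` stays undefined on non-GNU compilers. If the goal is a portable `__FUNCTION__`, test the language level instead: `#if !defined(__GNUC__) && defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L` / `#define __FUNCTION__ __func__` / `#endif`.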
@@ -50,26 +52,60 @@ typedef struct afl_forkserver { fsrv_ctl_fd, /* Fork server control pipe (write) */ fsrv_st_fd; /* Fork server status pipe (read) */ + u8 no_unlink; /* do not unlink cur_input */ + u32 exec_tmout; /* Configurable exec timeout (ms) */ + u32 map_size; /* map size used by the target */ + u32 snapshot; /* is snapshot feature used */ u64 mem_limit; /* Memory cap for child (MB) */ + u64 total_execs; /* How often run_target was called */ + u8 *out_file, /* File to fuzz, if any */ - *target_path; /* Path of the target */ + *target_path; /* Path of the target */ FILE *plot_file; /* Gnuplot output file */ - u8 child_timed_out; /* Traced process timed out? */ + /* Note: lat_run_timed_out is u32 to send it to the child as 4 byte array */ + u32 last_run_timed_out; /* Traced process timed out? */ + + u8 last_kill_signal; /* Signal that killed the child */ u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ - u32 prev_timed_out; /* if prev forkserver run timed out */ + u8 qemu_mode; /* if running in qemu mode or not */ + + char *cmplog_binary; /* the name of the cmplog binary */ + + /* Function to kick off the forkserver child */ + void (*init_child_func)(struct afl_forkserver *fsrv, char **argv); + + u8 *function_opt; /* for autodictionary: afl ptr */ + + void (*function_ptr)(void *afl_tmp, u8 *mem, u32 len); } afl_forkserver_t; +typedef enum fsrv_run_result { + + /* 00 */ FSRV_RUN_OK = 0, + /* 01 */ FSRV_RUN_TMOUT, + /* 02 */ FSRV_RUN_CRASH, + /* 03 */ FSRV_RUN_ERROR, + /* 04 */ FSRV_RUN_NOINST, + /* 05 */ FSRV_RUN_NOBITS, + +} fsrv_run_result_t; + void afl_fsrv_init(afl_forkserver_t *fsrv); -void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv); -void afl_fsrv_deinit(afl_forkserver_t *fsrv); -void afl_fsrv_killall(); +void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); +void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, + volatile u8 *stop_soon_p, u8 debug_child_output); +void afl_fsrv_write_to_testcase(afl_forkserver_t 
*fsrv, u8 *buf, size_t len); +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, + volatile u8 *stop_soon_p); +void afl_fsrv_killall(void); +void afl_fsrv_deinit(afl_forkserver_t *fsrv); #ifdef __APPLE__ #define MSG_FORK_ON_APPLE \
diff --git a/include/list.h b/include/list.h
index e93b4e8f..bb985c4f 100644
--- a/include/list.h
+++ b/include/list.h
@@ -50,7 +50,7 @@ typedef struct list_element { typedef struct list { element_t element_prealloc_buf[LIST_PREALLOC_SIZE]; - u32 element_prealloc_count; + s32 element_prealloc_count; } list_t;
diff --git a/include/sharedmem.h b/include/sharedmem.h
index 57ab6cf0..066a9904 100644
--- a/include/sharedmem.h
+++ b/include/sharedmem.h
@@ -28,6 +28,8 @@ #ifndef __AFL_SHAREDMEM_H #define __AFL_SHAREDMEM_H +#include "types.h" + typedef struct sharedmem { // extern unsigned char *trace_bits;
@@ -44,8 +46,7 @@ typedef struct sharedmem { u8 *map; /* shared memory region */ - size_t size_alloc; /* actual allocated size */ - size_t size_used; /* in use by shmem app */ + size_t map_size; /* actual allocated size */ int cmplog_mode; struct cmp_map *cmp_map;
diff --git a/include/types.h b/include/types.h
index da95cb39..f2a12953 100644
--- a/include/types.h
+++ b/include/types.h
@@ -46,7 +46,7 @@ typedef uint32_t u32; */ -#ifdef __x86_64__ +#if defined(__x86_64__) || defined(__aarch64__) typedef unsigned long long u64; #else typedef uint64_t u64; |
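Review bot: In the forkserver.h struct hunk (which starts on the previous line) `function_opt` is declared `u8 *` while its comment says it carries the afl state pointer and the callback it is handed to, `function_ptr(void *afl_tmp, u8 *mem, u32 len)`, takes `void *`; declare it `void *function_opt; /* opaque context passed as the first argument to function_ptr */` so callers need not cast an `afl_state_t *` to `u8 *` and back. Two smaller points in the same hunk: the comment above `last_run_timed_out` misspells the field as `lat_run_timed_out`, and the new `no_unlink`, `exec_tmout`, `map_size` and `snapshot` fields should say who sets them (`afl_fsrv_init` defaults versus the caller), now that the struct is shared between afl-fuzz and the cmplog forkserver.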
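Review bot: Switching `u64` to `unsigned long long` on `__aarch64__` in the types.h hunk means `u64` is no longer the same type as `uint64_t` on LP64 aarch64, where `uint64_t` is `unsigned long`; a `u64 *` passed to a `uint64_t *` parameter now draws an incompatible-pointer warning and `PRIu64` no longer matches `u64`, while `%llu` becomes correct. If consistent `%llu` formatting across x86_64 and aarch64 is the motivation, say so on the `#if`, e.g. `/* unsigned long long on both LP64 targets so %llu is always the right format */`, and consider using `unsigned long long` unconditionally rather than enumerating architectures.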