1 files changed, 65 insertions, 6 deletions

diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c
index 3a0584e4..b96ca7f4 100644
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@@ -74,10 +74,12 @@ u8 __afl_area_initial[MAP_INITIAL_SIZE];
 #else
 u8                  __afl_area_initial[MAP_SIZE];
 #endif
-u8 *__afl_area_ptr = __afl_area_initial;
-u8 *__afl_dictionary;
-u8 *__afl_fuzz_ptr;
-u32 __afl_fuzz_len;
+u8 * __afl_area_ptr = __afl_area_initial;
+u8 * __afl_dictionary;
+u8 * __afl_fuzz_ptr;
+u32  __afl_fuzz_len;
+u32  __afl_fuzz_len_dummy;
+u32 *__afl_fuzz_len_shmem = &__afl_fuzz_len_dummy;
 
 u32 __afl_final_loc;
 u32 __afl_map_size = MAP_SIZE;
@@ -164,6 +166,9 @@ static void __afl_map_shm_fuzz() {
 
   }
 
+  __afl_fuzz_len_shmem = (u32 *)mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE,
+                                     MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+
 }
 
 /* SHM setup. */
@@ -443,9 +448,35 @@ static void __afl_start_snapshots(void) {
 
     }
 
-    __afl_fuzz_len = (was_killed >> 8);
+    *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8);
     was_killed = (was_killed & 0xff);
 
+  #ifdef _AFL_DOCUMENT_MUTATIONS
+    if (__afl_fuzz_ptr) {
+
+      static uint32_t counter = 0;
+      char            fn[32];
+      sprintf(fn, "%09u:forkserver", counter);
+      s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+      if (fd_doc >= 0) {
+
+        if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) {
+
+          fprintf(stderr, "write of mutation file failed: %s\n", fn);
+          unlink(fn);
+
+        }
+
+        close(fd_doc);
+
+      }
+
+      counter++;
+
+    }
+
+  #endif
+
     /* If we stopped the child in persistent mode, but there was a race
        condition and afl-fuzz already issued SIGKILL, write off the old
        process. */
@@ -620,9 +651,35 @@ static void __afl_start_forkserver(void) {
 
     }
 
-    __afl_fuzz_len = (was_killed >> 8);
+    *__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8);
     was_killed = (was_killed & 0xff);
 
+#ifdef _AFL_DOCUMENT_MUTATIONS
+    if (__afl_fuzz_ptr) {
+
+      static uint32_t counter = 0;
+      char            fn[32];
+      sprintf(fn, "%09u:forkserver", counter);
+      s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+      if (fd_doc >= 0) {
+
+        if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) {
+
+          fprintf(stderr, "write of mutation file failed: %s\n", fn);
+          unlink(fn);
+
+        }
+
+        close(fd_doc);
+
+      }
+
+      counter++;
+
+    }
+
+#endif
+
     /* If we stopped the child in persistent mode, but there was a race
        condition and afl-fuzz already issued SIGKILL, write off the old
        process. */
@@ -719,6 +776,8 @@ int __afl_persistent_loop(unsigned int max_cnt) {
 
       raise(SIGSTOP);
 
+      __afl_fuzz_len = *__afl_fuzz_len_shmem;
+
       __afl_area_ptr[0] = 1;
       memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));