diff options
Diffstat (limited to 'src/afl-fuzz-mutators.c')
| -rw-r--r-- | src/afl-fuzz-mutators.c | 184 |
1 files changed, 94 insertions, 90 deletions
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index b31e678b..b41d4d2b 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -25,25 +25,24 @@ #include "afl-fuzz.h" -void load_custom_mutator(const char*); +void load_custom_mutator(afl_state_t*, const char*); #ifdef USE_PYTHON -void load_custom_mutator_py(const char*); +void load_custom_mutator_py(afl_state_t*, const char*); #endif -void setup_custom_mutator(void) { +void setup_custom_mutator(afl_state_t *afl) { /* Try mutator library first */ u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); if (fn) { - - if (limit_time_sig) + if (afl->limit_time_sig) FATAL( "MOpt and custom mutator are mutually exclusive. We accept pull " "requests that integrates MOpt with the optional mutators " "(custom/radamsa/redquenn/...)."); - load_custom_mutator(fn); + load_custom_mutator(afl, fn); return; @@ -55,16 +54,16 @@ void setup_custom_mutator(void) { if (module_name) { - if (limit_time_sig) + if (afl->limit_time_sig) FATAL( "MOpt and Python mutator are mutually exclusive. We accept pull " "requests that integrates MOpt with the optional mutators " "(custom/radamsa/redquenn/...)."); - if (init_py_module(module_name)) + if (init_py_module(afl, module_name)) FATAL("Failed to initialize Python module"); - load_custom_mutator_py(module_name); + load_custom_mutator_py(afl, module_name); } @@ -75,82 +74,81 @@ void setup_custom_mutator(void) { } -void destroy_custom_mutator(void) { +void destroy_custom_mutator(afl_state_t *afl) { - if (mutator) { + if (afl->mutator) { - if (mutator->dh) - dlclose(mutator->dh); + if (afl->mutator->dh) + dlclose(afl->mutator->dh); else { /* Python mutator */ #ifdef USE_PYTHON - finalize_py_module(); + finalize_py_module(afl); #endif } - ck_free(mutator); - + ck_free(afl->mutator); } } -void load_custom_mutator(const char* fn) { +void load_custom_mutator(afl_state_t *afl, const char *fn) { void* dh; - mutator = ck_alloc(sizeof(struct custom_mutator)); + afl->mutator = ck_alloc(sizeof(struct custom_mutator)); - mutator->name = fn; + afl->mutator->name = fn; ACTF("Loading custom mutator library from '%s'...", fn); dh = dlopen(fn, RTLD_NOW); if (!dh) FATAL("%s", dlerror()); - mutator->dh = dh; + afl->mutator->dh = dh; /* Mutator */ /* "afl_custom_init", optional for backward compatibility */ - mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found."); + afl->mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); + if (!afl->mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found."); /* "afl_custom_fuzz" or "afl_custom_mutator", required */ - mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); - if (!mutator->afl_custom_fuzz) { + afl->mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); + if (!afl->mutator->afl_custom_fuzz) { /* Try "afl_custom_mutator" for backward compatibility */ WARNF("Symbol 'afl_custom_fuzz' not found. Try 'afl_custom_mutator'."); - mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator"); - if (!mutator->afl_custom_fuzz) + afl->mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator"); + if (!afl->mutator->afl_custom_fuzz) FATAL("Symbol 'afl_custom_mutator' not found."); } /* "afl_custom_pre_save", optional */ - mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); - if (!mutator->afl_custom_pre_save) + afl->mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); + if (!afl->mutator->afl_custom_pre_save) WARNF("Symbol 'afl_custom_pre_save' not found."); u8 notrim = 0; /* "afl_custom_init_trim", optional */ - mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim"); - if (!mutator->afl_custom_init_trim) + afl->mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim"); + if (!afl->mutator->afl_custom_init_trim) WARNF("Symbol 'afl_custom_init_trim' not found."); /* "afl_custom_trim", optional */ - mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); - if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found."); + afl->mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); + if (!afl->mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found."); /* "afl_custom_post_trim", optional */ - mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); - if (!mutator->afl_custom_post_trim) + afl->mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); + if (!afl->mutator->afl_custom_post_trim) WARNF("Symbol 'afl_custom_post_trim' not found."); if (notrim) { - mutator->afl_custom_init_trim = NULL; - mutator->afl_custom_trim = NULL; - mutator->afl_custom_post_trim = NULL; + afl->mutator->afl_custom_init_trim = NULL; + afl->mutator->afl_custom_trim = NULL; + afl->mutator->afl_custom_post_trim = NULL; WARNF( "Custom mutator does not implement all three trim APIs, standard " "trimming will be used."); @@ -158,34 +156,35 @@ void load_custom_mutator(const char* fn) { } /* "afl_custom_havoc_mutation", optional */ - mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); - if (!mutator->afl_custom_havoc_mutation) + afl->mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); + if (!afl->mutator->afl_custom_havoc_mutation) WARNF("Symbol 'afl_custom_havoc_mutation' not found."); /* "afl_custom_havoc_mutation", optional */ - mutator->afl_custom_havoc_mutation_probability = + afl->mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); - if (!mutator->afl_custom_havoc_mutation_probability) + if (!afl->mutator->afl_custom_havoc_mutation_probability) WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found."); /* "afl_custom_queue_get", optional */ - mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get"); - if (!mutator->afl_custom_queue_get) + afl->mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get"); + if (!afl->mutator->afl_custom_queue_get) WARNF("Symbol 'afl_custom_queue_get' not found."); /* "afl_custom_queue_new_entry", optional */ - mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); - if (!mutator->afl_custom_queue_new_entry) + afl->mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); + if (!afl->mutator->afl_custom_queue_new_entry) WARNF("Symbol 'afl_custom_queue_new_entry' not found"); OKF("Custom mutator '%s' installed successfully.", fn); /* Initialize the custom mutator */ - if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF)); + if (afl->mutator->afl_custom_init) + afl->mutator->afl_custom_init(afl, UR(afl, 0xFFFFFFFF)); } -u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) { +u8 trim_case_custom(afl_state_t *afl, struct queue_entry* q, u8* in_buf) { static u8 tmp[64]; static u8 clean_trace[MAP_SIZE]; @@ -194,18 +193,18 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) { u32 trim_exec = 0; u32 orig_len = q->len; - stage_name = tmp; - bytes_trim_in += q->len; + afl->stage_name = tmp; + afl->bytes_trim_in += q->len; /* Initialize trimming in the custom mutator */ - stage_cur = 0; - stage_max = mutator->afl_custom_init_trim(in_buf, q->len); + afl->stage_cur = 0; + afl->stage_max = afl->mutator->afl_custom_init_trim(afl, in_buf, q->len); - if (not_on_tty && debug) - SAYF("[Custom Trimming] START: Max %d iterations, %u bytes", stage_max, + if (afl->not_on_tty && afl->debug) + SAYF("[Custom Trimming] START: Max %d iterations, %u bytes", afl->stage_max, q->len); - while (stage_cur < stage_max) { + while (afl->stage_cur < afl->stage_max) { sprintf(tmp, "ptrim %s", DI(trim_exec)); @@ -214,26 +213,26 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) { u8* retbuf = NULL; size_t retlen = 0; - mutator->afl_custom_trim(&retbuf, &retlen); + afl->mutator->afl_custom_trim(afl, &retbuf, &retlen); if (retlen > orig_len) FATAL( "Trimmed data returned by custom mutator is larger than original " "data"); - write_to_testcase(retbuf, retlen); + write_to_testcase(afl, retbuf, retlen); - fault = run_target(argv, exec_tmout); - ++trim_execs; + fault = run_target(afl, afl->fsrv.exec_tmout); + ++afl->trim_execs; - if (stop_soon || fault == FAULT_ERROR) { + if (afl->stop_soon || fault == FAULT_ERROR) { free(retbuf); goto abort_trimming; } - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); if (cksum == q->exec_cksum) { @@ -246,24 +245,24 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) { if (!needs_write) { needs_write = 1; - memcpy(clean_trace, trace_bits, MAP_SIZE); + memcpy(clean_trace, afl->fsrv.trace_bits, MAP_SIZE); } /* Tell the custom mutator that the trimming was successful */ - stage_cur = mutator->afl_custom_post_trim(1); + afl->stage_cur = afl->mutator->afl_custom_post_trim(afl, 1); - if (not_on_tty && debug) + if (afl->not_on_tty && afl->debug) SAYF("[Custom Trimming] SUCCESS: %d/%d iterations (now at %u bytes)", - stage_cur, stage_max, q->len); + afl->stage_cur, afl->stage_max, q->len); } else { /* Tell the custom mutator that the trimming was unsuccessful */ - stage_cur = mutator->afl_custom_post_trim(0); - if (not_on_tty && debug) - SAYF("[Custom Trimming] FAILURE: %d/%d iterations", stage_cur, - stage_max); + afl->stage_cur = afl->mutator->afl_custom_post_trim(afl, 0); + if (afl->not_on_tty && afl->debug) + SAYF("[Custom Trimming] FAILURE: %d/%d iterations", afl->stage_cur, + afl->stage_max); } @@ -271,11 +270,11 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) { /* Since this can be slow, update the screen every now and then. */ - if (!(trim_exec++ % stats_update_freq)) show_stats(); + if (!(trim_exec++ % afl->stats_update_freq)) show_stats(afl); } - if (not_on_tty && debug) + if (afl->not_on_tty && afl->debug) SAYF("[Custom Trimming] DONE: %u bytes -> %u bytes", orig_len, q->len); /* If we have made changes to in_buf, we also need to update the on-disk @@ -294,60 +293,65 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf) { ck_write(fd, in_buf, q->len, q->fname); close(fd); - memcpy(trace_bits, clean_trace, MAP_SIZE); - update_bitmap_score(q); + memcpy(afl->fsrv.trace_bits, clean_trace, MAP_SIZE); + update_bitmap_score(afl, q); } abort_trimming: - bytes_trim_out += q->len; + afl->bytes_trim_out += q->len; return fault; } #ifdef USE_PYTHON -void load_custom_mutator_py(const char* module_name) { +void load_custom_mutator_py(afl_state_t *afl, const char* module_name) { + + PyObject **py_functions = afl->py_functions; - mutator = ck_alloc(sizeof(struct custom_mutator)); + afl->mutator = ck_alloc(sizeof(struct custom_mutator)); - mutator->name = module_name; + afl->mutator->name = module_name; ACTF("Loading Python mutator library from '%s'...", module_name); - if (py_functions[PY_FUNC_INIT]) mutator->afl_custom_init = init_py; + if (py_functions[PY_FUNC_INIT]) + afl->mutator->afl_custom_init = init_py; /* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator is quite different from the custom mutator. */ - mutator->afl_custom_fuzz = fuzz_py; + afl->mutator->afl_custom_fuzz = fuzz_py; if (py_functions[PY_FUNC_PRE_SAVE]) - mutator->afl_custom_pre_save = pre_save_py; + afl->mutator->afl_custom_pre_save = pre_save_py; if (py_functions[PY_FUNC_INIT_TRIM]) - mutator->afl_custom_init_trim = init_trim_py; + afl->mutator->afl_custom_init_trim = init_trim_py; if (py_functions[PY_FUNC_POST_TRIM]) - mutator->afl_custom_post_trim = post_trim_py; - - if (py_functions[PY_FUNC_TRIM]) mutator->afl_custom_trim = trim_py; + afl->mutator->afl_custom_post_trim = post_trim_py; + if (py_functions[PY_FUNC_TRIM]) + afl->mutator->afl_custom_trim = trim_py; + if (py_functions[PY_FUNC_HAVOC_MUTATION]) - mutator->afl_custom_havoc_mutation = havoc_mutation_py; - + afl->mutator->afl_custom_havoc_mutation = havoc_mutation_py; + if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY]) - mutator->afl_custom_havoc_mutation_probability = - havoc_mutation_probability_py; + afl->mutator->afl_custom_havoc_mutation_probability = + havoc_mutation_probability_py; if (py_functions[PY_FUNC_QUEUE_GET]) - mutator->afl_custom_queue_get = queue_get_py; + afl->mutator->afl_custom_queue_get = queue_get_py; if (py_functions[PY_FUNC_QUEUE_NEW_ENTRY]) - mutator->afl_custom_queue_new_entry = queue_new_entry_py; + afl->mutator->afl_custom_queue_new_entry = queue_new_entry_py; OKF("Python mutator '%s' installed successfully.", module_name); /* Initialize the custom mutator */ - if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF)); + if (afl->mutator->afl_custom_init) + afl->mutator->afl_custom_init(afl, UR(afl, 0xFFFFFFFF)); } |