diff options
Diffstat (limited to 'src/afl-fuzz-one.c')
| -rw-r--r-- | src/afl-fuzz-one.c | 324 |
1 files changed, 170 insertions, 154 deletions
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 92210c8b..cc150cfe 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -31,7 +31,7 @@ int select_algorithm(afl_state_t *afl) { int i_puppet, j_puppet; - double sele = ((double)(UR(afl, 10000)) * 0.0001); + double sele = ((double)(rand_below(afl, 10000)) * 0.0001); j_puppet = 0; for (i_puppet = 0; i_puppet < operator_num; ++i_puppet) { @@ -67,9 +67,9 @@ static u32 choose_block_len(afl_state_t *afl, u32 limit) { u32 min_value, max_value; u32 rlim = MIN(afl->queue_cycle, 3); - if (!afl->run_over10m) rlim = 1; + if (unlikely(!afl->run_over10m)) rlim = 1; - switch (UR(afl, rlim)) { + switch (rand_below(afl, rlim)) { case 0: min_value = 1; @@ -83,7 +83,7 @@ static u32 choose_block_len(afl_state_t *afl, u32 limit) { default: - if (UR(afl, 10)) { + if (rand_below(afl, 10)) { min_value = HAVOC_BLK_MEDIUM; max_value = HAVOC_BLK_LARGE; @@ -99,7 +99,7 @@ static u32 choose_block_len(afl_state_t *afl, u32 limit) { if (min_value >= limit) min_value = 1; - return min_value + UR(afl, MIN(max_value, limit) - min_value + 1); + return min_value + rand_below(afl, MIN(max_value, limit) - min_value + 1); } @@ -356,7 +356,7 @@ u8 fuzz_one_original(afl_state_t *afl) { #else - if (afl->mutator && afl->mutator->afl_custom_queue_get) { + if (unlikely(afl->mutator) && unlikely(afl->mutator->afl_custom_queue_get)) { /* The custom mutator will decide to skip this test case or not. */ @@ -365,7 +365,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - if (afl->pending_favored) { + if (likely(afl->pending_favored)) { /* If we have any favored, non-fuzzed new arrivals in the queue, possibly skip to them at the expense of already-fuzzed or non-favored @@ -373,7 +373,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (((afl->queue_cur->was_fuzzed > 0 || afl->queue_cur->fuzz_level > 0) || !afl->queue_cur->favored) && - UR(afl, 100) < SKIP_TO_NEW_PROB) + rand_below(afl, 100) < SKIP_TO_NEW_PROB) return 1; } else if (!afl->dumb_mode && !afl->queue_cur->favored && @@ -387,11 +387,11 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->queue_cycle > 1 && (afl->queue_cur->fuzz_level == 0 || afl->queue_cur->was_fuzzed)) { - if (UR(afl, 100) < SKIP_NFAV_NEW_PROB) return 1; + if (rand_below(afl, 100) < SKIP_NFAV_NEW_PROB) return 1; } else { - if (UR(afl, 100) < SKIP_NFAV_OLD_PROB) return 1; + if (rand_below(afl, 100) < SKIP_NFAV_OLD_PROB) return 1; } @@ -399,7 +399,7 @@ u8 fuzz_one_original(afl_state_t *afl) { #endif /* ^IGNORE_FINDS */ - if (afl->not_on_tty) { + if (unlikely(afl->not_on_tty)) { ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); @@ -411,13 +411,13 @@ u8 fuzz_one_original(afl_state_t *afl) { fd = open(afl->queue_cur->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", afl->queue_cur->fname); + if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", afl->queue_cur->fname); len = afl->queue_cur->len; orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - if (orig_in == MAP_FAILED) + if (unlikely(orig_in == MAP_FAILED)) PFATAL("Unable to mmap '%s' with len %d", afl->queue_cur->fname, len); close(fd); @@ -436,7 +436,7 @@ u8 fuzz_one_original(afl_state_t *afl) { * CALIBRATION (only if failed earlier on) * *******************************************/ - if (afl->queue_cur->cal_failed) { + if (unlikely(afl->queue_cur->cal_failed)) { u8 res = FAULT_TMOUT; @@ -445,11 +445,12 @@ u8 fuzz_one_original(afl_state_t *afl) { res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (unlikely(res == FAULT_ERROR)) + FATAL("Unable to execute target application"); } - if (afl->stop_soon || res != afl->crash_mode) { + if (unlikely(afl->stop_soon) || res != afl->crash_mode) { ++afl->cur_skipped_paths; goto abandon_entry; @@ -466,9 +467,10 @@ u8 fuzz_one_original(afl_state_t *afl) { u8 res = trim_case(afl, afl->queue_cur, in_buf); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (unlikely(res == FAULT_ERROR)) + FATAL("Unable to execute target application"); - if (afl->stop_soon) { + if (unlikely(afl->stop_soon)) { ++afl->cur_skipped_paths; goto abandon_entry; @@ -491,9 +493,9 @@ u8 fuzz_one_original(afl_state_t *afl) { orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - if (perf_score == 0) goto abandon_entry; + if (unlikely(perf_score == 0)) goto abandon_entry; - if (afl->use_radamsa > 1) goto radamsa_stage; + if (unlikely(afl->use_radamsa > 1)) goto radamsa_stage; if (afl->shm.cmplog_mode) { @@ -1401,7 +1403,7 @@ skip_interest: map. */ if ((afl->extras_cnt > MAX_DET_EXTRAS && - UR(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || + rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || afl->extras[j].len > len - i || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || !memchr(eff_map + EFF_APOS(i), 1, @@ -1549,8 +1551,8 @@ custom_mutator_stage: * CUSTOM MUTATORS * *******************/ - if (!afl->mutator) goto havoc_stage; - if (!afl->mutator->afl_custom_fuzz) goto havoc_stage; + if (likely(!afl->mutator)) goto havoc_stage; + if (likely(!afl->mutator->afl_custom_fuzz)) goto havoc_stage; afl->stage_name = "custom mutator"; afl->stage_short = "custom"; @@ -1573,7 +1575,7 @@ custom_mutator_stage: /* Pick a random other queue entry for passing to external API */ do { - tid = UR(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_paths); } while (tid == afl->current_entry && afl->queued_paths > 1); @@ -1603,7 +1605,7 @@ custom_mutator_stage: /* Read the additional testcase into a new buffer. */ fd = open(target->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", target->fname); new_buf = ck_alloc_nozero(target->len); ck_read(fd, new_buf, target->len, target->fname); close(fd); @@ -1649,7 +1651,7 @@ custom_mutator_stage: afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max; - if (afl->custom_only) { + if (likely(afl->custom_only)) { /* Skip other stages */ ret_val = 0; @@ -1679,8 +1681,8 @@ havoc_stage: perf_score = orig_perf; - snprintf(afl->stage_name_buf64, 64, "splice %u", splice_cycle); - afl->stage_name = afl->stage_name_buf64; + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle); + afl->stage_name = afl->stage_name_buf; afl->stage_short = "splice"; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; @@ -1713,34 +1715,35 @@ havoc_stage: for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { - u32 use_stacking = 1 << (1 + UR(afl, HAVOC_STACK_POW2)); + u32 use_stacking = 1 << (1 + rand_below(afl, HAVOC_STACK_POW2)); afl->stage_cur_val = use_stacking; for (i = 0; i < use_stacking; ++i) { - if (stacked_custom && UR(afl, 100) < stacked_custom_prob) { + if (stacked_custom && rand_below(afl, 100) < stacked_custom_prob) { temp_len = afl->mutator->afl_custom_havoc_mutation(afl, &out_buf, temp_len, MAX_FILE); } - switch (UR(afl, 15 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0))) { + switch (rand_below( + afl, 15 + ((afl->extras_cnt + afl->a_extras_cnt) ? 2 : 0))) { case 0: /* Flip a single bit somewhere. Spooky! */ - FLIP_BIT(out_buf, UR(afl, temp_len << 3)); + FLIP_BIT(out_buf, rand_below(afl, temp_len << 3)); break; case 1: /* Set byte to interesting value. */ - out_buf[UR(afl, temp_len)] = - interesting_8[UR(afl, sizeof(interesting_8))]; + out_buf[rand_below(afl, temp_len)] = + interesting_8[rand_below(afl, sizeof(interesting_8))]; break; case 2: @@ -1749,15 +1752,15 @@ havoc_stage: if (temp_len < 2) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - *(u16 *)(out_buf + UR(afl, temp_len - 1)) = - interesting_16[UR(afl, sizeof(interesting_16) >> 1)]; + *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = + interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]; } else { - *(u16 *)(out_buf + UR(afl, temp_len - 1)) = - SWAP16(interesting_16[UR(afl, sizeof(interesting_16) >> 1)]); + *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = SWAP16( + interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]); } @@ -1769,15 +1772,15 @@ havoc_stage: if (temp_len < 4) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - *(u32 *)(out_buf + UR(afl, temp_len - 3)) = - interesting_32[UR(afl, sizeof(interesting_32) >> 2)]; + *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = + interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]; } else { - *(u32 *)(out_buf + UR(afl, temp_len - 3)) = - SWAP32(interesting_32[UR(afl, sizeof(interesting_32) >> 2)]); + *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = SWAP32( + interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]); } @@ -1787,14 +1790,14 @@ havoc_stage: /* Randomly subtract from byte. */ - out_buf[UR(afl, temp_len)] -= 1 + UR(afl, ARITH_MAX); + out_buf[rand_below(afl, temp_len)] -= 1 + rand_below(afl, ARITH_MAX); break; case 5: /* Randomly add to byte. */ - out_buf[UR(afl, temp_len)] += 1 + UR(afl, ARITH_MAX); + out_buf[rand_below(afl, temp_len)] += 1 + rand_below(afl, ARITH_MAX); break; case 6: @@ -1803,16 +1806,16 @@ havoc_stage: if (temp_len < 2) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - u32 pos = UR(afl, temp_len - 1); + u32 pos = rand_below(afl, temp_len - 1); - *(u16 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); + *(u16 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX); } else { - u32 pos = UR(afl, temp_len - 1); - u16 num = 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 1); + u16 num = 1 + rand_below(afl, ARITH_MAX); *(u16 *)(out_buf + pos) = SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num); @@ -1827,16 +1830,16 @@ havoc_stage: if (temp_len < 2) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - u32 pos = UR(afl, temp_len - 1); + u32 pos = rand_below(afl, temp_len - 1); - *(u16 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); + *(u16 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX); } else { - u32 pos = UR(afl, temp_len - 1); - u16 num = 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 1); + u16 num = 1 + rand_below(afl, ARITH_MAX); *(u16 *)(out_buf + pos) = SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num); @@ -1851,16 +1854,16 @@ havoc_stage: if (temp_len < 4) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - u32 pos = UR(afl, temp_len - 3); + u32 pos = rand_below(afl, temp_len - 3); - *(u32 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); + *(u32 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX); } else { - u32 pos = UR(afl, temp_len - 3); - u32 num = 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 3); + u32 num = 1 + rand_below(afl, ARITH_MAX); *(u32 *)(out_buf + pos) = SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num); @@ -1875,16 +1878,16 @@ havoc_stage: if (temp_len < 4) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - u32 pos = UR(afl, temp_len - 3); + u32 pos = rand_below(afl, temp_len - 3); - *(u32 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); + *(u32 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX); } else { - u32 pos = UR(afl, temp_len - 3); - u32 num = 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 3); + u32 num = 1 + rand_below(afl, ARITH_MAX); *(u32 *)(out_buf + pos) = SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num); @@ -1899,7 +1902,7 @@ havoc_stage: why not. We use XOR with 1-255 to eliminate the possibility of a no-op. */ - out_buf[UR(afl, temp_len)] ^= 1 + UR(afl, 255); + out_buf[rand_below(afl, temp_len)] ^= 1 + rand_below(afl, 255); break; case 11 ... 12: { @@ -1916,7 +1919,7 @@ havoc_stage: del_len = choose_block_len(afl, temp_len - 1); - del_from = UR(afl, temp_len - del_len + 1); + del_from = rand_below(afl, temp_len - del_len + 1); memmove(out_buf + del_from, out_buf + del_from + del_len, temp_len - del_from - del_len); @@ -1933,14 +1936,14 @@ havoc_stage: /* Clone bytes (75%) or insert a block of constant bytes (25%). */ - u8 actually_clone = UR(afl, 4); + u8 actually_clone = rand_below(afl, 4); u32 clone_from, clone_to, clone_len; u8 *new_buf; if (actually_clone) { clone_len = choose_block_len(afl, temp_len); - clone_from = UR(afl, temp_len - clone_len + 1); + clone_from = rand_below(afl, temp_len - clone_len + 1); } else { @@ -1949,7 +1952,7 @@ havoc_stage: } - clone_to = UR(afl, temp_len); + clone_to = rand_below(afl, temp_len); new_buf = ck_alloc_nozero(temp_len + clone_len); @@ -1963,7 +1966,8 @@ havoc_stage: memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); else memset(new_buf + clone_to, - UR(afl, 2) ? UR(afl, 256) : out_buf[UR(afl, temp_len)], + rand_below(afl, 2) ? rand_below(afl, 256) + : out_buf[rand_below(afl, temp_len)], clone_len); /* Tail */ @@ -1989,10 +1993,10 @@ havoc_stage: copy_len = choose_block_len(afl, temp_len - 1); - copy_from = UR(afl, temp_len - copy_len + 1); - copy_to = UR(afl, temp_len - copy_len + 1); + copy_from = rand_below(afl, temp_len - copy_len + 1); + copy_to = rand_below(afl, temp_len - copy_len + 1); - if (UR(afl, 4)) { + if (rand_below(afl, 4)) { if (copy_from != copy_to) memmove(out_buf + copy_to, out_buf + copy_from, copy_len); @@ -2000,7 +2004,8 @@ havoc_stage: } else memset(out_buf + copy_to, - UR(afl, 2) ? UR(afl, 256) : out_buf[UR(afl, temp_len)], + rand_below(afl, 2) ? rand_below(afl, 256) + : out_buf[rand_below(afl, temp_len)], copy_len); break; @@ -2014,18 +2019,18 @@ havoc_stage: /* Overwrite bytes with an extra. */ - if (!afl->extras_cnt || (afl->a_extras_cnt && UR(afl, 2))) { + if (!afl->extras_cnt || (afl->a_extras_cnt && rand_below(afl, 2))) { /* No user-specified extras or odds in our favor. Let's use an auto-detected one. */ - u32 use_extra = UR(afl, afl->a_extras_cnt); + u32 use_extra = rand_below(afl, afl->a_extras_cnt); u32 extra_len = afl->a_extras[use_extra].len; u32 insert_at; if (extra_len > temp_len) break; - insert_at = UR(afl, temp_len - extra_len + 1); + insert_at = rand_below(afl, temp_len - extra_len + 1); memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, extra_len); @@ -2033,13 +2038,13 @@ havoc_stage: /* No auto extras or odds in our favor. Use the dictionary. */ - u32 use_extra = UR(afl, afl->extras_cnt); + u32 use_extra = rand_below(afl, afl->extras_cnt); u32 extra_len = afl->extras[use_extra].len; u32 insert_at; if (extra_len > temp_len) break; - insert_at = UR(afl, temp_len - extra_len + 1); + insert_at = rand_below(afl, temp_len - extra_len + 1); memcpy(out_buf + insert_at, afl->extras[use_extra].data, extra_len); } @@ -2050,15 +2055,15 @@ havoc_stage: case 16: { - u32 use_extra, extra_len, insert_at = UR(afl, temp_len + 1); + u32 use_extra, extra_len, insert_at = rand_below(afl, temp_len + 1); u8 *new_buf; /* Insert an extra. Do the same dice-rolling stuff as for the previous case. */ - if (!afl->extras_cnt || (afl->a_extras_cnt && UR(afl, 2))) { + if (!afl->extras_cnt || (afl->a_extras_cnt && rand_below(afl, 2))) { - use_extra = UR(afl, afl->a_extras_cnt); + use_extra = rand_below(afl, afl->a_extras_cnt); extra_len = afl->a_extras[use_extra].len; if (temp_len + extra_len >= MAX_FILE) break; @@ -2074,7 +2079,7 @@ havoc_stage: } else { - use_extra = UR(afl, afl->extras_cnt); + use_extra = rand_below(afl, afl->extras_cnt); extra_len = afl->extras[use_extra].len; if (temp_len + extra_len >= MAX_FILE) break; @@ -2182,7 +2187,7 @@ retry_splicing: do { - tid = UR(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_paths); } while (tid == afl->current_entry); @@ -2214,7 +2219,7 @@ retry_splicing: fd = open(target->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + if (unlikely(fd < 0)) PFATAL("Unable to open '%s'", target->fname); new_buf = ck_alloc_nozero(target->len); @@ -2237,7 +2242,7 @@ retry_splicing: /* Split somewhere between the first and last differing byte. */ - split_at = f_diff + UR(afl, l_diff - f_diff); + split_at = f_diff + rand_below(afl, l_diff - f_diff); /* Do the thing. */ @@ -2263,7 +2268,7 @@ retry_splicing: radamsa_stage: - if (!afl->use_radamsa || !afl->radamsa_mutate_ptr) goto abandon_entry; + if (likely(!afl->use_radamsa || !afl->radamsa_mutate_ptr)) goto abandon_entry; afl->stage_name = "radamsa"; afl->stage_short = "radamsa"; @@ -2391,7 +2396,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { cases. */ if ((afl->queue_cur->was_fuzzed || !afl->queue_cur->favored) && - UR(afl, 100) < SKIP_TO_NEW_PROB) + rand_below(afl, 100) < SKIP_TO_NEW_PROB) return 1; } else if (!afl->dumb_mode && !afl->queue_cur->favored && @@ -2404,11 +2409,11 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->queue_cycle > 1 && !afl->queue_cur->was_fuzzed) { - if (UR(afl, 100) < SKIP_NFAV_NEW_PROB) return 1; + if (rand_below(afl, 100) < SKIP_NFAV_NEW_PROB) return 1; } else { - if (UR(afl, 100) < SKIP_NFAV_OLD_PROB) return 1; + if (rand_below(afl, 100) < SKIP_NFAV_OLD_PROB) return 1; } @@ -3407,7 +3412,7 @@ skip_interest: map. */ if ((afl->extras_cnt > MAX_DET_EXTRAS && - UR(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || + rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || afl->extras[j].len > len - i || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || !memchr(eff_map + EFF_APOS(i), 1, @@ -3573,9 +3578,9 @@ pacemaker_fuzzing: perf_score = orig_perf; - snprintf(afl->stage_name_buf64, 64, MOpt_globals.splice_stageformat, - splice_cycle); - afl->stage_name = afl->stage_name_buf64; + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, + MOpt_globals.splice_stageformat, splice_cycle); + afl->stage_name = afl->stage_name_buf; afl->stage_short = MOpt_globals.splice_stagenameshort; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; @@ -3594,7 +3599,8 @@ pacemaker_fuzzing: afl->orig_hit_cnt_puppet = afl->queued_paths + afl->unique_crashes; afl->last_limit_time_start = get_cur_time(); afl->SPLICE_CYCLES_puppet = - (UR(afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + + (rand_below( + afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + SPLICE_CYCLES_puppet_low); } @@ -3623,9 +3629,9 @@ pacemaker_fuzzing: } else { perf_score = orig_perf; - snprintf(afl->stage_name_buf64, 64, MOpt_globals.splice_stageformat, - splice_cycle); - afl->stage_name = afl->stage_name_buf64; + snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, + MOpt_globals.splice_stageformat, splice_cycle); + afl->stage_name = afl->stage_name_buf; afl->stage_short = MOpt_globals.splice_stagenameshort; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; @@ -3642,7 +3648,7 @@ pacemaker_fuzzing: for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { - u32 use_stacking = 1 << (1 + UR(afl, HAVOC_STACK_POW2)); + u32 use_stacking = 1 << (1 + rand_below(afl, HAVOC_STACK_POW2)); afl->stage_cur_val = use_stacking; @@ -3658,13 +3664,13 @@ pacemaker_fuzzing: case 0: /* Flip a single bit somewhere. Spooky! */ - FLIP_BIT(out_buf, UR(afl, temp_len << 3)); + FLIP_BIT(out_buf, rand_below(afl, temp_len << 3)); MOpt_globals.cycles_v2[STAGE_FLIP1] += 1; break; case 1: if (temp_len < 2) break; - temp_len_puppet = UR(afl, (temp_len << 3) - 1); + temp_len_puppet = rand_below(afl, (temp_len << 3) - 1); FLIP_BIT(out_buf, temp_len_puppet); FLIP_BIT(out_buf, temp_len_puppet + 1); MOpt_globals.cycles_v2[STAGE_FLIP2] += 1; @@ -3672,7 +3678,7 @@ pacemaker_fuzzing: case 2: if (temp_len < 2) break; - temp_len_puppet = UR(afl, (temp_len << 3) - 3); + temp_len_puppet = rand_below(afl, (temp_len << 3) - 3); FLIP_BIT(out_buf, temp_len_puppet); FLIP_BIT(out_buf, temp_len_puppet + 1); FLIP_BIT(out_buf, temp_len_puppet + 2); @@ -3682,55 +3688,57 @@ pacemaker_fuzzing: case 3: if (temp_len < 4) break; - out_buf[UR(afl, temp_len)] ^= 0xFF; + out_buf[rand_below(afl, temp_len)] ^= 0xFF; MOpt_globals.cycles_v2[STAGE_FLIP8] += 1; break; case 4: if (temp_len < 8) break; - *(u16 *)(out_buf + UR(afl, temp_len - 1)) ^= 0xFFFF; + *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) ^= 0xFFFF; MOpt_globals.cycles_v2[STAGE_FLIP16] += 1; break; case 5: if (temp_len < 8) break; - *(u32 *)(out_buf + UR(afl, temp_len - 3)) ^= 0xFFFFFFFF; + *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) ^= 0xFFFFFFFF; MOpt_globals.cycles_v2[STAGE_FLIP32] += 1; break; case 6: - out_buf[UR(afl, temp_len)] -= 1 + UR(afl, ARITH_MAX); - out_buf[UR(afl, temp_len)] += 1 + UR(afl, ARITH_MAX); + out_buf[rand_below(afl, temp_len)] -= + 1 + rand_below(afl, ARITH_MAX); + out_buf[rand_below(afl, temp_len)] += + 1 + rand_below(afl, ARITH_MAX); MOpt_globals.cycles_v2[STAGE_ARITH8] += 1; break; case 7: /* Randomly subtract from word, random endian. */ if (temp_len < 8) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - u32 pos = UR(afl, temp_len - 1); - *(u16 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 1); + *(u16 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX); } else { - u32 pos = UR(afl, temp_len - 1); - u16 num = 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 1); + u16 num = 1 + rand_below(afl, ARITH_MAX); *(u16 *)(out_buf + pos) = SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num); } /* Randomly add to word, random endian. */ - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - u32 pos = UR(afl, temp_len - 1); - *(u16 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 1); + *(u16 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX); } else { - u32 pos = UR(afl, temp_len - 1); - u16 num = 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 1); + u16 num = 1 + rand_below(afl, ARITH_MAX); *(u16 *)(out_buf + pos) = SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num); @@ -3742,15 +3750,15 @@ pacemaker_fuzzing: case 8: /* Randomly subtract from dword, random endian. */ if (temp_len < 8) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - u32 pos = UR(afl, temp_len - 3); - *(u32 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 3); + *(u32 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX); } else { - u32 pos = UR(afl, temp_len - 3); - u32 num = 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 3); + u32 num = 1 + rand_below(afl, ARITH_MAX); *(u32 *)(out_buf + pos) = SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num); @@ -3758,15 +3766,15 @@ pacemaker_fuzzing: /* Randomly add to dword, random endian. */ // if (temp_len < 4) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - u32 pos = UR(afl, temp_len - 3); - *(u32 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 3); + *(u32 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX); } else { - u32 pos = UR(afl, temp_len - 3); - u32 num = 1 + UR(afl, ARITH_MAX); + u32 pos = rand_below(afl, temp_len - 3); + u32 num = 1 + rand_below(afl, ARITH_MAX); *(u32 *)(out_buf + pos) = SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num); @@ -3778,23 +3786,25 @@ pacemaker_fuzzing: case 9: /* Set byte to interesting value. */ if (temp_len < 4) break; - out_buf[UR(afl, temp_len)] = - interesting_8[UR(afl, sizeof(interesting_8))]; + out_buf[rand_below(afl, temp_len)] = + interesting_8[rand_below(afl, sizeof(interesting_8))]; MOpt_globals.cycles_v2[STAGE_INTEREST8] += 1; break; case 10: /* Set word to interesting value, randomly choosing endian. */ if (temp_len < 8) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - *(u16 *)(out_buf + UR(afl, temp_len - 1)) = - interesting_16[UR(afl, sizeof(interesting_16) >> 1)]; + *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = + interesting_16[rand_below(afl, + sizeof(interesting_16) >> 1)]; } else { - *(u16 *)(out_buf + UR(afl, temp_len - 1)) = SWAP16( - interesting_16[UR(afl, sizeof(interesting_16) >> 1)]); + *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = + SWAP16(interesting_16[rand_below( + afl, sizeof(interesting_16) >> 1)]); } @@ -3806,15 +3816,17 @@ pacemaker_fuzzing: if (temp_len < 8) break; - if (UR(afl, 2)) { + if (rand_below(afl, 2)) { - *(u32 *)(out_buf + UR(afl, temp_len - 3)) = - interesting_32[UR(afl, sizeof(interesting_32) >> 2)]; + *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = + interesting_32[rand_below(afl, + sizeof(interesting_32) >> 2)]; } else { - *(u32 *)(out_buf + UR(afl, temp_len - 3)) = SWAP32( - interesting_32[UR(afl, sizeof(interesting_32) >> 2)]); + *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = + SWAP32(interesting_32[rand_below( + afl, sizeof(interesting_32) >> 2)]); } @@ -3827,7 +3839,7 @@ pacemaker_fuzzing: why not. We use XOR with 1-255 to eliminate the possibility of a no-op. */ - out_buf[UR(afl, temp_len)] ^= 1 + UR(afl, 255); + out_buf[rand_below(afl, temp_len)] ^= 1 + rand_below(afl, 255); MOpt_globals.cycles_v2[STAGE_RANDOMBYTE] += 1; break; @@ -3845,7 +3857,7 @@ pacemaker_fuzzing: del_len = choose_block_len(afl, temp_len - 1); - del_from = UR(afl, temp_len - del_len + 1); + del_from = rand_below(afl, temp_len - del_len + 1); memmove(out_buf + del_from, out_buf + del_from + del_len, temp_len - del_from - del_len); @@ -3863,14 +3875,14 @@ pacemaker_fuzzing: /* Clone bytes (75%) or insert a block of constant bytes (25%). */ - u8 actually_clone = UR(afl, 4); + u8 actually_clone = rand_below(afl, 4); u32 clone_from, clone_to, clone_len; u8 *new_buf; if (actually_clone) { clone_len = choose_block_len(afl, temp_len); - clone_from = UR(afl, temp_len - clone_len + 1); + clone_from = rand_below(afl, temp_len - clone_len + 1); } else { @@ -3879,7 +3891,7 @@ pacemaker_fuzzing: } - clone_to = UR(afl, temp_len); + clone_to = rand_below(afl, temp_len); new_buf = ck_alloc_nozero(temp_len + clone_len); @@ -3893,7 +3905,9 @@ pacemaker_fuzzing: memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); else memset(new_buf + clone_to, - UR(afl, 2) ? UR(afl, 256) : out_buf[UR(afl, temp_len)], + rand_below(afl, 2) + ? rand_below(afl, 256) + : out_buf[rand_below(afl, temp_len)], clone_len); /* Tail */ @@ -3920,10 +3934,10 @@ pacemaker_fuzzing: copy_len = choose_block_len(afl, temp_len - 1); - copy_from = UR(afl, temp_len - copy_len + 1); - copy_to = UR(afl, temp_len - copy_len + 1); + copy_from = rand_below(afl, temp_len - copy_len + 1); + copy_to = rand_below(afl, temp_len - copy_len + 1); - if (UR(afl, 4)) { + if (rand_below(afl, 4)) { if (copy_from != copy_to) memmove(out_buf + copy_to, out_buf + copy_from, copy_len); @@ -3931,7 +3945,8 @@ pacemaker_fuzzing: } else memset(out_buf + copy_to, - UR(afl, 2) ? UR(afl, 256) : out_buf[UR(afl, temp_len)], + rand_below(afl, 2) ? rand_below(afl, 256) + : out_buf[rand_below(afl, temp_len)], copy_len); MOpt_globals.cycles_v2[STAGE_OverWrite75] += 1; break; @@ -4041,7 +4056,7 @@ pacemaker_fuzzing: do { - tid = UR(afl, afl->queued_paths); + tid = rand_below(afl, afl->queued_paths); } while (tid == afl->current_entry); @@ -4096,7 +4111,7 @@ pacemaker_fuzzing: /* Split somewhere between the first and last differing byte. */ - split_at = f_diff + UR(afl, l_diff - f_diff); + split_at = f_diff + rand_below(afl, l_diff - f_diff); /* Do the thing. */ @@ -4120,7 +4135,8 @@ pacemaker_fuzzing: if (splice_cycle >= afl->SPLICE_CYCLES_puppet) afl->SPLICE_CYCLES_puppet = - (UR(afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + + (rand_below( + afl, SPLICE_CYCLES_puppet_up - SPLICE_CYCLES_puppet_low + 1) + SPLICE_CYCLES_puppet_low); afl->splicing_with = -1; |