Diffstat (limited to 'src')
-rw-r--r--src/afl-analyze.c60
-rw-r--r--src/afl-as.c2
-rw-r--r--src/afl-cc.c81
-rw-r--r--src/afl-common.c391
-rw-r--r--src/afl-forkserver.c104
-rw-r--r--src/afl-fuzz-bitmap.c8
-rw-r--r--src/afl-fuzz-extras.c2
-rw-r--r--src/afl-fuzz-init.c57
-rw-r--r--src/afl-fuzz-mutators.c2
-rw-r--r--src/afl-fuzz-one.c21
-rw-r--r--src/afl-fuzz-queue.c20
-rw-r--r--src/afl-fuzz-run.c18
-rw-r--r--src/afl-fuzz-state.c7
-rw-r--r--src/afl-fuzz-stats.c9
-rw-r--r--src/afl-fuzz.c99
-rw-r--r--src/afl-sharedmem.c12
-rw-r--r--src/afl-showmap.c63
-rw-r--r--src/afl-tmin.c62
18 files changed, 439 insertions, 579 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index d46ecb8d..e106cd31 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -212,7 +212,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
unlink(path); /* Ignore errors */
- ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
+ ret = open(path, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (ret < 0) { PFATAL("Unable to create '%s'", path); }
@@ -822,38 +822,7 @@ static void set_up_environment(void) {
if (qemu_mode) {
- u8 *qemu_preload = getenv("QEMU_SET_ENV");
- u8 *afl_preload = getenv("AFL_PRELOAD");
- u8 *buf;
-
- s32 i, afl_preload_size = strlen(afl_preload);
- for (i = 0; i < afl_preload_size; ++i) {
-
- if (afl_preload[i] == ',') {
-
- PFATAL(
- "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
- "specified!");
-
- }
-
- }
-
- if (qemu_preload) {
-
- buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
- qemu_preload, afl_preload, afl_preload);
-
- } else {
-
- buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
- afl_preload, afl_preload);
-
- }
-
- setenv("QEMU_SET_ENV", buf, 1);
-
- ck_free(buf);
+ /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
} else {
@@ -1079,31 +1048,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (optind == argc || !in_file) { usage(argv[0]); }
- if (qemu_mode && getenv("AFL_USE_QASAN")) {
-
- u8 *preload = getenv("AFL_PRELOAD");
- u8 *libqasan = get_libqasan_path(argv_orig[0]);
-
- if (!preload) {
-
- setenv("AFL_PRELOAD", libqasan, 0);
-
- } else {
-
- u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
- strcpy(result, libqasan);
- strcat(result, " ");
- strcat(result, preload);
-
- setenv("AFL_PRELOAD", result, 1);
- ck_free(result);
-
- }
-
- ck_free(libqasan);
-
- }
-
map_size = get_map_size();
use_hex_offsets = !!get_afl_env("AFL_ANALYZE_HEX");
diff --git a/src/afl-as.c b/src/afl-as.c
index 7de267a3..aebd0ac8 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -280,7 +280,7 @@ static void add_instrumentation(void) {
}
- outfd = open(modified_file, O_WRONLY | O_EXCL | O_CREAT, 0600);
+ outfd = open(modified_file, O_WRONLY | O_EXCL | O_CREAT, DEFAULT_PERMISSION);
if (outfd < 0) { PFATAL("Unable to write to '%s'", modified_file); }
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 44654de0..80fc0742 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -590,6 +590,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
#ifdef __ANDROID__
cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
+ instrument_mode != INSTRUMENT_LLVMNATIVE;
#else
if (have_instr_list) {
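Review bot: `instrument_mode != INSTRUMENT_LLVMNATIVE;` on the `#ifdef __ANDROID__` branch is a comparison whose result is thrown away, so instrument_mode is never updated there, while the two sibling branches this commit touches assign it with `=`. The later `-fsanitize-coverage` stripping added in this same commit tests `instrument_mode != INSTRUMENT_LLVMNATIVE`, so on Android builds the trace-pc-guard flag the wrapper just appended would still be stripped. It should read `instrument_mode = INSTRUMENT_LLVMNATIVE;`; because the line only compiles on Android nobody else will notice it, and `-Wunused-value` would have flagged it. edit_params continues outside this hunk.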
@@ -599,6 +600,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
"-fsanitize-coverage-allow/denylist, you can use "
"AFL_LLVM_ALLOWLIST/AFL_LLMV_DENYLIST instead.\n");
cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
+ instrument_mode = INSTRUMENT_LLVMNATIVE;
} else {
@@ -618,6 +620,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
"Using unoptimized trace-pc-guard, upgrade to llvm 10.0.1+ for "
"enhanced version.\n");
cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
+ instrument_mode = INSTRUMENT_LLVMNATIVE;
#else
FATAL("pcguard instrumentation requires llvm 4.0.1+");
#endif
@@ -682,19 +685,49 @@ static void edit_params(u32 argc, char **argv, char **envp) {
/* Detect stray -v calls from ./configure scripts. */
+ u8 skip_next = 0;
while (--argc) {
u8 *cur = *(++argv);
+ if (skip_next) {
+
+ skip_next = 0;
+ continue;
+
+ }
+
if (!strncmp(cur, "--afl", 5)) continue;
if (lto_mode && !strncmp(cur, "-fuse-ld=", 9)) continue;
if (lto_mode && !strncmp(cur, "--ld-path=", 10)) continue;
if (!strncmp(cur, "-fno-unroll", 11)) continue;
if (strstr(cur, "afl-compiler-rt") || strstr(cur, "afl-llvm-rt")) continue;
- if (!strcmp(cur, "-Wl,-z,defs") || !strcmp(cur, "-Wl,--no-undefined"))
+ if (!strcmp(cur, "-Wl,-z,defs") || !strcmp(cur, "-Wl,--no-undefined") ||
+ !strcmp(cur, "--no-undefined")) {
+
continue;
- if (!strncmp(cur, "-fsanitize=fuzzer-", strlen("-fsanitize=fuzzer-")) ||
- !strncmp(cur, "-fsanitize-coverage", strlen("-fsanitize-coverage"))) {
+
+ }
+
+ if (!strcmp(cur, "-z")) {
+
+ u8 *param = *(argv + 1);
+ if (!strcmp(param, "defs")) {
+
+ skip_next = 1;
+ continue;
+
+ }
+
+ }
+
+ if ((!strncmp(cur, "-fsanitize=fuzzer-", strlen("-fsanitize=fuzzer-")) ||
+ !strncmp(cur, "-fsanitize-coverage", strlen("-fsanitize-coverage"))) &&
+ (strncmp(cur, "sanitize-coverage-allow",
+ strlen("sanitize-coverage-allow")) &&
+ strncmp(cur, "sanitize-coverage-deny",
+ strlen("sanitize-coverage-deny")) &&
+ instrument_mode != INSTRUMENT_LLVMNATIVE)) {
if (!be_quiet) { WARNF("Found '%s' - stripping!", cur); }
continue;
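Review bot: the new `-z` handling dereferences `*(argv + 1)` without checking it, so a command line that ends in a bare `-z` passes NULL (or a pointer past the array) to strcmp and crashes the wrapper; guard it with `if (param && !strcmp(param, "defs"))`. The allow/deny-list exemption in the same condition also cannot fire: `cur` always starts with `-f` at that point, so `strncmp(cur, "sanitize-coverage-allow", …)` and the `deny` variant are never zero, and `-fsanitize-coverage-allowlist=`/`-denylist=` are still stripped unless instrument_mode is LLVMNATIVE. Compare against the real prefixes, e.g. `strncmp(cur, "-fsanitize-coverage-allow", strlen("-fsanitize-coverage-allow"))` and likewise for `-fsanitize-coverage-deny`. The argument loop runs past the end of this hunk.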
@@ -962,18 +995,24 @@ static void edit_params(u32 argc, char **argv, char **envp) {
switch (bit_mode) {
case 0:
- cc_params[cc_par_cnt++] =
- alloc_printf("%s/afl-compiler-rt.o", obj_path);
+ if (!shared_linking)
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/afl-compiler-rt.o", obj_path);
if (lto_mode)
cc_params[cc_par_cnt++] =
alloc_printf("%s/afl-llvm-rt-lto.o", obj_path);
break;
case 32:
- cc_params[cc_par_cnt++] =
- alloc_printf("%s/afl-compiler-rt-32.o", obj_path);
- if (access(cc_params[cc_par_cnt - 1], R_OK))
- FATAL("-m32 is not supported by your compiler");
+ if (!shared_linking) {
+
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/afl-compiler-rt-32.o", obj_path);
+ if (access(cc_params[cc_par_cnt - 1], R_OK))
+ FATAL("-m32 is not supported by your compiler");
+
+ }
+
if (lto_mode) {
cc_params[cc_par_cnt++] =
@@ -986,10 +1025,15 @@ static void edit_params(u32 argc, char **argv, char **envp) {
break;
case 64:
- cc_params[cc_par_cnt++] =
- alloc_printf("%s/afl-compiler-rt-64.o", obj_path);
- if (access(cc_params[cc_par_cnt - 1], R_OK))
- FATAL("-m64 is not supported by your compiler");
+ if (!shared_linking) {
+
+ cc_params[cc_par_cnt++] =
+ alloc_printf("%s/afl-compiler-rt-64.o", obj_path);
+ if (access(cc_params[cc_par_cnt - 1], R_OK))
+ FATAL("-m64 is not supported by your compiler");
+
+ }
+
if (lto_mode) {
cc_params[cc_par_cnt++] =
@@ -1009,12 +1053,12 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
#endif
+ }
+
#if defined(USEMMAP) && !defined(__HAIKU__)
- cc_params[cc_par_cnt++] = "-lrt";
+ cc_params[cc_par_cnt++] = "-lrt";
#endif
- }
-
#endif
cc_params[cc_par_cnt] = NULL;
@@ -1220,6 +1264,7 @@ int main(int argc, char **argv, char **envp) {
} else if (strcasecmp(ptr, "LLVMNATIVE") == 0 ||
+ strcasecmp(ptr, "NATIVE") == 0 ||
strcasecmp(ptr, "LLVM-NATIVE") == 0) {
compiler_mode = LLVM;
@@ -1632,8 +1677,8 @@ int main(int argc, char **argv, char **envp) {
"of afl-cc.\n\n");
#if LLVM_MAJOR > 10 || (LLVM_MAJOR == 10 && LLVM_MINOR > 0)
- #define NATIVE_MSG \
- " NATIVE: use llvm's native PCGUARD instrumentation (less " \
+ #define NATIVE_MSG \
+ " LLVM-NATIVE: use llvm's native PCGUARD instrumentation (less " \
"performant)\n"
#else
#define NATIVE_MSG ""
diff --git a/src/afl-common.c b/src/afl-common.c
index 9f6eb564..37b4788c 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -149,9 +149,14 @@ void argv_cpy_free(char **argv) {
char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
- if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
+ if (unlikely(getenv("AFL_QEMU_CUSTOM_BIN"))) {
- u8 *tmp, *cp = NULL, *rsl, *own_copy;
+ WARNF(
+ "AFL_QEMU_CUSTOM_BIN is enabled. "
+ "You must run your target under afl-qemu-trace on your own!");
+ return argv;
+
+ }
char **new_argv = ck_alloc(sizeof(char *) * (argc + 4));
if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
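Review bot: the AFL_QEMU_CUSTOM_BIN early return hands back the caller's own `argv` and leaves `*target_path_p` untouched, whereas the normal path returns a freshly ck_alloc'd vector with argv[0] pointing at the located binary; a caller that frees the result as its own allocation would now free memory it does not own. The callers are not in this hunk, so I cannot confirm whether any does, but the asymmetry deserves either a ck_alloc'd copy of argv on this path or a comment at the top of the function, e.g. `/* With AFL_QEMU_CUSTOM_BIN the caller's argv is returned unchanged and must not be freed; *target_path_p is left as is. */`. get_qemu_argv continues past this hunk.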
@@ -164,70 +169,8 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
/* Now we need to actually find the QEMU binary to put in argv[0]. */
- tmp = getenv("AFL_PATH");
-
- if (tmp) {
-
- cp = alloc_printf("%s/afl-qemu-trace", tmp);
-
- if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
-
- *target_path_p = new_argv[0] = cp;
- return new_argv;
-
- }
-
- own_copy = ck_strdup(own_loc);
- rsl = strrchr(own_copy, '/');
-
- if (rsl) {
-
- *rsl = 0;
-
- cp = alloc_printf("%s/afl-qemu-trace", own_copy);
- ck_free(own_copy);
-
- if (!access(cp, X_OK)) {
-
- *target_path_p = new_argv[0] = cp;
- return new_argv;
-
- }
-
- } else {
-
- ck_free(own_copy);
-
- }
-
- if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
-
- if (cp) { ck_free(cp); }
- *target_path_p = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace");
-
- return new_argv;
-
- }
-
- SAYF("\n" cLRD "[-] " cRST
- "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be "
- "built\n"
- " separately by following the instructions in "
- "qemu_mode/README.md. "
- "If you\n"
- " already have the binary installed, you may need to specify "
- "AFL_PATH in the\n"
- " environment.\n\n"
-
- " Of course, even without QEMU, afl-fuzz can still work with "
- "binaries that are\n"
- " instrumented at compile time with afl-gcc. It is also possible to "
- "use it as a\n"
- " traditional non-instrumented fuzzer by specifying '-n' in the "
- "command "
- "line.\n");
-
- FATAL("Failed to locate 'afl-qemu-trace'.");
+ *target_path_p = new_argv[0] = find_afl_binary(own_loc, "afl-qemu-trace");
+ return new_argv;
}
@@ -235,10 +178,6 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
- if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
-
- u8 *tmp, *cp = NULL, *rsl, *own_copy;
-
char **new_argv = ck_alloc(sizeof(char *) * (argc + 3));
if (unlikely(!new_argv)) { FATAL("Illegal amount of arguments specified"); }
@@ -249,152 +188,10 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
/* Now we need to actually find the QEMU binary to put in argv[0]. */
- tmp = getenv("AFL_PATH");
-
- if (tmp) {
-
- cp = alloc_printf("%s/afl-qemu-trace", tmp);
-
- if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
-
- ck_free(cp);
-
- cp = alloc_printf("%s/afl-wine-trace", tmp);
-
- if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
-
- *target_path_p = new_argv[0] = cp;
- return new_argv;
-
- }
-
- own_copy = ck_strdup(own_loc);
- rsl = strrchr(own_copy, '/');
-
- if (rsl) {
-
- *rsl = 0;
-
- cp = alloc_printf("%s/afl-qemu-trace", own_copy);
-
- if (cp && !access(cp, X_OK)) {
-
- ck_free(cp);
-
- cp = alloc_printf("%s/afl-wine-trace", own_copy);
-
- if (!access(cp, X_OK)) {
-
- *target_path_p = new_argv[0] = cp;
- return new_argv;
-
- }
-
- }
-
- ck_free(own_copy);
-
- } else {
-
- ck_free(own_copy);
-
- }
-
- u8 *ncp = BIN_PATH "/afl-qemu-trace";
-
- if (!access(ncp, X_OK)) {
-
- ncp = BIN_PATH "/afl-wine-trace";
-
- if (!access(ncp, X_OK)) {
-
- *target_path_p = new_argv[0] = ck_strdup(ncp);
- return new_argv;
-
- }
-
- }
-
- SAYF("\n" cLRD "[-] " cRST
- "Oops, unable to find the '%s' binary. The binary must be "
- "built\n"
- " separately by following the instructions in "
- "qemu_mode/README.md. "
- "If you\n"
- " already have the binary installed, you may need to specify "
- "AFL_PATH in the\n"
- " environment.\n\n"
-
- " Of course, even without QEMU, afl-fuzz can still work with "
- "binaries that are\n"
- " instrumented at compile time with afl-gcc. It is also possible to "
- "use it as a\n"
- " traditional non-instrumented fuzzer by specifying '-n' in the "
- "command "
- "line.\n",
- ncp);
-
- FATAL("Failed to locate '%s'.", ncp);
-
-}
-
-/* Get libqasan path. */
-
-u8 *get_libqasan_path(u8 *own_loc) {
-
- if (!unlikely(own_loc)) { FATAL("BUG: param own_loc is NULL"); }
-
- u8 *tmp, *cp = NULL, *rsl, *own_copy;
-
- tmp = getenv("AFL_PATH");
-
- if (tmp) {
-
- cp = alloc_printf("%s/libqasan.so", tmp);
-
- if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
-
- return cp;
-
- }
-
- own_copy = ck_strdup(own_loc);
- rsl = strrchr(own_copy, '/');
-
- if (rsl) {
-
- *rsl = 0;
-
- cp = alloc_printf("%s/libqasan.so", own_copy);
- ck_free(own_copy);
-
- if (!access(cp, X_OK)) { return cp; }
-
- } else {
-
- ck_free(own_copy);
-
- }
-
- if (!access(AFL_PATH "/libqasan.so", X_OK)) {
-
- if (cp) { ck_free(cp); }
-
- return ck_strdup(AFL_PATH "/libqasan.so");
-
- }
-
- SAYF("\n" cLRD "[-] " cRST
- "Oops, unable to find the 'libqasan.so' binary. The binary must be "
- "built\n"
- " separately by following the instructions in "
- "qemu_mode/libqasan/README.md. "
- "If you\n"
- " already have the binary installed, you may need to specify "
- "AFL_PATH in the\n"
- " environment.\n");
-
- FATAL("Failed to locate 'libqasan.so'.");
+ u8 *tmp = find_afl_binary(own_loc, "afl-qemu-trace");
+ ck_free(tmp);
+ *target_path_p = new_argv[0] = find_afl_binary(own_loc, "afl-wine-trace");
+ return new_argv;
}
@@ -488,6 +285,70 @@ u8 *find_binary(u8 *fname) {
}
+u8 *find_afl_binary(u8 *own_loc, u8 *fname) {
+
+ u8 *afl_path = NULL, *target_path, *own_copy;
+
+ if ((afl_path = getenv("AFL_PATH"))) {
+
+ target_path = alloc_printf("%s/%s", afl_path, fname);
+ if (!access(target_path, X_OK)) {
+
+ return target_path;
+
+ } else {
+
+ ck_free(target_path);
+
+ }
+
+ }
+
+ if (own_loc) {
+
+ own_copy = ck_strdup(own_loc);
+ u8 *rsl = strrchr(own_copy, '/');
+
+ if (rsl) {
+
+ *rsl = 0;
+
+ target_path = alloc_printf("%s/%s", own_copy, fname);
+ ck_free(own_copy);
+
+ if (!access(target_path, X_OK)) {
+
+ return target_path;
+
+ } else {
+
+ ck_free(target_path);
+
+ }
+
+ } else {
+
+ ck_free(own_copy);
+
+ }
+
+ }
+
+ target_path = alloc_printf("%s/%s", BIN_PATH, fname);
+ if (!access(target_path, X_OK)) {
+
+ return target_path;
+
+ } else {
+
+ ck_free(target_path);
+
+ }
+
+ return find_binary(fname);
+
+}
+
/* Parses the kill signal environment variable, FATALs on error.
If the env is not set, sets the env to default_signal for the signal handlers
and returns the default_signal. */
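Review bot: find_afl_binary silently widens the search compared with the code it replaces: when AFL_PATH is set but does not contain `fname`, it no longer fails but falls through to the directory of own_loc, then BIN_PATH, then find_binary(), which presumably consults PATH (its body is not in this diff). A user who pins AFL_PATH to a specific build can therefore end up executing a different afl-qemu-trace or afl-wine-trace without any indication; a WARNF on that fallback would preserve the old guarantee cheaply. The function is new and has no header comment; I would add: `/* Locate an AFL helper binary. Search order: $AFL_PATH, the directory of own_loc, BIN_PATH, then find_binary(). The first three branches return alloc_printf() memory the caller frees; confirm find_binary()'s ownership and not-found behaviour match. */`.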
@@ -757,6 +618,98 @@ char *get_afl_env(char *env) {
}
+bool extract_and_set_env(u8 *env_str) {
+
+ if (!env_str) { return false; }
+
+ bool ret = false; // return false by default
+
+ u8 *p = ck_strdup(env_str);
+ u8 *end = p + strlen((char *)p);
+ u8 *rest = p;
+
+ u8 closing_sym = ' ';
+ u8 c;
+
+ size_t num_pairs = 0;
+
+ while (rest < end) {
+
+ while (*rest == ' ') {
+
+ rest++;
+
+ }
+
+ if (rest + 1 >= end) break;
+
+ u8 *key = rest;
+ // env variable names may not start with numbers or '='
+ if (*key == '=' || (*key >= '0' && *key <= '9')) { goto free_and_return; }
+
+ while (rest < end && *rest != '=' && *rest != ' ') {
+
+ c = *rest;
+ // lowercase is bad but we may still allow it
+ if ((c < 'A' || c > 'Z') && (c < 'a' || c > 'z') &&
+ (c < '0' || c > '9') && c != '_') {
+
+ goto free_and_return;
+
+ }
+
+ rest++;
+
+ }
+
+ if (*rest != '=') { goto free_and_return; }
+
+ *rest = '\0'; // done with variable name
+
+ rest += 1;
+ if (rest >= end || *rest == ' ') { goto free_and_return; }
+
+ u8 *val = rest;
+ if (*val == '\'' || *val == '"') {
+
+ closing_sym = *val;
+ val += 1;
+ rest += 1;
+ if (rest >= end) { goto free_and_return; }
+
+ } else {
+
+ closing_sym = ' ';
+
+ }
+
+ while (rest < end && *rest != closing_sym) {
+
+ rest++;
+
+ }
+
+ if (closing_sym != ' ' && *rest != closing_sym) { goto free_and_return; }
+
+ *rest = '\0'; // done with variable value
+
+ rest += 1;
+ if (rest < end && *rest != ' ') { goto free_and_return; }
+
+ num_pairs++;
+
+ setenv(key, val, 1);
+
+ }
+
+ if (num_pairs) { ret = true; }
+
+free_and_return:
+ ck_free(p);
+ return ret;
+
+}
+
/* Read mask bitmap from file. This is for the -B option. */
void read_bitmap(u8 *fname, u8 *map, size_t len) {
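Review bot: extract_and_set_env calls setenv() for each pair as soon as it is parsed, so an input such as `A=1 B` exports A and then takes the `goto free_and_return` path with ret still false; the caller is told the string was rejected, but the process environment has already changed, and those variables are inherited by every target the forkserver spawns. Parse the whole string first and only export once it is known to be well-formed, as sketched below. The `if (rest + 1 >= end) break;` after the space skip also silently accepts a single trailing character (`A=1 x` returns true), which looks unintended. The sketch uses the project's ck_realloc()/ck_free() wrappers on the assumption that they accept a NULL first argument as the rest of the tree relies on; confirm before applying.
```c
  u8 **keys = NULL, **vals = NULL;
  size_t num_pairs = 0;

  while (rest < end) {

    // … unchanged: whitespace skip, key/value parsing; every malformed case still does goto free_and_return …

    keys = ck_realloc(keys, (num_pairs + 1) * sizeof(u8 *));
    vals = ck_realloc(vals, (num_pairs + 1) * sizeof(u8 *));
    keys[num_pairs] = key;
    vals[num_pairs] = val;
    num_pairs++;

  }

  /* Only touch the process environment once the whole string parsed. */
  for (size_t i = 0; i < num_pairs; i++) {

    setenv(keys[i], vals[i], 1);

  }

  if (num_pairs) { ret = true; }

free_and_return:
  ck_free(keys);
  ck_free(vals);
  ck_free(p);
  return ret;
```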
@@ -1123,7 +1076,7 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) {
/* Reads the map size from ENV */
u32 get_map_size(void) {
- uint32_t map_size = 8000000; // a very large default map
+ uint32_t map_size = DEFAULT_SHMEM_SIZE;
char * ptr;
if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) {
@@ -1151,7 +1104,7 @@ FILE *create_ffile(u8 *fn) {
s32 fd;
FILE *f;
- fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
@@ -1169,7 +1122,7 @@ s32 create_file(u8 *fn) {
s32 fd;
- fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 68995388..c2d552cd 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -809,7 +809,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
"have a\n"
" restrictive memory limit configured, this is expected; please "
"read\n"
- " %s/notes_for_asan.md for help.\n",
+ " %s/notes_for_asan.md for help and run with '-m 0'.\n",
doc_path);
} else if (!fsrv->mem_limit) {
@@ -817,18 +817,21 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
SAYF("\n" cLRD "[-] " cRST
"Whoops, the target binary crashed suddenly, "
"before receiving any input\n"
- " from the fuzzer! There are several probable explanations:\n\n"
-
- " - The target binary requires a large map and crashes before "
- "reporting.\n"
- " Set a high value (e.g. AFL_MAP_SIZE=8000000) or use "
- "AFL_DEBUG=1 to see the\n"
- " message from the target binary\n\n"
-
- " - The binary is just buggy and explodes entirely on its own. "
- "If so, you\n"
- " need to fix the underlying problem or find a better "
- "replacement.\n\n"
+ " from the fuzzer! You can try the following:\n\n"
+
+ " - The target binary crashes because necessary runtime "
+ "conditions it needs\n"
+ " are not met. Try to:\n"
+ " 1. Run again with AFL_DEBUG=1 set and check the output of "
+ "the target\n"
+ " binary for clues.\n"
+ " 2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and "
+ "analyze the\n"
+ " generated core dump.\n\n"
+
+ " - Possibly the target requires a huge coverage map and has "
+ "CTORS.\n"
+ " Retry with setting AFL_MAP_SIZE=10000000.\n\n"
MSG_FORK_ON_APPLE
@@ -844,13 +847,17 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
SAYF("\n" cLRD "[-] " cRST
"Whoops, the target binary crashed suddenly, "
"before receiving any input\n"
- " from the fuzzer! There are several probable explanations:\n\n"
-
- " - The target binary requires a large map and crashes before "
- "reporting.\n"
- " Set a high value (e.g. AFL_MAP_SIZE=8000000) or use "
- "AFL_DEBUG=1 to see the\n"
- " message from the target binary\n\n"
+ " from the fuzzer! You can try the following:\n\n"
+
+ " - The target binary crashes because necessary runtime "
+ "conditions it needs\n"
+ " are not met. Try to:\n"
+ " 1. Run again with AFL_DEBUG=1 set and check the output of "
+ "the target\n"
+ " binary for clues.\n"
+ " 2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and "
+ "analyze the\n"
+ " generated core dump.\n\n"
" - The current memory limit (%s) is too restrictive, causing "
"the\n"
@@ -868,13 +875,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
" estimate the required amount of virtual memory for the "
"binary.\n\n"
- " - The binary is just buggy and explodes entirely on its own. "
- "If so, you\n"
- " need to fix the underlying problem or find a better "
- "replacement.\n\n"
-
MSG_FORK_ON_APPLE
+ " - Possibly the target requires a huge coverage map and has "
+ "CTORS.\n"
+ " Retry with setting AFL_MAP_SIZE=10000000.\n\n"
+
" - Less likely, there is a horrible bug in the fuzzer. If other "
"options\n"
" fail, poke <afl-users@googlegroups.com> for troubleshooting "
@@ -903,7 +909,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
"with ASAN and\n"
" you have a restrictive memory limit configured, this is "
"expected; please\n"
- " read %s/notes_for_asan.md for help.\n",
+ " read %s/notes_for_asan.md for help and run with '-m 0'.\n",
doc_path);
} else if (!fsrv->mem_limit) {
@@ -911,10 +917,22 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
SAYF("\n" cLRD "[-] " cRST
"Hmm, looks like the target binary terminated before we could complete"
" a\n"
- "handshake with the injected code.\n"
- "Most likely the target has a huge coverage map, retry with setting"
- " the\n"
- "environment variable AFL_MAP_SIZE=8000000\n"
+ "handshake with the injected code. You can try the following:\n\n"
+
+ " - The target binary crashes because necessary runtime conditions "
+ "it needs\n"
+ " are not met. Try to:\n"
+ " 1. Run again with AFL_DEBUG=1 set and check the output of the "
+ "target\n"
+ " binary for clues.\n"
+ " 2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and "
+ "analyze the\n"
+ " generated core dump.\n\n"
+
+ " - Possibly the target requires a huge coverage map and has "
+ "CTORS.\n"
+ " Retry with setting AFL_MAP_SIZE=10000000.\n\n"
+
"Otherwise there is a horrible bug in the fuzzer.\n"
"Poke <afl-users@googlegroups.com> for troubleshooting tips.\n");
@@ -926,14 +944,23 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
"\n" cLRD "[-] " cRST
"Hmm, looks like the target binary terminated "
"before we could complete a\n"
- " handshake with the injected code. There are %s probable "
- "explanations:\n\n"
+ " handshake with the injected code. You can try the following:\n\n"
"%s"
- " - Most likely the target has a huge coverage map, retry with "
- "setting the\n"
- " environment variable AFL_MAP_SIZE=8000000\n\n"
+ " - The target binary crashes because necessary runtime conditions "
+ "it needs\n"
+ " are not met. Try to:\n"
+ " 1. Run again with AFL_DEBUG=1 set and check the output of the "
+ "target\n"
+ " binary for clues.\n"
+ " 2. Run again with AFL_DEBUG=1 and 'ulimit -c unlimited' and "
+ "analyze the\n"
+ " generated core dump.\n\n"
+
+ " - Possibly the target requires a huge coverage map and has "
+ "CTORS.\n"
+ " Retry with setting AFL_MAP_SIZE=10000000.\n\n"
" - The current memory limit (%s) is too restrictive, causing an "
"OOM\n"
@@ -958,7 +985,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
"options\n"
" fail, poke <afl-users@googlegroups.com> for troubleshooting "
"tips.\n",
- getenv(DEFER_ENV_VAR) ? "three" : "two",
getenv(DEFER_ENV_VAR)
? " - You are using deferred forkserver, but __AFL_INIT() is "
"never\n"
@@ -1038,12 +1064,14 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
if (unlikely(fsrv->no_unlink)) {
- fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_TRUNC,
+ DEFAULT_PERMISSION);
} else {
unlink(fsrv->out_file); /* Ignore errors. */
- fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_EXCL,
+ DEFAULT_PERMISSION);
}
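Review bot: the per-execution test-case file is now created with DEFAULT_PERMISSION instead of the explicit 0600 it had, and the macro's value is not visible anywhere in this diff. If it is wider than 0600, `fsrv->out_file` here and the queue/crash/sync files changed elsewhere in this commit become readable — and, in a group- or world-writable out_dir, replaceable — by other local users, which matters on shared fuzzing hosts where the input file is what the target executes. Whatever value was chosen, document it and the reason at the macro's definition, e.g. `/* Mode for every file AFL creates; widen only when out_dir is deliberately shared. */`, so the change of default is a visible decision rather than a side effect of the rename.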
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 4ed59364..3d0228db 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -42,7 +42,7 @@ void write_bitmap(afl_state_t *afl) {
afl->bitmap_changed = 0;
snprintf(fname, PATH_MAX, "%s/fuzz_bitmap", afl->out_dir);
- fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to open '%s'", fname); }
@@ -407,7 +407,7 @@ static void write_crash_readme(afl_state_t *afl) {
sprintf(fn, "%s/crashes/README.txt", afl->out_dir);
- fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
/* Do not die on errors here - that would be impolite. */
@@ -509,7 +509,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths);
#endif /* ^!SIMPLE_FILES */
- fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", queue_fn); }
ck_write(fd, mem, len, queue_fn);
close(fd);
@@ -783,7 +783,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
/* If we're here, we apparently want to save the crash or hang
test case, too. */
- fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn); }
ck_write(fd, mem, len, fn);
close(fd);
diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c
index 52100fa1..6091db15 100644
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
@@ -731,7 +731,7 @@ void save_auto(afl_state_t *afl) {
alloc_printf("%s/queue/.state/auto_extras/auto_%06u", afl->out_dir, i);
s32 fd;
- fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index ca2f75f1..70a49a6b 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -152,7 +152,8 @@ void bind_to_free_cpu(afl_state_t *afl) {
do {
- if ((lockfd = open(lockfile, O_RDWR | O_CREAT | O_EXCL, 0600)) < 0) {
+ if ((lockfd = open(lockfile, O_RDWR | O_CREAT | O_EXCL,
+ DEFAULT_PERMISSION)) < 0) {
if (first) {
@@ -1219,7 +1220,7 @@ static void link_or_copy(u8 *old_path, u8 *new_path) {
sfd = open(old_path, O_RDONLY);
if (sfd < 0) { PFATAL("Unable to open '%s'", old_path); }
- dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (dfd < 0) { PFATAL("Unable to create '%s'", new_path); }
tmp = ck_alloc(64 * 1024);
@@ -1812,9 +1813,13 @@ static void handle_existing_out_dir(afl_state_t *afl) {
}
- fn = alloc_printf("%s/plot_data", afl->out_dir);
- if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
- ck_free(fn);
+ if (!afl->in_place_resume) {
+
+ fn = alloc_printf("%s/plot_data", afl->out_dir);
+ if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
+ ck_free(fn);
+
+ }
fn = alloc_printf("%s/cmdline", afl->out_dir);
if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; }
@@ -2008,17 +2013,35 @@ void setup_dirs_fds(afl_state_t *afl) {
/* Gnuplot output file. */
tmp = alloc_printf("%s/plot_data", afl->out_dir);
- int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
- if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
- ck_free(tmp);
- afl->fsrv.plot_file = fdopen(fd, "w");
- if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
+ if (!afl->in_place_resume) {
+
+ int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
+ if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
+ ck_free(tmp);
+
+ afl->fsrv.plot_file = fdopen(fd, "w");
+ if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
+
+ fprintf(
+ afl->fsrv.plot_file,
+ "# unix_time, cycles_done, cur_path, paths_total, "
+ "pending_total, pending_favs, map_size, unique_crashes, "
+ "unique_hangs, max_depth, execs_per_sec, total_execs, edges_found\n");
+
+ } else {
+
+ int fd = open(tmp, O_WRONLY | O_CREAT, DEFAULT_PERMISSION);
+ if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
+ ck_free(tmp);
+
+ afl->fsrv.plot_file = fdopen(fd, "w");
+ if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
+
+ fseek(afl->fsrv.plot_file, 0, SEEK_END);
+
+ }
- fprintf(afl->fsrv.plot_file,
- "# unix_time, cycles_done, cur_path, paths_total, "
- "pending_total, pending_favs, map_size, unique_crashes, "
- "unique_hangs, max_depth, execs_per_sec, total_execs, edges_found\n");
fflush(afl->fsrv.plot_file);
/* ignore errors */
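Review bot: the in-place-resume branch opens plot_data with `O_WRONLY | O_CREAT`, fdopen()s it in "w" mode and then fseek()s to the end; `O_APPEND` with "a" says what is meant and keeps every write at the end regardless of the stream position. The more visible gap is that when the resumed out_dir has no plot_data, O_CREAT creates it here but the column header that the fresh-start branch writes is never emitted, so consumers of the gnuplot file get a headerless file. Sketch below: open in append mode, measure the file before handing it to stdio, and write the header only when it is empty; the PFATAL and ck_free handling is unchanged.
```c
  } else {

    /* In-place resume: keep the existing history and only append to it. */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_APPEND, DEFAULT_PERMISSION);
    if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
    ck_free(tmp);

    /* Measured before fdopen() so the raw fd and stdio are not mixed. */
    off_t existing = lseek(fd, 0, SEEK_END);

    afl->fsrv.plot_file = fdopen(fd, "a");
    if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }

    /* A resumed out_dir that had no plot_data still gets the header line. */
    if (existing == 0) {

      fprintf(afl->fsrv.plot_file,
              "# unix_time, cycles_done, cur_path, paths_total, "
              "pending_total, pending_favs, map_size, unique_crashes, "
              "unique_hangs, max_depth, execs_per_sec, total_execs, "
              "edges_found\n");

    }

  }
```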
@@ -2035,7 +2058,7 @@ void setup_cmdline_file(afl_state_t *afl, char **argv) {
/* Store the command line to reproduce our findings */
tmp = alloc_printf("%s/cmdline", afl->out_dir);
- fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", tmp); }
ck_free(tmp);
@@ -2070,7 +2093,8 @@ void setup_stdio_file(afl_state_t *afl) {
unlink(afl->fsrv.out_file); /* Ignore errors */
- afl->fsrv.out_fd = open(afl->fsrv.out_file, O_RDWR | O_CREAT | O_EXCL, 0600);
+ afl->fsrv.out_fd =
+ open(afl->fsrv.out_file, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (afl->fsrv.out_fd < 0) {
@@ -2592,6 +2616,7 @@ void check_binary(afl_state_t *afl, u8 *fname) {
}
if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode ||
+ (afl->fsrv.qemu_mode && getenv("AFL_QEMU_CUSTOM_BIN")) ||
afl->non_instrumented_mode) {
return;
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 80df6d08..a47b4f5f 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -465,7 +465,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
unlink(q->fname); /* ignore errors */
- fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index c73e394a..4e8154cd 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -5119,14 +5119,23 @@ pacemaker_fuzzing:
/* Update afl->pending_not_fuzzed count if we made it through the
calibration cycle and have not seen this entry before. */
+ /*
+ // TODO FIXME: I think we need this plus need an -L -1 check
+ if (!afl->stop_soon && !afl->queue_cur->cal_failed &&
+ (afl->queue_cur->was_fuzzed == 0 || afl->queue_cur->fuzz_level == 0)
+ && !afl->queue_cur->disabled) {
- // if (!afl->stop_soon && !afl->queue_cur->cal_failed &&
- // !afl->queue_cur->was_fuzzed) {
+ if (!afl->queue_cur->was_fuzzed) {
- // afl->queue_cur->was_fuzzed = 1;
- // --afl->pending_not_fuzzed;
- // if (afl->queue_cur->favored) --afl->pending_favored;
- // }
+ --afl->pending_not_fuzzed;
+ afl->queue_cur->was_fuzzed = 1;
+ if (afl->queue_cur->favored) { --afl->pending_favored; }
+
+ }
+
+ }
+
+ */
orig_in = NULL;
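Review bot: this hunk replaces one commented-out block with a larger commented-out block carrying a bare `TODO FIXME`, so the pending_not_fuzzed/pending_favored bookkeeping on this path stays unimplemented with nothing pointing at why or where it is tracked. Either drop the dead code or reduce it to a short note that states the open question, e.g. `/* TODO: pending_not_fuzzed/pending_favored are not decremented on this path; needs the -L -1 interaction settled first (see tracking issue). */`, and link the issue. The surrounding function begins before this hunk.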
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index b2f88205..e5f51a6c 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -249,7 +249,7 @@ void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) {
snprintf(fn, PATH_MAX, "%s/queue/.state/deterministic_done/%s", afl->out_dir,
strrchr(q->fname, '/') + 1);
- fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
close(fd);
@@ -272,7 +272,7 @@ void mark_as_variable(afl_state_t *afl, struct queue_entry *q) {
if (symlink(ldest, fn)) {
- s32 fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ s32 fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
close(fd);
@@ -300,7 +300,7 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
s32 fd;
- fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
close(fd);
@@ -680,13 +680,17 @@ void cull_queue(afl_state_t *afl) {
}
- afl->top_rated[i]->favored = 1;
- ++afl->queued_favored;
+ if (!afl->top_rated[i]->favored) {
- if (afl->top_rated[i]->fuzz_level == 0 ||
- !afl->top_rated[i]->was_fuzzed) {
+ afl->top_rated[i]->favored = 1;
+ ++afl->queued_favored;
- ++afl->pending_favored;
+ if (afl->top_rated[i]->fuzz_level == 0 ||
+ !afl->top_rated[i]->was_fuzzed) {
+
+ ++afl->pending_favored;
+
+ }
}
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 0b84a542..83133dad 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -83,7 +83,8 @@ write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
afl->document_counter++,
describe_op(afl, 0, NAME_MAX - strlen("000000000:")));
- if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) {
+ if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >=
+ 0) {
if (write(doc_fd, mem, len) != len)
PFATAL("write to mutation file failed: %s", fn);
@@ -247,12 +248,14 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
if (unlikely(afl->no_unlink)) {
- fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_TRUNC,
+ DEFAULT_PERMISSION);
} else {
unlink(afl->fsrv.out_file); /* Ignore errors. */
- fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_EXCL,
+ DEFAULT_PERMISSION);
}
@@ -564,7 +567,8 @@ void sync_fuzzers(afl_state_t *afl) {
/* document the attempt to sync to this instance */
sprintf(qd_synced_path, "%s/.synced/%s.last", afl->out_dir, sd_ent->d_name);
- id_fd = open(qd_synced_path, O_RDWR | O_CREAT | O_TRUNC, 0600);
+ id_fd =
+ open(qd_synced_path, O_RDWR | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
if (id_fd >= 0) close(id_fd);
/* Skip anything that doesn't have a queue/ subdirectory. */
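Review bot: `sprintf(qd_synced_path, ...)` on the context line builds the path from out_dir and a directory entry name with no bound; if qd_synced_path is a fixed-size buffer (its declaration is outside the hunk) this should be `snprintf(qd_synced_path, PATH_MAX, "%s/.synced/%s.last", afl->out_dir, sd_ent->d_name);` with the result checked for truncation. The sprintf in the next hunk of this file has the same pattern. Ignoring the open() failure here is consistent with the "document the attempt" comment. sync_fuzzers starts and ends outside the hunk.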
@@ -587,7 +591,7 @@ void sync_fuzzers(afl_state_t *afl) {
sprintf(qd_synced_path, "%s/.synced/%s", afl->out_dir, sd_ent->d_name);
- id_fd = open(qd_synced_path, O_RDWR | O_CREAT, 0600);
+ id_fd = open(qd_synced_path, O_RDWR | O_CREAT, DEFAULT_PERMISSION);
if (id_fd < 0) { PFATAL("Unable to create '%s'", qd_synced_path); }
@@ -851,7 +855,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
if (unlikely(afl->no_unlink)) {
- fd = open(q->fname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = open(q->fname, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
@@ -866,7 +870,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
} else {
unlink(q->fname); /* ignore errors */
- fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 3d36e712..0ddf8cf3 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -433,6 +433,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_kill_signal =
(u8 *)get_afl_env(afl_environment_variables[i]);
+ } else if (!strncmp(env, "AFL_TARGET_ENV",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_target_env =
+ (u8 *)get_afl_env(afl_environment_variables[i]);
+
}
} else {
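Review bot: The strncmp call has a stray blank line in the middle of its argument list, which reads like a formatter artifact; it should be a single line, `} else if (!strncmp(env, "AFL_TARGET_ENV", afl_environment_variable_len)) {`. The branch otherwise follows the pattern of the neighbouring AFL_KILL_SIGNAL branch. read_afl_environment starts and ends outside the hunk.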
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 99059a2d..2c814d90 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -391,10 +391,11 @@ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
fprintf(afl->fsrv.plot_file,
"%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f, %llu, "
"%u\n",
- get_cur_time() / 1000, afl->queue_cycle - 1, afl->current_entry,
- afl->queued_paths, afl->pending_not_fuzzed, afl->pending_favored,
- bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->max_depth,
- eps, afl->plot_prev_ed, t_bytes); /* ignore errors */
+ (afl->prev_run_time + get_cur_time() - afl->start_time),
+ afl->queue_cycle - 1, afl->current_entry, afl->queued_paths,
+ afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg,
+ afl->unique_crashes, afl->unique_hangs, afl->max_depth, eps,
+ afl->plot_prev_ed, t_bytes); /* ignore errors */
fflush(afl->fsrv.plot_file);
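Review bot: The first plot_data column changes meaning, not just form: it was `get_cur_time() / 1000` (wall-clock seconds) and is now `prev_run_time + get_cur_time() - start_time` with no division, i.e. elapsed time in whatever unit get_cur_time() returns, presumably milliseconds given the previous /1000. Any consumer that parses this column (afl-plot and external scripts) and the plot_data documentation need to follow, and a comment above the fprintf should state the unit, e.g. `/* column 1: run time relative to start_time, same unit as get_cur_time() — TODO confirm ms */`. This also assumes prev_run_time is kept in the same unit as get_cur_time(). maybe_update_plot_file starts outside the hunk.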
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 64e4b869..d70ffd31 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -223,6 +223,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n"
"AFL_QUIET: suppress forkserver status messages\n"
"AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
+ "AFL_TARGET_ENV: pass extra environment variables to target\n"
"AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup\n"
"AFL_SKIP_BIN_CHECK: skip the check, if the target is an executable\n"
"AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking\n"
@@ -1022,32 +1023,6 @@ int main(int argc, char **argv_orig, char **envp) {
}
- if (afl->fsrv.qemu_mode && getenv("AFL_USE_QASAN")) {
-
- u8 *preload = getenv("AFL_PRELOAD");
- u8 *libqasan = get_libqasan_path(argv_orig[0]);
-
- if (!preload) {
-
- setenv("AFL_PRELOAD", libqasan, 0);
-
- } else {
-
- u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
- strcpy(result, libqasan);
- strcat(result, " ");
- strcat(result, preload);
-
- setenv("AFL_PRELOAD", result, 1);
- ck_free(result);
-
- }
-
- afl->afl_env.afl_preload = (u8 *)getenv("AFL_PRELOAD");
- ck_free(libqasan);
-
- }
-
if (afl->fsrv.mem_limit && afl->shm.cmplog_mode) afl->fsrv.mem_limit += 260;
OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" "
@@ -1312,38 +1287,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->fsrv.qemu_mode) {
- u8 *qemu_preload = getenv("QEMU_SET_ENV");
- u8 *afl_preload = getenv("AFL_PRELOAD");
- u8 *buf;
-
- s32 j, afl_preload_size = strlen(afl_preload);
- for (j = 0; j < afl_preload_size; ++j) {
-
- if (afl_preload[j] == ',') {
-
- PFATAL(
- "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
- "specified!");
-
- }
-
- }
-
- if (qemu_preload) {
-
- buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
- qemu_preload, afl_preload, afl_preload);
-
- } else {
-
- buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
- afl_preload, afl_preload);
-
- }
-
- setenv("QEMU_SET_ENV", buf, 1);
-
- ck_free(buf);
+ /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
} else {
@@ -1360,6 +1304,13 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ if (afl->afl_env.afl_target_env &&
+ !extract_and_set_env(afl->afl_env.afl_target_env)) {
+
+ FATAL("Bad value of AFL_TARGET_ENV");
+
+ }
+
save_cmdline(afl, argc, argv);
fix_up_banner(afl, argv[optind]);
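Review bot: The new AFL_TARGET_ENV handling runs in the fuzzer process, so if extract_and_set_env() (defined elsewhere, presumably in afl-common.c) applies the variables with setenv(), they land in afl-fuzz's own environment and in every child it spawns, not only the target as the usage text says; a comment should state that scope, e.g. `/* applied to this process' environment and therefore inherited by the target */`. Neither `FATAL("Bad value of AFL_TARGET_ENV")` nor the usage line added at the top of this file describes the expected syntax of the value, so a rejected value leaves the user guessing; name the format in the message. main() continues outside the hunk.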
@@ -1584,21 +1535,21 @@ int main(int argc, char **argv_orig, char **envp) {
if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
!afl->unicorn_mode) {
- if (map_size <= 8000000 && !afl->non_instrumented_mode &&
+ if (map_size <= DEFAULT_SHMEM_SIZE && !afl->non_instrumented_mode &&
!afl->fsrv.qemu_mode && !afl->unicorn_mode) {
- afl->fsrv.map_size = 8000000; // dummy temporary value
- setenv("AFL_MAP_SIZE", "8000000", 1);
+ afl->fsrv.map_size = DEFAULT_SHMEM_SIZE; // dummy temporary value
+ char vbuf[16];
+ snprintf(vbuf, sizeof(vbuf), "%u", DEFAULT_SHMEM_SIZE);
+ setenv("AFL_MAP_SIZE", vbuf, 1);
}
u32 new_map_size = afl_fsrv_get_mapsize(
&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child);
- // only reinitialize when it makes sense
- if ((map_size < new_map_size ||
- (new_map_size != MAP_SIZE && new_map_size < map_size &&
- map_size - new_map_size > MAP_SIZE))) {
+ // only reinitialize if the map needs to be larger than what we have.
+ if (map_size < new_map_size) {
OKF("Re-initializing maps to %u bytes", new_map_size);
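Review bot: With `afl->fsrv.map_size = map_size;` removed in the following hunk, nothing visible restores fsrv.map_size on the path where `map_size < new_map_size` is false, so it may keep the DEFAULT_SHMEM_SIZE value the code itself labels a "dummy temporary value" — unless afl_fsrv_get_mapsize() writes the real size into the forkserver, which cannot be confirmed from here. A comment on the dummy assignment stating who replaces it would keep this from regressing, e.g. `// dummy temporary value — TODO confirm afl_fsrv_get_mapsize() replaces it`. The `char vbuf[16]` formatting of DEFAULT_SHMEM_SIZE with "%u" is large enough for any u32. main() continues outside the hunk.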
@@ -1627,8 +1578,6 @@ int main(int argc, char **argv_orig, char **envp) {
}
- afl->fsrv.map_size = map_size;
-
}
if (afl->cmplog_binary) {
@@ -1641,11 +1590,15 @@ int main(int argc, char **argv_orig, char **envp) {
afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary;
afl->cmplog_fsrv.init_child_func = cmplog_exec_child;
- if (map_size <= 8000000 && !afl->non_instrumented_mode &&
- !afl->fsrv.qemu_mode && !afl->unicorn_mode) {
+ if ((map_size <= DEFAULT_SHMEM_SIZE ||
+ afl->cmplog_fsrv.map_size < map_size) &&
+ !afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
+ !afl->unicorn_mode) {
- afl->cmplog_fsrv.map_size = 8000000; // dummy temporary value
- setenv("AFL_MAP_SIZE", "8000000", 1);
+ afl->cmplog_fsrv.map_size = MAX(map_size, (u32)DEFAULT_SHMEM_SIZE);
+ char vbuf[16];
+ snprintf(vbuf, sizeof(vbuf), "%u", afl->cmplog_fsrv.map_size);
+ setenv("AFL_MAP_SIZE", vbuf, 1);
}
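Review bot: The three-line `char vbuf[16]; snprintf(...); setenv("AFL_MAP_SIZE", vbuf, 1);` block now appears twice in main() — here and in the earlier map-size hunk — with only the value differing; a small static helper taking a u32 would keep the two in sync. `MAX(map_size, (u32)DEFAULT_SHMEM_SIZE)` is safe even with a double-evaluating MAX since both operands are side-effect free. main() continues outside the hunk.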
@@ -1686,10 +1639,6 @@ int main(int argc, char **argv_orig, char **envp) {
afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon,
afl->afl_env.afl_debug_child);
- } else {
-
- afl->cmplog_fsrv.map_size = new_map_size;
-
}
OKF("Cmplog forkserver successfully started");
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index 3241a130..fbb8e65d 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -162,8 +162,8 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
snprintf(shm->g_shm_file_path, L_tmpnam, "/afl_%d_%ld", getpid(), random());
/* create the shared memory segment as if it was a file */
- shm->g_shm_fd =
- shm_open(shm->g_shm_file_path, O_CREAT | O_RDWR | O_EXCL, 0600);
+ shm->g_shm_fd = shm_open(shm->g_shm_file_path, O_CREAT | O_RDWR | O_EXCL,
+ DEFAULT_PERMISSION);
if (shm->g_shm_fd == -1) { PFATAL("shm_open() failed"); }
/* configure the size of the shared memory segment */
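Review bot: For the shm_open() and shmget() segments the mode argument is the only access control there is — no parent directory restricts them — so replacing the owner-only 0600 with DEFAULT_PERMISSION means that, if that macro is ever wider, another local user can attach to the coverage and cmplog maps and read or corrupt them. Unless DEFAULT_PERMISSION is guaranteed owner-only, a fixed mode here is safer, or at least a comment at each call, `/* mode also governs who may attach; DEFAULT_PERMISSION must stay owner-only */`. The same applies to the cmplog shm_open() and both shmget() calls in the two hunks below. afl_shm_init starts outside the hunk.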
@@ -202,7 +202,8 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
/* create the shared memory segment as if it was a file */
shm->cmplog_g_shm_fd =
- shm_open(shm->cmplog_g_shm_file_path, O_CREAT | O_RDWR | O_EXCL, 0600);
+ shm_open(shm->cmplog_g_shm_file_path, O_CREAT | O_RDWR | O_EXCL,
+ DEFAULT_PERMISSION);
if (shm->cmplog_g_shm_fd == -1) { PFATAL("shm_open() failed"); }
/* configure the size of the shared memory segment */
@@ -241,13 +242,14 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
#else
u8 *shm_str;
- shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | 0600);
+ shm->shm_id =
+ shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
if (shm->shm_id < 0) { PFATAL("shmget() failed"); }
if (shm->cmplog_mode) {
shm->cmplog_shm_id = shmget(IPC_PRIVATE, sizeof(struct cmp_map),
- IPC_CREAT | IPC_EXCL | 0600);
+ IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
if (shm->cmplog_shm_id < 0) {
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 0fc76193..077c9248 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -252,7 +252,7 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
} else {
unlink(outfile); /* Ignore errors */
- fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fd < 0) { PFATAL("Unable to create '%s'", outfile); }
}
@@ -599,38 +599,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
if (fsrv->qemu_mode) {
- u8 *qemu_preload = getenv("QEMU_SET_ENV");
- u8 *afl_preload = getenv("AFL_PRELOAD");
- u8 *buf;
-
- s32 i, afl_preload_size = strlen(afl_preload);
- for (i = 0; i < afl_preload_size; ++i) {
-
- if (afl_preload[i] == ',') {
-
- PFATAL(
- "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
- "specified!");
-
- }
-
- }
-
- if (qemu_preload) {
-
- buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
- qemu_preload, afl_preload, afl_preload);
-
- } else {
-
- buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
- afl_preload, afl_preload);
-
- }
-
- setenv("QEMU_SET_ENV", buf, 1);
-
- ck_free(buf);
+ /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
} else {
@@ -946,31 +915,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (optind == argc || !out_file) { usage(argv[0]); }
- if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) {
-
- u8 *preload = getenv("AFL_PRELOAD");
- u8 *libqasan = get_libqasan_path(argv_orig[0]);
-
- if (!preload) {
-
- setenv("AFL_PRELOAD", libqasan, 0);
-
- } else {
-
- u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
- strcpy(result, libqasan);
- strcat(result, " ");
- strcat(result, preload);
-
- setenv("AFL_PRELOAD", result, 1);
- ck_free(result);
-
- }
-
- ck_free(libqasan);
-
- }
-
if (in_dir) {
if (!out_file && !collect_coverage)
@@ -1175,7 +1119,8 @@ int main(int argc, char **argv_orig, char **envp) {
unlink(stdin_file);
atexit(at_exit_handler);
fsrv->out_file = stdin_file;
- fsrv->out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600);
+ fsrv->out_fd =
+ open(stdin_file, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); }
if (arg_offset && use_argv[arg_offset] != stdin_file) {
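Review bot: The error path on the unchanged line after the open() reports the wrong file: it opens `stdin_file` but the message names `out_file`, so a permission or O_EXCL collision failure on the stdin file points the user at the output path. Change it to `if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", stdin_file); }`. main() continues outside the hunk.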
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 6d04c652..fc974262 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -244,7 +244,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
unlink(path); /* Ignore errors */
- ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
+ ret = open(path, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (ret < 0) { PFATAL("Unable to create '%s'", path); }
@@ -666,7 +666,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
unlink(out_file);
fsrv->out_file = out_file;
- fsrv->out_fd = open(out_file, O_RDWR | O_CREAT | O_EXCL, 0600);
+ fsrv->out_fd = open(out_file, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); }
@@ -753,38 +753,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
if (fsrv->qemu_mode) {
- u8 *qemu_preload = getenv("QEMU_SET_ENV");
- u8 *afl_preload = getenv("AFL_PRELOAD");
- u8 *buf;
-
- s32 i, afl_preload_size = strlen(afl_preload);
- for (i = 0; i < afl_preload_size; ++i) {
-
- if (afl_preload[i] == ',') {
-
- PFATAL(
- "Comma (',') is not allowed in AFL_PRELOAD when -Q is "
- "specified!");
-
- }
-
- }
-
- if (qemu_preload) {
-
- buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
- qemu_preload, afl_preload, afl_preload);
-
- } else {
-
- buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
- afl_preload, afl_preload);
-
- }
-
- setenv("QEMU_SET_ENV", buf, 1);
-
- ck_free(buf);
+ /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
} else {
@@ -1079,31 +1048,6 @@ int main(int argc, char **argv_orig, char **envp) {
check_environment_vars(envp);
setenv("AFL_NO_AUTODICT", "1", 1);
- if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) {
-
- u8 *preload = getenv("AFL_PRELOAD");
- u8 *libqasan = get_libqasan_path(argv_orig[0]);
-
- if (!preload) {
-
- setenv("AFL_PRELOAD", libqasan, 0);
-
- } else {
-
- u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
- strcpy(result, libqasan);
- strcat(result, " ");
- strcat(result, preload);
-
- setenv("AFL_PRELOAD", result, 1);
- ck_free(result);
-
- }
-
- ck_free(libqasan);
-
- }
-
/* initialize cmplog_mode */
shm.cmplog_mode = 0;