Diffstat (limited to 'src')
-rw-r--r--src/afl-analyze.c4
-rw-r--r--src/afl-common.c4
-rw-r--r--src/afl-forkserver.c22
-rw-r--r--src/afl-fuzz-init.c27
-rw-r--r--src/afl-fuzz-state.c7
-rw-r--r--src/afl-fuzz.c26
-rw-r--r--src/afl-showmap.c19
-rw-r--r--src/afl-tmin.c32
8 files changed, 119 insertions, 22 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index c8acebb3..2780deff 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -78,9 +78,9 @@ static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */
static s32 dev_null_fd = -1; /* FD to /dev/null */
-static u8 edges_only, /* Ignore hit counts? */
+static bool edges_only, /* Ignore hit counts? */
use_hex_offsets, /* Show hex offsets? */
- use_stdin = 1; /* Use stdin for program input? */
+ use_stdin = true; /* Use stdin for program input? */
static volatile u8 stop_soon, /* Ctrl-C pressed? */
child_timed_out; /* Child timed out? */
diff --git a/src/afl-common.c b/src/afl-common.c
index 8cf1a444..ed0b0e53 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -46,7 +46,7 @@ u8 be_quiet = 0;
u8 *doc_path = "";
u8 last_intr = 0;
-void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) {
+void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin) {
u32 i = 0;
u8 cwd[PATH_MAX];
@@ -63,7 +63,7 @@ void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) {
if (!prog_in) { FATAL("@@ syntax is not supported by this tool."); }
- *use_stdin = 0;
+ *use_stdin = false;
if (prog_in[0] != 0) { // not afl-showmap special case
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 01ef1d9e..20117c1d 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -76,8 +76,8 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
fsrv->dev_urandom_fd = -1;
/* Settings */
- fsrv->use_stdin = 1;
- fsrv->no_unlink = 0;
+ fsrv->use_stdin = true;
+ fsrv->no_unlink = false;
fsrv->exec_tmout = EXEC_TIMEOUT;
fsrv->init_tmout = EXEC_TIMEOUT * FORK_WAIT_MULT;
fsrv->mem_limit = MEM_LIMIT;
@@ -86,8 +86,11 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
/* exec related stuff */
fsrv->child_pid = -1;
fsrv->map_size = get_map_size();
- fsrv->use_fauxsrv = 0;
- fsrv->last_run_timed_out = 0;
+ fsrv->use_fauxsrv = false;
+ fsrv->last_run_timed_out = false;
+
+ fsrv->uses_crash_exitcode = false;
+ fsrv->uses_asan = false;
fsrv->init_child_func = fsrv_exec_child;
@@ -109,6 +112,8 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
fsrv_to->dev_urandom_fd = from->dev_urandom_fd;
fsrv_to->out_fd = from->out_fd; // not sure this is a good idea
fsrv_to->no_unlink = from->no_unlink;
+ fsrv_to->uses_crash_exitcode = from->uses_crash_exitcode;
+ fsrv_to->crash_exitcode = from->crash_exitcode;
// These are forkserver specific.
fsrv_to->out_dir_fd = -1;
@@ -1136,10 +1141,13 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
}
- /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and
- must use a special exit code. */
+ /* MSAN in uses_asan mode uses a special exit code as it doesn't support
+ abort_on_error.
+ On top, a user may specify a custom AFL_CRASH_EXITCODE. Handle both here. */
- if (fsrv->uses_asan && WEXITSTATUS(fsrv->child_status) == MSAN_ERROR) {
+ if ((fsrv->uses_asan && WEXITSTATUS(fsrv->child_status) == MSAN_ERROR) ||
+ (fsrv->uses_crash_exitcode &&
+ WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode)) {
fsrv->last_kill_signal = 0;
return FSRV_RUN_CRASH;
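Review bot: The new disjunct compares `WEXITSTATUS(fsrv->child_status)` against `fsrv->crash_exitcode` without a visible `WIFEXITED(fsrv->child_status)` guard, and the closing `}` at the top of the hunk hides whether the surrounding code has already excluded signalled or stopped children; WEXITSTATUS is only defined for a normally exited child, so if no such guard exists a status whose bits happen to alias the configured code would be classified as a crash. If the guard is not already there, `(fsrv->uses_crash_exitcode && WIFEXITED(fsrv->child_status) && WEXITSTATUS(fsrv->child_status) == fsrv->crash_exitcode)` makes the intent explicit at no cost. A short comment noting that `crash_exitcode` is the unsigned 8-bit value after the cast done by the callers would also help readers of the comparison. afl_fsrv_run_target starts and ends outside the hunk.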
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 0360cdb0..6707340b 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -868,7 +868,19 @@ void perform_dry_run(afl_state_t *afl) {
if (skip_crashes) {
- WARNF("Test case results in a crash (skipping)");
+ if (afl->fsrv.uses_crash_exitcode) {
+
+ WARNF(
+ "Test case results in a crash or AFL_CRASH_EXITCODE %d "
+ "(skipping)",
+ (int)(s8)afl->fsrv.crash_exitcode);
+
+ } else {
+
+ WARNF("Test case results in a crash (skipping)");
+
+ }
+
q->cal_failed = CAL_CHANCES;
++cal_failures;
break;
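Review bot: The new WARNF reports the configured code through `(int)(s8)afl->fsrv.crash_exitcode`, so a user who set AFL_CRASH_EXITCODE=128 (the top of the accepted range) sees -128 in the warning, and in general the displayed number is the signed reinterpretation of the stored u8 rather than the value that was typed or the unsigned value WEXITSTATUS is compared against. Since the raw string is kept in `afl->afl_env.afl_crash_exitcode`, printing it with `"... or AFL_CRASH_EXITCODE %s (skipping)", afl->afl_env.afl_crash_exitcode` keeps the message consistent with the user's input and the check. The same cast appears in the second hunk of this file. perform_dry_run starts and ends outside both hunks.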
@@ -954,7 +966,18 @@ void perform_dry_run(afl_state_t *afl) {
#undef MSG_ULIMIT_USAGE
#undef MSG_FORK_ON_APPLE
- WARNF("Test case '%s' results in a crash, skipping", fn);
+ if (afl->fsrv.uses_crash_exitcode) {
+
+ WARNF(
+ "Test case '%s' results in a crash or AFL_CRASH_EXITCODE %d, "
+ "skipping",
+ fn, (int)(s8)afl->fsrv.crash_exitcode);
+
+ } else {
+
+ WARNF("Test case '%s' results in a crash, skipping", fn);
+
+ }
/* Remove from fuzzing queue but keep for splicing */
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 489d4e53..73b94466 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -394,6 +394,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_statsd_tags_flavor =
(u8 *)get_afl_env(afl_environment_variables[i]);
+ } else if (!strncmp(env, "AFL_CRASH_EXITCODE",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_crash_exitcode =
+ (u8 *)get_afl_env(afl_environment_variables[i]);
+
}
} else {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index b91d862d..eb5e9307 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -26,6 +26,7 @@
#include "afl-fuzz.h"
#include "cmplog.h"
#include <limits.h>
+#include <stdlib.h>
#ifndef USEMMAP
#include <sys/mman.h>
#include <sys/stat.h>
@@ -165,6 +166,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists\n"
"AFL_BENCH_JUST_ONE: run the target just once\n"
"AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n"
+ "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n"
"AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs\n"
"AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n"
"AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule\n"
@@ -702,7 +704,7 @@ int main(int argc, char **argv_orig, char **envp) {
case 'N': /* Unicorn mode */
if (afl->no_unlink) { FATAL("Multiple -N options not supported"); }
- afl->fsrv.no_unlink = afl->no_unlink = 1;
+ afl->fsrv.no_unlink = (afl->no_unlink = true);
break;
@@ -1135,6 +1137,23 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ if (afl->afl_env.afl_crash_exitcode) {
+
+ long exitcode = strtol(afl->afl_env.afl_crash_exitcode, NULL, 10);
+ if ((!exitcode && (errno == EINVAL || errno == ERANGE)) ||
+ exitcode < -127 || exitcode > 128) {
+
+ FATAL("Invalid crash exitcode, expected -127 to 128, but got %s",
+ afl->afl_env.afl_crash_exitcode);
+
+ }
+
+ afl->fsrv.uses_crash_exitcode = true;
+ // WEXITSTATUS is 8 bit unsigned
+ afl->fsrv.crash_exitcode = (u8)exitcode;
+
+ }
+
if (afl->non_instrumented_mode == 2 && afl->no_forkserver) {
FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive");
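Review bot: The validation `if ((!exitcode && (errno == EINVAL || errno == ERANGE)) || ...` cannot detect an unparsable value: errno is never reset before the strtol call and strtol is not required to set EINVAL when no digits are converted, so `AFL_CRASH_EXITCODE=abc` yields exitcode 0 and is accepted, after which every clean exit of the target is classified as a crash; conversely, a stale errno from an earlier call would reject a legitimate `0`, and the ERANGE branch is unreachable because an out-of-range conversion returns LONG_MIN/LONG_MAX, not 0. Use the end pointer instead: `errno = 0; char *end; long exitcode = strtol(afl->afl_env.afl_crash_exitcode, &end, 10);` followed by `if (end == afl->afl_env.afl_crash_exitcode || *end != '\0' || errno == ERANGE || exitcode < -127 || exitcode > 128) {`. A one-line comment on the accepted range would also help, since negative entries map to 129–255 via the `(u8)` cast while those positive values are rejected when typed directly. The same parsing block is duplicated in the afl-showmap.c and afl-tmin.c main() hunks and needs the same change; main() starts and ends outside the hunk.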
@@ -1486,9 +1505,12 @@ int main(int argc, char **argv_orig, char **envp) {
cull_queue(afl);
- if (!afl->pending_not_fuzzed)
+ if (!afl->pending_not_fuzzed) {
+
FATAL("We need at least on valid input seed that does not crash!");
+ }
+
show_init_stats(afl);
if (unlikely(afl->old_seed_selection)) seek_to = find_start_position(afl);
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index a8e7d3f9..e07e76c8 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -667,6 +667,8 @@ static void usage(u8 *argv0) {
"AFL_CMIN_CRASHES_ONLY: (cmin_mode) only write tuples for crashing "
"inputs\n"
"AFL_CMIN_ALLOW_ANY: (cmin_mode) write tuples for crashing inputs also\n"
+ "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as "
+ "crash\n"
"AFL_DEBUG: enable extra developer output\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the "
"size\n"
@@ -1090,6 +1092,23 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ if (getenv("AFL_CRASH_EXITCODE")) {
+
+ long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10);
+ if ((!exitcode && (errno == EINVAL || errno == ERANGE)) ||
+ exitcode < -127 || exitcode > 128) {
+
+ FATAL("Invalid crash exitcode, expected -127 to 128, but got %s",
+ getenv("AFL_CRASH_EXITCODE"));
+
+ }
+
+ fsrv->uses_crash_exitcode = true;
+ // WEXITSTATUS is 8 bit unsigned
+ fsrv->crash_exitcode = (u8)exitcode;
+
+ }
+
afl_fsrv_start(fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") ||
get_afl_env("AFL_DEBUG_CHILD_OUTPUT"))
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index e4fb068d..b9045551 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -51,6 +51,7 @@
#include <signal.h>
#include <dirent.h>
#include <fcntl.h>
+#include <limits.h>
#include <sys/wait.h>
#include <sys/time.h>
@@ -841,17 +842,17 @@ static void usage(u8 *argv0) {
"For additional tips, please consult %s/README.md.\n\n"
"Environment variables used:\n"
- "TMPDIR: directory to use for temporary input files\n"
- "ASAN_OPTIONS: custom settings for ASAN\n"
- " (must contain abort_on_error=1 and symbolize=0)\n"
- "MSAN_OPTIONS: custom settings for MSAN\n"
- " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
+ "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n"
+ "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
" the target was compiled for\n"
"AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
"AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n"
- "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)\n"
-
+ "ASAN_OPTIONS: custom settings for ASAN\n"
+ " (must contain abort_on_error=1 and symbolize=0)\n"
+ "MSAN_OPTIONS: custom settings for MSAN\n"
+ " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
+ "TMPDIR: directory to use for temporary input files\n"
, argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path);
exit(1);
@@ -1122,6 +1123,23 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ if (getenv("AFL_CRASH_EXITCODE")) {
+
+ long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10);
+ if ((!exitcode && (errno == EINVAL || errno == ERANGE)) ||
+ exitcode < -127 || exitcode > 128) {
+
+ FATAL("Invalid crash exitcode, expected -127 to 128, but got %s",
+ getenv("AFL_CRASH_EXITCODE"));
+
+ }
+
+ fsrv->uses_crash_exitcode = true;
+ // WEXITSTATUS is 8 bit unsigned
+ fsrv->crash_exitcode = (u8)exitcode;
+
+ }
+
shm_fuzz = ck_alloc(sizeof(sharedmem_t));
/* initialize cmplog_mode */