aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/afl-cc.c3
-rw-r--r--src/afl-forkserver.c3
-rw-r--r--src/afl-fuzz-mutators.c12
-rw-r--r--src/afl-fuzz-one.c1
-rw-r--r--src/afl-fuzz-python.c30
-rw-r--r--src/afl-fuzz-redqueen.c12
-rw-r--r--src/afl-fuzz-run.c19
-rw-r--r--src/afl-fuzz-stats.c13
-rw-r--r--src/afl-ld-lto.c2
9 files changed, 79 insertions, 16 deletions
diff --git a/src/afl-cc.c b/src/afl-cc.c
index c3c677b4..6faed538 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -1144,7 +1144,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!have_pic) { cc_params[cc_par_cnt++] = "-fPIC"; }
- if (!getenv("AFL_LLVM_NO_RPATH")) {
+ if (compiler_mode != GCC_PLUGIN && compiler_mode != GCC &&
+ !getenv("AFL_LLVM_NO_RPATH")) {
// in case LLVM is installed not via a package manager or "make install"
// e.g. compiled download or compiled from github then its ./lib directory
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 9b710733..3f9bfa72 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -679,8 +679,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
}
- fsrv->nyx_runner =
- fsrv->nyx_handlers->nyx_new(nyx_config, fsrv->nyx_bind_cpu_id);
+ fsrv->nyx_runner = fsrv->nyx_handlers->nyx_new(nyx_config, fsrv->nyx_id);
ck_free(workdir_path);
ck_free(outdir_path_absolute);
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 64dbe7c6..17fb9368 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -397,6 +397,18 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
}
+ /* "afl_custom_post_run", optional */
+ mutator->afl_custom_post_run = dlsym(dh, "afl_custom_post_run");
+ if (!mutator->afl_custom_post_run) {
+
+ ACTF("optional symbol 'afl_custom_post_run' not found.");
+
+ } else {
+
+ OKF("Found 'afl_custom_post_run'.");
+
+ }
+
/* "afl_custom_queue_new_entry", optional */
mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry");
if (!mutator->afl_custom_queue_new_entry) {
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 67dafda8..01e34b69 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -1894,6 +1894,7 @@ custom_mutator_stage:
LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
if (el->afl_custom_fuzz) {
+
havoc_queued = afl->queued_items;
afl->current_custom_fuzz = el;
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index 7dad0770..4c7da774 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -249,6 +249,8 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) {
PyObject_GetAttrString(py_module, "queue_get");
py_functions[PY_FUNC_FUZZ_SEND] =
PyObject_GetAttrString(py_module, "fuzz_send");
+ py_functions[PY_FUNC_POST_RUN] =
+ PyObject_GetAttrString(py_module, "post_run");
py_functions[PY_FUNC_SPLICE_OPTOUT] =
PyObject_GetAttrString(py_module, "splice_optout");
if (py_functions[PY_FUNC_SPLICE_OPTOUT]) { afl->custom_splice_optout = 1; }
@@ -468,6 +470,12 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl,
}
+ if (py_functions[PY_FUNC_POST_RUN]) {
+
+ mutator->afl_custom_post_run = post_run_py;
+
+ }
+
if (py_functions[PY_FUNC_SPLICE_OPTOUT]) {
mutator->afl_custom_splice_optout = splice_optout_py;
@@ -925,6 +933,28 @@ void fuzz_send_py(void *py_mutator, const u8 *buf, size_t buf_size) {
}
+void post_run_py(void *py_mutator) {
+
+ PyObject *py_args, *py_value;
+
+ py_args = PyTuple_New(0);
+ py_value = PyObject_CallObject(
+ ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_RUN], py_args);
+ Py_DECREF(py_args);
+
+ if (py_value != NULL) {
+
+ Py_DECREF(py_value);
+
+ } else {
+
+ PyErr_Print();
+ FATAL("Call failed");
+
+ }
+
+}
+
u8 queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
const u8 *filename_orig_queue) {
diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c
index 86e7f1cf..9e9b3822 100644
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@@ -1321,7 +1321,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
} else {
#ifndef WORD_SIZE_64
- if (repl <= 0x00ffffffffffffff {
+ if (repl <= 0x00ffffffffffffff) {
new_val = repl << 8;
u8 scale_len = 0;
@@ -1379,7 +1379,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
new_vall += (scale_len << 2) + 3;
ilen = scale_len + 5;
- if (ilen <= its_len) {
+ if (ilen <= its_len && ilen > 1) {
u8 tmpbuf[32];
memcpy(tmpbuf, buf + idx, ilen);
@@ -1403,7 +1403,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
if (do_call) {
- if (ilen <= its_len) {
+ if (ilen <= its_len && ilen > 1) {
u8 tmpbuf[32];
memcpy(tmpbuf, buf + idx, ilen);
@@ -1421,7 +1421,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
- // here we add and subract 1 from the value, but only if it is not an
+ // here we add and subtract 1 from the value, but only if it is not an
// == or != comparison
// Bits: 1 = Equal, 2 = Greater, 4 = Lesser, 8 = Float
// 16 = modified float, 32 = modified integer (modified = wont match
@@ -1906,6 +1906,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
#endif
+ if (hshape < 2) { return 0; }
+
for (i = 0; i < loggeds; ++i) {
struct cmp_operands *o = &afl->shm.cmp_map->log[key][i];
@@ -2698,6 +2700,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
hshape = SHAPE_BYTES(h->shape);
+ if (hshape < 2) { return 0; }
+
if (h->hits > CMP_MAP_RTN_H) {
loggeds = CMP_MAP_RTN_H;
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index ac4fb4a9..34a5ff81 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -60,6 +60,23 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {
fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon);
+ /* If post_run() function is defined in custom mutator, the function will be
+ called each time after AFL++ executes the target program. */
+
+ if (unlikely(afl->custom_mutators_count)) {
+
+ LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
+
+ if (unlikely(el->afl_custom_post_run)) {
+
+ el->afl_custom_post_run(el->data);
+
+ }
+
+ });
+
+ }
+
#ifdef PROFILING
clock_gettime(CLOCK_REALTIME, &spec);
time_spent_start = (spec.tv_sec * 1000000000) + spec.tv_nsec;
@@ -918,7 +935,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
detected, it will still work to some extent, so we don't check for
this. */
- if (q->len < 5) { return 0; }
+ if (unlikely(q->len < 5)) { return 0; }
afl->stage_name = afl->stage_name_buf;
afl->bytes_trim_in += q->len;
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 66e32e78..deb28b7a 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -288,6 +288,8 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
#ifndef __HAIKU__
if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; }
#endif
+ u64 runtime = afl->prev_run_time + cur_time - afl->start_time;
+ if (!runtime) { runtime = 1; }
fprintf(
f,
@@ -336,17 +338,14 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg,
"target_mode : %s%s%s%s%s%s%s%s%s%s\n"
"command_line : %s\n",
(afl->start_time - afl->prev_run_time) / 1000, cur_time / 1000,
- (afl->prev_run_time + cur_time - afl->start_time) / 1000, (u32)getpid(),
+ runtime / 1000, (u32)getpid(),
afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds,
afl->longest_find_time > cur_time - afl->last_find_time
? afl->longest_find_time / 1000
: ((afl->start_time == 0 || afl->last_find_time == 0)
? 0
: (cur_time - afl->last_find_time) / 1000),
- afl->fsrv.total_execs,
- afl->fsrv.total_execs /
- ((double)(afl->prev_run_time + get_cur_time() - afl->start_time) /
- 1000),
+ afl->fsrv.total_execs, afl->fsrv.total_execs / ((double)(runtime) / 1000),
afl->last_avg_execs_saved, afl->queued_items, afl->queued_favored,
afl->queued_discovered, afl->queued_imported, afl->queued_variable,
afl->max_depth, afl->current_entry, afl->pending_favored,
@@ -1060,7 +1059,7 @@ void show_stats_normal(afl_state_t *afl) {
sprintf(tmp, "%s (%s%s saved)", u_stringify_int(IB(0), afl->total_tmouts),
u_stringify_int(IB(1), afl->saved_tmouts),
- (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
+ (afl->saved_tmouts >= KEEP_UNIQUE_HANG) ? "+" : "");
SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-20s" bSTG bV "\n", tmp);
@@ -1892,7 +1891,7 @@ void show_stats_pizza(afl_state_t *afl) {
sprintf(tmp, "%s (%s%s saved)", u_stringify_int(IB(0), afl->total_tmouts),
u_stringify_int(IB(1), afl->saved_tmouts),
- (afl->saved_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
+ (afl->saved_tmouts >= KEEP_UNIQUE_HANG) ? "+" : "");
SAYF(bSTG bV bSTOP " burned pizzas : " cRST "%-20s" bSTG bV
"\n",
diff --git a/src/afl-ld-lto.c b/src/afl-ld-lto.c
index b1e6c848..7ce5de41 100644
--- a/src/afl-ld-lto.c
+++ b/src/afl-ld-lto.c
@@ -278,7 +278,7 @@ int main(int argc, char **argv) {
if (getenv("AFL_LD_PASSTHROUGH") != NULL) passthrough = 1;
if (getenv("AFL_REAL_LD") != NULL) real_ld = getenv("AFL_REAL_LD");
- if (!afl_path || !*afl_path) afl_path = "/usr/local/lib/afl";
+ if (!afl_path || !*afl_path) afl_path = AFL_PATH;
setenv("AFL_LD_CALLER", "1", 1);
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-25 21:54:23 +0000