diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-fuzz-globals.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 7 | ||||
| -rw-r--r-- | src/afl-fuzz-mutators.c | 39 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 30 | ||||
| -rw-r--r-- | src/afl-fuzz-python.c | 34 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 6 | ||||
| -rw-r--r-- | src/afl-showmap.c | 5 | ||||
| -rw-r--r-- | src/afl-tmin.c | 42 |
9 files changed, 90 insertions, 77 deletions
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 87418753..9412463d 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -256,7 +256,7 @@ u8 *cmplog_binary; s32 cmplog_child_pid, cmplog_forksrv_pid; /* Custom mutator */ -struct custom_mutator* mutator; +struct custom_mutator *mutator; /* Interesting values, as per config.h */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 08b6de60..8cabd9eb 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -990,7 +990,7 @@ dir_cleanup_failed: } /* Delete fuzzer output directory if we recognize it as ours, if the fuzzer - is not currently running, and if the last run time isn't too great. + is not currently running, and if the last run time isn't too great. Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */ static void handle_existing_out_dir(void) { @@ -1036,10 +1036,11 @@ static void handle_existing_out_dir(void) { fclose(f); - /* Autoresume treats a normal run as in_place_resume if a valid out dir already exists */ + /* Autoresume treats a normal run as in_place_resume if a valid out dir + * already exists */ if (!in_place_resume && autoresume) { - + OKF("Detected prior run with AFL_AUTORESUME set. Resuming."); in_place_resume = 1; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 28d21636..b31e678b 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -36,6 +36,7 @@ void setup_custom_mutator(void) { u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); if (fn) { + if (limit_time_sig) FATAL( "MOpt and custom mutator are mutually exclusive. We accept pull " @@ -45,6 +46,7 @@ void setup_custom_mutator(void) { load_custom_mutator(fn); return; + } /* Try Python module */ @@ -65,6 +67,7 @@ void setup_custom_mutator(void) { load_custom_mutator_py(module_name); } + #else if (getenv("AFL_PYTHON_MODULE")) FATAL("Your AFL binary was built without Python support"); @@ -75,16 +78,20 @@ void setup_custom_mutator(void) { void destroy_custom_mutator(void) { if (mutator) { + if (mutator->dh) dlclose(mutator->dh); else { + /* Python mutator */ #ifdef USE_PYTHON finalize_py_module(); #endif + } ck_free(mutator); + } } @@ -104,8 +111,7 @@ void load_custom_mutator(const char* fn) { /* Mutator */ /* "afl_custom_init", optional for backward compatibility */ mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!mutator->afl_custom_init) - WARNF("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found."); /* "afl_custom_fuzz" or "afl_custom_mutator", required */ mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); @@ -133,8 +139,7 @@ void load_custom_mutator(const char* fn) { /* "afl_custom_trim", optional */ mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); - if (!mutator->afl_custom_trim) - WARNF("Symbol 'afl_custom_trim' not found."); + if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found."); /* "afl_custom_post_trim", optional */ mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); @@ -151,14 +156,15 @@ void load_custom_mutator(const char* fn) { "trimming will be used."); } - + /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); if (!mutator->afl_custom_havoc_mutation) WARNF("Symbol 'afl_custom_havoc_mutation' not found."); /* "afl_custom_havoc_mutation", optional */ - mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); + mutator->afl_custom_havoc_mutation_probability = + dlsym(dh, "afl_custom_havoc_mutation_probability"); if (!mutator->afl_custom_havoc_mutation_probability) WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found."); @@ -175,8 +181,7 @@ void load_custom_mutator(const char* fn) { OKF("Custom mutator '%s' installed successfully.", fn); /* Initialize the custom mutator */ - if (mutator->afl_custom_init) - mutator->afl_custom_init(UR(0xFFFFFFFF)); + if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF)); } @@ -309,8 +314,7 @@ void load_custom_mutator_py(const char* module_name) { mutator->name = module_name; ACTF("Loading Python mutator library from '%s'...", module_name); - if (py_functions[PY_FUNC_INIT]) - mutator->afl_custom_init = init_py; + if (py_functions[PY_FUNC_INIT]) mutator->afl_custom_init = init_py; /* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator is quite different from the custom mutator. */ @@ -325,14 +329,14 @@ void load_custom_mutator_py(const char* module_name) { if (py_functions[PY_FUNC_POST_TRIM]) mutator->afl_custom_post_trim = post_trim_py; - if (py_functions[PY_FUNC_TRIM]) - mutator->afl_custom_trim = trim_py; - + if (py_functions[PY_FUNC_TRIM]) mutator->afl_custom_trim = trim_py; + if (py_functions[PY_FUNC_HAVOC_MUTATION]) mutator->afl_custom_havoc_mutation = havoc_mutation_py; - + if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY]) - mutator->afl_custom_havoc_mutation_probability = havoc_mutation_probability_py; + mutator->afl_custom_havoc_mutation_probability = + havoc_mutation_probability_py; if (py_functions[PY_FUNC_QUEUE_GET]) mutator->afl_custom_queue_get = queue_get_py; @@ -343,8 +347,9 @@ void load_custom_mutator_py(const char* module_name) { OKF("Python mutator '%s' installed successfully.", module_name); /* Initialize the custom mutator */ - if (mutator->afl_custom_init) - mutator->afl_custom_init(UR(0xFFFFFFFF)); + if (mutator->afl_custom_init) mutator->afl_custom_init(UR(0xFFFFFFFF)); } + #endif + diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 1817bd03..c6dbb858 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -359,8 +359,7 @@ u8 fuzz_one_original(char** argv) { /* The custom mutator will decide to skip this test case or not. */ - if (!mutator->afl_custom_queue_get(queue_cur->fname)) - return 1; + if (!mutator->afl_custom_queue_get(queue_cur->fname)) return 1; } @@ -1552,7 +1551,7 @@ custom_mutator_stage: const u32 max_seed_size = MAX_FILE; orig_hit_cnt = queued_paths + unique_crashes; - + for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { struct queue_entry* target; @@ -1597,10 +1596,9 @@ custom_mutator_stage: new_buf = ck_alloc_nozero(target->len); ck_read(fd, new_buf, target->len, target->fname); close(fd); - - size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len, - new_buf, target->len, - max_seed_size); + + size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len, new_buf, + target->len, max_seed_size); ck_free(new_buf); @@ -1629,7 +1627,7 @@ custom_mutator_stage: } } - + if (mutated_size < len) out_buf = ck_realloc(out_buf, len); memcpy(out_buf, in_buf, len); @@ -1688,13 +1686,15 @@ havoc_stage: havoc_queued = queued_paths; u8 stacked_custom = (mutator && mutator->afl_custom_havoc_mutation); - u8 stacked_custom_prob = 6; // like one of the default mutations in havoc + u8 stacked_custom_prob = 6; // like one of the default mutations in havoc if (stacked_custom && mutator->afl_custom_havoc_mutation_probability) { stacked_custom_prob = mutator->afl_custom_havoc_mutation_probability(); if (stacked_custom_prob > 100) - FATAL("The probability returned by afl_custom_havoc_mutation_propability has to be in the range 0-100."); + FATAL( + "The probability returned by afl_custom_havoc_mutation_propability " + "has to be in the range 0-100."); } @@ -1708,12 +1708,12 @@ havoc_stage: stage_cur_val = use_stacking; for (i = 0; i < use_stacking; ++i) { - + if (stacked_custom && UR(100) < stacked_custom_prob) { - - temp_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len, - MAX_FILE); - + + temp_len = + mutator->afl_custom_havoc_mutation(&out_buf, temp_len, MAX_FILE); + } switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 4e72905d..28b101f3 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -80,6 +80,7 @@ int init_py_module(u8* module_name) { py_notrim = 1; } else if ((py_idx >= PY_FUNC_HAVOC_MUTATION) && + (py_idx <= PY_FUNC_QUEUE_NEW_ENTRY)) { // Implenting the havoc and queue API is optional for now @@ -140,6 +141,7 @@ void finalize_py_module() { } void init_py(unsigned int seed) { + PyObject *py_args, *py_value; /* Provide the init function a seed for the Python RNG */ @@ -171,12 +173,13 @@ void init_py(unsigned int seed) { return; } + } size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size, size_t max_size) { - size_t mutated_size; + size_t mutated_size; PyObject *py_args, *py_value; py_args = PyTuple_New(3); @@ -224,8 +227,7 @@ size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size, if (py_value != NULL) { mutated_size = PyByteArray_Size(py_value); - if (buf_size < mutated_size) - *buf = ck_realloc(*buf, mutated_size); + if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size); memcpy(*buf, PyByteArray_AsString(py_value), mutated_size); Py_DECREF(py_value); @@ -242,7 +244,7 @@ size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size, size_t pre_save_py(u8* buf, size_t buf_size, u8** out_buf) { - size_t out_buf_size; + size_t out_buf_size; PyObject *py_args, *py_value; py_args = PyTuple_New(1); py_value = PyByteArray_FromStringAndSize(buf, buf_size); @@ -377,7 +379,7 @@ void trim_py(u8** out_buf, size_t* out_buf_size) { size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) { - size_t mutated_size; + size_t mutated_size; PyObject *py_args, *py_value; py_args = PyTuple_New(2); @@ -414,9 +416,8 @@ size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) { if (py_value != NULL) { mutated_size = PyByteArray_Size(py_value); - if (buf_size < mutated_size) - *buf = ck_realloc(*buf, mutated_size); - + if (buf_size < mutated_size) *buf = ck_realloc(*buf, mutated_size); + memcpy(*buf, PyByteArray_AsString(py_value), mutated_size); Py_DECREF(py_value); @@ -436,7 +437,8 @@ u8 havoc_mutation_probability_py(void) { PyObject *py_args, *py_value; py_args = PyTuple_New(0); - py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args); + py_value = PyObject_CallObject( + py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args); Py_DECREF(py_args); if (py_value != NULL) { @@ -483,7 +485,7 @@ u8 queue_get_py(const u8* filename) { int ret = PyObject_IsTrue(py_value); Py_DECREF(py_value); - + if (ret == -1) { PyErr_Print(); @@ -491,10 +493,10 @@ u8 queue_get_py(const u8* filename) { } - return (u8) ret & 0xFF; + return (u8)ret & 0xFF; } else { - + PyErr_Print(); FATAL("Call failed"); @@ -516,7 +518,7 @@ void queue_new_entry_py(const u8* filename_new_queue, py_value = PyString_FromString(filename_new_queue); #endif if (!py_value) { - + Py_DECREF(py_args); FATAL("Failed to convert arguments"); @@ -534,7 +536,7 @@ void queue_new_entry_py(const u8* filename_new_queue, py_value = PyString_FromString(filename_orig_queue); #endif if (!py_value) { - + Py_DECREF(py_args); FATAL("Failed to convert arguments"); @@ -545,8 +547,8 @@ void queue_new_entry_py(const u8* filename_new_queue, PyTuple_SetItem(py_args, 1, py_value); // Call - py_value = PyObject_CallObject(py_functions[PY_FUNC_QUEUE_NEW_ENTRY], - py_args); + py_value = + PyObject_CallObject(py_functions[PY_FUNC_QUEUE_NEW_ENTRY], py_args); Py_DECREF(py_args); if (py_value == NULL) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 58985d8b..f0ba2fe8 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -662,7 +662,7 @@ void sync_fuzzers(char** argv) { ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path); -close_sync: + close_sync: close(id_fd); closedir(qd); ck_free(qd_path); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 12c7853c..778ada9a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -119,7 +119,8 @@ static void usage(u8* argv0, int more_help) { " if using QEMU, just use -c 0.\n\n" "Fuzzing behavior settings:\n" - " -N - do not unlink the fuzzing input file (only for devices etc.!)\n" + " -N - do not unlink the fuzzing input file (only for " + "devices etc.!)\n" " -d - quick & dirty mode (skips deterministic steps)\n" " -n - fuzz without instrumentation (dumb mode)\n" " -x dir - optional fuzzer dictionary (see README.md, its really " @@ -752,8 +753,7 @@ int main(int argc, char** argv, char** envp) { if (get_afl_env("AFL_AUTORESUME")) { autoresume = 1; - if (in_place_resume) - SAYF("AFL_AUTORESUME has no effect for '-i -'"); + if (in_place_resume) SAYF("AFL_AUTORESUME has no effect for '-i -'"); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 6075027f..ffdb67e4 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -730,9 +730,8 @@ int main(int argc, char** argv, char** envp) { char** use_argv; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - - if (getenv("AFL_QUIET") != NULL) - be_quiet = 1; + + if (getenv("AFL_QUIET") != NULL) be_quiet = 1; while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0) diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 509943ff..31296cb5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -99,7 +99,6 @@ static volatile u8 stop_soon; /* Ctrl-C pressed? */ static u8 qemu_mode; - /* * forkserver section */ @@ -533,7 +532,7 @@ static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) { return 0; } - + /* Handle crashing inputs depending on current mode. */ if (WIFSIGNALED(status) || @@ -822,14 +821,15 @@ finalize_all: if (hang_mode) { - SAYF("\n" cGRA " File size reduced by : " cRST - "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST - "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA - " Fruitless execs : " cRST "termination=%u crash=%u\n\n", - 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, - missed_paths, missed_crashes); - return; + SAYF("\n" cGRA " File size reduced by : " cRST + "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST + "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA + " Fruitless execs : " cRST "termination=%u crash=%u\n\n", + 100 - ((double)in_len) * 100 / orig_len, in_len, + in_len == 1 ? "" : "s", + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, + missed_paths, missed_crashes); + return; } @@ -1146,7 +1146,8 @@ int main(int argc, char** argv, char** envp) { case 'e': if (edges_only) FATAL("Multiple -e options not supported"); - if (hang_mode) FATAL("Edges only and hang mode are mutually exclusive."); + if (hang_mode) + FATAL("Edges only and hang mode are mutually exclusive."); edges_only = 1; break; @@ -1232,12 +1233,13 @@ int main(int argc, char** argv, char** envp) { break; - case 'H': /* Hang Mode */ - + case 'H': /* Hang Mode */ + /* Minimizes a testcase to the minimum that still times out */ if (hang_mode) FATAL("Multipe -H options not supported"); - if (edges_only) FATAL("Edges only and hang mode are mutually exclusive."); + if (edges_only) + FATAL("Edges only and hang mode are mutually exclusive."); hang_mode = 1; break; @@ -1314,14 +1316,18 @@ int main(int argc, char** argv, char** envp) { run_target(use_argv, in_data, in_len, 1); if (hang_mode && !child_timed_out) - FATAL("Target binary did not time out but hang minimization mode " - "(-H) was set (-t %u).", exec_tmout); + FATAL( + "Target binary did not time out but hang minimization mode " + "(-H) was set (-t %u).", + exec_tmout); if (child_timed_out && !hang_mode) - FATAL("Target binary times out (adjusting -t may help). Use -H to minimize a hang."); + FATAL( + "Target binary times out (adjusting -t may help). Use -H to minimize a " + "hang."); if (hang_mode) { - + OKF("Program hangs as expected, minimizing in " cCYA "hang" cRST " mode."); } else if (!crash_mode) { |