Diffstat (limited to 'src')
-rw-r--r--src/afl-analyze.c1
-rw-r--r--src/afl-cc.c4
-rw-r--r--src/afl-forkserver.c2
-rw-r--r--src/afl-fuzz-bitmap.c2
-rw-r--r--src/afl-fuzz-init.c12
-rw-r--r--src/afl-fuzz-mutators.c39
-rw-r--r--src/afl-fuzz-one.c15
-rw-r--r--src/afl-fuzz-python.c20
-rw-r--r--src/afl-fuzz-queue.c20
-rw-r--r--src/afl-fuzz-run.c2
-rw-r--r--src/afl-fuzz.c7
-rw-r--r--src/afl-sharedmem.c5
-rw-r--r--src/afl-showmap.c1
-rw-r--r--src/afl-tmin.c1
14 files changed, 90 insertions, 41 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index dbf2920f..e19df3ce 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -984,6 +984,7 @@ int main(int argc, char **argv_orig, char **envp) {
 
         frida_mode = 1;
         fsrv.frida_mode = frida_mode;
+        setenv("AFL_FRIDA_INST_SEED", "0x0", 1);
 
         break;
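Review bot: `setenv("AFL_FRIDA_INST_SEED", "0x0", 1)` overwrites a seed the user may have set on purpose (the overwrite flag is 1) and carries no comment saying why the tool pins it; the same line is added to afl-showmap.c and afl-tmin.c in this diff. If the intent is deterministic edge IDs so that output is comparable across runs, say so with `/* pin the FRIDA instrumentation seed so edge IDs are stable across runs */`, and consider `setenv("AFL_FRIDA_INST_SEED", "0x0", 0)` so an explicit user value wins. It is also worth confirming on the frida_mode side that a zero seed is honoured as a fixed seed rather than treated as "pick a random one", since the frida code is not part of this diff.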
 
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 9899f973..244b46d1 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -1921,9 +1921,7 @@ int main(int argc, char **argv, char **envp) {
       // ptr = instrument_mode_string[instrument_mode];
       // }
 
-    } else if (instrument_mode == INSTRUMENT_LTO ||
-
-               instrument_mode == INSTRUMENT_CLASSIC) {
+    } else if (instrument_mode == INSTRUMENT_CLASSIC) {
 
       lto_mode = 1;
 
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 5e8fb9b5..26a9aaed 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -1105,7 +1105,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
     if (getenv("AFL_DEBUG")) {
 
       fprintf(stderr, "FS crc: %016llx len: %u\n",
-              hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705),
+              hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, HASH_CONST),
               *fsrv->shmem_fuzz_len);
       fprintf(stderr, "SHM :");
       for (u32 i = 0; i < *fsrv->shmem_fuzz_len; i++)
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 0a9242a5..59b1d279 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -560,7 +560,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
     }
 
     /* due to classify counts we have to recalculate the checksum */
-    cksum = afl->queue_top->exec_cksum =
+    afl->queue_top->exec_cksum =
         hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
 
     /* Try to calibrate inline; this also calls update_bitmap_score() when
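Review bot: The local `cksum` is no longer refreshed after the classify step, so if it is read anywhere later in save_if_interesting (the function continues past this hunk) it now carries the pre-classification value that the comment on the line above calls stale. If it is dead from here on this is fine, but that is worth confirming since the recalculated value now lives only in `queue_top->exec_cksum`. A comment such as `/* cksum is not reused below; exec_cksum is the canonical value from here */` would make the intent explicit.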
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 5e4f1585..faa45a4e 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -881,11 +881,7 @@ void perform_dry_run(afl_state_t *afl) {
 
     u32 read_len = MIN(q->len, (u32)MAX_FILE);
     use_mem = afl_realloc(AFL_BUF_PARAM(in), read_len);
-    if (read(fd, use_mem, read_len) != (ssize_t)read_len) {
-
-      FATAL("Short read from '%s'", q->fname);
-
-    }
+    ck_read(fd, use_mem, read_len, q->fname);
 
     close(fd);
 
@@ -1350,6 +1346,12 @@ void pivot_inputs(afl_state_t *afl) {
 
     if (q->passed_det) { mark_as_det_done(afl, q); }
 
+    if (afl->custom_mutators_count) {
+
+      run_afl_custom_queue_new_entry(afl, q, q->fname, NULL);
+
+    }
+
     ++id;
 
   }
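Review bot: The `if (afl->custom_mutators_count)` guard here duplicates the same check inside run_afl_custom_queue_new_entry as added in this diff, so one of the two can go. More importantly the helper re-stats `q->fname` and overwrites `q->len`, so it is only correct once q->fname already holds the pivoted path; the call sits after mark_as_det_done, which suggests it does, but a comment such as `/* q->fname is the pivoted name now; a custom mutator may rewrite the file and q->len is re-read from disk */` would pin that ordering against future reshuffling. The loop in pivot_inputs begins outside this hunk.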
diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c
index 79a47744..5332b9fe 100644
--- a/src/afl-fuzz-mutators.c
+++ b/src/afl-fuzz-mutators.c
@@ -31,6 +31,45 @@ struct custom_mutator *load_custom_mutator(afl_state_t *, const char *);
 struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *);
 #endif
 
+void run_afl_custom_queue_new_entry(afl_state_t *afl, struct queue_entry *q,
+                                    u8 *fname, u8 *mother_fname) {
+
+  if (afl->custom_mutators_count) {
+
+    u8 updated = 0;
+
+    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
+
+      if (el->afl_custom_queue_new_entry) {
+
+        if (el->afl_custom_queue_new_entry(el->data, fname, mother_fname)) {
+
+          updated = 1;
+
+        }
+
+      }
+
+    });
+
+    if (updated) {
+
+      struct stat st;
+      if (stat(fname, &st)) { PFATAL("File %s is gone!", fname); }
+      if (!st.st_size) {
+
+        FATAL("File %s became empty in custom mutator!", fname);
+
+      }
+
+      q->len = st.st_size;
+
+    }
+
+  }
+
+}
+
 void setup_custom_mutators(afl_state_t *afl) {
 
   /* Try mutator library first */
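Review bot: `q->len = st.st_size` stores the new file size without bounding it to MAX_FILE, so a custom mutator that grows the file in its queue_new_entry hook leaves q->len larger than the rest of the fuzzer will read (perform_dry_run in this same diff clamps with `MIN(q->len, (u32)MAX_FILE)`), and the off_t to u32 narrowing is silent; I would add `if (st.st_size > MAX_FILE) { FATAL("File %s grew beyond MAX_FILE in custom mutator!", fname); }` before the assignment. The function also has no header comment; it should state that a non-zero return from afl_custom_queue_new_entry means the mutator rewrote the file in place and q->len is re-derived from disk, and that a mutator which modifies the file but returns 0 leaves q->len stale. The inner `if (afl->custom_mutators_count)` is redundant with both callers shown in this diff, which already test it.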
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 7274f679..17749601 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -547,7 +547,11 @@ u8 fuzz_one_original(afl_state_t *afl) {
     afl->queue_cur->perf_score = orig_perf = perf_score =
         calculate_score(afl, afl->queue_cur);
 
-  if (unlikely(perf_score <= 0)) { goto abandon_entry; }
+  if (unlikely(perf_score <= 0 && afl->active_paths > 1)) {
+
+    goto abandon_entry;
+
+  }
 
   if (unlikely(afl->shm.cmplog_mode &&
                afl->queue_cur->colorized < afl->cmplog_lvl &&
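Review bot: The new `afl->active_paths > 1` condition has no comment saying why a non-positive perf_score is ignored when only one entry is active; a reader has to guess that abandoning the sole entry would leave the fuzzer with nothing to run. I would add `/* never skip the only active entry, even if its score is zero */` above the check, and the same in mopt_common_fuzzing where the identical guard is introduced further down this diff. fuzz_one_original continues on both sides of this hunk.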
@@ -3047,7 +3051,11 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
   else
     orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
 
-  if (unlikely(perf_score <= 0)) { goto abandon_entry; }
+  if (unlikely(perf_score <= 0 && afl->active_paths > 1)) {
+
+    goto abandon_entry;
+
+  }
 
   if (unlikely(afl->shm.cmplog_mode &&
                afl->queue_cur->colorized < afl->cmplog_lvl &&
@@ -5241,7 +5249,6 @@ pacemaker_fuzzing:
         }
 
         afl->temp_puppet_find = afl->total_puppet_find;
-        u64 temp_stage_finds_puppet = 0;
         for (i = 0; i < operator_num; ++i) {
 
           if (MOpt_globals.is_pilot_mode) {
@@ -5267,7 +5274,6 @@ pacemaker_fuzzing:
 
           MOpt_globals.finds[i] = MOpt_globals.finds_v2[i];
           MOpt_globals.cycles[i] = MOpt_globals.cycles_v2[i];
-          temp_stage_finds_puppet += MOpt_globals.finds[i];
 
         }                                    /* for i = 0; i < operator_num */
 
@@ -5329,7 +5335,6 @@ pacemaker_fuzzing:
                 afl->core_operator_finds_puppet_v2[i];
             afl->core_operator_cycles_puppet[i] =
                 afl->core_operator_cycles_puppet_v2[i];
-            temp_stage_finds_puppet += afl->core_operator_finds_puppet[i];
 
           }
 
diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c
index bc481b49..e1c879f4 100644
--- a/src/afl-fuzz-python.c
+++ b/src/afl-fuzz-python.c
@@ -817,8 +817,8 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) {
 
 }
 
-void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
-                        const u8 *filename_orig_queue) {
+u8 queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
+                      const u8 *filename_orig_queue) {
 
   PyObject *py_args, *py_value;
 
@@ -865,7 +865,21 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue,
       py_args);
   Py_DECREF(py_args);
 
-  if (py_value == NULL) {
+  if (py_value != NULL) {
+
+    int ret = PyObject_IsTrue(py_value);
+    Py_DECREF(py_value);
+
+    if (ret == -1) {
+
+      PyErr_Print();
+      FATAL("Failed to convert return value");
+
+    }
+
+    return (u8)ret & 0xFF;
+
+  } else {
 
     PyErr_Print();
     FATAL("Call failed");
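Review bot: `return (u8)ret & 0xFF;` casts before masking, so the mask is applied to a value that is already a u8 and the result is promoted back to int; after the `ret == -1` check PyObject_IsTrue can only yield 0 or 1, so `return (u8)ret;` says the same thing more plainly. A Python mutator that returns nothing (None) maps to 0 via PyObject_IsTrue, which keeps existing mutators working, and that compatibility plus the new meaning of a truthy return should be stated in a doc comment on the function and in the custom-mutator documentation, since the Python API contract now has a return value. The function's opening and its callable check are outside this hunk.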
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index b759532c..16af2c6b 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -474,24 +474,12 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
 
   if (afl->custom_mutators_count) {
 
-    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
+    /* At the initialization stage, queue_cur is NULL */
+    if (afl->queue_cur && !afl->syncing_party) {
 
-      if (el->afl_custom_queue_new_entry) {
+      run_afl_custom_queue_new_entry(afl, q, fname, afl->queue_cur->fname);
 
-        u8 *fname_orig = NULL;
-
-        /* At the initialization stage, queue_cur is NULL */
-        if (afl->queue_cur && !afl->syncing_party) {
-
-          fname_orig = afl->queue_cur->fname;
-
-        }
-
-        el->afl_custom_queue_new_entry(el->data, fname, fname_orig);
-
-      }
-
-    });
+    }
 
   }
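Review bot: Entries added while syncing (`afl->syncing_party` set) no longer reach the custom mutators' queue_new_entry hook at all, whereas the removed code invoked it with a NULL mother file name; a mutator that tracks every queue file (grammar or structure-aware mutators, for instance) would now miss inputs imported from other instances. If skipping initial seeds here is the intent (they are reported from pivot_inputs under their final name elsewhere in this diff), keep that case but pass NULL for synced entries instead of dropping them: `if (afl->queue_cur) { run_afl_custom_queue_new_entry(afl, q, fname, afl->syncing_party ? NULL : afl->queue_cur->fname); }`. I am inferring the pivot_inputs split from the other hunks; the rest of add_to_queue is outside this hunk.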
 
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index e876beea..4173f4e1 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -220,7 +220,7 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 
       fprintf(
           stderr, "FS crc: %16llx len: %u\n",
-          hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, 0xa5b35705),
+          hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, HASH_CONST),
           *afl->fsrv.shmem_fuzz_len);
       fprintf(stderr, "SHM :");
       for (u32 i = 0; i < *afl->fsrv.shmem_fuzz_len; i++)
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 0c7b6e42..c97427e1 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -339,7 +339,7 @@ static void fasan_check_afl_preload(char *afl_preload) {
   char * separator = strchr(afl_preload, ':');
   size_t first_preload_len = PATH_MAX;
   char * basename;
-  char   clang_runtime_prefix[] = "libclang_rt.asan-";
+  char   clang_runtime_prefix[] = "libclang_rt.asan";
 
   if (separator != NULL && (separator - afl_preload) < PATH_MAX) {
 
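Review bot: Dropping the trailing `-` from the `libclang_rt.asan` prefix makes the AFL_PRELOAD check accept any runtime whose name starts with that stem, including `libclang_rt.asan_cxx` and `libclang_rt.asan_static`, which are not the shared ASAN runtime that FASAN mode needs; if the goal is the unsuffixed `libclang_rt.asan.so` naming of newer toolchains, accepting `libclang_rt.asan.` in addition to `libclang_rt.asan-` is tighter. The comparison itself is outside the hunk, so I am inferring a prefix match from the variable name and the rest of fasan_check_afl_preload.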
@@ -1398,6 +1398,9 @@ int main(int argc, char **argv_orig, char **envp) {
 
   afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver;
 
+  check_crash_handling();
+  check_cpu_governor(afl);
+
   if (getenv("LD_PRELOAD")) {
 
     WARNF(
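Review bot: check_crash_handling() and check_cpu_governor() are moved ahead of the LD_PRELOAD handling with no comment recording why; both can terminate the run, so running them earlier changes which error a misconfigured host sees first. A short comment such as `/* fail fast on host misconfiguration before any preload or forkserver setup */` would document the intent, hedged since the code between the old and new positions is outside this hunk.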
@@ -1498,8 +1501,6 @@ int main(int argc, char **argv_orig, char **envp) {
 
   }
 
-  check_crash_handling();
-  check_cpu_governor(afl);
 
   get_core_count(afl);
 
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index fbb8e65d..b2cdac9b 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -244,7 +244,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
 
   shm->shm_id =
       shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION);
-  if (shm->shm_id < 0) { PFATAL("shmget() failed"); }
+  if (shm->shm_id < 0) { PFATAL("shmget() failed, try running afl-system-config"); }
 
   if (shm->cmplog_mode) {
 
@@ -254,7 +254,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
     if (shm->cmplog_shm_id < 0) {
 
       shmctl(shm->shm_id, IPC_RMID, NULL);  // do not leak shmem
-      PFATAL("shmget() failed");
+      PFATAL("shmget() failed, try running afl-system-config");
 
     }
 
@@ -325,4 +325,3 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
   return shm->map;
 
 }
-
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 5c899e69..9122cd25 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -1035,6 +1035,7 @@ int main(int argc, char **argv_orig, char **envp) {
         if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); }
 
         fsrv->frida_mode = true;
+        setenv("AFL_FRIDA_INST_SEED", "0x0", 1);
 
         break;
 
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 2d80abe4..792770e0 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -1027,6 +1027,7 @@ int main(int argc, char **argv_orig, char **envp) {
         if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); }
 
         fsrv->frida_mode = 1;
+        setenv("AFL_FRIDA_INST_SEED", "0x0", 1);
 
         break;