diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-analyze.c | 2 | ||||
| -rw-r--r-- | src/afl-as.c | 6 | ||||
| -rw-r--r-- | src/afl-common.c | 6 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 18 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-cmplog.c | 12 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 151 | ||||
| -rw-r--r-- | src/afl-fuzz-mutators.c | 46 | ||||
| -rw-r--r-- | src/afl-fuzz-python.c | 115 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 44 | ||||
| -rw-r--r-- | src/afl-fuzz-state.c | 7 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 29 | ||||
| -rw-r--r-- | src/afl-gotcpu.c | 56 | ||||
| -rw-r--r-- | src/afl-sharedmem.c | 6 | ||||
| -rw-r--r-- | src/afl-showmap.c | 2 | ||||
| -rw-r--r-- | src/afl-tmin.c | 2 |
16 files changed, 235 insertions, 269 deletions
diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 4e973672..900fbeb1 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-as.c b/src/afl-as.c index cf7f8bb6..4809a731 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -79,9 +79,9 @@ static u8 use_64bit = 1; static u8 use_64bit = 0; -#ifdef __APPLE__ -#error "Sorry, 32-bit Apple platforms are not supported." -#endif /* __APPLE__ */ + #ifdef __APPLE__ + #error "Sorry, 32-bit Apple platforms are not supported." + #endif /* __APPLE__ */ #endif /* ^WORD_SIZE_64 */ diff --git a/src/afl-common.c b/src/afl-common.c index d9d57863..808c9812 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -34,7 +34,7 @@ /* Detect @@ in args. */ #ifndef __glibc__ -#include <unistd.h> + #include <unistd.h> #endif #include <limits.h> #include <sys/types.h> @@ -72,11 +72,11 @@ char *afl_environment_variables[] = { "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", - "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", + "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_UNTRACER_FILE", "AFL_LLVM_USE_TRACE_PC", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally - "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", + "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE", "AFL_QEMU_PERSISTENT_ADDR", "AFL_QEMU_PERSISTENT_CNT", "AFL_QEMU_PERSISTENT_GPR", "AFL_QEMU_PERSISTENT_HOOK", diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index c1623f22..1c0ba349 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -676,12 +676,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } else if (!fsrv->mem_limit) { SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. Perhaps there is a horrible " - "bug in the\n" - " fuzzer. Poke <afl-users@googlegroups.com> for troubleshooting " - "tips.\n"); + "Hmm, looks like the target binary terminated before we could" + "complete a handshake with the injected code.\n" + "If the target was compiled with afl-clang-lto then recompiling with" + "AFL_LLVM_MAP_DYNAMIC might solve your problem.\n" + "Otherwise there is a horrible bug in the fuzzer.\n" + "Poke <afl-users@googlegroups.com> for troubleshooting tips.\n"); } else { @@ -708,6 +708,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, " estimate the required amount of virtual memory for the " "binary.\n\n" + " - the target was compiled with afl-clang-lto and a constructor " + "was\n" + " instrumented, recompiling with AFL_LLVM_MAP_DYNAMIC might solve " + "your\n" + " problem\n\n" + " - Less likely, there is a horrible bug in the fuzzer. If other " "options\n" " fail, poke <afl-users@googlegroups.com> for troubleshooting " diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index d4966889..ff078319 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -442,7 +442,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret + strlen(ret), "+%06d", afl->splicing_with); } - + sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); sprintf(ret + strlen(ret), ",op:%s", afl->stage_short); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 9452fa90..faf4dcb7 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -51,18 +51,6 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (afl->post_handler) { - - u8 *post_buf = NULL; - - size_t post_len = - afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) { return 0; } - out_buf = post_buf; - len = post_len; - - } - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 32481887..613d1437 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -33,11 +33,11 @@ void bind_to_free_cpu(afl_state_t *afl) { -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) cpuset_t * c; -#endif + #endif u8 cpu_used[4096] = {0}; u32 i; @@ -51,7 +51,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#if defined(__linux__) + #if defined(__linux__) DIR * d; struct dirent *de; d = opendir("/proc"); @@ -112,7 +112,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } closedir(d); -#elif defined(__FreeBSD__) || defined(__DragonFly__) + #elif defined(__FreeBSD__) || defined(__DragonFly__) struct kinfo_proc *procs; size_t nprocs; size_t proccount; @@ -133,7 +133,7 @@ void bind_to_free_cpu(afl_state_t *afl) { for (i = 0; i < proccount; i++) { -#if defined(__FreeBSD__) + #if defined(__FreeBSD__) if (!strcmp(procs[i].ki_comm, "idle")) continue; // fix when ki_oncpu = -1 @@ -143,16 +143,16 @@ void bind_to_free_cpu(afl_state_t *afl) { if (oncpu != -1 && oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) cpu_used[oncpu] = 1; -#elif defined(__DragonFly__) + #elif defined(__DragonFly__) if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) cpu_used[procs[i].kp_lwp.kl_cpuid] = 1; -#endif + #endif } ck_free(procs); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) struct kinfo_proc2 *procs; size_t nprocs; size_t proccount; @@ -181,15 +181,15 @@ void bind_to_free_cpu(afl_state_t *afl) { } ck_free(procs); -#else -#warning \ - "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" -#endif + #else + #warning \ + "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" + #endif size_t cpu_start = 0; try: -#ifndef __ANDROID__ + #ifndef __ANDROID__ for (i = cpu_start; i < afl->cpu_core_count; i++) { if (!cpu_used[i]) { break; } @@ -198,12 +198,12 @@ void bind_to_free_cpu(afl_state_t *afl) { if (i == afl->cpu_core_count) { -#else + #else for (i = afl->cpu_core_count - cpu_start - 1; i > -1; i--) if (!cpu_used[i]) break; if (i == -1) { -#endif + #endif SAYF("\n" cLRD "[-] " cRST "Uh-oh, looks like all %d CPU cores on your system are allocated to\n" @@ -221,16 +221,16 @@ void bind_to_free_cpu(afl_state_t *afl) { afl->cpu_aff = i; -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) CPU_ZERO(&c); CPU_SET(i, &c); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -#endif + #endif -#if defined(__linux__) + #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) { @@ -246,7 +246,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#elif defined(__FreeBSD__) || defined(__DragonFly__) + #elif defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) { if (cpu_start == afl->cpu_core_count) @@ -258,7 +258,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { if (cpu_start == afl->cpu_core_count) @@ -271,60 +271,15 @@ if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { } cpuset_destroy(c); -#else -// this will need something for other platforms -// TODO: Solaris/Illumos has processor_bind ... might worth a try -#endif + #else + // this will need something for other platforms + // TODO: Solaris/Illumos has processor_bind ... might worth a try + #endif } #endif /* HAVE_AFFINITY */ -/* Load postprocessor, if available. */ - -void setup_post(afl_state_t *afl) { - - void *dh; - u8 * fn = afl->afl_env.afl_post_library; - u8 tbuf[6]; - u32 tlen = 6; - strncpy(tbuf, "hello", tlen); - - if (!fn) { return; } - - ACTF("Loading postprocessor from '%s'...", fn); - - dh = dlopen(fn, RTLD_NOW); - if (!dh) { FATAL("%s", dlerror()); } - - afl->post_handler = dlsym(dh, "afl_postprocess"); - if (!afl->post_handler) { FATAL("Symbol 'afl_postprocess' not found."); } - afl->post_init = dlsym(dh, "afl_postprocess_init"); - if (!afl->post_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } - afl->post_deinit = dlsym(dh, "afl_postprocess_deinit"); - if (!afl->post_deinit) { - - FATAL("Symbol 'afl_postprocess_deinit' not found."); - - } - - /* Do a quick test. It's better to segfault now than later =) */ - - u8 *post_buf = NULL; - afl->post_data = afl->post_init(afl); - if (!afl->post_data) { FATAL("Could not initialize post handler."); } - - size_t post_len = afl->post_handler(afl->post_data, tbuf, tlen, &post_buf); - if (!post_len || !post_buf) { - - SAYF("Empty return in test post handler for buf=\"hello\\0\"."); - - } - - OKF("Postprocessor installed successfully."); - -} - /* Shuffle an array of pointers. Might be slightly biased. */ static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) { @@ -1375,6 +1330,19 @@ void setup_dirs_fds(afl_state_t *afl) { } + /* + if (afl->is_master) { + + u8 *x = alloc_printf("%s/%s/is_master", afl->sync_dir, afl->sync_id); + int fd = open(x, O_CREAT | O_RDWR, 0644); + if (fd < 0) FATAL("cannot create %s", x); + free(x); + close(fd); + + } + + */ + if (mkdir(afl->out_dir, 0700)) { if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); } @@ -1565,7 +1533,7 @@ void check_crash_handling(void) { until I get a box to test the code. So, for now, we check for crash reporting the awful way. */ -#if !TARGET_OS_IPHONE + #if !TARGET_OS_IPHONE if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; SAYF( @@ -1583,7 +1551,7 @@ void check_crash_handling(void) { " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); -#endif + #endif if (!get_afl_env("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Crash reporter detected"); @@ -1778,26 +1746,26 @@ void get_core_count(afl_state_t *afl) { /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ -#ifdef __APPLE__ + #ifdef __APPLE__ if (sysctlbyname("hw.logicalcpu", &afl->cpu_core_count, &s, NULL, 0) < 0) return; -#else + #else int s_name[2] = {CTL_HW, HW_NCPU}; if (sysctl(s_name, 2, &afl->cpu_core_count, &s, NULL, 0) < 0) return; -#endif /* ^__APPLE__ */ + #endif /* ^__APPLE__ */ #else -#ifdef HAVE_AFFINITY + #ifdef HAVE_AFFINITY afl->cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); -#else + #else FILE *f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -1809,7 +1777,7 @@ void get_core_count(afl_state_t *afl) { fclose(f); -#endif /* ^HAVE_AFFINITY */ + #endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ @@ -1863,14 +1831,6 @@ void fix_up_sync(afl_state_t *afl) { if (afl->dumb_mode) { FATAL("-S / -M and -n are mutually exclusive"); } - if (afl->skip_deterministic) { - - if (afl->force_deterministic) { FATAL("use -S instead of -M -d"); } - // else - // FATAL("-S already implies -d"); - - } - while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') { @@ -1890,13 +1850,6 @@ void fix_up_sync(afl_state_t *afl) { afl->sync_dir = afl->out_dir; afl->out_dir = x; - if (!afl->force_deterministic) { - - afl->skip_deterministic = 1; - afl->use_splicing = 1; - - } - } /* Handle screen resize (SIGWINCH). */ @@ -2043,7 +1996,11 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if (afl->afl_env.afl_skip_bin_check || afl->use_wine) { return; } + if (afl->afl_env.afl_skip_bin_check || afl->use_wine || afl->unicorn_mode) { + + return; + + } /* Check for blatant user errors. */ @@ -2102,12 +2059,12 @@ void check_binary(afl_state_t *afl, u8 *fname) { #else -#if !defined(__arm__) && !defined(__arm64__) + #if !defined(__arm__) && !defined(__arm64__) if ((f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) && (f_data[0] != 0xCA || f_data[1] != 0xFE || f_data[2] != 0xBA)) FATAL("Program '%s' is not a 64-bit or universal Mach-O binary", afl->fsrv.target_path); -#endif + #endif #endif /* ^!__APPLE__ */ diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 027add49..87cb86fa 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -108,6 +108,9 @@ void setup_custom_mutators(afl_state_t *afl) { #endif + if (afl->post_library_mutator) + list_append(&afl->custom_mutator_list, afl->post_library_mutator); + } void destroy_custom_mutators(afl_state_t *afl) { @@ -117,14 +120,14 @@ void destroy_custom_mutators(afl_state_t *afl) { LIST_FOREACH_CLEAR(&afl->custom_mutator_list, struct custom_mutator, { if (!el->data) { FATAL("Deintializing NULL mutator"); } - el->afl_custom_deinit(el->data); + if (el->afl_custom_deinit) el->afl_custom_deinit(el->data); if (el->dh) dlclose(el->dh); - if (el->pre_save_buf) { + if (el->post_process_buf) { - ck_free(el->pre_save_buf); - el->pre_save_buf = NULL; - el->pre_save_size = 0; + ck_free(el->post_process_buf); + el->post_process_buf = NULL; + el->post_process_size = 0; } @@ -151,7 +154,7 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* Mutator */ /* "afl_custom_init", optional for backward compatibility */ mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_init) FATAL("Symbol 'afl_custom_init' not found."); /* "afl_custom_fuzz" or "afl_custom_mutator", required */ mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); @@ -162,36 +165,41 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator"); if (!mutator->afl_custom_fuzz) - FATAL("Symbol 'afl_custom_mutator' not found."); + WARNF("Symbol 'afl_custom_mutator' not found."); } - /* "afl_custom_pre_save", optional */ - mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); - if (!mutator->afl_custom_pre_save) - WARNF("Symbol 'afl_custom_pre_save' not found."); + /* "afl_custom_deinit", optional for backward compatibility */ + mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); + if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_init' not found."); + + /* "afl_custom_post_process", optional */ + mutator->afl_custom_post_process = dlsym(dh, "afl_custom_post_process"); + if (!mutator->afl_custom_post_process) + ACTF("optional symbol 'afl_custom_post_process' not found."); u8 notrim = 0; /* "afl_custom_init_trim", optional */ mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim"); if (!mutator->afl_custom_init_trim) - WARNF("Symbol 'afl_custom_init_trim' not found."); + ACTF("optional symbol 'afl_custom_init_trim' not found."); /* "afl_custom_trim", optional */ mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim"); - if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found."); + if (!mutator->afl_custom_trim) + ACTF("optional symbol 'afl_custom_trim' not found."); /* "afl_custom_post_trim", optional */ mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim"); if (!mutator->afl_custom_post_trim) - WARNF("Symbol 'afl_custom_post_trim' not found."); + ACTF("optional symbol 'afl_custom_post_trim' not found."); if (notrim) { mutator->afl_custom_init_trim = NULL; mutator->afl_custom_trim = NULL; mutator->afl_custom_post_trim = NULL; - WARNF( + ACTF( "Custom mutator does not implement all three trim APIs, standard " "trimming will be used."); @@ -200,23 +208,23 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation"); if (!mutator->afl_custom_havoc_mutation) - WARNF("Symbol 'afl_custom_havoc_mutation' not found."); + ACTF("optional symbol 'afl_custom_havoc_mutation' not found."); /* "afl_custom_havoc_mutation", optional */ mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability"); if (!mutator->afl_custom_havoc_mutation_probability) - WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found."); + ACTF("optional symbol 'afl_custom_havoc_mutation_probability' not found."); /* "afl_custom_queue_get", optional */ mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get"); if (!mutator->afl_custom_queue_get) - WARNF("Symbol 'afl_custom_queue_get' not found."); + ACTF("optional symbol 'afl_custom_queue_get' not found."); /* "afl_custom_queue_new_entry", optional */ mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry"); if (!mutator->afl_custom_queue_new_entry) - WARNF("Symbol 'afl_custom_queue_new_entry' not found"); + ACTF("optional symbol 'afl_custom_queue_new_entry' not found"); OKF("Custom mutator '%s' installed successfully.", fn); diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 832dba06..2044c97d 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -35,11 +35,11 @@ static void *unsupported(afl_state_t *afl, unsigned int seed) { } -/* sorry for this makro... -it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ -#define BUF_PARAMS(name) \ - (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ - &((py_mutator_t *)py_mutator)->name##_size + /* sorry for this makro... + it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ + #define BUF_PARAMS(name) \ + (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ + &((py_mutator_t *)py_mutator)->name##_size static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size) { @@ -71,12 +71,12 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, PyTuple_SetItem(py_args, 1, py_value); -/* max_size */ -#if PY_MAJOR_VERSION >= 3 + /* max_size */ + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else + #else py_value = PyInt_FromLong(max_size); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -118,11 +118,11 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { Py_Initialize(); -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 PyObject *py_name = PyUnicode_FromString(module_name); -#else + #else PyObject *py_name = PyString_FromString(module_name); -#endif + #endif py->py_module = PyImport_Import(py_name); Py_DECREF(py_name); @@ -135,9 +135,15 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { u8 py_notrim = 0, py_idx; /* init, required */ py_functions[PY_FUNC_INIT] = PyObject_GetAttrString(py_module, "init"); + if (!py_functions[PY_FUNC_INIT]) + FATAL("init function not found in python module"); py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "fuzz"); - py_functions[PY_FUNC_PRE_SAVE] = - PyObject_GetAttrString(py_module, "pre_save"); + if (!py_functions[PY_FUNC_FUZZ]) + py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); + if (!py_functions[PY_FUNC_FUZZ]) + WARNF("fuzz function not found in python module"); + py_functions[PY_FUNC_POST_PROCESS] = + PyObject_GetAttrString(py_module, "post_process"); py_functions[PY_FUNC_INIT_TRIM] = PyObject_GetAttrString(py_module, "init_trim"); py_functions[PY_FUNC_POST_TRIM] = @@ -152,14 +158,16 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_QUEUE_NEW_ENTRY] = PyObject_GetAttrString(py_module, "queue_new_entry"); py_functions[PY_FUNC_DEINIT] = PyObject_GetAttrString(py_module, "deinit"); + if (!py_functions[PY_FUNC_DEINIT]) + FATAL("deinit function not found in python module"); for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) { if (!py_functions[py_idx] || !PyCallable_Check(py_functions[py_idx])) { - if (py_idx == PY_FUNC_PRE_SAVE) { + if (py_idx == PY_FUNC_POST_PROCESS) { - // Implenting the pre_save API is optional for now + // Implenting the post_process API is optional for now if (PyErr_Occurred()) { PyErr_Print(); } } else if (py_idx >= PY_FUNC_INIT_TRIM && py_idx <= PY_FUNC_TRIM) { @@ -243,11 +251,11 @@ static void init_py(afl_state_t *afl, py_mutator_t *py_mutator, /* Provide the init function a seed for the Python RNG */ py_args = PyTuple_New(1); -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(seed); -#else + #else py_value = PyInt_FromLong(seed); -#endif + #endif if (!py_value) { @@ -301,8 +309,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, struct custom_mutator *mutator; mutator = ck_alloc(sizeof(struct custom_mutator)); - mutator->pre_save_buf = NULL; - mutator->pre_save_size = 0; + mutator->post_process_buf = NULL; + mutator->post_process_size = 0; mutator->name = module_name; ACTF("Loading Python mutator library from '%s'...", module_name); @@ -322,9 +330,9 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, is quite different from the custom mutator. */ mutator->afl_custom_fuzz = fuzz_py; - if (py_functions[PY_FUNC_PRE_SAVE]) { + if (py_functions[PY_FUNC_POST_PROCESS]) { - mutator->afl_custom_pre_save = pre_save_py; + mutator->afl_custom_post_process = post_process_py; } @@ -376,7 +384,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, } -size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { +size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, + u8 **out_buf) { size_t py_out_buf_size; PyObject * py_args, *py_value; @@ -387,14 +396,15 @@ size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { if (!py_value) { Py_DECREF(py_args); - FATAL("Failed to convert arguments in custom pre_save"); + FATAL("Failed to convert arguments in custom post_process"); } PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_PRE_SAVE], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], + py_args); Py_DECREF(py_args); @@ -402,18 +412,19 @@ size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { py_out_buf_size = PyByteArray_Size(py_value); - ck_maybe_grow(BUF_PARAMS(pre_save), py_out_buf_size); + ck_maybe_grow(BUF_PARAMS(post_process), py_out_buf_size); - memcpy(py->pre_save_buf, PyByteArray_AsString(py_value), py_out_buf_size); + memcpy(py->post_process_buf, PyByteArray_AsString(py_value), + py_out_buf_size); Py_DECREF(py_value); - *out_buf = py->pre_save_buf; + *out_buf = py->post_process_buf; return py_out_buf_size; } else { PyErr_Print(); - FATAL("Python custom mutator: pre_save call failed."); + FATAL("Python custom mutator: post_process call failed."); } @@ -440,11 +451,11 @@ s32 init_trim_py(void *py_mutator, u8 *buf, size_t buf_size) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else + #else u32 retcnt = PyInt_AsLong(py_value); -#endif + #endif Py_DECREF(py_value); return retcnt; @@ -479,11 +490,11 @@ s32 post_trim_py(void *py_mutator, u8 success) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else + #else u32 retcnt = PyInt_AsLong(py_value); -#endif + #endif Py_DECREF(py_value); return retcnt; @@ -542,12 +553,12 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, PyTuple_SetItem(py_args, 0, py_value); -/* max_size */ -#if PY_MAJOR_VERSION >= 3 + /* max_size */ + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else + #else py_value = PyInt_FromLong(max_size); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -624,12 +635,12 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) { py_args = PyTuple_New(1); -// File name -#if PY_MAJOR_VERSION >= 3 + // File name + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename); -#else + #else py_value = PyString_FromString(filename); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -674,12 +685,12 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_args = PyTuple_New(2); -// New queue -#if PY_MAJOR_VERSION >= 3 + // New queue + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_new_queue); -#else + #else py_value = PyString_FromString(filename_new_queue); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -693,11 +704,11 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_value = Py_None; if (filename_orig_queue) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_orig_queue); -#else + #else py_value = PyString_FromString(filename_orig_queue); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -724,7 +735,7 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, } -#undef BUF_PARAMS + #undef BUF_PARAMS #endif /* USE_PYTHON */ diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4a22dad6..bbcd9a99 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -97,10 +97,10 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { - if (el->afl_custom_pre_save) { + if (el->afl_custom_post_process) { new_size = - el->afl_custom_pre_save(el->data, new_mem, new_size, &new_buf); + el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); } @@ -110,7 +110,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { if (unlikely(!new_buf && (new_size <= 0))) { - FATAL("Custom_pre_save failed (ret: %lu)", (long unsigned)new_size); + FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size); } else if (likely(new_buf)) { @@ -119,7 +119,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { } else { - /* custom mutators do not has a custom_pre_save function */ + /* custom mutators do not has a custom_post_process function */ afl_fsrv_write_to_testcase(&afl->fsrv, mem, len); } @@ -191,7 +191,7 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 handicap, u8 from_queue) { - u8 fault = 0, new_bits = 0, var_detected = 0, + u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0, first_run = (q->exec_cksum == 0); u64 start_us, stop_us; @@ -236,7 +236,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (q->exec_cksum) { memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); - u8 hnb = has_new_bits(afl, afl->virgin_bits); + hnb = has_new_bits(afl, afl->virgin_bits); if (hnb > new_bits) { new_bits = hnb; } } @@ -271,11 +271,11 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); - u8 hnb = has_new_bits(afl, afl->virgin_bits); - if (hnb > new_bits) { new_bits = hnb; } - if (q->exec_cksum != cksum) { + hnb = has_new_bits(afl, afl->virgin_bits); + if (hnb > new_bits) { new_bits = hnb; } + if (q->exec_cksum) { u32 i; @@ -401,6 +401,20 @@ void sync_fuzzers(afl_state_t *afl) { } + /* + // a slave only syncs from a master, a master syncs from everyone + if (likely(afl->is_slave)) { + + u8 x = alloc_printf("%s/%s/is_master", afl->sync_dir, sd_ent->d_name); + int res = access(x, F_OK); + free(x); + if (res != 0) + continue; + + } + + */ + /* Skip anything that doesn't have a queue/ subdirectory. */ qd_path = alloc_printf("%s/%s/queue", afl->sync_dir, sd_ent->d_name); @@ -690,18 +704,6 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (afl->post_handler) { - - u8 *post_buf = NULL; - - size_t post_len = - afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) { return 0; } - out_buf = post_buf; - len = post_len; - - } - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 4f5389e3..99863103 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -313,8 +313,10 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl_environment_variable_len)) { - afl->afl_env.afl_post_library = - (u8 *)get_afl_env(afl_environment_variables[i]); + FATAL( + "AFL_POST_LIBRARY is deprecated, use " + "AFL_CUSTOM_MUTATOR_LIBRARY instead, see " + "docs/custom_mutators.md"); } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", @@ -371,7 +373,6 @@ void read_afl_environment(afl_state_t *afl, char **envp) { void afl_state_deinit(afl_state_t *afl) { - if (afl->post_deinit) { afl->post_deinit(afl->post_data); } if (afl->in_place_resume) { ck_free(afl->in_dir); } if (afl->sync_id) { ck_free(afl->out_dir); } if (afl->pass_stats) { ck_free(afl->pass_stats); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index aaf615e9..8625c37c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -187,7 +187,6 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" "AFL_NO_UI: switch status screen off\n" "AFL_PATH: path to AFL support binaries\n" - "AFL_POST_LIBRARY: postprocess generated test cases before use as target input\n" "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" "AFL_QUIET: suppress forkserver status messages\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" @@ -390,7 +389,7 @@ int main(int argc, char **argv_orig, char **envp) { } - afl->force_deterministic = 1; + afl->is_master = 1; } @@ -400,6 +399,9 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); + afl->is_slave = 1; + afl->skip_deterministic = 1; + afl->use_splicing = 1; break; case 'f': /* target file */ @@ -500,12 +502,6 @@ int main(int argc, char **argv_orig, char **envp) { case 'd': /* skip deterministic */ - if (afl->skip_deterministic) { - - FATAL("Multiple -d options not supported"); - - } - afl->skip_deterministic = 1; afl->use_splicing = 1; break; @@ -794,8 +790,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->force_deterministic && - afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_master && afl->afl_env.afl_custom_mutator_only) { WARNF( "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " @@ -853,7 +848,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#if defined(__SANITIZE_ADDRESS__) + #if defined(__SANITIZE_ADDRESS__) if (afl->fsrv.mem_limit) { WARNF("in the ASAN build we disable all memory limits"); @@ -861,7 +856,7 @@ int main(int argc, char **argv_orig, char **envp) { } -#endif + #endif setup_signal_handlers(); check_asan_opts(); @@ -1054,9 +1049,9 @@ int main(int argc, char **argv_orig, char **envp) { get_core_count(afl); -#ifdef HAVE_AFFINITY + #ifdef HAVE_AFFINITY bind_to_free_cpu(afl); -#endif /* HAVE_AFFINITY */ + #endif /* HAVE_AFFINITY */ check_crash_handling(); check_cpu_governor(afl); @@ -1064,8 +1059,6 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->dumb_mode); - setup_post(afl); - if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); } memset(afl->virgin_tmout, 255, afl->fsrv.map_size); memset(afl->virgin_crash, 255, afl->fsrv.map_size); @@ -1352,12 +1345,12 @@ stop_fuzzing: } -#ifdef PROFILING + #ifdef PROFILING SAYF(cYEL "[!] " cRST "Profiling information: %llu ms total work, %llu ns/run\n", time_spent_working / 1000000, time_spent_working / afl->fsrv.total_execs); -#endif + #endif fclose(afl->fsrv.plot_file); destroy_queue(afl); diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index ab7aad5c..43b3196b 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -32,11 +32,11 @@ #define AFL_MAIN #ifndef _GNU_SOURCE -#define _GNU_SOURCE + #define _GNU_SOURCE #endif #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include <stdio.h> #include <stdlib.h> @@ -55,22 +55,22 @@ #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ defined(__APPLE__) || defined(__DragonFly__) -#define HAVE_AFFINITY 1 -#if defined(__FreeBSD__) || defined(__DragonFly__) -#include <pthread.h> -#include <pthread_np.h> -#if defined(__FreeBSD__) -#include <sys/cpuset.h> -#endif -#define cpu_set_t cpuset_t -#elif defined(__NetBSD__) -#include <pthread.h> -#include <sched.h> -#elif defined(__APPLE__) -#include <pthread.h> -#include <mach/thread_act.h> -#include <mach/thread_policy.h> -#endif + #define HAVE_AFFINITY 1 + #if defined(__FreeBSD__) || defined(__DragonFly__) + #include <pthread.h> + #include <pthread_np.h> + #if defined(__FreeBSD__) + #include <sys/cpuset.h> + #endif + #define cpu_set_t cpuset_t + #elif defined(__NetBSD__) + #include <pthread.h> + #include <sched.h> + #elif defined(__APPLE__) + #include <pthread.h> + #include <mach/thread_act.h> + #include <mach/thread_policy.h> + #endif #endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ /* Get CPU usage in microseconds. */ @@ -163,46 +163,46 @@ int main(int argc, char **argv) { if (!fr) { u32 util_perc; -#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) cpu_set_t c; CPU_ZERO(&c); CPU_SET(i, &c); -#elif defined(__NetBSD__) + #elif defined(__NetBSD__) cpuset_t *c; c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); -#elif defined(__APPLE__) + #elif defined(__APPLE__) thread_affinity_policy_data_t c = {i}; thread_port_t native_thread = pthread_mach_thread_np(pthread_self()); if (thread_policy_set(native_thread, THREAD_AFFINITY_POLICY, (thread_policy_t)&c, 1) != KERN_SUCCESS) PFATAL("thread_policy_set failed"); -#endif + #endif -#if defined(__FreeBSD__) || defined(__DragonFly__) + #if defined(__FreeBSD__) || defined(__DragonFly__) if (pthread_setaffinity_np(pthread_self(), sizeof(c), &c)) PFATAL("pthread_setaffinity_np failed"); -#endif + #endif -#if defined(__NetBSD__) + #if defined(__NetBSD__) if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) PFATAL("pthread_setaffinity_np failed"); cpuset_destroy(c); -#endif + #endif -#if defined(__linux__) + #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { PFATAL("sched_setaffinity failed for cpu %d", i); } -#endif + #endif util_perc = measure_preemption(CTEST_CORE_TRG_MS); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index e024eb18..f5817293 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -27,7 +27,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" @@ -56,8 +56,8 @@ #include <sys/mman.h> #ifndef USEMMAP -#include <sys/ipc.h> -#include <sys/shm.h> + #include <sys/ipc.h> + #include <sys/shm.h> #endif static list_t shm_list = {.element_prealloc_count = 0}; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index ed59f2f5..560c8cf6 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -32,7 +32,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" #include "types.h" diff --git a/src/afl-tmin.c b/src/afl-tmin.c index e15dc72d..091e5177 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -30,7 +30,7 @@ #define AFL_MAIN #ifdef __ANDROID__ -#include "android-ashmem.h" + #include "android-ashmem.h" #endif #include "config.h" |