diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/afl-common.c | 6 | ||||
| -rw-r--r-- | src/afl-forkserver.c | 27 | ||||
| -rw-r--r-- | src/afl-fuzz-bitmap.c | 8 | ||||
| -rw-r--r-- | src/afl-fuzz-init.c | 79 | ||||
| -rw-r--r-- | src/afl-fuzz-one.c | 37 | ||||
| -rw-r--r-- | src/afl-fuzz-queue.c | 2 | ||||
| -rw-r--r-- | src/afl-fuzz-run.c | 40 | ||||
| -rw-r--r-- | src/afl-fuzz-stats.c | 41 | ||||
| -rw-r--r-- | src/afl-fuzz.c | 60 | ||||
| -rw-r--r-- | src/afl-sharedmem.c | 25 |
10 files changed, 190 insertions, 135 deletions
diff --git a/src/afl-common.c b/src/afl-common.c index a3692756..f4cba573 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -253,7 +253,8 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to " "use it as a\n" - " traditional \"dumb\" fuzzer by specifying '-n' in the command " + " traditional non-instrumented fuzzer by specifying '-n' in the " + "command " "line.\n"); FATAL("Failed to locate 'afl-qemu-trace'."); @@ -353,7 +354,8 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to " "use it as a\n" - " traditional \"dumb\" fuzzer by specifying '-n' in the command " + " traditional non-instrumented fuzzer by specifying '-n' in the " + "command " "line.\n", ncp); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a0e08589..0b53d7c0 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -167,7 +167,7 @@ static u32 read_s32_timed(s32 fd, s32 *buf, u32 timeout_ms, } -/* Internal forkserver for dumb_mode=1 and non-forkserver mode runs. +/* Internal forkserver for non_instrumented_mode=1 and non-forkserver mode runs. It execvs for each fork, forwarding exit codes and child pids to afl. */ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { @@ -286,7 +286,7 @@ static void report_error_and_exit(int error) { } -/* Spins up fork server (instrumented mode only). The idea is explained here: +/* Spins up fork server. The idea is explained here: http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html @@ -305,7 +305,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (fsrv->use_fauxsrv) { - /* TODO: Come up with sone nice way to initalize this all */ + /* TODO: Come up with sone nice way to initialize this all */ if (fsrv->init_child_func != fsrv_exec_child) { @@ -454,8 +454,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, rlen = 0; if (fsrv->exec_tmout) { - u32 time_ms = read_s32_timed(fsrv->fsrv_st_fd, &status, - fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); + u32 time_ms = + read_s32_timed(fsrv->fsrv_st_fd, &status, + fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); if (!time_ms) { @@ -505,7 +506,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_SHDMEM_FUZZ) == FS_OPT_SHDMEM_FUZZ) { - if (fsrv->support_shdmen_fuzz) { + if (fsrv->support_shmem_fuzz) { fsrv->use_shdmen_fuzz = 1; if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); } @@ -521,6 +522,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } + } else { + + FATAL( + "Target requested sharedmem fuzzing, but we failed to enable " + "it."); + } } @@ -822,10 +829,10 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) { void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { - if (fsrv->shdmem_fuzz) { + if (fsrv->shmem_fuzz) { - memcpy(fsrv->shdmem_fuzz, buf, len); - fsrv->shdmem_fuzz_len = len; + memcpy(fsrv->shmem_fuzz, buf, len); + *fsrv->shmem_fuzz_len = len; } else { @@ -887,8 +894,6 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, MEM_BARRIER(); - if (fsrv->shdmem_fuzz_len) write_value += (fsrv->shdmem_fuzz_len << 8); - /* we have the fork server (or faux server) up and running First, tell it if the previous run timed out. */ diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index ff078319..5b98be9e 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -623,14 +623,14 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { /* Timeouts are not very interesting, but we're still obliged to keep a handful of samples. We use the presence of new bits in the - hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we - just keep everything. */ + hang-specific bitmap as a signal of uniqueness. In "non-instrumented" + mode, we just keep everything. */ ++afl->total_tmouts; if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; } - if (likely(!afl->dumb_mode)) { + if (likely(!afl->non_instrumented_mode)) { #ifdef WORD_SIZE_64 simplify_trace(afl, (u64 *)afl->fsrv.trace_bits); @@ -698,7 +698,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; } - if (likely(!afl->dumb_mode)) { + if (likely(!afl->non_instrumented_mode)) { #ifdef WORD_SIZE_64 simplify_trace(afl, (u64 *)afl->fsrv.trace_bits); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9349fefe..96d4fc46 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1315,10 +1315,10 @@ dir_cleanup_failed: } -/* If this is a -S slave, ensure a -M master is running, if a master is - running when another master is started then warn */ +/* If this is a -S secondary node, ensure a -M main node is running, + if a main node is running when another main is started, then warn */ -int check_master_exists(afl_state_t *afl) { +int check_main_node_exists(afl_state_t *afl) { DIR * sd; struct dirent *sd_ent; @@ -1337,7 +1337,7 @@ int check_master_exists(afl_state_t *afl) { } - fn = alloc_printf("%s/%s/is_master", afl->sync_dir, sd_ent->d_name); + fn = alloc_printf("%s/%s/is_main_node", afl->sync_dir, sd_ent->d_name); int res = access(fn, F_OK); free(fn); if (res == 0) return 1; @@ -1392,9 +1392,9 @@ void setup_dirs_fds(afl_state_t *afl) { } - if (afl->is_master) { + if (afl->is_main_node) { - u8 *x = alloc_printf("%s/is_master", afl->out_dir); + u8 *x = alloc_printf("%s/is_main_node", afl->out_dir); int fd = open(x, O_CREAT | O_RDWR, 0644); if (fd < 0) FATAL("cannot create %s", x); free(x); @@ -1859,7 +1859,11 @@ void fix_up_sync(afl_state_t *afl) { u8 *x = afl->sync_id; - if (afl->dumb_mode) { FATAL("-S / -M and -n are mutually exclusive"); } + if (afl->non_instrumented_mode) { + + FATAL("-S / -M and -n are mutually exclusive"); + + } while (*x) { @@ -1949,6 +1953,36 @@ static void handle_skipreq(int sig) { } +/* Setup shared map for fuzzing with input via sharedmem */ + +void setup_testcase_shmem(afl_state_t *afl) { + + afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + + // we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR + if ((afl->fsrv.shmem_fuzz_len = + (u32 *)afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) { + +#ifdef USEMMAP + setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); +#else + u8 *shm_str; + shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); +#endif + afl->fsrv.support_shmem_fuzz = 1; + afl->fsrv.shmem_fuzz = (u8 *)(afl->fsrv.shmem_fuzz_len + sizeof(int)); + + } else { + + ck_free(afl->shm_fuzz); + afl->shm_fuzz = NULL; + + } + +} + /* Do a PATH search and find target binary to see that it exists and isn't a shell script - a common and painful mistake. We also check for a valid ELF header and for evidence of AFL instrumentation. */ @@ -2098,7 +2132,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ - if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->dumb_mode && + if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && + !afl->non_instrumented_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST @@ -2115,8 +2150,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { " mode support. Consult the README.md for tips on how to enable " "this.\n" - " (It is also possible to use afl-fuzz as a traditional, \"dumb\" " - "fuzzer.\n" + " (It is also possible to use afl-fuzz as a traditional, " + "non-instrumented fuzzer.\n" " For that, you can use the -n option - but expect much worse " "results.)\n", doc_path); @@ -2153,30 +2188,8 @@ void check_binary(afl_state_t *afl, u8 *fname) { OKF(cPIN "Persistent mode binary detected."); setenv(PERSIST_ENV_VAR, "1", 1); afl->persistent_mode = 1; - // do not fail if we can not get the fuzzing shared mem - if ((afl->shm_fuzz = calloc(1, sizeof(sharedmem_t)))) { - - // we need to set the dumb mode to not overwrite the SHM_ENV_VAR - if ((afl->fsrv.shdmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) { - -#ifdef USEMMAP - setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1); -#else - u8 *shm_str; - shm_str = alloc_printf("%d", afl->shm_fuzz->shm_id); - setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); - ck_free(shm_str); -#endif - afl->fsrv.support_shdmen_fuzz = 1; - - } else { - - free(afl->shm_fuzz); - afl->shm_fuzz = NULL; - } - - } + afl->shmem_testcase_mode = 1; } else if (getenv("AFL_PERSISTENT")) { diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 56f16b4c..578ac584 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -415,7 +415,7 @@ u8 fuzz_one_original(afl_state_t *afl) { } - } else if (!afl->dumb_mode && !afl->queue_cur->favored && + } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && afl->queued_paths > 10) { @@ -512,7 +512,8 @@ u8 fuzz_one_original(afl_state_t *afl) { * TRIMMING * ************/ - if (!afl->dumb_mode && !afl->queue_cur->trim_done && !afl->disable_trim) { + if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done && + !afl->disable_trim) { u8 res = trim_case(afl, afl->queue_cur, in_buf); @@ -577,10 +578,10 @@ u8 fuzz_one_original(afl_state_t *afl) { } /* Skip deterministic fuzzing if exec path checksum puts this out of scope - for this master instance. */ + for this main instance. */ - if (afl->master_max && - (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) { + if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) != + afl->main_node_id - 1) { goto custom_mutator_stage; @@ -650,7 +651,7 @@ u8 fuzz_one_original(afl_state_t *afl) { */ - if (!afl->dumb_mode && (afl->stage_cur & 7) == 7) { + if (!afl->non_instrumented_mode && (afl->stage_cur & 7) == 7) { u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); @@ -822,10 +823,10 @@ u8 fuzz_one_original(afl_state_t *afl) { u32 cksum; - /* If in dumb mode or if the file is very short, just flag everything - without wasting time on checksums. */ + /* If in non-instrumented mode or if the file is very short, just flag + everything without wasting time on checksums. */ - if (!afl->dumb_mode && len >= EFF_MIN_LEN) { + if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); @@ -2568,7 +2569,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } - } else if (!afl->dumb_mode && !afl->queue_cur->favored && + } else if (!afl->non_instrumented_mode && !afl->queue_cur->favored && afl->queued_paths > 10) { @@ -2660,7 +2661,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { * TRIMMING * ************/ - if (!afl->dumb_mode && !afl->queue_cur->trim_done) { + if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done) { u8 res = trim_case(afl, afl->queue_cur, in_buf); @@ -2730,10 +2731,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { } /* Skip deterministic fuzzing if exec path checksum puts this out of scope - for this master instance. */ + for this main instance. */ - if (afl->master_max && - (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) { + if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) != + afl->main_node_id - 1) { goto havoc_stage; @@ -2803,7 +2804,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { */ - if (!afl->dumb_mode && (afl->stage_cur & 7) == 7) { + if (!afl->non_instrumented_mode && (afl->stage_cur & 7) == 7) { u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); @@ -2975,10 +2976,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { u32 cksum; - /* If in dumb mode or if the file is very short, just flag everything - without wasting time on checksums. */ + /* If in non-instrumented mode or if the file is very short, just flag + everything without wasting time on checksums. */ - if (!afl->dumb_mode && len >= EFF_MIN_LEN) { + if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index cfeb6c5e..ea7f57e2 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -303,7 +303,7 @@ void cull_queue(afl_state_t *afl) { u32 i; u8 * temp_v = afl->map_tmp_buf; - if (afl->dumb_mode || !afl->score_changed) { return; } + if (afl->non_instrumented_mode || !afl->score_changed) { return; } afl->score_changed = 0; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 04450363..91a64fba 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -27,6 +27,7 @@ #include "afl-fuzz.h" #include <sys/time.h> #include <signal.h> +#include <limits.h> #include "cmplog.h" @@ -231,13 +232,13 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); - if (afl->fsrv.support_shdmen_fuzz && !afl->fsrv.use_shdmen_fuzz) { + if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shdmen_fuzz) { afl_shm_deinit(afl->shm_fuzz); - free(afl->shm_fuzz); + ck_free(afl->shm_fuzz); afl->shm_fuzz = NULL; - afl->fsrv.support_shdmen_fuzz = 0; - afl->fsrv.shdmem_fuzz = NULL; + afl->fsrv.support_shmem_fuzz = 0; + afl->fsrv.shmem_fuzz = NULL; } @@ -272,7 +273,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; } - if (!afl->dumb_mode && !afl->stage_cur && + if (!afl->non_instrumented_mode && !afl->stage_cur && !count_bytes(afl, afl->fsrv.trace_bits)) { fault = FSRV_RUN_NOINST; @@ -337,7 +338,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, parent. This is a non-critical problem, but something to warn the user about. */ - if (!afl->dumb_mode && first_run && !fault && !new_bits) { + if (!afl->non_instrumented_mode && first_run && !fault && !new_bits) { fault = FSRV_RUN_NOBITS; @@ -412,17 +413,17 @@ void sync_fuzzers(afl_state_t *afl) { entries++; - // a slave only syncs from a master, a master syncs from everyone - if (likely(afl->is_slave)) { + // secondary nodes only syncs from main, the main node syncs from everyone + if (likely(afl->is_secondary_node)) { - sprintf(qd_path, "%s/%s/is_master", afl->sync_dir, sd_ent->d_name); + sprintf(qd_path, "%s/%s/is_main_node", afl->sync_dir, sd_ent->d_name); int res = access(qd_path, F_OK); - if (unlikely(afl->is_master)) { // an elected temporary master + if (unlikely(afl->is_main_node)) { // an elected temporary main node - if (likely(res == 0)) { // there is another master? downgrade. + if (likely(res == 0)) { // there is another main node? downgrade. - afl->is_master = 0; - sprintf(qd_path, "%s/is_master", afl->out_dir); + afl->is_main_node = 0; + sprintf(qd_path, "%s/is_main_node", afl->out_dir); unlink(qd_path); } @@ -561,16 +562,17 @@ void sync_fuzzers(afl_state_t *afl) { closedir(sd); - // If we are a slave and no master was found to sync then become the master - if (unlikely(synced == 0) && likely(entries) && likely(afl->is_slave)) { + // If we are a secondary and no main was found to sync then become the main + if (unlikely(synced == 0) && likely(entries) && + likely(afl->is_secondary_node)) { - // there is a small race condition here that another slave runs at the same - // time. If so, the first temporary master running again will demote + // there is a small race condition here that another secondary runs at the + // same time. If so, the first temporary main node running again will demote // themselves so this is not an issue u8 path[PATH_MAX]; - afl->is_master = 1; - sprintf(path, "%s/is_master", afl->out_dir); + afl->is_main_node = 1; + sprintf(path, "%s/is_main_node", afl->out_dir); int fd = open(path, O_CREAT | O_RDWR, 0644); if (fd >= 0) { close(fd); } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 014ed34d..1f5552e0 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -103,7 +103,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "afl_banner : %s\n" "afl_version : " VERSION "\n" - "target_mode : %s%s%s%s%s%s%s%s\n" + "target_mode : %s%s%s%s%s%s%s%s%s\n" "command_line : %s\n", afl->start_time / 1000, cur_time / 1000, (cur_time - afl->start_time) / 1000, (u32)getpid(), @@ -125,11 +125,12 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, #endif t_bytes, afl->var_byte_count, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", - afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "", - afl->crash_mode ? "crash " : "", + afl->non_instrumented_mode ? " non_instrumented " : "", + afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->persistent_mode ? "persistent " : "", + afl->shmem_testcase_mode ? "shmem_testcase " : "", afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->dumb_mode || + (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->non_instrumented_mode || afl->no_forkserver || afl->crash_mode || afl->persistent_mode || afl->deferred_mode) ? "" @@ -137,6 +138,20 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->orig_cmdline); /* ignore errors */ + if (afl->debug) { + + fprintf(f, "virgin_bytes :"); + for (uint32_t i = 0; i < afl->fsrv.map_size; i++) + if (afl->virgin_bits[i] != 0xff) + fprintf(f, " %d[%02x]", i, afl->virgin_bits[i]); + fprintf(f, "\n"); + fprintf(f, "var_bytes :"); + for (uint32_t i = 0; i < afl->fsrv.map_size; i++) + if (afl->var_bytes[i]) fprintf(f, " %d", i); + fprintf(f, "\n"); + + } + fclose(f); } @@ -326,7 +341,7 @@ void show_stats(afl_state_t *afl) { /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ - if (!afl->dumb_mode && afl->cycles_wo_finds > 100 && + if (!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done) { afl->stop_soon = 2; @@ -414,7 +429,7 @@ void show_stats(afl_state_t *afl) { " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA " overall results " bSTG bH2 bH2 bRT "\n"); - if (afl->dumb_mode) { + if (afl->non_instrumented_mode) { strcpy(tmp, cRST); @@ -460,7 +475,7 @@ void show_stats(afl_state_t *afl) { /* We want to warn people about not seeing new paths after a full cycle, except when resuming fuzzing or running in non-instrumented mode. */ - if (!afl->dumb_mode && + if (!afl->non_instrumented_mode && (afl->last_path_time || afl->resuming_fuzz || afl->queue_cycle == 1 || afl->in_bitmap || afl->crash_mode)) { @@ -469,7 +484,7 @@ void show_stats(afl_state_t *afl) { } else { - if (afl->dumb_mode) { + if (afl->non_instrumented_mode) { SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST " (non-instrumented mode) "); @@ -524,8 +539,9 @@ void show_stats(afl_state_t *afl) { t_byte_ratio); SAYF(" map density : %s%-21s" bSTG bV "\n", - t_byte_ratio > 70 ? cLRD - : ((t_bytes < 200 && !afl->dumb_mode) ? cPIN : cRST), + t_byte_ratio > 70 + ? cLRD + : ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST), tmp); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->cur_skipped_paths), @@ -1020,10 +1036,11 @@ void show_init_stats(afl_state_t *afl) { } - /* In dumb mode, re-running every timing out test case with a generous time + /* In non-instrumented mode, re-running every timing out test case with a + generous time limit is very expensive, so let's select a more conservative default. */ - if (afl->dumb_mode && !(afl->afl_env.afl_hang_tmout)) { + if (afl->non_instrumented_mode && !(afl->afl_env.afl_hang_tmout)) { afl->hang_tmout = MIN(EXEC_TIMEOUT, afl->fsrv.exec_tmout * 2 + 100); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e024e9a4..07e1584b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -130,7 +130,7 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { " -N - do not unlink the fuzzing input file (only for " "devices etc.!)\n" " -d - quick & dirty mode (skips deterministic steps)\n" - " -n - fuzz without instrumentation (dumb mode)\n" + " -n - fuzz without instrumentation (non-instrumented mode)\n" " -x dir - optional fuzzer dictionary (see README.md, its really " "good!)\n\n" @@ -379,17 +379,19 @@ int main(int argc, char **argv_orig, char **envp) { *c = 0; - if (sscanf(c + 1, "%u/%u", &afl->master_id, &afl->master_max) != 2 || - !afl->master_id || !afl->master_max || - afl->master_id > afl->master_max || afl->master_max > 1000000) { + if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) != + 2 || + !afl->main_node_id || !afl->main_node_max || + afl->main_node_id > afl->main_node_max || + afl->main_node_max > 1000000) { - FATAL("Bogus master ID passed to -M"); + FATAL("Bogus main node ID passed to -M"); } } - afl->is_master = 1; + afl->is_main_node = 1; } @@ -399,7 +401,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); - afl->is_slave = 1; + afl->is_secondary_node = 1; afl->skip_deterministic = 1; afl->use_splicing = 1; break; @@ -533,14 +535,19 @@ int main(int argc, char **argv_orig, char **envp) { case 'n': /* dumb mode */ - if (afl->dumb_mode) { FATAL("Multiple -n options not supported"); } + if (afl->non_instrumented_mode) { + + FATAL("Multiple -n options not supported"); + + } + if (afl->afl_env.afl_dumb_forksrv) { - afl->dumb_mode = 2; + afl->non_instrumented_mode = 2; } else { - afl->dumb_mode = 1; + afl->non_instrumented_mode = 1; } @@ -556,6 +563,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); } afl->fsrv.qemu_mode = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; } @@ -572,6 +580,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); } afl->unicorn_mode = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; } @@ -582,6 +591,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->use_wine) { FATAL("Multiple -W options not supported"); } afl->fsrv.qemu_mode = 1; afl->use_wine = 1; + afl->shmem_testcase_mode = 1; if (!mem_limit_given) { afl->fsrv.mem_limit = 0; } @@ -790,10 +800,12 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->is_master && afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_main_node && + afl->afl_env.afl_custom_mutator_only) { WARNF( - "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " + "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options " + "will " "result in no deterministic mutations being done!"); } @@ -841,7 +853,7 @@ int main(int argc, char **argv_orig, char **envp) { } - /* randamsa_init installs some signal hadlers, call it before + /* radamsa_init installs some signal handlers, call it before setup_signal_handlers so that AFL++ can then replace those signal handlers */ radamsa_init_ptr(); @@ -871,7 +883,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->dumb_mode) { + if (afl->non_instrumented_mode) { if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); } if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); } @@ -954,13 +966,13 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->dumb_mode == 2 && afl->no_forkserver) { + if (afl->non_instrumented_mode == 2 && afl->no_forkserver) { FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); } - afl->fsrv.use_fauxsrv = afl->dumb_mode == 1 || afl->no_forkserver; + afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; if (getenv("LD_PRELOAD")) { @@ -1057,7 +1069,7 @@ int main(int argc, char **argv_orig, char **envp) { check_cpu_governor(afl); afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->dumb_mode); + afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); } memset(afl->virgin_tmout, 255, afl->fsrv.map_size); @@ -1065,7 +1077,7 @@ int main(int argc, char **argv_orig, char **envp) { init_count_class16(); - if (afl->is_master && check_master_exists(afl) == 1) { + if (afl->is_main_node && check_main_node_exists(afl) == 1) { WARNF("it is wasteful to run more than one master!"); sleep(1); @@ -1074,9 +1086,9 @@ int main(int argc, char **argv_orig, char **envp) { setup_dirs_fds(afl); - if (afl->is_slave && check_master_exists(afl) == 0) { + if (afl->is_secondary_node && check_main_node_exists(afl) == 0) { - WARNF("no -M master found. You need to run one master!"); + WARNF("no -M main node found. You need to run one main instance!"); sleep(5); } @@ -1178,6 +1190,8 @@ int main(int argc, char **argv_orig, char **envp) { check_binary(afl, argv[optind]); + if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } + afl->start_time = get_cur_time(); if (afl->fsrv.qemu_mode) { @@ -1366,10 +1380,10 @@ stop_fuzzing: time_spent_working / afl->fsrv.total_execs); #endif - if (afl->is_master) { + if (afl->is_main_node) { u8 path[PATH_MAX]; - sprintf(path, "%s/is_master", afl->out_dir); + sprintf(path, "%s/is_main_node", afl->out_dir); unlink(path); } @@ -1383,7 +1397,7 @@ stop_fuzzing: if (afl->shm_fuzz) { afl_shm_deinit(afl->shm_fuzz); - free(afl->shm_fuzz); + ck_free(afl->shm_fuzz); } diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index f5817293..63013435 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -96,7 +96,8 @@ void afl_shm_deinit(sharedmem_t *shm) { Returns a pointer to shm->map for ease of use. */ -u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { +u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, + unsigned char non_instrumented_mode) { shm->map_size = map_size; @@ -137,12 +138,12 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { } - /* If somebody is asking us to fuzz instrumented binaries in dumb mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* If somebody is asking us to fuzz instrumented binaries in non-instrumented + mode, we don't want them to detect instrumentation, since we won't be + sending fork server commands. This should be replaced with better + auto-detection later on, perhaps? */ - if (!dumb_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); + if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); if (shm->map == -1 || !shm->map) PFATAL("mmap() failed"); @@ -164,12 +165,12 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { shm_str = alloc_printf("%d", shm->shm_id); - /* If somebody is asking us to fuzz instrumented binaries in dumb mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* If somebody is asking us to fuzz instrumented binaries in non-instrumented + mode, we don't want them to detect instrumentation, since we won't be + sending fork server commands. This should be replaced with better + auto-detection later on, perhaps? */ - if (!dumb_mode) { setenv(SHM_ENV_VAR, shm_str, 1); } + if (!non_instrumented_mode) { setenv(SHM_ENV_VAR, shm_str, 1); } ck_free(shm_str); @@ -177,7 +178,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { shm_str = alloc_printf("%d", shm->cmplog_shm_id); - if (!dumb_mode) { setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1); } + if (!non_instrumented_mode) { setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1); } ck_free(shm_str); |