Diffstat (limited to 'src')
-rw-r--r--src/afl-fuzz-init.c8
-rw-r--r--src/afl-fuzz-one.c28
-rw-r--r--src/afl-fuzz-queue.c10
3 files changed, 28 insertions, 18 deletions
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 350a3b4c..432e0649 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -961,7 +961,8 @@ void perform_dry_run(afl_state_t *afl) {
}
/* perform taint gathering on the input seed */
- perform_taint_run(afl, q, q->fname, use_mem, q->len);
+ if (afl->fsrv.taint_mode)
+ perform_taint_run(afl, q, q->fname, use_mem, q->len);
q = q->next;
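Review bot: The new single-statement `if` is unbraced, while the rest of this file braces one-line bodies (see `if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }` later in the same diff), so the call should read `if (afl->fsrv.taint_mode) { perform_taint_run(afl, q, q->fname, use_mem, q->len); }`. Braces also keep a future second statement from silently escaping the condition. The surrounding loop in perform_dry_run starts and ends outside the hunk.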
@@ -1505,6 +1506,11 @@ static void handle_existing_out_dir(afl_state_t *afl) {
fn = alloc_printf("%s/taint", afl->out_dir);
mkdir(fn, 0755); // ignore errors
+
+ u8 *fn2 = alloc_printf("%s/taint/.input", afl->out_dir);
+ unlink(fn2); // ignore errors
+ ck_free(fn2);
+
if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
ck_free(fn);
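Review bot: The separate `unlink` of `taint/.input` deserves a one-line comment explaining why it is not covered by the `delete_files(fn, CASE_PREFIX)` call that follows, e.g. `/* .input is not CASE_PREFIX-named, so delete_files() would leave it behind */`. As written, a reader has to work out that the leftover file from a previous run would otherwise survive the cleanup; presumably that is the reason for the extra step, so stating it keeps the two calls from looking redundant. The `fn2` allocation and `ck_free` pair is balanced, and ignoring the unlink error matches the `mkdir` line above it. handle_existing_out_dir continues outside the hunk.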
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index ec7c4772..e75c2cec 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -458,26 +458,31 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
- if (unlikely(afl->fsrv.taint_mode && (afl->queue_cycle % 3))) {
+ u32 tmp_val;
+
+ if (unlikely(afl->fsrv.taint_mode &&
+ (tmp_val = (afl->queue_cycle % 3)) != 1)) {
if (unlikely(afl->queue_cur->cal_failed)) goto abandon_entry;
+ if (tmp_val == 1 && !afl->queue_cur->taint_bytes_all) goto abandon_entry;
+ if (tmp_val == 2 && !afl->queue_cur->taint_bytes_new) goto abandon_entry;
u32 dst = 0, i;
+ temp_len = len = afl->queue_cur->len;
fd = open(afl->queue_cur->fname, O_RDONLY);
afl->taint_src = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
if (fd < 0 || (size_t)afl->taint_src == -1)
FATAL("unable to open '%s'", afl->queue_cur->fname);
close(fd);
+ afl->taint_needs_splode = 1;
- switch (afl->queue_cycle % 3) {
+ switch (tmp_val) {
- case 0: // do nothing, but cannot happen -> else
+ case 1: // do nothing, but cannot happen -> else
break;
- case 1: // fuzz only tainted bytes
- if (!afl->queue_cur->taint_bytes_all) goto abandon_entry;
- afl->taint_needs_splode = 1;
+ case 2: // fuzz only tainted bytes
fd = open(afl->taint_input_file, O_RDONLY);
len = afl->taint_len = afl->queue_cur->taint_bytes_all;
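Review bot: The guard `if (tmp_val == 1 && !afl->queue_cur->taint_bytes_all) goto abandon_entry;` can never fire, because the enclosing condition already requires `tmp_val != 1`; the `case 1` label in the switch is likewise unreachable, as its own comment says. The two guards should be tied to the cases that actually use the counts, i.e. `if (tmp_val == 2 && !afl->queue_cur->taint_bytes_all) goto abandon_entry;` and `if (tmp_val == 0 && !afl->queue_cur->taint_bytes_new) goto abandon_entry;`, since `case 2` reads `taint_bytes_all` and `case 0` (next hunk) reads `taint_bytes_new`. With the current mapping the `taint_bytes_all == 0` case reaches `len = afl->taint_len = afl->queue_cur->taint_bytes_all` with a zero length. fuzz_one_original starts and ends outside the hunk.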
@@ -499,9 +504,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
break;
- case 2: // fuzz only newly tainted bytes
- if (!afl->queue_cur->taint_bytes_new) goto abandon_entry;
- afl->taint_needs_splode = 1;
+ case 0: // fuzz only newly tainted bytes
fd = open(afl->taint_input_file, O_RDONLY);
len = afl->taint_len = afl->queue_cur->taint_bytes_new;
@@ -515,7 +518,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
fd = open(fn, O_RDWR);
afl->taint_map = mmap(0, afl->queue_cur->len, PROT_READ | PROT_WRITE,
MAP_PRIVATE, fd, 0);
- if (fd < 0 || (size_t)in_buf == -1) FATAL("unable to open '%s'", fn);
+ if (fd < 0 || (size_t)in_buf == -1)
+ FATAL("unable to open '%s' for %u bytes", fn, len);
close(fd);
ck_free(fn);
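Review bot: The rewritten check still tests `in_buf`, but the preceding `mmap` stores its result in `afl->taint_map`, so a failed mapping of the taint file is never detected here; the line should be `if (fd < 0 || afl->taint_map == MAP_FAILED)`. Comparing against `MAP_FAILED` also avoids the `(size_t)… == -1` cast. The new message reports `len` while the `mmap` length is `afl->queue_cur->len`; at this point `len` has been reassigned to `afl->taint_len`, so the two differ and the message may mislead. fuzz_one_original continues outside the hunk.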
@@ -526,8 +530,6 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
- goto havoc_stage; // we let the normal cycles do deterministic mode - if
-
} else {
/* Map the test case into memory. */
@@ -653,6 +655,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
if it has gone through deterministic testing in earlier, resumed runs
(passed_det). */
+ if (afl->taint_needs_splode) goto havoc_stage;
+
if (likely(afl->queue_cur->passed_det) || likely(afl->skip_deterministic) ||
likely(perf_score <
(afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100
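Review bot: The inserted `goto havoc_stage` sits between the comment block ending "(passed_det)." and the `if` that comment describes, so the comment now appears to explain the goto; move the goto above the comment and give it its own line, e.g. `/* taint mode: skip the deterministic stages, they are not applied to the exploded buffer */`. `taint_needs_splode` is set unconditionally in the taint branch earlier in this function, and nothing in the visible hunks clears it, so if it is not reset elsewhere before the next call a queue entry taken through the non-taint path would also jump straight to havoc — worth confirming. The enclosing function starts and ends outside the hunk.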
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 36ec0896..3ada9d98 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -118,6 +118,9 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
if (q->fname_taint) {
+ u8 *save = ck_maybe_grow(BUF_PARAMS(out_scratch), afl->fsrv.map_size);
+ memcpy(save, afl->taint_fsrv.trace_bits, afl->fsrv.map_size);
+
afl->taint_fsrv.map_size = plen; // speed :)
write_to_testcase(afl, mem, len);
if (afl_fsrv_run_target(&afl->taint_fsrv, afl->fsrv.exec_tmout,
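Review bot: The saved copy of `taint_fsrv.trace_bits` lives in the shared `out_scratch` buffer, so any use of `out_scratch` between this save and the `memcpy` back in the next hunk would corrupt the restored bitmap; if `write_to_testcase` or the elided code between the two hunks touches that buffer, a dedicated allocation (`ck_alloc(afl->fsrv.map_size)` freed after the restore) is safer. The restore is also reached only on the straight-line path through the block; any `return` or `goto` in the elided region would leave `trace_bits` holding the taint run's bits. The copy length is `afl->fsrv.map_size` while the taint forkserver's `map_size` is immediately set to `plen`; this assumes `taint_fsrv.trace_bits` is at least `fsrv.map_size` bytes, which the hunk does not show. perform_taint_run starts before and ends after the hunk.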
@@ -214,6 +217,8 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
}
+ memcpy(afl->taint_fsrv.trace_bits, save, afl->fsrv.map_size);
+
}
if (!bytes) {
@@ -227,11 +232,6 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
}
- } else {
-
- if (q->taint_bytes_all && !q->taint_bytes_new)
- q->taint_bytes_new = q->taint_bytes_all;
-
}
}