Diffstat (limited to 'src')
-rw-r--r--src/afl-fuzz-init.c8
-rw-r--r--src/afl-fuzz-one.c28
-rw-r--r--src/afl-fuzz-queue.c10
3 files changed, 28 insertions, 18 deletions
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 350a3b4c..432e0649 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -961,7 +961,8 @@ void perform_dry_run(afl_state_t *afl) {
     }
 
     /* perform taint gathering on the input seed */
-    perform_taint_run(afl, q, q->fname, use_mem, q->len);
+    if (afl->fsrv.taint_mode)
+      perform_taint_run(afl, q, q->fname, use_mem, q->len);
 
     q = q->next;
 
@@ -1505,6 +1506,11 @@ static void handle_existing_out_dir(afl_state_t *afl) {
 
     fn = alloc_printf("%s/taint", afl->out_dir);
     mkdir(fn, 0755);  // ignore errors
+
+    u8 *fn2 = alloc_printf("%s/taint/.input", afl->out_dir);
+    unlink(fn2);  // ignore errors
+    ck_free(fn2);
+
     if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
     ck_free(fn);
 
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index ec7c4772..e75c2cec 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -458,26 +458,31 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
   }
 
-  if (unlikely(afl->fsrv.taint_mode && (afl->queue_cycle % 3))) {
+  u32 tmp_val;
+
+  if (unlikely(afl->fsrv.taint_mode &&
+               (tmp_val = (afl->queue_cycle % 3)) != 1)) {
 
     if (unlikely(afl->queue_cur->cal_failed)) goto abandon_entry;
+    if (tmp_val == 1 && !afl->queue_cur->taint_bytes_all) goto abandon_entry;
+    if (tmp_val == 2 && !afl->queue_cur->taint_bytes_new) goto abandon_entry;
 
     u32 dst = 0, i;
+    temp_len = len = afl->queue_cur->len;
 
     fd = open(afl->queue_cur->fname, O_RDONLY);
     afl->taint_src = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
     if (fd < 0 || (size_t)afl->taint_src == -1)
       FATAL("unable to open '%s'", afl->queue_cur->fname);
     close(fd);
+    afl->taint_needs_splode = 1;
 
-    switch (afl->queue_cycle % 3) {
+    switch (tmp_val) {
 
-      case 0:  // do nothing, but cannot happen -> else
+      case 1:  // do nothing, but cannot happen -> else
         break;
 
-      case 1:  // fuzz only tainted bytes
-        if (!afl->queue_cur->taint_bytes_all) goto abandon_entry;
-        afl->taint_needs_splode = 1;
+      case 2:  // fuzz only tainted bytes
 
         fd = open(afl->taint_input_file, O_RDONLY);
         len = afl->taint_len = afl->queue_cur->taint_bytes_all;
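Review bot: The two new guards use the old case numbering, so they no longer match the switch below: `tmp_val == 1` can never be true inside this block (the enclosing condition only enters on `tmp_val != 1`, and `case 1` is labelled "cannot happen"), while `case 2` now reads `taint_bytes_all` and `case 0` reads `taint_bytes_new` with no check at all. The lines should read `if (tmp_val == 2 && !afl->queue_cur->taint_bytes_all) goto abandon_entry;` and `if (tmp_val == 0 && !afl->queue_cur->taint_bytes_new) goto abandon_entry;`, which restores the checks the old `case 1`/`case 2` bodies had and keeps them ahead of the mmap, as this commit intends. Two smaller points: `tmp_val` is only assigned after the short-circuit on `taint_mode`, so `u32 tmp_val = 0;` avoids a maybe-uninitialized warning, and the open/mmap pair tests `fd < 0` only after mmap has already been called with that fd — checking the fd first and comparing the mapping against `MAP_FAILED` rather than `(size_t)... == -1` would be clearer. fuzz_one_original continues outside the hunk.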
@@ -499,9 +504,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
         break;
 
-      case 2:  // fuzz only newly tainted bytes
-        if (!afl->queue_cur->taint_bytes_new) goto abandon_entry;
-        afl->taint_needs_splode = 1;
+      case 0:  // fuzz only newly tainted bytes
 
         fd = open(afl->taint_input_file, O_RDONLY);
         len = afl->taint_len = afl->queue_cur->taint_bytes_new;
@@ -515,7 +518,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
         fd = open(fn, O_RDWR);
         afl->taint_map = mmap(0, afl->queue_cur->len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE, fd, 0);
-        if (fd < 0 || (size_t)in_buf == -1) FATAL("unable to open '%s'", fn);
+        if (fd < 0 || (size_t)in_buf == -1)
+          FATAL("unable to open '%s' for %u bytes", fn, len);
         close(fd);
         ck_free(fn);
 
@@ -526,8 +530,6 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
     }
 
-    goto havoc_stage;  // we let the normal cycles do deterministic mode - if
-
   } else {
 
     /* Map the test case into memory. */
@@ -653,6 +655,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
      if it has gone through deterministic testing in earlier, resumed runs
      (passed_det). */
 
+  if (afl->taint_needs_splode) goto havoc_stage;
+
   if (likely(afl->queue_cur->passed_det) || likely(afl->skip_deterministic) ||
       likely(perf_score <
              (afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100
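Review bot: `if (afl->taint_needs_splode) goto havoc_stage;` is now evaluated for every queue entry, not only inside the taint branch whose `goto havoc_stage` it replaces, so the flag has to be cleared once an entry is done; nothing in this diff shows where that happens, and if it stays set the non-taint `else` branch would skip its deterministic stages on all later entries too. If it is reset outside the diff, a one-line comment naming that place would help, e.g. `/* set by the taint branch above, cleared in <RESET-SITE placeholder> */`. The new line also sits between the `passed_det` comment block and the condition it documents; moving it above that comment keeps the comment attached to the `if` it describes. fuzz_one_original continues outside the hunk.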
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 36ec0896..3ada9d98 100644
--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@@ -118,6 +118,9 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
 
   if (q->fname_taint) {
 
+    u8 *save = ck_maybe_grow(BUF_PARAMS(out_scratch), afl->fsrv.map_size);
+    memcpy(save, afl->taint_fsrv.trace_bits, afl->fsrv.map_size);
+
     afl->taint_fsrv.map_size = plen;  // speed :)
     write_to_testcase(afl, mem, len);
     if (afl_fsrv_run_target(&afl->taint_fsrv, afl->fsrv.exec_tmout,
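Review bot: `save` points into the growable `out_scratch` buffer, so it is only valid if nothing between this copy and the restore in the next hunk (`memcpy(afl->taint_fsrv.trace_bits, save, ...)`) grows or reuses `out_scratch`; the code in between is not visible here and `write_to_testcase()` on the following line may plausibly touch that buffer, so this is worth confirming, or the snapshot should go into its own heap block (`ck_alloc`/`ck_free` around the run) instead. The copy length is `afl->fsrv.map_size` while the next line sets `afl->taint_fsrv.map_size = plen`; if `taint_fsrv.trace_bits` is sized from `taint_fsrv.map_size`, the two should agree — a comment such as `/* taint_fsrv.trace_bits is fsrv.map_size bytes; map_size below is only shrunk for this run */` would state the assumption, if that is the intent. Any early exit between save and restore would also leave the trace bits unrestored. perform_taint_run starts before and ends after this hunk.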
@@ -214,6 +217,8 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
 
     }
 
+    memcpy(afl->taint_fsrv.trace_bits, save, afl->fsrv.map_size);
+
   }
 
   if (!bytes) {
@@ -227,11 +232,6 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
 
     }
 
-  } else {
-
-    if (q->taint_bytes_all && !q->taint_bytes_new)
-      q->taint_bytes_new = q->taint_bytes_all;
-
   }
 
 }