From 903b5607bc0eea01aa9872a2a53221a953c7a559 Mon Sep 17 00:00:00 2001 From: Eli Kobrin Date: Wed, 16 Nov 2022 18:19:50 +0300 Subject: Fix argv-fuzz. --- utils/argv_fuzzing/argv-fuzz-inl.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index c15c0271..68a0c93d 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -34,6 +34,7 @@ #ifndef _HAVE_ARGV_FUZZ_INL #define _HAVE_ARGV_FUZZ_INL +#include #include #define AFL_INIT_ARGV() \ @@ -63,22 +64,22 @@ static char **afl_init_argv(int *argc) { char *ptr = in_buf; int rc = 0; - if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {} - - while (*ptr && rc < MAX_CMDLINE_PAR) { + ssize_t num = 0; + if ((num = read(0, in_buf, MAX_CMDLINE_LEN - 2)) < 0) {} + if (in_buf[num - 1] == '\n') { + in_buf[num - 1] = 0; + } - ret[rc] = ptr; + char delim = ' '; + char *curarg = strtok(ptr, &delim); + while (curarg && rc < MAX_CMDLINE_PAR) { + ret[rc] = curarg; if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++; rc++; - - while (*ptr) - ptr++; - ptr++; - + curarg = strtok(NULL, &delim); } *argc = rc; - return ret; } @@ -87,4 +88,3 @@ static char **afl_init_argv(int *argc) { #undef MAX_CMDLINE_PAR #endif /* !_HAVE_ARGV_FUZZ_INL */ - -- cgit 1.4.1 From 4b7126c46c6171998af8a899dd6c1d3a6f50eb0f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 17 Nov 2022 10:58:20 +0100 Subject: nits --- GNUmakefile | 3 +-- GNUmakefile.gcc_plugin | 4 ++-- GNUmakefile.llvm | 4 ++-- TODO.md | 3 ++- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index c8f7f35a..56013660 100644 --- a/GNUmakefile +++ b/GNUmakefile 
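Review bot: `in_buf[num - 1]` on the new side is reached even when read() returned 0 or -1, because the `< 0` branch is an empty block, so an empty stdin indexes in_buf[-1] (and may write to it when that byte happens to be '\n'). The `&delim` argument on the following lines is also not a NUL-terminated string — strtok() scans past the single `char delim` — which is undefined behaviour. Both are fixed later in this series (3d07f0ab and 8f9726d4); on this commit the guard would be `if (num <= 0) { *argc = 0; return ret; }` and the delimiter the string literal `" "`. The declarations of `ret` and `in_buf` that afl_init_argv uses sit above the hunk.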
@@ -91,9 +91,8 @@ ifneq "$(SYS)" "Darwin" #ifeq "$(HAVE_MARCHNATIVE)" "1" # SPECIAL_PERFORMANCE += -march=native #endif - # OS X does not like _FORTIFY_SOURCE=2 ifndef DEBUG - CFLAGS_OPT += -D_FORTIFY_SOURCE=2 + CFLAGS_OPT += -D_FORTIFY_SOURCE=1 endif else # On some odd MacOS system configurations, the Xcode sdk path is not set correctly diff --git a/GNUmakefile.gcc_plugin b/GNUmakefile.gcc_plugin index 17bd825d..28a1a828 100644 --- a/GNUmakefile.gcc_plugin +++ b/GNUmakefile.gcc_plugin @@ -28,14 +28,14 @@ MAN_PATH ?= $(PREFIX)/share/man/man8 VERSION = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2) -CFLAGS ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=2 +CFLAGS ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=1 CFLAGS_SAFE := -Wall -Iinclude -Wno-pointer-sign \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ -DGCC_VERSION=\"$(GCCVER)\" -DGCC_BINDIR=\"$(GCCBINDIR)\" \ -Wno-unused-function override CFLAGS += $(CFLAGS_SAFE) -CXXFLAGS ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=2 +CXXFLAGS ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=1 CXXEFLAGS := $(CXXFLAGS) -Wall -std=c++11 CC ?= gcc diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 7e090f69..bcbb6d38 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -254,7 +254,7 @@ else AFL_CLANG_DEBUG_PREFIX = endif -CFLAGS ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2 +CFLAGS ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=1 CFLAGS_SAFE := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign \ -I ./include/ -I ./instrumentation/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ 
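Review bot: Lowering `-D_FORTIFY_SOURCE=2` to `=1` in CFLAGS_OPT weakens the run-time buffer checks compiled into afl-fuzz and its helpers, and neither the commit message ("nits") nor the makefile says why; the removed `# OS X does not like _FORTIFY_SOURCE=2` comment was the only rationale recorded next to this flag, and it is gone too. Level 2 enables checks that level 1 does not (object-size tracking down to struct members, for example), so this is a hardening regression for the fuzzer binaries rather than a cosmetic change. A one-line comment such as `# _FORTIFY_SOURCE=1: level 2 breaks <reason - placeholder> (see commit 4b7126c)` above the assignment would preserve the reason for the next reader. The same change is made to CFLAGS and CXXFLAGS in GNUmakefile.gcc_plugin (this line) and GNUmakefile.llvm (this line and the next).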
@@ -274,7 +274,7 @@ ifdef AFL_TRACE_PC $(info Compile option AFL_TRACE_PC is deprecated, just set AFL_LLVM_INSTRUMENT=PCGUARD to activate when compiling targets ) endif -CXXFLAGS ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2 +CXXFLAGS ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=1 override CXXFLAGS += -Wall -g -I ./include/ \ -DVERSION=\"$(VERSION)\" -Wno-variadic-macros \ -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR) diff --git a/TODO.md b/TODO.md index 99d2c419..a6b52ddf 100644 --- a/TODO.md +++ b/TODO.md @@ -2,7 +2,8 @@ ## Should - - better documentation for custom mutators + - support afl_custom_{send,post_process}, persistent and deferred fork + server in afl-showmap - better autodetection of shifting runtime timeout values - Update afl->pending_not_fuzzed for MOpt - afl-plot to support multiple plot_data -- cgit 1.4.1 From 3d07f0ab791565feb904f5897b22ef924fc06a48 Mon Sep 17 00:00:00 2001 From: Eli Kobrin Date: Thu, 17 Nov 2022 14:14:11 +0300 Subject: Handle empty input. --- utils/argv_fuzzing/argv-fuzz-inl.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index 68a0c93d..2ec433e1 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -65,7 +65,10 @@ static char **afl_init_argv(int *argc) { int rc = 0; ssize_t num = 0; - if ((num = read(0, in_buf, MAX_CMDLINE_LEN - 2)) < 0) {} + if ((num = read(0, in_buf, MAX_CMDLINE_LEN - 2)) <= 0) { + *argc = 0; + return ret; + } if (in_buf[num - 1] == '\n') { in_buf[num - 1] = 0; } -- cgit 1.4.1 From 8f9726d4a901880808d46706cdb9024c5d08bb7e Mon Sep 17 00:00:00 2001 From: Eli Kobrin Date: Thu, 17 Nov 2022 17:27:13 +0300 Subject: Fix delim. --- utils/argv_fuzzing/argv-fuzz-inl.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index 2ec433e1..94d4c123 100644 
--- a/utils/argv_fuzzing/argv-fuzz-inl.h
+++ b/utils/argv_fuzzing/argv-fuzz-inl.h
@@ -73,13 +73,12 @@ static char **afl_init_argv(int *argc) {
 in_buf[num - 1] = 0;
 }
- char delim = ' ';
- char *curarg = strtok(ptr, &delim);
+ char *curarg = strtok(ptr, " ");
 while (curarg && rc < MAX_CMDLINE_PAR) {
 ret[rc] = curarg;
 if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
 rc++;
- curarg = strtok(NULL, &delim);
+ curarg = strtok(NULL, " ");
 }
 *argc = rc;
-- cgit 1.4.1
From ba788591dc50ba01088a9e0ed76ae29878eedbdd Mon Sep 17 00:00:00 2001
From: Eli Kobrin
Date: Thu, 17 Nov 2022 17:38:45 +0300
Subject: Handle read() error.
---
 utils/argv_fuzzing/argv-fuzz-inl.h | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h
index 94d4c123..917c6222 100644
--- a/utils/argv_fuzzing/argv-fuzz-inl.h
+++ b/utils/argv_fuzzing/argv-fuzz-inl.h
@@ -34,7 +34,7 @@
 #ifndef _HAVE_ARGV_FUZZ_INL
 #define _HAVE_ARGV_FUZZ_INL
-#include
+#include
 #include
 #define AFL_INIT_ARGV() \
@@ -64,24 +64,27 @@ static char **afl_init_argv(int *argc) {
 char *ptr = in_buf;
 int rc = 0;
- ssize_t num = 0;
- if ((num = read(0, in_buf, MAX_CMDLINE_LEN - 2)) <= 0) {
- *argc = 0;
- return ret;
- }
- if (in_buf[num - 1] == '\n') {
- in_buf[num - 1] = 0;
+ ssize_t num = read(0, in_buf, MAX_CMDLINE_LEN - 2);
+ if (num < 0) {
+ abort();
 }
+ in_buf[num] = '\0';
+ in_buf[num + 1] = '\0';
+
+ while (*ptr && rc < MAX_CMDLINE_PAR) {
- char *curarg = strtok(ptr, " ");
- while (curarg && rc < MAX_CMDLINE_PAR) {
- ret[rc] = curarg;
+ ret[rc] = ptr;
 if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
 rc++;
- curarg = strtok(NULL, " ");
+
+ while (*ptr)
+ ptr++;
+ ptr++;
+
 }
 *argc = rc;
+
 return ret;
 }
@@ -90,3 +93,4 @@ static char **afl_init_argv(int *argc) {
 #undef MAX_CMDLINE_PAR
 #endif /* !_HAVE_ARGV_FUZZ_INL */
+
-- cgit 1.4.1
From ad6a4cf1c2b7089179c77544b9749e72a2dd6d0f Mon Sep 17 00:00:00 2001
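Review bot: The single `read(0, in_buf, MAX_CMDLINE_LEN - 2)` on the new side treats whatever one call returns as the whole command line; when stdin is a pipe or socket rather than a regular file a read can legitimately return a partial chunk, and the remainder of the input is then silently dropped, truncating argv mid-argument. A loop that keeps reading until EOF or the buffer limit fixes this without changing the NUL-separated format the hunk restores. The `abort()` on error also makes a harness read failure look like a target crash (SIGABRT) to afl-fuzz; the follow-up commit d7e788a3 switches it to exit(1). afl_init_argv starts above the hunk, where `ret` and `in_buf` are declared.
```c
  ssize_t num = 0, got;
  /* One read() may return a partial chunk when stdin is a pipe or socket;
     keep reading until EOF or until the two-byte terminator no longer fits. */
  while ((got = read(0, in_buf + num, MAX_CMDLINE_LEN - 2 - num)) > 0) {
    num += got;
    if (num >= MAX_CMDLINE_LEN - 2) { break; }
  }
  if (got < 0) { abort(); }
  in_buf[num] = '\0';
  in_buf[num + 1] = '\0';
  /* … unchanged: NUL-separated walk over in_buf filling ret[] … */
```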
From: Your Name Date: Fri, 18 Nov 2022 08:11:26 +0000 Subject: Fix cmplog block ID generation to use hashes rather than bit-shifts --- frida_mode/src/cmplog/cmplog_arm64.c | 5 +---- frida_mode/src/cmplog/cmplog_x64.c | 5 +---- frida_mode/src/cmplog/cmplog_x86.c | 5 +---- 3 files changed, 3 insertions(+), 12 deletions(-) diff --git a/frida_mode/src/cmplog/cmplog_arm64.c b/frida_mode/src/cmplog/cmplog_arm64.c index 5792cbfa..095dc242 100644 --- a/frida_mode/src/cmplog/cmplog_arm64.c +++ b/frida_mode/src/cmplog/cmplog_arm64.c @@ -204,10 +204,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, gsize address = context->pc; - register uintptr_t k = (uintptr_t)address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) __afl_cmp_map->headers[k].hits = 0; diff --git a/frida_mode/src/cmplog/cmplog_x64.c b/frida_mode/src/cmplog/cmplog_x64.c index 17912648..ce6b8681 100644 --- a/frida_mode/src/cmplog/cmplog_x64.c +++ b/frida_mode/src/cmplog/cmplog_x64.c @@ -188,10 +188,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, gsize address = ctx_read_reg(context, X86_REG_RIP); - register uintptr_t k = (uintptr_t)address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 7; + register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) __afl_cmp_map->headers[k].hits = 0; diff --git a/frida_mode/src/cmplog/cmplog_x86.c b/frida_mode/src/cmplog/cmplog_x86.c index a3a02457..fa06d611 100644 --- a/frida_mode/src/cmplog/cmplog_x86.c +++ b/frida_mode/src/cmplog/cmplog_x86.c 
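Review bot: With the explicit `k &= CMP_MAP_W - 1` gone, `__afl_cmp_map->headers[k]` on the next line is in bounds only if `instrument_get_offset_hash()` already confines its result to `[0, CMP_MAP_W)`; the hunk does not show that, so it is worth confirming and recording with a comment such as `/* instrument_get_offset_hash() returns a value < CMP_MAP_W */` above the declaration. The removed x64 variant masked with `CMP_MAP_W - 7`, which is not a power-of-two mask and could yield indices that differ from the other two ports, so unifying all three on one hash is the right direction. The `register` qualifier on the new line is a no-op for modern compilers and can be dropped. The same change appears in cmplog_x64.c (this line) and cmplog_x86.c (next line); the enclosing cmplog_handle_cmp_sub() extends beyond each hunk.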
@@ -193,10 +193,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1, gsize address = ctx_read_reg(context, X86_REG_EIP); - register uintptr_t k = (uintptr_t)address; - - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address)); if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS) __afl_cmp_map->headers[k].hits = 0; -- cgit 1.4.1 From d7e788a3c0138637147621cc4d6ab8087e0af956 Mon Sep 17 00:00:00 2001 From: kobrineli Date: Fri, 18 Nov 2022 13:35:51 +0300 Subject: Exit on read error. --- utils/argv_fuzzing/argv-fuzz-inl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index 917c6222..e350dd4e 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -66,7 +66,7 @@ static char **afl_init_argv(int *argc) { ssize_t num = read(0, in_buf, MAX_CMDLINE_LEN - 2); if (num < 0) { - abort(); + exit(1); } in_buf[num] = '\0'; in_buf[num + 1] = '\0'; -- cgit 1.4.1 From 26a5bd625ccbd8de4fbc9b5eea263d092bd405e5 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 18 Nov 2022 12:23:18 +0100 Subject: write queue statistics --- docs/Changelog.md | 3 +++ include/afl-fuzz.h | 14 +++++++++++--- include/config.h | 3 ++- src/afl-fuzz-init.c | 4 ++++ src/afl-fuzz-one.c | 37 +++++++++++++++++++++++++++++++++++++ src/afl-fuzz-stats.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ src/afl-fuzz.c | 44 +++++++++++++++++++++++++++++++++++++++----- 7 files changed, 146 insertions(+), 9 deletions(-) diff --git a/docs/Changelog.md b/docs/Changelog.md index c5eb6be3..4df47645 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
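Review bot: `exit(1)` on a failed read() now ends the run quietly, so a harness-side I/O failure is indistinguishable from the target exiting normally with status 1 and nothing is logged. Writing a short diagnostic to stderr first, e.g. `static const char msg[] = "argv-fuzz: read() failed\n"; (void)write(2, msg, sizeof msg - 1); exit(1);`, keeps the non-crash exit (so afl-fuzz no longer records it as a crash, which the previous abort() did) while making the cause visible in the target's output. afl_init_argv begins above the hunk.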
@@ -9,6 +9,9 @@ send fuzz data to the target as you need, e.g. via IPC. - cmplog mode now has -l R option for random colorization, thanks to guyf2010 for the PR! + - queue statistics are written every 30 minutes to + out/NAME/queue_data - likely this will be moved to a debug flag + in the future. - afl-showmap/afl-cmin - -t none now translates to -t 120000 (120 seconds) - unicorn_mode updated diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 88646db3..f9dcbf8f 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -169,12 +169,18 @@ struct queue_entry { u32 bitmap_size, /* Number of bits set in bitmap */ fuzz_level, /* Number of fuzzing iterations */ - n_fuzz_entry; /* offset in n_fuzz */ + n_fuzz_entry, /* offset in n_fuzz */ + stats_selected, /* stats: how often selected */ + stats_skipped, /* stats: how often skipped */ + stats_finds, /* stats: # of saved finds */ + stats_crashes, /* stats: # of saved crashes */ + stats_tmouts; /* stats: # of saved timeouts */ u64 exec_us, /* Execution time (us) */ handicap, /* Number of queue cycles behind */ depth, /* Path depth */ - exec_cksum; /* Checksum of the execution trace */ + exec_cksum, /* Checksum of the execution trace */ + stats_mutated; /* stats: # of mutations performed */ u8 *trace_mini; /* Trace bytes, if kept */ u32 tc_ref; /* Trace bytes ref count */ @@ -686,7 +692,8 @@ typedef struct afl_state { u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md; u64 plot_prev_qc, plot_prev_uc, plot_prev_uh, plot_prev_ed; - u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; + u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_queue_ms, + stats_last_ms, stats_last_execs; /* StatsD */ u64 statsd_last_send_ms; 
@@ -1101,6 +1108,7 @@ void load_stats_file(afl_state_t *); void write_setup_file(afl_state_t *, u32, char **); void write_stats_file(afl_state_t *, u32, double, double, double); void maybe_update_plot_file(afl_state_t *, u32, double, double); +void write_queue_stats(afl_state_t *); void show_stats(afl_state_t *); void show_stats_normal(afl_state_t *); void show_stats_pizza(afl_state_t *); diff --git a/include/config.h b/include/config.h index 22c1a162..b82ead47 100644 --- a/include/config.h +++ b/include/config.h @@ -290,10 +290,11 @@ #define UI_TARGET_HZ 5 -/* Fuzzer stats file and plot update intervals (sec): */ +/* Fuzzer stats file, queue stats and plot update intervals (sec): */ #define STATS_UPDATE_SEC 60 #define PLOT_UPDATE_SEC 5 +#define QUEUE_UPDATE_SEC 1800 /* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index e41d29fd..ed52ca00 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1848,6 +1848,10 @@ static void handle_existing_out_dir(afl_state_t *afl) { } + fn = alloc_printf("%s/queue_data", afl->out_dir); + if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; } + ck_free(fn); + fn = alloc_printf("%s/cmdline", afl->out_dir); if (unlink(fn) && errno != ENOENT) { goto dir_cleanup_failed; } ck_free(fn); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index ed9e7a81..253e78b6 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -743,6 +743,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Two walking bits. */ @@ -775,6 +776,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Four walking bits. */ 
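Review bot: The new line `afl->queue_cur->stats_mutated += afl->stage_max;` is pasted after every `afl->stage_cycles[...] += afl->stage_max;` in this hunk and in all following hunks of afl-fuzz-one.c (L9–L13, roughly three dozen sites across fuzz_one_original and mopt_common_fuzzing), so the two counters can silently drift apart the next time a stage is added or one site is edited. A one-line helper that advances both, e.g. `#define STAGE_CYCLES_DONE(s) do { afl->stage_cycles[(s)] += afl->stage_max; afl->queue_cur->stats_mutated += afl->stage_max; } while (0)`, would keep them in step. In the havoc/splice hunks (L11, L13) the new line is duplicated in both branches of the if/else and could be hoisted below it. Every enclosing function starts and ends outside these hunks.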
@@ -811,6 +813,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Effector map setup. These macros calculate: @@ -919,6 +922,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Two walking bytes. */ @@ -962,6 +966,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; if (len < 4) { goto skip_bitflip; } @@ -1005,6 +1010,7 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_bitflip: @@ -1097,6 +1103,7 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* 16-bit arithmetics, both endians. */ @@ -1227,6 +1234,7 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* 32-bit arithmetics, both endians. */ @@ -1356,6 +1364,7 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_arith: @@ -1422,6 +1431,7 @@ skip_arith: afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Setting 16-bit integers, both endians. */ 
@@ -1510,6 +1520,7 @@ skip_arith: afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; if (len < 4) { goto skip_interest; } @@ -1599,6 +1610,7 @@ skip_arith: afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_interest: @@ -1672,6 +1684,7 @@ skip_interest: afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Insertion of user-supplied extras. */ @@ -1728,6 +1741,7 @@ skip_interest: afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_user_extras: @@ -1786,6 +1800,7 @@ skip_user_extras: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Insertion of auto extras. */ @@ -1842,6 +1857,7 @@ skip_user_extras: afl->stage_finds[STAGE_EXTRAS_AI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AI] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_extras: @@ -1988,6 +2004,7 @@ custom_mutator_stage: afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; if (likely(afl->custom_only)) { 
@@ -2925,11 +2942,13 @@ havoc_stage: afl->stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_HAVOC] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; } else { afl->stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_SPLICE] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; } @@ -3411,6 +3430,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Two walking bits. */ @@ -3442,6 +3462,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Four walking bits. */ @@ -3477,6 +3498,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Effector map setup. These macros calculate: @@ -3584,6 +3606,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Two walking bytes. */ @@ -3626,6 +3649,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; if (len < 4) { goto skip_bitflip; } 
@@ -3668,6 +3692,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_bitflip: @@ -3758,6 +3783,7 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* 16-bit arithmetics, both endians. */ @@ -3884,6 +3910,7 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* 32-bit arithmetics, both endians. */ @@ -4009,6 +4036,7 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_arith: @@ -4074,6 +4102,7 @@ skip_arith: afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Setting 16-bit integers, both endians. */ @@ -4160,6 +4189,7 @@ skip_arith: afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; if (len < 4) { goto skip_interest; } @@ -4247,6 +4277,7 @@ skip_arith: afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_interest: @@ -4320,6 +4351,7 @@ skip_interest: afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Insertion of user-supplied extras. */ 
@@ -4376,6 +4408,7 @@ skip_interest: afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_user_extras: @@ -4435,6 +4468,7 @@ skip_user_extras: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; /* Insertion of auto extras. */ @@ -4491,6 +4525,7 @@ skip_user_extras: afl->stage_finds[STAGE_EXTRAS_AI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AI] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; skip_extras: @@ -5316,11 +5351,13 @@ pacemaker_fuzzing: afl->stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_HAVOC] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; } else { afl->stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_SPLICE] += afl->stage_max; + afl->queue_cur->stats_mutated += afl->stage_max; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 61956dc3..ac9ad4db 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
@@ -365,6 +365,36 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, } +void write_queue_stats(afl_state_t *afl) { + + FILE *f; + u8 *fn = alloc_printf("%s/queue_data", afl->out_dir); + if ((f = fopen(fn, "w")) != NULL) { + + u32 id; + fprintf(f, + "# filename, length, exec_us, selected, skipped, mutations, finds, " + "crashes, timeouts, bitmap_size, perf_score, weight, colorized, " + "favored, disabled\n"); + for (id = 0; id < afl->queued_items; ++id) { + + struct queue_entry *q = afl->queue_buf[id]; + fprintf(f, "\"%s\",%u,%llu,%u,%u,%llu,%u,%u,%u,%u,%.3f,%.3f,%u,%u,%u\n", + q->fname, q->len, q->exec_us, q->stats_selected, q->stats_skipped, + q->stats_mutated, q->stats_finds, q->stats_crashes, + q->stats_tmouts, q->bitmap_size, q->perf_score, q->weight, + q->colorized, q->favored, q->disabled); + + } + + fclose(f); + + } + + ck_free(fn); + +} + /* Update the plot file if there is a reason to. */ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, @@ -613,6 +643,16 @@ void show_stats_normal(afl_state_t *afl) { } + /* Every now and then, write queue data. */ + + if (unlikely(afl->force_ui_update || + cur_ms - afl->stats_last_queue_ms > QUEUE_UPDATE_SEC * 1000)) { + + afl->stats_last_queue_ms = cur_ms; + write_queue_stats(afl); + + } + /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ if (unlikely(!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 && @@ -1399,6 +1439,16 @@ void show_stats_pizza(afl_state_t *afl) { } + /* Every now and then, write queue data. */ + + if (unlikely(afl->force_ui_update || + cur_ms - afl->stats_last_queue_ms > QUEUE_UPDATE_SEC * 1000)) { + + afl->stats_last_queue_ms = cur_ms; + write_queue_stats(afl); + + } + /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ if (unlikely(!afl->non_instrumented_mode && afl->cycles_wo_finds > 100 && diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index a81cab7d..7bb9ba2b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
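Review bot: `struct queue_entry *q = afl->queue_buf[id];` in write_queue_stats() is dereferenced without a NULL check, while the main-loop hunk in afl-fuzz.c (next line) explicitly tests `afl->queue_buf[afl->current_entry] == NULL`; if an empty slot is possible there it is possible here too, and `if (unlikely(!q)) { continue; }` right after the assignment would make the dump robust. The fopen() failure is silently ignored and fclose() is unchecked, which is acceptable for a best-effort statistics file but worth stating, e.g. `/* best effort: a failed write only loses this stats snapshot */` above the fopen. The format string also assumes `colorized`, `favored` and `disabled` are unsigned integer types; they are declared outside this hunk, so confirm `%u` matches (a u8 promoted to int is tolerated in practice but is not a strict match under -Wformat).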
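Review bot: The eight-line "write queue data" block added to show_stats_normal() is repeated verbatim in show_stats_pizza() later on this line; both functions already carry the same stats/plot bookkeeping, so the interval check and `write_queue_stats(afl);` call belong in one place (the common caller, or a small static helper) rather than in two copies that must be kept in sync. `stats_last_queue_ms` presumably starts at 0 (if afl_state is zero-initialised, which this hunk does not show), in which case the first UI refresh writes the file immediately — consistent with `stats_last_stats_ms`, but worth a comment if intended. Both functions begin and end outside their hunks.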
@@ -2278,7 +2278,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->start_time = get_cur_time(); u32 runs_in_current_cycle = (u32)-1; - u32 prev_queued_items = 0; + u32 prev_queued_items = 0, prev_saved_crashes = 0, prev_saved_tmouts = 0; u8 skipped_fuzz; #ifdef INTROSPECTION @@ -2529,21 +2529,55 @@ int main(int argc, char **argv_orig, char **envp) { } skipped_fuzz = fuzz_one(afl); + ++afl->queue_cur->stats_selected; + if (unlikely(skipped_fuzz)) { + + ++afl->queue_cur->stats_skipped; + + } else { + + if (unlikely(afl->queued_items > prev_queued_items)) { + + afl->queue_cur->stats_finds += afl->queued_items - prev_queued_items; + prev_queued_items = afl->queued_items; + + } + + if (unlikely(afl->saved_crashes > prev_saved_crashes)) { + + afl->queue_cur->stats_crashes += + afl->saved_crashes - prev_saved_crashes; + prev_saved_crashes = afl->saved_crashes; + + } + + if (unlikely(afl->saved_tmouts > prev_saved_tmouts)) { + + afl->queue_cur->stats_tmouts += afl->saved_tmouts - prev_saved_tmouts; + prev_saved_tmouts = afl->saved_tmouts; + + } + + } if (unlikely(!afl->stop_soon && exit_1)) { afl->stop_soon = 2; } if (unlikely(afl->old_seed_selection)) { while (++afl->current_entry < afl->queued_items && - afl->queue_buf[afl->current_entry]->disabled) - ; + afl->queue_buf[afl->current_entry]->disabled) {}; if (unlikely(afl->current_entry >= afl->queued_items || afl->queue_buf[afl->current_entry] == NULL || - afl->queue_buf[afl->current_entry]->disabled)) + afl->queue_buf[afl->current_entry]->disabled)) { + afl->queue_cur = NULL; - else + + } else { + afl->queue_cur = afl->queue_buf[afl->current_entry]; + } + } } while (skipped_fuzz && afl->queue_cur && !afl->stop_soon); -- cgit 1.4.1 From b7c87350cf3481416b782fe19bc56467090ff220 Mon Sep 17 00:00:00 2001 
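Review bot: `prev_saved_crashes` and `prev_saved_tmouts` start at 0, so whatever `afl->saved_crashes` / `afl->saved_tmouts` already hold when the loop begins (for example on a resumed session, if those counters are restored before this point) is credited to the first entry that fuzz_one() runs; initialising them from the live values just before the loop, `prev_saved_crashes = afl->saved_crashes; prev_saved_tmouts = afl->saved_tmouts;`, avoids the skew. `prev_queued_items` has the same shape but is also maintained elsewhere in the loop outside this hunk, so the same fix may not apply to it without checking that path. Style: `afl->queue_buf[afl->current_entry]->disabled) {};` leaves a stray empty statement after the block — `{}` alone is enough. main() starts and ends outside these hunks.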
From: Dominik Maier Date: Fri, 18 Nov 2022 17:04:16 +0100 Subject: Make env description extra clear --- docs/env_variables.md | 8 ++++---- unicorn_mode/unicornafl | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/env_variables.md b/docs/env_variables.md index d1c13e15..22a5c386 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -378,10 +378,10 @@ checks or alter some of the more exotic semantics of the tool: valid terminal was detected (for virtual consoles). - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout - to wait for the forkserver to spin up. The default is the `-t` value times - `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the - default would wait for `1000` milliseconds. Setting a different time here is - useful if the target has a very slow startup time, for example, when doing + to wait for the forkserver to spin up. The specified value is the new timeout, in milliseconds. + The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the default would wait for `1000` milliseconds. + The `AFL_FORKSRV_INIT_TMOUT` value does not get multiplied. It overwrites the initial timeout afl-fuzz waits for the target to come up with a constant time. + Setting a different time here is useful if the target has a very slow startup time, for example, when doing full-system fuzzing or emulation, but you don't want the actual runs to wait too long for timeouts. diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 6e00ceac..0a31c2b2 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 6e00ceac6fd5627e42e1858c543c84f2fbdaedda +Subproject commit 0a31c2b28bf7037fe8b0ff376521fdbdf28a9efe -- cgit 1.4.1 From ef0921d858be0d54f3ebfe88e361ba54fb9ba69d Mon Sep 17 00:00:00 2001 
From: fedotoff Date: Mon, 21 Nov 2022 12:59:23 +0300 Subject: Add CASR as third party tool in docs. --- docs/third_party_tools.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/third_party_tools.md b/docs/third_party_tools.md index 1175d9e5..97f2c362 100644 --- a/docs/third_party_tools.md +++ b/docs/third_party_tools.md @@ -62,3 +62,5 @@ generates builds of debian packages suitable for AFL. * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for working with input data. +* [CASR](https://github.com/ispras/casr) - a set of tools for crash triage and + analysis. -- cgit 1.4.1 From 2c39c51263fd38de50ef41ff30075c1282997e14 Mon Sep 17 00:00:00 2001 From: fedotoff Date: Mon, 21 Nov 2022 15:18:19 +0300 Subject: casr-afl short description in fuzzing_in_depth. --- docs/fuzzing_in_depth.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index a0bf1566..1645ba5c 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md 
@@ -900,6 +900,32 @@ then color-codes the input based on which sections appear to be critical and which are not; while not bulletproof, it can often offer quick insights into complex file formats. +`casr-afl` from [CASR](https://github.com/ispras/casr) tools provides a +straightforward CASR integration with AFL++. While walking through afl +instances, `casr-afl` generates crash reports depending on target binary. For +binary with ASAN `casr-san` is used, otherwise `casr-gdb`. On the next step +report deduplication is done by `casr-cluster`. Finally, reports are triaged +into clusters. Crash reports contain many useful information: severity +(like [exploitable](https://github.com/jfoote/exploitable)), OS and package +versions, command line, stack trace, register values, disassembly, and even +source code fragment where crash appeared. + +**NOTE:** `casr-gdb` and `casr-san` should be in PATH to make `casr-afl` work. +Before using casr-afl, please, follow the installation +[guide](https://github.com/ispras/casr#getting-started). Using `casr-afl` is +very simple: + +```shell +casr-afl -i /path/to/afl/out/dir -o /path/to/casr/out/dir +``` + +Output directory contains subdirectories (cl1...clN) with report clusters. To +view reports you could use `casr-cli` tool: + +```shell +casr-cli /path/to/casr/out/dir/cl1/report.casrep +``` + ## 5. CI fuzzing Some notes on continuous integration (CI) fuzzing - this fuzzing is different to -- cgit 1.4.1 From a16726039f167548da86ce51d0cf4bd1b04e5374 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 21 Nov 2022 13:28:07 +0100 Subject: shorten text --- docs/fuzzing_in_depth.md | 25 +++---------------------- unicorn_mode/unicornafl | 2 +- 2 files changed, 4 insertions(+), 23 deletions(-) diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 1645ba5c..87f31a58 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md 
@@ -900,32 +900,13 @@ then color-codes the input based on which sections appear to be critical and which are not; while not bulletproof, it can often offer quick insights into complex file formats. -`casr-afl` from [CASR](https://github.com/ispras/casr) tools provides a -straightforward CASR integration with AFL++. While walking through afl -instances, `casr-afl` generates crash reports depending on target binary. For -binary with ASAN `casr-san` is used, otherwise `casr-gdb`. On the next step -report deduplication is done by `casr-cluster`. Finally, reports are triaged -into clusters. Crash reports contain many useful information: severity -(like [exploitable](https://github.com/jfoote/exploitable)), OS and package -versions, command line, stack trace, register values, disassembly, and even -source code fragment where crash appeared. - -**NOTE:** `casr-gdb` and `casr-san` should be in PATH to make `casr-afl` work. -Before using casr-afl, please, follow the installation -[guide](https://github.com/ispras/casr#getting-started). Using `casr-afl` is -very simple: - +`casr-afl` from [CASR](https://github.com/ispras/casr) tools provides +comfortable triaging for crashes found by AFL++. Reports are clustered and +contain severity and other information. ```shell casr-afl -i /path/to/afl/out/dir -o /path/to/casr/out/dir ``` -Output directory contains subdirectories (cl1...clN) with report clusters. To -view reports you could use `casr-cli` tool: - -```shell -casr-cli /path/to/casr/out/dir/cl1/report.casrep -``` - ## 5. CI fuzzing Some notes on continuous integration (CI) fuzzing - this fuzzing is different to diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 0a31c2b2..6e00ceac 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 0a31c2b28bf7037fe8b0ff376521fdbdf28a9efe +Subproject commit 6e00ceac6fd5627e42e1858c543c84f2fbdaedda -- cgit 1.4.1 
From 4124a272d821629adce648fb37ca1e7f0ce0e84f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 23 Nov 2022 10:27:30 +0100 Subject: crash fix for queue analysis feature --- src/afl-fuzz.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 7bb9ba2b..976d61e5 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2523,7 +2523,12 @@ int main(int argc, char **argv_orig, char **envp) { } - afl->current_entry = select_next_queue_entry(afl); + do { + + afl->current_entry = select_next_queue_entry(afl); + + } while (unlikely(afl->current_entry >= afl->queued_items)); + afl->queue_cur = afl->queue_buf[afl->current_entry]; } -- cgit 1.4.1 From 9734d0b3c09b3d604941d43fd96454100349d8b1 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 23 Nov 2022 18:18:26 +0000 Subject: Fixes to make things easier to build for ARM --- frida_mode/GNUmakefile | 3 +++ frida_mode/src/instrument/instrument_arm32.c | 10 +++++++++- frida_mode/test/png/GNUmakefile | 14 +++++++------- frida_mode/test/testinstr/GNUmakefile | 3 +++ 4 files changed, 22 insertions(+), 8 deletions(-) diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index 9f2bcd42..ccc4841d 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -191,6 +191,9 @@ all: $(FRIDA_TRACE) $(FRIDA_TRACE_LIB) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QE 32: CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all +arm: + CFLAGS="-marm" LDFLAGS="-marm" ARCH="armhf" TARGET_CC=arm-linux-gnueabihf-gcc TARGET_CXX=arm-linux-gnueabihf-g++ make all + $(BUILD_DIR): mkdir -p $(BUILD_DIR) diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index cb2a322b..84dbb3be 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c 
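Review bot: The new `do { ... } while (unlikely(afl->current_entry >= afl->queued_items));` retry around `select_next_queue_entry(afl)` has no upper bound, so if the selector keeps producing an out-of-range index (a stale alias table, or an empty queue) the fuzzer spins silently instead of crashing as before. A bounded retry that ends in a `FATAL()` keeps the crash fix while still surfacing the underlying selection bug, and a counter makes the condition observable in a debugger. The surrounding `main()` starts and ends outside this hunk.
```c
  u32 select_retries = 0;
  do {
    afl->current_entry = select_next_queue_entry(afl);
  } while (unlikely(afl->current_entry >= afl->queued_items) &&
           ++select_retries < 100 /* constructed bound; tune */);
  if (unlikely(afl->current_entry >= afl->queued_items)) {
    FATAL("select_next_queue_entry() returned no valid index (queued_items=%u)",
          afl->queued_items);
  }
  /* … unchanged: afl->queue_cur = afl->queue_buf[afl->current_entry]; … */
```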
@@ -273,7 +273,15 @@ void instrument_flush(GumStalkerOutput *output) { gpointer instrument_cur(GumStalkerOutput *output) { - return gum_arm_writer_cur(output->writer.arm); + gpointer curr = NULL; + + if (output->encoding == GUM_INSTRUCTION_SPECIAL) { + curr = gum_thumb_writer_cur(output->writer.thumb); + } else { + curr = gum_arm_writer_cur(output->writer.arm); + } + + return curr; } diff --git a/frida_mode/test/png/GNUmakefile b/frida_mode/test/png/GNUmakefile index 864265e0..86fd1483 100644 --- a/frida_mode/test/png/GNUmakefile +++ b/frida_mode/test/png/GNUmakefile @@ -7,10 +7,10 @@ LIBPNG_BUILD_DIR:=$(BUILD_DIR)libpng/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ PNGTEST_BUILD_DIR:=$(BUILD_DIR)pngtest/ -LIBZ_FILE:=$(LIBZ_BUILD_DIR)zlib-1.2.12.tar.gz -LIBZ_URL:=http://www.zlib.net/zlib-1.2.12.tar.gz -LIBZ_DIR:=$(LIBZ_BUILD_DIR)zlib-1.2.12/ -LIBZ_PC:=$(ZLIB_DIR)zlib.pc +LIBZ_FILE:=$(LIBZ_BUILD_DIR)zlib-1.2.13.tar.gz +LIBZ_URL:=http://www.zlib.net/zlib-1.2.13.tar.gz +LIBZ_DIR:=$(LIBZ_BUILD_DIR)zlib-1.2.13/ +LIBZ_PC:=$(LIBZ_DIR)zlib.pc LIBZ_LIB:=$(LIBZ_DIR)libz.a LIBPNG_FILE:=$(LIBPNG_BUILD_DIR)libpng-1.2.56.tar.gz @@ -48,7 +48,7 @@ all: $(TEST_BIN) CFLAGS="-m32" LDFLAGS="-m32" make $(TEST_BIN) arm: - ARCH="arm" CC="arm-linux-gnueabihf-gcc" CXX="arm-linux-gnueabihf-g++" make $(TEST_BIN) + CFLAGS="-marm" LDFLAGS="-marm" CC="arm-linux-gnueabihf-gcc" CXX="arm-linux-gnueabihf-g++" make $(TEST_BIN) $(BUILD_DIR): mkdir -p $@ @@ -96,7 +96,7 @@ $(LIBZ_PC): | $(LIBZ_DIR) --static \ --archs="$(ARCH)" -$(LIBZ_LIB): $(LIBZ_PC) +$(LIBZ_LIB): | $(LIBZ_PC) CFLAGS="$(CFLAGS) -fPIC" \ make \ -C $(LIBZ_DIR) \ @@ -133,7 +133,7 @@ png: $(LIBPNG_LIB) ######### TEST ######## -$(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) +$(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) $(LIBZ_LIB) $(CXX) \ $(CFLAGS) \ $(LDFLAGS) \ diff --git a/frida_mode/test/testinstr/GNUmakefile b/frida_mode/test/testinstr/GNUmakefile index 79eee213..ebc0b2dc 100644 
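Review bot: The new branch in `instrument_cur` gives no hint why `output->encoding == GUM_INSTRUCTION_SPECIAL` means the Thumb writer should be consulted, so the next reader has to dig through the Frida headers to understand the dispatch. A one-line comment above the `if`, e.g. `/* Stalker reports the current output position via writer.thumb when it is emitting Thumb code (encoding == GUM_INSTRUCTION_SPECIAL, presumably -- confirm against gum headers), otherwise via writer.arm. */`, would record the assumption where it is made. The function is complete in this hunk.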
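Review bot: `LIBZ_URL:=http://www.zlib.net/zlib-1.2.13.tar.gz` still fetches a build dependency over plain HTTP, and nothing in the hunk verifies the downloaded archive, so the version bump keeps a build input that can be altered in transit or by a mirror. Switching to `https://www.zlib.net/zlib-1.2.13.tar.gz` and checking the tarball against a pinned digest in the download rule (e.g. `echo "<SHA256_PLACEHOLDER>  $(LIBZ_FILE)" | sha256sum -c -` before extraction) makes the test build tamper-evident and reproducible. The same likely applies to `LIBPNG_URL`, whose fetch rule is not visible here.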
--- a/frida_mode/test/testinstr/GNUmakefile +++ b/frida_mode/test/testinstr/GNUmakefile @@ -18,6 +18,9 @@ all: $(TESTINSTBIN) 32: CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all +arm: + CFLAGS="-marm" LDFLAGS="-marm" CC="arm-linux-gnueabihf-gcc" CXX="arm-linux-gnueabihf-g++" make $(TESTINSTBIN) + $(BUILD_DIR): mkdir -p $@ -- cgit 1.4.1 From 32a331ab43095c2493514a9066c30ae7665433e4 Mon Sep 17 00:00:00 2001 From: a-shvedov <60114847+a-shvedov@users.noreply.github.com> Date: Sat, 26 Nov 2022 10:34:14 +0300 Subject: Update README.md --- utils/libtokencap/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md index 50104291..8705452c 100644 --- a/utils/libtokencap/README.md +++ b/utils/libtokencap/README.md @@ -47,9 +47,11 @@ by AFL++ in that earlier run. This demonstrates the basic principle: ``` export AFL_TOKEN_FILE=$PWD/temp_output.txt + timeout_sec="5" for i in /queue/id*; do LD_PRELOAD=/path/to/libtokencap.so \ + timeout -s SIGKILL ${timeout_sec} \ /path/to/target/program [...params, including $i...] done -- cgit 1.4.1 From 6dd9764cf6745a74772e93f3e91b83031a872766 Mon Sep 17 00:00:00 2001 From: Your Date: Thu, 1 Dec 2022 18:17:21 +0000 Subject: Bump FRIDA version --- frida_mode/GNUmakefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index ccc4841d..d283c3d7 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -145,7 +145,7 @@ ifndef OS $(error "Operating system unsupported") endif -GUM_DEVKIT_VERSION=16.0.1 +GUM_DEVKIT_VERSION=16.0.6 GUM_DEVKIT_FILENAME=frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)" -- cgit 1.4.1 From 0885dda767ec29330c57c88f3102d5ee565b645d Mon Sep 17 00:00:00 2001 
From: Your Date: Thu, 1 Dec 2022 18:17:21 +0000 Subject: Fix branch suppression for ARM64 --- frida_mode/src/instrument/instrument_arm64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c index c7584a87..39e32b12 100644 --- a/frida_mode/src/instrument/instrument_arm64.c +++ b/frida_mode/src/instrument/instrument_arm64.c @@ -196,7 +196,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self, insn = instrument_disassemble(from_insn); deterministic = instrument_is_deterministic(insn); cs_free(insn, 1); - if (deterministic) { return; } + if (!deterministic) { return; } /* * Since each block is prefixed with a restoration prologue, we need to be -- cgit 1.4.1 From 149366507da1ff8e3e8c4962f3abc6c8fd78b222 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 4 Dec 2022 04:09:12 +0100 Subject: update qemuafl --- qemu_mode/QEMUAFL_VERSION | 2 +- qemu_mode/qemuafl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION index 8d384d31..9c68f02c 100644 --- a/qemu_mode/QEMUAFL_VERSION +++ b/qemu_mode/QEMUAFL_VERSION @@ -1 +1 @@ -fa07ebfff5 +a8af9cbde7 diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index fa07ebff..a8af9cbd 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit fa07ebfff5de3d7a531caf2f9e0306960953a5e7 +Subproject commit a8af9cbde71e333ce72a46f15e655d0b82ed0939 -- cgit 1.4.1 From bf1617d3545b7c37b04ac8ddfdcf33943adf3bd2 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 5 Dec 2022 16:15:29 +0100 Subject: fix warning --- TODO.md | 1 + src/afl-fuzz.c | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/TODO.md b/TODO.md index a6b52ddf..862224f0 100644 --- a/TODO.md +++ b/TODO.md 
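Review bot: The fix is the single inverted test `if (!deterministic) { return; }`, but nothing near it says which branches are meant to continue, so the original inversion could be reintroduced by the next refactor. A comment on that line such as `/* only deterministic branches get their coverage call suppressed below; bail out for everything else */` (wording presumed from the commit subject, confirm) would pin the intent. `instrument_coverage_switch` begins and ends outside this hunk.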
@@ -9,6 +9,7 @@ - afl-plot to support multiple plot_data - parallel builds for source-only targets - get rid of check_binary, replace with more forkserver communication + - first fuzzer should be a main automatically ## Maybe diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 976d61e5..172b9d7a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -501,7 +501,7 @@ int main(int argc, char **argv_orig, char **envp) { s32 opt, auto_sync = 0 /*, user_set_cache = 0*/; u64 prev_queued = 0; - u32 sync_interval_cnt = 0, seek_to = 0, show_help = 0, + u32 sync_interval_cnt = 0, seek_to = 0, show_help = 0, default_output = 1, map_size = get_map_size(); u8 *extras_dir[4]; u8 mem_limit_given = 0, exit_1 = 0, debug = 0, @@ -802,6 +802,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.out_file = ck_strdup(optarg); afl->fsrv.use_stdin = 0; + default_output = 0; break; case 'x': /* dictionary */ @@ -1911,6 +1912,7 @@ int main(int argc, char **argv_orig, char **envp) { if (aa_loc && !afl->fsrv.out_file) { afl->fsrv.use_stdin = 0; + default_output = 0; if (afl->file_extension) { @@ -2154,7 +2156,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.out_file = NULL; afl->fsrv.use_stdin = 0; - if (!afl->unicorn_mode && !afl->fsrv.use_stdin) { + if (!afl->unicorn_mode && !afl->fsrv.use_stdin && !default_output) { WARNF( "You specified -f or @@ on the command line but the target harness " @@ -2306,6 +2308,12 @@ int main(int argc, char **argv_orig, char **envp) { (!afl->queue_cycle && afl->afl_env.afl_import_first)) && afl->sync_id)) { + if (!afl->queue_cycle && afl->afl_env.afl_import_first) { + + OKF("Syncing queues from other fuzzer instances first ..."); + + } + sync_fuzzers(afl); } -- cgit 1.4.1 From e02753fd7db85a7f110927d7a8522df42408627f Mon Sep 17 00:00:00 2001 
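Review bot: `default_output = 1` is added to the declaration line in the first afl-fuzz.c hunk without a comment, and its meaning has to be reconstructed from the two places that clear it (the `-f` handler, apparently, and the `@@` detection) and the `WARNF` condition in the fourth hunk. A comment at the declaration, `/* 1 until -f or @@ selects an explicit target input path */`, would make the warning condition readable on its own. `main()` begins and ends outside these hunks.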
From: David Carlier Date: Wed, 7 Dec 2022 19:48:20 +0000 Subject: Silent more deprecation warning for clang 15 and onwards --- GNUmakefile.llvm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index bcbb6d38..d6e45d29 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -276,7 +276,7 @@ endif CXXFLAGS ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=1 override CXXFLAGS += -Wall -g -I ./include/ \ - -DVERSION=\"$(VERSION)\" -Wno-variadic-macros \ + -DVERSION=\"$(VERSION)\" -Wno-variadic-macros -Wno-deprecated-copy-with-dtor \ -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR) ifneq "$(shell $(LLVM_CONFIG) --includedir) 2> /dev/null" "" -- cgit 1.4.1 From 85b44bb73025b41d9b9a8b0aaf742f073621a98b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 12 Dec 2022 18:35:05 +0100 Subject: add cmplog envs --- include/envs.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/envs.h b/include/envs.h index 68d83f8c..f4cdf390 100644 --- a/include/envs.h +++ b/include/envs.h @@ -124,7 +124,9 @@ static char *afl_environment_variables[] = { "AFL_LLVM_ALLOWLIST", "AFL_LLVM_DENYLIST", "AFL_LLVM_BLOCKLIST", + "AFL_CMPLOG", "AFL_LLVM_CMPLOG", + "AFL_GCC_CMPLOG", "AFL_LLVM_INSTRIM", "AFL_LLVM_CALLER", "AFL_LLVM_CTX", -- cgit 1.4.1 From e26c173041b185d7ea37aa923cca3ec4aed51b1b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 13 Dec 2022 09:13:52 +0100 Subject: code format --- frida_mode/src/instrument/instrument_arm32.c | 4 ++++ utils/argv_fuzzing/argv-fuzz-inl.h | 4 +--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c index 84dbb3be..51f78a35 100644 --- a/frida_mode/src/instrument/instrument_arm32.c +++ b/frida_mode/src/instrument/instrument_arm32.c 
@@ -276,9 +276,13 @@ gpointer instrument_cur(GumStalkerOutput *output) { gpointer curr = NULL; if (output->encoding == GUM_INSTRUCTION_SPECIAL) { + curr = gum_thumb_writer_cur(output->writer.thumb); + } else { + curr = gum_arm_writer_cur(output->writer.arm); + } return curr; diff --git a/utils/argv_fuzzing/argv-fuzz-inl.h b/utils/argv_fuzzing/argv-fuzz-inl.h index e350dd4e..ec22c53b 100644 --- a/utils/argv_fuzzing/argv-fuzz-inl.h +++ b/utils/argv_fuzzing/argv-fuzz-inl.h @@ -65,9 +65,7 @@ static char **afl_init_argv(int *argc) { int rc = 0; ssize_t num = read(0, in_buf, MAX_CMDLINE_LEN - 2); - if (num < 0) { - exit(1); - } + if (num < 1) { _exit(1); } in_buf[num] = '\0'; in_buf[num + 1] = '\0'; -- cgit 1.4.1 From e30c20cd28786a75ce195fb672bd7dd190690f01 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 16 Dec 2022 20:44:49 +0000 Subject: fix Solaris/Illumos build --- GNUmakefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GNUmakefile b/GNUmakefile index 56013660..6b55635f 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -102,7 +102,7 @@ endif ifeq "$(SYS)" "SunOS" CFLAGS_OPT += -Wno-format-truncation - LDFLAGS = -lkstat -lrt + LDFLAGS = -lkstat -lrt -lsocket -lnsl endif ifdef STATIC -- cgit 1.4.1 From 96f05c7f6978fbc7648c0ae86b3827e0f9e6d467 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 20 Dec 2022 10:21:36 +0100 Subject: fix fork server timeout in afl-showmap --- src/afl-showmap.c | 60 +++++++++++++++++++++++++++---------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 93339a8f..d85c28d9 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
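Review bot: `if (num < 1) { _exit(1); }` now treats an empty input (`read()` returning 0) the same as a read error, so a zero-length test case no longer reaches the target with an empty argument list; if that is intentional it deserves a comment, otherwise `num < 0` for the error path and letting `num == 0` fall through to the terminator writes keeps the zero-argument case fuzzable. The switch from `exit(1)` to `_exit(1)` also skips atexit handlers and stdio flushing, which is a sensible choice inside a fork-server child but is worth stating in the same comment. `afl_init_argv` begins before this hunk.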
@@ -1233,6 +1233,36 @@ int main(int argc, char **argv_orig, char **envp) { } + if (getenv("AFL_FORKSRV_INIT_TMOUT")) { + + s32 forksrv_init_tmout = atoi(getenv("AFL_FORKSRV_INIT_TMOUT")); + if (forksrv_init_tmout < 1) { + + FATAL("Bad value specified for AFL_FORKSRV_INIT_TMOUT"); + + } + + fsrv->init_tmout = (u32)forksrv_init_tmout; + + } + + if (getenv("AFL_CRASH_EXITCODE")) { + + long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10); + if ((!exitcode && (errno == EINVAL || errno == ERANGE)) || + exitcode < -127 || exitcode > 128) { + + FATAL("Invalid crash exitcode, expected -127 to 128, but got %s", + getenv("AFL_CRASH_EXITCODE")); + + } + + fsrv->uses_crash_exitcode = true; + // WEXITSTATUS is 8 bit unsigned + fsrv->crash_exitcode = (u8)exitcode; + + } + if (in_dir) { (void)check_binary_signatures(fsrv->target_path); } shm_fuzz = ck_alloc(sizeof(sharedmem_t)); @@ -1365,36 +1395,6 @@ int main(int argc, char **argv_orig, char **envp) { } - if (getenv("AFL_FORKSRV_INIT_TMOUT")) { - - s32 forksrv_init_tmout = atoi(getenv("AFL_FORKSRV_INIT_TMOUT")); - if (forksrv_init_tmout < 1) { - - FATAL("Bad value specified for AFL_FORKSRV_INIT_TMOUT"); - - } - - fsrv->init_tmout = (u32)forksrv_init_tmout; - - } - - if (getenv("AFL_CRASH_EXITCODE")) { - - long exitcode = strtol(getenv("AFL_CRASH_EXITCODE"), NULL, 10); - if ((!exitcode && (errno == EINVAL || errno == ERANGE)) || - exitcode < -127 || exitcode > 128) { - - FATAL("Invalid crash exitcode, expected -127 to 128, but got %s", - getenv("AFL_CRASH_EXITCODE")); - - } - - fsrv->uses_crash_exitcode = true; - // WEXITSTATUS is 8 bit unsigned - fsrv->crash_exitcode = (u8)exitcode; - - } - afl_fsrv_start(fsrv, use_argv, &stop_soon, (get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT")) -- cgit 1.4.1 From 0165ca8c6c485e36fe8e5fc6182ebeba2100932b Mon Sep 17 00:00:00 2001 
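Review bot: The relocated `AFL_CRASH_EXITCODE` block checks `errno` after `strtol()` without clearing it first, so a stale `EINVAL`/`ERANGE` from an earlier libc call turns a legitimate value of 0 into a `FATAL`, while a non-numeric string that makes `strtol()` return 0 without touching `errno` is silently accepted as exit code 0. Adding `char *end; errno = 0;` before the call, passing `&end` instead of `NULL`, and adding `|| *end != '\0'` to the condition closes both gaps. The `AFL_FORKSRV_INIT_TMOUT` branch above it uses `atoi()`, which cannot report errors at all; the same `strtol` pattern would make the two env checks consistent. Moving the parsing ahead of `afl_fsrv_start` is the right fix for the timeout; the rest of `main()` is outside this hunk.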
From: vanhauser-thc Date: Tue, 20 Dec 2022 13:36:56 +0100 Subject: hide queue introspection behind define --- include/afl-fuzz.h | 8 ++++-- src/afl-fuzz-one.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/afl-fuzz-stats.c | 7 +++++ src/afl-fuzz.c | 9 +++++-- 4 files changed, 94 insertions(+), 4 deletions(-) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index f9dcbf8f..ea83aaca 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -169,12 +169,16 @@ struct queue_entry { u32 bitmap_size, /* Number of bits set in bitmap */ fuzz_level, /* Number of fuzzing iterations */ - n_fuzz_entry, /* offset in n_fuzz */ + n_fuzz_entry /* offset in n_fuzz */ +#ifdef INTROSPECTION + , stats_selected, /* stats: how often selected */ stats_skipped, /* stats: how often skipped */ stats_finds, /* stats: # of saved finds */ stats_crashes, /* stats: # of saved crashes */ - stats_tmouts; /* stats: # of saved timeouts */ + stats_tmouts /* stats: # of saved timeouts */ +#endif + ; u64 exec_us, /* Execution time (us) */ handicap, /* Number of queue cycles behind */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 253e78b6..9931820a 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -743,7 +743,9 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Two walking bits. */ @@ -776,7 +778,9 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Four walking bits. */ 
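Review bot: Placing `#ifdef INTROSPECTION` in the middle of a comma-separated declarator list, with a lone `,` on the line after the directive and the terminating `;` on its own line after `#endif`, is hard to read and easy to break when the next field is added. Ending the `u32` declaration at `n_fuzz_entry;` and declaring the five stats fields in their own `u32 stats_selected, stats_skipped, stats_finds, stats_crashes, stats_tmouts;` statement inside the `#ifdef` expresses the same layout conventionally. `stats_mutated`, which afl-fuzz-one.c now touches only under INTROSPECTION, is not in this hunk; if it is declared unconditionally further down in `struct queue_entry` it could carry the same guard.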
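Review bot: The identical three-line `#ifdef INTROSPECTION` / `afl->queue_cur->stats_mutated += afl->stage_max;` / `#endif` block is pasted after every stage accounting in `fuzz_one_original` and `mopt_common_fuzzing`, in this hunk and in the roughly thirty that follow through the `pacemaker_fuzzing` hunk. One macro defined once near the includes would reduce each site to a single line and make it impossible to forget the guard at the next stage. Both functions begin and end outside these hunks.
```c
/* once, after the includes of afl-fuzz-one.c */
#ifdef INTROSPECTION
  #define STATS_MUTATED_ADD(afl, n) ((afl)->queue_cur->stats_mutated += (n))
#else
  #define STATS_MUTATED_ADD(afl, n) ((void)0)
#endif

/* … unchanged: stage_finds / stage_cycles accounting … */
  STATS_MUTATED_ADD(afl, afl->stage_max);
```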
@@ -813,7 +817,9 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Effector map setup. These macros calculate: @@ -922,7 +928,9 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Two walking bytes. */ @@ -966,7 +974,9 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif if (len < 4) { goto skip_bitflip; } @@ -1010,7 +1020,9 @@ u8 fuzz_one_original(afl_state_t *afl) { afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_bitflip: @@ -1103,7 +1115,9 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* 16-bit arithmetics, both endians. */ @@ -1234,7 +1248,9 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* 32-bit arithmetics, both endians. */ @@ -1364,7 +1380,9 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_arith: 
@@ -1431,7 +1449,9 @@ skip_arith: afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Setting 16-bit integers, both endians. */ @@ -1520,7 +1540,9 @@ skip_arith: afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif if (len < 4) { goto skip_interest; } @@ -1610,7 +1632,9 @@ skip_arith: afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_interest: @@ -1684,7 +1708,9 @@ skip_interest: afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Insertion of user-supplied extras. */ @@ -1741,7 +1767,9 @@ skip_interest: afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_user_extras: @@ -1800,7 +1828,9 @@ skip_user_extras: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Insertion of auto extras. */ @@ -1857,7 +1887,9 @@ skip_user_extras: afl->stage_finds[STAGE_EXTRAS_AI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AI] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_extras: 
@@ -2004,7 +2036,9 @@ custom_mutator_stage: afl->stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_CUSTOM_MUTATOR] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif if (likely(afl->custom_only)) { @@ -2942,13 +2976,17 @@ havoc_stage: afl->stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_HAVOC] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif } else { afl->stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_SPLICE] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif } @@ -3430,7 +3468,9 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP1] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Two walking bits. */ @@ -3462,7 +3502,9 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP2] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Four walking bits. */ @@ -3498,7 +3540,9 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP4] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Effector map setup. These macros calculate: @@ -3606,7 +3650,9 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP8] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Two walking bytes. */ 
@@ -3649,7 +3695,9 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP16] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif if (len < 4) { goto skip_bitflip; } @@ -3692,7 +3740,9 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { afl->stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_FLIP32] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_bitflip: @@ -3783,7 +3833,9 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH8] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* 16-bit arithmetics, both endians. */ @@ -3910,7 +3962,9 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH16] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* 32-bit arithmetics, both endians. */ @@ -4036,7 +4090,9 @@ skip_bitflip: afl->stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ARITH32] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_arith: @@ -4102,7 +4158,9 @@ skip_arith: afl->stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST8] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Setting 16-bit integers, both endians. */ @@ -4189,7 +4247,9 @@ skip_arith: afl->stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST16] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif if (len < 4) { goto skip_interest; } 
@@ -4277,7 +4337,9 @@ skip_arith: afl->stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_INTEREST32] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_interest: @@ -4351,7 +4413,9 @@ skip_interest: afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Insertion of user-supplied extras. */ @@ -4408,7 +4472,9 @@ skip_interest: afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_user_extras: @@ -4468,7 +4534,9 @@ skip_user_extras: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif /* Insertion of auto extras. */ @@ -4525,7 +4593,9 @@ skip_user_extras: afl->stage_finds[STAGE_EXTRAS_AI] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AI] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif skip_extras: @@ -5351,13 +5421,17 @@ pacemaker_fuzzing: afl->stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_HAVOC] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif } else { afl->stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_SPLICE] += afl->stage_max; +#ifdef INTROSPECTION afl->queue_cur->stats_mutated += afl->stage_max; +#endif } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index ac9ad4db..87e149de 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
@@ -365,6 +365,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, } +#ifdef INTROSPECTION void write_queue_stats(afl_state_t *afl) { FILE *f; @@ -395,6 +396,8 @@ void write_queue_stats(afl_state_t *afl) { } +#endif + /* Update the plot file if there is a reason to. */ void maybe_update_plot_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, @@ -649,7 +652,9 @@ void show_stats_normal(afl_state_t *afl) { cur_ms - afl->stats_last_queue_ms > QUEUE_UPDATE_SEC * 1000)) { afl->stats_last_queue_ms = cur_ms; +#ifdef INTROSPECTION write_queue_stats(afl); +#endif } @@ -1445,7 +1450,9 @@ void show_stats_pizza(afl_state_t *afl) { cur_ms - afl->stats_last_queue_ms > QUEUE_UPDATE_SEC * 1000)) { afl->stats_last_queue_ms = cur_ms; +#ifdef INTROSPECTION write_queue_stats(afl); +#endif } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 172b9d7a..efef5523 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2279,8 +2279,10 @@ int main(int argc, char **argv_orig, char **envp) { // real start time, we reset, so this works correctly with -V afl->start_time = get_cur_time(); - u32 runs_in_current_cycle = (u32)-1; - u32 prev_queued_items = 0, prev_saved_crashes = 0, prev_saved_tmouts = 0; + #ifdef INTROSPECTION + u32 prev_saved_crashes = 0, prev_saved_tmouts = 0; + #endif + u32 prev_queued_items = 0, runs_in_current_cycle = (u32)-1; u8 skipped_fuzz; #ifdef INTROSPECTION @@ -2542,6 +2544,7 @@ int main(int argc, char **argv_orig, char **envp) { } skipped_fuzz = fuzz_one(afl); + #ifdef INTROSPECTION ++afl->queue_cur->stats_selected; if (unlikely(skipped_fuzz)) { @@ -2573,6 +2576,8 @@ int main(int argc, char **argv_orig, char **envp) { } + #endif + if (unlikely(!afl->stop_soon && exit_1)) { afl->stop_soon = 2; } if (unlikely(afl->old_seed_selection)) { -- cgit 1.4.1
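Review bot: In the afl-fuzz.c hunk starting at `skipped_fuzz = fuzz_one(afl);`, the new `#ifdef INTROSPECTION` opens before `if (unlikely(skipped_fuzz)) {` and the matching `#endif` is only in the next hunk, so the whole block between them (outside this view) is now compiled out of default builds; if it contains anything besides stats counters, or if `skipped_fuzz` has no other reader, non-INTROSPECTION builds lose that logic or gain a set-but-unused variable. Worth confirming against the full function. Also, these directives are written as `  #ifdef` / `  #endif` indented with the code, while the afl-fuzz-one.c hunks in the same commit put them at column 0; picking one convention (column 0 is what the rest of the commit uses) keeps the guards greppable.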