From 4f3b5f8adc35dae3f6c4e6c733ce54ff8aace420 Mon Sep 17 00:00:00 2001 From: MarcoFalke Date: Wed, 10 Mar 2021 20:51:15 +0100 Subject: doc: Clarify memory limits in Readme --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index c3c73f3f..0deaca22 100644 --- a/README.md +++ b/README.md @@ -546,12 +546,10 @@ If you need to stop and re-start the fuzzing, use the same command line options mutation mode!) and switch the input directory with a dash (`-`): `afl-fuzz -i - -o output -- bin/target -d @@` -Note that afl-fuzz enforces memory limits to prevent the system to run out -of memory. By default this is 50MB for a process. If this is too little for -the target (which you can usually see by afl-fuzz bailing with the message -that it could not connect to the forkserver), then you can increase this -with the `-m` option, the value is in MB. To disable any memory limits -(beware!) set `-m none` - which is usually required for ASAN compiled targets. +Memory limits are not enforced by afl-fuzz by default and the system may run +out of memory. You can decrease the memory with the `-m` option, the value is +in MB. If this is too small for the target, you can usually see this by +afl-fuzz bailing with the message that it could not connect to the forkserver. Adding a dictionary is helpful. See the directory [dictionaries/](dictionaries/) if something is already included for your data format, and tell afl-fuzz to load -- cgit 1.4.1 From ffd8fae22ae51b6eda9bad6c4ee7173daba427b8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 10 Mar 2021 22:44:43 +0100 Subject: PFATAL for libdislocator --- utils/libdislocator/libdislocator.so.c | 41 ++++------------------------------ 1 file changed, 4 insertions(+), 37 deletions(-) diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index c041fec6..b5f07c04 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -28,6 +28,7 @@ #include #include #include +#include "debug.h" #ifdef __APPLE__ #include @@ -95,39 +96,6 @@ typedef struct { #define SUPER_PAGE_SIZE 1 << 21 -/* Error / message handling: */ - -#define DEBUGF(_x...) \ - do { \ - \ - if (alloc_verbose) { \ - \ - if (++call_depth == 1) { \ - \ - fprintf(stderr, "[AFL] " _x); \ - fprintf(stderr, "\n"); \ - \ - } \ - call_depth--; \ - \ - } \ - \ - } while (0) - -#define FATAL(_x...) \ - do { \ - \ - if (++call_depth == 1) { \ - \ - fprintf(stderr, "*** [AFL] " _x); \ - fprintf(stderr, " ***\n"); \ - abort(); \ - \ - } \ - call_depth--; \ - \ - } while (0) - /* Macro to count the number of pages needed to store a buffer: */ #define PG_COUNT(_l) (((_l) + (PAGE_SIZE - 1)) / PAGE_SIZE) @@ -156,7 +124,6 @@ static u8 alloc_verbose, /* Additional debug messages */ #endif static __thread size_t total_mem; /* Currently allocated mem */ -static __thread u32 call_depth; /* To avoid recursion via fprintf() */ static u32 alloc_canary; /* This is the main alloc function. It allocates one page more than necessary, @@ -237,7 +204,7 @@ static void *__dislocator_alloc(size_t len) { if (ret == MAP_FAILED) { - if (hard_fail) FATAL("mmap() failed on alloc (OOM?)"); + if (hard_fail) PFATAL("mmap() failed on alloc (OOM?)"); DEBUGF("mmap() failed on alloc (OOM?)"); @@ -248,7 +215,7 @@ static void *__dislocator_alloc(size_t len) { /* Set PROT_NONE on the last page. */ if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE)) - FATAL("mprotect() failed when allocating memory"); + PFATAL("mprotect() failed when allocating memory"); /* Offset the return pointer so that it's right-aligned to the page boundary. */ @@ -362,7 +329,7 @@ void free(void *ptr) { ptr_ -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8; if (mprotect(ptr_ - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE)) - FATAL("mprotect() failed when freeing memory"); + PFATAL("mprotect() failed when freeing memory"); ptr = ptr_; -- cgit 1.4.1 From 966eba50a6892a0c218cdc462ef4dec9dcd01863 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 10 Mar 2021 22:51:05 +0100 Subject: Revert "PFATAL for libdislocator" This reverts commit ffd8fae22ae51b6eda9bad6c4ee7173daba427b8. --- utils/libdislocator/libdislocator.so.c | 41 ++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/utils/libdislocator/libdislocator.so.c b/utils/libdislocator/libdislocator.so.c index b5f07c04..c041fec6 100644 --- a/utils/libdislocator/libdislocator.so.c +++ b/utils/libdislocator/libdislocator.so.c @@ -28,7 +28,6 @@ #include #include #include -#include "debug.h" #ifdef __APPLE__ #include @@ -96,6 +95,39 @@ typedef struct { #define SUPER_PAGE_SIZE 1 << 21 +/* Error / message handling: */ + +#define DEBUGF(_x...) \ + do { \ + \ + if (alloc_verbose) { \ + \ + if (++call_depth == 1) { \ + \ + fprintf(stderr, "[AFL] " _x); \ + fprintf(stderr, "\n"); \ + \ + } \ + call_depth--; \ + \ + } \ + \ + } while (0) + +#define FATAL(_x...) \ + do { \ + \ + if (++call_depth == 1) { \ + \ + fprintf(stderr, "*** [AFL] " _x); \ + fprintf(stderr, " ***\n"); \ + abort(); \ + \ + } \ + call_depth--; \ + \ + } while (0) + /* Macro to count the number of pages needed to store a buffer: */ #define PG_COUNT(_l) (((_l) + (PAGE_SIZE - 1)) / PAGE_SIZE) @@ -124,6 +156,7 @@ static u8 alloc_verbose, /* Additional debug messages */ #endif static __thread size_t total_mem; /* Currently allocated mem */ +static __thread u32 call_depth; /* To avoid recursion via fprintf() */ static u32 alloc_canary; /* This is the main alloc function. It allocates one page more than necessary, @@ -204,7 +237,7 @@ static void *__dislocator_alloc(size_t len) { if (ret == MAP_FAILED) { - if (hard_fail) PFATAL("mmap() failed on alloc (OOM?)"); + if (hard_fail) FATAL("mmap() failed on alloc (OOM?)"); DEBUGF("mmap() failed on alloc (OOM?)"); @@ -215,7 +248,7 @@ static void *__dislocator_alloc(size_t len) { /* Set PROT_NONE on the last page. */ if (mprotect(ret + PG_COUNT(rlen + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE)) - PFATAL("mprotect() failed when allocating memory"); + FATAL("mprotect() failed when allocating memory"); /* Offset the return pointer so that it's right-aligned to the page boundary. */ @@ -329,7 +362,7 @@ void free(void *ptr) { ptr_ -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8; if (mprotect(ptr_ - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE)) - PFATAL("mprotect() failed when freeing memory"); + FATAL("mprotect() failed when freeing memory"); ptr = ptr_; -- cgit 1.4.1 From d60bbff0d937cfb4ac29dd6ffb317f1b6d551855 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 11 Mar 2021 00:17:52 +0100 Subject: more time for tests --- test/test-custom-mutators.sh | 12 ++++++------ test/test-llvm.sh | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/test/test-custom-mutators.sh b/test/test-custom-mutators.sh index 24c95ac7..bae4220f 100755 --- a/test/test-custom-mutators.sh +++ b/test/test-custom-mutators.sh @@ -37,9 +37,9 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { echo "00000" > in/in # Run afl-fuzz w/ the C mutator - $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 5 seconds" + $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 } >>errors 2>&1 # Check results @@ -57,9 +57,9 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { rm -rf out errors core.* # Run afl-fuzz w/ multiple C mutators - $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 5 seconds" + $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 10 seconds" { - AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 + AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:000000* 2>/dev/null )" && { # TODO: update here @@ -76,11 +76,11 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && { rm -rf out errors core.* # Run afl-fuzz w/ the Python mutator - $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 5 seconds" + $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 10 seconds" { export PYTHONPATH=${CUSTOM_MUTATOR_PATH} export AFL_PYTHON_MODULE=example - AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V5 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 + AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1 unset PYTHONPATH unset AFL_PYTHON_MODULE } >>errors 2>&1 diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 156b8920..e81fcce1 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -162,9 +162,9 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { test -e test-floatingpoint && { mkdir -p in echo ZZZZ > in/in - $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 30 seconds" + $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 40 seconds" { - AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -s 1 -V30 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -s 1 -V40 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && { $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly" -- cgit 1.4.1 From 0484d9b0247b0729767ba3715b90c29320395024 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 11 Mar 2021 00:49:23 +0100 Subject: more time for float split test --- test/test-llvm.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/test-llvm.sh b/test/test-llvm.sh index e81fcce1..6503cd98 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -162,9 +162,9 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { test -e test-floatingpoint && { mkdir -p in echo ZZZZ > in/in - $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 40 seconds" + $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 45 seconds" { - AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -s 1 -V40 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 1 -V45 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && { $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly" -- cgit 1.4.1 From 16e3e2a7f78a11702fb394803bec78b3b0a99906 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 11 Mar 2021 01:39:21 +0100 Subject: implemented #801 --- src/afl-fuzz-stats.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index bd856088..2e7de7b3 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -823,7 +823,12 @@ void show_stats(afl_state_t *afl) { SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP " total crashes : %s%-22s" bSTG bV "\n", u_stringify_int(IB(0), afl->fsrv.total_execs), - afl->unique_crashes ? cLRD : cRST, tmp); + // New crashes this round -> Red, restored crashes -> yellow, else + // white. + afl->total_crashes ? cLRD + : afl->unique_crashes ? cYEL + : cRST, + tmp); } -- cgit 1.4.1 From adeb0d18b12e717fe866e1790a522b4f158f11e1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 11 Mar 2021 08:59:26 +0100 Subject: fix the auto map fix --- src/afl-fuzz.c | 159 ++++++++++++++++++++++++++++++------------------------ test/test-llvm.sh | 4 +- 2 files changed, 92 insertions(+), 71 deletions(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index cd049fd5..096ee29d 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1581,46 +1581,58 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); - if (afl->fsrv.map_size <= 8000000) { + if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode && + !afl->unicorn_mode) { - afl->fsrv.map_size = 8000000; // dummy temporary value - setenv("AFL_MAP_SIZE", "8000000", 1); + if (map_size <= 8000000&& !afl->non_instrumented_mode && + !afl->fsrv.qemu_mode && !afl->unicorn_mode) { - } + afl->fsrv.map_size = 8000000; // dummy temporary value + setenv("AFL_MAP_SIZE", "8000000", 1); - u32 new_map_size = afl_fsrv_get_mapsize( - &afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child); - - // only reinitialize when it makes sense - if (map_size < new_map_size || - (new_map_size > map_size && new_map_size - map_size > MAP_SIZE && - (!afl->cmplog_binary || new_map_size == MAP_SIZE))) { - - OKF("Re-initializing maps to %u bytes", new_map_size); - - afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); - afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); - afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size); - afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size); - afl->top_rated = ck_realloc(afl->top_rated, new_map_size * sizeof(void *)); - afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size); - afl->clean_trace_custom = ck_realloc(afl->clean_trace_custom, new_map_size); - afl->first_trace = ck_realloc(afl->first_trace, new_map_size); - afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size); - - afl_fsrv_kill(&afl->fsrv); - afl_shm_deinit(&afl->shm); - afl->fsrv.map_size = new_map_size; - afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); - setenv("AFL_NO_AUTODICT", "1", 1); // loaded already - afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, - afl->afl_env.afl_debug_child); - map_size = new_map_size; + } - } else { + u32 new_map_size = afl_fsrv_get_mapsize( + &afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child); + + if (new_map_size && new_map_size != map_size) { + + // only reinitialize when it makes sense + if (map_size < new_map_size || + (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { + + OKF("Re-initializing maps to %u bytes", new_map_size); + + afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); + afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); + afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size); + afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size); + afl->top_rated = + ck_realloc(afl->top_rated, new_map_size * sizeof(void *)); + afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size); + afl->clean_trace_custom = + ck_realloc(afl->clean_trace_custom, new_map_size); + afl->first_trace = ck_realloc(afl->first_trace, new_map_size); + afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size); + + afl_fsrv_kill(&afl->fsrv); + afl_shm_deinit(&afl->shm); + afl->fsrv.map_size = new_map_size; + afl->fsrv.trace_bits = + afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); + setenv("AFL_NO_AUTODICT", "1", 1); // loaded already + afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, + afl->afl_env.afl_debug_child); - afl->fsrv.map_size = map_size; + } + + map_size = new_map_size; + + } else { + + afl->fsrv.map_size = map_size; + + } } @@ -1634,50 +1646,59 @@ int main(int argc, char **argv_orig, char **envp) { afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary; afl->cmplog_fsrv.init_child_func = cmplog_exec_child; + if (map_size <= 8000000 && !afl->non_instrumented_mode && + !afl->fsrv.qemu_mode && !afl->unicorn_mode) { + + afl->fsrv.map_size = 8000000; // dummy temporary value + setenv("AFL_MAP_SIZE", "8000000", 1); + + } + u32 new_map_size = afl_fsrv_get_mapsize(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child); - // only reinitialize when necessary - if (map_size < new_map_size || - (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { - - OKF("Re-initializing maps to %u bytes due cmplog", new_map_size); - - afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); - afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); - afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size); - afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size); - afl->top_rated = - ck_realloc(afl->top_rated, new_map_size * sizeof(void *)); - afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size); - afl->clean_trace_custom = - ck_realloc(afl->clean_trace_custom, new_map_size); - afl->first_trace = ck_realloc(afl->first_trace, new_map_size); - afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size); - - afl_fsrv_kill(&afl->fsrv); - afl_fsrv_kill(&afl->cmplog_fsrv); - afl_shm_deinit(&afl->shm); - afl->cmplog_fsrv.map_size = new_map_size; // non-cmplog stays the same - - afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); - setenv("AFL_NO_AUTODICT", "1", 1); // loaded already - afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, - afl->afl_env.afl_debug_child); - - afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, - afl->afl_env.afl_debug_child); + if (new_map_size && new_map_size != map_size) { - map_size = new_map_size; + // only reinitialize when it needs to be larger + if (map_size < new_map_size) { - } else { + OKF("Re-initializing maps to %u bytes due cmplog", new_map_size); + + afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); + afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); + afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size); + afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size); + afl->top_rated = + ck_realloc(afl->top_rated, new_map_size * sizeof(void *)); + afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size); + afl->clean_trace_custom = + ck_realloc(afl->clean_trace_custom, new_map_size); + afl->first_trace = ck_realloc(afl->first_trace, new_map_size); + afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size); + + afl_fsrv_kill(&afl->fsrv); + afl_fsrv_kill(&afl->cmplog_fsrv); + afl_shm_deinit(&afl->shm); + afl->cmplog_fsrv.map_size = new_map_size; // non-cmplog stays the same - afl->cmplog_fsrv.map_size = map_size; + afl->fsrv.trace_bits = + afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); + setenv("AFL_NO_AUTODICT", "1", 1); // loaded already + afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, + afl->afl_env.afl_debug_child); + + afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, + afl->afl_env.afl_debug_child); + + } + + map_size = new_map_size; } + afl->cmplog_fsrv.map_size = map_size; + OKF("Cmplog forkserver successfully started"); } diff --git a/test/test-llvm.sh b/test/test-llvm.sh index 6503cd98..1bcf013a 100755 --- a/test/test-llvm.sh +++ b/test/test-llvm.sh @@ -162,9 +162,9 @@ test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { test -e test-floatingpoint && { mkdir -p in echo ZZZZ > in/in - $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 45 seconds" + $ECHO "$GREY[*] running afl-fuzz with floating point splitting, this will take max. 30 seconds" { - AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 1 -V45 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1 + AFL_BENCH_UNTIL_CRASH=1 AFL_NO_UI=1 ../afl-fuzz -Z -s 1 -V30 -m ${MEM_LIMIT} -i in -o out -D -- ./test-floatingpoint >>errors 2>&1 } >>errors 2>&1 test -n "$( ls out/default/crashes/id:* 2>/dev/null )" && { $ECHO "$GREEN[+] llvm_mode laf-intel floatingpoint splitting feature works correctly" -- cgit 1.4.1 From b7d90a9e318933211936be8f5174690cd8c01e24 Mon Sep 17 00:00:00 2001 From: aflpp Date: Thu, 11 Mar 2021 09:32:22 +0100 Subject: new auto map --- src/afl-fuzz.c | 130 +++++++++++++++++++++++++++------------------------------ 1 file changed, 61 insertions(+), 69 deletions(-) diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 096ee29d..dbf4df37 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1584,7 +1584,7 @@ int main(int argc, char **argv_orig, char **envp) { if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode && !afl->unicorn_mode) { - if (map_size <= 8000000&& !afl->non_instrumented_mode && + if (map_size <= 8000000 && !afl->non_instrumented_mode && !afl->fsrv.qemu_mode && !afl->unicorn_mode) { afl->fsrv.map_size = 8000000; // dummy temporary value @@ -1595,45 +1595,40 @@ int main(int argc, char **argv_orig, char **envp) { u32 new_map_size = afl_fsrv_get_mapsize( &afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child); - if (new_map_size && new_map_size != map_size) { - - // only reinitialize when it makes sense - if (map_size < new_map_size || - (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { - - OKF("Re-initializing maps to %u bytes", new_map_size); - - afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); - afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); - afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size); - afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size); - afl->top_rated = - ck_realloc(afl->top_rated, new_map_size * sizeof(void *)); - afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size); - afl->clean_trace_custom = - ck_realloc(afl->clean_trace_custom, new_map_size); - afl->first_trace = ck_realloc(afl->first_trace, new_map_size); - afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size); - - afl_fsrv_kill(&afl->fsrv); - afl_shm_deinit(&afl->shm); - afl->fsrv.map_size = new_map_size; - afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); - setenv("AFL_NO_AUTODICT", "1", 1); // loaded already - afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, - afl->afl_env.afl_debug_child); - - } + // only reinitialize when it makes sense + if (map_size < new_map_size || + (!afl->cmplog_binary && new_map_size < map_size && + map_size - new_map_size > MAP_SIZE)) { + + OKF("Re-initializing maps to %u bytes", new_map_size); + + afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); + afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); + afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size); + afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size); + afl->top_rated = + ck_realloc(afl->top_rated, new_map_size * sizeof(void *)); + afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size); + afl->clean_trace_custom = + ck_realloc(afl->clean_trace_custom, new_map_size); + afl->first_trace = ck_realloc(afl->first_trace, new_map_size); + afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size); + + afl_fsrv_kill(&afl->fsrv); + afl_shm_deinit(&afl->shm); + afl->fsrv.map_size = new_map_size; + afl->fsrv.trace_bits = + afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); + setenv("AFL_NO_AUTODICT", "1", 1); // loaded already + afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, + afl->afl_env.afl_debug_child); map_size = new_map_size; - } else { - - afl->fsrv.map_size = map_size; - } + afl->fsrv.map_size = map_size; + } if (afl->cmplog_binary) { @@ -1658,40 +1653,37 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_get_mapsize(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child); - if (new_map_size && new_map_size != map_size) { - - // only reinitialize when it needs to be larger - if (map_size < new_map_size) { - - OKF("Re-initializing maps to %u bytes due cmplog", new_map_size); - - afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); - afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); - afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size); - afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size); - afl->top_rated = - ck_realloc(afl->top_rated, new_map_size * sizeof(void *)); - afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size); - afl->clean_trace_custom = - ck_realloc(afl->clean_trace_custom, new_map_size); - afl->first_trace = ck_realloc(afl->first_trace, new_map_size); - afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size); - - afl_fsrv_kill(&afl->fsrv); - afl_fsrv_kill(&afl->cmplog_fsrv); - afl_shm_deinit(&afl->shm); - afl->cmplog_fsrv.map_size = new_map_size; // non-cmplog stays the same - - afl->fsrv.trace_bits = - afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); - setenv("AFL_NO_AUTODICT", "1", 1); // loaded already - afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, - afl->afl_env.afl_debug_child); - - afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, - afl->afl_env.afl_debug_child); - - } + // only reinitialize when it needs to be larger + if (map_size < new_map_size || + (new_map_size < map_size && map_size - new_map_size > MAP_SIZE)) { + + OKF("Re-initializing maps to %u bytes due cmplog", new_map_size); + + afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size); + afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size); + afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size); + afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size); + afl->top_rated = + ck_realloc(afl->top_rated, new_map_size * sizeof(void *)); + afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size); + afl->clean_trace_custom = + ck_realloc(afl->clean_trace_custom, new_map_size); + afl->first_trace = ck_realloc(afl->first_trace, new_map_size); + afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size); + + afl_fsrv_kill(&afl->fsrv); + afl_fsrv_kill(&afl->cmplog_fsrv); + afl_shm_deinit(&afl->shm); + afl->cmplog_fsrv.map_size = new_map_size; // non-cmplog stays the same + + afl->fsrv.trace_bits = + afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode); + setenv("AFL_NO_AUTODICT", "1", 1); // loaded already + afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, + afl->afl_env.afl_debug_child); + + afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, + afl->afl_env.afl_debug_child); map_size = new_map_size; -- cgit 1.4.1