From a3f8fc5d1ccabc455e28157ee86211f0c11c81a3 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 26 Apr 2021 16:03:08 +0200 Subject: moved custom_mutator examples --- docs/custom_mutators.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/custom_mutators.md') diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 62e01f83..9d5381e8 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -285,8 +285,8 @@ afl-fuzz /path/to/program ## 4) Example -Please see [example.c](../utils/custom_mutators/example.c) and -[example.py](../utils/custom_mutators/example.py) +Please see [example.c](../custom_mutators/examples/example.c) and +[example.py](../custom_mutators/examples/example.py) ## 5) Other Resources -- cgit 1.4.1 From 3b93729213de46a3008709bd8170d5593394d8cb Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 25 May 2021 22:04:25 +0200 Subject: tweaks --- docs/Changelog.md | 4 ++-- docs/custom_mutators.md | 3 +++ src/afl-fuzz-python.c | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) (limited to 'docs/custom_mutators.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index f8831ff1..175c6c43 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -35,8 +35,8 @@ sending a mail to . afl++ ignores these and uses them for splicing instead. - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing after no new paths have been found for n seconds - - when AFL_FAST_CAL is set a variable path will now be calibrated - 8 times instead of 40 + - when AFL_FAST_CAL is set a variable path will no be calibrated + 8 times instead of originally 40. Long calibration is now 20. - added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if it fails - afl-cc: diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 9d5381e8..3e3ae01d 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md 
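Review bot: the rewritten entry in docs/Changelog.md (commit 3b937292) introduces a typo: `- when AFL_FAST_CAL is set a variable path will no be calibrated` should read `will now be calibrated`. The added sentence `Long calibration is now 20.` also does not say what 20 counts; phrase it like the line it follows (`8 times instead of originally 40`) so the reader knows it is the number of calibration runs.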
@@ -92,6 +92,9 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): def introspection(): return string + +def deinit(): # optional for Python + pass ``` ### Custom Mutation diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 8760194c..3aa97635 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -212,7 +212,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { PyObject_GetAttrString(py_module, "introspection"); py_functions[PY_FUNC_DEINIT] = PyObject_GetAttrString(py_module, "deinit"); if (!py_functions[PY_FUNC_DEINIT]) - FATAL("deinit function not found in python module"); + WARNF("deinit function not found in python module"); for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) { -- cgit 1.4.1 From 5f6ff95e6a203ef6392f7c100a981671edc5fe41 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 1 Jun 2021 10:53:02 +0200 Subject: fix docs --- custom_mutators/examples/post_library_gif.so.c | 5 +++-- docs/custom_mutators.md | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'docs/custom_mutators.md') diff --git a/custom_mutators/examples/post_library_gif.so.c b/custom_mutators/examples/post_library_gif.so.c index ac10f409..aec05720 100644 --- a/custom_mutators/examples/post_library_gif.so.c +++ b/custom_mutators/examples/post_library_gif.so.c @@ -45,6 +45,7 @@ 1) If you don't want to modify the test case, simply set `*out_buf = in_buf` and return the original `len`. + NOTE: the following is currently NOT true, we abort in this case! 2) If you want to skip this test case altogether and have AFL generate a new one, return 0 or set `*out_buf = NULL`. Use this sparingly - it's faster than running the target program 
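Review bot: downgrading the missing-`deinit` case from FATAL to WARNF in src/afl-fuzz-python.c leaves a pending Python exception: `PyObject_GetAttrString` returns NULL and sets AttributeError when the attribute is absent, so the warning branch should call `PyErr_Clear()` before continuing. Also confirm that the `for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx)` loop that follows tolerates a NULL `py_functions[PY_FUNC_DEINIT]` entry and that the place where deinit is invoked checks for NULL, otherwise the now-optional function is dereferenced at shutdown.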
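Review bot: in custom_mutators/examples/post_library_gif.so.c, the added `NOTE: the following is currently NOT true, we abort in this case!` contradicts point 2 instead of correcting it. Rewrite point 2 to describe the actual behaviour (returning 0 or setting `*out_buf = NULL` aborts afl-fuzz, so a length > 0 must always be returned) rather than leaving the stale instruction with a disclaimer; a reader skimming the list still sees `return 0 or set *out_buf = NULL` presented as a valid option.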
@@ -53,14 +54,14 @@ 3) If you want to modify the test case, allocate an appropriately-sized buffer, move the data into that buffer, make the necessary changes, and then return the new pointer as out_buf. Return an appropriate len - afterwards. + afterwards. Note that the buffer will *not* be freed for you. To avoid memory leaks, you need to free it or reuse it on subsequent calls (as shown below). *** Feel free to reuse the original 'in_buf' BUFFER and return it. *** - Aight. The example below shows a simple postprocessor that tries to make + Alright. The example below shows a simple postprocessor that tries to make sure that all input files start with "GIF89a". PS. If you don't like C, you can try out the unix-based wrapper from diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 3e3ae01d..129d6676 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -123,6 +123,7 @@ def deinit(): # optional for Python Note that this function is optional - but it makes sense to use it. You would only skip this if `post_process` is used to fix checksums etc. so if you are using it e.g. as a post processing library. + Note that a length > 0 *must* be returned! - `describe` (optional): -- cgit 1.4.1 From 37fff16a36c49f47c1a10fcf7c03aa1361a1ae2b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 11 Jul 2021 17:26:31 +0200 Subject: update custom trim --- docs/custom_mutators.md | 4 +--- src/afl-fuzz-mutators.c | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) (limited to 'docs/custom_mutators.md') diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 129d6676..2c0ca3c5 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md 
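Review bot: the added `Note that a length > 0 *must* be returned!` in docs/custom_mutators.md is appended to the paragraph about the function being optional and does not say what happens otherwise. State the consequence explicitly (afl-fuzz aborts, as the same commit's change to post_library_gif.so.c says) and whether a NULL `out_buf` is rejected in the same way, so the documentation and the example header agree.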
@@ -204,9 +204,7 @@ trimmed input. Here's a quick API description: arguments because we already have the initial buffer from `init_trim` and we can memorize the current state in the data variables. This can also save reparsing steps for each iteration. It should return the trimmed input - buffer, where the returned data must not exceed the initial input data in - length. Returning anything that is larger than the original data (passed to - `init_trim`) will result in a fatal abort of AFL++. + buffer. - `post_trim` (optional) diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index e27d6fae..6a77dfbc 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -339,7 +339,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, } - while (afl->stage_cur < afl->stage_max) { + while (afl->stage_cur <= afl->stage_max) { u8 *retbuf = NULL; -- cgit 1.4.1
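Review bot: the docs/custom_mutators.md hunk drops the statement that `trim` may not return more data than was passed to `init_trim` and that exceeding it is a fatal abort, but the commit message `update custom trim` gives no reason and no corresponding removal of that abort appears in src/afl-fuzz-mutators.c in this diff. Either keep the constraint in the docs or reference the change that lifted it; if the limit is still enforced, removing the sentence makes the docs wrong.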
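Review bot: changing the loop in `trim_case_custom` from `afl->stage_cur < afl->stage_max` to `<=` adds one iteration, so the trimmer now also runs with `stage_cur == stage_max`. That is only correct if `stage_max` holds the last valid step index rather than the step count returned by `init_trim`; please check the assignment that sets `stage_max`, and any array access or progress calculation indexed by `stage_cur`, and record in the commit message why the bound changed.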