From a0da53117081cbca03674224cad26e5dd2fe5eaf Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 25 May 2020 22:09:00 +0200 Subject: libfuzzer driver + llvm_mode compilation optimization --- examples/aflpp_driver/Makefile | 24 +++ examples/aflpp_driver/aflpp_driver.cpp | 281 +++++++++++++++++++++++++++++++++ 2 files changed, 305 insertions(+) create mode 100644 examples/aflpp_driver/Makefile create mode 100644 examples/aflpp_driver/aflpp_driver.cpp (limited to 'examples/aflpp_driver') diff --git a/examples/aflpp_driver/Makefile b/examples/aflpp_driver/Makefile new file mode 100644 index 00000000..6f7c7bc9 --- /dev/null +++ b/examples/aflpp_driver/Makefile @@ -0,0 +1,24 @@ +ifeq "" "$(LLVM_CONFIG)" + LLVM_CONFIG=llvm-config +endif + +LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) +ifneq "" "$(LLVM_BINDIR)" + LLVM_BINDIR := $(LLVM_BINDIR)/ +endif + + + +all: libAFLDriver.a + +aflpp_driver.o: aflpp_driver.cpp + $(LLVM_BINDIR)clang++ -O3 -march=native -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + +afl-llvm-rt.o: ../../llvm_mode/afl-llvm-rt.o.c + $(LLVM_BINDIR)clang++ -O3 -march=native -funroll-loops -stdlib=libc++ -std=c++11 -c aflpp_driver.cpp + +libAFLDriver.a: aflpp_driver.o afl-llvm-rt.o + ar ru libAFLDriver.a aflpp_driver.o + +clean: + rm -f *.o libAFLDriver.a *~ core diff --git a/examples/aflpp_driver/aflpp_driver.cpp b/examples/aflpp_driver/aflpp_driver.cpp new file mode 100644 index 00000000..3dcc8c3c --- /dev/null +++ b/examples/aflpp_driver/aflpp_driver.cpp 
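Review bot: The `afl-llvm-rt.o` rule in the new Makefile compiles `aflpp_driver.cpp` instead of its own prerequisite `../../llvm_mode/afl-llvm-rt.o.c`, so the runtime object is never produced (the command emits `aflpp_driver.o`, which also makes the rule re-run on every invocation); it should read `$(LLVM_BINDIR)clang -O3 -funroll-loops -c -o afl-llvm-rt.o ../../llvm_mode/afl-llvm-rt.o.c`. The `libAFLDriver.a` rule depends on `afl-llvm-rt.o` but archives only `aflpp_driver.o`, so either drop the prerequisite or add it: `ar ru libAFLDriver.a aflpp_driver.o afl-llvm-rt.o`. `-march=native` bakes the build host's ISA into a static archive that is meant to be linked into other people's targets and will SIGILL on an older CPU, so it belongs in a user-overridable variable rather than hard-coded. `all` and `clean` should also be declared `.PHONY`.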
@@ -0,0 +1,281 @@
+//===- afl_driver.cpp - a glue between AFL and libFuzzer --------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//===----------------------------------------------------------------------===//
+
+/* This file allows to fuzz libFuzzer-style target functions
+ (LLVMFuzzerTestOneInput) with AFL using AFL's persistent (in-process) mode.
+
+Usage:
+################################################################################
+cat << EOF > test_fuzzer.cc
+#include
+#include
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ if (size > 0 && data[0] == 'H')
+ if (size > 1 && data[1] == 'I')
+ if (size > 2 && data[2] == '!')
+ __builtin_trap();
+ return 0;
+}
+EOF
+# Build your target with -fsanitize-coverage=trace-pc-guard using fresh clang.
+clang -g -fsanitize-coverage=trace-pc-guard test_fuzzer.cc -c
+# Build afl-llvm-rt.o.c from the AFL distribution.
+clang -c -w $AFL_HOME/llvm_mode/afl-llvm-rt.o.c
+# Build this file, link it with afl-llvm-rt.o.o and the target code.
+clang++ afl_driver.cpp test_fuzzer.o afl-llvm-rt.o.o
+# Run AFL:
+rm -rf IN OUT; mkdir IN OUT; echo z > IN/z;
+$AFL_HOME/afl-fuzz -i IN -o OUT ./a.out
+################################################################################
+AFL_DRIVER_STDERR_DUPLICATE_FILENAME: Setting this *appends* stderr to the file
+specified. If the file does not exist, it is created. This is useful for getting
+stack traces (when using ASAN for example) or original error messages on hard
+to reproduce bugs. Note that any content written to stderr will be written to
+this file instead of stderr's usual location.
+
+AFL_DRIVER_CLOSE_FD_MASK: Similar to libFuzzer's -close_fd_mask behavior option.
+If 1, close stdout at startup. If 2 close stderr; if 3 close both.
+
+*/
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+
+// Platform detection. Copied from FuzzerInternal.h
+#ifdef __linux__
+#define LIBFUZZER_LINUX 1
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#elif __APPLE__
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_APPLE 1
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#elif __NetBSD__
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_NETBSD 1
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#elif __FreeBSD__
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 1
+#define LIBFUZZER_OPENBSD 0
+#elif __OpenBSD__
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 1
+#else
+#error "Support for your platform has not been implemented"
+#endif
+
+int __afl_sharedmem_fuzzing = 1;
+extern unsigned int __afl_fuzz_len;
+extern unsigned char *__afl_fuzz_ptr;
+
+// libFuzzer interface is thin, so we don't include any libFuzzer headers.
+extern "C" {
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
+}
+
+// Notify AFL about persistent mode.
+static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##";
+extern "C" int __afl_persistent_loop(unsigned int);
+static volatile char suppress_warning2 = AFL_PERSISTENT[0];
+
+// Notify AFL about deferred forkserver.
+static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##";
+extern "C" void __afl_manual_init();
+static volatile char suppress_warning1 = AFL_DEFER_FORKSVR[0];
+
+// Input buffer.
+static const size_t kMaxAflInputSize = 1 << 20;
+static uint8_t AflInputBuf[kMaxAflInputSize];
+
+// Use this optionally defined function to output sanitizer messages even if
+// user asks to close stderr.
+__attribute__((weak)) extern "C" void __sanitizer_set_report_fd(void *);
+
+// Keep track of where stderr content is being written to, so that
+// dup_and_close_stderr can use the correct one.
+static FILE *output_file = stderr;
+
+// Experimental feature to use afl_driver without AFL's deferred mode.
+// Needs to run before __afl_auto_init.
+__attribute__((constructor(0))) static void __decide_deferred_forkserver(void) {
+ if (getenv("AFL_DRIVER_DONT_DEFER")) {
+ if (unsetenv("__AFL_DEFER_FORKSRV")) {
+ perror("Failed to unset __AFL_DEFER_FORKSRV");
+ abort();
+ }
+ }
+}
+
+// If the user asks us to duplicate stderr, then do it.
+static void maybe_duplicate_stderr() {
+ char *stderr_duplicate_filename =
+ getenv("AFL_DRIVER_STDERR_DUPLICATE_FILENAME");
+
+ if (!stderr_duplicate_filename)
+ return;
+
+ FILE *stderr_duplicate_stream =
+ freopen(stderr_duplicate_filename, "a+", stderr);
+
+ if (!stderr_duplicate_stream) {
+ fprintf(
+ stderr,
+ "Failed to duplicate stderr to AFL_DRIVER_STDERR_DUPLICATE_FILENAME");
+ abort();
+ }
+ output_file = stderr_duplicate_stream;
+}
+
+// Most of these I/O functions were inspired by/copied from libFuzzer's code.
+static void discard_output(int fd) {
+ FILE *temp = fopen("/dev/null", "w");
+ if (!temp)
+ abort();
+ dup2(fileno(temp), fd);
+ fclose(temp);
+}
+
+static void close_stdout() { discard_output(STDOUT_FILENO); }
+
+// Prevent the targeted code from writing to "stderr" but allow sanitizers and
+// this driver to do so.
+static void dup_and_close_stderr() {
+ int output_fileno = fileno(output_file);
+ int output_fd = dup(output_fileno);
+ if (output_fd <= 0)
+ abort();
+ FILE *new_output_file = fdopen(output_fd, "w");
+ if (!new_output_file)
+ abort();
+ if (!__sanitizer_set_report_fd)
+ return;
+ __sanitizer_set_report_fd(reinterpret_cast(output_fd));
+ discard_output(output_fileno);
+}
+
+static void Printf(const char *Fmt, ...) {
+ va_list ap;
+ va_start(ap, Fmt);
+ vfprintf(output_file, Fmt, ap);
+ va_end(ap);
+ fflush(output_file);
+}
+
+// Close stdout and/or stderr if user asks for it.
+static void maybe_close_fd_mask() {
+ char *fd_mask_str = getenv("AFL_DRIVER_CLOSE_FD_MASK");
+ if (!fd_mask_str)
+ return;
+ int fd_mask = atoi(fd_mask_str);
+ if (fd_mask & 2)
+ dup_and_close_stderr();
+ if (fd_mask & 1)
+ close_stdout();
+}
+
+// Define LLVMFuzzerMutate to avoid link failures for targets that use it
+// with libFuzzer's LLVMFuzzerCustomMutator.
+extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) {
+ assert(false && "LLVMFuzzerMutate should not be called from afl_driver");
+ return 0;
+}
+
+// Execute any files provided as parameters.
+static int ExecuteFilesOnyByOne(int argc, char **argv) {
+ for (int i = 1; i < argc; i++) {
+ std::ifstream in(argv[i], std::ios::binary);
+ in.seekg(0, in.end);
+ size_t length = in.tellg();
+ in.seekg (0, in.beg);
+ std::cout << "Reading " << length << " bytes from " << argv[i] << std::endl;
+ // Allocate exactly length bytes so that we reliably catch buffer overflows.
+ std::vector bytes(length); + in.read(bytes.data(), bytes.size()); + assert(in); + LLVMFuzzerTestOneInput(reinterpret_cast(bytes.data()), + bytes.size()); + std::cout << "Execution successful" << std::endl; + } + return 0; +} + +int main(int argc, char **argv) { + Printf( + "======================= INFO =========================\n" + "This binary is built for AFL-fuzz.\n" + "To run the target function on individual input(s) execute this:\n" + " %s < INPUT_FILE\n" + "or\n" + " %s INPUT_FILE1 [INPUT_FILE2 ... ]\n" + "To fuzz with afl-fuzz execute this:\n" + " afl-fuzz [afl-flags] %s [-N]\n" + "afl-fuzz will run N iterations before " + "re-spawning the process (default: 1000)\n" + "======================================================\n", + argv[0], argv[0], argv[0]); + + maybe_duplicate_stderr(); + maybe_close_fd_mask(); + if (LLVMFuzzerInitialize) + LLVMFuzzerInitialize(&argc, &argv); + // Do any other expensive one-time initialization here. + + int N = 1000; + if (argc == 2 && argv[1][0] == '-') + N = atoi(argv[1] + 1); + else if(argc == 2 && (N = atoi(argv[1])) > 0) + Printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); + else if (argc > 1) { + if (!getenv("AFL_DRIVER_DONT_DEFER")) { + __afl_sharedmem_fuzzing = 0; + __afl_manual_init(); + } + return ExecuteFilesOnyByOne(argc, argv); + exit(0); + } + + assert(N > 0); + + if (!getenv("AFL_DRIVER_DONT_DEFER")) + __afl_manual_init(); + + // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization + // on the first execution of LLVMFuzzerTestOneInput is ignored. + uint8_t dummy_input[1] = {0}; + LLVMFuzzerTestOneInput(dummy_input, 1); + + int num_runs = 0; + while (__afl_persistent_loop(N)) { + if (__afl_fuzz_len > 0) { + num_runs++; + LLVMFuzzerTestOneInput(__afl_fuzz_ptr, __afl_fuzz_len); + } + } + Printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); +} -- cgit 1.4.1 From 996e1515b320fb2d44c367dea7b4d26f2d56f5df Mon Sep 17 00:00:00 2001 
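Review bot: `ExecuteFilesOnyByOne` never checks that `std::ifstream in(argv[i], std::ios::binary)` actually opened the file; on a missing or unreadable path `tellg()` returns -1, which the `size_t length` conversion turns into `SIZE_MAX` on typical implementations, so `std::vector bytes(length)` throws `bad_alloc` (or the later `assert(in)` fires) instead of reporting the real problem. Add `if (!in) { std::cerr << "Cannot open " << argv[i] << std::endl; return 1; }` right after the constructor, and keep the `tellg()` result in a `std::streamoff` that is checked for `< 0` before it is converted to `size_t`. In `dup_and_close_stderr`, the early `return` when `__sanitizer_set_report_fd` is absent means `AFL_DRIVER_CLOSE_FD_MASK=2` leaves stderr open for non-sanitizer builds, which contradicts the header comment ("If 2 close stderr") — this matches upstream afl_driver.cpp, but it deserves a comment such as `// Without a sanitizer there is no separate report fd, so stderr is left open on purpose.` `kMaxAflInputSize`/`AflInputBuf` are declared but never used, and the `exit(0)` after `return ExecuteFilesOnyByOne(argc, argv);` is unreachable; both should be removed. The banner also advertises `%s < INPUT_FILE`, but nothing in this file reads stdin — unless afl-llvm-rt fills `__afl_fuzz_ptr` from stdin when not under afl-fuzz, the persistent loop sees `__afl_fuzz_len == 0` and executes no input.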
From: van Hauser Date: Tue, 26 May 2020 13:19:57 +0200 Subject: better performance compilation options for afl++ and targets --- GNUmakefile | 8 ++++---- TODO.md | 1 + docs/Changelog.md | 1 + examples/aflpp_driver/GNUmakefile | 27 +++++++++++++++++++++++++++ examples/aflpp_driver/Makefile | 26 ++------------------------ llvm_mode/GNUmakefile | 12 +++++------- llvm_mode/Makefile | 2 +- llvm_mode/afl-clang-fast.c | 6 +++--- llvm_mode/afl-llvm-rt.o.c | 4 ++-- 9 files changed, 46 insertions(+), 41 deletions(-) create mode 100644 examples/aflpp_driver/GNUmakefile (limited to 'examples/aflpp_driver') diff --git a/GNUmakefile b/GNUmakefile index 0cb9ede8..14ecfaad 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -51,11 +51,11 @@ endif endif ifneq "$(shell uname)" "Darwin" - ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" - CFLAGS_OPT += -march=native - endif + #ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" + # CFLAGS_OPT += -march=native + #endif # OS X does not like _FORTIFY_SOURCE=2 -# CFLAGS_OPT += -D_FORTIFY_SOURCE=2 + CFLAGS_OPT += -D_FORTIFY_SOURCE=2 endif ifdef STATIC diff --git a/TODO.md b/TODO.md index 3ee8d091..b7d51369 100644 --- a/TODO.md +++ b/TODO.md @@ -9,6 +9,7 @@ - learn from honggfuzz - for persistent mode, have a functionality that transports the test case via shared memory (and the int write to the FD from afl-fuzz is the size) + - CPU affinity for many cores? ## Further down the road diff --git a/docs/Changelog.md b/docs/Changelog.md index 9d4d7815..5f404dba 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
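Review bot: `CFLAGS_OPT += -D_FORTIFY_SOURCE=2` is now added unconditionally on non-Darwin hosts, but several distribution toolchains (Debian/Ubuntu gcc, for example) already predefine `_FORTIFY_SOURCE`, which turns this into a macro-redefinition warning on every translation unit and a hard failure for anyone adding `-Werror`; glibc likewise emits a `#warning` when the macro is set without optimization. Spell it `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`, or guard it with the same `$(shell echo 'int main() ...' | $(CC) ... )` probe the file already uses a few lines up. The `-march=native` probe should be deleted rather than commented out; the Changelog entry in this commit already records the reason.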
@@ -32,6 +32,7 @@ sending a mail to . - fixed crash in compare-transform-pass when strcasecmp/strncasecmp was tried to be instrumented with LTO - fixed crash in cmplog with LTO + - slightly better performance compilation options for afl++ and targets - fixed afl-gcc/afl-as that could break on fast systems reusing pids in the same second - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile new file mode 100644 index 00000000..fca3fd2c --- /dev/null +++ b/examples/aflpp_driver/GNUmakefile @@ -0,0 +1,27 @@ +ifeq "" "$(LLVM_CONFIG)" + LLVM_CONFIG=llvm-config +endif + +LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) +ifneq "" "$(LLVM_BINDIR)" + LLVM_BINDIR := $(LLVM_BINDIR)/ +endif + +FLAGS=-O3 -funroll-loops + +all: libAFLDriver.a libAFLDriver2.a + +aflpp_driver.o: aflpp_driver.cpp + $(LLVM_BINDIR)clang++ $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp + +afl-llvm-rt.o: ../../llvm_mode/afl-llvm-rt.o.c + $(LLVM_BINDIR)clang $(FLAGS) -I../../include -c -o afl-llvm-rt.o ../../llvm_mode/afl-llvm-rt.o.c + +libAFLDriver.a: aflpp_driver.o + ar ru libAFLDriver.a aflpp_driver.o + +libAFLDriver2.a: aflpp_driver.o afl-llvm-rt.o + ar ru libAFLDriver2.a aflpp_driver.o afl-llvm-rt.o + +clean: + rm -f *.o libAFLDriver*.a *~ core diff --git a/examples/aflpp_driver/Makefile b/examples/aflpp_driver/Makefile index 6f7c7bc9..3666a74d 100644 --- a/examples/aflpp_driver/Makefile +++ b/examples/aflpp_driver/Makefile 
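Review bot: In the new `examples/aflpp_driver/GNUmakefile` the `aflpp_driver.o` rule passes `-funroll-loops` twice, once via `$(FLAGS)` and once literally; the literal copy should go: `$(LLVM_BINDIR)clang++ $(FLAGS) -stdlib=libc++ -std=c++11 -c aflpp_driver.cpp`. Hard-coding `-stdlib=libc++` is more than a style issue: the driver uses `std::ifstream`, `std::vector` and `std::cout`, so an archive built against libc++ will most likely fail to link into a target that is built against libstdc++ (the default on most Linux toolchains) — make it overridable, e.g. `CXXFLAGS ?= -stdlib=libc++` and use `$(CXXFLAGS)` in the rule. `all` and `clean` are not declared `.PHONY`, so a stray file named `clean` silences the target; add `.PHONY: all clean`.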
@@ -1,24 +1,2 @@ -ifeq "" "$(LLVM_CONFIG)" - LLVM_CONFIG=llvm-config -endif - -LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) -ifneq "" "$(LLVM_BINDIR)" - LLVM_BINDIR := $(LLVM_BINDIR)/ -endif - - - -all: libAFLDriver.a - -aflpp_driver.o: aflpp_driver.cpp - $(LLVM_BINDIR)clang++ -O3 -march=native -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp - -afl-llvm-rt.o: ../../llvm_mode/afl-llvm-rt.o.c - $(LLVM_BINDIR)clang++ -O3 -march=native -funroll-loops -stdlib=libc++ -std=c++11 -c aflpp_driver.cpp - -libAFLDriver.a: aflpp_driver.o afl-llvm-rt.o - ar ru libAFLDriver.a aflpp_driver.o - -clean: - rm -f *.o libAFLDriver.a *~ core +all: + @gmake all || echo please install GNUmake diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index a41dfbdf..50a6be2b 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -160,9 +160,9 @@ endif # After we set CC/CXX we can start makefile magic tests -ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" - CFLAGS_OPT = -march=native -endif +#ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" +# CFLAGS_OPT = -march=native +#endif ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" AFL_CLANG_FLTO ?= -flto=full @@ -196,8 +196,7 @@ ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`com endif endif -CFLAGS ?= -O3 -funroll-loops -# -D_FORTIFY_SOURCE=2 +CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 override CFLAGS += -Wall \ -g -Wno-pointer-sign -I ../include/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ 
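Review bot: The replacement `all:` rule `@gmake all || echo please install GNUmake` converts every build failure into exit status 0, because `echo` succeeds; a script or CI job driving `make` in this directory cannot distinguish a broken build from a missing gmake, and when gmake is present but the build fails the user is told to install it. Use `@gmake all || { echo "please install GNUmake"; exit 1; }` so the failure propagates, and consider testing for the binary separately (`command -v gmake`) so the message is only shown when gmake really is absent. The identical stub is introduced for `llvm_mode/Makefile` in this commit and has the same problem.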
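Review bot: Putting `-D_FORTIFY_SOURCE=2` into the `CFLAGS ?=` default means anyone who sets `CFLAGS` in the environment — the normal case for distro packaging and CI — silently loses the hardening together with `-O3`, while `-Wall -g -Wno-pointer-sign ...` survive because they sit on the `override CFLAGS +=` line. If fortify is meant to be unconditional, move it to the `override` line: `override CFLAGS += -Wall -D_FORTIFY_SOURCE=2 \`. Because many vendor compilers already predefine `_FORTIFY_SOURCE`, spell it `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` to avoid a redefinition warning on every file. The same applies to the `CXXFLAGS ?=` hunk that follows.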
@@ -210,8 +209,7 @@ ifdef AFL_TRACE_PC $(info Compile option AFL_TRACE_PC is deprecated, just set AFL_LLVM_INSTRUMENT=PCGUARD to activate when compiling targets ) endif -CXXFLAGS ?= -O3 -funroll-loops -# -D_FORTIFY_SOURCE=2 +CXXFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 override CXXFLAGS += -Wall -g -I ../include/ \ -DVERSION=\"$(VERSION)\" -Wno-variadic-macros diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile index 0b306dde..3666a74d 100644 --- a/llvm_mode/Makefile +++ b/llvm_mode/Makefile @@ -1,2 +1,2 @@ all: - @echo please use GNU make, thanks! + @gmake all || echo please install GNUmake diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index e8f20bb2..fb072651 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -335,7 +335,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { } - cc_params[cc_par_cnt++] = "-Qunused-arguments"; + //cc_params[cc_par_cnt++] = "-Qunused-arguments"; // in case LLVM is installed not via a package manager or "make install" // e.g. compiled download or compiled from github then it's ./lib directory @@ -440,8 +440,8 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[cc_par_cnt++] = "-g"; cc_params[cc_par_cnt++] = "-O3"; cc_params[cc_par_cnt++] = "-funroll-loops"; - if (strlen(march_opt) > 1 && march_opt[0] == '-') - cc_params[cc_par_cnt++] = march_opt; + //if (strlen(march_opt) > 1 && march_opt[0] == '-') + // cc_params[cc_par_cnt++] = march_opt; } diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index a461bc03..b151de8e 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
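Review bot: Commenting out `cc_params[cc_par_cnt++] = "-Qunused-arguments";` changes the behaviour of every target build, not just afl++'s own compilation: `edit_params` appends options to `cc_params` that clang does not consume in every invocation (the rest of the function lies outside this hunk), and without that flag clang reports `argument unused during compilation` for them, which will break targets that build with `-Werror`. If the goal is to see those warnings while tuning flags, gate the omission on an environment variable (for example only skip the flag when `AFL_DEBUG` is set) rather than dropping it for all users. In both afl-clang-fast.c hunks, delete the disabled lines instead of leaving commented-out code, and note that `march_opt` is now assigned but never read, which `-Wall` may report as an unused variable if it is a local.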
@@ -789,12 +789,12 @@ void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { u32 inst_ratio = 100; - u8 *x; + char *x; if (start == stop || *start) return; x = getenv("AFL_INST_RATIO"); - if (x) inst_ratio = atoi(x); + if (x) inst_ratio = (u32)atoi(x); if (!inst_ratio || inst_ratio > 100) { -- cgit 1.4.1 From 9dd0b7c6de72100ceaf99bba3b0705f952b36de0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 26 May 2020 15:57:15 +0200 Subject: make examples better --- examples/aflpp_driver/GNUmakefile | 8 +------- examples/persistent_demo/persistent_demo.c | 2 +- examples/persistent_demo/persistent_demo_new.c | 23 +---------------------- llvm_mode/README.persistent_mode.md | 3 +-- 4 files changed, 4 insertions(+), 32 deletions(-) (limited to 'examples/aflpp_driver') diff --git a/examples/aflpp_driver/GNUmakefile b/examples/aflpp_driver/GNUmakefile index fca3fd2c..a681d2cf 100644 --- a/examples/aflpp_driver/GNUmakefile +++ b/examples/aflpp_driver/GNUmakefile @@ -9,19 +9,13 @@ endif FLAGS=-O3 -funroll-loops -all: libAFLDriver.a libAFLDriver2.a +all: libAFLDriver.a aflpp_driver.o: aflpp_driver.cpp $(LLVM_BINDIR)clang++ $(FLAGS) -stdlib=libc++ -funroll-loops -std=c++11 -c aflpp_driver.cpp -afl-llvm-rt.o: ../../llvm_mode/afl-llvm-rt.o.c - $(LLVM_BINDIR)clang $(FLAGS) -I../../include -c -o afl-llvm-rt.o ../../llvm_mode/afl-llvm-rt.o.c - libAFLDriver.a: aflpp_driver.o ar ru libAFLDriver.a aflpp_driver.o -libAFLDriver2.a: aflpp_driver.o afl-llvm-rt.o - ar ru libAFLDriver2.a aflpp_driver.o afl-llvm-rt.o - clean: rm -f *.o libAFLDriver*.a *~ core diff --git a/examples/persistent_demo/persistent_demo.c b/examples/persistent_demo/persistent_demo.c index 41cd9e38..2da49bb0 100644 --- a/examples/persistent_demo/persistent_demo.c +++ b/examples/persistent_demo/persistent_demo.c 
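Review bot: `inst_ratio = (u32)atoi(x);` removes the sign-conversion warning but still accepts malformed `AFL_INST_RATIO` values: `atoi("50abc")` silently yields 50, and a negative value wraps to a large u32; the wrap and `atoi("abc") == 0` are caught by the `!inst_ratio || inst_ratio > 100` test that follows, but trailing garbage is not. Parse with `strtoul` and require the whole string to be consumed, e.g. `char *end; unsigned long v = strtoul(x, &end, 10); if (*end || v > 100) v = 0; inst_ratio = (u32)v;`, so the existing check rejects it the same way it rejects 0. The rest of `__sanitizer_cov_trace_pc_guard_init`, including what that check does on a bad value, lies outside the hunk.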
@@ -63,7 +63,7 @@ int main(int argc, char **argv) { We just have some trivial inline code that faults on 'foo!'. */ /* do we have enough data? */ - if (len < 8) return 0; + if (len < 8) continue; if (buf[0] == 'f') { diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index fffd40b6..36411e13 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -30,27 +30,6 @@ __AFL_FUZZ_INIT(); -unsigned int crc32_for_byte(unsigned int r) { - - for (int j = 0; j < 8; ++j) - r = (r & 1 ? 0 : (unsigned int)0xEDB88320L) ^ r >> 1; - return r ^ (unsigned int)0xFF000000L; - -} - -unsigned int crc32(unsigned char *data, unsigned int n_bytes) { - - static unsigned char table[0x100]; - unsigned int crc = 0; - if (!*table) - for (unsigned int i = 0; i < 0x100; ++i) - table[i] = crc32_for_byte(i); - for (unsigned int i = 0; i < n_bytes; ++i) - crc = table[(unsigned char)crc ^ (data)[i]] ^ crc >> 8; - return crc; - -} - /* Main entry point. */ int main(int argc, char **argv) { @@ -70,7 +49,7 @@ int main(int argc, char **argv) { len = __AFL_FUZZ_TESTCASE_LEN; /* do we have enough data? */ - if (len < 8) return 0; + if (len < 8) continue; if (buf[0] == 'f') { diff --git a/llvm_mode/README.persistent_mode.md b/llvm_mode/README.persistent_mode.md index b092de54..7aae8faa 100644 --- a/llvm_mode/README.persistent_mode.md +++ b/llvm_mode/README.persistent_mode.md @@ -32,8 +32,7 @@ main() { while (__AFL_LOOP(10000)) { int len = __AFL_FUZZ_TESTCASE_LEN; - - if (len < 8) return 0; // check for a required/useful minimum input length + if (len < 8) continue; // check for a required/useful minimum input length /* Setup function call, e.g. struct target *tmp = libtarget_init() */ /* Call function to be fuzzed, e.g.: */ -- cgit 1.4.1