From 172d384bf26b57beecbe084d19530ebc34a6e3fc Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Sat, 7 Mar 2020 12:11:06 +0100 Subject: custom havoc mutation --- include/afl-fuzz.h | 46 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 36 insertions(+), 10 deletions(-) (limited to 'include/afl-fuzz.h') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 37b6832c..1db44a79 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -480,18 +480,16 @@ struct custom_mutator { * * (Optional for now. Required in the future) * - * @param[in] buf Input data to be mutated + * @param[in] buf Pointer to input data to be mutated * @param[in] buf_size Size of input data * @param[in] add_buf Buffer containing the additional test case * @param[in] add_buf_size Size of the additional test case - * @param[out] mutated_out Buffer to store the mutated input * @param[in] max_size Maximum size of the mutated output. The mutation must not * produce data larger than max_size. * @return Size of the mutated output. */ - size_t (*afl_custom_fuzz)(u8* buf, size_t buf_size, - u8* add_buf, size_t add_buf_size, - u8* mutated_out, size_t max_size); + size_t (*afl_custom_fuzz)(u8** buf, size_t buf_size, u8* add_buf, + size_t add_buf_size, size_t max_size); /** * A post-processing function to use right before AFL writes the test case to 
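Review bot: The new `u8** buf` parameter of `afl_custom_fuzz` is still tagged `@param[in]`, yet the only reason to pass a double pointer is that the mutator may replace or reallocate `*buf`, and the hunk says nothing about who allocates that buffer or who frees the old one; a mutator that reallocs a buffer obtained from a different allocator than the caller expects corrupts the heap. Retag it `@param[in,out] buf Pointer to the input buffer; the mutator may reallocate *buf (using the allocator AFL expects) and must store the new pointer in *buf`, and state explicitly whether AFL or the mutator frees the previous buffer. The `@return` text should also say that a value larger than max_size is a contract violation, since the caller (outside this hunk) presumably has only the returned size to bound what it reads from `*buf`, so an over-long return becomes an out-of-bounds read. The enclosing struct custom_mutator begins and ends outside the hunk.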
@@ -561,6 +559,30 @@ struct custom_mutator { * steps returned in init_trim) */ u32 (*afl_custom_post_trim)(u8 success); + + /** + * Perform a single custom mutation on a given input. + * This mutation is stacked with the other muatations in havoc. + * + * (Optional) + * + * @param[in] buf Pointer to the input data to be mutated + * @param[in] buf_size Size of input data + * @param[in] max_size Maximum size of the mutated output. The mutation must not produce data larger than max_size. + * @return Size of the mutated output. + */ + size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size, size_t max_size); + + /** + * Return the probability (in percentage) that afl_custom_havoc_mutation + * is called in havoc. By default it is 6 %. + * + * (Optional) + * + * @return The probability (0-100). + */ + u8 (*afl_custom_havoc_mutation_probability)(void); + }; extern struct custom_mutator* mutator; @@ -610,6 +632,8 @@ enum { /* 03 */ PY_FUNC_INIT_TRIM, /* 04 */ PY_FUNC_POST_TRIM, /* 05 */ PY_FUNC_TRIM, + /* 06 */ PY_FUNC_HAVOC_MUTATION, + /* 07 */ PY_FUNC_HAVOC_MUTATION_PROBABILITY, PY_FUNC_COUNT }; @@ -629,17 +653,19 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf); /* Python */ #ifdef USE_PYTHON + int init_py_module(u8*); void finalize_py_module(); -void init_py(unsigned int seed); -size_t fuzz_py(u8* buf, size_t buf_size, - u8* add_buf, size_t add_buf_size, - u8* mutated_out, size_t max_size); -size_t pre_save_py(u8* data, size_t size, u8** new_data); +void init_py(unsigned int); +size_t fuzz_py(u8**, size_t, u8*, size_t, size_t); +size_t pre_save_py(u8*, size_t, u8**); u32 init_trim_py(u8*, size_t); u32 post_trim_py(u8); void trim_py(u8**, size_t*); +size_t havoc_mutation_py(u8**, size_t, size_t); +u8 havoc_mutation_probability_py(void); + #endif /* Queue */ -- cgit 1.4.1 From ed5d65b54f07570c82f6704fdca403b776ff7be2 Mon Sep 17 00:00:00 2001 
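Review bot: `afl_custom_havoc_mutation` has the same `u8** buf` shape as `afl_custom_fuzz` but its doc tags the buffer `@param[in]` and says nothing about reallocation or ownership, and its second line has a typo (`muatations`). Retag it `@param[in,out] buf Pointer to the input buffer; the mutator may reallocate *buf and must store the new pointer there`, and add to `@return` that the value must not exceed max_size because the havoc loop (outside this hunk) will presumably trust it as the new length of `*buf`. For `afl_custom_havoc_mutation_probability` the doc promises a 0-100 value but nothing in the header bounds a return above 100; document what the caller does with such a value (clamp or treat as "always"), or state `@return The probability (0-100); returning a value above 100 is a contract violation`. The enclosing struct custom_mutator begins outside the hunk.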
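Review bot: The rewritten Python prototypes drop their parameter names (`size_t fuzz_py(u8**, size_t, u8*, size_t, size_t);`, `size_t havoc_mutation_py(u8**, size_t, size_t);`, `void init_py(unsigned int);`), so a reader of the header can no longer tell the `size_t` arguments apart or see which one is the output bound; the previous `fuzz_py` prototype did name them. Keep the names, as the neighbouring `trim_case_custom` prototype does: `size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size, size_t max_size);` and `size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size);`. Names in prototypes cost nothing and are the only place this header documents these internal functions.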
From: Andrea Fioraldi Date: Sat, 7 Mar 2020 14:26:33 +0100 Subject: solve linking error when python is not available --- include/afl-fuzz.h | 2 -- src/afl-fuzz-mutators.c | 7 +++++++ 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'include/afl-fuzz.h') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1db44a79..57639411 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -647,8 +647,6 @@ extern PyObject* py_functions[PY_FUNC_COUNT]; /* Custom mutators */ void setup_custom_mutator(void); void destroy_custom_mutator(void); -void load_custom_mutator(const char*); -void load_custom_mutator_py(const char*); u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf); /* Python */ diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 5bf257fb..76ce2c96 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -25,6 +25,11 @@ #include "afl-fuzz.h" +void load_custom_mutator(const char*); +#ifdef USE_PYTHON +void load_custom_mutator_py(const char*); +#endif + void setup_custom_mutator(void) { /* Try mutator library first */ @@ -286,6 +291,7 @@ abort_trimming: } +#ifdef USE_PYTHON void load_custom_mutator_py(const char* module_name) { mutator = ck_alloc(sizeof(struct custom_mutator)); @@ -325,3 +331,4 @@ void load_custom_mutator_py(const char* module_name) { mutator->afl_custom_init(UR(0xFFFFFFFF)); } +#endif -- cgit 1.4.1
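Review bot: The two prototypes added above `setup_custom_mutator` in afl-fuzz-mutators.c give `load_custom_mutator` and `load_custom_mutator_py` external linkage even though the same commit removes their declarations from afl-fuzz.h, so they still export global symbols and another translation unit could only reach them through an implicit declaration, which this change would not catch. Declare them `static` (`static void load_custom_mutator(const char*);` and, inside the `#ifdef USE_PYTHON`, `static void load_custom_mutator_py(const char*);`) and add `static` to the two definitions as well, which are outside this hunk, so any remaining external caller fails to compile instead of silently linking. `setup_custom_mutator`'s body continues past the end of the hunk.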