From 38e5c32a55086d36c8b9ee38e4b20c15517fc4b2 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 11:02:34 +0200 Subject: corrected read_timed for values > 4 --- include/common.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include') diff --git a/include/common.h b/include/common.h index 4aed9572..7b7bf02d 100644 --- a/include/common.h +++ b/include/common.h @@ -107,6 +107,9 @@ u8 *u_stringify_mem_size(u8 *buf, u64 val); u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); +/* Sets a filedescriptor to non-blocking mode (for read_timed) */ +void set_nonblocking(int fd); + /* Wrapper for select() and read(), reading exactly len bytes. Returns the time passed to read. stop_soon should point to a variable indicating ctrl+c was pressed. -- cgit v1.2.3 From 95b46b427887db655b3f2b9a04dae1924e665d27 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 13:53:00 +0200 Subject: reverted extendended read_timed --- include/common.h | 3 --- 1 file changed, 3 deletions(-) (limited to 'include') diff --git a/include/common.h b/include/common.h index 7b7bf02d..4aed9572 100644 --- a/include/common.h +++ b/include/common.h @@ -107,9 +107,6 @@ u8 *u_stringify_mem_size(u8 *buf, u64 val); u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); -/* Sets a filedescriptor to non-blocking mode (for read_timed) */ -void set_nonblocking(int fd); - /* Wrapper for select() and read(), reading exactly len bytes. Returns the time passed to read. stop_soon should point to a variable indicating ctrl+c was pressed. -- cgit v1.2.3 From c0ed118ba553846fb80cfed5c02d66e5435b94c5 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 30 May 2020 20:38:01 +0200 Subject: comment --- include/common.h | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) (limited to 'include') diff --git a/include/common.h b/include/common.h index 4aed9572..87a7425b 100644 --- a/include/common.h +++ b/include/common.h 
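Review bot: `void set_nonblocking(int fd);` gives the caller no way to learn that the underlying fcntl() failed, and the comment says read_timed depends on the descriptor being non-blocking, so a silent failure would presumably turn its bounded wait back into an indefinite block (the implementation is not in this hunk, so this is inferred from the prototype alone). Consider `int set_nonblocking(int fd); /* returns 0, or -1 with errno set, if fcntl() fails */` so read_timed can surface the failure through its existing "returns 0 on error" contract, or state in the comment that failure is fatal. Also "filedescriptor" should read "file descriptor".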
@@ -107,14 +107,7 @@ u8 *u_stringify_mem_size(u8 *buf, u64 val); u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); -/* Wrapper for select() and read(), reading exactly len bytes. - Returns the time passed to read. - stop_soon should point to a variable indicating ctrl+c was pressed. - If the wait times out, returns timeout_ms + 1; - Returns 0 if an error occurred (fd closed, signal, ...); */ -u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, - volatile u8 *stop_soon_p); - +/* Reads the map size from ENV */ u32 get_map_size(void); #endif -- cgit v1.2.3 From ee14785f687d1fc99a16c4143a1fec0eba13afed Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sun, 31 May 2020 04:13:41 +0200 Subject: starting shmap support for unicorn --- include/afl-fuzz.h | 6 +++++- include/forkserver.h | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 32ae2a58..bb0bbfe2 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -444,7 +444,8 @@ typedef struct afl_state { deferred_mode, /* Deferred forkserver mode? */ fixed_seed, /* do not reseed */ fast_cal, /* Try to calibrate faster? */ - disable_trim; /* Never trim in fuzz_one */ + disable_trim, /* Never trim in fuzz_one */ + shmem_testcase_mode; /* If sharedmem testcases are used */ u8 *virgin_bits, /* Regions yet untouched by fuzzing */ *virgin_tmout, /* Bits we haven't seen in tmouts */ @@ -806,6 +807,9 @@ void afl_states_clear_screen(void); /* Sets the skip flag on all states */ void afl_states_request_skip(void); +/* Setup shmem for testcase delivery */ +void setup_testcase_shmem(afl_state_t *afl); + void read_afl_environment(afl_state_t *, char **); /**** Prototypes ****/ diff --git a/include/forkserver.h b/include/forkserver.h index 00555d7e..840ab509 100644 --- a/include/forkserver.h +++ b/include/forkserver.h 
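Review bot: The new comment `/* Reads the map size from ENV */` on `u32 get_map_size(void);` does not say which variable is read, what is returned when it is unset, or whether an out-of-range value is rejected; since this size presumably drives the shared-memory map allocation, an unchecked environment value is exactly the input a caller needs to know about. Suggested wording, adjusted to what the implementation actually does: `/* Returns the coverage map size from the environment (presumably AFL_MAP_SIZE), or the built-in default when unset; the value is range-checked before use. */` — drop the last clause if no such check exists.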
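Review bot: `void setup_testcase_shmem(afl_state_t *afl);` at @@ -806 carries only `/* Setup shmem for testcase delivery */`, which does not say how a failed shared-memory setup is reported (void return, so presumably it either aborts or leaves the state untouched) nor whether it is the routine that sets the `shmem_testcase_mode` flag added at @@ -444 in the same file. Suggested comment, to be adjusted to the real behaviour, which is not visible here: `/* Allocates the shared memory used to hand test cases to the target and sets shmem_testcase_mode on success; failure is fatal (does not return). */`. Both additions sit inside declarations that start outside the hunk (the afl_state struct and the prototype list).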
@@ -81,9 +81,9 @@ typedef struct afl_forkserver { u8 qemu_mode; /* if running in qemu mode or not */ - u32 shdmem_fuzz_len; /* length of the fuzzing test case */ + u32 shmem_fuzz_len; /* length of the fuzzing test case */ - u8 *shdmem_fuzz; /* allocated memory for fuzzing */ + u8 *shmem_fuzz; /* allocated memory for fuzzing */ char *cmplog_binary; /* the name of the cmplog binary */ -- cgit v1.2.3 From 83112ed5e0da90634d73a5111892e713cc19733d Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 2 Jun 2020 14:54:24 +0200 Subject: got rid of questionable phrasing --- include/afl-fuzz.h | 10 +++++----- include/sharedmem.h | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index bb0bbfe2..3b5cc0e2 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -408,8 +408,8 @@ typedef struct afl_state { debug, /* Debug mode */ custom_only, /* Custom mutator only mode */ python_only, /* Python-only mode */ - is_master, /* if this is a master */ - is_slave; /* if this is a slave */ + is_main_node, /* if this is the main node */ + is_secondary_node; /* if this is a secondary instance */ u32 stats_update_freq; /* Stats update frequency (execs) */ @@ -421,7 +421,7 @@ typedef struct afl_state { u8 skip_deterministic, /* Skip deterministic stages? */ use_splicing, /* Recombine input files? */ - dumb_mode, /* Run in non-instrumented mode? */ + non_instrumented_mode, /* Run in non-instrumented mode? */ score_changed, /* Scoring for favorites changed? */ resuming_fuzz, /* Resuming an older fuzzing job? */ timeout_given, /* Specific timeout given? */ @@ -503,7 +503,7 @@ typedef struct afl_state { s32 stage_cur, stage_max; /* Stage progression */ s32 splicing_with; /* Splicing with which test case? */ - u32 master_id, master_max; /* Master instance job splitting */ + u32 main_node_id, main_node_max; /* Main instance job splitting */ u32 syncing_case; /* Syncing with case #... */ 
@@ -916,7 +916,7 @@ u32 find_start_position(afl_state_t *); void find_timeout(afl_state_t *); double get_runnable_processes(void); void nuke_resume_dir(afl_state_t *); -int check_master_exists(afl_state_t *); +int check_main_node_exists(afl_state_t *); void setup_dirs_fds(afl_state_t *); void setup_cmdline_file(afl_state_t *, char **); void setup_stdio_file(afl_state_t *); diff --git a/include/sharedmem.h b/include/sharedmem.h index 066a9904..a77ab7c0 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -53,7 +53,7 @@ typedef struct sharedmem { } sharedmem_t; -u8 * afl_shm_init(sharedmem_t *, size_t, unsigned char dumb_mode); +u8 * afl_shm_init(sharedmem_t *, size_t, unsigned char non_instrumented_mode); void afl_shm_deinit(sharedmem_t *); #endif -- cgit v1.2.3 From dd0ca7335ff93090def7be7fd0b46e9f71375004 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 3 Jun 2020 15:49:23 +0200 Subject: switch shmem_len to the map --- include/forkserver.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/forkserver.h b/include/forkserver.h index 840ab509..fa132837 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -75,13 +75,13 @@ typedef struct afl_forkserver { u8 use_shdmen_fuzz; /* use shared mem for test cases */ - u8 support_shdmen_fuzz; /* set by afl-fuzz */ + u8 support_shmem_fuzz; /* set by afl-fuzz */ u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ u8 qemu_mode; /* if running in qemu mode or not */ - u32 shmem_fuzz_len; /* length of the fuzzing test case */ + u32 *shmem_fuzz_len; /* length of the fuzzing test case */ u8 *shmem_fuzz; /* allocated memory for fuzzing */ -- cgit v1.2.3 From a9348e0acc1ea7de31858e2832f0a4abccf20599 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 4 Jun 2020 16:31:53 +0200 Subject: fix cmplog for shmem persistent mode --- include/forkserver.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') 
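Review bot: `u32 *shmem_fuzz_len;` changes the member from a value to a pointer, but the comment `/* length of the fuzzing test case */` still describes the old value, so a reader cannot tell what it points at or who owns that memory. The subject says the length now lives in the shared map; if that map is writable by the target process (as shared memory between fuzzer and target usually is), then `*shmem_fuzz_len` is target-influenced data and every reader should clamp it to the size allocated for `shmem_fuzz` before copying. Suggested comment: `u32 *shmem_fuzz_len; /* -> test case length stored in the shared map; target-writable, so bound it by the shmem_fuzz allocation before use */`. The enclosing afl_forkserver struct starts outside the hunk.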
diff --git a/include/forkserver.h b/include/forkserver.h index fa132837..87a59eaa 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -73,7 +73,7 @@ typedef struct afl_forkserver { u8 last_kill_signal; /* Signal that killed the child */ - u8 use_shdmen_fuzz; /* use shared mem for test cases */ + u8 use_shmem_fuzz; /* use shared mem for test cases */ u8 support_shmem_fuzz; /* set by afl-fuzz */ -- cgit v1.2.3 From 73334207ce3d898f8c38b2998c832161c5660c17 Mon Sep 17 00:00:00 2001 From: Kyle ZENG Date: Sun, 7 Jun 2020 15:14:25 -0700 Subject: fix a fundamental bug: favor random branch randomly --- include/afl-as.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/afl-as.h b/include/afl-as.h index e90289d4..3c12c68f 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -192,7 +192,7 @@ static const u8 *main_payload_32 = #ifdef SKIP_COUNTS " orb $1, (%edx, %edi, 1)\n" #else - " incb (%edx, %edi, 1)\n" + " addb $1, (%edx, %edi, 1)\n" " adcb $0, (%edx, %edi, 1)\n" // never zero counter implementation. slightly better path discovery and little performance impact #endif /* ^SKIP_COUNTS */ "\n" @@ -447,7 +447,7 @@ static const u8 *main_payload_64 = #ifdef SKIP_COUNTS " orb $1, (%rdx, %rcx, 1)\n" #else - " incb (%rdx, %rcx, 1)\n" + " addb $1, (%rdx, %rcx, 1)\n" " adcb $0, (%rdx, %rcx, 1)\n" // never zero counter implementation. slightly better path discovery and little performance impact #endif /* ^SKIP_COUNTS */ "\n" -- cgit v1.2.3
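Review bot: The switch from `incb` to `addb $1` at @@ -192 (main_payload_32) and @@ -447 (main_payload_64) is correct but unexplained in the code: on x86, inc leaves CF unchanged while add sets it, so with incb the following `adcb $0` could never observe the wrap from 255 to 0 and the "never zero" counter was not actually never-zero. The commit subject does not convey this, so the reason belongs next to the instruction; suggested comment on the addb line in both payloads, matching the existing `//` style on the adcb line: `// addb, not incb: inc does not set CF, so the adcb below would never see the wrap`. Both string constants begin outside their hunks.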