From 51a346bcbeb66d159b01c6fd37616824c32ee569 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 19 Mar 2020 19:22:57 +0100 Subject: 50% less globals --- include/afl-as.h | 4 ++-- include/afl-fuzz.h | 21 +++++++++++++++++++-- include/forkserver.h | 2 ++ 3 files changed, 23 insertions(+), 4 deletions(-) (limited to 'include') diff --git a/include/afl-as.h b/include/afl-as.h index 7fc00ffe..a2bf1f9c 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -152,7 +152,7 @@ static const u8 *trampoline_fmt_64 = "/* --- END --- */\n" "\n"; -static const u8*main_payload_32 = +static const u8 *main_payload_32 = "\n" "/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n" @@ -409,7 +409,7 @@ static const u8*main_payload_32 = #define CALL_L64(str) "call " str "@PLT\n" #endif /* ^__APPLE__ */ -static const u8* main_payload_64 = +static const u8 *main_payload_64 = "\n" "/* --- AFL MAIN PAYLOAD (64-BIT) --- */\n" diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 620f5062..913b08e6 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -109,6 +109,8 @@ #define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ +#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state */ + extern s8 interesting_8[INTERESTING_8_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; extern s32 @@ -479,7 +481,7 @@ typedef struct afl_state { *stage_short, /* Short stage name */ *syncing_party; /* Currently syncing with... */ - u8 stage_name_buf64[64]; /* A name buf with len 64 if needed */ + u8 stage_name_buf[STAGE_BUF_SIZE]; /* reused stagename buf with len 64 */ s32 stage_cur, stage_max; /* Stage progression */ s32 splicing_with; /* Splicing with which test case? */ @@ -540,6 +542,7 @@ typedef struct afl_state { /* cmplog forkserver ids */ s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; + u32 cmplog_prev_timed_out; u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ @@ -555,6 +558,20 @@ typedef struct afl_state { u32 document_counter; #endif + /* statis file */ + double last_bitmap_cvg, last_stability, last_eps; + + /* plot file saves from last run */ + u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md; + u64 plot_prev_qc, plot_prev_uc, plot_prev_uh; + + u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; + double stats_avg_exec; + + u8 clean_trace[MAP_SIZE]; + u8 clean_trace_custom[MAP_SIZE]; + u8 first_trace[MAP_SIZE]; + } afl_state_t; /* A global pointer to all instances is needed (for now) for signals to arrive @@ -786,7 +803,7 @@ u8 has_new_bits(afl_state_t *, u8 *); u8 *DI(u64); u8 *DF(double); u8 *DMS(u64); -u8 *DTD(u64, u64); +void DTD(u8 *, size_t, u64, u64); /* Extras */ diff --git a/include/forkserver.h b/include/forkserver.h index 9802b216..acdd6b2b 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -62,6 +62,8 @@ typedef struct afl_forkserver { u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ + u32 prev_timed_out; /* if prev forkserver run timed out */ + } afl_forkserver_t; void handle_timeout(int sig); -- cgit v1.2.3 From b6fa63abdfb62fba1a00d9b5401ee69cf1bced1a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 19 Mar 2020 19:23:58 +0100 Subject: code format --- include/afl-fuzz.h | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 913b08e6..28156268 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -109,7 +109,8 @@ #define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ -#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state */ +#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state \ + */ extern s8 interesting_8[INTERESTING_8_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; @@ -542,7 +543,7 @@ typedef struct afl_state { /* cmplog forkserver ids */ s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; - u32 cmplog_prev_timed_out; + u32 cmplog_prev_timed_out; u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ @@ -559,13 +560,13 @@ typedef struct afl_state { #endif /* statis file */ - double last_bitmap_cvg, last_stability, last_eps; + double last_bitmap_cvg, last_stability, last_eps; /* plot file saves from last run */ u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md; u64 plot_prev_qc, plot_prev_uc, plot_prev_uh; - u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; + u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; double stats_avg_exec; u8 clean_trace[MAP_SIZE]; @@ -800,9 +801,9 @@ u8 has_new_bits(afl_state_t *, u8 *); /* Misc */ -u8 *DI(u64); -u8 *DF(double); -u8 *DMS(u64); +u8 * DI(u64); +u8 * DF(double); +u8 * DMS(u64); void DTD(u8 *, size_t, u64, u64); /* Extras */ -- cgit v1.2.3 From 0fa47bb867bea6585abdeee0830acbf5b39db690 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 19 Mar 2020 21:33:17 +0100 Subject: removed unneeded func --- include/forkserver.h | 1 - 1 file changed, 1 deletion(-) (limited to 'include') diff --git a/include/forkserver.h b/include/forkserver.h index acdd6b2b..5d1bd2cf 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -66,7 +66,6 @@ typedef struct afl_forkserver { } afl_forkserver_t; -void handle_timeout(int sig); void afl_fsrv_init(afl_forkserver_t *fsrv); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv); void afl_fsrv_deinit(afl_forkserver_t *fsrv); -- cgit v1.2.3 From 5b9d306cdfac1cb2a32373a0d4028abffb7ce979 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 19 Mar 2020 22:54:09 +0100 Subject: no more (?) statics --- include/afl-fuzz.h | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 28156268..1a798239 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -109,8 +109,9 @@ #define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ -#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state \ - */ +#define STAGE_BUF_SIZE \ + (64) /* usable size of the stage name buf in afl_state \ + */ extern s8 interesting_8[INTERESTING_8_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; @@ -801,10 +802,10 @@ u8 has_new_bits(afl_state_t *, u8 *); /* Misc */ -u8 * DI(u64); -u8 * DF(double); -u8 * DMS(u64); -void DTD(u8 *, size_t, u64, u64); +u8 *DI(u8 *, size_t, u64); +u8 *DF(u8 *, size_t, double); +u8 *DMS(u8 *, size_t, u64); +u8 *DTD(u8 *, size_t, u64, u64); /* Extras */ -- cgit v1.2.3 From 29853549c3c12b4ebd4c2af4f0d728a13f30a727 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 20 Mar 2020 08:54:09 +0100 Subject: add RARE schedule. also fixes doc_path --- include/afl-fuzz.h | 1 + include/android-ashmem.h | 0 2 files changed, 1 insertion(+) mode change 100755 => 100644 include/android-ashmem.h (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1a798239..1d83f335 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -235,6 +235,7 @@ enum { /* 04 */ QUAD, /* Quadratic schedule */ /* 05 */ EXPLOIT, /* AFL's exploitation-based const. */ /* 06 */ MMOPT, /* Modified MOPT schedule */ + /* 07 */ RARE, /* Rare edges */ POWER_SCHEDULES_NUM diff --git a/include/android-ashmem.h b/include/android-ashmem.h old mode 100755 new mode 100644 -- cgit v1.2.3 From c6db05c5ae11e2a33df8aa450d6ccac7d6109a02 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 21 Mar 2020 21:10:38 +0100 Subject: test.sh with -no-pie --- include/afl-fuzz.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1d83f335..ef68ba5d 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -118,6 +118,9 @@ extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; extern s32 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; +extern u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt; + + struct queue_entry { u8 *fname; /* File name for the test case */ -- cgit v1.2.3 From 54d01fec43c8b649fdc04350262d5982f1e4ae85 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 21 Mar 2020 21:43:58 +0100 Subject: moved string formatting to header --- include/afl-fuzz.h | 7 --- include/common.h | 167 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 167 insertions(+), 7 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index ef68ba5d..643d58bd 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -804,13 +804,6 @@ u8 *describe_op(afl_state_t *, u8); u8 save_if_interesting(afl_state_t *, void *, u32, u8); u8 has_new_bits(afl_state_t *, u8 *); -/* Misc */ - -u8 *DI(u8 *, size_t, u64); -u8 *DF(u8 *, size_t, double); -u8 *DMS(u8 *, size_t, u64); -u8 *DTD(u8 *, size_t, u64, u64); - /* Extras */ void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32); diff --git a/include/common.h b/include/common.h index 28c11049..11ae1e66 100644 --- a/include/common.h +++ b/include/common.h @@ -27,10 +27,16 @@ #ifndef __AFLCOMMON_H #define __AFLCOMMON_H +#include +#include #include #include "types.h" #include "stdbool.h" +/* STRINGIFY_VAL_SIZE_MAX will fit all stringify_ strings. */ + +#define STRINGIFY_VAL_SIZE_MAX (16) + void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin); void check_environment_vars(char **env); @@ -67,5 +73,166 @@ static u64 get_cur_time_us(void) { } +/* Describe integer. The buf should be + at least 6 bytes to fit all ints we randomly see. + Will return buf for convenience. */ + +static u8 *stringify_int(u8 *buf, size_t len, u64 val) { + +#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ + do { \ + \ + if (val < (_divisor) * (_limit_mult)) { \ + \ + snprintf(buf, len, _fmt, ((_cast)val) / (_divisor)); \ + return buf; \ + \ + } \ + \ + } while (0) + + /* 0-9999 */ + CHK_FORMAT(1, 10000, "%llu", u64); + + /* 10.0k - 99.9k */ + CHK_FORMAT(1000, 99.95, "%0.01fk", double); + + /* 100k - 999k */ + CHK_FORMAT(1000, 1000, "%lluk", u64); + + /* 1.00M - 9.99M */ + CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); + + /* 10.0M - 99.9M */ + CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); + + /* 100M - 999M */ + CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); + + /* 1.00G - 9.99G */ + CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); + + /* 10.0G - 99.9G */ + CHK_FORMAT(1000LL * 1000 * 1000, 99.95, "%0.01fG", double); + + /* 100G - 999G */ + CHK_FORMAT(1000LL * 1000 * 1000, 1000, "%lluG", u64); + + /* 1.00T - 9.99G */ + CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 9.995, "%0.02fT", double); + + /* 10.0T - 99.9T */ + CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 99.95, "%0.01fT", double); + + /* 100T+ */ + strncpy(buf, "infty", len); + buf[len - 1] = '\0'; + + return buf; + +} + +/* Describe float. Similar as int. */ + +static u8 *stringify_float(u8 *buf, size_t len, double val) { + + if (val < 99.995) { + + snprintf(buf, len, "%0.02f", val); + + } else if (val < 999.95) { + + snprintf(buf, len, "%0.01f", val); + + } else { + + stringify_int(buf, len, (u64)val); + + } + + return buf; + +} + +/* Describe integer as memory size. */ + +static u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { + + /* 0-9999 */ + CHK_FORMAT(1, 10000, "%llu B", u64); + + /* 10.0k - 99.9k */ + CHK_FORMAT(1024, 99.95, "%0.01f kB", double); + + /* 100k - 999k */ + CHK_FORMAT(1024, 1000, "%llu kB", u64); + + /* 1.00M - 9.99M */ + CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); + + /* 10.0M - 99.9M */ + CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); + + /* 100M - 999M */ + CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); + + /* 1.00G - 9.99G */ + CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); + + /* 10.0G - 99.9G */ + CHK_FORMAT(1024LL * 1024 * 1024, 99.95, "%0.01f GB", double); + + /* 100G - 999G */ + CHK_FORMAT(1024LL * 1024 * 1024, 1000, "%llu GB", u64); + + /* 1.00T - 9.99G */ + CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 9.995, "%0.02f TB", double); + + /* 10.0T - 99.9T */ + CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 99.95, "%0.01f TB", double); + +#undef CHK_FORMAT + + /* 100T+ */ + strncpy(buf, "infty", len - 1); + buf[len - 1] = '\0'; + + return buf; + +} + +/* Describe time delta as string. + Returns a pointer to buf for convenience. */ + +static u8 *stringify_time_diff(u8 *buf, size_t len, u64 cur_ms, + u64 event_ms) { + + u64 delta; + s32 t_d, t_h, t_m, t_s; + u8 val_buf[STRINGIFY_VAL_SIZE_MAX]; + + if (!event_ms) { + + snprintf(buf, len, "none seen yet"); + + } else { + + delta = cur_ms - event_ms; + + t_d = delta / 1000 / 60 / 60 / 24; + t_h = (delta / 1000 / 60 / 60) % 24; + t_m = (delta / 1000 / 60) % 60; + t_s = (delta / 1000) % 60; + + stringify_int(val_buf, sizeof(val_buf), t_d); + snprintf(buf, len, "%s days, %d hrs, %d min, %d sec", val_buf, t_h, t_m, + t_s); + + } + + return buf; + +} + #endif -- cgit v1.2.3 From 5cf342683414616d4cecc55155226cf77cb2e20f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 21 Mar 2020 22:17:57 +0100 Subject: remove debug code --- include/afl-fuzz.h | 3 --- 1 file changed, 3 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 643d58bd..fce03d04 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -118,9 +118,6 @@ extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; extern s32 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN]; -extern u32 bmcnt, initcnt, one1cnt, one2cnt, runcnt; - - struct queue_entry { u8 *fname; /* File name for the test case */ -- cgit v1.2.3 From f08a3fedf684a52b7999b1305248812a21927b99 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 21 Mar 2020 22:26:13 +0100 Subject: renamed UB to rand_below --- include/afl-fuzz.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index fce03d04..5e6b3d9e 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -875,7 +875,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, /* Generate a random number (from 0 to limit - 1). This may have slight bias. */ -static inline u32 UR(afl_state_t *afl, u32 limit) { +static inline u32 rand_below(afl_state_t *afl, u32 limit) { #ifdef HAVE_ARC4RANDOM if (afl->fixed_seed) { return random() % limit; } -- cgit v1.2.3 From 5a0cc43ee142842d845a0281fa8f5d0d0721a8ba Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 22 Mar 2020 09:26:46 +0100 Subject: all afl msgs to stdout and only read AFL_BENCH_JUST_ONE once --- include/debug.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'include') diff --git a/include/debug.h b/include/debug.h index b3865c19..6ced60b1 100644 --- a/include/debug.h +++ b/include/debug.h @@ -32,6 +32,10 @@ * Terminal colors * *******************/ +#ifndev MESSAGES_TO_STDOUT +#define MESSAGES_TO_STDOUT +#endif + #ifdef USE_COLOR #define cBLK "\x1b[0;30m" -- cgit v1.2.3 From 7374af51d1b42a866d954226bf0acf9c9a01e650 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 22 Mar 2020 10:07:59 +0100 Subject: silly, silly typo --- include/debug.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/debug.h b/include/debug.h index 6ced60b1..ff2845f9 100644 --- a/include/debug.h +++ b/include/debug.h @@ -32,7 +32,7 @@ * Terminal colors * *******************/ -#ifndev MESSAGES_TO_STDOUT +#ifndef MESSAGES_TO_STDOUT #define MESSAGES_TO_STDOUT #endif -- cgit v1.2.3 From d39e9ea11c75012023a32bef813de837f4aa7325 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 22 Mar 2020 19:06:39 +0100 Subject: little performance enhancements --- include/common.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/common.h b/include/common.h index 11ae1e66..1bfafc8b 100644 --- a/include/common.h +++ b/include/common.h @@ -78,7 +78,7 @@ static u64 get_cur_time_us(void) { Will return buf for convenience. */ static u8 *stringify_int(u8 *buf, size_t len, u64 val) { - +\ #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ do { \ \ @@ -204,8 +204,7 @@ static u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { /* Describe time delta as string. Returns a pointer to buf for convenience. */ -static u8 *stringify_time_diff(u8 *buf, size_t len, u64 cur_ms, - u64 event_ms) { +static u8 *stringify_time_diff(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { u64 delta; s32 t_d, t_h, t_m, t_s; -- cgit v1.2.3 From cbde30e9d46a0fdd5fc53d46c31c76ca2c715520 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 23 Mar 2020 00:14:03 +0100 Subject: less branches, cleanup --- include/afl-fuzz.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 5e6b3d9e..1a621625 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -109,9 +109,7 @@ #define CASE_PREFIX "id_" #endif /* ^!SIMPLE_FILES */ -#define STAGE_BUF_SIZE \ - (64) /* usable size of the stage name buf in afl_state \ - */ +#define STAGE_BUF_SIZE (64) /* usable size for stage name buf in afl_state */ extern s8 interesting_8[INTERESTING_8_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; -- cgit v1.2.3 From 83f925ccc9c871998f9d7a905387fd83f8e3f4af Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 23 Mar 2020 15:02:26 +0100 Subject: unsafer --- include/common.h | 160 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 159 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/common.h b/include/common.h index 1bfafc8b..97076004 100644 --- a/include/common.h +++ b/include/common.h @@ -78,7 +78,7 @@ static u64 get_cur_time_us(void) { Will return buf for convenience. */ static u8 *stringify_int(u8 *buf, size_t len, u64 val) { -\ + #define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ do { \ \ @@ -233,5 +233,163 @@ static u8 *stringify_time_diff(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { } + +/* Unsafe Describe integer. The buf sizes are not checked. + This is unsafe but fast. + Will return buf for convenience. */ + +static u8 *u_stringify_int(u8 *buf, u64 val) { + +#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) \ + do { \ + \ + if (val < (_divisor) * (_limit_mult)) { \ + \ + sprintf(buf, _fmt, ((_cast)val) / (_divisor)); \ + return buf; \ + \ + } \ + \ + } while (0) + + /* 0-9999 */ + CHK_FORMAT(1, 10000, "%llu", u64); + + /* 10.0k - 99.9k */ + CHK_FORMAT(1000, 99.95, "%0.01fk", double); + + /* 100k - 999k */ + CHK_FORMAT(1000, 1000, "%lluk", u64); + + /* 1.00M - 9.99M */ + CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); + + /* 10.0M - 99.9M */ + CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); + + /* 100M - 999M */ + CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); + + /* 1.00G - 9.99G */ + CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); + + /* 10.0G - 99.9G */ + CHK_FORMAT(1000LL * 1000 * 1000, 99.95, "%0.01fG", double); + + /* 100G - 999G */ + CHK_FORMAT(1000LL * 1000 * 1000, 1000, "%lluG", u64); + + /* 1.00T - 9.99G */ + CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 9.995, "%0.02fT", double); + + /* 10.0T - 99.9T */ + CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 99.95, "%0.01fT", double); + + /* 100T+ */ + strcpy(buf, "infty"); + + return buf; + +} + +/* Unsafe describe float. Similar as unsafe int. */ + +static u8 *u_stringify_float(u8 *buf, double val) { + + if (val < 99.995) { + + sprintf(buf, "%0.02f", val); + + } else if (val < 999.95) { + + sprintf(buf, "%0.01f", val); + + } else { + + return u_stringify_int(buf, (u64)val); + + } + + return buf; + +} + +/* Unsafe describe integer as memory size. */ + +static u8 *u_stringify_mem_size(u8 *buf, u64 val) { + + /* 0-9999 */ + CHK_FORMAT(1, 10000, "%llu B", u64); + + /* 10.0k - 99.9k */ + CHK_FORMAT(1024, 99.95, "%0.01f kB", double); + + /* 100k - 999k */ + CHK_FORMAT(1024, 1000, "%llu kB", u64); + + /* 1.00M - 9.99M */ + CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); + + /* 10.0M - 99.9M */ + CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); + + /* 100M - 999M */ + CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); + + /* 1.00G - 9.99G */ + CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); + + /* 10.0G - 99.9G */ + CHK_FORMAT(1024LL * 1024 * 1024, 99.95, "%0.01f GB", double); + + /* 100G - 999G */ + CHK_FORMAT(1024LL * 1024 * 1024, 1000, "%llu GB", u64); + + /* 1.00T - 9.99G */ + CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 9.995, "%0.02f TB", double); + + /* 10.0T - 99.9T */ + CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 99.95, "%0.01f TB", double); + +#undef CHK_FORMAT + + /* 100T+ */ + strcpy(buf, "infty"); + + return buf; + +} + +/* Unsafe describe time delta as string. + Returns a pointer to buf for convenience. */ + +static u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) { + + u64 delta; + s32 t_d, t_h, t_m, t_s; + u8 val_buf[STRINGIFY_VAL_SIZE_MAX]; + + if (!event_ms) { + + sprintf(buf, "none seen yet"); + + } else { + + delta = cur_ms - event_ms; + + t_d = delta / 1000 / 60 / 60 / 24; + t_h = (delta / 1000 / 60 / 60) % 24; + t_m = (delta / 1000 / 60) % 60; + t_s = (delta / 1000) % 60; + + u_stringify_int(val_buf, t_d); + sprintf(buf, "%s days, %d hrs, %d min, %d sec", val_buf, t_h, t_m, t_s); + + } + + return buf; + +} + #endif -- cgit v1.2.3 From 77b81e7361f7286cc3e0174b87ae5facb9f1290d Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 23 Mar 2020 18:18:54 +0100 Subject: custom mutators might work again like this --- include/afl-fuzz.h | 84 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 53 insertions(+), 31 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1a621625..7dddefb0 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -281,10 +281,20 @@ enum { /* 07 */ PY_FUNC_HAVOC_MUTATION_PROBABILITY, /* 08 */ PY_FUNC_QUEUE_GET, /* 09 */ PY_FUNC_QUEUE_NEW_ENTRY, + /* 10 */ PY_FUNC_DEINIT, PY_FUNC_COUNT }; +typedef struct py_mutator { + + PyObject *py_module; + PyObject *py_functions[PY_FUNC_COUNT]; + void *afl_state; + void *py_data; + +} py_mutator_t; + #endif typedef struct MOpt_globals { @@ -540,6 +550,9 @@ typedef struct afl_state { /* Custom mutators */ struct custom_mutator *mutator; +#ifdef USE_PYTHON + struct custom_mutator *py_mutator; +#endif /* cmplog forkserver ids */ s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; @@ -548,12 +561,6 @@ typedef struct afl_state { u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ -#ifdef USE_PYTHON - /* Python Mutators */ - PyObject *py_module; - PyObject *py_functions[PY_FUNC_COUNT]; -#endif - #ifdef _AFL_DOCUMENT_MUTATIONS u8 do_document; u32 document_counter; @@ -585,22 +592,25 @@ struct custom_mutator { const char *name; void * dh; + void *data; /* custom mutator data ptr */ + /* hooks for the custom mutator function */ /** * Initialize the custom mutator. * - * (Optional) - * + * @param afl AFL instance. * @param seed Seed used for the mutation. + * @return pointer to internal data or NULL on error */ - void (*afl_custom_init)(afl_state_t *afl, unsigned int seed); + void *(*afl_custom_init)(afl_state_t *afl, unsigned int seed); /** * Perform custom mutations on a given input * * (Optional for now. Required in the future) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param[inout] buf Pointer to the input data to be mutated and the mutated * output * @param[in] buf_size Size of the input/output data @@ -610,7 +620,7 @@ struct custom_mutator { * not produce data larger than max_size. * @return Size of the mutated output. */ - size_t (*afl_custom_fuzz)(afl_state_t *afl, u8 **buf, size_t buf_size, + size_t (*afl_custom_fuzz)(void *data, u8 **buf, size_t buf_size, u8 *add_buf, size_t add_buf_size, size_t max_size); /** @@ -620,6 +630,7 @@ struct custom_mutator { * (Optional) If this functionality is not needed, simply don't define this * function. * + * @param[in] data pointer returned in afl_custom_init for this fuzz case * @param[in] buf Buffer containing the test case to be executed * @param[in] buf_size Size of the test case * @param[out] out_buf Pointer to the buffer of storing the test case after @@ -627,7 +638,7 @@ struct custom_mutator { * will release the memory after saving the test case. * @return Size of the output buffer after processing */ - size_t (*afl_custom_pre_save)(afl_state_t *afl, u8 *buf, size_t buf_size, + size_t (*afl_custom_pre_save)(void *data, u8 *buf, size_t buf_size, u8 **out_buf); /** @@ -646,11 +657,12 @@ struct custom_mutator { * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param buf Buffer containing the test case * @param buf_size Size of the test case * @return The amount of possible iteration steps to trim the input */ - u32 (*afl_custom_init_trim)(afl_state_t *afl, u8 *buf, size_t buf_size); + u32 (*afl_custom_init_trim)(void *data, u8 *buf, size_t buf_size); /** * This method is called for each trimming operation. It doesn't have any @@ -663,12 +675,13 @@ struct custom_mutator { * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param[out] out_buf Pointer to the buffer containing the trimmed test case. * External library should allocate memory for out_buf. AFL++ will release * the memory after saving the test case. * @param[out] out_buf_size Pointer to the size of the trimmed test case */ - void (*afl_custom_trim)(afl_state_t *afl, u8 **out_buf, size_t *out_buf_size); + void (*afl_custom_trim)(void *data, u8 **out_buf, size_t *out_buf_size); /** * This method is called after each trim operation to inform you if your @@ -677,11 +690,12 @@ struct custom_mutator { * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param success Indicates if the last trim operation was successful. * @return The next trim iteration index (from 0 to the maximum amount of * steps returned in init_trim) */ - u32 (*afl_custom_post_trim)(afl_state_t *afl, u8 success); + u32 (*afl_custom_post_trim)(void *data, u8 success); /** * Perform a single custom mutation on a given input. @@ -689,6 +703,7 @@ struct custom_mutator { * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param[inout] buf Pointer to the input data to be mutated and the mutated * output * @param[in] buf_size Size of input data @@ -696,7 +711,7 @@ struct custom_mutator { * not produce data larger than max_size. * @return Size of the mutated output. */ - size_t (*afl_custom_havoc_mutation)(afl_state_t *afl, u8 **buf, + size_t (*afl_custom_havoc_mutation)(void *data, u8 **buf, size_t buf_size, size_t max_size); /** @@ -705,20 +720,22 @@ struct custom_mutator { * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @return The probability (0-100). */ - u8 (*afl_custom_havoc_mutation_probability)(afl_state_t *afl); + u8 (*afl_custom_havoc_mutation_probability)(void *data); /** * Determine whether the fuzzer should fuzz the current queue entry or not. * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param filename File name of the test case in the queue entry * @return Return True(1) if the fuzzer will fuzz the queue entry, and * False(0) otherwise. */ - u8 (*afl_custom_queue_get)(afl_state_t *afl, const u8 *filename); + u8 (*afl_custom_queue_get)(void *data, const u8 *filename); /** * Allow for additional analysis (e.g. calling a different tool that does a @@ -726,13 +743,20 @@ struct custom_mutator { * * (Optional) * + * @param data pointer returned in afl_custom_init for this fuzz case * @param filename_new_queue File name of the new queue entry * @param filename_orig_queue File name of the original queue entry. This * argument can be NULL while initializing the fuzzer */ - void (*afl_custom_queue_new_entry)(afl_state_t *afl, + void (*afl_custom_queue_new_entry)(void *data, const u8 * filename_new_queue, const u8 * filename_orig_queue); + /** + * Deinitialize the custom mutator. + * + * @param data pointer returned in afl_custom_init for this fuzz case + */ + void (*afl_custom_deinit)(void *data); }; @@ -750,19 +774,17 @@ u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf); /* Python */ #ifdef USE_PYTHON -int init_py_module(afl_state_t *, u8 *); -void finalize_py_module(afl_state_t *); - -void init_py(afl_state_t *, unsigned int); -size_t fuzz_py(afl_state_t *, u8 **, size_t, u8 *, size_t, size_t); -size_t pre_save_py(afl_state_t *, u8 *, size_t, u8 **); -u32 init_trim_py(afl_state_t *, u8 *, size_t); -u32 post_trim_py(afl_state_t *, u8); -void trim_py(afl_state_t *, u8 **, size_t *); -size_t havoc_mutation_py(afl_state_t *, u8 **, size_t, size_t); -u8 havoc_mutation_probability_py(afl_state_t *); -u8 queue_get_py(afl_state_t *, const u8 *); -void queue_new_entry_py(afl_state_t *, const u8 *, const u8 *); +void finalize_py_module(void *); + +size_t pre_save_py(void *, u8 *, size_t, u8 **); +u32 init_trim_py(void *, u8 *, size_t); +u32 post_trim_py(void *, u8); +void trim_py(void *, u8 **, size_t *); +size_t havoc_mutation_py(void *, u8 **, size_t, size_t); +u8 havoc_mutation_probability_py(void *); +u8 queue_get_py(void *, const u8 *); +void queue_new_entry_py(void *, const u8 *, const u8 *); +void deinit_py(void *); #endif -- cgit v1.2.3