From 2d9b793dbbe9288a1caa4459c280678179bb46c9 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 4 Jun 2024 14:47:58 +0200 Subject: AFL_NO_SYNC --- include/afl-fuzz.h | 2 +- include/envs.h | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 74b04fdb..65304d19 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -457,7 +457,7 @@ typedef struct afl_env_vars { afl_no_startup_calibration, afl_no_warn_instability, afl_post_process_keep_original, afl_crashing_seeds_as_new_crash, afl_final_sync, afl_ignore_seed_problems, afl_disable_redundant, - afl_sha1_filenames; + afl_sha1_filenames, afl_no_sync; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, diff --git a/include/envs.h b/include/envs.h index 5b516905..45b080cb 100644 --- a/include/envs.h +++ b/include/envs.h @@ -81,14 +81,13 @@ static char *afl_environment_variables[] = { "AFL_LLVM_MAP_DYNAMIC", "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE", "AFL_LLVM_NO_RPATH", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_INSTRUMENT_FILE", "AFL_LLVM_THREADSAFE_INST", "AFL_LLVM_SKIP_NEVERZERO", "AFL_NO_AFFINITY", - "AFL_TRY_AFFINITY", "AFL_LLVM_LTO_DONTWRITEID", - "AFL_LLVM_LTO_SKIPINIT" - "AFL_LLVM_LTO_STARTID", - "AFL_FUZZER_LOOPCOUNT", "AFL_NO_ARITH", "AFL_NO_AUTODICT", "AFL_NO_BUILTIN", + "AFL_TRY_AFFINITY", "AFL_LLVM_LTO_DONTWRITEID", "AFL_LLVM_LTO_SKIPINIT", + "AFL_LLVM_LTO_STARTID", "AFL_FUZZER_LOOPCOUNT", "AFL_NO_ARITH", + "AFL_NO_AUTODICT", "AFL_NO_BUILTIN", #if defined USE_COLOR && !defined ALWAYS_COLORED "AFL_NO_COLOR", "AFL_NO_COLOUR", #endif - "AFL_NO_CPU_RED", + "AFL_NO_CPU_RED", "AFL_NO_SYNC", "AFL_NO_CFG_FUZZING", // afl.rs rust crate option "AFL_NO_CRASH_README", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_NO_STARTUP_CALIBRATION", "AFL_NO_WARN_INSTABILITY", -- cgit 1.4.1 From 2806d6be2f1d26eed7b42ae580f5bf7a29713a01 Mon Sep 17 00:00:00 2001 
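Review bot: The new side of the `envs.h` hunk still packs several quoted names per line with nothing guarding against a dropped comma, which in C silently concatenates two adjacent literals into one entry — the old side shows exactly that, `"AFL_LLVM_LTO_SKIPINIT" "AFL_LLVM_LTO_STARTID"` having been a single unrecognisable name until this commit. A comment at the head of `afl_environment_variables[]` (its opening line precedes the hunk) such as `/* one quoted name per entry - a missing comma merges two names and both silently stop being recognised */` would flag the trap, and one name per line would make a repeat stand out in review. Assuming this table feeds a recognised-variable check, the new `AFL_NO_SYNC` entry should also be described wherever the other `AFL_NO_*` variables are documented, which this include-only excerpt cannot show.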
From: vanhauser-thc Date: Wed, 5 Jun 2024 09:20:30 +0200 Subject: optimize syncing --- include/config.h | 4 ++-- src/afl-fuzz.c | 25 ++++++++----------------- 2 files changed, 10 insertions(+), 19 deletions(-) (limited to 'include') diff --git a/include/config.h b/include/config.h index 3727dab1..ebe40022 100644 --- a/include/config.h +++ b/include/config.h @@ -324,9 +324,9 @@ #define SYNC_INTERVAL 8 /* Sync time (minimum time between syncing in ms, time is halfed for -M main - nodes) - default is 30 minutes: */ + nodes) - default is 20 minutes: */ -#define SYNC_TIME (30 * 60 * 1000) +#define SYNC_TIME (20 * 60 * 1000) /* Output directory reuse grace period (minutes): */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 0f6216c4..49d25d5a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -2943,35 +2943,26 @@ int main(int argc, char **argv_orig, char **envp) { if (likely(!afl->stop_soon && afl->sync_id)) { - if (likely(afl->skip_deterministic)) { + if (unlikely(afl->is_main_node)) { - if (unlikely(afl->is_main_node)) { + if (unlikely(cur_time > (afl->sync_time >> 1) + afl->last_sync_time)) { - if (unlikely(cur_time > - (afl->sync_time >> 1) + afl->last_sync_time)) { + if (!(sync_interval_cnt++ % (SYNC_INTERVAL / 3))) { - if (!(sync_interval_cnt++ % (SYNC_INTERVAL / 3))) { - - sync_fuzzers(afl); - - } + sync_fuzzers(afl); } - } else { + } - if (unlikely(cur_time > afl->sync_time + afl->last_sync_time)) { + } else { - if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); } + if (unlikely(cur_time > afl->sync_time + afl->last_sync_time)) { - } + if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); } } - } else { - - sync_fuzzers(afl); - } } -- cgit 1.4.1 From bdfd38771abe9641db08b7569a0cc6a38f1ecf4a Mon Sep 17 00:00:00 2001 
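Review bot: `SYNC_INTERVAL / 3` in the `is_main_node` branch is integer division, and with `#define SYNC_INTERVAL 8` (visible as context in this commit's config.h hunk) it evaluates to 2, so the main node syncs on every second qualifying iteration rather than every third; if a third is the intent the expression should round (`(SYNC_INTERVAL + 2) / 3`) or become a named constant, and if 2 is intended a comment should say so. The two branches now differ only in the time threshold and the modulus, so they can be folded into one test, which also makes the shared `sync_interval_cnt++` gate easier to reason about. Note that `sync_interval_cnt` only advances on iterations that pass the time test, so once `last_sync_time` moves forward (presumably inside `sync_fuzzers`, not shown here) the next sync can still lag by up to `SYNC_INTERVAL - 1` further qualifying iterations — likely harmless, but worth a comment. The enclosing `main` starts and ends outside this hunk.

```c
      if (likely(!afl->stop_soon && afl->sync_id)) {

        /* Main nodes sync more eagerly: half the time threshold and a third
           of the iteration interval. SYNC_INTERVAL / 3 is integer division,
           i.e. 2 for the default SYNC_INTERVAL of 8. */
        u64 sync_after = afl->is_main_node ? (afl->sync_time >> 1) : afl->sync_time;
        u32 sync_every = afl->is_main_node ? (SYNC_INTERVAL / 3) : SYNC_INTERVAL;

        if (unlikely(cur_time > sync_after + afl->last_sync_time)) {

          /* sync_interval_cnt only advances on iterations past the threshold */
          if (!(sync_interval_cnt++ % sync_every)) { sync_fuzzers(afl); }

        }

      }
```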
From: vanhauser-thc Date: Fri, 7 Jun 2024 09:47:29 +0200 Subject: add cmplog_time measurement --- include/afl-fuzz.h | 1 + src/afl-fuzz-redqueen.c | 19 +++++++++++++++++-- src/afl-fuzz-stats.c | 25 +++++++++++++++++++++---- 3 files changed, 39 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 65304d19..1e670702 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -656,6 +656,7 @@ typedef struct afl_state { switch_fuzz_mode, /* auto or fixed fuzz mode */ calibration_time_us, /* Time spend on calibration */ sync_time_us, /* Time spend on sync */ + cmplog_time_us, /* Time spend on cmplog */ trim_time_us; /* Time spend on trimming */ u32 slowest_exec_ms, /* Slowest testcase non hang in ms */ diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6c3582f2..954e5671 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -2938,7 +2938,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // afl->queue_cur->exec_cksum u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { - u8 r = 1; + u64 cmplog_start_us = get_cur_time_us(); + u8 r = 1; if (unlikely(!afl->pass_stats)) { afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W); @@ -2966,7 +2967,12 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { if (!afl->queue_cur->taint || !afl->queue_cur->cmplog_colorinput) { - if (unlikely(colorization(afl, buf, len, &taint))) { return 1; } + if (unlikely(colorization(afl, buf, len, &taint))) { + + update_cmplog_time(afl, &cmplog_start_us); + return 1; + + } // no taint? still try, create a dummy to prevent again colorization if (!taint) { @@ -2975,6 +2981,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { fprintf(stderr, "TAINT FAILED\n"); #endif afl->queue_cur->colorized = CMPLOG_LVL_MAX; + update_cmplog_time(afl, &cmplog_start_us); return 0; } 
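Review bot: The cmplog accounting added to `input_to_state_stage` depends on every `return` being preceded by `update_cmplog_time(afl, &cmplog_start_us)`; the hunks cover the colorization-failure and no-taint exits, but a return added later silently drops that interval from the `cmplog_time` stat and nothing enforces the invariant. A comment next to the new `u64 cmplog_start_us = get_cur_time_us();` — `/* every exit path must call update_cmplog_time() first, or its time is lost from cmplog_time */` — makes the contract visible, and if the `exit_its:` cleanup this commit extends in a later hunk is harmless on the early paths, routing them through `r = 1; goto exit_its;` would enforce it instead of relying on discipline. The function continues well past this hunk.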
@@ -2995,6 +3002,8 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { } + update_cmplog_time(afl, &cmplog_start_us); + struct tainted *t = taint; #ifdef _DEBUG @@ -3027,6 +3036,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { } + update_cmplog_time(afl, &cmplog_start_us); return 1; } @@ -3050,6 +3060,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { } + update_cmplog_time(afl, &cmplog_start_us); return 1; } @@ -3068,6 +3079,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { u64 orig_hit_cnt, new_hit_cnt; u64 orig_execs = afl->fsrv.total_execs; orig_hit_cnt = afl->queued_items + afl->saved_crashes; + update_cmplog_time(afl, &cmplog_start_us); afl->stage_name = "input-to-state"; afl->stage_short = "its"; @@ -3144,6 +3156,8 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { } + update_cmplog_time(afl, &cmplog_start_us); + } r = 0; @@ -3272,6 +3286,7 @@ exit_its: #endif + update_cmplog_time(afl, &cmplog_start_us); return r; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 609b11e4..3a71e158 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -207,6 +207,12 @@ void load_stats_file(afl_state_t *afl) { } + if (starts_with("cmplog_time", keystring)) { + + afl->cmplog_time_us = strtoull(lptr, &nptr, 10) * 1000000; + + } + if (starts_with("trim_time", keystring)) { afl->trim_time_us = strtoull(lptr, &nptr, 10) * 1000000; @@ -322,8 +328,9 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } #endif u64 runtime_ms = afl->prev_run_time + cur_time - afl->start_time; - u64 overhead_ms = - (afl->calibration_time_us + afl->sync_time_us + afl->trim_time_us) / 1000; + u64 overhead_ms = (afl->calibration_time_us + afl->sync_time_us + + afl->trim_time_us + afl->cmplog_time_us) / + 1000; if (!runtime_ms) { runtime_ms = 1; } fprintf( 
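Review bot: The `update_cmplog_time(afl, &cmplog_start_us);` inserted just before `afl->stage_name = "input-to-state";` looks redundant at first sight, since the helper adds the elapsed interval and restarts the clock and the final call at `exit_its` would sum the same total; the mid-function checkpoints only matter if something reads `cmplog_time_us` while the stage is still running (stats written from within the stage, presumably). Without a comment the next maintainer may fold them away, so add `/* checkpoint: keep cmplog_time_us current while the stage is still running */` at this and the other mid-stage calls. The function starts and ends outside this hunk.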
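Review bot: Adding `afl->cmplog_time_us` to `overhead_ms` changes what `fuzz_time` in fuzzer_stats means, because the context line in the next hunk derives it as `runtime_ms - MIN(runtime_ms, overhead_ms)`; input-to-state work executes the target and produces findings, so consumers that treated `fuzz_time` as "time the target was being fuzzed" will now see it shrink on cmplog runs. If that is intended, a comment on the new expression — `/* overhead_ms: time outside the main mutation loop (calibration, sync, trim, cmplog); fuzz_time is runtime minus this */` — and a matching note wherever `fuzz_time` is documented would keep the field's definition explicit. `write_stats_file` starts and ends outside this hunk.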
@@ -337,6 +344,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, "time_wo_finds : %llu\n" "fuzz_time : %llu\n" "calibration_time : %llu\n" + "cmplog_time : %llu\n" "sync_time : %llu\n" "trim_time : %llu\n" "execs_done : %llu\n" @@ -385,8 +393,9 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, ? 0 : (cur_time - afl->last_find_time) / 1000), (runtime_ms - MIN(runtime_ms, overhead_ms)) / 1000, - afl->calibration_time_us / 1000000, afl->sync_time_us / 1000000, - afl->trim_time_us / 1000000, afl->fsrv.total_execs, + afl->calibration_time_us / 1000000, afl->cmplog_time_us / 1000000, + afl->sync_time_us / 1000000, afl->trim_time_us / 1000000, + afl->fsrv.total_execs, afl->fsrv.total_execs / ((double)(runtime_ms) / 1000), afl->last_avg_execs_saved, afl->queued_items, afl->queued_favored, afl->queued_discovered, afl->queued_imported, afl->queued_variable, @@ -2511,3 +2520,11 @@ inline void update_sync_time(afl_state_t *afl, u64 *time) { } +inline void update_cmplog_time(afl_state_t *afl, u64 *time) { + + u64 cur = get_cur_time_us(); + afl->cmplog_time_us += cur - *time; + *time = cur; + +} + -- cgit 1.4.1 From 0618bfd4ae6a31ce44fcad13bbf6f5a41bb265d1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 7 Jun 2024 09:58:27 +0200 Subject: fix --- include/afl-fuzz.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1e670702..d3501e8d 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1227,6 +1227,7 @@ void show_init_stats(afl_state_t *); void update_calibration_time(afl_state_t *afl, u64 *time); void update_trim_time(afl_state_t *afl, u64 *time); void update_sync_time(afl_state_t *afl, u64 *time); +void update_cmplog_time(afl_state_t *afl, u64 *time); /* StatsD */ -- cgit 1.4.1 From f0937f96d49fdb23865e2025576ab5c0049ef5b5 Mon Sep 17 00:00:00 2001 
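Review bot: The new `update_cmplog_time` has no comment, and it is defined `inline` without `static` in a `.c` file, which under C99/C11 yields only an inline definition — no external symbol for the callers in afl-fuzz-redqueen.c — unless a non-`inline` declaration is visible in this translation unit; that declaration, `void update_cmplog_time(afl_state_t *afl, u64 *time);`, only arrives in the follow-up "fix" commit on this page, which suggests the build was broken in between. The pattern matches the sibling `update_sync_time` above it, so the remaining fix is documentation: `/* Add the interval since *time to cmplog_time_us and reset *time to now; may be called repeatedly during one stage, each call accounting only the time since the previous one. */`.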
From: vanhauser-thc Date: Fri, 7 Jun 2024 11:48:58 +0200 Subject: target hash --- TODO.md | 1 + include/afl-fuzz.h | 1 + src/afl-common.c | 18 ++++++++++++++++++ 3 files changed, 20 insertions(+) (limited to 'include') diff --git a/TODO.md b/TODO.md index ace07434..aba3cf81 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,7 @@ ## Must + - fast restart of afl-fuzz if cmdline + target hash is the same - hardened_usercopy=0 page_alloc.shuffle=0 - add value_profile but only enable after 15 minutes without finds - cmplog max items env? diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index d3501e8d..e3e4e246 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1278,6 +1278,7 @@ void get_core_count(afl_state_t *); void fix_up_sync(afl_state_t *); void check_asan_opts(afl_state_t *); void check_binary(afl_state_t *, u8 *); +u64 get_binary_hash(u8 *fn); void check_if_tty(afl_state_t *); void save_cmdline(afl_state_t *, u32, char **); void read_foreign_testcases(afl_state_t *, int); diff --git a/src/afl-common.c b/src/afl-common.c index efdb5d60..4250fb36 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -51,6 +51,8 @@ #include #include +#include "hash.h" + u8 be_quiet = 0; u8 *doc_path = ""; u8 last_intr = 0; @@ -167,6 +169,22 @@ void set_sanitizer_defaults() { } +u64 get_binary_hash(u8 *fn) { + + int fd = open(fn, O_RDONLY); + if (fd < 0) { PFATAL("Unable to open '%s'", fn); } + struct stat st; + if (fstat(fd, &st) < 0) { PFATAL("Unable to fstat '%s'", fn); } + u32 f_len = st.st_size; + u8 *f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); + if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); } + close(fd); + u64 hash = hash64(f_data, f_len, 0); + if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); } + return hash; + +} + u32 check_binary_signatures(u8 *fn) { int ret = 0, fd = open(fn, O_RDONLY); -- cgit 1.4.1 From ec0b83f127702fe23da72f4d424bc13a5bacfae9 Mon Sep 17 00:00:00 2001 
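Review bot: `u32 f_len = st.st_size;` in `get_binary_hash` narrows an `off_t` to 32 bits, so a target of 4 GiB or more is silently hashed over a truncated length (and a multiple of 4 GiB gives length 0, which `mmap` rejects with EINVAL and surfaces as a misleading "Unable to mmap" PFATAL); an empty file hits the same mmap failure. The TODO entry in this commit says the hash is meant to decide whether a restart sees the same target, so a wrong-length hash could quietly compare equal for two different large binaries — the size should be validated explicitly rather than truncated, and a comment should state that `hash64()` (from hash.h, presumably a fast non-cryptographic hash) is an identity check, not a tamper-evident one. If `hash64()` takes a `u32` length the cast stays but becomes deliberate; `FATAL` is assumed to exist alongside `PFATAL`, otherwise use whatever the file's non-errno fatal macro is.

```c
u64 get_binary_hash(u8 *fn) {

  int fd = open(fn, O_RDONLY);
  if (fd < 0) { PFATAL("Unable to open '%s'", fn); }
  struct stat st;
  if (fstat(fd, &st) < 0) { PFATAL("Unable to fstat '%s'", fn); }
  /* st_size is off_t; narrowing it to the u32 that hash64() takes would
     silently truncate a >= 4 GiB file, and a 0-length mmap() is EINVAL.
     This hash identifies the binary across restarts only - it is not a
     collision-resistant or tamper-evident digest. */
  if (st.st_size <= 0 || (u64)st.st_size > UINT32_MAX) {
    FATAL("Unsupported size for '%s'", fn);
  }
  size_t f_len = (size_t)st.st_size;
  u8 *f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0);
  if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); }
  close(fd);
  u64 hash = hash64(f_data, (u32)f_len, 0);
  if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); }
  return hash;

}
```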
From: vanhauser-thc Date: Sun, 9 Jun 2024 18:39:56 +0200 Subject: 4.21c --- README.md | 4 ++-- TODO.md | 2 +- docs/Changelog.md | 4 ++-- include/config.h | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) (limited to 'include') diff --git a/README.md b/README.md index 34d73890..1b255a2a 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ AFL++ logo -Release version: [4.20c](https://github.com/AFLplusplus/AFLplusplus/releases) +Release version: [4.21c](https://github.com/AFLplusplus/AFLplusplus/releases) -GitHub version: 4.21a +GitHub version: 4.21c Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) diff --git a/TODO.md b/TODO.md index aba3cf81..b36269b4 100644 --- a/TODO.md +++ b/TODO.md @@ -3,6 +3,7 @@ ## Must - fast restart of afl-fuzz if cmdline + target hash is the same + - check for null ptr for xml/curl/g_ string transform functions - hardened_usercopy=0 page_alloc.shuffle=0 - add value_profile but only enable after 15 minutes without finds - cmplog max items env? @@ -12,7 +13,6 @@ - afl-showmap -f support - afl-fuzz multicore wrapper script - when trimming then perform crash detection - - cyclomatic complexity: 2 + calls + edges - blocks ## Should diff --git a/docs/Changelog.md b/docs/Changelog.md index 0f4b2d8a..50494acc 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -3,7 +3,7 @@ This is the list of all noteworthy changes made in every public release of the tool. See README.md for the general instruction manual. -### Version ++4.21a (dev) +### Version ++4.21c (release) * afl-fuzz - fixed a regression in afl-fuzz that resulted in a 5-10% performace loss do a switch from gettimeofday() to clock_gettime() which should be rather 
@@ -24,6 +24,7 @@ long calibration times and syncing could result in now fuzzing being made when the time was already run out until then, thanks to @eqv! - fix -n uninstrumented mode when ending fuzzing + - enhanced the ASAN configuration - make afl-fuzz use less memory with cmplog and fix a memleak * afl-cc: - re-enable i386 support that was accidently disabled @@ -40,7 +41,6 @@ - minor fix to collect coverage -C (thanks to @bet4it) * Fixed a shmem mmap bug (that rarely came up on MacOS) * libtokencap: script generate_libtoken_dict.sh added by @a-shvedov - * enhanced the ASAN configuration ### Version ++4.20c (release) diff --git a/include/config.h b/include/config.h index ebe40022..c4acf8db 100644 --- a/include/config.h +++ b/include/config.h @@ -26,7 +26,7 @@ /* Version string: */ // c = release, a = volatile github dev, e = experimental branch -#define VERSION "++4.21a" +#define VERSION "++4.21c" /****************************************************** * * -- cgit 1.4.1