From e6d4d29af559142062476ad4c7c243c5f1769fd9 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 3 Jul 2020 15:21:33 +0100 Subject: llvm mode shared segment fix for FreeBSD. MAP_EXCL|MAP_FIXED is a (genuine) equivalent to Linux's MAP_FIXED_NOREPLACE. --- llvm_mode/afl-llvm-rt.o.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index f81d13ee..9db43e35 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -53,7 +53,11 @@ #define CONST_PRIO 5 #ifndef MAP_FIXED_NOREPLACE - #define MAP_FIXED_NOREPLACE MAP_FIXED +# ifdef MAP_EXCL + #define MAP_FIXED_NOREPLACE MAP_EXCL|MAP_FIXED +#else + #define MAP_FIXED_NOREPLACE MAP_FIXED +# endif #endif #include -- cgit 1.4.1 From 95fd080ca17743717d38b8b002d30b09a5a16748 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 5 Jul 2020 11:08:22 +0200 Subject: code format --- libdislocator/libdislocator.so.c | 3 ++- libtokencap/libtokencap.so.c | 16 ++++++++-------- llvm_mode/afl-llvm-rt.o.c | 10 +++++----- llvm_mode/compare-transform-pass.so.cc | 4 ++-- 4 files changed, 17 insertions(+), 16 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/libdislocator/libdislocator.so.c b/libdislocator/libdislocator.so.c index b93f43c1..2324e390 100644 --- a/libdislocator/libdislocator.so.c +++ b/libdislocator/libdislocator.so.c @@ -205,10 +205,11 @@ static void *__dislocator_alloc(size_t len) { #elif defined(__sun) if (sp) { - base = (void *)(caddr_t)(1<<21); + base = (void *)(caddr_t)(1 << 21); flags |= MAP_ALIGN; } + #endif #else (void)sp; diff --git a/libtokencap/libtokencap.so.c b/libtokencap/libtokencap.so.c index baf9fae6..21bac082 100644 --- a/libtokencap/libtokencap.so.c +++ b/libtokencap/libtokencap.so.c 
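Review bot: The new fallback `#define MAP_FIXED_NOREPLACE MAP_EXCL|MAP_FIXED` is unparenthesized, so wherever the macro is an operand of a higher-precedence operator (`flags & MAP_FIXED_NOREPLACE`, `x == MAP_FIXED_NOREPLACE`) it binds as `(flags & MAP_EXCL) | MAP_FIXED` and silently yields the wrong value; define it as `#define MAP_FIXED_NOREPLACE (MAP_EXCL | MAP_FIXED)`. The code-format commit further down reflows the same block to `MAP_EXCL | MAP_FIXED` and keeps the unparenthesized form, so the fix is needed there as well. Worth a one-line comment above the `#ifdef MAP_EXCL` too, e.g. `/* FreeBSD: MAP_EXCL|MAP_FIXED fails instead of clobbering an existing mapping, like Linux MAP_FIXED_NOREPLACE */`, since the plain `MAP_FIXED` fallback below it does overwrite whatever is already mapped there.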
@@ -254,10 +254,10 @@ static void __tokencap_load_mappings(void) { #elif defined __sun prmap_t *c, *map; - char path[PATH_MAX]; - ssize_t r; - size_t hint; - int fd; + char path[PATH_MAX]; + ssize_t r; + size_t hint; + int fd; snprintf(path, sizeof(path), "/proc/%ld/map", getpid()); fd = open(path, O_RDONLY); @@ -266,14 +266,14 @@ static void __tokencap_load_mappings(void) { __tokencap_ro_loaded = 1; - for (; (r = pread(fd, map, hint, 0)) == hint; ) { - - hint <<= 1; + for (; (r = pread(fd, map, hint, 0)) == hint;) { + + hint <<= 1; map = realloc(map, hint); } - for (c = map; r > 0; c++ , r -= sizeof(prmap_t)) { + for (c = map; r > 0; c++, r -= sizeof(prmap_t)) { __tokencap_ro[__tokencap_ro_cnt].st = c->pr_vaddr; __tokencap_ro[__tokencap_ro_cnt].en = c->pr_vaddr + c->pr_size; diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 9db43e35..0efde7aa 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -53,11 +53,11 @@ #define CONST_PRIO 5 #ifndef MAP_FIXED_NOREPLACE -# ifdef MAP_EXCL - #define MAP_FIXED_NOREPLACE MAP_EXCL|MAP_FIXED -#else - #define MAP_FIXED_NOREPLACE MAP_FIXED -# endif + #ifdef MAP_EXCL + #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED + #else + #define MAP_FIXED_NOREPLACE MAP_FIXED + #endif #endif #include diff --git a/llvm_mode/compare-transform-pass.so.cc b/llvm_mode/compare-transform-pass.so.cc index 5119d656..2f165ea6 100644 --- a/llvm_mode/compare-transform-pass.so.cc +++ b/llvm_mode/compare-transform-pass.so.cc 
@@ -474,8 +474,8 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, if (cur_lenchk_bb) { IRBuilder<> cur_lenchk_IRB(&*(cur_lenchk_bb->getFirstInsertionPt())); - Value * icmp = cur_lenchk_IRB.CreateICmpEQ(sizedValue, - ConstantInt::get(sizedValue->getType(), i)); + Value * icmp = cur_lenchk_IRB.CreateICmpEQ( + sizedValue, ConstantInt::get(sizedValue->getType(), i)); cur_lenchk_IRB.CreateCondBr(icmp, end_bb, cur_cmp_bb); cur_lenchk_bb->getTerminator()->eraseFromParent(); -- cgit 1.4.1 From 11f25747a97156dd230a20ecda6a7bba672238bb Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 27 Jul 2020 09:39:15 +0200 Subject: child renice --- llvm_mode/afl-llvm-rt.o.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 0efde7aa..a509a9f0 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -514,6 +514,8 @@ static void __afl_start_snapshots(void) { if (!child_pid) { + (void)nice(-20); + signal(SIGCHLD, old_sigchld_handler); close(FORKSRV_FD); @@ -717,6 +719,8 @@ static void __afl_start_forkserver(void) { if (!child_pid) { + (void)nice(-20); + signal(SIGCHLD, old_sigchld_handler); close(FORKSRV_FD); -- cgit 1.4.1 From 031aa240bc44d3ade1306b7f569260bbeeff7b64 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 27 Jul 2020 23:09:26 +0200 Subject: unnice2 --- llvm_mode/afl-llvm-rt.o.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index a509a9f0..4e3a4249 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -514,7 +514,7 @@ static void __afl_start_snapshots(void) { if (!child_pid) { - (void)nice(-20); + //(void)nice(-20); // does not seem to improve signal(SIGCHLD, old_sigchld_handler); -- cgit 1.4.1 From 8b21c2e4728b680a7b02851a4219e78daf54a466 Mon Sep 17 00:00:00 2001 
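Review bot: `(void)nice(-20);` in the forked child discards a result that is ambiguous by itself: `nice()` returns the new nice value, and -1 is both a valid value and the error indicator, so errno has to be cleared before and checked after the call. On Linux lowering the nice value needs CAP_SYS_NICE (or an RLIMIT_NICE that allows it), so in an unprivileged fuzzing run this fails with EPERM on every fork, and when it does succeed the target process, which executes untrusted input, runs at the highest scheduling priority and can starve the parent fuzzer. If the call stays, make the outcome explicit, `errno = 0; if (nice(-20) == -1 && errno) { /* not permitted, keep default priority */ }`, and apply the same to the identical hunk in __afl_start_forkserver below. Both enclosing functions begin before and continue after their hunks.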
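Review bot: Commenting the call out as `//(void)nice(-20); // does not seem to improve` leaves dead code on the child setup path instead of removing it, and the following `unnice` commit does the same in __afl_start_forkserver with no comment at all, so the two sites now disagree about why the line is there. Either delete both lines or keep a single explanatory comment such as `// nice(-20) was tried here and dropped: no measurable gain and it needs CAP_SYS_NICE`. __afl_start_snapshots begins before and continues after this hunk.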
From: van Hauser Date: Tue, 28 Jul 2020 09:55:32 +0200 Subject: unnice --- llvm_mode/afl-llvm-rt.o.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 4e3a4249..a2038188 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -719,7 +719,7 @@ static void __afl_start_forkserver(void) { if (!child_pid) { - (void)nice(-20); + //(void)nice(-20); signal(SIGCHLD, old_sigchld_handler); -- cgit 1.4.1 From a22f4dd1ac1fe12bc5b81c3311524bc175a2eed0 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 28 Jul 2020 16:13:32 +0200 Subject: new snapshot api --- include/snapshot-inl.h | 63 ++++++++++++++++++++++++++++++++++++++++------- llvm_mode/afl-llvm-rt.o.c | 2 +- 2 files changed, 55 insertions(+), 10 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h index b73a001e..55251db5 100644 --- a/include/snapshot-inl.h +++ b/include/snapshot-inl.h 
@@ -25,35 +25,80 @@ // From AFL-Snapshot-LKM/include/afl_snapshot.h (must be kept synced) #include -#include -#include +#include #include #define AFL_SNAPSHOT_FILE_NAME "/dev/afl_snapshot" #define AFL_SNAPSHOT_IOCTL_MAGIC 44313 -#define AFL_SNAPSHOT_IOCTL_DO _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 1) -#define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 2) +#define AFL_SNAPSHOT_EXCLUDE_VMRANGE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 1, struct afl_snapshot_vmrange_args*) +#define AFL_SNAPSHOT_INCLUDE_VMRANGE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 2, struct afl_snapshot_vmrange_args*) +#define AFL_SNAPSHOT_IOCTL_TAKE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 3, int) +#define AFL_SNAPSHOT_IOCTL_RESTORE _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 4) +#define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 5) + +// Trace new mmaped ares and unmap them on restore. +#define AFL_SNAPSHOT_MMAP 1 +// Do not snapshot any page (by default all writeable not-shared pages +// are shanpshotted. +#define AFL_SNAPSHOT_BLOCK 2 +// Snapshot file descriptor state, close newly opened descriptors +#define AFL_SNAPSHOT_FDS 4 +// Snapshot registers state +#define AFL_SNAPSHOT_REGS 8 +// Perform a restore when exit_group is invoked +#define AFL_SNAPSHOT_EXIT 16 +// TODO(andrea) allow not COW snapshots (high perf on small processes) +// Disable COW, restore all the snapshotted pages +#define AFL_SNAPSHOT_NOCOW 32 +// Do not snapshot Stack pages +#define AFL_SNAPSHOT_NOSTACK 64 + +struct afl_snapshot_vmrange_args { + + unsigned long start, end; + +}; static int afl_snapshot_dev_fd; -static int afl_snapshot_init(void) { +static int afl_snapshot_init() { afl_snapshot_dev_fd = open(AFL_SNAPSHOT_FILE_NAME, 0); return afl_snapshot_dev_fd; } -static int afl_snapshot_do() { +static void afl_snapshot_exclude_vmrange(void* start, void* end) { - return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_DO); + struct afl_snapshot_vmrange_args args = {(unsigned long)start, (unsigned long)end}; + ioctl(afl_snapshot_dev_fd, 
AFL_SNAPSHOT_EXCLUDE_VMRANGE, &args); } -static int afl_snapshot_clean(void) { +static void afl_snapshot_include_vmrange(void* start, void* end) { - return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_CLEAN); + struct afl_snapshot_vmrange_args args = {(unsigned long)start, (unsigned long)end}; + ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_INCLUDE_VMRANGE, &args); + +} + +static int afl_snapshot_take(int config) { + + return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_TAKE, config); + +} + +static void afl_snapshot_restore(void) { + + ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_RESTORE); + +} + +static void afl_snapshot_clean(void) { + + ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_CLEAN); } diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index a2038188..25be0d5a 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -521,7 +521,7 @@ static void __afl_start_snapshots(void) { close(FORKSRV_FD); close(FORKSRV_FD + 1); - if (!afl_snapshot_do()) { raise(SIGSTOP); } + if (!afl_snapshot_take(AFL_SNAPSHOT_MMAP | AFL_SNAPSHOT_FDS | AFL_SNAPSHOT_REGS | AFL_SNAPSHOT_EXIT)) { raise(SIGSTOP); } __afl_area_ptr[0] = 1; memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T)); -- cgit 1.4.1 From d64c0e888751a3747d945702bc3e732c94db0cc9 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 28 Jul 2020 16:31:07 +0200 Subject: lkm new api --- include/snapshot-inl.h | 37 ++++++++++++++++++++++++------------- llvm_mode/afl-llvm-rt.o.c | 7 ++++++- 2 files changed, 30 insertions(+), 14 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h index 55251db5..263a4b63 100644 --- a/include/snapshot-inl.h +++ b/include/snapshot-inl.h 
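Review bot: The new helpers `afl_snapshot_exclude_vmrange`, `afl_snapshot_include_vmrange`, `afl_snapshot_restore` and `afl_snapshot_clean` return void and drop the `ioctl()` result, so a failed call (for example `afl_snapshot_dev_fd` being -1 because `afl_snapshot_init` failed to open the device, or ENOTTY/EINVAL from a loaded module built against a different ioctl numbering) is invisible to the caller; `afl_snapshot_take` keeps its return, so for consistency make the others `static int` and `return ioctl(...);` as well, letting the caller decide what a failed exclude or restore means. `afl_snapshot_init` also loses its `(void)` in this hunk, which in C declares a function without a prototype — keep `(void)` as the other helpers do. The comments introduced here read "mmaped ares" and "shanpshotted" and can be corrected while the block is being touched.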
@@ -32,23 +32,26 @@ #define AFL_SNAPSHOT_IOCTL_MAGIC 44313 -#define AFL_SNAPSHOT_EXCLUDE_VMRANGE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 1, struct afl_snapshot_vmrange_args*) -#define AFL_SNAPSHOT_INCLUDE_VMRANGE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 2, struct afl_snapshot_vmrange_args*) -#define AFL_SNAPSHOT_IOCTL_TAKE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 3, int) -#define AFL_SNAPSHOT_IOCTL_RESTORE _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 4) -#define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 5) +#define AFL_SNAPSHOT_IOCTL_DO _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 1) +#define AFL_SNAPSHOT_IOCTL_CLEAN _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 2) +#define AFL_SNAPSHOT_EXCLUDE_VMRANGE \ + _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 3, struct afl_snapshot_vmrange_args *) +#define AFL_SNAPSHOT_INCLUDE_VMRANGE \ + _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 4, struct afl_snapshot_vmrange_args *) +#define AFL_SNAPSHOT_IOCTL_TAKE _IOR(AFL_SNAPSHOT_IOCTL_MAGIC, 5, int) +#define AFL_SNAPSHOT_IOCTL_RESTORE _IO(AFL_SNAPSHOT_IOCTL_MAGIC, 6) // Trace new mmaped ares and unmap them on restore. -#define AFL_SNAPSHOT_MMAP 1 +#define AFL_SNAPSHOT_MMAP 1 // Do not snapshot any page (by default all writeable not-shared pages // are shanpshotted. #define AFL_SNAPSHOT_BLOCK 2 // Snapshot file descriptor state, close newly opened descriptors -#define AFL_SNAPSHOT_FDS 4 +#define AFL_SNAPSHOT_FDS 4 // Snapshot registers state -#define AFL_SNAPSHOT_REGS 8 +#define AFL_SNAPSHOT_REGS 8 // Perform a restore when exit_group is invoked -#define AFL_SNAPSHOT_EXIT 16 +#define AFL_SNAPSHOT_EXIT 16 // TODO(andrea) allow not COW snapshots (high perf on small processes) // Disable COW, restore all the snapshotted pages #define AFL_SNAPSHOT_NOCOW 32 
@@ -70,16 +73,18 @@ static int afl_snapshot_init() { } -static void afl_snapshot_exclude_vmrange(void* start, void* end) { +static void afl_snapshot_exclude_vmrange(void *start, void *end) { - struct afl_snapshot_vmrange_args args = {(unsigned long)start, (unsigned long)end}; + struct afl_snapshot_vmrange_args args = {(unsigned long)start, + (unsigned long)end}; ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_EXCLUDE_VMRANGE, &args); } -static void afl_snapshot_include_vmrange(void* start, void* end) { +static void afl_snapshot_include_vmrange(void *start, void *end) { - struct afl_snapshot_vmrange_args args = {(unsigned long)start, (unsigned long)end}; + struct afl_snapshot_vmrange_args args = {(unsigned long)start, + (unsigned long)end}; ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_INCLUDE_VMRANGE, &args); } @@ -90,6 +95,12 @@ static int afl_snapshot_take(int config) { } +static int afl_snapshot_take(void) { + + return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_DO); + +} + static void afl_snapshot_restore(void) { ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_RESTORE); diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 25be0d5a..c0ed1bcf 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -521,7 +521,12 @@ static void __afl_start_snapshots(void) { close(FORKSRV_FD); close(FORKSRV_FD + 1); - if (!afl_snapshot_take(AFL_SNAPSHOT_MMAP | AFL_SNAPSHOT_FDS | AFL_SNAPSHOT_REGS | AFL_SNAPSHOT_EXIT)) { raise(SIGSTOP); } + if (!afl_snapshot_take(AFL_SNAPSHOT_MMAP | AFL_SNAPSHOT_FDS | + AFL_SNAPSHOT_REGS | AFL_SNAPSHOT_EXIT)) { + + raise(SIGSTOP); + + } __afl_area_ptr[0] = 1; memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T)); -- cgit 1.4.1 From e0d1529061a5de9d32066c05f8faedac65b29ea5 Mon Sep 17 00:00:00 2001 
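Review bot: `static int afl_snapshot_take(void)` is added directly after `static int afl_snapshot_take(int config)` (the function named in the hunk header context), and C has no overloading, so this is a redefinition with conflicting types and the header will not compile in the C translation units that include it — llvm_mode/afl-llvm-rt.o.c calls the `int config` form in the hunk below. Unless this header is only ever compiled as C++, give the legacy wrapper its own name, matching the `AFL_SNAPSHOT_IOCTL_DO` ioctl it wraps: `static int afl_snapshot_do(void) { return ioctl(afl_snapshot_dev_fd, AFL_SNAPSHOT_IOCTL_DO); }`. A short comment stating which ioctl numbers are the old interface and which are the new one would also help keep the two headers in sync, since the file header says they must match the kernel module.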
From: van Hauser Date: Mon, 3 Aug 2020 10:03:45 +0200 Subject: edge id documentation example for sancov --- docs/FAQ.md | 9 +++++---- llvm_mode/afl-llvm-rt.o.c | 21 +++++++++++++++++++++ 2 files changed, 26 insertions(+), 4 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/docs/FAQ.md b/docs/FAQ.md index ee221d02..c15cd484 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -103,10 +103,11 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation! b) For PCGUARD instrumented binaries it is much more difficult. Here you can either modify the __sanitizer_cov_trace_pc_guard function in llvm_mode/afl-llvm-rt.o.c to write a backtrace to a file if the ID in - __afl_area_ptr[*guard] is one of the unstable edge IDs. Then recompile - and reinstall llvm_mode and rebuild your target. Run the recompiled - target with afl-fuzz for a while and then check the file that you - wrote with the backtrace information. + __afl_area_ptr[*guard] is one of the unstable edge IDs. + (Example code is already there). + Then recompile and reinstall llvm_mode and rebuild your target. + Run the recompiled target with afl-fuzz for a while and then check the + file that you wrote with the backtrace information. Alternatively you can use `gdb` to hook __sanitizer_cov_trace_pc_guard_init on start, check to which memory address the edge ID value is written and set a write breakpoint to that address (`watch 0x.....`). diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index c0ed1bcf..c2859d9c 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
@@ -859,6 +859,27 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { + // For stability analysis, if you want to know to which function unstable + // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile + // the target. libunwind and libbacktrace are better solutions. + // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture + // the backtrace output + /* + uint32_t unstable[] = { ... unstable edge IDs }; + uint32_t idx; + char bt[1024]; + for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) { + if (unstable[idx] == __afl_area_ptr[*guard]) { + int bt_size = backtrace(bt, 256); + if (bt_size > 0) { + char **bt_syms = backtrace_symbols(bt, bt_size); + if (bt_syms) + fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]); + } + } + } + */ + __afl_area_ptr[*guard]++; } -- cgit 1.4.1 From 409e4ae945ab5aeb31b1e3a1497ce5fc65226f07 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 3 Aug 2020 13:13:32 +0200 Subject: fix expand havoc for ..._only modes --- docs/Changelog.md | 1 + examples/persistent_demo/persistent_demo_new.c | 4 +-- llvm_mode/afl-llvm-rt.o.c | 48 +++++++++++++++----------- src/afl-fuzz-redqueen.c | 8 ++--- src/afl-fuzz.c | 3 +- test/test-cmplog.c | 22 +++++------- 6 files changed, 46 insertions(+), 40 deletions(-) (limited to 'llvm_mode/afl-llvm-rt.o.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 8ab3fdf4..ae7377f2 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -19,6 +19,7 @@ sending a mail to . - eliminated CPU affinity race condition for -S/-M runs - expanded havoc mode added, on no cycle finds add extra splicing and MOpt into the mix + - fixed a bug in redqueen for strings - llvm_mode: - now supports llvm 12! - fixes for laf-intel float splitting (thanks to mark-griffin for 
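Review bot: The example inside the comment block is not correct as written and will fail for whoever uncomments it: the loop `for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++)` tests and increments an undeclared `i` instead of `idx`; `char bt[1024]` is passed to `backtrace(bt, 256)`, which expects a `void **` with room for 256 pointers (2048 bytes on LP64), so the buffer is the wrong type and too small; and the `backtrace_symbols` result is malloc'd and never freed. The minimal fix is `void *bt[256];`, `for (idx = 0; idx < sizeof(unstable)/sizeof(uint32_t); idx++) {` and a `free(bt_syms);` after the `fprintf`, plus a comment that `<execinfo.h>` is required, which this hunk does not show. Note also that `bt_syms[0]` will typically be the frame of __sanitizer_cov_trace_pc_guard itself rather than the instrumented caller, so the comment should say which index to print. The code-format commit further down reflows this same block and keeps all of these problems.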
diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 5f347667..7f878c0c 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -31,8 +31,8 @@ /* this lets the source compile without afl-clang-fast/lto */ #ifndef __AFL_FUZZ_TESTCASE_LEN - ssize_t fuzz_len; - unsigned char fuzz_buf[1024000]; +ssize_t fuzz_len; +unsigned char fuzz_buf[1024000]; #define __AFL_FUZZ_TESTCASE_LEN fuzz_len #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index c2859d9c..88abcbe0 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c 
@@ -859,26 +859,34 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { - // For stability analysis, if you want to know to which function unstable - // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile - // the target. libunwind and libbacktrace are better solutions. - // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture - // the backtrace output - /* - uint32_t unstable[] = { ... unstable edge IDs }; - uint32_t idx; - char bt[1024]; - for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) { - if (unstable[idx] == __afl_area_ptr[*guard]) { - int bt_size = backtrace(bt, 256); - if (bt_size > 0) { - char **bt_syms = backtrace_symbols(bt, bt_size); - if (bt_syms) - fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]); - } - } - } - */ + // For stability analysis, if you want to know to which function unstable + // edge IDs belong to - uncomment, recompile+install llvm_mode, recompile + // the target. libunwind and libbacktrace are better solutions. + // Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture + // the backtrace output + /* + uint32_t unstable[] = { ... unstable edge IDs }; + uint32_t idx; + char bt[1024]; + for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) { + + if (unstable[idx] == __afl_area_ptr[*guard]) { + + int bt_size = backtrace(bt, 256); + if (bt_size > 0) { + + char **bt_syms = backtrace_symbols(bt, bt_size); + if (bt_syms) + fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], + bt_syms[0]); + + } + + } + + } + + */ __afl_area_ptr[*guard]++; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index b58c8537..cb4c78df 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c 
@@ -673,15 +673,15 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, for (i = 0; i < its_len; ++i) { - if (pattern[i] != buf[idx + i] || - o_pattern[i] != orig_buf[idx + i] || *status == 1) { + if (pattern[i] != buf[idx + i] || o_pattern[i] != orig_buf[idx + i] || + *status == 1) { break; } buf[idx + i] = repl[i]; - + if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } } @@ -727,7 +727,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } for (idx = 0; idx < len && fails < 8; ++idx) { - + if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, &status))) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 326ccc1c..da30797c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1304,7 +1304,8 @@ int main(int argc, char **argv_orig, char **envp) { afl->expand_havoc = 1; break; case 1: - if (afl->limit_time_sig == 0) { + if (afl->limit_time_sig == 0 && !afl->custom_only && + !afl->python_only) { afl->limit_time_sig = -1; afl->limit_time_puppet = 0; diff --git a/test/test-cmplog.c b/test/test-cmplog.c index 75efd887..b077e3ab 100644 --- a/test/test-cmplog.c +++ b/test/test-cmplog.c @@ -5,23 +5,19 @@ #include #include int main(int argc, char *argv[]) { - char buf[1024]; + + char buf[1024]; ssize_t i; - if ((i = read(0, buf, sizeof(buf) - 1)) < 24) - return 0; + if ((i = read(0, buf, sizeof(buf) - 1)) < 24) return 0; buf[i] = 0; - if (buf[0] != 'A') - return 0; - if (buf[1] != 'B') - return 0; - if (buf[2] != 'C') - return 0; - if (buf[3] != 'D') - return 0; - if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) - return 0; + if (buf[0] != 'A') return 0; + if (buf[1] != 'B') return 0; + if (buf[2] != 'C') return 0; + if (buf[3] != 'D') return 0; + if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0; if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0) abort(); return 0; + } -- cgit 1.4.1