From 0f08b13fa071a959cf305d4db5ee5d17d69c2c32 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Wed, 15 Apr 2020 23:22:13 +0200
Subject: somewhat unified write_to_testcase
---
src/afl-forkserver.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 54 insertions(+), 2 deletions(-)
(limited to 'src/afl-forkserver.c')
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 89480b07..cee23024 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -8,7 +8,9 @@
 Now maintained by Marc Heuse , Heiko Eißfeldt and
- Andrea Fioraldi
+ Andrea Fioraldi and
+ Dominik Maier
+
 Copyright 2016, 2017 Google Inc. All rights reserved.
 Copyright 2019-2020 AFLplusplus Project. All rights reserved.
@@ -38,10 +40,12 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
 #include
+#include
 /**
 * The correct fds for reading and writing pipes
@@ -64,15 +68,20 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
 // this structure needs default so we initialize it if this was not done
 // already
- fsrv->use_stdin = 1;
 fsrv->out_fd = -1;
 fsrv->out_dir_fd = -1;
 fsrv->dev_null_fd = -1;
 #ifndef HAVE_ARC4RANDOM
 fsrv->dev_urandom_fd = -1;
 #endif
+ /* Settings */
+ fsrv->use_stdin = 1;
+ fsrv->no_unlink = 0;
 fsrv->exec_tmout = EXEC_TIMEOUT;
 fsrv->mem_limit = MEM_LIMIT;
+ fsrv->out_file = NULL;
+
+ /* exec related stuff */
 fsrv->child_pid = -1;
 fsrv->map_size = MAP_SIZE;
 fsrv->use_fauxsrv = 0;
@@ -103,6 +112,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
 fsrv_to->child_pid = -1;
 fsrv_to->use_fauxsrv = 0;
 fsrv_to->last_run_timed_out = 0;
+ fsrv_to->out_file = NULL;
 fsrv_to->init_child_func = fsrv_exec_child;
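Review bot: `fsrv->out_file = NULL` in the afl_fsrv_init and afl_fsrv_init_dup hunks now carries a meaning the struct does not document: a NULL out_file selects the "write through fsrv->out_fd" path in the new afl_fsrv_write_to_testcase, so a duplicated forkserver silently falls back to whatever out_fd it inherited from `from`. A one-line comment at the init site would make this visible: `fsrv->out_file = NULL; /* NULL: test cases are written via out_fd, see afl_fsrv_write_to_testcase */`. Whether afl_fsrv_init_dup copies out_fd from `from` is not shown in this hunk; if it does, two servers share one descriptor and the comment should also say who closes it.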
@@ -640,6 +650,48 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
 }
+/* Delete the current testcase and write the buf to the testcase file */
+
+void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
+
+ s32 fd = fsrv->out_fd;
+
+ if (fsrv->out_file) {
+
+ if (fsrv->no_unlink) {
+
+ fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+
+ } else {
+
+ unlink(fsrv->out_file); /* Ignore errors. */
+ fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
+
+ }
+
+ if (fd < 0) PFATAL("Unable to create '%s'", fsrv->out_file);
+
+ } else {
+
+ lseek(fd, 0, SEEK_SET);
+
+ }
+
+ ck_write(fd, buf, len, fsrv->out_file);
+
+ if (!fsrv->out_file) {
+
+ if (ftruncate(fd, len)) PFATAL("ftruncate() failed");
+ lseek(fd, 0, SEEK_SET);
+
+ } else {
+
+ close(fd);
+
+ }
+
+}
+
 /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */
-- cgit 1.4.1
From b420ccdbf8eba5875e5a0b6a6a9941564dee81bb Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Thu, 16 Apr 2020 14:42:30 +0200
Subject: fixed timeout flag to u32
---
include/forkserver.h | 2 +-
src/afl-forkserver.c | 18 +++++++++++-------
2 files changed, 12 insertions(+), 8 deletions(-)
(limited to 'src/afl-forkserver.c')
diff --git a/include/forkserver.h b/include/forkserver.h
index eb1f3ae4..60ec0344 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -65,7 +65,7 @@ typedef struct afl_forkserver {
 FILE *plot_file; /* Gnuplot output file */
- u8 last_run_timed_out; /* Traced process timed out? */
+ u32 last_run_timed_out; /* Traced process timed out? */
 u8 last_kill_signal; /* Signal that killed the child */
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index cee23024..5727c7f2 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
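Review bot: The `no_unlink` branch of afl_fsrv_write_to_testcase opens `fsrv->out_file` with `O_WRONLY | O_CREAT | O_TRUNC` and neither `O_EXCL` nor `O_NOFOLLOW`, so if another process has replaced that path with a symlink the fuzz input is truncated and written through the link; the sibling branch (unlink + `O_EXCL`) already fails closed, and `O_NOFOLLOW` gives the no_unlink path the same property: `fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);`. Separately, `ck_write(fd, buf, len, fsrv->out_file)` passes a NULL name in the out_fd branch, so a short write would be reported against a NULL file name; passing a fixed label when out_file is NULL, e.g. `fsrv->out_file ? fsrv->out_file : "<out_fd>"`, keeps that error meaningful. Both `lseek` return values are ignored; that matches the pre-existing afl-fuzz code, but a non-seekable out_fd would then write at the wrong offset without any diagnostic.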
@@ -395,7 +395,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) {
- if (!be_quiet)
+ if (!be_quiet && getenv("AFL_DEBUG"))
 ACTF("Extended forkserver functions received (%08x).", status);
 if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) {
@@ -408,13 +408,16 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 if ((status & FS_OPT_MAPSIZE) == FS_OPT_MAPSIZE) {
 fsrv->map_size = FS_OPT_GET_MAPSIZE(status);
- if (fsrv->map_size % 8) // should not happen
+ if (unlikely(fsrv->map_size % 8)) {
+ // should not happen
+ WARNF("Target reported non-aligned map size of %ud", fsrv->map_size);
 fsrv->map_size = (((fsrv->map_size + 8) >> 3) << 3);
+ }
 if (!be_quiet) ACTF("Target map size: %u", fsrv->map_size);
 if (fsrv->map_size > MAP_SIZE) FATAL(
 "Target's coverage map size of %u is larger than the one this "
- "afl++ is compiled with (%u)\n",
+ "afl++ is compiled with (%u) (change MAP_SIZE and recompile)\n",
 fsrv->map_size, MAP_SIZE);
 }
@@ -444,7 +447,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 u32 len = status, offset = 0, count = 0;
 u8 *dict = ck_alloc(len);
 if (dict == NULL)
- FATAL("Could not allocate %u bytes of autodictionary memmory", len);
+ FATAL("Could not allocate %u bytes of autodictionary memory", len);
 while (len != 0) {
@@ -727,7 +730,7 @@ fsrv_run_result_t afl_fsrv_run_target(
 if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) {
- if (stop_soon_p) return 0;
+ if (*stop_soon_p) return 0;
 RPFATAL(res, "Unable to request new process from fork server (OOM?)");
 }
@@ -784,7 +787,7 @@ fsrv_run_result_t afl_fsrv_run_target(
 behave very normally and do not have to be treated as volatile. */
 MEM_BARRIER();
- u32 tb4 = *(u32 *)fsrv->trace_bits;
+ //u32 tb4 = *(u32 *)fsrv->trace_bits;
 if (likely(classify_counts_func)) classify_counts_func(fsrv);
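Review bot: The WARNF format in the map-size hunk is `%ud`, which prints the unsigned value followed by a literal `d` (e.g. "map size of 65537d"); it should be `WARNF("Target reported non-aligned map size of %u", fsrv->map_size);`. The rounding `(((fsrv->map_size + 8) >> 3) << 3)` does yield the next multiple of 8 only because it runs solely when `map_size % 8` is non-zero, so a short comment such as `// round up to a multiple of 8 (only reached when not already aligned)` would save the next reader from suspecting an off-by-one against the usual `+ 7`. Since this value is reported by the target over the status word, the `map_size > MAP_SIZE` check that follows is the one that actually bounds it, and it is correctly applied after the rounding.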
@@ -811,7 +814,8 @@ fsrv_run_result_t afl_fsrv_run_target(
 }
- if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR;
+ // Fauxserver should handle this now.
+ // if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR;
 return FSRV_RUN_OK;
-- cgit 1.4.1
From 124665b392aa081807c8fa19948937a07de6053b Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Thu, 16 Apr 2020 14:47:08 +0200
Subject: code-format
---
llvm_mode/afl-clang-fast.c | 8 ++++----
src/afl-forkserver.c | 7 +++++--
src/afl-fuzz-bitmap.c | 14 ++++++++------
src/afl-fuzz-run.c | 2 +-
src/afl-showmap.c | 8 ++------
src/afl-tmin.c | 3 +--
6 files changed, 21 insertions(+), 21 deletions(-)
(limited to 'src/afl-forkserver.c')
diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c
index 84ebeb9a..c0471033 100644
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@@ -223,10 +223,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
 }
- if ((!(getenv("AFL_LLVM_LTO_AUTODICTIONARY") // disabled when autodictionary
- && instrument_mode != INSTRUMENT_LTO)) // and lto_mode is used
- && (getenv("LAF_TRANSFORM_COMPARES") ||
- getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES"))) {
+ if ((!(getenv("AFL_LLVM_LTO_AUTODICTIONARY") // disabled when autodictionary
+ && instrument_mode != INSTRUMENT_LTO)) // and lto_mode is used
+ && (getenv("LAF_TRANSFORM_COMPARES") ||
+ getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES"))) {
 cc_params[cc_par_cnt++] = "-Xclang";
 cc_params[cc_par_cnt++] = "-load";
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 5727c7f2..5cd000d7 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
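Review bot: Commenting out `if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR;` removes the only place in afl_fsrv_run_target that turned a failed exec of the target into FSRV_RUN_ERROR, and the replacement comment ("Fauxserver should handle this now") points at code that is not part of this commit. If the fauxserver child still signals exec failure by writing EXEC_FAIL_SIG into trace_bits and exiting, callers now get FSRV_RUN_OK with those four bytes in the map, which afl-fuzz would classify and count as new coverage rather than an error. Either restore the `tb4` read and this check (both sit after MEM_BARRIER, so the cost is one load) or make the comment name the exact fauxserver mechanism that maps exec failure to a non-OK result, e.g. `// exec failure is reported by the fauxserver as <status/path>, not via EXEC_FAIL_SIG in the map`. afl_fsrv_run_target's closing brace is outside this hunk.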
@@ -408,11 +408,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 if ((status & FS_OPT_MAPSIZE) == FS_OPT_MAPSIZE) {
 fsrv->map_size = FS_OPT_GET_MAPSIZE(status);
- if (unlikely(fsrv->map_size % 8)) {
+ if (unlikely(fsrv->map_size % 8)) {
+
 // should not happen
 WARNF("Target reported non-aligned map size of %ud", fsrv->map_size);
 fsrv->map_size = (((fsrv->map_size + 8) >> 3) << 3);
+
 }
+
 if (!be_quiet) ACTF("Target map size: %u", fsrv->map_size);
 if (fsrv->map_size > MAP_SIZE) FATAL(
@@ -787,7 +790,7 @@ fsrv_run_result_t afl_fsrv_run_target(
 behave very normally and do not have to be treated as volatile. */
 MEM_BARRIER();
- //u32 tb4 = *(u32 *)fsrv->trace_bits;
+ // u32 tb4 = *(u32 *)fsrv->trace_bits;
 if (likely(classify_counts_func)) classify_counts_func(fsrv);
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 7be44fd5..92966c8c 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -112,18 +112,20 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
 #ifdef WORD_SIZE_64
- if (*virgin == 0xffffffffffffffff || (cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) ||
- (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff) ||
- (cur[4] && vir[4] == 0xff) || (cur[5] && vir[5] == 0xff) ||
- (cur[6] && vir[6] == 0xff) || (cur[7] && vir[7] == 0xff))
+ if (*virgin == 0xffffffffffffffff || (cur[0] && vir[0] == 0xff) ||
+ (cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) ||
+ (cur[3] && vir[3] == 0xff) || (cur[4] && vir[4] == 0xff) ||
+ (cur[5] && vir[5] == 0xff) || (cur[6] && vir[6] == 0xff) ||
+ (cur[7] && vir[7] == 0xff))
 ret = 2;
 else ret = 1;
 #else
- if (*virgin == 0xffffffff || (cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) ||
- (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff))
+ if (*virgin == 0xffffffff || (cur[0] && vir[0] == 0xff) ||
+ (cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) ||
+ (cur[3] && vir[3] == 0xff))
 ret = 2;
 else ret = 1;
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 4aec01f0..3933acd8 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -50,7 +50,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
 s32 doc_fd;
 char fn[PATH_MAX];
 snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir,
- afl->document_counter++, describe_op(afl, 0));
+ afl->document_counter++, describe_op(afl, 0));
 if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) {
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 2a4ab96e..48436c34 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -63,8 +63,7 @@ static char *stdin_file; /* stdin file */
 static u8 *in_dir = NULL, /* input folder */
- *out_file = NULL,
- *at_file = NULL; /* Substitution string for @@ */
+ *out_file = NULL, *at_file = NULL; /* Substitution string for @@ */
 static u8 *in_data; /* Input data */
@@ -878,8 +877,7 @@ int main(int argc, char **argv_orig, char **envp) {
 if (-1 == stat(infile, &statbuf) || !S_ISREG(statbuf.st_mode)) continue;
 #endif
- snprintf(outfile, sizeof(outfile), "%s/%s", out_file,
- dir_ent->d_name);
+ snprintf(outfile, sizeof(outfile), "%s/%s", out_file, dir_ent->d_name);
 if (read_file(infile)) {
@@ -901,8 +899,6 @@ int main(int argc, char **argv_orig, char **envp) {
 run_target(fsrv, use_argv);
 tcnt = write_results_to_file(fsrv, out_file);
-
-
 }
 if (!quiet_mode) {
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 78ed63e2..cb53f56f 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -62,8 +62,7 @@ static u8 *mask_bitmap; /* Mask for trace bits (-B) */
 static u8 *in_file, /* Minimizer input test case */
- *out_file,
- *output_file; /* Minimizer output file */
+ *out_file, *output_file; /* Minimizer output file */
 static u8 *in_data; /* Input data for trimming */
-- cgit 1.4.1
From 19ce862810e504494af8e92717b57ca15cb2480b Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Thu, 16 Apr 2020 15:21:34 +0200
Subject: decoupled run and classify
---
include/forkserver.h | 11 +++++------
src/afl-forkserver.c | 9 ++------
src/afl-fuzz-run.c | 5 ++++-
src/afl-showmap.c | 6 ++++--
src/afl-tmin.c | 9 ++++-----
5 files changed, 19 insertions(+), 21 deletions(-)
(limited to 'src/afl-forkserver.c')
diff --git a/include/forkserver.h b/include/forkserver.h
index 60ec0344..ac89b681 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -65,6 +65,7 @@ typedef struct afl_forkserver {
 FILE *plot_file; /* Gnuplot output file */
+ /* Note: lat_run_timed_out is u32 to send it to the child as 4 byte array */
 u32 last_run_timed_out; /* Traced process timed out? */
 u8 last_kill_signal; /* Signal that killed the child */
@@ -100,12 +101,10 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from);
 void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output);
 void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len);
-fsrv_run_result_t afl_fsrv_run_target(
- afl_forkserver_t *fsrv, u32 timeout,
- void(classify_counts_func)(afl_forkserver_t *fsrv),
- volatile u8 *stop_soon_p);
-void afl_fsrv_killall(void);
-void afl_fsrv_deinit(afl_forkserver_t *fsrv);
+fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
+ volatile u8 *stop_soon_p);
+void afl_fsrv_killall(void);
+void afl_fsrv_deinit(afl_forkserver_t *fsrv);
 #ifdef __APPLE__
 #define MSG_FORK_ON_APPLE \
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 5cd000d7..6e1dfbba 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
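Review bot: The new comment in the forkserver.h struct hunk misspells the field it describes as `lat_run_timed_out`, so a grep for the real name will not find the one sentence that explains why a boolean is stored as a u32; it should read `/* Note: last_run_timed_out is u32 so it can be sent to the child as a 4 byte array */`. That sentence is also the only documentation of a wire-format constraint (the value is presumably written with a fixed 4-byte write in afl-forkserver.c, which is not in this hunk), so naming the call site, e.g. `see afl_fsrv_run_target`, would tie the type to the place that depends on it. The second hunk drops `classify_counts_func` from the afl_fsrv_run_target prototype; a short note next to it that the caller must now classify trace_bits itself would keep the header self-describing.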
@@ -701,10 +701,8 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
 /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */
-fsrv_run_result_t afl_fsrv_run_target(
- afl_forkserver_t *fsrv, u32 timeout,
- void(classify_counts_func)(afl_forkserver_t *fsrv),
- volatile u8 *stop_soon_p) {
+fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
+ volatile u8 *stop_soon_p) {
 s32 res;
 u32 exec_ms;
@@ -790,9 +788,6 @@ fsrv_run_result_t afl_fsrv_run_target(
 behave very normally and do not have to be treated as volatile. */
 MEM_BARRIER();
- // u32 tb4 = *(u32 *)fsrv->trace_bits;
-
- if (likely(classify_counts_func)) classify_counts_func(fsrv);
 /* Report outcome to caller. */
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 3933acd8..594a9390 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -36,7 +36,10 @@ fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv,
 u32 timeout) {
- return afl_fsrv_run_target(fsrv, timeout, classify_counts, &afl->stop_soon);
+ fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon);
+ // TODO: Don't classify for faults?
+ classify_counts(fsrv);
+ return res;
 }
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 48436c34..97f377f3 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -223,13 +223,15 @@ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem,
 afl_fsrv_write_to_testcase(fsrv, mem, len);
- if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts,
- &stop_soon) == FSRV_RUN_ERROR) {
+ if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon) ==
+ FSRV_RUN_ERROR) {
 FATAL("Error running target");
 }
+ classify_counts(fsrv);
+
 if (stop_soon) {
 SAYF(cRST cLRD "\n+++ afl-showmap folder mode aborted by user +++\n" cRST);
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index cb53f56f..3330561b 100644
--- a/src/afl-tmin.c
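Review bot: The header comment of afl_fsrv_run_target still says only that the target updates `trace_bits`, but after this hunk the function no longer classifies the map: `classify_counts_func` is gone from the signature and the call that sat between `MEM_BARRIER()` and "Report outcome to caller" is removed, so every caller (run_target in afl-fuzz-run.c, afl-showmap and afl-tmin in this same commit) has to call classify_counts itself. That contract belongs in the comment: `/* ... The called program will update afl->fsrv->trace_bits; the map is returned raw and the caller is responsible for classifying it (classify_counts). */`. The `// TODO: Don't classify for faults?` left in run_target is the question that comment should settle: in the old code classification ran before the outcome was reported, i.e. for timeouts and crashes too, so classifying unconditionally in the callers is what preserves behaviour. afl_fsrv_run_target's body continues outside both hunks.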
+++ b/src/afl-tmin.c
@@ -121,8 +121,6 @@ static void apply_mask(u32 *mem, u32 *mask) {
 static void classify_counts(afl_forkserver_t *fsrv) {
- if (hang_mode) return; /* We only want hangs */
-
 u8 *mem = fsrv->trace_bits;
 u32 i = MAP_SIZE;
@@ -146,8 +144,6 @@ static void classify_counts(afl_forkserver_t *fsrv) {
 }
- apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
 }
 /* See if any bytes are set in the bitmap. */
@@ -224,7 +220,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
 afl_fsrv_write_to_testcase(fsrv, mem, len);
 fsrv_run_result_t ret =
- afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, &stop_soon);
+ afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon);
 if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child");
@@ -250,6 +246,9 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
 }
+ classify_counts(fsrv);
+ apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
+
 if (ret == FSRV_RUN_TMOUT) {
 missed_hangs++;
-- cgit 1.4.1
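Review bot: Dropping `if (hang_mode) return;` from afl-tmin's classify_counts and moving apply_mask to run_target changes when the `-B` mask and the bucket classification are applied: before, in hang mode neither touched trace_bits, while the new `classify_counts(fsrv); apply_mask(...)` pair runs unconditionally at its call site unless the code between `FATAL("Couldn't run child")` and the `}` that precedes it returns early in hang mode (that stretch is outside the hunks, so I cannot confirm it). If hang mode does return earlier, say so where the calls are made, e.g. `/* hang mode has returned above; classify + mask apply to non-hang runs only */`, because the old guard was the only place that documented the intent. If it does not, this is a silent behaviour change for `-H` that the commit message does not mention. Unrelated but visible in the first hunk, classify_counts walks `MAP_SIZE` bytes rather than `fsrv->map_size` while the forkserver now negotiates the map size; that predates this commit.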