From 74a6044b3fba496c1255f9aedbf5b7253ae29f0e Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Tue, 9 Mar 2021 14:11:52 +0100
Subject: fix sanitizer settings

---
 src/afl-forkserver.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

(limited to 'src/afl-forkserver.c')

diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 6f08f9f4..82ec3069 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -481,11 +481,11 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
     /* This should improve performance a bit, since it stops the linker from
        doing extra work post-fork(). */
 
-    if (!getenv("LD_BIND_LAZY")) { setenv("LD_BIND_NOW", "1", 0); }
+    if (!getenv("LD_BIND_LAZY")) { setenv("LD_BIND_NOW", "1", 1); }
 
     /* Set sane defaults for ASAN if nothing else specified. */
 
-    if (fsrv->debug == true && !getenv("ASAN_OPTIONS"))
+    if (!getenv("ASAN_OPTIONS"))
       setenv("ASAN_OPTIONS",
              "abort_on_error=1:"
              "detect_leaks=0:"
@@ -498,11 +498,11 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
              "handle_abort=0:"
              "handle_sigfpe=0:"
              "handle_sigill=0",
-             0);
+             1);
 
     /* Set sane defaults for UBSAN if nothing else specified. */
 
-    if (fsrv->debug == true && !getenv("UBSAN_OPTIONS"))
+    if (!getenv("UBSAN_OPTIONS"))
       setenv("UBSAN_OPTIONS",
              "halt_on_error=1:"
              "abort_on_error=1:"
@@ -514,7 +514,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
              "handle_abort=0:"
              "handle_sigfpe=0:"
              "handle_sigill=0",
-             0);
+             1);
 
     /* Envs for QASan */
     setenv("QASAN_MAX_CALL_STACK", "0", 0);
@@ -523,7 +523,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
     /* MSAN is tricky, because it doesn't support abort_on_error=1 at this
        point. So, we do this in a very hacky way. */
 
-    if (fsrv->debug == true && !getenv("MSAN_OPTIONS"))
+    if (!getenv("MSAN_OPTIONS"))
       setenv("MSAN_OPTIONS",
            "exit_code=" STRINGIFY(MSAN_ERROR) ":"
            "symbolize=0:"
@@ -536,7 +536,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
            "handle_abort=0:"
            "handle_sigfpe=0:"
            "handle_sigill=0",
-           0);
+           1);
 
     fsrv->init_child_func(fsrv, argv);
 
@@ -931,7 +931,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
         "%s"
 
-        "    - Most likely the target has a huge coverage map, retry with setting the\n"
+        "    - Most likely the target has a huge coverage map, retry with "
+        "setting the\n"
         "      environment variable AFL_MAP_SIZE=4194304\n\n"
 
         "    - The current memory limit (%s) is too restrictive, causing an "
-- 
cgit 1.4.1


From a0c30116733dd08e8d74a879c0e99be140b7eebb Mon Sep 17 00:00:00 2001
From: vanhauser-thc <vh@thc.org>
Date: Wed, 10 Mar 2021 11:08:03 +0100
Subject: change map_size tests

---
 instrumentation/afl-llvm-common.cc |  6 ++++--
 src/afl-forkserver.c               |  8 ++++----
 src/afl-fuzz.c                     | 30 +++++++++++++++++++++++++-----
 3 files changed, 33 insertions(+), 11 deletions(-)

(limited to 'src/afl-forkserver.c')

diff --git a/instrumentation/afl-llvm-common.cc b/instrumentation/afl-llvm-common.cc
index aa54f4f7..0fd3a011 100644
--- a/instrumentation/afl-llvm-common.cc
+++ b/instrumentation/afl-llvm-common.cc
@@ -62,13 +62,15 @@ bool isIgnoreFunction(const llvm::Function *F) {
       "sancov.",
       "__ubsan_",
       "ign.",
-      "__afl_",
+      "__afl",
       "_fini",
-      "__libc_csu",
+      "__libc_",
       "__asan",
       "__msan",
       "__cmplog",
       "__sancov",
+      "__cxx_",
+      "_GLOBAL",
       "msan.",
       "LLVMFuzzerM",
       "LLVMFuzzerC",
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 82ec3069..68995388 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -821,7 +821,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
            "    - The target binary requires a large map and crashes before "
            "reporting.\n"
-           "      Set a high value (e.g. AFL_MAP_SIZE=1024000) or use "
+           "      Set a high value (e.g. AFL_MAP_SIZE=8000000) or use "
            "AFL_DEBUG=1 to see the\n"
            "      message from the target binary\n\n"
 
@@ -848,7 +848,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
            "    - The target binary requires a large map and crashes before "
            "reporting.\n"
-           "      Set a high value (e.g. AFL_MAP_SIZE=1024000) or use "
+           "      Set a high value (e.g. AFL_MAP_SIZE=8000000) or use "
            "AFL_DEBUG=1 to see the\n"
            "      message from the target binary\n\n"
 
@@ -914,7 +914,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
          "handshake with the injected code.\n"
          "Most likely the target has a huge coverage map, retry with setting"
          " the\n"
-         "environment variable AFL_MAP_SIZE=4194304\n"
+         "environment variable AFL_MAP_SIZE=8000000\n"
          "Otherwise there is a horrible bug in the fuzzer.\n"
          "Poke <afl-users@googlegroups.com> for troubleshooting tips.\n");
 
@@ -933,7 +933,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
 
         "    - Most likely the target has a huge coverage map, retry with "
         "setting the\n"
-        "      environment variable AFL_MAP_SIZE=4194304\n\n"
+        "      environment variable AFL_MAP_SIZE=8000000\n\n"
 
         "    - The current memory limit (%s) is too restrictive, causing an "
         "OOM\n"
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 065010fa..8364c1c2 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1569,13 +1569,21 @@ int main(int argc, char **argv_orig, char **envp) {
   if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
       !afl->unicorn_mode) {
 
-    afl->fsrv.map_size = 4194304;  // dummy temporary value
-    setenv("AFL_MAP_SIZE", "4194304", 1);
+    u32 set_env = 0;
+    if (!getenv("AFL_MAP_SIZE")) {
+
+      afl->fsrv.map_size = 8000000;  // dummy temporary value
+      setenv("AFL_MAP_SIZE", "8000000", 1);
+      set_env = 1;
+
+    }
+
+    u32 prev_map_size = afl->fsrv.map_size;
 
     u32 new_map_size = afl_fsrv_get_mapsize(
         &afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child);
 
-    if (new_map_size && new_map_size != 4194304) {
+    if (new_map_size && new_map_size != prev_map_size) {
 
       // only reinitialize when it makes sense
       if (map_size < new_map_size ||
@@ -1607,6 +1615,7 @@ int main(int argc, char **argv_orig, char **envp) {
       }
 
       map_size = new_map_size;
+      if (set_env) { unsetenv("AFL_MAP_SIZE"); }
 
     }
 
@@ -1624,13 +1633,22 @@ int main(int argc, char **argv_orig, char **envp) {
     afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary;
     afl->cmplog_fsrv.init_child_func = cmplog_exec_child;
 
-    afl->cmplog_fsrv.map_size = 4194304;
+    u32 set_env = 0;
+    if (!getenv("AFL_MAP_SIZE")) {
+
+      afl->fsrv.map_size = 8000000;  // dummy temporary value
+      setenv("AFL_MAP_SIZE", "8000000", 1);
+      set_env = 1;
+
+    }
+
+    u32 prev_map_size = afl->fsrv.map_size;
 
     u32 new_map_size =
         afl_fsrv_get_mapsize(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon,
                              afl->afl_env.afl_debug_child);
 
-    if (new_map_size && new_map_size != 4194304) {
+    if (new_map_size && new_map_size != prev_map_size) {
 
       // only reinitialize when it needs to be larger
       if (map_size < new_map_size) {
@@ -1667,6 +1685,8 @@ int main(int argc, char **argv_orig, char **envp) {
 
       }
 
+      if (set_env) { unsetenv("AFL_MAP_SIZE"); }
+
     }
 
     afl->cmplog_fsrv.map_size = map_size;
-- 
cgit 1.4.1