From 1429c9724efb62e5ac90ec27d93a64c28632ba5d Mon Sep 17 00:00:00 2001
From: Junwha
Date: Wed, 2 Aug 2023 02:59:07 +0900
Subject: Add option for treating crashing input as new crash
Signed-off-by: Junwha Hong
---
 src/afl-fuzz-init.c | 99 +++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 81 insertions(+), 18 deletions(-)
(limited to 'src/afl-fuzz-init.c')
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 24fd7077..6b7f3036 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1056,6 +1056,13 @@ void perform_dry_run(afl_state_t *afl) {
 "skipping", fn, (int)(s8)afl->fsrv.crash_exitcode);
+ } else if (afl->crashing_seeds_as_new_crash) {
+
+ WARNF(
+ "Test case '%s' results in a crash,"
+ "as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "
+ "saving as a crash", fn);
+
 } else {
 WARNF("Test case '%s' results in a crash, skipping", fn);
@@ -1078,38 +1085,94 @@ void perform_dry_run(afl_state_t *afl) { } - q->disabled = 1; - q->perf_score = 0; + /* Crashing corpus will regrad as normal, and categorized as new crash at fuzzing */ + if (afl->crashing_seeds_as_new_crash) { + + ++afl->total_crashes; - u32 i = 0; - while (unlikely(i < afl->queued_items && afl->queue_buf[i] && - afl->queue_buf[i]->disabled)) { + if (likely(!afl->non_instrumented_mode)) { - ++i; + classify_counts(&afl->fsrv); + + simplify_trace(afl, afl->fsrv.trace_bits); - } + if (!has_new_bits(afl, afl->virgin_crash)) { break; } + + } + + + if (unlikely(!afl->saved_crashes) && + (afl->afl_env.afl_no_crash_readme != 1)) { + + write_crash_readme(afl); + + } + + u8 crash_fn[PATH_MAX]; + u8 *use_name = strstr(q->fname, ",orig:"); + + afl->stage_name = "dry_run"; + afl->stage_short = "dry_run"; + + #ifndef SIMPLE_FILES + + snprintf(crash_fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s%s", afl->out_dir, + afl->saved_crashes, afl->fsrv.last_kill_signal, + describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,") - strlen(use_name)), use_name); + + #else + + snprintf(crash_fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, + afl->saved_crashes, afl->fsrv.last_kill_signal); + + #endif - if (i < afl->queued_items && afl->queue_buf[i]) { + ++afl->saved_crashes; - afl->queue = afl->queue_buf[i]; + fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION); + if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_fn); } + ck_write(fd, use_mem, read_len, crash_fn); + close(fd); + + afl->last_crash_time = get_cur_time(); + afl->last_crash_execs = afl->fsrv.total_execs; } else { - afl->queue = afl->queue_buf[0]; + q->disabled = 1; + q->perf_score = 0; - } + u32 i = 0; + while (unlikely(i < afl->queued_items && afl->queue_buf[i] && + afl->queue_buf[i]->disabled)) { - afl->max_depth = 0; - for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) { + ++i; - if (!afl->queue_buf[i]->disabled && - afl->queue_buf[i]->depth > 
afl->max_depth) - afl->max_depth = afl->queue_buf[i]->depth; + } - } + if (i < afl->queued_items && afl->queue_buf[i]) { - break; + afl->queue = afl->queue_buf[i]; + + } else { + afl->queue = afl->queue_buf[0]; + + } + + afl->max_depth = 0; + for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) { + + if (!afl->queue_buf[i]->disabled && + afl->queue_buf[i]->depth > afl->max_depth) + afl->max_depth = afl->queue_buf[i]->depth; + + } + + } + + break; + case FSRV_RUN_ERROR: FATAL("Unable to execute target application ('%s')", afl->argv[0]); -- cgit 1.4.1 From fcdfe9e990d84ab477cd3c571cbf540e8bc8e15a Mon Sep 17 00:00:00 2001 From: Junwha Date: Fri, 4 Aug 2023 18:36:58 +0900 Subject: Define AFL_CRASHING_SEEDS_AS_NEW_CRASH as env variable - and fix typo Signed-off-by: Junwha --- include/afl-fuzz.h | 6 +++--- src/afl-fuzz-init.c | 30 ++++++++++++++++-------------- src/afl-fuzz-state.c | 7 +++++++ src/afl-fuzz.c | 1 - 4 files changed, 26 insertions(+), 18 deletions(-) (limited to 'src/afl-fuzz-init.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 7bedc98f..18352acb 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1,3 +1,4 @@ + /* american fuzzy lop++ - fuzzer header ------------------------------------ @@ -408,7 +409,7 @@ typedef struct afl_env_vars { *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port, *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size, *afl_testcache_entries, *afl_child_kill_signal, *afl_fsrv_kill_signal, - *afl_target_env, *afl_persistent_record, *afl_exit_on_time; + *afl_target_env, *afl_persistent_record, *afl_exit_on_time, *afl_crashing_seeds_as_new_crash; s32 afl_pizza_mode; 
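Review bot: `use_name` is used without a NULL check: `u8 *use_name = strstr(q->fname, ",orig:");` returns NULL when the queue entry's file name carries no `,orig:` part, and the `#ifndef SIMPLE_FILES` `snprintf` then hands it both to `strlen(use_name)` inside the `describe_op` length argument and to a `%s` conversion, which is undefined behaviour instead of a saved crash. A one-line fallback right after the lookup keeps that path well-defined: `if (unlikely(!use_name)) { use_name = (u8 *)""; }`. The same length argument subtracts `strlen(use_name)` from `NAME_MAX - strlen("id:000000,sig:00,")`, which is presumably unsigned arithmetic and would wrap for a very long seed name, so clamping it at zero before the `describe_op` call is worth considering. The enclosing `perform_dry_run` starts before this hunk and ends after it.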
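Review bot: `*afl_crashing_seeds_as_new_crash` is appended to a declarator list whose visible members are all pointers (`*afl_target_env, *afl_persistent_record, *afl_exit_on_time`), yet the `src/afl-fuzz-state.c` hunk of this commit stores `atoi(...)`, an `int`, into it, so the field's type and its only writer disagree and the compiler will warn about an integer-to-pointer conversion; the later `if (afl->afl_env.afl_crashing_seeds_as_new_crash)` tests only work because a non-zero integer happens to become a non-null pointer value. Either keep the pointer and assign the string the way the `afl_exit_on_time` line directly above it does, `afl->afl_env.afl_crashing_seeds_as_new_crash = (u8 *)get_afl_env(afl_environment_variables[i]);`, or, if the numeric value is wanted, declare the member as a plain integer next to `s32 afl_pizza_mode;` so that `atoi` is well-typed. The base type of this declarator list is above the hunk and not visible here.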
@@ -539,8 +540,7 @@ typedef struct afl_state {
 expand_havoc, /* perform expensive havoc after no find */
 cycle_schedules, /* cycle power schedules? */
 old_seed_selection, /* use vanilla afl seed selection */
- reinit_table, /* reinit the queue weight table */
- crashing_seeds_as_new_crash; /* treat crashing seeds as normal corpus */
+ reinit_table; /* reinit the queue weight table */
 u8 *virgin_bits, /* Regions yet untouched by fuzzing */
 *virgin_tmout, /* Bits we haven't seen in tmouts */
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 6b7f3036..d994d749 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1056,17 +1056,19 @@ void perform_dry_run(afl_state_t *afl) {
 "skipping", fn, (int)(s8)afl->fsrv.crash_exitcode);
- } else if (afl->crashing_seeds_as_new_crash) {
-
- WARNF(
- "Test case '%s' results in a crash,"
- "as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "
- "saving as a crash", fn);
-
 } else {
+ if (afl->afl_env.afl_crashing_seeds_as_new_crash) {
+
+ WARNF(
+ "Test case '%s' results in a crash, "
+ "as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "
+ "saving as a new crash", fn);
+
+ } else {
- WARNF("Test case '%s' results in a crash, skipping", fn);
-
+ WARNF("Test case '%s' results in a crash, skipping", fn);
+
+ }
 }
 if (afl->afl_env.afl_exit_on_seed_issues) {
@@ -1085,8 +1087,8 @@ void perform_dry_run(afl_state_t *afl) {
 }
- /* Crashing corpus will regrad as normal, and categorized as new crash at fuzzing */
- if (afl->crashing_seeds_as_new_crash) {
+ /* Crashing seeds will be regarded as new crashes on startup */
+ if (afl->afl_env.afl_crashing_seeds_as_new_crash) {
 ++afl->total_crashes;
@@ -1139,9 +1141,6 @@ void perform_dry_run(afl_state_t *afl) {
 } else {
- q->disabled = 1;
- q->perf_score = 0;
-
 u32 i = 0;
 while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
 afl->queue_buf[i]->disabled)) {
@@ -1171,6 +1170,9 @@ void perform_dry_run(afl_state_t *afl) {
 }
+ q->disabled = 1;
+ q->perf_score = 0;
+
 break;
 case FSRV_RUN_ERROR:
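Review bot: The `q->disabled = 1;` / `q->perf_score = 0;` pair added just before `break;` in hunk `@@ -1171,6 +1170,9 @@` is skipped on one path of the crash case: inside the `afl_crashing_seeds_as_new_crash` branch (entered at `@@ -1085,8 +1087,8 @@`, body in the first commit on this page) `if (!has_new_bits(afl, afl->virgin_crash)) { break; }` leaves the switch early, so a crashing seed whose crash bitmap shows nothing new is neither saved nor disabled and is later fuzzed as a normal entry, while a seed that does get saved is disabled. If disabling is meant to be unconditional, as the new placement suggests, move the two assignments above the `if (afl->afl_env.afl_crashing_seeds_as_new_crash)` test, or turn the early `break` into a guard around the save block so that control reaches the end of the case on every path. The enclosing `perform_dry_run` starts before and ends after these hunks.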
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 99f69314..5a6b95cf 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -200,6 +200,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
 afl->afl_env.afl_exit_on_time = (u8 *)get_afl_env(afl_environment_variables[i]);
+ } else if (!strncmp(env, "AFL_CRASHING_SEEDS_AS_NEW_CRASH",
+
+ afl_environment_variable_len)) {
+
+ afl->afl_env.afl_crashing_seeds_as_new_crash =
+ atoi((u8 *)get_afl_env(afl_environment_variables[i]));
+
 } else if (!strncmp(env, "AFL_NO_AFFINITY", afl_environment_variable_len)) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 5cbebb0e..51ca4ee6 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1573,7 +1573,6 @@ int main(int argc, char **argv_orig, char **envp) {
 if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; }
 if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; }
 if (get_afl_env("AFL_EXPAND_HAVOC_NOW")) { afl->expand_havoc = 1; }
- if (get_afl_env("AFL_CRASHING_SEEDS_AS_NEW_CRASH")) { afl->crashing_seeds_as_new_crash = 1; }
 if (afl->afl_env.afl_autoresume) {
-- cgit 1.4.1
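Review bot: An empty added line splits the `strncmp` call's argument list, between the `"AFL_CRASHING_SEEDS_AS_NEW_CRASH",` literal and `afl_environment_variable_len)) {`; the neighbouring `AFL_NO_AFFINITY` branch keeps its arguments together, so that blank line should go. Separately, `atoi` gives no error indication, so a setting such as `AFL_CRASHING_SEEDS_AS_NEW_CRASH=yes` silently reads as 0 and the feature stays off although the variable is set; if only presence matters, testing the `get_afl_env(...)` result for non-NULL would avoid that surprise, and if a number is really wanted the accepted values should be documented next to the variable. The enclosing `read_afl_environment` starts before and ends after this hunk.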