From dab498c3b726cf4503abfbd61b62f65f92c9a4e9 Mon Sep 17 00:00:00 2001
From: arnow117
Date: Wed, 27 May 2020 16:01:44 +0800
Subject: fix MOPT implementation flaws in core fuzzing
---
 src/afl-fuzz-one.c | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
(limited to 'src/afl-fuzz-one.c')
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index ddd15c84..5b1a2cba 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -4250,14 +4250,29 @@ pacemaker_fuzzing:
 u64 temp_temp_puppet =
 afl->queued_paths + afl->unique_crashes - temp_total_found;
 afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet;
- for (i = 0; i < operator_num; ++i) {
- if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles_v3[i]) {
+ if (MOpt_globals.is_pilot_mode){
- MOpt_globals.finds_v2[i] += temp_temp_puppet;
+ for (i = 0; i < operator_num; ++i) {
+
+ if (MOpt_globals.cycles_v2[i] > MOpt_globals.cycles_v3[i]) {
+
+ MOpt_globals.finds_v2[i] += temp_temp_puppet;
+
+ }
 }
+ } else {
+
+ for (i = 0; i < operator_num; i++) {
+
+ if (afl->core_operator_cycles_puppet_v2[i] > afl->core_operator_cycles_puppet_v3[i])
+
+ afl->core_operator_finds_puppet_v2[i] += temp_temp_puppet;
+
+ }
+
+ }
 } /* if */
@@ -4437,7 +4452,6 @@ pacemaker_fuzzing:
 afl->total_pacemaker_time += *MOpt_globals.pTime;
 *MOpt_globals.pTime = 0;
- afl->temp_puppet_find = afl->total_puppet_find;
 new_hit_cnt = afl->queued_paths + afl->unique_crashes;
 if (MOpt_globals.is_pilot_mode) {
@@ -4448,6 +4462,7 @@ pacemaker_fuzzing:
 }
+ afl->temp_puppet_find = afl->total_puppet_find;
 u64 temp_stage_finds_puppet = 0;
 for (i = 0; i < operator_num; ++i) {
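Review bot: The core-mode `if` in the new `else` branch has no braces around its single statement, while the pilot-mode branch directly above braces the identical shape; brace it so a line added under the condition later cannot fall outside it: `if (afl->core_operator_cycles_puppet_v2[i] > afl->core_operator_cycles_puppet_v3[i]) {` / `afl->core_operator_finds_puppet_v2[i] += temp_temp_puppet;` / `}`. The branch also reads `afl->core_operator_*_puppet_v2/_v3` directly where the pilot branch goes through `MOpt_globals.cycles_v2/cycles_v3/finds_v2`, which suggests the MOpt_globals view is not wired to the core counters; a one-line comment on the `else` saying so, e.g. `/* core mode: MOpt_globals does not carry the core v2/v3 counters, use the afl-> arrays */`, would stop the next reader from "simplifying" it back into the pilot path. The new loop uses `i++` where the pilot loop beside it uses `++i`. The enclosing function (label pacemaker_fuzzing) begins and ends outside the hunk.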
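Review bot: The `afl->temp_puppet_find = afl->total_puppet_find;` assignment is moved from before the `if (MOpt_globals.is_pilot_mode) {` block to after it without a word on why the order matters, and the block body sits outside the hunk, so a reader cannot see what consumes the old value. If that body derives this period's finds from `temp_puppet_find` (which is what the move implies, though it is not visible here), pin it down at the new site: `/* refresh the period baseline only after the pilot-mode accounting above has read the old value */`. Without the comment the next tidy-up can hoist the line back and silently reintroduce whatever this commit fixes. The enclosing function continues before and after both hunks.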
@@ -4530,6 +4545,15 @@ pacemaker_fuzzing:
 } else {
+ for (i = 0; i < operator_num; i++)
+ {
+
+ afl->core_operator_finds_puppet[i] = afl->core_operator_finds_puppet_v2[i];
+ afl->core_operator_cycles_puppet[i] = afl->core_operator_cycles_puppet_v2[i];
+ temp_stage_finds_puppet += afl->core_operator_finds_puppet[i];
+
+ }
+
 afl->key_module = 2;
 afl->old_hit_count = new_hit_cnt;
-- cgit 1.4.1
From aace0d119228aeb847e97f9dae50b8e0738eed90 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Wed, 27 May 2020 11:28:29 +0200
Subject: code format
---
 docs/Changelog.md | 1 +
 docs/INSTALL.md | 4 ++--
 src/afl-fuzz-one.c | 26 ++++++++++++++------------
 3 files changed, 17 insertions(+), 14 deletions(-)
(limited to 'src/afl-fuzz-one.c')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 18acfba4..d95f7367 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -16,6 +16,7 @@ sending a mail to . exactly one master is present and warn otherwise - If no master is present at a sync one slave automatically becomes a temporary master until a real master shows up + - fix/update to MOpt (thanks to arnow117) - llvm_mode: - the default instrumentation is now PCGUARD, as it is faster and provides better coverage. The original afl instrumentation can be set via
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 0f9673ad..766f24d7 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -17,7 +17,7 @@ You can start using the fuzzer without installation, but it is also possible to install it with:
 ```bash
-make install
+sudo make install
 ```
 There are no special dependencies to speak of; you will need GNU make and a
@@ -46,7 +46,7 @@ please install it first. As on Linux, you can use the fuzzer itself without installation, or install it with:
 ```
-gmake install
+sudo gmake install
 ```
 Keep in mind that if you are using csh as your shell, the syntax of some of the
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 5b1a2cba..56f16b4c 100644
--- a/src/afl-fuzz-one.c
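Review bot: The new core-mode loop adds into `temp_stage_finds_puppet`, a local that the hunk at 4462 declares `= 0` and immediately follows with a `for (i = 0; i < operator_num; ++i)` whose body is outside this commit's view; if that earlier loop already totals the same counters in both modes, core mode now counts each find twice, and if it is pilot-only the new loop is the matching half but nothing says so. State it on the new loop, e.g. `/* core mode: publish the v2 counters and total this stage's finds (pilot mode does this in the loop after the declaration) */`, corrected to what the earlier loop actually does. The loop also uses `i++` and puts `{` on its own line where the neighbouring loops use `++i` and keep `{` on the `for` line. The enclosing if/else, the earlier loop and the consumer of `temp_stage_finds_puppet` are all outside the hunk.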
+++ b/src/afl-fuzz-one.c
@@ -4251,7 +4251,7 @@ pacemaker_fuzzing:
 afl->queued_paths + afl->unique_crashes - temp_total_found;
 afl->total_puppet_find = afl->total_puppet_find + temp_temp_puppet;
- if (MOpt_globals.is_pilot_mode){
+ if (MOpt_globals.is_pilot_mode) {
 for (i = 0; i < operator_num; ++i) {
@@ -4265,13 +4265,14 @@ pacemaker_fuzzing:
 } else {
- for (i = 0; i < operator_num; i++) {
+ for (i = 0; i < operator_num; i++) {
- if (afl->core_operator_cycles_puppet_v2[i] > afl->core_operator_cycles_puppet_v3[i])
+ if (afl->core_operator_cycles_puppet_v2[i] >
+ afl->core_operator_cycles_puppet_v3[i])
- afl->core_operator_finds_puppet_v2[i] += temp_temp_puppet;
+ afl->core_operator_finds_puppet_v2[i] += temp_temp_puppet;
- }
+ }
 }
@@ -4545,14 +4546,15 @@ pacemaker_fuzzing:
 } else {
- for (i = 0; i < operator_num; i++)
- {
+ for (i = 0; i < operator_num; i++) {
- afl->core_operator_finds_puppet[i] = afl->core_operator_finds_puppet_v2[i];
- afl->core_operator_cycles_puppet[i] = afl->core_operator_cycles_puppet_v2[i];
- temp_stage_finds_puppet += afl->core_operator_finds_puppet[i];
-
- }
+ afl->core_operator_finds_puppet[i] =
+ afl->core_operator_finds_puppet_v2[i];
+ afl->core_operator_cycles_puppet[i] =
+ afl->core_operator_cycles_puppet_v2[i];
+ temp_stage_finds_puppet += afl->core_operator_finds_puppet[i];
+
+ }
 afl->key_module = 2;
-- cgit 1.4.1