From 3a509c61689112cc321c4c78f058014abff66c8a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 10 Apr 2020 22:33:11 +0200 Subject: LTO optimization, variable map size, autodictionary (#307) * lto module clean-up * step 1/3 * step 1/3 completed * if tmp is ever made non-static * parts 2 and 3 - autodictionary is complete * variable map_size support * variable map size: changed overlooked functions * remove debug for autodict * 64 bit alignment of map size * fix review comments * force 64 bit alignment on both sides * typo --- src/afl-fuzz-one.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index b20bde90..80567160 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -601,7 +601,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (!afl->dumb_mode && (afl->stage_cur & 7) == 7) { - u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (afl->stage_cur == afl->stage_max - 1 && cksum == prev_cksum) { @@ -613,7 +613,7 @@ u8 fuzz_one_original(afl_state_t *afl) { ++a_len; if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, a_collect, a_len); + maybe_add_auto((u8 *)afl, a_collect, a_len); } else if (cksum != prev_cksum) { @@ -621,7 +621,7 @@ u8 fuzz_one_original(afl_state_t *afl) { worthwhile queued up, and collect that if the answer is yes. */ if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, a_collect, a_len); + maybe_add_auto((u8 *)afl, a_collect, a_len); a_len = 0; prev_cksum = cksum; @@ -761,7 +761,7 @@ u8 fuzz_one_original(afl_state_t *afl) { without wasting time on checksums. */ if (!afl->dumb_mode && len >= EFF_MIN_LEN) - cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); else cksum = ~afl->queue_cur->exec_cksum; @@ -2615,7 +2615,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (!afl->dumb_mode && (afl->stage_cur & 7) == 7) { - u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (afl->stage_cur == afl->stage_max - 1 && cksum == prev_cksum) { @@ -2627,7 +2627,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { ++a_len; if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, a_collect, a_len); + maybe_add_auto((u8 *)afl, a_collect, a_len); } else if (cksum != prev_cksum) { @@ -2635,7 +2635,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { worthwhile queued up, and collect that if the answer is yes. */ if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, a_collect, a_len); + maybe_add_auto((u8 *)afl, a_collect, a_len); a_len = 0; prev_cksum = cksum; @@ -2775,7 +2775,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { without wasting time on checksums. */ if (!afl->dumb_mode && len >= EFF_MIN_LEN) - cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); else cksum = ~afl->queue_cur->exec_cksum; -- cgit 1.4.1 From ee4e1936d0d1ca18147d1916e9365578627584e2 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sun, 12 Apr 2020 13:20:10 +0100 Subject: build on arm64 fix. tested on Android. (#313) --- include/afl-fuzz.h | 1 + include/forkserver.h | 5 +++-- src/afl-analyze.c | 4 ++-- src/afl-common.c | 25 +++++++++++++------------ src/afl-forkserver.c | 1 + src/afl-fuzz-bitmap.c | 10 +++++----- src/afl-fuzz-init.c | 12 ++++++------ src/afl-fuzz-one.c | 4 ++-- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-stats.c | 26 +++++++++++++------------- src/afl-fuzz.c | 12 ++++++------ src/afl-showmap.c | 2 +- src/afl-tmin.c | 4 ++-- 13 files changed, 56 insertions(+), 52 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1440b645..58fe7c41 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -61,6 +61,7 @@ #include #include #include +#include #include #include diff --git a/include/forkserver.h b/include/forkserver.h index 444f92df..77fcc126 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -29,6 +29,7 @@ #define __AFL_FORKSERVER_H #include +#include typedef struct afl_forkserver { @@ -97,9 +98,9 @@ void afl_fsrv_killall(); #endif #ifdef RLIMIT_AS -#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%" PRIu64 " << 10];" #else -#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%" PRIu64 " << 10];" #endif /* ^RLIMIT_AS */ #endif diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 66dbefab..951e2f76 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -909,7 +909,7 @@ int main(int argc, char **argv, char **envp) { } - if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%" PRIu64 "%c", &mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -1013,7 +1013,7 @@ int main(int argc, char **argv, char **envp) { read_initial_file(); - ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", + ACTF("Performing dry run (mem limit = %" PRIu64 " MB, timeout = %u ms%s)...", mem_limit, exec_tmout, edges_only ? ", edges only" : ""); run_target(use_argv, in_data, in_len, 1); diff --git a/src/afl-common.c b/src/afl-common.c index 7eba6ae4..d8af353a 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -26,6 +26,7 @@ #include #include #include +#include #include "debug.h" #include "alloc-inl.h" @@ -454,13 +455,13 @@ u8 *stringify_int(u8 *buf, size_t len, u64 val) { } while (0) /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu", u64); + CHK_FORMAT(1, 10000, "%" PRIu64, u64); /* 10.0k - 99.9k */ CHK_FORMAT(1000, 99.95, "%0.01fk", double); /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%lluk", u64); + CHK_FORMAT(1000, 1000, "%" PRIu64 "k", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); @@ -469,7 +470,7 @@ u8 *stringify_int(u8 *buf, size_t len, u64 val) { CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); + CHK_FORMAT(1000 * 1000, 1000, "%" PRIu64 "M", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); @@ -521,13 +522,13 @@ u8 *stringify_float(u8 *buf, size_t len, double val) { u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu B", u64); + CHK_FORMAT(1, 10000, "%" PRIu64 " B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%llu kB", u64); + CHK_FORMAT(1024, 1000, "%" PRIu64 " kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); @@ -536,7 +537,7 @@ u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); + CHK_FORMAT(1024 * 1024, 1000, "%" PRIu64 " MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); @@ -614,13 +615,13 @@ u8 *u_stringify_int(u8 *buf, u64 val) { } while (0) /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu", u64); + CHK_FORMAT(1, 10000, "%" PRIu64, u64); /* 10.0k - 99.9k */ CHK_FORMAT(1000, 99.95, "%0.01fk", double); /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%lluk", u64); + CHK_FORMAT(1000, 1000, "%" PRIu64 "k", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); @@ -629,7 +630,7 @@ u8 *u_stringify_int(u8 *buf, u64 val) { CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); + CHK_FORMAT(1000 * 1000, 1000, "%" PRIu64 "M", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); @@ -680,13 +681,13 @@ u8 *u_stringify_float(u8 *buf, double val) { u8 *u_stringify_mem_size(u8 *buf, u64 val) { /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu B", u64); + CHK_FORMAT(1, 10000, "%" PRIu64 " B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%llu kB", u64); + CHK_FORMAT(1024, 1000, "%" PRIu64 " kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); @@ -695,7 +696,7 @@ u8 *u_stringify_mem_size(u8 *buf, u64 val) { CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); + CHK_FORMAT(1024 * 1024, 1000, "%" PRIu64 " MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a7067791..8b504584 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index b6a494db..293102a8 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -441,7 +441,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret, "src:%06u", afl->current_entry); - sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); + sprintf(ret + strlen(ret), ",time:%" PRIu64, get_cur_time() - afl->start_time); if (afl->splicing_with >= 0) sprintf(ret + strlen(ret), "+%06d", afl->splicing_with); @@ -659,12 +659,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/hangs/id:%06" PRIu64 ",%s", afl->out_dir, afl->unique_hangs, describe_op(afl, 0)); #else - snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/hangs/id_%06" PRIu64, afl->out_dir, afl->unique_hangs); #endif /* ^!SIMPLE_FILES */ @@ -703,12 +703,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/crashes/id:%06" PRIu64 ",sig:%02u,%s", afl->out_dir, afl->unique_crashes, afl->kill_signal, describe_op(afl, 0)); #else - snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/crashes/id_%06" PRIu64 "_%02u", afl->out_dir, afl->unique_crashes, afl->kill_signal); #endif /* ^!SIMPLE_FILES */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 54cc81ef..85b98173 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -494,7 +494,7 @@ void perform_dry_run(afl_state_t *afl) { if (afl->stop_soon) return; if (res == afl->crash_mode || res == FAULT_NOBITS) - SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, + SAYF(cGRA " len = %u, map size = %u, exec speed = %" PRIu64 " us\n" cRST, q->len, q->bitmap_size, q->exec_us); switch (res) { @@ -1051,8 +1051,8 @@ static void handle_existing_out_dir(afl_state_t *afl) { u64 start_time2, last_update; if (fscanf(f, - "start_time : %llu\n" - "last_update : %llu\n", + "start_time : %" PRIu64 "\n" + "last_update : %" PRIu64 "\n", &start_time2, &last_update) != 2) FATAL("Malformed data in '%s'", fn); @@ -1602,7 +1602,7 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%llu", &min) != 1) min = 0; + if (fscanf(f, "%" PRIu64, &min) != 1) min = 0; fclose(f); } @@ -1611,7 +1611,7 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%llu", &max) != 1) max = 0; + if (fscanf(f, "%" PRIu64, &max) != 1) max = 0; fclose(f); } @@ -1620,7 +1620,7 @@ void check_cpu_governor(afl_state_t *afl) { SAYF("\n" cLRD "[-] " cRST "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" - " between %llu and %llu MHz. Unfortunately, the scaling algorithm in " + " between %" PRIu64 " and %" PRIu64 " MHz. Unfortunately, the scaling algorithm in " "the\n" " kernel is imperfect and can miss the short-lived processes spawned " "by\n" diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 80567160..01ce37fb 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -405,7 +405,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->not_on_tty)) { - ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", + ACTF("Fuzzing test case #%u (%u total, %" PRIu64 " uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); fflush(stdout); @@ -2432,7 +2432,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->not_on_tty) { - ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", + ACTF("Fuzzing test case #%u (%u total, %" PRIu64 " uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); fflush(stdout); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4c98d788..f8440f46 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -89,7 +89,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { "Unable to communicate with fork server. Some possible reasons:\n\n" " - You've run out of memory. Use -m to increase the the memory " "limit\n" - " to something higher than %lld.\n" + " to something higher than %" PRIu64 ".\n" " - The binary or one of the libraries it uses manages to " "create\n" " threads before the forkserver initializes.\n" diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 2e680dbb..0df950dd 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -70,13 +70,13 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, fprintf( f, - "start_time : %llu\n" - "last_update : %llu\n" - "run_time : %llu\n" + "start_time : %" PRIu64 "\n" + "last_update : %lld\n" + "run_time : %lld\n" "fuzzer_pid : %d\n" - "cycles_done : %llu\n" - "cycles_wo_finds : %llu\n" - "execs_done : %llu\n" + "cycles_done : %" PRIu64 "\n" + "cycles_wo_finds : %" PRIu64 "\n" + "execs_done : %" PRIu64 "\n" "execs_per_sec : %0.02f\n" // "real_execs_per_sec: %0.02f\n" // damn the name is too long "paths_total : %u\n" @@ -90,12 +90,12 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "variable_paths : %u\n" "stability : %0.02f%%\n" "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" + "unique_crashes : %" PRIu64 "\n" + "unique_hangs : %" PRIu64 "\n" + "last_path : %" PRIu64 "\n" + "last_crash : %" PRIu64 "\n" + "last_hang : %" PRIu64 "\n" + "execs_since_crash : %" PRIu64 "\n" "exec_timeout : %u\n" "slowest_exec_ms : %u\n" "peak_rss_mb : %lu\n" @@ -171,7 +171,7 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) { execs_per_sec */ fprintf(afl->fsrv.plot_file, - "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f\n", + "%" PRIu64 ", %" PRIu64 ", %u, %u, %u, %u, %0.02f%%, %" PRIu64 ", %" PRIu64 ", %u, %0.02f\n", get_cur_time() / 1000, afl->queue_cycle - 1, afl->current_entry, afl->queued_paths, afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->max_depth, diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 73a38215..9464dacc 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -427,7 +427,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%llu%c", &afl->fsrv.mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%" PRIu64 "%c", &afl->fsrv.mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -537,7 +537,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'V': { afl->most_time_key = 1; - if (sscanf(optarg, "%llu", &afl->most_time) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%" PRIu64, &afl->most_time) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -V"); } break; @@ -545,7 +545,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'E': { afl->most_execs_key = 1; - if (sscanf(optarg, "%llu", &afl->most_execs) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%" PRIu64, &afl->most_execs) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -E"); } break; @@ -556,7 +556,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->limit_time_sig = 1; afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; - if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 || + if (sscanf(optarg, "%" PRIu64, &afl->limit_time_puppet) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -L"); @@ -566,7 +566,7 @@ int main(int argc, char **argv_orig, char **envp) { FATAL("limit_time overflow"); afl->limit_time_puppet = limit_time_puppet2; - SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet); + SAYF("limit_time_puppet %" PRIu64 "\n", afl->limit_time_puppet); afl->swarm_now = 0; if (afl->limit_time_puppet == 0) afl->key_puppet = 1; @@ -1079,7 +1079,7 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->not_on_tty)) { - ACTF("Entering queue cycle %llu.", afl->queue_cycle); + ACTF("Entering queue cycle %" PRIu64 ".", afl->queue_cycle); fflush(stdout); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index c84fa36c..6c2b2000 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -720,7 +720,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%" PRIu64 "%c", &fsrv->mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 3be6b2c0..fd081fcf 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -989,7 +989,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%" PRIu64 "%c", &fsrv->mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -1134,7 +1134,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); - ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", + ACTF("Performing dry run (mem limit = %" PRIu64 " MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); run_target(fsrv, use_argv, in_data, in_len, 1); -- cgit 1.4.1 From 79195454993b6cfff6b03354dbf1e045e77f83cb Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sun, 12 Apr 2020 15:55:52 +0100 Subject: Better solution for ARM64 build fix (#315) --- include/afl-fuzz.h | 1 - include/forkserver.h | 5 ++--- include/types.h | 2 +- src/afl-analyze.c | 4 ++-- src/afl-common.c | 25 ++++++++++++------------- src/afl-forkserver.c | 1 - src/afl-fuzz-bitmap.c | 10 +++++----- src/afl-fuzz-init.c | 12 ++++++------ src/afl-fuzz-one.c | 4 ++-- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-stats.c | 26 +++++++++++++------------- src/afl-fuzz.c | 12 ++++++------ src/afl-showmap.c | 2 +- src/afl-tmin.c | 4 ++-- 14 files changed, 53 insertions(+), 57 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 58fe7c41..1440b645 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -61,7 +61,6 @@ #include #include #include -#include #include #include diff --git a/include/forkserver.h b/include/forkserver.h index 77fcc126..444f92df 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -29,7 +29,6 @@ #define __AFL_FORKSERVER_H #include -#include typedef struct afl_forkserver { @@ -98,9 +97,9 @@ void afl_fsrv_killall(); #endif #ifdef RLIMIT_AS -#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%" PRIu64 " << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" #else -#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%" PRIu64 " << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" #endif /* ^RLIMIT_AS */ #endif diff --git a/include/types.h b/include/types.h index da95cb39..f2a12953 100644 --- a/include/types.h +++ b/include/types.h @@ -46,7 +46,7 @@ typedef uint32_t u32; */ -#ifdef __x86_64__ +#if defined(__x86_64__) || defined(__aarch64__) typedef unsigned long long u64; #else typedef uint64_t u64; diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 951e2f76..66dbefab 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -909,7 +909,7 @@ int main(int argc, char **argv, char **envp) { } - if (sscanf(optarg, "%" PRIu64 "%c", &mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -1013,7 +1013,7 @@ int main(int argc, char **argv, char **envp) { read_initial_file(); - ACTF("Performing dry run (mem limit = %" PRIu64 " MB, timeout = %u ms%s)...", + ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", mem_limit, exec_tmout, edges_only ? ", edges only" : ""); run_target(use_argv, in_data, in_len, 1); diff --git a/src/afl-common.c b/src/afl-common.c index d8af353a..7eba6ae4 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -26,7 +26,6 @@ #include #include #include -#include #include "debug.h" #include "alloc-inl.h" @@ -455,13 +454,13 @@ u8 *stringify_int(u8 *buf, size_t len, u64 val) { } while (0) /* 0-9999 */ - CHK_FORMAT(1, 10000, "%" PRIu64, u64); + CHK_FORMAT(1, 10000, "%llu", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1000, 99.95, "%0.01fk", double); /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%" PRIu64 "k", u64); + CHK_FORMAT(1000, 1000, "%lluk", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); @@ -470,7 +469,7 @@ u8 *stringify_int(u8 *buf, size_t len, u64 val) { CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%" PRIu64 "M", u64); + CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); @@ -522,13 +521,13 @@ u8 *stringify_float(u8 *buf, size_t len, double val) { u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { /* 0-9999 */ - CHK_FORMAT(1, 10000, "%" PRIu64 " B", u64); + CHK_FORMAT(1, 10000, "%llu B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%" PRIu64 " kB", u64); + CHK_FORMAT(1024, 1000, "%llu kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); @@ -537,7 +536,7 @@ u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%" PRIu64 " MB", u64); + CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); @@ -615,13 +614,13 @@ u8 *u_stringify_int(u8 *buf, u64 val) { } while (0) /* 0-9999 */ - CHK_FORMAT(1, 10000, "%" PRIu64, u64); + CHK_FORMAT(1, 10000, "%llu", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1000, 99.95, "%0.01fk", double); /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%" PRIu64 "k", u64); + CHK_FORMAT(1000, 1000, "%lluk", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); @@ -630,7 +629,7 @@ u8 *u_stringify_int(u8 *buf, u64 val) { CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%" PRIu64 "M", u64); + CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); @@ -681,13 +680,13 @@ u8 *u_stringify_float(u8 *buf, double val) { u8 *u_stringify_mem_size(u8 *buf, u64 val) { /* 0-9999 */ - CHK_FORMAT(1, 10000, "%" PRIu64 " B", u64); + CHK_FORMAT(1, 10000, "%llu B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%" PRIu64 " kB", u64); + CHK_FORMAT(1024, 1000, "%llu kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); @@ -696,7 +695,7 @@ u8 *u_stringify_mem_size(u8 *buf, u64 val) { CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%" PRIu64 " MB", u64); + CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 8b504584..a7067791 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -38,7 +38,6 @@ #include #include #include -#include #include #include #include diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 293102a8..b6a494db 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -441,7 +441,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret, "src:%06u", afl->current_entry); - sprintf(ret + strlen(ret), ",time:%" PRIu64, get_cur_time() - afl->start_time); + sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); if (afl->splicing_with >= 0) sprintf(ret + strlen(ret), "+%06d", afl->splicing_with); @@ -659,12 +659,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - snprintf(fn, PATH_MAX, "%s/hangs/id:%06" PRIu64 ",%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, afl->unique_hangs, describe_op(afl, 0)); #else - snprintf(fn, PATH_MAX, "%s/hangs/id_%06" PRIu64, afl->out_dir, + snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, afl->unique_hangs); #endif /* ^!SIMPLE_FILES */ @@ -703,12 +703,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - snprintf(fn, PATH_MAX, "%s/crashes/id:%06" PRIu64 ",sig:%02u,%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, afl->unique_crashes, afl->kill_signal, describe_op(afl, 0)); #else - snprintf(fn, PATH_MAX, "%s/crashes/id_%06" PRIu64 "_%02u", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, afl->unique_crashes, afl->kill_signal); #endif /* ^!SIMPLE_FILES */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 85b98173..54cc81ef 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -494,7 +494,7 @@ void perform_dry_run(afl_state_t *afl) { if (afl->stop_soon) return; if (res == afl->crash_mode || res == FAULT_NOBITS) - SAYF(cGRA " len = %u, map size = %u, exec speed = %" PRIu64 " us\n" cRST, + SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, q->len, q->bitmap_size, q->exec_us); switch (res) { @@ -1051,8 +1051,8 @@ static void handle_existing_out_dir(afl_state_t *afl) { u64 start_time2, last_update; if (fscanf(f, - "start_time : %" PRIu64 "\n" - "last_update : %" PRIu64 "\n", + "start_time : %llu\n" + "last_update : %llu\n", &start_time2, &last_update) != 2) FATAL("Malformed data in '%s'", fn); @@ -1602,7 +1602,7 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%" PRIu64, &min) != 1) min = 0; + if (fscanf(f, "%llu", &min) != 1) min = 0; fclose(f); } @@ -1611,7 +1611,7 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%" PRIu64, &max) != 1) max = 0; + if (fscanf(f, "%llu", &max) != 1) max = 0; fclose(f); } @@ -1620,7 +1620,7 @@ void check_cpu_governor(afl_state_t *afl) { SAYF("\n" cLRD "[-] " cRST "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" - " between %" PRIu64 " and %" PRIu64 " MHz. Unfortunately, the scaling algorithm in " + " between %llu and %llu MHz. Unfortunately, the scaling algorithm in " "the\n" " kernel is imperfect and can miss the short-lived processes spawned " "by\n" diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 01ce37fb..80567160 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -405,7 +405,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->not_on_tty)) { - ACTF("Fuzzing test case #%u (%u total, %" PRIu64 " uniq crashes found)...", + ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); fflush(stdout); @@ -2432,7 +2432,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->not_on_tty) { - ACTF("Fuzzing test case #%u (%u total, %" PRIu64 " uniq crashes found)...", + ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); fflush(stdout); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index f8440f46..4c98d788 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -89,7 +89,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { "Unable to communicate with fork server. Some possible reasons:\n\n" " - You've run out of memory. Use -m to increase the the memory " "limit\n" - " to something higher than %" PRIu64 ".\n" + " to something higher than %lld.\n" " - The binary or one of the libraries it uses manages to " "create\n" " threads before the forkserver initializes.\n" diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 0df950dd..2e680dbb 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -70,13 +70,13 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, fprintf( f, - "start_time : %" PRIu64 "\n" - "last_update : %lld\n" - "run_time : %lld\n" + "start_time : %llu\n" + "last_update : %llu\n" + "run_time : %llu\n" "fuzzer_pid : %d\n" - "cycles_done : %" PRIu64 "\n" - "cycles_wo_finds : %" PRIu64 "\n" - "execs_done : %" PRIu64 "\n" + "cycles_done : %llu\n" + "cycles_wo_finds : %llu\n" + "execs_done : %llu\n" "execs_per_sec : %0.02f\n" // "real_execs_per_sec: %0.02f\n" // damn the name is too long "paths_total : %u\n" @@ -90,12 +90,12 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "variable_paths : %u\n" "stability : %0.02f%%\n" "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %" PRIu64 "\n" - "unique_hangs : %" PRIu64 "\n" - "last_path : %" PRIu64 "\n" - "last_crash : %" PRIu64 "\n" - "last_hang : %" PRIu64 "\n" - "execs_since_crash : %" PRIu64 "\n" + "unique_crashes : %llu\n" + "unique_hangs : %llu\n" + "last_path : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" "exec_timeout : %u\n" "slowest_exec_ms : %u\n" "peak_rss_mb : %lu\n" @@ -171,7 +171,7 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) { execs_per_sec */ fprintf(afl->fsrv.plot_file, - "%" PRIu64 ", %" PRIu64 ", %u, %u, %u, %u, %0.02f%%, %" PRIu64 ", %" PRIu64 ", %u, %0.02f\n", + "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f\n", get_cur_time() / 1000, afl->queue_cycle - 1, afl->current_entry, afl->queued_paths, afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->max_depth, diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9464dacc..73a38215 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -427,7 +427,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%" PRIu64 "%c", &afl->fsrv.mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%llu%c", &afl->fsrv.mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -537,7 +537,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'V': { afl->most_time_key = 1; - if (sscanf(optarg, "%" PRIu64, &afl->most_time) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%llu", &afl->most_time) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -V"); } break; @@ -545,7 +545,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'E': { afl->most_execs_key = 1; - if (sscanf(optarg, "%" PRIu64, &afl->most_execs) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%llu", &afl->most_execs) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -E"); } break; @@ -556,7 +556,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->limit_time_sig = 1; afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; - if (sscanf(optarg, "%" PRIu64, &afl->limit_time_puppet) < 1 || + if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -L"); @@ -566,7 +566,7 @@ int main(int argc, char **argv_orig, char **envp) { FATAL("limit_time overflow"); afl->limit_time_puppet = limit_time_puppet2; - SAYF("limit_time_puppet %" PRIu64 "\n", afl->limit_time_puppet); + SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet); afl->swarm_now = 0; if (afl->limit_time_puppet == 0) afl->key_puppet = 1; @@ -1079,7 +1079,7 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->not_on_tty)) { - ACTF("Entering queue cycle %" PRIu64 ".", afl->queue_cycle); + ACTF("Entering queue cycle %llu.", afl->queue_cycle); fflush(stdout); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 6c2b2000..c84fa36c 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -720,7 +720,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%" PRIu64 "%c", &fsrv->mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index fd081fcf..3be6b2c0 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -989,7 +989,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%" PRIu64 "%c", &fsrv->mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -1134,7 +1134,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); - ACTF("Performing dry run (mem limit = %" PRIu64 " MB, timeout = %u ms%s)...", + ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); run_target(fsrv, use_argv, in_data, in_len, 1); -- cgit 1.4.1 From dda096da03cae528dee9fd53e64896e93efe8f4a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 13 Apr 2020 12:12:27 +0200 Subject: allow -L -1 to enable mopt in parallel to classic mutation --- docs/Changelog.md | 2 ++ docs/README.MOpt.md | 3 +++ include/afl-fuzz.h | 10 +++++----- src/afl-forkserver.c | 10 +++++----- src/afl-fuzz-one.c | 14 +++++++------- src/afl-fuzz-run.c | 2 +- src/afl-fuzz.c | 50 +++++++++++++++++++++++++++++++++----------------- 7 files changed, 56 insertions(+), 35 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 108ebd08..2c8bff3d 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,8 @@ sending a mail to . - afl-fuzz: - variable map size support added (only LTO mode can use this) - snapshot feature usage now visible in UI + - Now setting "-L -1" will enable MOpt in parallel to normal mutation. + Additionally this allows to run dictionaries, radamsa and cmplog. - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also static global and local variable comparisons (cannot find all though) - extended forkserver: map_size and more information is communicated to diff --git a/docs/README.MOpt.md b/docs/README.MOpt.md index 94e63959..3de6d670 100644 --- a/docs/README.MOpt.md +++ b/docs/README.MOpt.md @@ -36,6 +36,9 @@ enter the pacemaker fuzzing mode. Setting 0 will enter the pacemaker fuzzing mode at first, which is recommended in a short time-scale evaluation. +Setting -1 will enable both pacemaker mode and normal aflmutation fuzzing in +parallel. + Other important parameters can be found in afl-fuzz.c, for instance, 'swarm_num': the number of the PSO swarms used in the fuzzing process. diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1440b645..a7fdc5f0 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -354,14 +354,14 @@ typedef struct afl_state { /* MOpt: Lots of globals, but mostly for the status UI and other things where it really makes no sense to haul them around as function parameters. */ - u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start, - tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find, - most_time_key, most_time, most_execs_key, most_execs, old_hit_count, - force_ui_update; + u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time, + total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key, + most_time, most_execs_key, most_execs, old_hit_count, force_ui_update; MOpt_globals_t mopt_globals_core, mopt_globals_pilot; - s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module; + s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, + key_module; double w_init, w_end, w_now; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 28f664fa..b282a119 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -365,9 +365,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, kill(fsrv->fsrv_pid, SIGKILL); } else { - + rlen = 4; - + } } else { @@ -631,9 +631,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, static void afl_fsrv_kill(afl_forkserver_t *fsrv) { - if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL); - if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL); - if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } + if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL); + if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL); + if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } } diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 80567160..95d622f2 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -4377,7 +4377,7 @@ void pso_updating(afl_state_t *afl) { u8 fuzz_one(afl_state_t *afl) { - int key_val_lv = 0; + int key_val_lv_1 = 0, key_val_lv_2 = 0; #ifdef _AFL_DOCUMENT_MUTATIONS @@ -4397,22 +4397,22 @@ u8 fuzz_one(afl_state_t *afl) { #endif - if (afl->limit_time_sig == 0) { + // if limit_time_sig == -1 then both are run after each other - key_val_lv = fuzz_one_original(afl); + if (afl->limit_time_sig <= 0) { key_val_lv_1 = fuzz_one_original(afl); } - } else { + if (afl->limit_time_sig != 0) { if (afl->key_module == 0) - key_val_lv = pilot_fuzzing(afl); + key_val_lv_2 = pilot_fuzzing(afl); else if (afl->key_module == 1) - key_val_lv = core_fuzzing(afl); + key_val_lv_2 = core_fuzzing(afl); else if (afl->key_module == 2) pso_updating(afl); } - return key_val_lv; + return (key_val_lv_1 | key_val_lv_2); #undef BUF_PARAMS diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 1ddd7e1a..514ba9ef 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -49,7 +49,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); - + /* we have the fork server (or faux server) up and running, so simply tell it to have at it, and then read back PID. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 136a9519..8620a402 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -109,12 +109,12 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "Mutator settings:\n" " -R[R] - add Radamsa as mutator, add another -R to exclusivly " "run it\n" - " -L minutes - use MOpt(imize) mode and set the limit time for " + " -L minutes - use MOpt(imize) mode and set the time limit for " "entering the\n" - " pacemaker mode (minutes of no new paths, 0 = " - "immediately).\n" - " a recommended value is 10-60. see " - "docs/README.MOpt.md\n" + " pacemaker mode (minutes of no new paths). 0 = " + "immediately,\n" + " -1 = immediately and together with normal mutation).\n" + " See docs/README.MOpt.md\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" " if using QEMU, just use -c 0.\n\n" @@ -553,20 +553,33 @@ int main(int argc, char **argv_orig, char **envp) { case 'L': { /* MOpt mode */ if (afl->limit_time_sig) FATAL("Multiple -L options not supported"); - afl->limit_time_sig = 1; afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; - if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 || - optarg[0] == '-') + if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) FATAL("Bad syntax used for -L"); + if (afl->limit_time_puppet == -1) { + + afl->limit_time_sig = -1; + afl->limit_time_puppet = 0; + + } else if (afl->limit_time_puppet < 0) { + + FATAL("-L value must be between 0 and 2000000 or -1"); + + } else { + + afl->limit_time_sig = 1; + + } + u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000; if (limit_time_puppet2 < afl->limit_time_puppet) FATAL("limit_time overflow"); afl->limit_time_puppet = limit_time_puppet2; - SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet); + SAYF("limit_time_puppet %d\n", afl->limit_time_puppet); afl->swarm_now = 0; if (afl->limit_time_puppet == 0) afl->key_puppet = 1; @@ -701,11 +714,14 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->use_radamsa) { - if (afl->limit_time_sig) + if (afl->limit_time_sig > 0) FATAL( - "MOpt and Radamsa are mutually exclusive. We accept pull requests " - "that integrates MOpt with the optional mutators " - "(custom/radamsa/redquenn/...)."); + "MOpt and Radamsa are mutually exclusive unless you specify -L -1. " + "We accept pull requests that integrates MOpt with the optional " + "mutators (custom/radamsa/redqueen/...)."); + + if (afl->limit_time_sig && afl->use_radamsa > 1) + FATAL("Radamsa in radamsa-only mode can not run together with -L"); OKF("Using Radamsa add-on"); @@ -984,11 +1000,11 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->cmplog_binary) { - if (afl->limit_time_sig) + if (afl->limit_time_sig > 0) FATAL( - "MOpt and CmpLog are mutually exclusive. We accept pull requests " - "that integrates MOpt with the optional mutators " - "(custom/radamsa/redquenn/...)."); + "MOpt and CmpLog are mutually exclusive unless you specify -L -1. We " + "accept pull requests that integrates MOpt with the optional " + "mutators (custom/radamsa/redqueen/...)."); if (afl->unicorn_mode) FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry"); -- cgit 1.4.1 From 326ab632c378878c96f44586a6e1f3dfa3db2276 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 13 Apr 2020 16:57:19 +0200 Subject: fixed uaf and warnings --- src/afl-analyze.c | 8 ++++++++ src/afl-common.c | 11 +++++++---- src/afl-forkserver.c | 1 - src/afl-fuzz-bitmap.c | 8 ++++---- src/afl-fuzz-extras.c | 2 ++ src/afl-fuzz-init.c | 2 ++ src/afl-fuzz-one.c | 3 --- src/afl-fuzz-queue.c | 2 ++ src/afl-fuzz-redqueen.c | 8 +++++++- src/afl-fuzz-stats.c | 1 - src/afl-sharedmem.c | 10 +--------- src/afl-showmap.c | 2 +- 12 files changed, 34 insertions(+), 24 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 510ec94a..2c98982f 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -902,6 +902,12 @@ int main(int argc, char **argv, char **envp) { if (mem_limit_given) FATAL("Multiple -m options not supported"); mem_limit_given = 1; + if (!optarg) { + + FATAL("Bad syntax used for -m"); + + } + if (!strcmp(optarg, "none")) { mem_limit = 0; @@ -938,6 +944,8 @@ int main(int argc, char **argv, char **envp) { if (timeout_given) FATAL("Multiple -t options not supported"); timeout_given = 1; + if (!optarg) FATAL("Wrong usage of -t"); + exec_tmout = atoi(optarg); if (exec_tmout < 10 || optarg[0] == '-') diff --git a/src/afl-common.c b/src/afl-common.c index 7eba6ae4..1ac1a2f3 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -292,11 +292,10 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { *rsl = 0; cp = alloc_printf("%s/afl-qemu-trace", own_copy); - ck_free(own_copy); - if (!access(cp, X_OK)) { + if (cp && !access(cp, X_OK)) { - if (cp != NULL) ck_free(cp); + ck_free(cp); cp = alloc_printf("%s/afl-wine-trace", own_copy); @@ -309,10 +308,14 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { } - } else + ck_free(own_copy); + + } else { ck_free(own_copy); + } + u8 *ncp = BIN_PATH "/afl-qemu-trace"; if (!access(ncp, X_OK)) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b282a119..b054a64d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -455,7 +455,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - len = status; offset = 0; while (offset < status && (u8)dict[offset] + offset < status) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index b6a494db..9603f2f5 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -535,7 +535,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (unlikely(len == 0)) return 0; u8 *queue_fn = ""; - u8 hnb; + u8 hnb = '\0'; s32 fd; u8 keeping = 0, res; @@ -718,9 +718,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { // if the user wants to be informed on new crashes - do that #if !TARGET_OS_IPHONE - if (system(afl->infoexec) == -1) - hnb += 0; // we dont care if system errors, but we dont want a - // compiler warning either + // we dont care if system errors, but we dont want a + // compiler warning either + (void)(system(afl->infoexec)+1); #else WARNF("command execution unsupported"); #endif diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 55146dd9..c366cc5b 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -130,6 +130,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr); + if (!wptr) PFATAL("no mem for data"); + while (*lptr) { char *hexdigits = "0123456789abcdef"; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 54cc81ef..10417da6 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2178,6 +2178,8 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) { u32 l = strlen(argv[i]); + if (!argv[i] || !buf) FATAL("null deref detected"); + memcpy(buf, argv[i], l); buf += l; diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 95d622f2..475c710b 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -3593,7 +3593,6 @@ pacemaker_fuzzing: } s32 temp_len_puppet; - cur_ms_lv = get_cur_time(); // for (; afl->swarm_now < swarm_num; ++afl->swarm_now) { @@ -4167,8 +4166,6 @@ pacemaker_fuzzing: afl->orig_hit_cnt_puppet))) { afl->key_puppet = 0; - cur_ms_lv = get_cur_time(); - new_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->orig_hit_cnt_puppet = 0; afl->last_limit_time_start = 0; diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 346c2639..5eb110d0 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -438,6 +438,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { } + if (unlikely(!n_paths)) FATAL("Queue state corrupt"); + fuzz_mu = fuzz_total / n_paths; if (fuzz <= fuzz_mu) { diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 517f8d7c..b9b41c74 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -115,7 +115,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { afl->stage_short = "colorization"; afl->stage_max = 1000; - struct range *rng; + struct range *rng = NULL; afl->stage_cur = 0; while ((rng = pop_biggest_range(&ranges)) != NULL && afl->stage_cur < afl->stage_max) { @@ -141,6 +141,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { empty_range: ck_free(rng); + rng = NULL; ++afl->stage_cur; } @@ -157,6 +158,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { rng = ranges; ranges = ranges->next; ck_free(rng); + rng = NULL; } @@ -186,6 +188,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { } + return 0; checksum_fail: @@ -196,9 +199,12 @@ checksum_fail: rng = ranges; ranges = ranges->next; ck_free(rng); + rng = NULL; } + // TODO: clang notices a _potential_ leak of mem pointed to by rng + return 1; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 2e680dbb..d42df2db 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -56,7 +56,6 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, bitmap_cvg = afl->last_bitmap_cvg; stability = afl->last_stability; - eps = afl->last_eps; } else { diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 9db84e77..eea1cc95 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -67,6 +67,7 @@ list_t shm_list = {.element_prealloc_count = 0}; void afl_shm_deinit(sharedmem_t *shm) { + // TODO: clang reports a potential UAF in this function/makro(?) list_remove(&shm_list, shm); #ifdef USEMMAP @@ -93,14 +94,6 @@ void afl_shm_deinit(sharedmem_t *shm) { } -/* At exit, remove all leftover maps */ - -void afl_shm_atexit(void) { - - LIST_FOREACH(&shm_list, sharedmem_t, { afl_shm_deinit(el); }); - -} - /* Configure shared memory. Returns a pointer to shm->map for ease of use. */ @@ -207,7 +200,6 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { #endif list_append(&shm_list, shm); - atexit(afl_shm_atexit); return shm->map; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index c84fa36c..63c8caa8 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -983,7 +983,7 @@ int main(int argc, char **argv_orig, char **envp) { if (!quiet_mode) OKF("Processed %u input files.", total_execs); closedir(dir_in); - closedir(dir_out); + if (dir_out) closedir(dir_out); } else { -- cgit 1.4.1 From 1fbface656ae4f64fc8643def840fa488098e580 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 14 Apr 2020 10:09:03 +0200 Subject: cmplog is now better --- include/afl-fuzz.h | 6 ++++++ src/afl-fuzz-one.c | 35 +++++++++++++++++++++----------- src/afl-fuzz-redqueen.c | 54 ++++++++++++++++++++++++++++++++++++++++++------- src/afl-fuzz.c | 6 ------ 4 files changed, 76 insertions(+), 25 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 620f5062..4e2deaa3 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -316,6 +316,10 @@ typedef struct afl_env_vars { } afl_env_vars_t; +struct afl_pass_stat { + u8 total; u8 faileds; +}; + typedef struct afl_state { /* Position of this state in the global states list */ @@ -540,6 +544,8 @@ typedef struct afl_state { /* cmplog forkserver ids */ s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; + + struct afl_pass_stat* pass_stats; u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 92210c8b..c4d49ec1 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -495,7 +495,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->use_radamsa > 1) goto radamsa_stage; - if (afl->shm.cmplog_mode) { + if (afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized) { if (input_to_state_stage(afl, in_buf, out_buf, len, afl->queue_cur->exec_cksum)) @@ -2508,20 +2508,15 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - /* Skip right away if -d is given, if we have done deterministic fuzzing on - this entry ourselves (was_fuzzed), or if it has gone through deterministic - testing in earlier, resumed runs (passed_det). */ + if (afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized) { - if (afl->skip_deterministic || afl->queue_cur->was_fuzzed || - afl->queue_cur->passed_det) - goto havoc_stage; + if (input_to_state_stage(afl, in_buf, out_buf, len, + afl->queue_cur->exec_cksum)) + goto abandon_entry; - /* Skip deterministic fuzzing if exec path checksum puts this out of scope - for this master instance. */ + } - if (afl->master_max && - (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) - goto havoc_stage; + /* Go to pacemker fuzzing if MOpt is doing well */ cur_ms_lv = get_cur_time(); if (!(afl->key_puppet == 0 && @@ -2534,6 +2529,22 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { goto pacemaker_fuzzing; } + + /* Skip right away if -d is given, if we have done deterministic fuzzing on + this entry ourselves (was_fuzzed), or if it has gone through deterministic + testing in earlier, resumed runs (passed_det). */ + + if (afl->skip_deterministic || afl->queue_cur->was_fuzzed || + afl->queue_cur->passed_det) + goto havoc_stage; + + /* Skip deterministic fuzzing if exec path checksum puts this out of scope + for this master instance. */ + + if (afl->master_max && + (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) + goto havoc_stage; + doing_det = 1; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index c910e75e..c8d54ce2 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -127,9 +127,14 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { rand_replace(afl, buf + rng->start, s); u32 cksum; + u64 start_us = get_cur_time_us(); if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) goto checksum_fail; + u64 stop_us = get_cur_time_us(); - if (cksum != exec_cksum) { + /* Discard if the mutations change the paths or if it is too decremental + in speed */ + if (cksum != exec_cksum || + (stop_us - start_us > 2 * afl->queue_cur->exec_us)) { ranges = add_range(ranges, rng->start, rng->start + s / 2); ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end); @@ -365,9 +370,12 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u8 status; // opt not in the paper - u32 fails = 0; + u32 fails; + u8 found_one = 0; for (i = 0; i < loggeds; ++i) { + + fails = 0; struct cmp_operands *o = &afl->shm.cmp_map->log[key][i]; @@ -396,12 +404,17 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { break; } + + if (status == 1) + found_one = 1; // If failed, add to dictionary if (fails == 8) { - try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); - try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + if (afl->pass_stats[key].total == 0) { + try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); + try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + } } @@ -409,6 +422,11 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { afl->stage_cur++; } + + if (!found_one && afl->pass_stats[key].faileds < 0xff) { + afl->pass_stats[key].faileds++; + } + if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; return 0; @@ -450,9 +468,12 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u8 status; // opt not in the paper - u32 fails = 0; + u32 fails; + u8 found_one = 0; for (i = 0; i < loggeds; ++i) { + + fails = 0; struct cmpfn_operands *o = &((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[i]; @@ -482,12 +503,17 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { break; } + + if (status == 1) + found_one = 1; // If failed, add to dictionary if (fails == 8) { - maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape)); - maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape)); + if (afl->pass_stats[key].total == 0) { + maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape)); + maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape)); + } } @@ -495,6 +521,11 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { afl->stage_cur++; } + + if (!found_one && afl->pass_stats[key].faileds < 0xff) { + afl->pass_stats[key].faileds++; + } + if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; return 0; @@ -507,6 +538,9 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u32 exec_cksum) { u8 r = 1; + + if (afl->pass_stats == NULL) + afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W); if (unlikely(colorization(afl, buf, len, exec_cksum))) return 1; @@ -528,6 +562,12 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, for (k = 0; k < CMP_MAP_W; ++k) { if (!afl->shm.cmp_map->headers[k].hits) continue; + + if (afl->pass_stats[k].total && + (UR(afl, afl->pass_stats[k].total) < afl->pass_stats[k].faileds || + afl->pass_stats[k].total == 0xff)) + afl->shm.cmp_map->headers[k].hits = 0; + if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) afl->stage_max += MIN(afl->shm.cmp_map->headers[k].hits, CMP_MAP_H); else diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 10fee76c..b89bccb4 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -966,12 +966,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->cmplog_binary) { - if (afl->limit_time_sig) - FATAL( - "MOpt and CmpLog are mutually exclusive. We accept pull requests " - "that integrates MOpt with the optional mutators " - "(custom/radamsa/redquenn/...)."); - if (afl->unicorn_mode) FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry"); if (!afl->qemu_mode) check_binary(afl, afl->cmplog_binary); -- cgit 1.4.1 From 92aaaef38126853f26e1be0e522a29c974e24bb5 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 14 Apr 2020 12:42:38 +0200 Subject: code format --- include/afl-fuzz.h | 9 ++- llvm_mode/afl-clang-fast.c | 4 +- src/afl-fuzz-one.c | 3 +- src/afl-fuzz-redqueen.c | 138 +++++++++++++++++++++++++++------------------ src/afl-fuzz-state.c | 2 +- src/afl-fuzz-stats.c | 14 ++--- 6 files changed, 101 insertions(+), 69 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 9da9452a..3df99a58 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -341,7 +341,10 @@ typedef struct afl_env_vars { } afl_env_vars_t; struct afl_pass_stat { - u8 total; u8 faileds; + + u8 total; + u8 faileds; + }; typedef struct afl_state { @@ -573,8 +576,8 @@ typedef struct afl_state { s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; u32 cmplog_prev_timed_out; - struct afl_pass_stat* pass_stats; - struct cmp_map *orig_cmp_map; + struct afl_pass_stat *pass_stats; + struct cmp_map * orig_cmp_map; u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index b121ea97..49318f2e 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -549,8 +549,8 @@ int main(int argc, char **argv, char **envp) { if ((ptr = getenv("AFL_LLVM_INSTRUMENT")) != NULL) { if (strncasecmp(ptr, "default", strlen("default")) == 0 || - strncasecmp(ptr, "afl", strlen("afl")) == 0 || - strncasecmp(ptr, "classic", strlen("classic")) == 0 ) + strncasecmp(ptr, "afl", strlen("afl")) == 0 || + strncasecmp(ptr, "classic", strlen("classic")) == 0) instrument_mode = INSTRUMENT_DEFAULT; if (strncasecmp(ptr, "cfg", strlen("cfg")) == 0 || strncasecmp(ptr, "instrim", strlen("instrim")) == 0) diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 65075db4..961a29d6 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -2543,7 +2543,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { goto pacemaker_fuzzing; } - + /* Skip right away if -d is given, if we have done deterministic fuzzing on this entry ourselves (was_fuzzed), or if it has gone through deterministic testing in earlier, resumed runs (passed_det). */ @@ -2559,7 +2559,6 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) goto havoc_stage; - doing_det = 1; /********************************************* diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index c8d5565f..0a97e3ee 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -234,15 +234,18 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { } -static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 pattern, u64 repl, u64 o_pattern, u32 idx, u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse, u8 *status) { +static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, + u64 pattern, u64 repl, u64 o_pattern, u32 idx, + u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse, + u8 *status) { u64 *buf_64 = (u64 *)&buf[idx]; u32 *buf_32 = (u32 *)&buf[idx]; u16 *buf_16 = (u16 *)&buf[idx]; // u8* buf_8 = &buf[idx]; - u64* o_buf_64 = (u64*)&orig_buf[idx]; - u32* o_buf_32 = (u32*)&orig_buf[idx]; - u16* o_buf_16 = (u16*)&orig_buf[idx]; + u64 *o_buf_64 = (u64 *)&orig_buf[idx]; + u32 *o_buf_32 = (u32 *)&orig_buf[idx]; + u16 *o_buf_16 = (u16 *)&orig_buf[idx]; // u8* o_buf_8 = &orig_buf[idx]; u32 its_len = len - idx; @@ -260,15 +263,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 patter // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl), SWAP64(o_pattern), idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl), + SWAP64(o_pattern), idx, orig_buf, buf, + len, 0, status))) return 1; } if (SHAPE_BYTES(h->shape) == 4 || *status == 2) { - if (its_len >= 4 && - *buf_32 == (u32)pattern && *o_buf_32 == (u32)o_pattern) { + if (its_len >= 4 && *buf_32 == (u32)pattern && + *o_buf_32 == (u32)o_pattern) { *buf_32 = (u32)repl; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -278,15 +283,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 patter // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl), SWAP32(o_pattern), idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl), + SWAP32(o_pattern), idx, orig_buf, buf, + len, 0, status))) return 1; } if (SHAPE_BYTES(h->shape) == 2 || *status == 2) { - if (its_len >= 2 && - *buf_16 == (u16)pattern && *o_buf_16 == (u16)o_pattern) { + if (its_len >= 2 && *buf_16 == (u16)pattern && + *o_buf_16 == (u16)o_pattern) { *buf_16 = (u16)repl; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -296,7 +303,9 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 patter // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl), SWAP16(o_pattern), idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl), + SWAP16(o_pattern), idx, orig_buf, buf, + len, 0, status))) return 1; } @@ -371,35 +380,39 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u8 status; // opt not in the paper u32 fails; - u8 found_one = 0; - + u8 found_one = 0; + /* loop cmps are useless, detect and blacklist them */ u64 s_v0, s_v1; - u8 s_v0_fixed = 1, s_v1_fixed = 1; - u8 s_v0_inc = 1, s_v1_inc = 1; - u8 s_v0_dec = 1, s_v1_dec = 1; + u8 s_v0_fixed = 1, s_v1_fixed = 1; + u8 s_v0_inc = 1, s_v1_inc = 1; + u8 s_v0_dec = 1, s_v1_dec = 1; for (i = 0; i < loggeds; ++i) { - + fails = 0; struct cmp_operands *o = &afl->shm.cmp_map->log[key][i]; - + // loop detection code if (i == 0) { + s_v0 = o->v0; s_v1 = o->v1; + } else { + if (s_v0 != o->v0) s_v0_fixed = 0; if (s_v1 != o->v1) s_v1_fixed = 0; - if (s_v0 +1 != o->v0) s_v0_inc = 0; - if (s_v1 +1 != o->v1) s_v1_inc = 0; - if (s_v0 -1 != o->v0) s_v0_dec = 0; - if (s_v1 -1 != o->v1) s_v1_dec = 0; + if (s_v0 + 1 != o->v0) s_v0_inc = 0; + if (s_v1 + 1 != o->v1) s_v1_inc = 0; + if (s_v0 - 1 != o->v0) s_v0_dec = 0; + if (s_v1 - 1 != o->v1) s_v1_dec = 0; s_v0 = o->v0; s_v1 = o->v1; + } - + struct cmp_operands *orig_o = &afl->orig_cmp_map->log[key][i]; // opt not in the paper @@ -410,14 +423,16 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { for (idx = 0; idx < len && fails < 8; ++idx) { - if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, 1, &status))) + if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, + orig_buf, buf, len, 1, &status))) return 1; if (status == 2) ++fails; else if (status == 1) break; - if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, orig_buf, buf, len, 1, &status))) + if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, + orig_buf, buf, len, 1, &status))) return 1; if (status == 2) ++fails; @@ -425,16 +440,17 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { break; } - - if (status == 1) - found_one = 1; + + if (status == 1) found_one = 1; // If failed, add to dictionary if (fails == 8) { if (afl->pass_stats[key].total == 0) { + try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + } } @@ -443,22 +459,29 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { afl->stage_cur++; } - + if (loggeds > 3 && ((s_v0_fixed && s_v1_inc) || (s_v1_fixed && s_v0_inc) || (s_v0_fixed && s_v1_dec) || (s_v1_fixed && s_v0_dec))) { + afl->pass_stats[key].total = afl->pass_stats[key].faileds = 0xff; + } - + if (!found_one && afl->pass_stats[key].faileds < 0xff) { + afl->pass_stats[key].faileds++; + } + if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; return 0; } -static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, u8 *pattern, u8 *repl, u8* o_pattern, u32 idx, u8 *orig_buf, u8 *buf, u32 len, u8 *status) { +static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, + u8 *pattern, u8 *repl, u8 *o_pattern, u32 idx, + u8 *orig_buf, u8 *buf, u32 len, u8 *status) { u32 i; u32 its_len = MIN(32, len - idx); @@ -470,7 +493,9 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, u8 *patter for (i = 0; i < its_len; ++i) { - if (pattern[idx + i] != buf[idx + i] || o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) break; + if (pattern[idx + i] != buf[idx + i] || + o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) + break; buf[idx + i] = repl[idx + i]; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -493,15 +518,15 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u8 status = 0; // opt not in the paper u32 fails = 0; - u8 found_one = 0; + u8 found_one = 0; for (i = 0; i < loggeds; ++i) { - + fails = 0; struct cmpfn_operands *o = &((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[i]; - + struct cmpfn_operands *orig_o = &((struct cmpfn_operands *)afl->orig_cmp_map->log[key])[i]; @@ -513,14 +538,16 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { for (idx = 0; idx < len && fails < 8; ++idx) { - if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, &status))) + if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, + orig_buf, buf, len, &status))) return 1; if (status == 2) ++fails; else if (status == 1) break; - if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, orig_buf, buf, len, &status))) + if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, + orig_buf, buf, len, &status))) return 1; if (status == 2) ++fails; @@ -528,16 +555,17 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { break; } - - if (status == 1) - found_one = 1; + + if (status == 1) found_one = 1; // If failed, add to dictionary if (fails == 8) { if (afl->pass_stats[key].total == 0) { + maybe_add_auto((u8 *)afl, o->v0, SHAPE_BYTES(h->shape)); maybe_add_auto((u8 *)afl, o->v1, SHAPE_BYTES(h->shape)); + } } @@ -546,10 +574,13 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { afl->stage_cur++; } - + if (!found_one && afl->pass_stats[key].faileds < 0xff) { + afl->pass_stats[key].faileds++; + } + if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; return 0; @@ -565,13 +596,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u8 r = 1; if (afl->orig_cmp_map == NULL) afl->orig_cmp_map = ck_alloc_nozero(sizeof(struct cmp_map)); - + if (afl->pass_stats == NULL) afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W); - + // do it manually, forkserver clear only afl->fsrv.trace_bits memset(afl->shm.cmp_map->headers, 0, sizeof(afl->shm.cmp_map->headers)); - + if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1; memcpy(afl->orig_cmp_map, afl->shm.cmp_map, sizeof(struct cmp_map)); @@ -596,12 +627,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, for (k = 0; k < CMP_MAP_W; ++k) { if (!afl->shm.cmp_map->headers[k].hits) continue; - + if (afl->pass_stats[k].total && - (rand_below(afl, afl->pass_stats[k].total) >= afl->pass_stats[k].faileds - || afl->pass_stats[k].total == 0xff)) - afl->shm.cmp_map->headers[k].hits = 0; // blacklist this cmp - + (rand_below(afl, afl->pass_stats[k].total) >= + afl->pass_stats[k].faileds || + afl->pass_stats[k].total == 0xff)) + afl->shm.cmp_map->headers[k].hits = 0; // blacklist this cmp + if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) afl->stage_max += MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_H); else @@ -616,13 +648,11 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) { - if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) - goto exit_its; + if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) goto exit_its; } else { - if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) - goto exit_its; + if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) goto exit_its; } @@ -634,7 +664,7 @@ exit_its: new_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ITS] += afl->total_execs - orig_execs; - + memcpy(orig_buf, buf, len); return r; diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 87d74afa..7664c521 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -370,7 +370,7 @@ void afl_state_deinit(afl_state_t *afl) { free(afl->in_buf); free(afl->in_scratch_buf); free(afl->ex_buf); - + list_remove(&afl_states, afl); } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d48dd5e3..d42df2db 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -387,9 +387,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -471,9 +471,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -503,9 +503,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -579,7 +579,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); -- cgit 1.4.1 From 6dc36f1e6e7d2d781cc6b14f2898b3f7021e1d06 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 14 Apr 2020 19:27:25 +0200 Subject: unified forkservered run_target, fixes #308 --- include/afl-fuzz.h | 16 +----- include/forkserver.h | 21 ++++++-- src/afl-analyze.c | 2 +- src/afl-forkserver.c | 132 +++++++++++++++++++++++++++++++++++++++++++++--- src/afl-fuzz-bitmap.c | 16 +++--- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-init.c | 14 ++--- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-one.c | 12 ++--- src/afl-fuzz-queue.c | 2 +- src/afl-fuzz-redqueen.c | 4 +- src/afl-fuzz-run.c | 128 +++------------------------------------------- src/afl-fuzz-stats.c | 18 +++---- src/afl-fuzz.c | 2 +- src/afl-sharedmem.c | 1 - src/afl-showmap.c | 95 ++++------------------------------ src/afl-tmin.c | 109 ++++++++------------------------------- 17 files changed, 222 insertions(+), 354 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 3df99a58..abaa71b5 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -195,18 +195,6 @@ enum { }; -/* Execution status fault codes */ - -enum { - - /* 00 */ FAULT_NONE, - /* 01 */ FAULT_TMOUT, - /* 02 */ FAULT_CRASH, - /* 03 */ FAULT_ERROR, - /* 04 */ FAULT_NOINST, - /* 05 */ FAULT_NOBITS - -}; #define operator_num 16 #define swarm_num 5 @@ -433,7 +421,6 @@ typedef struct afl_state { use_splicing, /* Recombine input files? */ dumb_mode, /* Run in non-instrumented mode? */ score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ resuming_fuzz, /* Resuming an older fuzzing job? */ timeout_given, /* Specific timeout given? */ not_on_tty, /* stdout is not a tty */ @@ -488,7 +475,6 @@ typedef struct afl_state { total_tmouts, /* Total number of timeouts */ unique_tmouts, /* Timeouts with unique signatures */ unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ last_crash_execs, /* Exec counter at last crash */ queue_cycle, /* Queue round counter */ cycles_wo_finds, /* Cycles without any new paths */ @@ -888,7 +874,7 @@ void show_init_stats(afl_state_t *); /* Run */ -u8 run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); +fsrv_run_result_t run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); void write_to_testcase(afl_state_t *, void *, u32); u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); void sync_fuzzers(afl_state_t *); diff --git a/include/forkserver.h b/include/forkserver.h index 6fbaf612..7559e785 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -29,6 +29,7 @@ #define __AFL_FORKSERVER_H #include +#include typedef struct afl_forkserver { @@ -55,16 +56,18 @@ typedef struct afl_forkserver { u32 snapshot; /* is snapshot feature used */ u64 mem_limit; /* Memory cap for child (MB) */ + u64 total_execs; /* How often run_target was called */ + u8 *out_file, /* File to fuzz, if any */ *target_path; /* Path of the target */ FILE *plot_file; /* Gnuplot output file */ - u8 child_timed_out; /* Traced process timed out? */ + u8 last_run_timed_out; /* Traced process timed out? */ - u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ + u8 last_kill_signal; /* Signal that killed the child */ - u32 prev_timed_out; /* if prev forkserver run timed out */ + u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ u8 qemu_mode; /* if running in qemu mode or not */ @@ -79,10 +82,22 @@ typedef struct afl_forkserver { } afl_forkserver_t; +typedef enum fsrv_run_result { + + /* 00 */ FSRV_RUN_OK = 0, + /* 01 */ FSRV_RUN_TMOUT, + /* 02 */ FSRV_RUN_CRASH, + /* 03 */ FSRV_RUN_ERROR, + /* 04 */ FSRV_RUN_NOINST, + /* 05 */ FSRV_RUN_NOBITS, + +} fsrv_run_result_t; + void afl_fsrv_init(afl_forkserver_t *fsrv); void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output); +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, volatile u8 *stop_soon_p); void afl_fsrv_killall(void); void afl_fsrv_deinit(afl_forkserver_t *fsrv); diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 952786b0..8625cfda 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -80,7 +80,7 @@ static u8 edges_only, /* Ignore hit counts? */ use_stdin = 1; /* Use stdin for program input? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ - child_timed_out; /* Child timed out? */ + child_timed_out; /* Child timed out? */ static u8 *target_path; static u8 qemu_mode; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index f647ff5d..a7be8e8b 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -76,7 +76,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->child_pid = -1; fsrv->map_size = MAP_SIZE; fsrv->use_fauxsrv = 0; - fsrv->prev_timed_out = 0; + fsrv->last_run_timed_out = 0; fsrv->init_child_func = fsrv_exec_child; @@ -102,7 +102,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->out_dir_fd = -1; fsrv_to->child_pid = -1; fsrv_to->use_fauxsrv = 0; - fsrv_to->prev_timed_out = 0; + fsrv_to->last_run_timed_out = 0; fsrv_to->init_child_func = fsrv_exec_child; @@ -217,7 +217,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); - fsrv->child_timed_out = 0; + fsrv->last_run_timed_out = 0; fsrv->fsrv_pid = fork(); if (fsrv->fsrv_pid < 0) PFATAL("fork() failed"); @@ -361,7 +361,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } else if (time > fsrv->exec_tmout * FORK_WAIT_MULT) { - fsrv->child_timed_out = 1; + fsrv->last_run_timed_out = 1; kill(fsrv->fsrv_pid, SIGKILL); } else { @@ -476,7 +476,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->child_timed_out) + if (fsrv->last_run_timed_out) FATAL("Timeout while initializing fork server (adjusting -t may help)"); if (waitpid(fsrv->fsrv_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); @@ -640,6 +640,127 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) { } +/* Execute target application, monitoring for timeouts. Return status + information. The called program will update afl->fsrv->trace_bits. */ + +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, volatile u8 *stop_soon_p) { + + s32 res; + u32 exec_ms; + + int status = 0; + + u32 timeout = fsrv->exec_tmout; + + /* After this memset, fsrv->trace_bits[] are effectively volatile, so we + must prevent any earlier operations from venturing into that + territory. */ + + memset(fsrv->trace_bits, 0, fsrv->map_size); + + MEM_BARRIER(); + + /* we have the fork server (or faux server) up and running + First, tell it if the previous run timed out. */ + + if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->last_run_timed_out, 4)) != 4) { + + if (*stop_soon_p) return 0; + RPFATAL(res, "Unable to request new process from fork server (OOM?)"); + + } + + fsrv->last_run_timed_out = 0; + + if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { + + if (stop_soon_p) return 0; + RPFATAL(res, "Unable to request new process from fork server (OOM?)"); + + } + + if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); + + exec_ms = read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, stop_soon_p); + + if (exec_ms > timeout) { + + /* If there was no response from forkserver after timeout seconds, + we kill the child. The forkserver should inform us afterwards */ + + kill(fsrv->child_pid, SIGKILL); + fsrv->last_run_timed_out = 1; + if (read(fsrv->fsrv_st_fd, &status, 4) < 4) exec_ms = 0; + + } + + if (!exec_ms) { + + if (*stop_soon_p) return 0; + SAYF("\n" cLRD "[-] " cRST + "Unable to communicate with fork server. Some possible reasons:\n\n" + " - You've run out of memory. Use -m to increase the the memory " + "limit\n" + " to something higher than %lld.\n" + " - The binary or one of the libraries it uses manages to " + "create\n" + " threads before the forkserver initializes.\n" + " - The binary, at least in some circumstances, exits in a way " + "that\n" + " also kills the parent process - raise() could be the " + "culprit.\n" + " - If using persistent mode with QEMU, " + "AFL_QEMU_PERSISTENT_ADDR " + "is\n" + " probably not valid (hint: add the base address in case of " + "PIE)" + "\n\n" + "If all else fails you can disable the fork server via " + "AFL_NO_FORKSRV=1.\n", + fsrv->mem_limit); + RPFATAL(res, "Unable to communicate with fork server"); + + } + + if (!WIFSTOPPED(status)) fsrv->child_pid = 0; + + fsrv->total_execs++; + + /* Any subsequent operations on fsrv->trace_bits must not be moved by the + compiler below this point. Past this location, fsrv->trace_bits[] + behave very normally and do not have to be treated as volatile. */ + + MEM_BARRIER(); + + /* Report outcome to caller. */ + + if (WIFSIGNALED(status) && !*stop_soon_p) { + + fsrv->last_kill_signal = WTERMSIG(status); + + if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) + return FSRV_RUN_TMOUT; + + return FSRV_RUN_CRASH; + + } + + /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and + must use a special exit code. */ + + if (fsrv->uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { + + fsrv->last_kill_signal = 0; + return FSRV_RUN_CRASH; + + } + + if ((*(u32 *)fsrv->trace_bits) == EXEC_FAIL_SIG) return FSRV_RUN_NOINST; + + return FSRV_RUN_OK; + +} + void afl_fsrv_killall() { LIST_FOREACH(&fsrv_list, afl_forkserver_t, { @@ -656,4 +777,3 @@ void afl_fsrv_deinit(afl_forkserver_t *fsrv) { list_remove(&fsrv_list, fsrv); } - diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index a0a720fa..66b1e60d 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -598,7 +598,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0); - if (unlikely(res == FAULT_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) FATAL("Unable to execute target application"); fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600); @@ -612,7 +612,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { switch (fault) { - case FAULT_TMOUT: + case FSRV_RUN_TMOUT: /* Timeouts are not very interesting, but we're still obliged to keep a handful of samples. We use the presence of new bits in the @@ -651,9 +651,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { timeout actually uncovers a crash. Make sure we don't discard it if so. */ - if (!afl->stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; + if (!afl->stop_soon && new_fault == FSRV_RUN_CRASH) goto keep_as_crash; - if (afl->stop_soon || new_fault != FAULT_TMOUT) return keeping; + if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) return keeping; } @@ -675,7 +675,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { break; - case FAULT_CRASH: + case FSRV_RUN_CRASH: keep_as_crash: @@ -704,7 +704,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, - afl->unique_crashes, afl->kill_signal, describe_op(afl, 0)); + afl->unique_crashes, afl->fsrv.last_kill_signal, describe_op(afl, 0)); #else @@ -730,11 +730,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } afl->last_crash_time = get_cur_time(); - afl->last_crash_execs = afl->total_execs; + afl->last_crash_execs = afl->fsrv.total_execs; break; - case FAULT_ERROR: FATAL("Unable to execute target application"); + case FSRV_RUN_ERROR: FATAL("Unable to execute target application"); default: return keeping; diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index e2747097..ab93d838 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -66,7 +66,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->stop_soon) return 1; - if (fault == FAULT_TMOUT) { + if (fault == FSRV_RUN_TMOUT) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 10417da6..55f7ce53 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -493,13 +493,13 @@ void perform_dry_run(afl_state_t *afl) { if (afl->stop_soon) return; - if (res == afl->crash_mode || res == FAULT_NOBITS) + if (res == afl->crash_mode || res == FSRV_RUN_NOBITS) SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, q->len, q->bitmap_size, q->exec_us); switch (res) { - case FAULT_NONE: + case FSRV_RUN_OK: if (q == afl->queue) check_map_coverage(afl); @@ -507,7 +507,7 @@ void perform_dry_run(afl_state_t *afl) { break; - case FAULT_TMOUT: + case FSRV_RUN_TMOUT: if (afl->timeout_given) { @@ -556,7 +556,7 @@ void perform_dry_run(afl_state_t *afl) { } - case FAULT_CRASH: + case FSRV_RUN_CRASH: if (afl->crash_mode) break; @@ -650,13 +650,13 @@ void perform_dry_run(afl_state_t *afl) { FATAL("Test case '%s' results in a crash", fn); - case FAULT_ERROR: + case FSRV_RUN_ERROR: FATAL("Unable to execute target application ('%s')", afl->argv[0]); - case FAULT_NOINST: FATAL("No instrumentation detected"); + case FSRV_RUN_NOINST: FATAL("No instrumentation detected"); - case FAULT_NOBITS: + case FSRV_RUN_NOBITS: ++afl->useless_at_start; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index efb1c117..7bf23e84 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -242,7 +242,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; - if (afl->stop_soon || fault == FAULT_ERROR) { goto abort_trimming; } + if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 961a29d6..cc97654a 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -442,14 +442,14 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->queue_cur->cal_failed)) { - u8 res = FAULT_TMOUT; + u8 res = FSRV_RUN_TMOUT; if (afl->queue_cur->cal_failed < CAL_CHANCES) { res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); - if (unlikely(res == FAULT_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) FATAL("Unable to execute target application"); } @@ -471,7 +471,7 @@ u8 fuzz_one_original(afl_state_t *afl) { u8 res = trim_case(afl, afl->queue_cur, in_buf); - if (unlikely(res == FAULT_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) FATAL("Unable to execute target application"); if (unlikely(afl->stop_soon)) { @@ -2469,14 +2469,14 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->queue_cur->cal_failed) { - u8 res = FAULT_TMOUT; + u8 res = FSRV_RUN_TMOUT; if (afl->queue_cur->cal_failed < CAL_CHANCES) { res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (res == FSRV_RUN_ERROR) FATAL("Unable to execute target application"); } @@ -2497,7 +2497,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { u8 res = trim_case(afl, afl->queue_cur, in_buf); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (res == FSRV_RUN_ERROR) FATAL("Unable to execute target application"); if (afl->stop_soon) { diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 5eb110d0..d05eee08 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -492,7 +492,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { // the more often fuzz result paths are equal to this queue entry, // reduce its value perf_score *= - (1 - (double)((double)q->n_fuzz / (double)afl->total_execs)); + (1 - (double)((double)q->n_fuzz / (double)afl->fsrv.total_execs)); break; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6a01ec89..8cea01e8 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -622,7 +622,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1; u64 orig_hit_cnt, new_hit_cnt; - u64 orig_execs = afl->total_execs; + u64 orig_execs = afl->fsrv.total_execs; orig_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->stage_name = "input-to-state"; @@ -670,7 +670,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, exit_its: new_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; - afl->stage_cycles[STAGE_ITS] += afl->total_execs - orig_execs; + afl->stage_cycles[STAGE_ITS] += afl->fsrv.total_execs - orig_execs; memcpy(orig_buf, buf, len); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 514ba9ef..b20c5436 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -32,95 +32,9 @@ /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */ -u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { +fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { - s32 res; - u32 exec_ms; - - int status = 0; - u32 tb4; - - fsrv->child_timed_out = 0; - - /* After this memset, fsrv->trace_bits[] are effectively volatile, so we - must prevent any earlier operations from venturing into that - territory. */ - - memset(fsrv->trace_bits, 0, fsrv->map_size); - - MEM_BARRIER(); - - /* we have the fork server (or faux server) up and running, so simply - tell it to have at it, and then read back PID. */ - - if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)) != 4) { - - if (afl->stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - - if (afl->stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - - exec_ms = read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); - - if (exec_ms > timeout) { - - /* If there was no response from forkserver after timeout seconds, - we kill the child. The forkserver should inform us afterwards */ - - kill(fsrv->child_pid, SIGKILL); - fsrv->child_timed_out = 1; - if (read(fsrv->fsrv_st_fd, &status, 4) < 4) exec_ms = 0; - - } - - if (!exec_ms) { - - if (afl->stop_soon) return 0; - SAYF("\n" cLRD "[-] " cRST - "Unable to communicate with fork server. Some possible reasons:\n\n" - " - You've run out of memory. Use -m to increase the the memory " - "limit\n" - " to something higher than %lld.\n" - " - The binary or one of the libraries it uses manages to " - "create\n" - " threads before the forkserver initializes.\n" - " - The binary, at least in some circumstances, exits in a way " - "that\n" - " also kills the parent process - raise() could be the " - "culprit.\n" - " - If using persistent mode with QEMU, " - "AFL_QEMU_PERSISTENT_ADDR " - "is\n" - " probably not valid (hint: add the base address in case of " - "PIE)" - "\n\n" - "If all else fails you can disable the fork server via " - "AFL_NO_FORKSRV=1.\n", - fsrv->mem_limit); - RPFATAL(res, "Unable to communicate with fork server"); - - } - - if (!WIFSTOPPED(status)) fsrv->child_pid = 0; - - ++afl->total_execs; - - /* Any subsequent operations on fsrv->trace_bits must not be moved by the - compiler below this point. Past this location, fsrv->trace_bits[] - behave very normally and do not have to be treated as volatile. */ - - MEM_BARRIER(); - - tb4 = *(u32 *)fsrv->trace_bits; + fsrv_run_result_t res = afl_fsrv_run_target(&afl->fsrv, &afl->stop_soon); #ifdef WORD_SIZE_64 classify_counts(afl, (u64 *)fsrv->trace_bits); @@ -128,35 +42,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { classify_counts(afl, (u32 *)fsrv->trace_bits); #endif /* ^WORD_SIZE_64 */ - fsrv->prev_timed_out = fsrv->child_timed_out; - - /* Report outcome to caller. */ - - if (WIFSIGNALED(status) && !afl->stop_soon) { - - afl->kill_signal = WTERMSIG(status); - - if (fsrv->child_timed_out && afl->kill_signal == SIGKILL) - return FAULT_TMOUT; - - return FAULT_CRASH; - - } - - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ - - if (fsrv->uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { - - afl->kill_signal = 0; - return FAULT_CRASH; - - } - - if ((afl->dumb_mode == 1 || afl->no_forkserver) && tb4 == EXEC_FAIL_SIG) - return FAULT_ERROR; - - return FAULT_NONE; + return res; } @@ -348,7 +234,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (!afl->dumb_mode && !afl->stage_cur && !count_bytes(afl, afl->fsrv.trace_bits)) { - fault = FAULT_NOINST; + fault = FSRV_RUN_NOINST; goto abort_calibration; } @@ -408,7 +294,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, parent. This is a non-critical problem, but something to warn the user about. */ - if (!afl->dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; + if (!afl->dumb_mode && first_run && !fault && !new_bits) fault = FSRV_RUN_NOBITS; abort_calibration: @@ -645,7 +531,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; - if (afl->stop_soon || fault == FAULT_ERROR) goto abort_trimming; + if (afl->stop_soon || fault == FSRV_RUN_ERROR) goto abort_trimming; /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ @@ -753,7 +639,7 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->stop_soon) return 1; - if (fault == FAULT_TMOUT) { + if (fault == FSRV_RUN_TMOUT) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d48dd5e3..52148dc2 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -108,14 +108,14 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->start_time / 1000, cur_time / 1000, (cur_time - afl->start_time) / 1000, getpid(), afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, - afl->total_execs, - afl->total_execs / ((double)(get_cur_time() - afl->start_time) / 1000), + afl->fsrv.total_execs, + afl->fsrv.total_execs / ((double)(get_cur_time() - afl->start_time) / 1000), afl->queued_paths, afl->queued_favored, afl->queued_discovered, afl->queued_imported, afl->max_depth, afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->last_path_time / 1000, afl->last_crash_time / 1000, - afl->last_hang_time / 1000, afl->total_execs - afl->last_crash_execs, + afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, afl->slowest_exec_ms, #ifdef __APPLE__ (unsigned long int)(rus.ru_maxrss >> 20), @@ -227,7 +227,7 @@ void show_stats(afl_state_t *afl) { if (afl->most_execs_key == 1) { - if (afl->most_execs <= afl->total_execs) { + if (afl->most_execs <= afl->fsrv.total_execs) { afl->most_execs_key = 2; afl->stop_soon = 2; @@ -251,11 +251,11 @@ void show_stats(afl_state_t *afl) { if (!afl->stats_last_execs) { afl->stats_avg_exec = - ((double)afl->total_execs) * 1000 / (cur_ms - afl->start_time); + ((double)afl->fsrv.total_execs) * 1000 / (cur_ms - afl->start_time); } else { - double cur_avg = ((double)(afl->total_execs - afl->stats_last_execs)) * + double cur_avg = ((double)(afl->fsrv.total_execs - afl->stats_last_execs)) * 1000 / (cur_ms - afl->stats_last_ms); /* If there is a dramatic (5x+) jump in speed, reset the indicator @@ -270,7 +270,7 @@ void show_stats(afl_state_t *afl) { } afl->stats_last_ms = cur_ms; - afl->stats_last_execs = afl->total_execs; + afl->stats_last_execs = afl->fsrv.total_execs; /* Tell the callers when to contact us (as measured in execs). */ @@ -543,14 +543,14 @@ void show_stats(afl_state_t *afl) { SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP " new crashes : %s%-22s" bSTG bV "\n", - u_stringify_int(IB(0), afl->total_execs), + u_stringify_int(IB(0), afl->fsrv.total_execs), afl->unique_crashes ? cLRD : cRST, tmp); } else { SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP " total crashes : %s%-22s" bSTG bV "\n", - u_stringify_int(IB(0), afl->total_execs), + u_stringify_int(IB(0), afl->fsrv.total_execs), afl->unique_crashes ? cLRD : cRST, tmp); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 07067691..9f17b61b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -480,7 +480,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'C': /* crash mode */ if (afl->crash_mode) FATAL("Multiple -C options not supported"); - afl->crash_mode = FAULT_CRASH; + afl->crash_mode = FSRV_RUN_CRASH; break; case 'n': /* dumb mode */ diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index eea1cc95..16d6fe41 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -40,7 +40,6 @@ #include #include -#include #include #include #include diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 3fcc1d2b..5f622c25 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -69,7 +69,7 @@ static u8 *in_data; /* Input data */ static u32 total, highest; /* tuple content information */ static u32 in_len, /* Input data length */ - arg_offset, total_execs; /* Total number of execs */ + arg_offset; /* Total number of execs */ static u8 quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ @@ -193,7 +193,7 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { if (cmin_mode) { - if (fsrv->child_timed_out) break; + if (fsrv->last_run_timed_out) break; if (!caa && child_crashed != cco) break; fprintf(f, "%u%u\n", fsrv->trace_bits[i], i); @@ -233,75 +233,18 @@ static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { } -/* Execute target application. Returns 0 if the changes are a dud, or - 1 if they should be kept. */ +/* Execute target application. */ -static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, +void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len) { - struct itimerval it; - int status = 0; - - memset(fsrv->trace_bits, 0, MAP_SIZE); - MEM_BARRIER(); - write_to_testcase(fsrv, mem, len); - s32 res; - - /* we have the fork server up and running, so simply - tell it to have at it, and then read back PID. */ - - if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - - /* Configure timeout, wait for child, cancel timeout. */ - - if (fsrv->exec_tmout) { - - it.it_value.tv_sec = (fsrv->exec_tmout / 1000); - it.it_value.tv_usec = (fsrv->exec_tmout % 1000) * 1000; - - } - - setitimer(ITIMER_REAL, &it, NULL); - - if ((res = read(fsrv->fsrv_st_fd, &status, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to communicate with fork server (OOM?)"); - - } - - fsrv->child_pid = 0; - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - - setitimer(ITIMER_REAL, &it, NULL); - - MEM_BARRIER(); - - /* Clean up bitmap, analyze exit condition, etc. */ - - if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute '%s'", argv[0]); + fsrv_run_result_t res = afl_fsrv_run_target(fsrv, &stop_soon); + if (res == FSRV_RUN_NOINST || res == FSRV_RUN_ERROR) FATAL("Error running target"); classify_counts(fsrv->trace_bits, binary_mode ? count_class_binary : count_class_human); - total_execs++; if (stop_soon) { @@ -310,22 +253,6 @@ static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, } - /* Always discard inputs that time out. */ - - if (fsrv->child_timed_out) { return 0; } - - /* Handle crashing inputs depending on current mode. */ - - if (WIFSIGNALED(status) || - (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || - (WIFEXITED(status) && WEXITSTATUS(status))) { - - return 0; - - } - - return 0; - } /* Read initial file. */ @@ -425,7 +352,7 @@ static void run_target(afl_forkserver_t *fsrv, char **argv) { if (fsrv->exec_tmout) { - fsrv->child_timed_out = 0; + fsrv->last_run_timed_out = 0; it.it_value.tv_sec = (fsrv->exec_tmout / 1000); it.it_value.tv_usec = (fsrv->exec_tmout % 1000) * 1000; @@ -452,12 +379,12 @@ static void run_target(afl_forkserver_t *fsrv, char **argv) { if (!quiet_mode) SAYF(cRST "-- Program output ends --\n"); - if (!fsrv->child_timed_out && !stop_soon && WIFSIGNALED(status)) + if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(status)) child_crashed = 1; if (!quiet_mode) { - if (fsrv->child_timed_out) + if (fsrv->last_run_timed_out) SAYF(cLRD "\n+++ Program timed off +++\n" cRST); else if (stop_soon) SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST); @@ -980,7 +907,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!quiet_mode) OKF("Processed %u input files.", total_execs); + if (!quiet_mode) OKF("Processed %llu input files.", fsrv->total_execs); closedir(dir_in); if (dir_out) closedir(dir_out); @@ -1010,7 +937,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_shm_deinit(&shm); - u32 ret = child_crashed * 2 + fsrv->child_timed_out; + u32 ret = child_crashed * 2 + fsrv->last_run_timed_out; if (fsrv->target_path) ck_free(fsrv->target_path); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 31fad1df..999d5f65 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -67,7 +67,6 @@ static u8 *in_data; /* Input data for trimming */ static u32 in_len, /* Input data length */ orig_cksum, /* Original checksum */ - total_execs, /* Total number of execs */ missed_hangs, /* Misses due to hangs */ missed_crashes, /* Misses due to crashes */ missed_paths; /* Misses due to exec path diffs */ @@ -249,69 +248,11 @@ static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, u8 first_run) { - struct itimerval it; - int status = 0; - - u32 cksum; - - fsrv->child_timed_out = 0; - - memset(fsrv->trace_bits, 0, fsrv->map_size); - MEM_BARRIER(); - write_to_testcase(fsrv, mem, len); - s32 res; - - /* we have the fork server up and running, so simply - tell it to have at it, and then read back PID. */ - - if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - - /* Configure timeout, wait for child, cancel timeout. */ - - if (fsrv->exec_tmout) { - - it.it_value.tv_sec = (fsrv->exec_tmout / 1000); - it.it_value.tv_usec = (fsrv->exec_tmout % 1000) * 1000; - - } - - setitimer(ITIMER_REAL, &it, NULL); + fsrv_run_result_t ret = afl_fsrv_run_target(fsrv, &stop_soon); - if ((res = read(fsrv->fsrv_st_fd, &status, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to communicate with fork server (OOM?)"); - - } - - fsrv->child_pid = 0; - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - - setitimer(ITIMER_REAL, &it, NULL); - - MEM_BARRIER(); - - /* Clean up bitmap, analyze exit condition, etc. */ - - if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute '%s'", argv[0]); + if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child"); if (!hang_mode) { @@ -320,8 +261,6 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, } - total_execs++; - if (stop_soon) { SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST); @@ -334,25 +273,21 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, if (hang_mode) { - if (fsrv->child_timed_out) return 1; - - if (WIFSIGNALED(status) || - (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || - (WIFEXITED(status) && WEXITSTATUS(status) && exit_crash)) { - + switch (ret) + { + case FSRV_RUN_TMOUT: + return 1; + case FSRV_RUN_CRASH: missed_crashes++; - - } else { - + return 0; + default: missed_hangs++; - + return 0; } - return 0; - } - if (fsrv->child_timed_out) { + if (ret == FSRV_RUN_TMOUT) { missed_hangs++; return 0; @@ -361,9 +296,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, /* Handle crashing inputs depending on current mode. */ - if (WIFSIGNALED(status) || - (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || - (WIFEXITED(status) && WEXITSTATUS(status) && exit_crash)) { + if (ret == FSRV_RUN_CRASH) { if (first_run) crash_mode = 1; @@ -391,7 +324,9 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, } - cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST); + if (ret == FSRV_RUN_NOINST) FATAL("Binary not instrumented?"); + + u32 cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST); if (first_run) orig_cksum = cksum; @@ -640,11 +575,11 @@ finalize_all: SAYF("\n" cGRA " File size reduced by : " cRST "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST - "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA + "%0.02f%%\n" cGRA " Number of execs done : " cRST "%llu\n" cGRA " Fruitless execs : " cRST "termination=%u crash=%u\n\n", 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), fsrv->total_execs, missed_paths, missed_crashes); return; @@ -652,13 +587,13 @@ finalize_all: SAYF("\n" cGRA " File size reduced by : " cRST "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST - "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA + "%0.02f%%\n" cGRA " Number of execs done : " cRST "%llu\n" cGRA " Fruitless execs : " cRST "path=%u crash=%u hang=%s%u\n\n", 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), fsrv->total_execs, missed_paths, missed_crashes, missed_hangs ? cLRD : "", missed_hangs); - if (total_execs > 50 && missed_hangs * 10 > total_execs && !hang_mode) + if (fsrv->total_execs > 50 && missed_hangs * 10 > fsrv->total_execs && !hang_mode) WARNF(cLRD "Frequent timeouts - results may be skewed." cRST); } @@ -1139,13 +1074,13 @@ int main(int argc, char **argv_orig, char **envp) { run_target(fsrv, use_argv, in_data, in_len, 1); - if (hang_mode && !fsrv->child_timed_out) + if (hang_mode && !fsrv->last_run_timed_out) FATAL( "Target binary did not time out but hang minimization mode " "(-H) was set (-t %u).", fsrv->exec_tmout); - if (fsrv->child_timed_out && !hang_mode) + if (fsrv->last_run_timed_out && !hang_mode) FATAL( "Target binary times out (adjusting -t may help). Use -H to minimize a " "hang."); -- cgit 1.4.1 From 8511638afb1c51de37383ba2d86ed0b2a4a09415 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 15:38:43 +0200 Subject: hunting non-static functions --- GNUmakefile | 2 +- include/afl-fuzz.h | 1 + src/afl-fuzz-one.c | 4 ++-- src/afl-fuzz-python.c | 2 +- src/afl-fuzz-redqueen.c | 4 ++-- 5 files changed, 7 insertions(+), 6 deletions(-) (limited to 'src/afl-fuzz-one.c') diff --git a/GNUmakefile b/GNUmakefile index 74a290e6..5657f9a7 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -69,7 +69,7 @@ ifneq "$(shell uname -m)" "x86_64" endif CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT) -override CFLAGS += -Wall -g -Wno-pointer-sign \ +override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations \ -I include/ -Werror -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index c92b002e..57ef5d58 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -808,6 +808,7 @@ u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf); /* Python */ #ifdef USE_PYTHON +void load_custom_mutator_py(afl_state_t *, char *); void finalize_py_module(void *); size_t pre_save_py(void *, u8 *, size_t, u8 **); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index cc97654a..a4ba739e 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -27,7 +27,7 @@ /* MOpt */ -int select_algorithm(afl_state_t *afl) { +static int select_algorithm(afl_state_t *afl) { int i_puppet, j_puppet; @@ -2366,7 +2366,7 @@ abandon_entry: } /* MOpt mode */ -u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { +static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (!MOpt_globals.is_pilot_mode) { diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 12c3a09d..33f01797 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -41,7 +41,7 @@ it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ &((py_mutator_t *)py_mutator)->name##_size -size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, +static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size) { size_t mutated_size; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6f2fb144..3e9af088 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -37,7 +37,7 @@ struct range { }; -struct range *add_range(struct range *ranges, u32 start, u32 end) { +static struct range *add_range(struct range *ranges, u32 start, u32 end) { struct range *r = ck_alloc_nozero(sizeof(struct range)); r->start = start; @@ -47,7 +47,7 @@ struct range *add_range(struct range *ranges, u32 start, u32 end) { } -struct range *pop_biggest_range(struct range **ranges) { +static struct range *pop_biggest_range(struct range **ranges) { struct range *r = *ranges; struct range *prev = NULL; -- cgit 1.4.1