From 7b40d7b9420b2e3adb7d9afa88610199718dedba Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 12 May 2020 11:12:25 +0200 Subject: new code formatting + applied --- src/afl-fuzz-python.c | 74 +++++++++++++++++++++++++-------------------------- 1 file changed, 37 insertions(+), 37 deletions(-) (limited to 'src/afl-fuzz-python.c') diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 832dba06..1084e4f1 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -35,11 +35,11 @@ static void *unsupported(afl_state_t *afl, unsigned int seed) { } -/* sorry for this makro... -it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ -#define BUF_PARAMS(name) \ - (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ - &((py_mutator_t *)py_mutator)->name##_size + /* sorry for this makro... + it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ + #define BUF_PARAMS(name) \ + (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ + &((py_mutator_t *)py_mutator)->name##_size static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size) { @@ -71,12 +71,12 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, PyTuple_SetItem(py_args, 1, py_value); -/* max_size */ -#if PY_MAJOR_VERSION >= 3 + /* max_size */ + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else + #else py_value = PyInt_FromLong(max_size); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -118,11 +118,11 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { Py_Initialize(); -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 PyObject *py_name = PyUnicode_FromString(module_name); -#else + #else PyObject *py_name = PyString_FromString(module_name); -#endif + #endif py->py_module = PyImport_Import(py_name); Py_DECREF(py_name); @@ -243,11 +243,11 @@ static void init_py(afl_state_t *afl, py_mutator_t *py_mutator, /* Provide the init function a seed for the Python RNG */ py_args = PyTuple_New(1); -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(seed); -#else + #else py_value = PyInt_FromLong(seed); -#endif + #endif if (!py_value) { @@ -440,11 +440,11 @@ s32 init_trim_py(void *py_mutator, u8 *buf, size_t buf_size) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else + #else u32 retcnt = PyInt_AsLong(py_value); -#endif + #endif Py_DECREF(py_value); return retcnt; @@ -479,11 +479,11 @@ s32 post_trim_py(void *py_mutator, u8 success) { if (py_value != NULL) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 u32 retcnt = (u32)PyLong_AsLong(py_value); -#else + #else u32 retcnt = PyInt_AsLong(py_value); -#endif + #endif Py_DECREF(py_value); return retcnt; @@ -542,12 +542,12 @@ size_t havoc_mutation_py(void *py_mutator, u8 *buf, size_t buf_size, PyTuple_SetItem(py_args, 0, py_value); -/* max_size */ -#if PY_MAJOR_VERSION >= 3 + /* max_size */ + #if PY_MAJOR_VERSION >= 3 py_value = PyLong_FromLong(max_size); -#else + #else py_value = PyInt_FromLong(max_size); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -624,12 +624,12 @@ u8 queue_get_py(void *py_mutator, const u8 *filename) { py_args = PyTuple_New(1); -// File name -#if PY_MAJOR_VERSION >= 3 + // File name + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename); -#else + #else py_value = PyString_FromString(filename); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -674,12 +674,12 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_args = PyTuple_New(2); -// New queue -#if PY_MAJOR_VERSION >= 3 + // New queue + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_new_queue); -#else + #else py_value = PyString_FromString(filename_new_queue); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -693,11 +693,11 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, py_value = Py_None; if (filename_orig_queue) { -#if PY_MAJOR_VERSION >= 3 + #if PY_MAJOR_VERSION >= 3 py_value = PyUnicode_FromString(filename_orig_queue); -#else + #else py_value = PyString_FromString(filename_orig_queue); -#endif + #endif if (!py_value) { Py_DECREF(py_args); @@ -724,7 +724,7 @@ void queue_new_entry_py(void *py_mutator, const u8 *filename_new_queue, } -#undef BUF_PARAMS + #undef BUF_PARAMS #endif /* USE_PYTHON */ -- cgit 1.4.1 From 060f4ea320b2417bab2f153779b248698544f536 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 12 May 2020 17:05:12 +0200 Subject: enforce mandatary custom functions --- docs/custom_mutators.md | 22 +++++++++++++++------- src/afl-fuzz-mutators.c | 6 +++--- src/afl-fuzz-python.c | 8 ++++++++ 3 files changed, 26 insertions(+), 10 deletions(-) (limited to 'src/afl-fuzz-python.c') diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 3cd874b9..c044be0c 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -84,13 +84,16 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): - `queue_get` (optional): - This method determines whether the fuzzer should fuzz the current queue - entry or not + This method determines whether the custom fuzzer should fuzz the current + queue entry or not -- `fuzz` (required): +- `fuzz` (optional): This method performs custom mutations on a given input. It also accepts an additional test case. + Note that this function is optional - but it makes sense to use it. + You would only skip this if `pre_send` is used to fix checksums etc. + so you are using it e.g. as a post processing library. - `havoc_mutation` and `havoc_mutation_probability` (optional): @@ -114,6 +117,13 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): This methods is called after adding a new test case to the queue. +- `deinit`: + + The last method to be called, deinitializing the state. + +Note that there are also three functions for trimming as described in the +next section. + ### Trimming Support The generic trimming routines implemented in AFL++ can easily destroy the @@ -160,10 +170,8 @@ trimmed input. Here's a quick API description: In any case, this method must return the next trim iteration index (from 0 to the maximum amount of steps you returned in `init_trim`). -`deinit` the last method to be called, deinitializing the state. - -Omitting any of three methods will cause the trimming to be disabled and trigger -a fallback to the builtin default trimming routine. +Omitting any of three trimming methods will cause the trimming to be disabled +and trigger a fallback to the builtin default trimming routine. ### Environment Variables diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 6bd13e2b..2c2efc94 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -151,7 +151,7 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { /* Mutator */ /* "afl_custom_init", optional for backward compatibility */ mutator->afl_custom_init = dlsym(dh, "afl_custom_init"); - if (!mutator->afl_custom_init) WARNF("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_init) FATAL("Symbol 'afl_custom_init' not found."); /* "afl_custom_fuzz" or "afl_custom_mutator", required */ mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz"); @@ -162,13 +162,13 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator"); if (!mutator->afl_custom_fuzz) - FATAL("Symbol 'afl_custom_mutator' not found."); + WARNF("Symbol 'afl_custom_mutator' not found."); } /* "afl_custom_deinit", optional for backward compatibility */ mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); - if (!mutator->afl_custom_deinit) WARNF("Symbol 'afl_custom_init' not found."); + if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_init' not found."); /* "afl_custom_pre_save", optional */ mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 1084e4f1..460d6683 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -135,7 +135,13 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { u8 py_notrim = 0, py_idx; /* init, required */ py_functions[PY_FUNC_INIT] = PyObject_GetAttrString(py_module, "init"); + if (!py_functions[PY_FUNC_INIT]) + FATAL("init function not found in python module"); py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "fuzz"); + if (!py_functions[PY_FUNC_FUZZ]) + py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); + if (!py_functions[PY_FUNC_FUZZ]) + WARNF("fuzz function not found in python module"); py_functions[PY_FUNC_PRE_SAVE] = PyObject_GetAttrString(py_module, "pre_save"); py_functions[PY_FUNC_INIT_TRIM] = @@ -152,6 +158,8 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_QUEUE_NEW_ENTRY] = PyObject_GetAttrString(py_module, "queue_new_entry"); py_functions[PY_FUNC_DEINIT] = PyObject_GetAttrString(py_module, "deinit"); + if (!py_functions[PY_FUNC_DEINIT]) + FATAL("deinit function not found in python module"); for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) { -- cgit 1.4.1 From 9627458ecc61783aa1f8bf76835abe00c4107739 Mon Sep 17 00:00:00 2001 From: rish9101 Date: Wed, 13 May 2020 18:59:12 +0530 Subject: Add post library API as custom mutator and rename pre_save --- docs/custom_mutators.md | 12 ++++++------ examples/custom_mutators/example.c | 24 +++++++++++------------ examples/custom_mutators/example.py | 2 +- examples/post_library/post_library.so.c | 2 +- examples/post_library/post_library_png.so.c | 2 +- include/afl-fuzz.h | 22 ++++++++++----------- src/afl-fuzz-cmplog.c | 11 ----------- src/afl-fuzz-init.c | 24 ++++++++++++++--------- src/afl-fuzz-mutators.c | 18 +++++++++-------- src/afl-fuzz-python.c | 30 ++++++++++++++--------------- src/afl-fuzz-run.c | 20 ++++--------------- src/afl-fuzz-state.c | 1 - 12 files changed, 75 insertions(+), 93 deletions(-) (limited to 'src/afl-fuzz-python.c') diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index b15039d4..9424af9c 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -33,7 +33,7 @@ C/C++: ```c void *afl_custom_init(afl_t *afl, unsigned int seed); size_t afl_custom_fuzz(void *data, uint8_t *buf, size_t buf_size, u8 **out_buf, uint8_t *add_buf, size_t add_buf_size, size_t max_size); -size_t afl_custom_pre_save(void *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf); +size_t afl_custom_post_process(void *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf); int32_t afl_custom_init_trim(void *data, uint8_t *buf, size_t buf_size); size_t afl_custom_trim(void *data, uint8_t **out_buf); int32_t afl_custom_post_trim(void *data, int success) { @@ -51,7 +51,7 @@ def init(seed): def fuzz(buf, add_buf, max_size): return mutated_out -def pre_save(buf): +def post_process(buf): return out_buf def init_trim(buf): @@ -92,7 +92,7 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): This method performs custom mutations on a given input. It also accepts an additional test case. Note that this function is optional - but it makes sense to use it. - You would only skip this if `pre_send` is used to fix checksums etc. + You would only skip this if `post_process` is used to fix checksums etc. so you are using it e.g. as a post processing library. - `havoc_mutation` and `havoc_mutation_probability` (optional): @@ -102,7 +102,7 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): `havoc_mutation_probability`, returns the probability that `havoc_mutation` is called in havoc. By default, it is 6%. -- `pre_save` (optional): +- `post_process` (optional): For some cases, the format of the mutated data returned from the custom mutator is not suitable to directly execute the target with this input. @@ -110,7 +110,7 @@ def queue_new_entry(filename_new_queue, filename_orig_queue): protobuf format which corresponds to a given grammar. In order to execute the target, the protobuf data must be converted to the plain-text format expected by the target. In such scenarios, the user can define the - `pre_save` function. This function is then transforming the data into the + `post_process` function. This function is then transforming the data into the format expected by the API before executing the target. - `queue_new_entry` (optional): @@ -222,7 +222,7 @@ For C/C++ mutator, the source code must be compiled as a shared object: gcc -shared -Wall -O3 example.c -o example.so ``` Note that if you specify multiple custom mutators, the corresponding functions will -be called in the order in which they are specified. e.g first `pre_save` function of +be called in the order in which they are specified. e.g first `post_process` function of `example_first.so` will be called and then that of `example_second.so` ### Run diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index c8200b26..c9be3e0c 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c @@ -38,7 +38,7 @@ typedef struct my_mutator { BUF_VAR(u8, data); BUF_VAR(u8, havoc); BUF_VAR(u8, trim); - BUF_VAR(u8, pre_save); + BUF_VAR(u8, post_process); } my_mutator_t; @@ -139,11 +139,11 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, * @return Size of the output buffer after processing or the needed amount. * A return of 0 indicates an error. */ -size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size, +size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, size_t buf_size, uint8_t **out_buf) { - uint8_t *pre_save_buf = maybe_grow(BUF_PARAMS(data, pre_save), buf_size + 5); - if (!pre_save_buf) { + uint8_t *post_process_buf = maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); + if (!post_process_buf) { perror("custom mutator realloc failed."); *out_buf = NULL; @@ -151,14 +151,14 @@ size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size, } - memcpy(pre_save_buf + 5, buf, buf_size); - pre_save_buf[0] = 'A'; - pre_save_buf[1] = 'F'; - pre_save_buf[2] = 'L'; - pre_save_buf[3] = '+'; - pre_save_buf[4] = '+'; + memcpy(post_process_buf + 5, buf, buf_size); + post_process_buf[0] = 'A'; + post_process_buf[1] = 'F'; + post_process_buf[2] = 'L'; + post_process_buf[3] = '+'; + post_process_buf[4] = '+'; - *out_buf = pre_save_buf; + *out_buf = post_process_buf; return buf_size + 5; @@ -364,7 +364,7 @@ void afl_custom_queue_new_entry(my_mutator_t * data, */ void afl_custom_deinit(my_mutator_t *data) { - free(data->pre_save_buf); + free(data->post_process_buf); free(data->havoc_buf); free(data->data_buf); free(data->fuzz_buf); diff --git a/examples/custom_mutators/example.py b/examples/custom_mutators/example.py index 3c3fa8c1..cf659e5a 100644 --- a/examples/custom_mutators/example.py +++ b/examples/custom_mutators/example.py @@ -120,7 +120,7 @@ def fuzz(buf, add_buf, max_size): # # return next_index # -# def pre_save(buf): +# def post_process(buf): # ''' # Called just before the execution to write the test case in the format # expected by the target diff --git a/examples/post_library/post_library.so.c b/examples/post_library/post_library.so.c index 0aa780cb..69fb221e 100644 --- a/examples/post_library/post_library.so.c +++ b/examples/post_library/post_library.so.c @@ -83,7 +83,7 @@ typedef struct post_state { } post_state_t; -void *afl_postprocess_init(void *afl) { +void *afl_postprocess_init(void *afl, unsigned int seed{ post_state_t *state = malloc(sizeof(post_state_t)); if (!state) { diff --git a/examples/post_library/post_library_png.so.c b/examples/post_library/post_library_png.so.c index 41ba4f5e..b29afd62 100644 --- a/examples/post_library/post_library_png.so.c +++ b/examples/post_library/post_library_png.so.c @@ -43,7 +43,7 @@ typedef struct post_state { } post_state_t; -void *afl_postprocess_init(void *afl) { +void *afl_postprocess_init(void *afl, unsigned int seed) { post_state_t *state = malloc(sizeof(post_state_t)); if (!state) { diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 421413ca..057f78c2 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -260,7 +260,7 @@ enum { /* 00 */ PY_FUNC_INIT, /* 01 */ PY_FUNC_FUZZ, - /* 02 */ PY_FUNC_PRE_SAVE, + /* 02 */ PY_FUNC_post_process, /* 03 */ PY_FUNC_INIT_TRIM, /* 04 */ PY_FUNC_POST_TRIM, /* 05 */ PY_FUNC_TRIM, @@ -283,8 +283,8 @@ typedef struct py_mutator { u8 * fuzz_buf; size_t fuzz_size; - u8 * pre_save_buf; - size_t pre_save_size; + u8 * post_process_buf; + size_t post_process_size; u8 * trim_buf; size_t trim_size; @@ -545,11 +545,9 @@ typedef struct afl_state { struct extra_data *a_extras; /* Automatically selected extras */ u32 a_extras_cnt; /* Total number of tokens available */ - /* afl_postprocess API */ - void *(*post_init)(struct afl_state *afl); - size_t (*post_handler)(void *data, u8 *buf, u32 len, u8 **out_buf); - void *(*post_deinit)(void *data); - void *post_data; + /* afl_postprocess API - Now supported via custom mutators */ + + struct custom_mutator * post_library_mutator; /* CmpLog */ @@ -623,8 +621,8 @@ struct custom_mutator { const char *name; void * dh; - u8 * pre_save_buf; - size_t pre_save_size; + u8 * post_process_buf; + size_t post_process_size; u8 stacked_custom_prob, stacked_custom; void *data; /* custom mutator data ptr */ @@ -675,7 +673,7 @@ struct custom_mutator { * It can chose to alter buf in-place, if the space is large enough. * @return Size of the output buffer. */ - size_t (*afl_custom_pre_save)(void *data, u8 *buf, size_t buf_size, + size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size, u8 **out_buf); /** @@ -825,7 +823,7 @@ u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf, struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *); void finalize_py_module(void *); -size_t pre_save_py(void *, u8 *, size_t, u8 **); +size_t post_process_py(void *, u8 *, size_t, u8 **); s32 init_trim_py(void *, u8 *, size_t); s32 post_trim_py(void *, u8); size_t trim_py(void *, u8 **); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 9452fa90..4be6a2c8 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -51,17 +51,6 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (afl->post_handler) { - - u8 *post_buf = NULL; - - size_t post_len = - afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) { return 0; } - out_buf = post_buf; - len = post_len; - - } write_to_testcase(afl, out_buf, len); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 78b92368..2686d014 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -297,12 +297,16 @@ void setup_post(afl_state_t *afl) { dh = dlopen(fn, RTLD_NOW); if (!dh) { FATAL("%s", dlerror()); } - afl->post_handler = dlsym(dh, "afl_postprocess"); - if (!afl->post_handler) { FATAL("Symbol 'afl_postprocess' not found."); } - afl->post_init = dlsym(dh, "afl_postprocess_init"); - if (!afl->post_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } - afl->post_deinit = dlsym(dh, "afl_postprocess_deinit"); - if (!afl->post_deinit) { + struct custom_mutator * mutator; + mutator = ck_alloc(sizeof(struct custom_mutator)); + memset(mutator, 0, sizeof(struct custom_mutator)); + + mutator->afl_custom_post_process = dlsym(dh, "afl_postprocess"); + if (!mutator->afl_custom_post_process) { FATAL("Symbol 'afl_postprocess' not found."); } + mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); + if (!mutator->afl_custom_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } + mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); + if (!mutator->afl_custom_post_process) { FATAL("Symbol 'afl_postprocess_deinit' not found."); @@ -311,16 +315,18 @@ void setup_post(afl_state_t *afl) { /* Do a quick test. It's better to segfault now than later =) */ u8 *post_buf = NULL; - afl->post_data = afl->post_init(afl); - if (!afl->post_data) { FATAL("Could not initialize post handler."); } + mutator->data = mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); + if (!mutator->data) { FATAL("Could not initialize post handler."); } - size_t post_len = afl->post_handler(afl->post_data, tbuf, tlen, &post_buf); + size_t post_len = mutator->afl_custom_post_process(mutator->data, tbuf, tlen, &post_buf); if (!post_len || !post_buf) { SAYF("Empty return in test post handler for buf=\"hello\\0\"."); } + afl->post_library_mutator = mutator; + OKF("Postprocessor installed successfully."); } diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 2c2efc94..acc1b12d 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -108,6 +108,8 @@ void setup_custom_mutators(afl_state_t *afl) { #endif + if (afl->post_library_mutator) list_append(&afl->custom_mutator_list, afl->post_library_mutator); + } void destroy_custom_mutators(afl_state_t *afl) { @@ -120,11 +122,11 @@ void destroy_custom_mutators(afl_state_t *afl) { if (el->afl_custom_deinit) el->afl_custom_deinit(el->data); if (el->dh) dlclose(el->dh); - if (el->pre_save_buf) { + if (el->post_process_buf) { - ck_free(el->pre_save_buf); - el->pre_save_buf = NULL; - el->pre_save_size = 0; + ck_free(el->post_process_buf); + el->post_process_buf = NULL; + el->post_process_size = 0; } @@ -170,10 +172,10 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) { mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit"); if (!mutator->afl_custom_deinit) FATAL("Symbol 'afl_custom_init' not found."); - /* "afl_custom_pre_save", optional */ - mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save"); - if (!mutator->afl_custom_pre_save) - ACTF("optional symbol 'afl_custom_pre_save' not found."); + /* "afl_custom_post_process", optional */ + mutator->afl_custom_post_process = dlsym(dh, "afl_custom_post_process"); + if (!mutator->afl_custom_post_process) + ACTF("optional symbol 'afl_custom_post_process' not found."); u8 notrim = 0; /* "afl_custom_init_trim", optional */ diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 460d6683..984561fd 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -142,8 +142,8 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); if (!py_functions[PY_FUNC_FUZZ]) WARNF("fuzz function not found in python module"); - py_functions[PY_FUNC_PRE_SAVE] = - PyObject_GetAttrString(py_module, "pre_save"); + py_functions[PY_FUNC_post_process] = + PyObject_GetAttrString(py_module, "post_process"); py_functions[PY_FUNC_INIT_TRIM] = PyObject_GetAttrString(py_module, "init_trim"); py_functions[PY_FUNC_POST_TRIM] = @@ -165,9 +165,9 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { if (!py_functions[py_idx] || !PyCallable_Check(py_functions[py_idx])) { - if (py_idx == PY_FUNC_PRE_SAVE) { + if (py_idx == PY_FUNC_post_process) { - // Implenting the pre_save API is optional for now + // Implenting the post_process API is optional for now if (PyErr_Occurred()) { PyErr_Print(); } } else if (py_idx >= PY_FUNC_INIT_TRIM && py_idx <= PY_FUNC_TRIM) { @@ -309,8 +309,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, struct custom_mutator *mutator; mutator = ck_alloc(sizeof(struct custom_mutator)); - mutator->pre_save_buf = NULL; - mutator->pre_save_size = 0; + mutator->post_process_buf = NULL; + mutator->post_process_size = 0; mutator->name = module_name; ACTF("Loading Python mutator library from '%s'...", module_name); @@ -330,9 +330,9 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, is quite different from the custom mutator. */ mutator->afl_custom_fuzz = fuzz_py; - if (py_functions[PY_FUNC_PRE_SAVE]) { + if (py_functions[PY_FUNC_post_process]) { - mutator->afl_custom_pre_save = pre_save_py; + mutator->afl_custom_post_process = post_process_py; } @@ -384,7 +384,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, } -size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { +size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { size_t py_out_buf_size; PyObject * py_args, *py_value; @@ -395,14 +395,14 @@ size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { if (!py_value) { Py_DECREF(py_args); - FATAL("Failed to convert arguments in custom pre_save"); + FATAL("Failed to convert arguments in custom post_process"); } PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_PRE_SAVE], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_post_process], py_args); Py_DECREF(py_args); @@ -410,18 +410,18 @@ size_t pre_save_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { py_out_buf_size = PyByteArray_Size(py_value); - ck_maybe_grow(BUF_PARAMS(pre_save), py_out_buf_size); + ck_maybe_grow(BUF_PARAMS(post_process), py_out_buf_size); - memcpy(py->pre_save_buf, PyByteArray_AsString(py_value), py_out_buf_size); + memcpy(py->post_process_buf, PyByteArray_AsString(py_value), py_out_buf_size); Py_DECREF(py_value); - *out_buf = py->pre_save_buf; + *out_buf = py->post_process_buf; return py_out_buf_size; } else { PyErr_Print(); - FATAL("Python custom mutator: pre_save call failed."); + FATAL("Python custom mutator: post_process call failed."); } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 468b5fc6..d9adb792 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -97,10 +97,10 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { - if (el->afl_custom_pre_save) { + if (el->afl_custom_post_process) { new_size = - el->afl_custom_pre_save(el->data, new_mem, new_size, &new_buf); + el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); } @@ -110,7 +110,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { if (unlikely(!new_buf && (new_size <= 0))) { - FATAL("Custom_pre_save failed (ret: %lu)", (long unsigned)new_size); + FATAL("Custom_post_process failed (ret: %lu)", (long unsigned)new_size); } else if (likely(new_buf)) { @@ -119,7 +119,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { } else { - /* custom mutators do not has a custom_pre_save function */ + /* custom mutators do not has a custom_post_process function */ afl_fsrv_write_to_testcase(&afl->fsrv, mem, len); } @@ -690,18 +690,6 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (afl->post_handler) { - - u8 *post_buf = NULL; - - size_t post_len = - afl->post_handler(afl->post_data, out_buf, len, &post_buf); - if (!post_buf || !post_len) { return 0; } - out_buf = post_buf; - len = post_len; - - } - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 4f5389e3..316f9bd9 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -371,7 +371,6 @@ void read_afl_environment(afl_state_t *afl, char **envp) { void afl_state_deinit(afl_state_t *afl) { - if (afl->post_deinit) { afl->post_deinit(afl->post_data); } if (afl->in_place_resume) { ck_free(afl->in_dir); } if (afl->sync_id) { ck_free(afl->out_dir); } if (afl->pass_stats) { ck_free(afl->pass_stats); } -- cgit 1.4.1 From 645e331559d01d234be231a7f5076c2ad658b159 Mon Sep 17 00:00:00 2001 From: rish9101 Date: Wed, 13 May 2020 19:46:30 +0530 Subject: Fix previous commit bugs --- src/afl-fuzz-init.c | 1 - src/afl-fuzz-python.c | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) (limited to 'src/afl-fuzz-python.c') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 33c00c7a..aea22f48 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -314,7 +314,6 @@ void setup_post(afl_state_t *afl) { /* Do a quick test. It's better to segfault now than later =) */ - u8 *post_buf = NULL; mutator->data = mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF)); if (!mutator->data) { FATAL("Could not initialize post handler."); } diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 984561fd..2569cdaf 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -142,7 +142,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { py_functions[PY_FUNC_FUZZ] = PyObject_GetAttrString(py_module, "mutate"); if (!py_functions[PY_FUNC_FUZZ]) WARNF("fuzz function not found in python module"); - py_functions[PY_FUNC_post_process] = + py_functions[PY_FUNC_POST_PROCESS] = PyObject_GetAttrString(py_module, "post_process"); py_functions[PY_FUNC_INIT_TRIM] = PyObject_GetAttrString(py_module, "init_trim"); @@ -165,7 +165,7 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) { if (!py_functions[py_idx] || !PyCallable_Check(py_functions[py_idx])) { - if (py_idx == PY_FUNC_post_process) { + if (py_idx == PY_FUNC_POST_PROCESS) { // Implenting the post_process API is optional for now if (PyErr_Occurred()) { PyErr_Print(); } @@ -330,7 +330,7 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, is quite different from the custom mutator. */ mutator->afl_custom_fuzz = fuzz_py; - if (py_functions[PY_FUNC_post_process]) { + if (py_functions[PY_FUNC_POST_PROCESS]) { mutator->afl_custom_post_process = post_process_py; @@ -402,7 +402,7 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_post_process], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], py_args); Py_DECREF(py_args); -- cgit 1.4.1 From 60a5df52623802ccadd0691b812761b3f4a9120e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 13 May 2020 16:49:00 +0200 Subject: code-format and slight -S/-M modifications --- examples/custom_mutators/example.c | 7 ++++--- include/afl-fuzz.h | 9 ++++---- src/afl-fuzz-cmplog.c | 1 - src/afl-fuzz-init.c | 42 ++++++++++++++++++++++---------------- src/afl-fuzz-mutators.c | 3 ++- src/afl-fuzz-python.c | 9 +++++--- src/afl-fuzz.c | 14 +++++-------- 7 files changed, 46 insertions(+), 39 deletions(-) (limited to 'src/afl-fuzz-python.c') diff --git a/examples/custom_mutators/example.c b/examples/custom_mutators/example.c index c9be3e0c..23add128 100644 --- a/examples/custom_mutators/example.c +++ b/examples/custom_mutators/example.c @@ -139,10 +139,11 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, * @return Size of the output buffer after processing or the needed amount. * A return of 0 indicates an error. */ -size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, size_t buf_size, - uint8_t **out_buf) { +size_t afl_custom_post_process(my_mutator_t *data, uint8_t *buf, + size_t buf_size, uint8_t **out_buf) { - uint8_t *post_process_buf = maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); + uint8_t *post_process_buf = + maybe_grow(BUF_PARAMS(data, post_process), buf_size + 5); if (!post_process_buf) { perror("custom mutator realloc failed."); diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index cf8ef735..a1aa58d6 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -407,7 +407,9 @@ typedef struct afl_state { no_unlink, /* do not unlink cur_input */ debug, /* Debug mode */ custom_only, /* Custom mutator only mode */ - python_only; /* Python-only mode */ + python_only, /* Python-only mode */ + is_master, /* if this is a master */ + is_slave; /* if this is a slave */ u32 stats_update_freq; /* Stats update frequency (execs) */ @@ -418,7 +420,6 @@ typedef struct afl_state { size_t (*radamsa_mutate_ptr)(u8 *, size_t, u8 *, size_t, u32); u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ use_splicing, /* Recombine input files? */ dumb_mode, /* Run in non-instrumented mode? */ score_changed, /* Scoring for favorites changed? */ @@ -547,7 +548,7 @@ typedef struct afl_state { /* afl_postprocess API - Now supported via custom mutators */ - struct custom_mutator * post_library_mutator; + struct custom_mutator *post_library_mutator; /* CmpLog */ @@ -674,7 +675,7 @@ struct custom_mutator { * @return Size of the output buffer. */ size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size, - u8 **out_buf); + u8 **out_buf); /** * This method is called at the start of each trimming operation and receives diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 4be6a2c8..faf4dcb7 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -51,7 +51,6 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - write_to_testcase(afl, out_buf, len); fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index aea22f48..d468f2c8 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -297,14 +297,24 @@ void setup_post(afl_state_t *afl) { dh = dlopen(fn, RTLD_NOW); if (!dh) { FATAL("%s", dlerror()); } - struct custom_mutator * mutator; + struct custom_mutator *mutator; mutator = ck_alloc(sizeof(struct custom_mutator)); memset(mutator, 0, sizeof(struct custom_mutator)); mutator->afl_custom_post_process = dlsym(dh, "afl_postprocess"); - if (!mutator->afl_custom_post_process) { FATAL("Symbol 'afl_postprocess' not found."); } + if (!mutator->afl_custom_post_process) { + + FATAL("Symbol 'afl_postprocess' not found."); + + } + mutator->afl_custom_init = dlsym(dh, "afl_postprocess_init"); - if (!mutator->afl_custom_init) { FATAL("Symbol 'afl_postprocess_init' not found."); } + if (!mutator->afl_custom_init) { + + FATAL("Symbol 'afl_postprocess_init' not found."); + + } + mutator->afl_custom_deinit = dlsym(dh, "afl_postprocess_deinit"); if (!mutator->afl_custom_post_process) { @@ -1373,6 +1383,17 @@ void setup_dirs_fds(afl_state_t *afl) { } +/* + if (afl->is_master) { + + u8 *x = alloc_printf("%s/is_master", afl->sync_dir); + int fd = open(x, O_CREAT | O_RDWR, 0644); + if (fd < 0) FATAL("cannot create %s", x); + close(fd); + + } +*/ + if (mkdir(afl->out_dir, 0700)) { if (errno != EEXIST) { PFATAL("Unable to create '%s'", afl->out_dir); } @@ -1861,14 +1882,6 @@ void fix_up_sync(afl_state_t *afl) { if (afl->dumb_mode) { FATAL("-S / -M and -n are mutually exclusive"); } - if (afl->skip_deterministic) { - - if (afl->force_deterministic) { FATAL("use -S instead of -M -d"); } - // else - // FATAL("-S already implies -d"); - - } - while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') { @@ -1888,13 +1901,6 @@ void fix_up_sync(afl_state_t *afl) { afl->sync_dir = afl->out_dir; afl->out_dir = x; - if (!afl->force_deterministic) { - - afl->skip_deterministic = 1; - afl->use_splicing = 1; - - } - } /* Handle screen resize (SIGWINCH). */ diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index acc1b12d..87cb86fa 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -108,7 +108,8 @@ void setup_custom_mutators(afl_state_t *afl) { #endif - if (afl->post_library_mutator) list_append(&afl->custom_mutator_list, afl->post_library_mutator); + if (afl->post_library_mutator) + list_append(&afl->custom_mutator_list, afl->post_library_mutator); } diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 2569cdaf..2044c97d 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -384,7 +384,8 @@ struct custom_mutator *load_custom_mutator_py(afl_state_t *afl, } -size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) { +size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, + u8 **out_buf) { size_t py_out_buf_size; PyObject * py_args, *py_value; @@ -402,7 +403,8 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) PyTuple_SetItem(py_args, 0, py_value); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_PROCESS], + py_args); Py_DECREF(py_args); @@ -412,7 +414,8 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf) ck_maybe_grow(BUF_PARAMS(post_process), py_out_buf_size); - memcpy(py->post_process_buf, PyByteArray_AsString(py_value), py_out_buf_size); + memcpy(py->post_process_buf, PyByteArray_AsString(py_value), + py_out_buf_size); Py_DECREF(py_value); *out_buf = py->post_process_buf; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 8075f03d..979ebfa3 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -390,7 +390,7 @@ int main(int argc, char **argv_orig, char **envp) { } - afl->force_deterministic = 1; + afl->is_master = 1; } @@ -400,6 +400,9 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); + afl->is_slave = 1; + afl->skip_deterministic = 1; + afl->use_splicing = 1; break; case 'f': /* target file */ @@ -500,12 +503,6 @@ int main(int argc, char **argv_orig, char **envp) { case 'd': /* skip deterministic */ - if (afl->skip_deterministic) { - - FATAL("Multiple -d options not supported"); - - } - afl->skip_deterministic = 1; afl->use_splicing = 1; break; @@ -794,8 +791,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); - if (afl->sync_id && afl->force_deterministic && - afl->afl_env.afl_custom_mutator_only) { + if (afl->sync_id && afl->is_master && afl->afl_env.afl_custom_mutator_only) { WARNF( "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " -- cgit 1.4.1