From 2363a047500c133996e40808f1974e4aa97ed5bf Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 17 Oct 2021 14:21:08 +0200 Subject: simplify SHAPE_BYTES(h->shape) --- src/afl-fuzz-redqueen.c | 97 ++++++++++++++++++++++++++----------------------- 1 file changed, 51 insertions(+), 46 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 268f726c..2d610132 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -64,6 +64,8 @@ struct range { }; +static u32 hshape; + static struct range *add_range(struct range *ranges, u32 start, u32 end) { struct range *r = ck_alloc_nozero(sizeof(struct range)); @@ -763,7 +765,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, // "Encode: %llx->%llx into %llx(<-%llx) at idx=%u " // "taint_len=%u shape=%u attr=%u\n", // o_pattern, pattern, repl, changed_val, idx, taint_len, - // h->shape + 1, attr); + // hshape, attr); //#ifdef CMPLOG_SOLVE_TRANSFORM // reverse atoi()/strnu?toll() is expensive, so we only to it in lvl 3 @@ -845,7 +847,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 b_val, o_b_val, mask; u8 bytes; - switch (SHAPE_BYTES(h->shape)) { + switch (hshape) { case 0: case 1: @@ -924,7 +926,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, s64 diff = pattern - b_val; s64 o_diff = o_pattern - o_b_val; /* fprintf(stderr, "DIFF1 idx=%03u shape=%02u %llx-%llx=%lx\n", idx, - h->shape + 1, o_pattern, o_b_val, o_diff); + hshape, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF1 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */ if (diff == o_diff && diff) { @@ -953,7 +955,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, s64 o_diff = o_pattern ^ o_b_val; /* fprintf(stderr, "DIFF2 idx=%03u shape=%02u %llx-%llx=%lx\n", - idx, h->shape + 1, o_pattern, o_b_val, o_diff); + idx, hshape, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF2 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */ @@ -1002,7 +1004,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } /* fprintf(stderr, "DIFF3 idx=%03u shape=%02u %llx-%llx=%lx\n", - idx, h->shape + 1, o_pattern, o_b_val, o_diff); + idx, hshape, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF3 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */ @@ -1051,7 +1053,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } /* fprintf(stderr, "DIFF4 idx=%03u shape=%02u %llx-%llx=%lx\n", - idx, h->shape + 1, o_pattern, o_b_val, o_diff); + idx, hshape, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF4 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */ @@ -1089,7 +1091,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if ((lvl & LVL1) || attr >= IS_FP_MOD) { - if (SHAPE_BYTES(h->shape) >= 8 && *status != 1) { + if (hshape >= 8 && *status != 1) { // if (its_len >= 8) // fprintf(stderr, @@ -1132,7 +1134,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if (SHAPE_BYTES(h->shape) >= 4 && *status != 1) { + if (hshape >= 4 && *status != 1) { // if (its_len >= 4 && (attr <= 1 || attr >= 8)) // fprintf(stderr, @@ -1173,7 +1175,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if (SHAPE_BYTES(h->shape) >= 2 && *status != 1) { + if (hshape >= 2 && *status != 1) { if (its_len >= 2 && ((*buf_16 == (u16)pattern && *o_buf_16 == (u16)o_pattern) || @@ -1244,7 +1246,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if (!(attr & (IS_GREATER | IS_LESSER)) || SHAPE_BYTES(h->shape) < 4) { + if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) { return 0; @@ -1272,7 +1274,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if (attr & IS_GREATER) { - if (SHAPE_BYTES(h->shape) == 4 && its_len >= 4) { + if (hshape == 4 && its_len >= 4) { float *f = (float *)&repl; float g = *f; @@ -1280,7 +1282,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u32 *r = (u32 *)&g; repl_new = (u32)*r; - } else if (SHAPE_BYTES(h->shape) == 8 && its_len >= 8) { + } else if (hshape == 8 && its_len >= 8) { double *f = (double *)&repl; double g = *f; @@ -1307,7 +1309,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } else { - if (SHAPE_BYTES(h->shape) == 4) { + if (hshape == 4) { float *f = (float *)&repl; float g = *f; @@ -1315,7 +1317,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u32 *r = (u32 *)&g; repl_new = (u32)*r; - } else if (SHAPE_BYTES(h->shape) == 8) { + } else if (hshape == 8) { double *f = (double *)&repl; double g = *f; @@ -1342,7 +1344,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } // transform double to float, llvm likes to do that internally ... - if (SHAPE_BYTES(h->shape) == 8 && its_len >= 4) { + if (hshape == 8 && its_len >= 4) { double *f = (double *)&repl; float g = (float)*f; @@ -1353,7 +1355,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, memcpy(((char *)&repl_new) + 4, (char *)&g, 4); #endif changed_val = repl_new; - h->shape = 3; // modify shape + hshape = 4; // modify shape // fprintf(stderr, "DOUBLE2FLOAT %llx\n", repl_new); @@ -1361,12 +1363,12 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx, taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) { - h->shape = 7; // recover shape + hshape = 8; // recover shape return 1; } - h->shape = 7; // recover shape + hshape = 7; // recover shape } @@ -1428,14 +1430,13 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, u8 *r = (u8 *)&repl; u8 backup[16]; u32 its_len = MIN(len - idx, taint_len); - u32 shape = h->shape + 1; #if (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) size_t off = 0; #else - size_t off = 16 - shape; + size_t off = 16 - hshape; #endif - if (its_len >= shape) { + if (its_len >= hshape) { #ifdef _DEBUG fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ", @@ -1462,18 +1463,18 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, fprintf(stderr, "\n"); #endif - if (!memcmp(ptr, p + off, shape) && !memcmp(o_ptr, o_p + off, shape)) { + if (!memcmp(ptr, p + off, hshape) && !memcmp(o_ptr, o_p + off, hshape)) { - memcpy(backup, ptr, shape); - memcpy(ptr, r + off, shape); + memcpy(backup, ptr, hshape); + memcpy(ptr, r + off, hshape); if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } #ifdef CMPLOG_COMBINE - if (*status == 1) { memcpy(cbuf + idx, r, shape); } + if (*status == 1) { memcpy(cbuf + idx, r, hshape); } #endif - memcpy(ptr, backup, shape); + memcpy(ptr, backup, hshape); #ifdef _DEBUG fprintf(stderr, "Status=%u\n", *status); @@ -1485,8 +1486,8 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, if (do_reverse && *status != 1) { if (unlikely(cmp_extend_encodingN( - afl, h, SWAPN(pattern, (shape << 3)), SWAPN(repl, (shape << 3)), - SWAPN(o_pattern, (shape << 3)), SWAPN(changed_val, (shape << 3)), + afl, h, SWAPN(pattern, (hshape << 3)), SWAPN(repl, (hshape << 3)), + SWAPN(o_pattern, (hshape << 3)), SWAPN(changed_val, (hshape << 3)), attr, idx, taint_len, orig_buf, buf, cbuf, len, 0, lvl, status))) { @@ -1615,6 +1616,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, u8 s_v0_inc = 1, s_v1_inc = 1; u8 s_v0_dec = 1, s_v1_dec = 1; + hshape = SHAPE_BYTES(h->shape); + if (h->hits > CMP_MAP_H) { loggeds = CMP_MAP_H; @@ -1626,7 +1629,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } #ifdef WORD_SIZE_64 - switch (SHAPE_BYTES(h->shape)) { + switch (hshape) { case 1: case 2: @@ -1680,7 +1683,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef _DEBUG fprintf(stderr, "Handling: %llx->%llx vs %llx->%llx attr=%u shape=%u\n", orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, - SHAPE_BYTES(h->shape)); + hshape); #endif t = taint; @@ -1830,7 +1833,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, "END: %llx->%llx vs %llx->%llx attr=%u i=%u found=%u " "isN=%u size=%u\n", orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, i, found_one, - is_n, SHAPE_BYTES(h->shape)); + is_n, hshape); #endif // If failed, add to dictionary @@ -1841,16 +1844,16 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef WORD_SIZE_64 if (unlikely(is_n)) { - try_to_add_to_dictN(afl, s128_v0, SHAPE_BYTES(h->shape)); - try_to_add_to_dictN(afl, s128_v1, SHAPE_BYTES(h->shape)); + try_to_add_to_dictN(afl, s128_v0, hshape); + try_to_add_to_dictN(afl, s128_v1, hshape); } else #endif { - try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); - try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + try_to_add_to_dict(afl, o->v0, hshape); + try_to_add_to_dict(afl, o->v1, hshape); } @@ -2322,6 +2325,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, u32 i, j, idx, have_taint = 1, taint_len, loggeds; u8 status = 0, found_one = 0; + hshape = SHAPE_BYTES(h->shape); + if (h->hits > CMP_MAP_RTN_H) { loggeds = CMP_MAP_RTN_H; @@ -2355,12 +2360,12 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, /* struct cmp_header *hh = &afl->orig_cmp_map->headers[key]; fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, - h->id, h->shape, h->attribute); + h->id, hshape, h->attribute); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]); fprintf(stderr, " v1="); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]); fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", - hh->hits, hh->id, hh->shape, hh->attribute); + hh->hits, hh->id, hshape, hh->attribute); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]); fprintf(stderr, " o1="); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]); @@ -2401,23 +2406,23 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef _DEBUG int w; fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx, - SHAPE_BYTES(h->shape)); - for (w = 0; w < SHAPE_BYTES(h->shape); ++w) + hshape); + for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", orig_o->v0[w]); fprintf(stderr, " v0="); - for (w = 0; w < SHAPE_BYTES(h->shape); ++w) + for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", o->v0[w]); fprintf(stderr, " o1="); - for (w = 0; w < SHAPE_BYTES(h->shape); ++w) + for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", orig_o->v1[w]); fprintf(stderr, " v1="); - for (w = 0; w < SHAPE_BYTES(h->shape); ++w) + for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", o->v1[w]); fprintf(stderr, "\n"); #endif if (unlikely(rtn_extend_encoding( - afl, o->v0, o->v1, orig_o->v0, orig_o->v1, SHAPE_BYTES(h->shape), + afl, o->v0, o->v1, orig_o->v0, orig_o->v1, hshape, idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) { return 1; @@ -2434,7 +2439,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, status = 0; if (unlikely(rtn_extend_encoding( - afl, o->v1, o->v0, orig_o->v1, orig_o->v0, SHAPE_BYTES(h->shape), + afl, o->v1, o->v0, orig_o->v1, orig_o->v0, hshape, idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) { return 1; @@ -2455,8 +2460,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (unlikely(!afl->pass_stats[key].total)) { - maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape)); - maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape)); + maybe_add_auto(afl, o->v0, hshape); + maybe_add_auto(afl, o->v1, hshape); } -- cgit 1.4.1 From bf0fbc24ad32b0ec5421f4d2090c85d87aeceee3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 17 Oct 2021 15:44:48 +0200 Subject: new cmplog add dict strategy --- src/afl-fuzz-redqueen.c | 170 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 131 insertions(+), 39 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 2d610132..30de12c1 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -45,6 +45,23 @@ enum { }; +// add to dictionary enum +// DEFAULT = 1, notTXT = 2, FOUND = 4, notSAME = 8 +enum { + + DICT_ADD_NEVER = 0, + DICT_ADD_NOTFOUND_SAME_TXT = 1, + DICT_ADD_NOTFOUND_SAME = 3, + DICT_ADD_FOUND_SAME_TXT = 5, + DICT_ADD_FOUND_SAME = 7, + DICT_ADD_NOTFOUND_TXT = 9, + DICT_ADD_NOTFOUND = 11, + DICT_ADD_FOUND_TXT = 13, + DICT_ADD_FOUND = 15, + DICT_ADD_ANY = DICT_ADD_FOUND + +}; + // CMPLOG LVL enum { @@ -54,6 +71,8 @@ enum { }; +#define DICT_ADD_STRATEGY DICT_ADD_FOUND_SAME + struct range { u32 start; @@ -1246,11 +1265,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) { - - return 0; - - } + if (!(attr & (IS_GREATER | IS_LESSER)) || hshape < 4) { return 0; } // transform >= to < and <= to > if ((attr & IS_EQUAL) && (attr & (IS_GREATER | IS_LESSER))) { @@ -1487,9 +1502,9 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, if (unlikely(cmp_extend_encodingN( afl, h, SWAPN(pattern, (hshape << 3)), SWAPN(repl, (hshape << 3)), - SWAPN(o_pattern, (hshape << 3)), SWAPN(changed_val, (hshape << 3)), - attr, idx, taint_len, orig_buf, buf, cbuf, len, 0, lvl, - status))) { + SWAPN(o_pattern, (hshape << 3)), + SWAPN(changed_val, (hshape << 3)), attr, idx, taint_len, orig_buf, + buf, cbuf, len, 0, lvl, status))) { return 1; @@ -1682,8 +1697,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef _DEBUG fprintf(stderr, "Handling: %llx->%llx vs %llx->%llx attr=%u shape=%u\n", - orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, - hshape); + orig_o->v0, o->v0, orig_o->v1, o->v1, h->attribute, hshape); #endif t = taint; @@ -1836,26 +1850,39 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, is_n, hshape); #endif - // If failed, add to dictionary - if (!found_one) { - - if (afl->pass_stats[key].total == 0) { + u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); + if (o->v0 != orig_o->v0) { same0 = 8; } + if (o->v1 != orig_o->v1) { same1 = 8; } #ifdef WORD_SIZE_64 - if (unlikely(is_n)) { + if (unlikely(is_n)) { - try_to_add_to_dictN(afl, s128_v0, hshape); - try_to_add_to_dictN(afl, s128_v1, hshape); + if (DICT_ADD_STRATEGY >= same0 + result) { - } else + try_to_add_to_dictN(afl, s128_v0, hshape); + + } + + if (DICT_ADD_STRATEGY >= same1 + result) { + + try_to_add_to_dictN(afl, s128_v1, hshape); + + } + + } else #endif - { + { - try_to_add_to_dict(afl, o->v0, hshape); - try_to_add_to_dict(afl, o->v1, hshape); + if (DICT_ADD_STRATEGY >= same0 + result) { - } + try_to_add_to_dict(afl, o->v0, hshape); + + } + + if (DICT_ADD_STRATEGY >= same1 + result) { + + try_to_add_to_dict(afl, o->v1, hshape); } @@ -1885,8 +1912,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } -static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl, - u8 *o_pattern, u8 *changed_val, u8 plen, u32 idx, +static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, + struct cmpfn_operands *o, + struct cmpfn_operands *orig_o, u32 idx, u32 taint_len, u8 *orig_buf, u8 *buf, u8 *cbuf, u32 len, u8 lvl, u8 *status) { @@ -1897,9 +1925,50 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl, // (void)(changed_val); //#endif + u8 *pattern, *repl, *o_pattern, *changed_val; + u8 l0, l1, ol0, ol1; + + if (entry == 0) { + + pattern = o->v0; + repl = o->v1; + o_pattern = orig_o->v0; + changed_val = orig_o->v1; + l0 = o->v0_len; + ol0 = orig_o->v0_len; + l1 = o->v1_len; + ol1 = orig_o->v1_len; + + } else { + + pattern = o->v1; + repl = o->v0; + o_pattern = orig_o->v1; + changed_val = orig_o->v0; + l0 = o->v1_len; + ol0 = orig_o->v1_len; + l1 = o->v0_len; + ol1 = orig_o->v0_len; + + } + + if (l0 >= 0x80) { + + l0 -= 0x80; + l1 -= 0x80; + ol0 -= 0x80; + ol1 -= 0x80; + + } else if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0) { + + l0 = l1 = ol0 = ol1 = hshape; + + } + + u8 lmax = MAX(l0, ol0); u8 save[40]; u32 saved_idx = idx, pre, from = 0, to = 0, i, j; - u32 its_len = MIN((u32)plen, len - idx); + u32 its_len = MIN(MIN(lmax, hshape), len - idx); its_len = MIN(its_len, taint_len); u32 saved_its_len = its_len; @@ -1915,7 +1984,8 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl, (void)(j); #ifdef _DEBUG - fprintf(stderr, "RTN T idx=%u lvl=%02x ", idx, lvl); + fprintf(stderr, "RTN T idx=%u lvl=%02x is_txt=%u shape=%u/%u ", idx, lvl, + o->v0_len >= 0x80 ? 1 : 0, hshape, l0); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_buf[idx + j]); fprintf(stderr, " -> "); @@ -2405,8 +2475,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #ifdef _DEBUG int w; - fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx, - hshape); + fprintf(stderr, "key=%u idx=%u len=%u o0=", key, idx, hshape); for (w = 0; w < hshape; ++w) fprintf(stderr, "%02x", orig_o->v0[w]); fprintf(stderr, " v0="); @@ -2421,9 +2490,9 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, fprintf(stderr, "\n"); #endif - if (unlikely(rtn_extend_encoding( - afl, o->v0, o->v1, orig_o->v0, orig_o->v1, hshape, - idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) { + if (unlikely(rtn_extend_encoding(afl, 0, o, orig_o, idx, taint_len, + orig_buf, buf, cbuf, len, lvl, + &status))) { return 1; @@ -2438,9 +2507,9 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, status = 0; - if (unlikely(rtn_extend_encoding( - afl, o->v1, o->v0, orig_o->v1, orig_o->v0, hshape, - idx, taint_len, orig_buf, buf, cbuf, len, lvl, &status))) { + if (unlikely(rtn_extend_encoding(afl, 1, o, orig_o, idx, taint_len, + orig_buf, buf, cbuf, len, lvl, + &status))) { return 1; @@ -2455,13 +2524,36 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } - // If failed, add to dictionary - if (!found_one && (lvl & LVL1)) { + // if (unlikely(!afl->pass_stats[key].total)) { + + if (lvl & LVL1) { + + u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len, + ol1 = orig_o->v1_len; + if (l0 >= 0x80) { + + is_txt = 1; + l0 -= 0x80; + l1 -= 0x80; + ol0 -= 0x80; + ol1 -= 0x80; + + } + + u8 same0 = 0, same1 = 0, result = 1 + (found_one << 2); + if (!is_txt) result += 2; + if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; } + if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; } + + if (DICT_ADD_STRATEGY >= same0 + result) { + + maybe_add_auto(afl, o->v0, l0); + + } - if (unlikely(!afl->pass_stats[key].total)) { + if (DICT_ADD_STRATEGY >= same1 + result) { - maybe_add_auto(afl, o->v0, hshape); - maybe_add_auto(afl, o->v1, hshape); + maybe_add_auto(afl, o->v1, l1); } -- cgit 1.4.1 From 462149de642451024199557c7a7bb7ea76e5b8fa Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 17 Oct 2021 20:31:02 +0200 Subject: fix --- instrumentation/afl-compiler-rt.o.c | 18 +------- src/afl-fuzz-redqueen.c | 87 ++++++++++++++++++++++--------------- 2 files changed, 53 insertions(+), 52 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 21772ca0..38beafb7 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -1944,15 +1944,8 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u32 len) { void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) { /* - u32 i; if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return; - fprintf(stderr, "rtn_strn len=%u arg0=", len); - for (i = 0; i < len; i++) - fprintf(stderr, "%02x", ptr1[i]); - fprintf(stderr, " arg1="); - for (i = 0; i < len; i++) - fprintf(stderr, "%02x", ptr2[i]); - fprintf(stderr, "\n"); + fprintf(stderr, "rtn_strn len=%u arg0=%s arg1=%s\n", len, ptr1, ptr2); */ if (likely(!__afl_cmp_map)) return; @@ -2005,15 +1998,8 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) { void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) { /* - u32 i; if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return; - fprintf(stderr, "rtn_str arg0="); - for (i = 0; i < len; i++) - fprintf(stderr, "%02x", ptr1[i]); - fprintf(stderr, " arg1="); - for (i = 0; i < len; i++) - fprintf(stderr, "%02x", ptr2[i]); - fprintf(stderr, "\n"); + fprintf(stderr, "rtn_str arg0=%s arg1=%s\n", ptr1, ptr2); */ if (likely(!__afl_cmp_map)) return; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 30de12c1..65d21b0a 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1455,25 +1455,25 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, #ifdef _DEBUG fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ", - its_len, shape, len, idx, attr, off, do_reverse); + its_len, hshape, len, idx, attr, off, do_reverse); u32 i; u8 *o_r = (u8 *)&changed_val; - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", ptr[i]); fprintf(stderr, "=="); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", p[off + i]); fprintf(stderr, " "); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", o_ptr[i]); fprintf(stderr, "=="); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", o_p[off + i]); fprintf(stderr, " <= "); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", r[off + i]); fprintf(stderr, "<-"); - for (i = 0; i < shape; i++) + for (i = 0; i < hshape; i++) fprintf(stderr, "%02x", o_r[off + i]); fprintf(stderr, "\n"); #endif @@ -1850,39 +1850,46 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, is_n, hshape); #endif - u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); - if (o->v0 != orig_o->v0) { same0 = 8; } - if (o->v1 != orig_o->v1) { same1 = 8; } + // we only learn 16 bit + + if (hshape > 1) { + + u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); + if (o->v0 != orig_o->v0) { same0 = 8; } + if (o->v1 != orig_o->v1) { same1 = 8; } #ifdef WORD_SIZE_64 - if (unlikely(is_n)) { + if (unlikely(is_n)) { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (DICT_ADD_STRATEGY >= same0 + result) { - try_to_add_to_dictN(afl, s128_v0, hshape); + try_to_add_to_dictN(afl, s128_v0, hshape); - } + } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (DICT_ADD_STRATEGY >= same1 + result) { - try_to_add_to_dictN(afl, s128_v1, hshape); + try_to_add_to_dictN(afl, s128_v1, hshape); - } + } - } else + } else #endif - { + { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (DICT_ADD_STRATEGY >= same0 + result) { - try_to_add_to_dict(afl, o->v0, hshape); + // fprintf(stderr, "add v0 0x%llx\n", o->v0); + try_to_add_to_dict(afl, o->v0, hshape); - } + } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (DICT_ADD_STRATEGY >= same1 + result) { - try_to_add_to_dict(afl, o->v1, hshape); + // fprintf(stderr, "add v1 0x%llx\n", o->v1); + try_to_add_to_dict(afl, o->v1, hshape); + + } } @@ -2428,18 +2435,22 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } /* - struct cmp_header *hh = &afl->orig_cmp_map->headers[key]; - fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, - h->id, hshape, h->attribute); - for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]); - fprintf(stderr, " v1="); - for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]); - fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", - hh->hits, hh->id, hshape, hh->attribute); - for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]); - fprintf(stderr, " o1="); - for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]); - fprintf(stderr, "\n"); + struct cmp_header *hh = &afl->orig_cmp_map->headers[key]; + fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, h->id, + hshape, h->attribute); + for (j = 0; j < 8; j++) + fprintf(stderr, "%02x", o->v0[j]); + fprintf(stderr, " v1="); + for (j = 0; j < 8; j++) + fprintf(stderr, "%02x", o->v1[j]); + fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", hh->hits, + hh->id, hshape, hh->attribute); + for (j = 0; j < 8; j++) + fprintf(stderr, "%02x", orig_o->v0[j]); + fprintf(stderr, " o1="); + for (j = 0; j < 8; j++) + fprintf(stderr, "%02x", orig_o->v1[j]); + fprintf(stderr, "\n"); */ t = taint; @@ -2547,12 +2558,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (DICT_ADD_STRATEGY >= same0 + result) { + // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); maybe_add_auto(afl, o->v0, l0); } if (DICT_ADD_STRATEGY >= same1 + result) { + // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); maybe_add_auto(afl, o->v1, l1); } @@ -2727,11 +2740,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) { + // fprintf(stderr, "INS %u\n", k); afl->stage_max += MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_H); } else { + // fprintf(stderr, "RTN %u\n", k); afl->stage_max += MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_RTN_H); -- cgit 1.4.1 From 72d10fee407f32d4041573d1906a047a67277eff Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 10:03:39 +0200 Subject: dict enhancement --- src/afl-fuzz-redqueen.c | 64 ++++++++++++++++++++++++++++++------------------- 1 file changed, 39 insertions(+), 25 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 65d21b0a..10bcd63d 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1853,41 +1853,48 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // we only learn 16 bit + if (hshape > 1) { - u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); + u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, + result = 1 + 2 + (found_one << 2); if (o->v0 != orig_o->v0) { same0 = 8; } if (o->v1 != orig_o->v1) { same1 = 8; } + if (o->v0 != o->v1) { same2 = 8; } + if (orig_o->v0 != orig_o->v1) { same3 = 8; } + + if (!(same0 && same1) && !same2 && !same3) { #ifdef WORD_SIZE_64 - if (unlikely(is_n)) { + if (unlikely(is_n)) { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (DICT_ADD_STRATEGY >= same0 + result) { - try_to_add_to_dictN(afl, s128_v0, hshape); + try_to_add_to_dictN(afl, s128_v0, hshape); - } + } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (DICT_ADD_STRATEGY >= same1 + result) { - try_to_add_to_dictN(afl, s128_v1, hshape); + try_to_add_to_dictN(afl, s128_v1, hshape); - } + } - } else + } else #endif - { + { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (DICT_ADD_STRATEGY >= same0 + result) { - // fprintf(stderr, "add v0 0x%llx\n", o->v0); - try_to_add_to_dict(afl, o->v0, hshape); + // fprintf(stderr, "add v0 0x%llx\n", o->v0); + try_to_add_to_dict(afl, o->v0, hshape); - } + } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (DICT_ADD_STRATEGY >= same1 + result) { + + // fprintf(stderr, "add v1 0x%llx\n", o->v1); + try_to_add_to_dict(afl, o->v1, hshape); - // fprintf(stderr, "add v1 0x%llx\n", o->v1); - try_to_add_to_dict(afl, o->v1, hshape); + } } @@ -2551,22 +2558,29 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } - u8 same0 = 0, same1 = 0, result = 1 + (found_one << 2); + u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, + result = 1 + (found_one << 2); if (!is_txt) result += 2; if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; } if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; } + if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; } + if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; } - if (DICT_ADD_STRATEGY >= same0 + result) { + if (!(same0 && same1) && !same2 && !same3) { - // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); - maybe_add_auto(afl, o->v0, l0); + if (DICT_ADD_STRATEGY >= same0 + result) { - } + // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); + maybe_add_auto(afl, o->v0, l0); - if (DICT_ADD_STRATEGY >= same1 + result) { + } + + if (DICT_ADD_STRATEGY >= same1 + result) { - // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); - maybe_add_auto(afl, o->v1, l1); + // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); + maybe_add_auto(afl, o->v1, l1); + + } } -- cgit 1.4.1 From 699df8f8ce4cc5de56510f72ebff611d26710557 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 11:11:56 +0200 Subject: fix --- src/afl-fuzz-redqueen.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 10bcd63d..30bad557 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1860,18 +1860,18 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (o->v0 != o->v1) { same2 = 8; } if (orig_o->v0 != orig_o->v1) { same3 = 8; } - if (!(same0 && same1) && !same2 && !same3) { + if (!same2 && !same3) { #ifdef WORD_SIZE_64 if (unlikely(is_n)) { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (!(!same0 && same1) && DICT_ADD_STRATEGY >= same0 + result) { try_to_add_to_dictN(afl, s128_v0, hshape); } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (!(same0 && !same1) && DICT_ADD_STRATEGY >= same1 + result) { try_to_add_to_dictN(afl, s128_v1, hshape); @@ -2566,16 +2566,16 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; } if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; } - if (!(same0 && same1) && !same2 && !same3) { + if (!same2 && !same3) { - if (DICT_ADD_STRATEGY >= same0 + result) { + if (!(same0 && !same1) && DICT_ADD_STRATEGY >= same0 + result) { // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); maybe_add_auto(afl, o->v0, l0); } - if (DICT_ADD_STRATEGY >= same1 + result) { + if (!(!same0 && same1) && DICT_ADD_STRATEGY >= same1 + result) { // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); maybe_add_auto(afl, o->v1, l1); -- cgit 1.4.1 From b4e328803c4e61c81fdf0e0412f013fcf0e72e0d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 26 Oct 2021 18:10:57 +0200 Subject: variants --- include/cmplog.h | 2 +- src/afl-fuzz-redqueen.c | 93 ++++++++++++++++++++++++++++++++++++------------- 2 files changed, 70 insertions(+), 25 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/include/cmplog.h b/include/cmplog.h index 88aa0a61..b95a8e43 100644 --- a/include/cmplog.h +++ b/include/cmplog.h @@ -33,7 +33,7 @@ #define CMPLOG_LVL_MAX 3 #define CMP_MAP_W 65536 -#define CMP_MAP_H 64 +#define CMP_MAP_H 32 #define CMP_MAP_RTN_H (CMP_MAP_H / 4) #define SHAPE_BYTES(x) (x + 1) diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 30bad557..6002703e 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,6 +28,8 @@ #include "afl-fuzz.h" #include "cmplog.h" +#define VARIANT 0 + //#define _DEBUG //#define CMPLOG_INTROSPECTION @@ -461,10 +463,10 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, fprintf( f, "Colorization: fname=%s len=%u ms=%llu result=%u execs=%u found=%llu " - "taint=%u\n", + "taint=%u ascii=%u auto_extra_before=%u\n", afl->queue_cur->fname, len, get_cur_time() - start_time, afl->queue_cur->colorized, afl->stage_cur, new_hit_cnt - orig_hit_cnt, - positions); + positions, afl->queue_cur->is_ascii ? 1 : 0, afl->a_extras_cnt); #ifndef _DEBUG if (afl->not_on_tty) { fclose(f); } @@ -1854,24 +1856,34 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (hshape > 1) { u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, - result = 1 + 2 + (found_one << 2); + result = 1 + (found_one << 2); if (o->v0 != orig_o->v0) { same0 = 8; } if (o->v1 != orig_o->v1) { same1 = 8; } if (o->v0 != o->v1) { same2 = 8; } if (orig_o->v0 != orig_o->v1) { same3 = 8; } + if (check_if_text_buf((u8 *)o->v0, hshape) < hshape) same0 += 2; + if (check_if_text_buf((u8 *)o->v1, hshape) < hshape) same1 += 2; if (!same2 && !same3) { #ifdef WORD_SIZE_64 if (unlikely(is_n)) { - if (!(!same0 && same1) && DICT_ADD_STRATEGY >= same0 + result) { + if ( + #if VARIANT == 1 + !(!same0 && same1) && + #endif + DICT_ADD_STRATEGY >= same0 + result) { try_to_add_to_dictN(afl, s128_v0, hshape); } - if (!(same0 && !same1) && DICT_ADD_STRATEGY >= same1 + result) { + if ( + #if VARIANT == 1 + !(same0 && !same1) && + #endif + DICT_ADD_STRATEGY >= same1 + result) { try_to_add_to_dictN(afl, s128_v1, hshape); @@ -1882,14 +1894,22 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, #endif { - if (DICT_ADD_STRATEGY >= same0 + result) { + if ( +#if VARIANT == 1 + !(!same0 && same1) && +#endif + DICT_ADD_STRATEGY >= same0 + result) { // fprintf(stderr, "add v0 0x%llx\n", o->v0); try_to_add_to_dict(afl, o->v0, hshape); } - if (DICT_ADD_STRATEGY >= same1 + result) { + if ( +#if VARIANT == 1 + !(same0 && !same1) && +#endif + DICT_ADD_STRATEGY >= same1 + result) { // fprintf(stderr, "add v1 0x%llx\n", o->v1); try_to_add_to_dict(afl, o->v1, hshape); @@ -1966,14 +1986,17 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, } - if (l0 >= 0x80) { + if (l0 >= 0x80 || ol0 >= 0x80) { l0 -= 0x80; l1 -= 0x80; ol0 -= 0x80; ol1 -= 0x80; - } else if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0) { + } + + if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 31 || l1 > 31 || + ol0 > 31 || ol1 > 31) { l0 = l1 = ol0 = ol1 = hshape; @@ -2059,10 +2082,10 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, } - //#ifdef CMPLOG_SOLVE_TRANSFORM - if (*status == 1) return 0; + // transform solving + if (afl->cmplog_enable_transform && (lvl & LVL3)) { u32 toupper = 0, tolower = 0, xor = 0, arith = 0, tohex = 0, fromhex = 0; @@ -2548,7 +2571,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len, ol1 = orig_o->v1_len; - if (l0 >= 0x80) { + if (l0 >= 0x80 || ol0 >= 0x80) { is_txt = 1; l0 -= 0x80; @@ -2558,29 +2581,51 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } + if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 31 || l1 > 31 || + ol0 > 31 || ol1 > 31) { + + l0 = l1 = ol0 = ol1 = hshape; + + } + u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, result = 1 + (found_one << 2); - if (!is_txt) result += 2; if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; } if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; } if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; } if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; } + if (!is_txt && check_if_text_buf((u8 *)&o->v0, l0) < l0) { same0 += 2; } + if (!is_txt && check_if_text_buf((u8 *)&o->v1, l1) < l1) { same1 += 2; } - if (!same2 && !same3) { - - if (!(same0 && !same1) && DICT_ADD_STRATEGY >= same0 + result) { + if ( +#if VARIANT < 3 + !(same0 && !same1) && +#endif +#if VARIANT == 4 + (!same2 && same3) +#else + (DICT_ADD_STRATEGY >= same0 + result) +#endif + ) { - // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); - maybe_add_auto(afl, o->v0, l0); + // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); + maybe_add_auto(afl, o->v0, l0); - } - - if (!(!same0 && same1) && DICT_ADD_STRATEGY >= same1 + result) { + } - // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); - maybe_add_auto(afl, o->v1, l1); + if ( +#if VARIANT < 3 + !(!same0 && same1) && +#endif +#if VARIANT == 4 + (same2 && !same3) +#else + (DICT_ADD_STRATEGY >= same1 + result) +#endif + ) { - } + // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); + maybe_add_auto(afl, o->v1, l1); } -- cgit 1.4.1 From 245e91eb27f1572e00c6664477d588c540c30ed6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 26 Oct 2021 21:30:08 +0200 Subject: fix --- src/afl-fuzz-redqueen.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6002703e..800a0753 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,7 +28,7 @@ #include "afl-fuzz.h" #include "cmplog.h" -#define VARIANT 0 +#define VARIANT 4 //#define _DEBUG //#define CMPLOG_INTROSPECTION @@ -1861,8 +1861,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (o->v1 != orig_o->v1) { same1 = 8; } if (o->v0 != o->v1) { same2 = 8; } if (orig_o->v0 != orig_o->v1) { same3 = 8; } - if (check_if_text_buf((u8 *)o->v0, hshape) < hshape) same0 += 2; - if (check_if_text_buf((u8 *)o->v1, hshape) < hshape) same1 += 2; + if (check_if_text_buf((u8 *)&o->v0, hshape) < hshape) same0 += 2; + if (check_if_text_buf((u8 *)&o->v1, hshape) < hshape) same1 += 2; if (!same2 && !same3) { -- cgit 1.4.1 From 9a11c8ac24f8b2c2dcd78aa3a27e5416a717ce4f Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 26 Oct 2021 22:06:01 +0200 Subject: fix --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 800a0753..928cab59 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,7 +28,7 @@ #include "afl-fuzz.h" #include "cmplog.h" -#define VARIANT 4 +#define VARIANT 0 //#define _DEBUG //#define CMPLOG_INTROSPECTION -- cgit 1.4.1 From e2ca7a63972ef3c245395bea7bb89d873ad757af Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 28 Oct 2021 18:02:57 +0200 Subject: variant 6 --- instrumentation/afl-compiler-rt.o.c | 44 ++++++------- src/afl-fuzz-redqueen.c | 126 +++++++++++++++++++++++++++++------- 2 files changed, 125 insertions(+), 45 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 5caf57b3..17724e74 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -22,6 +22,10 @@ #include "cmplog.h" #include "llvm-alternative-coverage.h" +#define XXH_INLINE_ALL +#include "xxhash.h" +#undef XXH_INLINE_ALL + #include #include #include @@ -154,6 +158,12 @@ static void at_exit(int signal) { } +#ifdef WORD_SIZE_64 + #define default_hash(a, b) XXH64(a, b, HASH_CONST) +#else + #define default_hash(a, b) XXH64(a, b, HASH_CONST) +#endif + /* Uninspired gcc plugin instrumentation */ void __afl_trace(const u32 x) { @@ -1499,8 +1509,7 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) { if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits; @@ -1530,8 +1539,7 @@ void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr) { if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits; @@ -1569,8 +1577,7 @@ void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr) { if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits; @@ -1608,8 +1615,7 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2, uint8_t attr) { if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits; @@ -1652,8 +1658,7 @@ void __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t attr, if (unlikely(!__afl_cmp_map || arg1 == arg2)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits; @@ -1696,8 +1701,7 @@ void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) { if (likely(!__afl_cmp_map)) return; uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits; @@ -1802,8 +1806,8 @@ void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) { for (uint64_t i = 0; i < cases[0]; i++) { uintptr_t k = (uintptr_t)__builtin_return_address(0) + i; - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & + (CMP_MAP_W - 1)); u32 hits; @@ -1901,8 +1905,7 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u64 len) { // fprintf(stderr, "RTN2 %u\n", l); uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits, reset = 1; @@ -1955,8 +1958,7 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u64 len) { // fprintf(stderr, "RTN2 %u\n", l); uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits, reset = 1; @@ -2011,8 +2013,7 @@ void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) { // fprintf(stderr, "RTN2 %u\n", l); uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits, reset = 1; @@ -2075,8 +2076,7 @@ void __cmplog_rtn_hook(u8 *ptr1, u8 *ptr2) { // fprintf(stderr, "RTN2 %u\n", len); uintptr_t k = (uintptr_t)__builtin_return_address(0); - k = (k >> 4) ^ (k << 8); - k &= CMP_MAP_W - 1; + k = (uintptr_t)(default_hash((u8 *)&k, sizeof(uintptr_t)) & (CMP_MAP_W - 1)); u32 hits, reset = 1; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 928cab59..b5dc23c2 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,7 +28,7 @@ #include "afl-fuzz.h" #include "cmplog.h" -#define VARIANT 0 +#define VARIANT 6 //#define _DEBUG //#define CMPLOG_INTROSPECTION @@ -1855,6 +1855,43 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // we only learn 16 bit + if (hshape > 1) { +#if VARIANT == 6 + if (!found_one || afl->queue_cur->is_ascii) { + + #ifdef WORD_SIZE_64 + if (unlikely(is_n)) { + + if (!found_one || + check_if_text_buf((u8 *)&s128_v0, SHAPE_BYTES(h->shape)) == + SHAPE_BYTES(h->shape)) + try_to_add_to_dictN(afl, s128_v0, SHAPE_BYTES(h->shape)); + if (!found_one || + check_if_text_buf((u8 *)&s128_v1, SHAPE_BYTES(h->shape)) == + SHAPE_BYTES(h->shape)) + try_to_add_to_dictN(afl, s128_v1, SHAPE_BYTES(h->shape)); + + } else + + #endif + { + + if (!memcmp((u8 *)&o->v0, (u8 *)&orig_o->v0, SHAPE_BYTES(h->shape)) && + (!found_one || + check_if_text_buf((u8 *)&o->v0, SHAPE_BYTES(h->shape)) == + SHAPE_BYTES(h->shape))) + try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); + if (!memcmp((u8 *)&o->v1, (u8 *)&orig_o->v1, SHAPE_BYTES(h->shape)) && + (!found_one || + check_if_text_buf((u8 *)&o->v1, SHAPE_BYTES(h->shape)) == + SHAPE_BYTES(h->shape))) + try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + + } + + } + +#else + u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, result = 1 + (found_one << 2); if (o->v0 != orig_o->v0) { same0 = 8; } @@ -1866,13 +1903,13 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (!same2 && !same3) { -#ifdef WORD_SIZE_64 + #ifdef WORD_SIZE_64 if (unlikely(is_n)) { if ( - #if VARIANT == 1 + #if VARIANT == 1 !(!same0 && same1) && - #endif + #endif DICT_ADD_STRATEGY >= same0 + result) { try_to_add_to_dictN(afl, s128_v0, hshape); @@ -1880,9 +1917,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } if ( - #if VARIANT == 1 + #if VARIANT == 1 !(same0 && !same1) && - #endif + #endif DICT_ADD_STRATEGY >= same1 + result) { try_to_add_to_dictN(afl, s128_v1, hshape); @@ -1891,13 +1928,13 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } else -#endif + #endif { if ( -#if VARIANT == 1 + #if VARIANT == 1 !(!same0 && same1) && -#endif + #endif DICT_ADD_STRATEGY >= same0 + result) { // fprintf(stderr, "add v0 0x%llx\n", o->v0); @@ -1906,9 +1943,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } if ( -#if VARIANT == 1 + #if VARIANT == 1 !(same0 && !same1) && -#endif + #endif DICT_ADD_STRATEGY >= same1 + result) { // fprintf(stderr, "add v1 0x%llx\n", o->v1); @@ -1920,6 +1957,8 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } +#endif + } cmp_fuzz_next_iter: @@ -2567,6 +2606,44 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // if (unlikely(!afl->pass_stats[key].total)) { +#if VARIANT == 6 + if ((!found_one && (lvl & LVL1)) || afl->queue_cur->is_ascii) { + + // if (unlikely(!afl->pass_stats[key].total)) { + + u32 shape_len = SHAPE_BYTES(h->shape); + u32 v0_len = shape_len, v1_len = shape_len; + if (afl->queue_cur->is_ascii || + check_if_text_buf((u8 *)&o->v0, shape_len) == shape_len) { + + if (strlen(o->v0)) v0_len = strlen(o->v0); + + } + + if (afl->queue_cur->is_ascii || + check_if_text_buf((u8 *)&o->v1, shape_len) == shape_len) { + + if (strlen(o->v1)) v1_len = strlen(o->v1); + + } + + // fprintf(stderr, "SHOULD: found:%u ascii:%u text?%u:%u %u:%s %u:%s \n", + // found_one, afl->queue_cur->is_ascii, check_if_text_buf((u8 *)&o->v0, + // shape_len), check_if_text_buf((u8 *)&o->v1, shape_len), v0_len, + // o->v0, v1_len, o->v1); + + if (!memcmp(o->v0, orig_o->v0, v0_len) || + (!found_one || check_if_text_buf((u8 *)&o->v0, v0_len) == v0_len)) + maybe_add_auto(afl, o->v0, v0_len); + if (!memcmp(o->v1, orig_o->v1, v1_len) || + (!found_one || check_if_text_buf((u8 *)&o->v1, v1_len) == v1_len)) + maybe_add_auto(afl, o->v1, v1_len); + + //} + + } + +#else if (lvl & LVL1) { u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len, @@ -2598,14 +2675,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, if (!is_txt && check_if_text_buf((u8 *)&o->v1, l1) < l1) { same1 += 2; } if ( -#if VARIANT < 3 + #if VARIANT < 3 !(same0 && !same1) && -#endif -#if VARIANT == 4 + #endif + #if VARIANT == 4 (!same2 && same3) -#else + #else (DICT_ADD_STRATEGY >= same0 + result) -#endif + #endif ) { // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); @@ -2614,14 +2691,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } if ( -#if VARIANT < 3 + #if VARIANT < 3 !(!same0 && same1) && -#endif -#if VARIANT == 4 + #endif + #if VARIANT == 4 (same2 && !same3) -#else + #else (DICT_ADD_STRATEGY >= same1 + result) -#endif + #endif ) { // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); @@ -2631,6 +2708,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } +#endif + rtn_fuzz_next_iter: afl->stage_cur++; @@ -2966,9 +3045,10 @@ exit_its: if (f) { fprintf(f, - "Cmplog: fname=%s len=%u ms=%llu result=%u finds=%llu entries=%u\n", + "Cmplog: fname=%s len=%u ms=%llu result=%u finds=%llu entries=%u " + "auto_extra_after=%u\n", afl->queue_cur->fname, len, get_cur_time() - start_time, r, - new_hit_cnt - orig_hit_cnt, cmp_locations); + new_hit_cnt - orig_hit_cnt, cmp_locations, afl->a_extras_cnt); #ifndef _DEBUG if (afl->not_on_tty) { fclose(f); } -- cgit 1.4.1 From 639d108512027bda6e7baf4a96f9d4e058e3c1d3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 31 Oct 2021 12:29:45 +0100 Subject: add cmplog compatability check --- include/types.h | 2 + instrumentation/afl-compiler-rt.o.c | 9 ++- src/afl-forkserver.c | 11 +++ src/afl-fuzz-redqueen.c | 144 +----------------------------------- 4 files changed, 22 insertions(+), 144 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/include/types.h b/include/types.h index 7b94fb83..063e6bbd 100644 --- a/include/types.h +++ b/include/types.h @@ -46,6 +46,7 @@ typedef uint128_t u128; #define FS_ERROR_SHM_OPEN 4 #define FS_ERROR_SHMAT 8 #define FS_ERROR_MMAP 16 +#define FS_ERROR_OLD_CMPLOG 32 /* Reporting options */ #define FS_OPT_ENABLED 0x80000001 @@ -53,6 +54,7 @@ typedef uint128_t u128; #define FS_OPT_SNAPSHOT 0x20000000 #define FS_OPT_AUTODICT 0x10000000 #define FS_OPT_SHDMEM_FUZZ 0x01000000 +#define FS_OPT_NEWCMPLOG 0x02000000 #define FS_OPT_OLD_AFLPP_WORKAROUND 0x0f000000 // FS_OPT_MAX_MAPSIZE is 8388608 = 0x800000 = 2^23 = 1 << 22 #define FS_OPT_MAX_MAPSIZE ((0x00fffffeU >> 1) + 1) diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 17724e74..6ee86add 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -679,7 +679,7 @@ static void __afl_start_snapshots(void) { /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ - status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT); + status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT | FS_OPT_NEWCMPLOG); if (__afl_sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ; if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE); @@ -945,7 +945,12 @@ static void __afl_start_forkserver(void) { } if (__afl_sharedmem_fuzzing != 0) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; } - if (status_for_fsrv) { status_for_fsrv |= (FS_OPT_ENABLED); } + if (status_for_fsrv) { + + status_for_fsrv |= (FS_OPT_ENABLED | FS_OPT_NEWCMPLOG); + + } + memcpy(tmp, &status_for_fsrv, 4); /* Phone home and tell the parent that we're OK. If parent isn't there, diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 54f510c4..da036d2f 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -342,6 +342,11 @@ static void report_error_and_exit(int error) { "the fuzzing target reports that the mmap() call to the shared " "memory failed."); break; + case FS_ERROR_OLD_CMPLOG: + FATAL( + "the -c cmplog target was instrumented with an too old afl++ " + "version, you need to recompile it."); + break; default: FATAL("unknown error code %d from fuzzing target!", error); @@ -651,6 +656,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_OLD_AFLPP_WORKAROUND) == FS_OPT_OLD_AFLPP_WORKAROUND) status = (status & 0xf0ffffff); + if ((status & FS_OPT_NEWCMPLOG) == 0 && fsrv->cmplog_binary) { + + report_error_and_exit(FS_ERROR_OLD_CMPLOG); + + } + if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) { fsrv->snapshot = 1; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index b5dc23c2..c97080c7 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -28,8 +28,6 @@ #include "afl-fuzz.h" #include "cmplog.h" -#define VARIANT 6 - //#define _DEBUG //#define CMPLOG_INTROSPECTION @@ -1855,10 +1853,9 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // we only learn 16 bit + if (hshape > 1) { -#if VARIANT == 6 if (!found_one || afl->queue_cur->is_ascii) { - #ifdef WORD_SIZE_64 +#ifdef WORD_SIZE_64 if (unlikely(is_n)) { if (!found_one || @@ -1872,7 +1869,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } else - #endif +#endif { if (!memcmp((u8 *)&o->v0, (u8 *)&orig_o->v0, SHAPE_BYTES(h->shape)) && @@ -1890,75 +1887,6 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } -#else - - u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, - result = 1 + (found_one << 2); - if (o->v0 != orig_o->v0) { same0 = 8; } - if (o->v1 != orig_o->v1) { same1 = 8; } - if (o->v0 != o->v1) { same2 = 8; } - if (orig_o->v0 != orig_o->v1) { same3 = 8; } - if (check_if_text_buf((u8 *)&o->v0, hshape) < hshape) same0 += 2; - if (check_if_text_buf((u8 *)&o->v1, hshape) < hshape) same1 += 2; - - if (!same2 && !same3) { - - #ifdef WORD_SIZE_64 - if (unlikely(is_n)) { - - if ( - #if VARIANT == 1 - !(!same0 && same1) && - #endif - DICT_ADD_STRATEGY >= same0 + result) { - - try_to_add_to_dictN(afl, s128_v0, hshape); - - } - - if ( - #if VARIANT == 1 - !(same0 && !same1) && - #endif - DICT_ADD_STRATEGY >= same1 + result) { - - try_to_add_to_dictN(afl, s128_v1, hshape); - - } - - } else - - #endif - { - - if ( - #if VARIANT == 1 - !(!same0 && same1) && - #endif - DICT_ADD_STRATEGY >= same0 + result) { - - // fprintf(stderr, "add v0 0x%llx\n", o->v0); - try_to_add_to_dict(afl, o->v0, hshape); - - } - - if ( - #if VARIANT == 1 - !(same0 && !same1) && - #endif - DICT_ADD_STRATEGY >= same1 + result) { - - // fprintf(stderr, "add v1 0x%llx\n", o->v1); - try_to_add_to_dict(afl, o->v1, hshape); - - } - - } - - } - -#endif - } cmp_fuzz_next_iter: @@ -2606,7 +2534,6 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, // if (unlikely(!afl->pass_stats[key].total)) { -#if VARIANT == 6 if ((!found_one && (lvl & LVL1)) || afl->queue_cur->is_ascii) { // if (unlikely(!afl->pass_stats[key].total)) { @@ -2643,73 +2570,6 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, } -#else - if (lvl & LVL1) { - - u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len, - ol1 = orig_o->v1_len; - if (l0 >= 0x80 || ol0 >= 0x80) { - - is_txt = 1; - l0 -= 0x80; - l1 -= 0x80; - ol0 -= 0x80; - ol1 -= 0x80; - - } - - if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 31 || l1 > 31 || - ol0 > 31 || ol1 > 31) { - - l0 = l1 = ol0 = ol1 = hshape; - - } - - u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0, - result = 1 + (found_one << 2); - if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; } - if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; } - if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; } - if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; } - if (!is_txt && check_if_text_buf((u8 *)&o->v0, l0) < l0) { same0 += 2; } - if (!is_txt && check_if_text_buf((u8 *)&o->v1, l1) < l1) { same1 += 2; } - - if ( - #if VARIANT < 3 - !(same0 && !same1) && - #endif - #if VARIANT == 4 - (!same2 && same3) - #else - (DICT_ADD_STRATEGY >= same0 + result) - #endif - ) { - - // fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0); - maybe_add_auto(afl, o->v0, l0); - - } - - if ( - #if VARIANT < 3 - !(!same0 && same1) && - #endif - #if VARIANT == 4 - (same2 && !same3) - #else - (DICT_ADD_STRATEGY >= same1 + result) - #endif - ) { - - // fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1); - maybe_add_auto(afl, o->v1, l1); - - } - - } - -#endif - rtn_fuzz_next_iter: afl->stage_cur++; -- cgit 1.4.1 From 701997a2a5226c731c15f8d3f512cd8c91df1612 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 3 Nov 2021 13:33:59 +0100 Subject: fix --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index c97080c7..a9c5625f 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1383,7 +1383,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - hshape = 7; // recover shape + hshape = 8; // recover shape } -- cgit 1.4.1 From 9325a4fcbb8eb4ed1d71f93de5301bf1a9a68253 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Nov 2021 10:28:22 +0100 Subject: http->https --- GNUmakefile | 2 +- GNUmakefile.gcc_plugin | 2 +- GNUmakefile.llvm | 2 +- TODO.md | 1 - afl-cmin.bash | 2 +- afl-plot | 2 +- afl-whatsup | 2 +- docs/Changelog.md | 2 +- docs/INSTALL.md | 2 +- docs/best_practices.md | 2 +- docs/interpreting_output.md | 2 +- docs/known_limitations.md | 2 +- docs/sister_projects.md | 12 ++++++------ docs/technical_details.md | 12 ++++++------ frida_mode/Scripting.md | 2 +- include/afl-as.h | 4 ++-- include/afl-fuzz.h | 2 +- include/afl-prealloc.h | 2 +- include/alloc-inl.h | 2 +- include/cmplog.h | 2 +- include/common.h | 2 +- include/config.h | 2 +- include/debug.h | 2 +- include/forkserver.h | 2 +- include/hash.h | 2 +- include/list.h | 2 +- include/sharedmem.h | 2 +- include/snapshot-inl.h | 2 +- include/types.h | 2 +- instrumentation/README.llvm.md | 2 +- instrumentation/afl-compiler-rt.o.c | 2 +- instrumentation/afl-gcc-pass.so.cc | 2 +- instrumentation/afl-llvm-dict2file.so.cc | 2 +- instrumentation/afl-llvm-lto-instrumentation.so.cc | 2 +- instrumentation/afl-llvm-lto-instrumentlist.so.cc | 2 +- instrumentation/afl-llvm-pass.so.cc | 2 +- instrumentation/afl-llvm-rt-lto.o.c | 2 +- instrumentation/cmplog-instructions-pass.cc | 2 +- instrumentation/cmplog-routines-pass.cc | 2 +- instrumentation/cmplog-switches-pass.cc | 2 +- instrumentation/compare-transform-pass.so.cc | 2 +- instrumentation/split-compares-pass.so.cc | 2 +- instrumentation/split-switches-pass.so.cc | 2 +- qemu_mode/build_qemu_support.sh | 2 +- src/afl-analyze.c | 2 +- src/afl-as.c | 4 ++-- src/afl-cc.c | 2 +- src/afl-common.c | 2 +- src/afl-forkserver.c | 8 ++++---- src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-extras.c | 2 +- src/afl-fuzz-init.c | 4 ++-- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-one.c | 2 +- src/afl-fuzz-python.c | 2 +- src/afl-fuzz-queue.c | 2 +- src/afl-fuzz-redqueen.c | 2 +- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-state.c | 2 +- src/afl-fuzz-stats.c | 2 +- src/afl-fuzz.c | 2 +- src/afl-gotcpu.c | 2 +- src/afl-ld-lto.c | 2 +- src/afl-performance.c | 2 +- src/afl-sharedmem.c | 2 +- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- test-instr.c | 2 +- unicorn_mode/build_unicorn_support.sh | 2 +- 70 files changed, 85 insertions(+), 86 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/GNUmakefile b/GNUmakefile index 0a6f3950..ad2642f3 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -10,7 +10,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # For Heiko: diff --git a/GNUmakefile.gcc_plugin b/GNUmakefile.gcc_plugin index bce97b2f..ed2725d7 100644 --- a/GNUmakefile.gcc_plugin +++ b/GNUmakefile.gcc_plugin @@ -17,7 +17,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # #TEST_MMAP=1 PREFIX ?= /usr/local diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index b802ef16..64e5beb2 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -12,7 +12,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # For Heiko: diff --git a/TODO.md b/TODO.md index 30676312..1d4270b4 100644 --- a/TODO.md +++ b/TODO.md @@ -2,7 +2,6 @@ ## TODO - - AFL_USE_TSAN to docs/env_variables.md after work over - screen update during input2stage - better autodetection of shifting runtime timeout values - Update afl->pending_not_fuzzed for MOpt diff --git a/afl-cmin.bash b/afl-cmin.bash index c77dfbc1..e25ddc74 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -11,7 +11,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # This tool tries to find the smallest subset of files in the input directory # that still trigger the full range of instrumentation data points seen in diff --git a/afl-plot b/afl-plot index 87b9caae..1ea1fc55 100755 --- a/afl-plot +++ b/afl-plot @@ -12,7 +12,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # get_abs_path() { diff --git a/afl-whatsup b/afl-whatsup index 9c2564c6..10a52f83 100755 --- a/afl-whatsup +++ b/afl-whatsup @@ -12,7 +12,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # This tool summarizes the status of any locally-running synchronized # instances of afl-fuzz. diff --git a/docs/Changelog.md b/docs/Changelog.md index cfeb8cc1..7c77a6bf 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -2760,7 +2760,7 @@ sending a mail to . - Updated the documentation and added notes_for_asan.txt. Based on feedback from Hanno Boeck, Ben Laurie, and others. - - Moved the project to http://lcamtuf.coredump.cx/afl/. + - Moved the project to https://lcamtuf.coredump.cx/afl/. ### Version 0.46b: diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 960de1af..cfa20dea 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -150,4 +150,4 @@ sysctl kern.sysv.shmseg=48 sysctl kern.sysv.shmall=98304 ``` -See [http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent. \ No newline at end of file +See [https://www.spy-hill.com/help/apple/SharedMemory.html](https://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent. \ No newline at end of file diff --git a/docs/best_practices.md b/docs/best_practices.md index 0708d49d..5d07dd14 100644 --- a/docs/best_practices.md +++ b/docs/best_practices.md @@ -108,7 +108,7 @@ Four steps are required to do this and it also requires quite some knowledge of Follow this document on how to do this: [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). If `PCGUARD` is used, then you need to follow this guide (needs llvm 12+!): - [http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation) + [https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation) Only exclude those functions from instrumentation that provide no value for coverage - that is if it does not process any fuzz data directly or indirectly (e.g. hash maps, thread management etc.). If however a function directly or indirectly handles fuzz data, then you should not put the function in a deny instrumentation list and rather live with the instability it comes with. diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md index 327a0ac0..4bd705f2 100644 --- a/docs/interpreting_output.md +++ b/docs/interpreting_output.md @@ -56,7 +56,7 @@ Any existing output directory can be also used to resume aborted jobs; try: If you have gnuplot installed, you can also generate some pretty graphs for any active fuzzing task using afl-plot. For an example of how this looks like, -see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/). +see [https://lcamtuf.coredump.cx/afl/plot/](https://lcamtuf.coredump.cx/afl/plot/). You can also manually build and install afl-plot-ui, which is a helper utility for showing the graphs generated by afl-plot in a graphical window using GTK. diff --git a/docs/known_limitations.md b/docs/known_limitations.md index 2d8f84a5..a68c0a85 100644 --- a/docs/known_limitations.md +++ b/docs/known_limitations.md @@ -31,6 +31,6 @@ Here are some of the most important caveats for AFL: [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop) - Occasionally, sentient machines rise against their creators. If this - happens to you, please consult [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/). + happens to you, please consult [https://lcamtuf.coredump.cx/prep/](https://lcamtuf.coredump.cx/prep/). Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips. diff --git a/docs/sister_projects.md b/docs/sister_projects.md index 5cb3a102..613bc778 100644 --- a/docs/sister_projects.md +++ b/docs/sister_projects.md @@ -15,7 +15,7 @@ instruction manual. Allows fuzz-testing of Python programs. Uses custom instrumentation and its own forkserver. -http://jwilk.net/software/python-afl +https://jwilk.net/software/python-afl ### Go-fuzz (Dmitry Vyukov) @@ -34,7 +34,7 @@ https://github.com/kmcallister/afl.rs Adds AFL-compatible instrumentation to OCaml programs. https://github.com/ocamllabs/opam-repo-dev/pull/23 -http://canopy.mirage.io/Posts/Fuzzing +https://canopy.mirage.io/Posts/Fuzzing ### AFL for GCJ Java and other GCC frontends (-) @@ -54,7 +54,7 @@ some programs to be fuzzed without the fork / execve overhead. (Similar functionality is now available as the "persistent" feature described in [the llvm_mode readme](../instrumentation/README.llvm.md)) -http://llvm.org/docs/LibFuzzer.html +https://llvm.org/docs/LibFuzzer.html ## TriforceAFL (Tim Newsham and Jesse Hertz) @@ -189,7 +189,7 @@ https://github.com/bshastry/afl-sancov Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN. -http://jwilk.net/software/recidivm +https://jwilk.net/software/recidivm ### aflize (Jacek Wielemborek) @@ -274,7 +274,7 @@ https://goo.gl/j9EgFf A simple SQL shell designed specifically for fuzzing the underlying library. -http://www.sqlite.org/src/artifact/9e7e273da2030371 +https://www.sqlite.org/src/artifact/9e7e273da2030371 ### Support for Python mutation modules (Christian Holler) @@ -292,7 +292,7 @@ A similar guided approach as applied to fuzzing syscalls: https://github.com/google/syzkaller/wiki/Found-Bugs https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931 -http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf +https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf ### Kernel Snapshot Fuzzing using Unicornafl (Security in Telecommunications) diff --git a/docs/technical_details.md b/docs/technical_details.md index b0ca493e..b9d271d9 100644 --- a/docs/technical_details.md +++ b/docs/technical_details.md @@ -161,8 +161,8 @@ features of the underlying data format, as shown in this image: Several practical examples of the results of this algorithm are discussed here: - http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html - http://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html + https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html + https://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html The synthetic corpus produced by this process is essentially a compact collection of "hmm, this does something new!" input files, and can be used to @@ -323,7 +323,7 @@ value of various fuzzing strategies and optimize their parameters so that they work equally well across a wide range of file types. The strategies used by afl-fuzz are generally format-agnostic and are discussed in more detail here: - http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html + https://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html It is somewhat notable that especially early on, most of the work done by `afl-fuzz` is actually highly deterministic, and progresses to random stacked @@ -376,7 +376,7 @@ valid grammar for the tested parser. A discussion of how these features are implemented within afl-fuzz can be found here: - http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html + https://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html In essence, when basic, typically easily-obtained syntax tokens are combined together in a purely random manner, the instrumentation and the evolutionary @@ -429,7 +429,7 @@ thrown away. A detailed discussion of the value of this approach can be found here: - http://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html + https://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html The method uses instrumentation feedback to explore the state of the crashing program to get past the ambiguous faulting condition and then isolate the @@ -447,7 +447,7 @@ goes through `execve()`, linking, and libc initialization only once, and is then cloned from a stopped process image by leveraging copy-on-write. The implementation is described in more detail here: - http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html + https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html The fork server is an integral aspect of the injected instrumentation and simply stops at the first instrumented function to await commands from diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md index f6017fad..691b03d1 100644 --- a/frida_mode/Scripting.md +++ b/frida_mode/Scripting.md @@ -302,7 +302,7 @@ Consider the [following](test/js/test2.c) test code... Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ #include diff --git a/include/afl-as.h b/include/afl-as.h index 3c12c68f..2a2e8ad7 100644 --- a/include/afl-as.h +++ b/include/afl-as.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This file houses the assembly-level instrumentation injected into fuzzed programs. The instrumentation stores XORed pairs of data: identifiers of the @@ -396,7 +396,7 @@ static const u8 *main_payload_32 = "\n"; /* The OpenBSD hack is due to lahf and sahf not being recognized by some - versions of binutils: http://marc.info/?l=openbsd-cvs&m=141636589924400 + versions of binutils: https://marc.info/?l=openbsd-cvs&m=141636589924400 The Apple code is a bit different when calling libc functions because they are doing relocations differently from everybody else. We also need diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index eaf55fb8..e73ea1a4 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This is the real deal: the program takes an instrumented binary and attempts a variety of basic fuzzing tricks, paying close attention to diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h index fa6c9b70..87bbb1cc 100644 --- a/include/afl-prealloc.h +++ b/include/afl-prealloc.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/include/alloc-inl.h b/include/alloc-inl.h index c914da5f..0c540330 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This allocator is not designed to resist malicious attackers (the canaries are small and predictable), but provides a robust and portable way to detect diff --git a/include/cmplog.h b/include/cmplog.h index 878ed60c..1c15d2b8 100644 --- a/include/cmplog.h +++ b/include/cmplog.h @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code to handle the shared memory. This is used by the fuzzer as well the other components like afl-tmin, afl-showmap, etc... diff --git a/include/common.h b/include/common.h index 2ca44301..e3997aa4 100644 --- a/include/common.h +++ b/include/common.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Gather some functions common to multiple executables diff --git a/include/config.h b/include/config.h index 4630da0c..3aee9b00 100644 --- a/include/config.h +++ b/include/config.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/include/debug.h b/include/debug.h index f8df5711..feb7f52d 100644 --- a/include/debug.h +++ b/include/debug.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/include/forkserver.h b/include/forkserver.h index c6f7de00..7af01cb2 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code that implements a forkserver. This is used by the fuzzer as well the other components like afl-tmin. diff --git a/include/hash.h b/include/hash.h index 9319ab95..9bb34ff8 100644 --- a/include/hash.h +++ b/include/hash.h @@ -21,7 +21,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/include/list.h b/include/list.h index 7ec81cbe..d49e56da 100644 --- a/include/list.h +++ b/include/list.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This allocator is not designed to resist malicious attackers (the canaries are small and predictable), but provides a robust and portable way to detect diff --git a/include/sharedmem.h b/include/sharedmem.h index fdc947f9..93080d0f 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code to handle the shared memory. This is used by the fuzzer as well the other components like afl-tmin, afl-showmap, etc... diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h index a18187ef..7234bbaa 100644 --- a/include/snapshot-inl.h +++ b/include/snapshot-inl.h @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/include/types.h b/include/types.h index 7b94fb83..e945f0f5 100644 --- a/include/types.h +++ b/include/types.h @@ -16,7 +16,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index 5b1e60cc..dbb604f2 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -75,7 +75,7 @@ load modules (you'll see "Service unavailable" when loading afl-llvm-pass.so). To solve all your problems, you can grab pre-built binaries for your OS from: - http://llvm.org/releases/download.html + https://llvm.org/releases/download.html ...and then put the bin/ directory from the tarball at the beginning of your $PATH when compiling the feature and building packages later on. You don't need diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 9acab4e7..b2802a29 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c @@ -9,7 +9,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc index 3b7eb878..df2b6f2a 100644 --- a/instrumentation/afl-gcc-pass.so.cc +++ b/instrumentation/afl-gcc-pass.so.cc @@ -30,7 +30,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program. If not, see . + along with this program. If not, see . */ diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index 0a3e74b9..7c04c0c5 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc @@ -10,7 +10,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This library is plugged into LLVM when invoking clang through afl-clang-lto. diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index c2f61d34..cd43b437 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc @@ -10,7 +10,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This library is plugged into LLVM when invoking clang through afl-clang-lto. diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc index ee2e5dd3..cf26f912 100644 --- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This library is plugged into LLVM when invoking clang through afl-clang-fast. It tells the compiler to add code roughly equivalent to the bits discussed diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 9b7e625e..21ce0cf9 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This library is plugged into LLVM when invoking clang through afl-clang-fast. It tells the compiler to add code roughly equivalent to the bits discussed diff --git a/instrumentation/afl-llvm-rt-lto.o.c b/instrumentation/afl-llvm-rt-lto.o.c index e53785ff..eb346157 100644 --- a/instrumentation/afl-llvm-rt-lto.o.c +++ b/instrumentation/afl-llvm-rt-lto.o.c @@ -6,7 +6,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 01a8a637..80af05f0 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -11,7 +11,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 1e2610f2..01b7a373 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -11,7 +11,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc index c42d44fe..aa719013 100644 --- a/instrumentation/cmplog-switches-pass.cc +++ b/instrumentation/cmplog-switches-pass.cc @@ -11,7 +11,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index 288e8282..a1239040 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc @@ -5,7 +5,7 @@ * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc index e63be98c..7c652ca2 100644 --- a/instrumentation/split-compares-pass.so.cc +++ b/instrumentation/split-compares-pass.so.cc @@ -6,7 +6,7 @@ * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc index 82f198aa..1e32a31d 100644 --- a/instrumentation/split-switches-pass.so.cc +++ b/instrumentation/split-switches-pass.so.cc @@ -5,7 +5,7 @@ * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * - * http://www.apache.org/licenses/LICENSE-2.0 + * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 84f144be..71453a71 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -19,7 +19,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # This script downloads, patches, and builds a version of QEMU with # minor tweaks to allow non-instrumented binaries to be run under diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 09b01541..60cb1434 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 A nifty utility that grabs an input file and takes a stab at explaining its structure by observing how changes to it affect the execution path. diff --git a/src/afl-as.c b/src/afl-as.c index 9af272f2..b644b82a 100644 --- a/src/afl-as.c +++ b/src/afl-as.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 The sole purpose of this wrapper is to preprocess assembly files generated by GCC / clang and inject the instrumentation bits included from afl-as.h. It @@ -101,7 +101,7 @@ static void edit_params(int argc, char **argv) { /* On MacOS X, the Xcode cctool 'as' driver is a bit stale and does not work with the code generated by newer versions of clang that are hand-built - by the user. See the thread here: http://goo.gl/HBWDtn. + by the user. See the thread here: https://goo.gl/HBWDtn. To work around this, when using clang and running without AFL_AS specified, we will actually call 'clang -c' instead of 'as -q' to diff --git a/src/afl-cc.c b/src/afl-cc.c index 5f77b097..8ff241ba 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -11,7 +11,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ diff --git a/src/afl-common.c b/src/afl-common.c index 26a0d54b..ec3b2f3f 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Gather some functions common to multiple executables diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 80b295e0..b1769bfb 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -19,7 +19,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code that implements a forkserver. This is used by the fuzzer as well the other components like afl-tmin. @@ -351,7 +351,7 @@ static void report_error_and_exit(int error) { /* Spins up fork server. The idea is explained here: - http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html + https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html In essence, the instrumentation allows us to skip execve(), and just keep cloning a stopped child. So, we just execute once, and then send commands @@ -917,7 +917,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" - " Tip: you can use http://jwilk.net/software/recidivm to " + " Tip: you can use https://jwilk.net/software/recidivm to " "quickly\n" " estimate the required amount of virtual memory for the " "binary.\n\n" @@ -1017,7 +1017,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, MSG_ULIMIT_USAGE " /path/to/fuzzed_app )\n\n" - " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" + " Tip: you can use https://jwilk.net/software/recidivm to quickly\n" " estimate the required amount of virtual memory for the " "binary.\n\n" diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 316067e4..f7b59f25 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This is the real deal: the program takes an instrumented binary and attempts a variety of basic fuzzing tricks, paying close attention to diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index c2e9c80f..6fc926f0 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -17,7 +17,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code to handle the shared memory. This is used by the fuzzer as well the other components like afl-tmin, afl-showmap, etc... diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 584241d4..0f0fe331 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This is the real deal: the program takes an instrumented binary and attempts a variety of basic fuzzing tricks, paying close attention to diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 1170715f..9262d718 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -15,7 +15,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 This is the real deal: the program takes an instrumented binary and attempts a variety of basic fuzzing tricks, paying close attention to @@ -974,7 +974,7 @@ void perform_dry_run(afl_state_t *afl) { MSG_ULIMIT_USAGE " /path/to/binary [...] . + See . This is xoshiro256++ 1.0, one of our all-purpose, rock-solid generators. It has excellent (sub-ns) speed, a state (256 bits) that is large diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 22fe5a62..7fb8f821 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -17,7 +17,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Shared code to handle the shared memory. This is used by the fuzzer as well the other components like afl-tmin, afl-showmap, etc... diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 3826e385..23ec0df0 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 A very simple tool that runs the targeted binary and displays the contents of the trace bitmap in a human-readable form. Useful in diff --git a/src/afl-tmin.c b/src/afl-tmin.c index ce2a0b8f..8ce4bdd5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -18,7 +18,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 A simple test case minimizer that takes an input file and tries to remove as much data as possible while keeping the binary in a crashing state diff --git a/test-instr.c b/test-instr.c index 13d4eb93..eaae50ef 100644 --- a/test-instr.c +++ b/test-instr.c @@ -7,7 +7,7 @@ Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 */ #include diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 6c376f8d..f9c0be7f 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -20,7 +20,7 @@ # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # This script downloads, patches, and builds a version of Unicorn with # minor tweaks to allow Unicorn-emulated binaries to be run under -- cgit 1.4.1 From 64704403ca957886b3ad0b55efebaf29906712b8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 6 Nov 2021 14:54:53 +0100 Subject: better screen update --- src/afl-fuzz-redqueen.c | 70 +++++++++++++++++++++++++++++-------------------- 1 file changed, 41 insertions(+), 29 deletions(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index a9c5625f..4fa62059 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -84,6 +84,8 @@ struct range { }; static u32 hshape; +static u64 screen_update; +static u64 last_update; static struct range *add_range(struct range *ranges, u32 start, u32 end) { @@ -273,7 +275,6 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 start_time = get_cur_time(); #endif - u32 screen_update; u64 orig_hit_cnt, new_hit_cnt, exec_cksum; orig_hit_cnt = afl->queued_paths + afl->unique_crashes; @@ -282,24 +283,6 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, afl->stage_max = (len << 1); afl->stage_cur = 0; - if (likely(afl->queue_cur->exec_us)) { - - if (likely((100000 / 2) >= afl->queue_cur->exec_us)) { - - screen_update = 100000 / afl->queue_cur->exec_us; - - } else { - - screen_update = 1; - - } - - } else { - - screen_update = 100000; - - } - // in colorization we do not classify counts, hence we have to calculate // the original checksum. if (unlikely(get_exec_checksum(afl, buf, len, &exec_cksum))) { @@ -369,7 +352,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, } - if (++afl->stage_cur % screen_update) { show_stats(afl); }; + if (++afl->stage_cur % screen_update == 0) { show_stats(afl); }; } @@ -780,6 +763,13 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u32 its_len = MIN(len - idx, taint_len); + if (afl->fsrv.total_execs - last_update > screen_update) { + + show_stats(afl); + last_update = afl->fsrv.total_execs; + + } + // fprintf(stderr, // "Encode: %llx->%llx into %llx(<-%llx) at idx=%u " // "taint_len=%u shape=%u attr=%u\n", @@ -1438,6 +1428,13 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h, u32 taint_len, u8 *orig_buf, u8 *buf, u8 *cbuf, u32 len, u8 do_reverse, u8 lvl, u8 *status) { + if (afl->fsrv.total_execs - last_update > screen_update) { + + show_stats(afl); + last_update = afl->fsrv.total_execs; + + } + u8 *ptr = (u8 *)&buf[idx]; u8 *o_ptr = (u8 *)&orig_buf[idx]; u8 *p = (u8 *)&pattern; @@ -1926,6 +1923,13 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 entry, // (void)(changed_val); //#endif + if (afl->fsrv.total_execs - last_update > screen_update) { + + show_stats(afl); + last_update = afl->fsrv.total_execs; + + } + u8 *pattern, *repl, *o_pattern, *changed_val; u8 l0, l1, ol0, ol1; @@ -2600,6 +2604,23 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { } struct tainted *taint = NULL; + if (likely(afl->queue_cur->exec_us)) { + + if (likely((100000 / 2) >= afl->queue_cur->exec_us)) { + + screen_update = 100000 / afl->queue_cur->exec_us; + + } else { + + screen_update = 1; + + } + + } else { + + screen_update = 100000; + + } if (!afl->queue_cur->taint || !afl->queue_cur->cmplog_colorinput) { @@ -2700,8 +2721,6 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { u64 orig_hit_cnt, new_hit_cnt; u64 orig_execs = afl->fsrv.total_execs; orig_hit_cnt = afl->queued_paths + afl->unique_crashes; - u64 screen_update = 100000 / afl->queue_cur->exec_us, - execs = afl->fsrv.total_execs; afl->stage_name = "input-to-state"; afl->stage_short = "its"; @@ -2783,13 +2802,6 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) { } - if (afl->fsrv.total_execs - execs > screen_update) { - - execs = afl->fsrv.total_execs; - show_stats(afl); - - } - } r = 0; -- cgit 1.4.1 From 92c91f25f0abc2eb4b8eccbe9b89f433a08eeaba Mon Sep 17 00:00:00 2001 From: tl455047 Date: Sun, 7 Nov 2021 20:28:03 +0800 Subject: Fix index of cmp_map->log[key]. --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-fuzz-redqueen.c') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index f6a7f3e6..a1d6e021 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -1669,7 +1669,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf, for (j = 0; j < i; ++j) { if (afl->shm.cmp_map->log[key][j].v0 == o->v0 && - afl->shm.cmp_map->log[key][i].v1 == o->v1) { + afl->shm.cmp_map->log[key][j].v1 == o->v1) { goto cmp_fuzz_next_iter; -- cgit 1.4.1