From 770e868d04c0f52a1c57e5471e459dd24a002748 Mon Sep 17 00:00:00 2001 From: yangzao Date: Fri, 24 Nov 2023 11:06:06 -0700 Subject: add custom_post_run.c --- src/afl-fuzz-run.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ac4fb4a9..29cc5352 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -60,6 +60,8 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon); + + #ifdef PROFILING clock_gettime(CLOCK_REALTIME, &spec); time_spent_start = (spec.tv_sec * 1000000000) + spec.tv_nsec; -- cgit 1.4.1 From 8af74bcaeebbe2407006333024d8803baacdb4e2 Mon Sep 17 00:00:00 2001 From: yangzao Date: Fri, 24 Nov 2023 22:47:50 -0700 Subject: update afl-fuzz-run --- custom_mutators/examples/custom_post_run.c | 6 +++--- include/afl-fuzz.h | 4 +--- src/afl-fuzz-run.c | 19 ++++++++++++++++++- 3 files changed, 22 insertions(+), 7 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/custom_mutators/examples/custom_post_run.c b/custom_mutators/examples/custom_post_run.c index 073aac96..828216ea 100644 --- a/custom_mutators/examples/custom_post_run.c +++ b/custom_mutators/examples/custom_post_run.c @@ -2,10 +2,10 @@ // This is an example on how to use afl_custom_post_run // It executes custom code each time after AFL++ executes the target // -// cc -O3 -fPIC -shared -g -o custom_send.so -I../../include custom_send.c /////////////////////to_be_edited +// cc -O3 -fPIC -shared -g -o custom_post_run.so -I../../include custom_post_run.c // cd ../.. // afl-cc -o test-instr test-instr.c -// AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/examples/custom_send.so \ +// AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/examples/custom_post_run.so \ // afl-fuzz -i in -o out -- ./test-instr -f /tmp/foo // 
@@ -39,7 +39,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { } -void afl_custom_post_run(my_mutator_t *data, uint8_t *buf, size_t buf_size) { +void afl_custom_post_run(my_mutator_t *data) { printf("hello from afl_custom_post_run\n"); return; diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 7e91dc03..94f48009 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1027,10 +1027,8 @@ struct custom_mutator { * (Optional) * * @param data pointer returned in afl_custom_init by this custom mutator - * @param buf Buffer containing the test case - * @param buf_size Size of the test case */ - void (*afl_custom_post_run)(void *data, const u8 *buf, size_t buf_size); + void (*afl_custom_post_run)(void *data); /** * Allow for additional analysis (e.g. calling a different tool that does a diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 29cc5352..ac346b86 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -60,7 +60,7 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon); - + post_run(afl); #ifdef PROFILING clock_gettime(CLOCK_REALTIME, &spec); @@ -1113,3 +1113,20 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { } +/* Run some code each time scripts each time AFL++ executes the target + with afl-fuzz. */ + +void post_run(afl_state_t *afl) { + if (unlikely(afl->custom_mutators_count)) { + + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { + + if (el->afl_custom_post_run) { + + el->afl_custom_post_run(el->data); + + } + + }); + } +} \ No newline at end of file -- cgit 1.4.1 From c9e0f01b439870dc2b619ab2c18240b201ca1460 Mon Sep 17 00:00:00 2001 
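Review bot: The example hook calls `printf` after every target execution, which is the hottest path in afl-fuzz; stdout also appears to be where the fuzzer draws its status screen, so the output will interleave with the UI and the per-exec cost will show up directly in exec/s. For an example users will copy, write to stderr and say why in the comment, e.g. `fprintf(stderr, "hello from afl_custom_post_run\n");` preceded by `/* runs after EVERY execution - keep this cheap */`. The signature change also drops the test case from the hook, so the example can no longer tell which input was just executed; if that is intended, the file header should state that the hook is for side work (timers, external tools, state reset) rather than input inspection.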
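Review bot: The new `afl_custom_post_run` doc comment in afl-fuzz.h says nothing about when the hook fires or what it can observe, which is what a mutator author needs to know: from the afl-fuzz-run.c hunk it is invoked from `fuzz_run_target` after every `afl_fsrv_run_target` call, regardless of whether the run crashed, timed out or errored, and it receives only `data`, not the run result or the test case. Suggest expanding the comment with `* Called after every execution of the target, regardless of the run result.`, `* It receives neither the input nor the result, and it sits on the hot path,` and `* so keep it cheap.` Whether calibration and trimming runs also go through fuzz_run_target cannot be confirmed from this diff and should be checked before documenting it.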
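Review bot: `post_run(afl)` is called at line 63 of afl-fuzz-run.c but defined at the bottom of the same file, and this diff adds no prototype; unless afl-fuzz.h gains one elsewhere, that is an implicit function declaration, which current GCC and Clang defaults treat as a hard error. Either add `void post_run(afl_state_t *afl);` to afl-fuzz.h next to the other afl-fuzz-run.c prototypes, or make the function `static` and forward-declare it above `fuzz_run_target`. The call is also placed before the `#ifdef PROFILING` timestamp, so time spent in user hooks is not attributed in profiling output; if that is unintended, move the call after `time_spent_start` is taken. `fuzz_run_target` continues outside the hunk.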
From: yangzao Date: Mon, 27 Nov 2023 09:58:03 -0700 Subject: format code --- src/afl-fuzz-one.c | 1 + src/afl-fuzz-python.c | 4 +--- src/afl-fuzz-run.c | 13 ++++++------- src/afl-fuzz-stats.c | 50 ++++++++++++++++++++++++++------------------------ 4 files changed, 34 insertions(+), 34 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 67dafda8..01e34b69 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -1894,6 +1894,7 @@ custom_mutator_stage: LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { if (el->afl_custom_fuzz) { + havoc_queued = afl->queued_items; afl->current_custom_fuzz = el; diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 1b287405..4c7da774 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -939,9 +939,7 @@ void post_run_py(void *py_mutator) { py_args = PyTuple_New(0); py_value = PyObject_CallObject( - ((py_mutator_t *)py_mutator) - ->py_functions[PY_FUNC_POST_RUN], - py_args); + ((py_mutator_t *)py_mutator)->py_functions[PY_FUNC_POST_RUN], py_args); Py_DECREF(py_args); if (py_value != NULL) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ac346b86..04ccccba 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -1117,16 +1117,15 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { with afl-fuzz. */ void post_run(afl_state_t *afl) { + if (unlikely(afl->custom_mutators_count)) { - LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { - if (el->afl_custom_post_run) { + if (el->afl_custom_post_run) { el->afl_custom_post_run(el->data); } - el->afl_custom_post_run(el->data); + }); - } + } - }); - } -} \ No newline at end of file +} diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 07184cf0..d945dabf 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
@@ -138,7 +138,7 @@ void load_stats_file(afl_state_t *afl) { FILE *f; u8 buf[MAX_LINE]; - u8 * lptr; + u8 *lptr; u8 fn[PATH_MAX]; u32 lineno = 0; snprintf(fn, PATH_MAX, "%s/fuzzer_stats", afl->out_dir); @@ -421,7 +421,7 @@ void write_stats_file(afl_state_t *afl, u32 t_bytes, double bitmap_cvg, void write_queue_stats(afl_state_t *afl) { FILE *f; - u8 * fn = alloc_printf("%s/queue_data", afl->out_dir); + u8 *fn = alloc_printf("%s/queue_data", afl->out_dir); if ((f = fopen(fn, "w")) != NULL) { u32 id; @@ -857,8 +857,9 @@ void show_stats_normal(afl_state_t *afl) { /* Since `total_crashes` does not get reloaded from disk on restart, it indicates if we found crashes this round already -> paint red. If it's 0, but `saved_crashes` is set from a past run, paint in yellow. */ - char *crash_color = - afl->total_crashes ? cLRD : afl->saved_crashes ? cYEL : cRST; + char *crash_color = afl->total_crashes ? cLRD + : afl->saved_crashes ? cYEL + : cRST; /* Lord, forgive me this. */ @@ -881,26 +882,26 @@ void show_stats_normal(afl_state_t *afl) { } else - /* Subsequent cycles, but we're still making finds. */ - if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) { + /* Subsequent cycles, but we're still making finds. */ + if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) { - strcpy(tmp, cYEL); + strcpy(tmp, cYEL); - } else + } else /* No finds for a long time and no test cases to try. */ if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed && min_wo_finds > 120) { - strcpy(tmp, cLGN); + strcpy(tmp, cLGN); - /* Default: cautiously OK to stop? */ + /* Default: cautiously OK to stop? */ - } else { + } else { - strcpy(tmp, cLBL); + strcpy(tmp, cLBL); - } + } } 
@@ -1666,8 +1667,9 @@ void show_stats_pizza(afl_state_t *afl) { /* Since `total_crashes` does not get reloaded from disk on restart, it indicates if we found crashes this round already -> paint red. If it's 0, but `saved_crashes` is set from a past run, paint in yellow. */ - char *crash_color = - afl->total_crashes ? cLRD : afl->saved_crashes ? cYEL : cRST; + char *crash_color = afl->total_crashes ? cLRD + : afl->saved_crashes ? cYEL + : cRST; /* Lord, forgive me this. */ @@ -1690,26 +1692,26 @@ void show_stats_pizza(afl_state_t *afl) { } else - /* Subsequent cycles, but we're still making finds. */ - if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) { + /* Subsequent cycles, but we're still making finds. */ + if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) { - strcpy(tmp, cYEL); + strcpy(tmp, cYEL); - } else + } else /* No finds for a long time and no test cases to try. */ if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed && min_wo_finds > 120) { - strcpy(tmp, cLGN); + strcpy(tmp, cLGN); - /* Default: cautiously OK to stop? */ + /* Default: cautiously OK to stop? */ - } else { + } else { - strcpy(tmp, cLBL); + strcpy(tmp, cLBL); - } + } } -- cgit 1.4.1 From bb523b46482ce212355b32882158cb129d2e8487 Mon Sep 17 00:00:00 2001 From: yangzao Date: Mon, 27 Nov 2023 09:59:02 -0700 Subject: update --- src/afl-fuzz-run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 04ccccba..8d0f2c2d 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -1113,7 +1113,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { } -/* Run some code each time scripts each time AFL++ executes the target +/* Run some code or scripts each time AFL++ executes the target program with afl-fuzz. */ void post_run(afl_state_t *afl) { -- cgit 1.4.1 From 81b43cefdfa99b14628c487dc0183a4c1a21c811 Mon Sep 17 00:00:00 2001 
From: yangzao Date: Mon, 27 Nov 2023 10:25:12 -0700 Subject: merge function --- src/afl-fuzz-run.c | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 8d0f2c2d..ae7969a6 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -60,7 +60,18 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon); - post_run(afl); + /* If post_run() function is defined in custom mutator, the function will be + called each time after AFL++ executes the target program. */ + + if (unlikely(afl->custom_mutators_count)) { + + LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { + + if (el->afl_custom_post_run) { el->afl_custom_post_run(el->data); } + + }); + + } #ifdef PROFILING clock_gettime(CLOCK_REALTIME, &spec); @@ -1112,20 +1123,3 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { return 0; } - -/* Run some code or scripts each time AFL++ executes the target program - with afl-fuzz. */ - -void post_run(afl_state_t *afl) { - - if (unlikely(afl->custom_mutators_count)) { - - LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { - - if (el->afl_custom_post_run) { el->afl_custom_post_run(el->data); } - - }); - - } - -} -- cgit 1.4.1 From d2aef74ad77e49a96f152517445a515ba4814bcb Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 22 Nov 2023 14:56:57 +0100 Subject: changes --- TODO.md | 2 ++ src/afl-fuzz-run.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'src/afl-fuzz-run.c') diff --git a/TODO.md b/TODO.md index 3f8855a0..9e9a2366 100644 --- a/TODO.md +++ b/TODO.md 
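Review bot: The inlined loop runs every hook unconditionally after `afl_fsrv_run_target`, including when `res` is `FSRV_RUN_ERROR` (the forkserver itself failed) or when `afl->stop_soon` was set during the run, and a hook cannot tell because it receives only `el->data`. If hooks are meant to do per-execution work such as resetting external state, a run that never happened should probably not trigger them; consider `if (unlikely(afl->custom_mutators_count) && res != FSRV_RUN_ERROR)` or at least make the contract explicit in the comment, e.g. `/* ... called after every execution, regardless of the result. */`. The hunk does not show the other callers of fuzz_run_target, so the cost of walking the mutator list presumably applies to those paths as well; `fuzz_run_target` continues past the hunk.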
@@ -7,6 +7,8 @@ - cmplog rtn sanity check on fixed length? + no length 1 - afl-showmap -f support - afl-fuzz multicore wrapper script + - when trimming then perform crash detection + - either -L0 and/or -p mmopt results in zero new coverage ## Should diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index ae7969a6..b6d5df95 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -931,7 +931,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { detected, it will still work to some extent, so we don't check for this. */ - if (q->len < 5) { return 0; } + if (unlikely(q->len < 5)) { return 0; } afl->stage_name = afl->stage_name_buf; afl->bytes_trim_in += q->len; -- cgit 1.4.1 From dd9a04c901c79fe2f3f078de6cc0777e3a5d96df Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 28 Nov 2023 09:14:29 +0100 Subject: code format --- docs/Changelog.md | 1 + src/afl-fuzz-run.c | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 1e2a4765..f7842d59 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -13,6 +13,7 @@ - added scale support to CMPLOG (-l S) - added --version and --help command line parameters - fixed endless loop when reading malformed dictionaries + - new custom mutator function: post_run - thanks to yangzao! - afl-whatsup: - detect instanced that are starting up and show them as such as not dead - now also shows coverage reached diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index b6d5df95..34a5ff81 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
@@ -62,12 +62,16 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { /* If post_run() function is defined in custom mutator, the function will be called each time after AFL++ executes the target program. */ - + if (unlikely(afl->custom_mutators_count)) { LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { - if (el->afl_custom_post_run) { el->afl_custom_post_run(el->data); } + if (unlikely(el->afl_custom_post_run)) { + + el->afl_custom_post_run(el->data); + + } }); @@ -1123,3 +1127,4 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { return 0; } + -- cgit 1.4.1
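Review bot: `unlikely(el->afl_custom_post_run)` is a branch hint that assumes a loaded mutator usually does not define the hook, but this loop is only reached when custom mutators are loaded, and anyone who loads one for post_run will take the "unlikely" branch on every single execution. The outer `unlikely(afl->custom_mutators_count)` already covers the common no-mutator case, so drop the inner hint and keep the plain test, `if (el->afl_custom_post_run) {`. The enclosing `fuzz_run_target` starts and ends outside the hunk.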