From 5cad92e57ecda270753cf70311a7ac1ff6fdcc9e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 21 Jun 2020 18:07:30 +0200 Subject: fix unicorn mode for CFLAGS --- src/afl-fuzz-run.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index a1e8417f..a355ae0f 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -413,7 +413,7 @@ void sync_fuzzers(afl_state_t *afl) { DIR * sd; struct dirent *sd_ent; u32 sync_cnt = 0, synced = 0, entries = 0; - u8 path[PATH_MAX]; + u8 path[PATH_MAX + 256]; sd = opendir(afl->sync_dir); if (!sd) { PFATAL("Unable to open '%s'", afl->sync_dir); } @@ -533,7 +533,7 @@ void sync_fuzzers(afl_state_t *afl) { s32 fd; struct stat st; - sprintf(path, "%s/%s", qd_path, namelist[o]->d_name); + snprintf(path, sizeof (path), "%s/%s", qd_path, namelist[o]->d_name); afl->syncing_case = next_min_accept; next_min_accept++; o--; -- cgit 1.4.1 From a49b5ef072011cc840c37653d6f6469dc3671968 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 22 Jun 2020 07:16:24 +0200 Subject: allow /tmp --- afl-cmin.bash | 47 +++++++++++++++++++++++------------------------ afl-plot | 35 ++++++++++++++++------------------- docs/Changelog.md | 1 + src/afl-fuzz-init.c | 15 +++++++++------ src/afl-fuzz-run.c | 2 +- 5 files changed, 50 insertions(+), 50 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/afl-cmin.bash b/afl-cmin.bash index 1f23f6bc..bdef1edc 100755 --- a/afl-cmin.bash +++ b/afl-cmin.bash @@ -134,7 +134,6 @@ Environment variables used: AFL_KEEP_TRACES: leave the temporary \.traces directory AFL_PATH: path for the afl-showmap binary AFL_SKIP_BIN_CHECK: skip check for target binary -AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp _EOF_ exit 1 fi @@ -142,29 +141,29 @@ fi # Do a sanity check to discourage the use of /tmp, since we can't really # handle this safely from a shell script. -if [ "$AFL_ALLOW_TMP" = "" ]; then - - echo "$IN_DIR" | grep -qE '^(/var)?/tmp/' - T1="$?" - - echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/' - T2="$?" - - echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/' - T3="$?" - - echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/' - T4="$?" - - echo "$PWD" | grep -qE '^(/var)?/tmp/' - T5="$?" - - if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then - echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2 - exit 1 - fi - -fi +#if [ "$AFL_ALLOW_TMP" = "" ]; then +# +# echo "$IN_DIR" | grep -qE '^(/var)?/tmp/' +# T1="$?" +# +# echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/' +# T2="$?" +# +# echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/' +# T3="$?" +# +# echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/' +# T4="$?" +# +# echo "$PWD" | grep -qE '^(/var)?/tmp/' +# T5="$?" +# +# if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then +# echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2 +# exit 1 +# fi +# +#fi # If @@ is specified, but there's no -f, let's come up with a temporary input # file name. diff --git a/afl-plot b/afl-plot index 55745e93..de344eaa 100755 --- a/afl-plot +++ b/afl-plot @@ -35,9 +35,6 @@ an empty directory where this tool can write the resulting plots to. The program will put index.html and three PNG images in the output directory; you should be able to view it with any web browser of your choice. - -Environment variables used: -AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories _EOF_ exit 1 @@ -47,22 +44,22 @@ fi inputdir=`get_abs_path "$1"` outputdir=`get_abs_path "$2"` -if [ "$AFL_ALLOW_TMP" = "" ]; then - - echo "$inputdir" | grep -qE '^(/var)?/tmp/' - T1="$?" - - echo "$outputdir" | grep -qE '^(/var)?/tmp/' - T2="$?" - - if [ "$T1" = "0" -o "$T2" = "0" ]; then - - echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2 - exit 1 - - fi - -fi +#if [ "$AFL_ALLOW_TMP" = "" ]; then +# +# echo "$inputdir" | grep -qE '^(/var)?/tmp/' +# T1="$?" +# +# echo "$outputdir" | grep -qE '^(/var)?/tmp/' +# T2="$?" +# +# if [ "$T1" = "0" -o "$T2" = "0" ]; then +# +# echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2 +# exit 1 +# +# fi +# +#fi if [ ! -f "$inputdir/plot_data" ]; then diff --git a/docs/Changelog.md b/docs/Changelog.md index efc18ab5..bc91f2ee 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -44,6 +44,7 @@ sending a mail to . - Unicornafl - Added powerPC support from unicorn/next - rust bindings! + - Allow running in /tmp (only unsafe with umask 0) - persistent mode shared memory testcase handover (instead of via files/stdin) - 10-100% performance increase - General support for 64 bit PowerPC, RiscV, Sparc etc. diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index ee96c73c..a2e849dc 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2128,14 +2128,17 @@ void check_binary(afl_state_t *afl, u8 *fname) { /* Check for blatant user errors. */ - if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) && - !strchr(afl->fsrv.target_path + 5, '/')) || - (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) && - !strchr(afl->fsrv.target_path + 9, '/'))) { + /* disabled. not a real-worl scenario where this is a problem. + if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) && + !strchr(afl->fsrv.target_path + 5, '/')) || + (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) && + !strchr(afl->fsrv.target_path + 9, '/'))) { - FATAL("Please don't keep binaries in /tmp or /var/tmp"); + FATAL("Please don't keep binaries in /tmp or /var/tmp"); - } + } + + */ fd = open(afl->fsrv.target_path, O_RDONLY); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index a355ae0f..eb562c60 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -533,7 +533,7 @@ void sync_fuzzers(afl_state_t *afl) { s32 fd; struct stat st; - snprintf(path, sizeof (path), "%s/%s", qd_path, namelist[o]->d_name); + snprintf(path, sizeof(path), "%s/%s", qd_path, namelist[o]->d_name); afl->syncing_case = next_min_accept; next_min_accept++; o--; -- cgit 1.4.1 From bdc8e3b79e8fd4b59ef71a9f585fe8590b90f1c2 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 24 Jun 2020 11:09:33 +0200 Subject: create .synced/NAMES.last to document last sync attempts --- src/afl-fuzz-run.c | 11 ++++++++--- src/afl-fuzz.c | 4 ++-- 2 files changed, 10 insertions(+), 5 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index eb562c60..432d0195 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -466,6 +466,12 @@ void sync_fuzzers(afl_state_t *afl) { synced++; + /* document the attempt to sync to this instance */ + + sprintf(qd_synced_path, "%s/.synced/%s.last", afl->out_dir, sd_ent->d_name); + id_fd = open(qd_synced_path, O_RDWR | O_CREAT | O_TRUNC, 0600); + if (id_fd >= 0) close(id_fd); + /* Skip anything that doesn't have a queue/ subdirectory. */ sprintf(qd_path, "%s/%s/queue", afl->sync_dir, sd_ent->d_name); @@ -490,14 +496,13 @@ void sync_fuzzers(afl_state_t *afl) { if (id_fd < 0) { PFATAL("Unable to create '%s'", qd_synced_path); } - if (read(id_fd, &min_accept, sizeof(u32)) > 0) { + if (read(id_fd, &min_accept, sizeof(u32)) == sizeof(u32)) { + next_min_accept = min_accept; lseek(id_fd, 0, SEEK_SET); } - next_min_accept = min_accept; - /* Show stats */ snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "sync %u", ++sync_cnt); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c8083f71..f3b63ff0 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -384,7 +384,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->out_dir = optarg; break; - case 'M': { /* master sync ID */ + case 'M': { /* main sync ID */ u8 *c; @@ -413,7 +413,7 @@ int main(int argc, char **argv_orig, char **envp) { break; - case 'S': + case 'S': /* secondary sync id */ if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } afl->sync_id = ck_strdup(optarg); -- cgit 1.4.1 From d5409714435f5cc193f93c85c455a09718e57641 Mon Sep 17 00:00:00 2001 From: David Melski Date: Wed, 24 Jun 2020 13:49:23 -0400 Subject: Fix saturated maps & stability cliff in recalibration I have observed two problems: 1. A sudden "stability cliff" where stability drops precipitously. 2. A sudden jump to a 100% saturated "density map". Both issues are due to attempted "recalibration" of a case at the beginning of fuzz_one_original() or mopt_common_fuzzing(). See the comments "CALIBRATION (only if failed earlier on)" in those functions and the subsequent call to calibrate_case(). At those calls to calibrate_case(), afl->fsrv.trace_bits holds trace_bits for a run of the SUT on a prior queue entry. However, calibrate_case() may use the trace_bits as if they apply to the current queue entry (afl->queue_cur). Most often this bug causes the "stability cliff". Trace bits are compared for runs on distinct inputs, which can be very different. The result is a sudden drop in stability. Sometimes it leads to the "saturated map" problem. A saturated density map arises if the trace bits on the previous entry were "simplified" by simplify_trace(). Simplified traces only contain the values 1 and 128. They are meant to be compared against virgin_crashes and virgin_tmouts. However, this bug causes the (stale) simplified trace to be compared against virgin_bits during a call to has_new_bits(), which causes every byte in vigin_bits to be something other than 255. The overall map density is determined by the percentage of bytes not 255, which will be 100%. Worse, AFL++ will be unable to detect novel occurrences of edge counts 1 and 128 going forward. This patch avoids the above issues by clearing q->exec_cksum when calibration fails. Recalibrations are forced to start with a fresh trace on the queue entry. Thanks to @andreafioraldi for suggesting the current, improved patch. --- src/afl-fuzz-run.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 432d0195..ee63f3c9 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -374,6 +374,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, abort_calibration: + if (q->cal_failed) { q->exec_cksum = 0; } + if (new_bits == 2 && !q->has_new_cov) { q->has_new_cov = 1; -- cgit 1.4.1 From b5573b3adbe01681156598ce064c228c0140f782 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 25 Jun 2020 10:33:59 +0200 Subject: add seek power schedule, remove update stats in calibration, fix help output --- docs/Changelog.md | 2 ++ docs/power_schedules.md | 1 + include/afl-fuzz.h | 1 + src/afl-fuzz-queue.c | 15 +++++++-------- src/afl-fuzz-run.c | 6 ------ src/afl-fuzz-state.c | 6 +++--- src/afl-fuzz-stats.c | 3 ++- src/afl-fuzz.c | 28 ++++++++++++++++++---------- 8 files changed, 34 insertions(+), 28 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index 336dca01..a692571e 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -24,6 +24,8 @@ sending a mail to . - Ensure that the targets are killed on exit - fix/update to MOpt (thanks to arnow117) - added MOpt dictionary support from repo + - added experimental SEEK power schedule. It is EXPLORE with ignoring + the runtime and less focus on the length of the test case - llvm_mode: - the default instrumentation is now PCGUARD if the llvm version is >= 7, as it is faster and provides better coverage. The original afl diff --git a/docs/power_schedules.md b/docs/power_schedules.md index 067a1d91..06fefa12 100644 --- a/docs/power_schedules.md +++ b/docs/power_schedules.md @@ -21,6 +21,7 @@ We find that AFL's exploitation-based constant schedule assigns **too much energ | `-p exploit` (AFL) | ![LIN](http://latex.codecogs.com/gif.latex?p%28i%29%20%3D%20%5Calpha%28i%29) | | `-p mmopt` | Experimental: `explore` with no weighting to runtime and increased weighting on the last 5 queue entries | | `-p rare` | Experimental: `rare` puts focus on queue entries that hit rare edges | +| `-p seek` | Experimental: `seek` is EXPLORE but ignoring the runtime of the queue input and less focus on the size | where *α(i)* is the performance score that AFL uses to compute for the seed input *i*, *β(i)>1* is a constant, *s(i)* is the number of times that seed *i* has been chosen from the queue, *f(i)* is the number of generated inputs that exercise the same path as seed *i*, and *μ* is the average number of generated inputs exercising a path. More details can be found in the paper that was accepted at the [23rd ACM Conference on Computer and Communications Security (CCS'16)](https://www.sigsac.org/ccs/CCS2016/accepted-papers/). diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 16f7d717..5dca8fcd 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -233,6 +233,7 @@ enum { /* 05 */ QUAD, /* Quadratic schedule */ /* 06 */ RARE, /* Rare edges */ /* 07 */ MMOPT, /* Modified MOPT schedule */ + /* 08 */ SEEK, /* EXPLORE that ignores timings */ POWER_SCHEDULES_NUM diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 0e8c8e47..4c6eb88f 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -201,8 +201,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { else fuzz_p2 = q->fuzz_level; - if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) || - unlikely(afl->fixed_seed)) { + if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) { fav_factor = q->len << 2; @@ -228,8 +227,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { else top_rated_fuzz_p2 = afl->top_rated[i]->fuzz_level; - if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) || - unlikely(afl->fixed_seed)) { + if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) { top_rated_fav_factor = afl->top_rated[i]->len << 2; @@ -250,8 +248,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { } - if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) || - unlikely(afl->fixed_seed)) { + if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) { if (fav_factor > afl->top_rated[i]->len << 2) { continue; } @@ -396,8 +393,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { // Longer execution time means longer work on the input, the deeper in // coverage, the better the fuzzing, right? -mh - if (afl->schedule != MMOPT && afl->schedule != RARE && - likely(!afl->fixed_seed)) { + if (afl->schedule >= RARE && likely(!afl->fixed_seed)) { if (q->exec_us * 0.1 > avg_exec_us) { @@ -509,6 +505,9 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { case EXPLORE: break; + case SEEK: + break; + case EXPLOIT: factor = MAX_FACTOR; break; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 432d0195..2bd0caee 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -286,12 +286,6 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u64 cksum; - if (!first_run && !(afl->stage_cur % afl->stats_update_freq)) { - - show_stats(afl); - - } - write_to_testcase(afl, use_mem, q->len); fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 814c2ca2..ece2d170 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -30,9 +30,9 @@ s8 interesting_8[] = {INTERESTING_8}; s16 interesting_16[] = {INTERESTING_8, INTERESTING_16}; s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32}; -char *power_names[POWER_SCHEDULES_NUM] = { - - "explore", "exploit", "fast", "coe", "lin", "quad", "rare", "mmopt"}; +char *power_names[POWER_SCHEDULES_NUM] = {"explore", "exploit", "fast", + "coe", "lin", "quad", + "rare", "mmopt", "seek"}; /* Initialize MOpt "globals" for this afl state */ diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 3fb0fdf5..0f89abca 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -194,7 +194,8 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) { afl->plot_prev_uc == afl->unique_crashes && afl->plot_prev_uh == afl->unique_hangs && afl->plot_prev_md == afl->max_depth) || - unlikely(!afl->queue_cycle) || unlikely(get_cur_time() - afl->start_time <= 60)) { + unlikely(!afl->queue_cycle) || + unlikely(get_cur_time() - afl->start_time <= 60)) { return; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5a5a33d2..a20d4cba 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -115,12 +115,13 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { " -o dir - output directory for fuzzer findings\n\n" "Execution control settings:\n" - " -p schedule - power schedules recompute a seed's performance " - "score.\n" - " \n" + " -p schedule - power schedules compute a seed's performance score. " + "\n" " see docs/power_schedules.md\n" - " -f file - location read by the fuzzed program (stdin)\n" + " -f file - location read by the fuzzed program (default: stdin " + "or @@)\n" " -t msec - timeout for each run (auto-scaled, 50-%d ms)\n" " -m megs - memory limit for child process (%d MB)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" @@ -146,7 +147,7 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "devices etc.!)\n" " -d - quick & dirty mode (skips deterministic steps)\n" " -n - fuzz without instrumentation (non-instrumented mode)\n" - " -x dir - optional fuzzer dictionary (see README.md, its really " + " -x dict_file - optional fuzzer dictionary (see README.md, its really " "good!)\n\n" "Testing settings:\n" @@ -164,11 +165,11 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "fuzzing\n" " -I command - execute this command/script when a new crash is " "found\n" - " -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap " - "file\n" + //" -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap + //" "file\n" " -C - crash exploration mode (the peruvian rabbit thing)\n" - " -e ext - file extension for the temporarily generated test " - "case\n\n", + " -e ext - file extension for the fuzz test case case (if " + "needed)\n\n", argv0, EXEC_TIMEOUT, MEM_LIMIT); if (more_help > 1) { @@ -349,6 +350,10 @@ int main(int argc, char **argv_orig, char **envp) { afl->schedule = RARE; + } else if (!stricmp(optarg, "seek")) { + + afl->schedule = SEEK; + } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") || !stricmp(optarg, "normal") || !stricmp(optarg, "afl")) { @@ -954,6 +959,9 @@ int main(int argc, char **argv_orig, char **envp) { case RARE: OKF("Using rare edge focus power schedule (RARE)"); break; + case SEEK: + OKF("Using seek power schedule (SEEK)"); + break; case EXPLORE: OKF("Using exploration-based constant power schedule (EXPLORE, default)"); break; -- cgit 1.4.1 From c8f60a7fbfeac86226b4fc6c441af2c45f5db521 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 25 Jun 2020 17:25:16 +0200 Subject: initialized variable --- src/afl-fuzz-run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index b8a5ad2f..d5c80cb3 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -423,7 +423,7 @@ void sync_fuzzers(afl_state_t *afl) { while ((sd_ent = readdir(sd))) { u8 qd_synced_path[PATH_MAX], qd_path[PATH_MAX]; - u32 min_accept = 0, next_min_accept; + u32 min_accept = 0, next_min_accept = 0; s32 id_fd; -- cgit 1.4.1 From 171b1923e94b7157d9c0574fae890d31fd880e4c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 25 Jun 2020 22:02:02 +0200 Subject: shmem release fix --- GNUmakefile | 8 ++++---- docs/Changelog.md | 1 + src/afl-fuzz-run.c | 1 + src/afl-fuzz.c | 38 +++++++++++++++++++++++++++++++++++--- src/afl-sharedmem.c | 2 ++ src/afl-showmap.c | 51 ++++++++++++++++++++++++++++++++------------------- src/afl-tmin.c | 49 ++++++++++++++++++++++++++++++++----------------- 7 files changed, 107 insertions(+), 43 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/GNUmakefile b/GNUmakefile index ad7169cd..616d4f70 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -122,7 +122,7 @@ endif ifeq "$(shell uname -s)" "Haiku" SHMAT_OK=0 override CFLAGS += -DUSEMMAP=1 -Wno-error=format -fPIC - LDFLAGS+=-Wno-deprecated-declarations -lgnu + LDFLAGS += -Wno-deprecated-declarations -lgnu SPECIAL_PERFORMANCE += -DUSEMMAP=1 endif @@ -253,14 +253,14 @@ ifeq "$(shell echo '$(HASH)include @$(HASH)include @int ma else SHMAT_OK=0 override CFLAGS+=-DUSEMMAP=1 - LDFLAGS+=-Wno-deprecated-declarations + LDFLAGS += -Wno-deprecated-declarations -lrt endif ifdef TEST_MMAP SHMAT_OK=0 override CFLAGS += -DUSEMMAP=1 - LDFLAGS += -Wno-deprecated-declarations -else + LDFLAGS += -Wno-deprecated-declarations -lrt +$(info LDFLAGS=$(LDFLAGS)) endif all: test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done diff --git a/docs/Changelog.md b/docs/Changelog.md index abfd4386..1a9623a7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -49,6 +49,7 @@ sending a mail to . - Unicornafl - Added powerPC support from unicorn/next - rust bindings! + - ensure shmem is released on errors - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not compiled by default anymore. - allow running in /tmp (only unsafe with umask 0) diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index d5c80cb3..da5b6bc4 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -262,6 +262,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) { + unsetenv(SHM_FUZZ_ENV_VAR); afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); afl->shm_fuzz = NULL; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 2f23aec7..e7a855ff 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -26,6 +26,13 @@ #include "afl-fuzz.h" #include "cmplog.h" #include +#ifndef USEMMAP + #include + #include + #include + #include + #include +#endif #ifdef PROFILING extern u64 time_spent_working; @@ -34,6 +41,7 @@ extern u64 time_spent_working; static void at_exit() { int i; + char *list[4] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR, CMPLOG_SHM_ENV_VAR, NULL}; char *ptr = getenv("__AFL_TARGET_PID1"); if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); @@ -42,7 +50,28 @@ static void at_exit() { if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); - // anything else? shared memory? + i = 0; + while (list[i] != NULL) { + + ptr = getenv(list[i]); + + if (ptr && *ptr) { + +#ifdef USEMMAP + + shm_unlink(ptr); + +#else + + shmctl(atoi(ptr), IPC_RMID, NULL); + +#endif + + } + + i++; + + } } @@ -991,6 +1020,8 @@ int main(int argc, char **argv_orig, char **envp) { check_crash_handling(); check_cpu_governor(afl); + atexit(at_exit); + afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode); @@ -1154,8 +1185,6 @@ int main(int argc, char **argv_orig, char **envp) { } - atexit(at_exit); - perform_dry_run(afl); cull_queue(afl); @@ -1326,10 +1355,13 @@ stop_fuzzing: destroy_queue(afl); destroy_extras(afl); destroy_custom_mutators(afl); + unsetenv(SHM_ENV_VAR); + unsetenv(CMPLOG_SHM_ENV_VAR); afl_shm_deinit(&afl->shm); if (afl->shm_fuzz) { + unsetenv(SHM_FUZZ_ENV_VAR); afl_shm_deinit(afl->shm_fuzz); ck_free(afl->shm_fuzz); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index f8bbebc8..44a91a97 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -66,6 +66,8 @@ static list_t shm_list = {.element_prealloc_count = 0}; void afl_shm_deinit(sharedmem_t *shm) { + if (shm == NULL) return; + list_remove(&shm_list, shm); #ifdef USEMMAP diff --git a/src/afl-showmap.c b/src/afl-showmap.c index de25e427..1ab7d0a8 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -82,11 +82,16 @@ static u8 quiet_mode, /* Hide non-essential messages? */ raw_instr_output, /* Do not apply AFL filters */ cmin_mode, /* Generate output in afl-cmin mode? */ binary_mode, /* Write output as a binary map */ - keep_cores; /* Allow coredumps? */ + keep_cores, /* Allow coredumps? */ + remove_shm = 1; /* remove shmem? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_crashed; /* Child crashed? */ +static sharedmem_t shm; +static afl_forkserver_t *fsrv; +static sharedmem_t * shm_fuzz; + /* Classify tuple counts. Instead of mapping to individual bits, as in afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ @@ -141,12 +146,32 @@ static void classify_counts(afl_forkserver_t *fsrv) { } +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Get rid of temp files (atexit handler). */ static void at_exit_handler(void) { if (stdin_file) { unlink(stdin_file); } + if (remove_shm) { + + if (shm.map) afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz); + + } + + afl_fsrv_killall(); + } /* Write results. */ @@ -566,17 +591,6 @@ static void usage(u8 *argv0) { } -static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, - sharedmem_t * shm_fuzz) { - - afl_shm_deinit(shm_fuzz); - fsrv->support_shmem_fuzz = 0; - fsrv->shmem_fuzz = NULL; - ck_free(shm_fuzz); - return NULL; - -} - /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -590,8 +604,8 @@ int main(int argc, char **argv_orig, char **envp) { char **argv = argv_cpy_dup(argc, argv_orig); - afl_forkserver_t fsrv_var = {0}; - afl_forkserver_t *fsrv = &fsrv_var; + afl_forkserver_t fsrv_var = {0}; + fsrv = &fsrv_var; afl_fsrv_init(fsrv); map_size = get_map_size(); fsrv->map_size = map_size; @@ -797,7 +811,6 @@ int main(int argc, char **argv_orig, char **envp) { // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } - sharedmem_t shm = {0}; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); setup_signal_handlers(); @@ -851,8 +864,8 @@ int main(int argc, char **argv_orig, char **envp) { } - sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); - u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); @@ -999,14 +1012,14 @@ int main(int argc, char **argv_orig, char **envp) { } + remove_shm = 0; afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); u32 ret = child_crashed * 2 + fsrv->last_run_timed_out; if (fsrv->target_path) { ck_free(fsrv->target_path); } - if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); - afl_fsrv_deinit(fsrv); if (stdin_file) { ck_free(stdin_file); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 8b028327..5e4bdb6c 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -80,10 +80,16 @@ static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ exit_crash, /* Treat non-zero exit as crash? */ edges_only, /* Ignore hit counts? */ - exact_mode; /* Require path match for crashes? */ + exact_mode, /* Require path match for crashes? */ + remove_out_file, /* remove out_file on exit? */ + remove_shm = 1; /* remove shmem on exit? */ static volatile u8 stop_soon; /* Ctrl-C pressed? */ +static afl_forkserver_t *fsrv; +static sharedmem_t shm; +static sharedmem_t * shm_fuzz; + /* * forkserver section */ @@ -105,6 +111,17 @@ static const u8 count_class_lookup[256] = { }; +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Apply mask to classified bitmap (if set). */ static void apply_mask(u32 *mem, u32 *mask) { @@ -169,7 +186,15 @@ static inline u8 anything_set(afl_forkserver_t *fsrv) { static void at_exit_handler(void) { + if (remove_shm) { + + if (shm.map) afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz); + + } + afl_fsrv_killall(); + if (remove_out_file) unlink(out_file); } @@ -623,6 +648,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, (u32)getpid()); + remove_out_file = 1; } @@ -802,17 +828,6 @@ static void usage(u8 *argv0) { } -static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, - sharedmem_t * shm_fuzz) { - - afl_shm_deinit(shm_fuzz); - fsrv->support_shmem_fuzz = 0; - fsrv->shmem_fuzz = NULL; - ck_free(shm_fuzz); - return NULL; - -} - /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -823,8 +838,8 @@ int main(int argc, char **argv_orig, char **envp) { char **argv = argv_cpy_dup(argc, argv_orig); - afl_forkserver_t fsrv_var = {0}; - afl_forkserver_t *fsrv = &fsrv_var; + afl_forkserver_t fsrv_var = {0}; + fsrv = &fsrv_var; afl_fsrv_init(fsrv); map_size = get_map_size(); fsrv->map_size = map_size; @@ -1021,7 +1036,6 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); - sharedmem_t shm = {0}; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); @@ -1063,8 +1077,8 @@ int main(int argc, char **argv_orig, char **envp) { SAYF("\n"); - sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); - u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } #ifdef USEMMAP setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); @@ -1138,6 +1152,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("We're done here. Have a nice day!\n"); + remove_shm = 0; afl_shm_deinit(&shm); if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); afl_fsrv_deinit(fsrv); -- cgit 1.4.1 From 976e99b1d41e25d6d5eabf2e6085c01d51334285 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Fri, 26 Jun 2020 10:17:21 +0200 Subject: original fix for calibration error --- src/afl-fuzz-one.c | 4 ++++ src/afl-fuzz-run.c | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index dfb103d7..72383727 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -494,6 +494,8 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->queue_cur->cal_failed < CAL_CHANCES) { + afl->queue_cur->exec_cksum = 0; + res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); @@ -2567,6 +2569,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->queue_cur->cal_failed < CAL_CHANCES) { + afl->queue_cur->exec_cksum = 0; + res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index da5b6bc4..52931a39 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -369,8 +369,6 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, abort_calibration: - if (q->cal_failed) { q->exec_cksum = 0; } - if (new_bits == 2 && !q->has_new_cov) { q->has_new_cov = 1; -- cgit 1.4.1 From e5e485fcdb039fc77842b0753a4adf42d6063388 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 29 Jun 2020 00:58:05 +0200 Subject: fix autodict --- GNUmakefile | 4 +-- examples/persistent_demo/persistent_demo_new.c | 4 +++ include/afl-prealloc.h | 2 +- include/alloc-inl.h | 6 ++--- llvm_mode/afl-llvm-rt.o.c | 6 +++++ src/afl-forkserver.c | 36 ++++++++++++++++---------- src/afl-fuzz-run.c | 26 ++++++++++++------- src/afl-performance.c | 4 +++ src/afl-showmap.c | 4 ++- 9 files changed, 62 insertions(+), 30 deletions(-) (limited to 'src/afl-fuzz-run.c') diff --git a/GNUmakefile b/GNUmakefile index d95eaab1..748cd73c 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -394,8 +394,8 @@ afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86 # document all mutations and only do one run (use with only one input file!) -document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86 - $(CC) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS) +document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86 + $(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS) test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES) @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o diff --git a/examples/persistent_demo/persistent_demo_new.c b/examples/persistent_demo/persistent_demo_new.c index 98909442..e4e328b0 100644 --- a/examples/persistent_demo/persistent_demo_new.c +++ b/examples/persistent_demo/persistent_demo_new.c @@ -49,9 +49,13 @@ int main(int argc, char **argv) { len = __AFL_FUZZ_TESTCASE_LEN; + fprintf(stderr, "input: %zd \"%s\"\n", len, buf); + /* do we have enough data? */ if (len < 8) continue; + if (strcmp((char *)buf, "thisisateststring") == 0) printf("teststring\n"); + if (buf[0] == 'f') { printf("one\n"); diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h index a9de3ba2..fa6c9b70 100644 --- a/include/afl-prealloc.h +++ b/include/afl-prealloc.h @@ -60,7 +60,7 @@ typedef enum prealloc_status { \ if ((prealloc_counter) >= (prealloc_size)) { \ \ - el_ptr = (element_t *) malloc(sizeof(*el_ptr)); \ + el_ptr = (element_t *)malloc(sizeof(*el_ptr)); \ if (!el_ptr) { FATAL("error in list.h -> out of memory for element!"); } \ el_ptr->pre_status = PRE_STATUS_MALLOC; \ \ diff --git a/include/alloc-inl.h b/include/alloc-inl.h index decc2d43..832b2de4 100644 --- a/include/alloc-inl.h +++ b/include/alloc-inl.h @@ -170,10 +170,10 @@ static inline u8 *DFL_ck_strdup(u8 *str) { size = strlen((char *)str) + 1; ALLOC_CHECK_SIZE(size); - ret = (u8*) malloc(size); + ret = (u8 *)malloc(size); ALLOC_CHECK_RESULT(ret, size); - return (u8*)memcpy(ret, str, size); + return (u8 *)memcpy(ret, str, size); } @@ -204,7 +204,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) { if (!mem || !size) { return NULL; } ALLOC_CHECK_SIZE(size); - ret = (u8*) malloc(size + 1); + ret = (u8 *)malloc(size + 1); ALLOC_CHECK_RESULT(ret, size); memcpy(ret, mem, size); diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 184dcd0f..f81d13ee 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -395,6 +395,9 @@ static void __afl_start_snapshots(void) { if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + if (getenv("AFL_DEBUG")) + fprintf(stderr, "target forkserver recv: %08x\n", was_killed); + if ((was_killed & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) == (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) { @@ -594,6 +597,9 @@ static void __afl_start_forkserver(void) { if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + if (getenv("AFL_DEBUG")) + fprintf(stderr, "target forkserver recv: %08x\n", was_killed); + if ((was_killed & (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) == (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ)) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index bb7a6797..c5709b33 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -596,9 +596,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, // this is not afl-fuzz - we deny and return if (fsrv->use_shmem_fuzz) - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); + status = (FS_OPT_ENABLED | FS_OPT_SHDMEM_FUZZ); else - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + status = (FS_OPT_ENABLED); if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { FATAL("Writing to forkserver failed."); @@ -610,7 +610,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } if (!be_quiet) { ACTF("Using AUTODICT feature."); } - status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + + if (fsrv->use_shmem_fuzz) + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT | FS_OPT_SHDMEM_FUZZ); + else + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) { FATAL("Writing to forkserver failed."); @@ -862,16 +867,21 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); #ifdef _DEBUG - fprintf(stderr, "FS crc: %08x len: %u\n", - hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), - *fsrv->shmem_fuzz_len); - fprintf(stderr, "SHM :"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); - fprintf(stderr, "\nORIG:"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", buf[i]); - fprintf(stderr, "\n"); + if (getenv("AFL_DEBUG")) { + + fprintf(stderr, "FS crc: %016llx len: %u\n", + hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), + *fsrv->shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", buf[i]); + fprintf(stderr, "\n"); + + } + #endif } else { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 52931a39..2a1664e2 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -156,16 +156,22 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, *afl->fsrv.shmem_fuzz_len = len - skip_len; #ifdef _DEBUG - fprintf(stderr, "FS crc: %08x len: %u\n", - hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), - *fsrv->shmem_fuzz_len); - fprintf(stderr, "SHM :"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); - fprintf(stderr, "\nORIG:"); - for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) - fprintf(stderr, "%02x", buf[i]); - fprintf(stderr, "\n"); + if (afl->debug) { + + fprintf( + stderr, "FS crc: %16llx len: %u\n", + hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, 0xa5b35705), + *afl->fsrv.shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *afl->fsrv.shmem_fuzz_len; i++) + fprintf(stderr, "%02x", afl->fsrv.shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *afl->fsrv.shmem_fuzz_len; i++) + fprintf(stderr, "%02x", (u8)((u8 *)mem)[i]); + fprintf(stderr, "\n"); + + } + #endif return; diff --git a/src/afl-performance.c b/src/afl-performance.c index 0832dc39..0c1697a8 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -143,8 +143,10 @@ void long_jump(afl_state_t *afl) { #ifdef _DEBUG u32 hash32(u8 *key, u32 len, u32 seed) { + #else u32 inline hash32(u8 *key, u32 len, u32 seed) { + #endif return (u32)XXH64(key, len, seed); @@ -153,8 +155,10 @@ u32 inline hash32(u8 *key, u32 len, u32 seed) { #ifdef _DEBUG u64 hash64(u8 *key, u32 len, u64 seed) { + #else u64 inline hash64(u8 *key, u32 len, u64 seed) { + #endif return XXH64(key, len, seed); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 994d80eb..883398ff 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -985,10 +985,12 @@ int main(int argc, char **argv_orig, char **envp) { if (read_file(infile)) { - if (wait_for_gdb) { + if (wait_for_gdb) { + fprintf(stderr, "exec: gdb -p %d\n", fsrv->child_pid); fprintf(stderr, "exec: kill -CONT %d\n", getpid()); kill(0, SIGSTOP); + } showmap_run_target_forkserver(fsrv, use_argv, in_data, in_len); -- cgit 1.4.1