From 9de74cce92ed9a6552d518b195fc1dfb02fa584d Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 10 Oct 2019 19:46:46 +0200 Subject: radamsa mutator as havoc cycle replacement with probability 1/24 --- src/afl-fuzz.c | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 3460f91d..d5dfa7cc 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -24,6 +24,7 @@ */ #include "afl-fuzz.h" +#include "radamsa.h" /* Display usage hints. */ @@ -119,7 +120,6 @@ int main(int argc, char** argv) { u8 mem_limit_given = 0; u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE"); char** use_argv; - s64 init_seed; struct timeval tv; struct timezone tz; @@ -134,7 +134,7 @@ int main(int argc, char** argv) { init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); while ((opt = getopt(argc, argv, - "+i:I:o:f:m:t:T:dnCB:S:M:x:QUWe:p:s:V:E:L:h")) > 0) + "+i:I:o:f:m:t:T:dnCB:S:M:x:QUWe:p:s:V:E:L:hR")) > 0) switch (opt) { @@ -511,6 +511,13 @@ int main(int argc, char** argv) { usage(argv[0]); return -1; break; // not needed + + case 'R': + + if (use_radamsa) FATAL("Multiple -R options not supported"); + use_radamsa = 1; + + break; default: usage(argv[0]); 
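Review bot: The removed `s64 init_seed;` leaves main() still assigning `init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();` in the next hunk, so the name must now resolve to a file-scope or global definition that this file-filtered diff does not show; worth confirming it kept the s64 width, because the value is later narrowed with `(u32)init_seed` when seeding. A short comment at the first use, `/* init_seed is a global now (defined outside this file) */`, would tell the next reader where to look. main() begins and ends outside the hunk.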
@@ -518,8 +525,27 @@ int main(int argc, char** argv) { if (optind == argc || !in_dir || !out_dir) usage(argv[0]); + OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " + "Eissfeldt and Andrea Fioraldi"); + OKF("afl++ is open source, get it at " + "https://github.com/vanhauser-thc/AFLplusplus"); + OKF("Power schedules from github.com/mboehme/aflfast"); + OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl"); + OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); + OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); + if (fixed_seed) OKF("Running with fixed seed: %u", (u32)init_seed); srandom((u32)init_seed); + + if (use_radamsa) { + + OKF("Using Radamsa add-on"); + /* randamsa_init installs some signal hadlers, call it firstly so that + AFL++ can then replace those signal handlers */ + radamsa_init(); + + } + setup_signal_handlers(); check_asan_opts(); @@ -560,14 +586,6 @@ int main(int argc, char** argv) { "fuzzing the right binary: " cRST "%s", argv[optind]); - OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " - "Eissfeldt and Andrea Fioraldi"); - OKF("afl++ is open source, get it at " - "https://github.com/vanhauser-thc/AFLplusplus"); - OKF("Power schedules from github.com/mboehme/aflfast"); - OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl"); - OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); - OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); ACTF("Getting to work..."); switch (schedule) { -- cgit 1.4.1 From 6e5143681c0784d653d22a2b3791fff2b7ccf9ef Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 24 Oct 2019 16:53:30 +0200 Subject: enhanced radamsa integration --- include/afl-fuzz.h | 3 +- src/afl-fuzz-one.c | 142 +++++++++++++++++++++++++++++---------------------- src/afl-fuzz-stats.c | 5 +- src/afl-fuzz.c | 11 ++-- 4 files changed, 95 insertions(+), 66 deletions(-) (limited to 'src/afl-fuzz.c') 
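Review bot: The new comment above `radamsa_init();` has two typos (`randamsa_init`, `hadlers`) and states the ordering constraint only loosely; since it documents the one reason the call sits before `setup_signal_handlers()`, I would write it as `/* radamsa_init() installs its own signal handlers; it must run before setup_signal_handlers() so that AFL++'s handlers replace them. */`. The credit OKF() lines moved up from the later hunk change nothing beyond output order. main() begins and ends outside the hunk.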
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 413fbca0..7de4699a 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -159,7 +159,8 @@ enum { /* 15 */ STAGE_HAVOC, /* 16 */ STAGE_SPLICE, /* 17 */ STAGE_PYTHON, - /* 18 */ STAGE_CUSTOM_MUTATOR + /* 18 */ STAGE_RADAMSA, + /* 19 */ STAGE_CUSTOM_MUTATOR }; diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 5a53de4d..d10c1922 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -483,6 +483,9 @@ u8 fuzz_one_original(char** argv) { if (perf_score == 0) goto abandon_entry; + if (use_radamsa > 1) + goto radamsa_stage; + if (custom_mutator) { stage_short = "custom"; @@ -540,22 +543,30 @@ u8 fuzz_one_original(char** argv) { perf_score < (queue_cur->depth * 30 <= havoc_max_mult * 100 ? queue_cur->depth * 30 : havoc_max_mult * 100)) || - queue_cur->passed_det) + queue_cur->passed_det) { + if (use_radamsa > 1) + goto radamsa_stage; + else #ifdef USE_PYTHON - goto python_stage; + goto python_stage; #else - goto havoc_stage; + goto havoc_stage; #endif + } /* Skip deterministic fuzzing if exec path checksum puts this out of scope for this master instance. */ - if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) + if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) { + if (use_radamsa > 1) + goto radamsa_stage; + else #ifdef USE_PYTHON - goto python_stage; + goto python_stage; #else - goto havoc_stage; + goto havoc_stage; #endif + } doing_det = 1; 
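Review bot: Inserting `STAGE_RADAMSA` ahead of `STAGE_CUSTOM_MUTATOR` renumbers the latter from 18 to 19, so every array indexed by these constants (`stage_finds`/`stage_cycles`, written in the radamsa_stage hunk and read in the afl-fuzz-stats.c hunk) must have been resized with it; their dimension is not in this diff, and if it is a literal rather than a count derived from the enum, `stage_finds[STAGE_CUSTOM_MUTATOR]` becomes an access one past the end. Appending the new value after `STAGE_CUSTOM_MUTATOR` would keep the existing numbering stable, and a trailing `STAGE_COUNT` member used as the array size would make future additions safe. The enum starts outside the hunk.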
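Review bot: The two `if (use_radamsa > 1) goto radamsa_stage;` guards added in the second afl-fuzz-one.c hunk (and the one in the retry_splicing hunk further down) look unreachable: the first hunk already jumps to `radamsa_stage` whenever `use_radamsa > 1`, immediately after the perf_score check, and nothing visible in the diff modifies `use_radamsa` afterwards. Removing them would also drop the `else` whose body is selected by `#ifdef USE_PYTHON`, restoring the original single `goto`. If the later guards are meant as defence against a future change in control flow, a comment saying so would stop the next reader from deleting them. fuzz_one_original() starts and ends outside these hunks.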
@@ -1731,61 +1742,11 @@ havoc_stage: for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { - if (use_radamsa && UR(RADAMSA_CHANCE) == 0) { - - u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL); - u8* new_buf = ck_alloc_nozero(max_len); - - u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed()); - - if (new_len) { - - temp_len = new_len; - ck_free(out_buf); - out_buf = new_buf; - - } else { - - ck_free(new_buf); - - } - - goto havoc_run_point; - - } - u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); stage_cur_val = use_stacking; for (i = 0; i < use_stacking; ++i) { - - /*if (use_radamsa && UR(RADAMSA_CHANCE) == 0) { - - // Ramdsa stage stacked with the AFL havoc mutations. - // This is very slow, I maintain the commendted code for future or - // particular uses. - - u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL); - u8* new_buf = ck_alloc_nozero(max_len); - - u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed()); - - if (new_len) { - - temp_len = new_len; - ck_free(out_buf); - out_buf = new_buf; - - } else { - - ck_free(new_buf); - - } - - continue; - - }*/ switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { @@ -2161,8 +2122,6 @@ havoc_stage: } -havoc_run_point: - if (common_fuzz_stuff(argv, out_buf, temp_len)) goto abandon_entry; /* out_buf might have been mangled a bit, so let's restore it to its @@ -2307,10 +2266,13 @@ retry_splicing: out_buf = ck_alloc_nozero(len); memcpy(out_buf, in_buf, len); + if (use_radamsa > 1) + goto radamsa_stage; + else #ifdef USE_PYTHON - goto python_stage; + goto python_stage; #else - goto havoc_stage; + goto havoc_stage; #endif } 
@@ -2318,7 +2280,67 @@ retry_splicing: #endif /* !IGNORE_FINDS */ ret_val = 0; + goto radamsa_stage; + + +radamsa_stage: + + if (!use_radamsa) + goto abandon_entry; + + stage_name = "radamsa"; + stage_short = "radamsa"; + stage_max = (HAVOC_CYCLES * perf_score / havoc_div / 100) << use_radamsa; + + if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; + + orig_hit_cnt = queued_paths + unique_crashes; + + /* Read the additional testcase into a new buffer. */ + u8 *save_buf = ck_alloc_nozero(len); + memcpy(save_buf, out_buf, len); + + u32 max_len = len + choose_block_len(HAVOC_BLK_XL); + u8* new_buf = ck_alloc_nozero(max_len); + u8 *tmp_buf; + + for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { + u32 new_len = radamsa_mutate(save_buf, len, new_buf, max_len, get_rand_seed()); + + if (new_len) { + + temp_len = new_len; + tmp_buf = new_buf; + + } else { + + tmp_buf = save_buf; // nope but I dont care + temp_len = len; + + } + + if (common_fuzz_stuff(argv, tmp_buf, temp_len)) { + + ck_free(save_buf); + ck_free(new_buf); + goto abandon_entry; + + } + + } + + ck_free(save_buf); + ck_free(new_buf); + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_RADAMSA] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_RADAMSA] += stage_max; + + ret_val = 0; + goto abandon_entry; +/* we are through with this queue entry - for this iteration */ abandon_entry: splicing_with = -1; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index f1bc1c8a..7f749511 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
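Review bot: `temp_len = new_len;` trusts whatever length `radamsa_mutate()` returns, and `common_fuzz_stuff(argv, tmp_buf, temp_len)` then reads that many bytes from `new_buf`, which holds only `max_len` bytes; unless the library guarantees `new_len <= max_len`, a guard such as `if (new_len > max_len) new_len = 0; /* over-long result: treat as a failed mutation */` before the `if (new_len)` keeps the read in bounds. The `goto radamsa_stage;` immediately before the `radamsa_stage:` label is a no-op and can go. The `// nope but I dont care` comment should state the actual behaviour, e.g. `/* mutation failed: execute the unmodified input so the stage counters stay consistent */`. fuzz_one_original() starts outside the hunk.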
@@ -576,10 +576,11 @@ void show_stats(void) { " imported : " cRST "%-10s" bSTG bV "\n", tmp, sync_id ? DI(queued_imported) : (u8*)"n/a"); - sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]), + sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]), DI(stage_cycles[STAGE_HAVOC]), DI(stage_finds[STAGE_SPLICE]), DI(stage_cycles[STAGE_SPLICE]), DI(stage_finds[STAGE_PYTHON]), - DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]), + DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_RADAMSA]), + DI(stage_cycles[STAGE_RADAMSA]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]), DI(stage_cycles[STAGE_CUSTOM_MUTATOR])); SAYF(bV bSTOP "havoc/custom : " cRST "%-36s " bSTG bV bSTOP, tmp); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index d5dfa7cc..14462fb7 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -55,7 +55,10 @@ static void usage(u8* argv0) { " -m megs - memory limit for child process (%d MB)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n" - " -W - use qemu-based instrumentation with Wine (Wine mode)\n" + " -W - use qemu-based instrumentation with Wine (Wine mode)\n\n" + + "Mutator settings:\n" + " -R[R] - add Radamsa as mutator, add another -R to exclusivly run it\n" " -L minutes - use MOpt(imize) mode and set the limit time for " "entering the\n" " pacemaker mode (minutes of no new paths, 0 = " @@ -514,8 +517,10 @@ int main(int argc, char** argv) { case 'R': - if (use_radamsa) FATAL("Multiple -R options not supported"); - use_radamsa = 1; + if (use_radamsa) + use_radamsa = 2; + else + use_radamsa = 1; break; -- cgit 1.4.1 From cd84339bccc104a51a5da614a9f82cc4ae615cce Mon Sep 17 00:00:00 2001 
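Review bot: `sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s, %s/%s", ...)` now writes five pairs into `tmp` without a bound, and tmp's size is declared outside the hunk; if it is a fixed array, `snprintf(tmp, sizeof tmp, ...)` would make the limit explicit. Independently, the `%-36s` field in the following `SAYF` only pads to 36 columns and never truncates, so once the five pairs exceed 36 characters (five `12/1.2k`-style pairs already do) the stats box loses its alignment, and the `havoc/custom` label no longer describes a line that now includes radamsa counts. show_stats() starts and ends outside the hunk.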
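Review bot: The new help line has a typo in `exclusivly`; it should read `" -R[R] - add Radamsa as mutator, add another -R to exclusively run it\n"`. Since this is user-facing text it is worth also saying what a single -R does (judging by the radamsa_stage code in the afl-fuzz-one.c hunks above, it adds a radamsa stage after havoc/splicing), so the user can choose between the two forms. usage() starts and ends outside the hunk.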
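Review bot: `if (use_radamsa) use_radamsa = 2; else use_radamsa = 1;` is an unbraced if/else that reads more clearly as `use_radamsa = use_radamsa ? 2 : 1; /* -R: add the radamsa stage, -RR: run only radamsa */`, and the comment records the meaning of the magic values that afl-fuzz-one.c tests with `use_radamsa > 1`. A third -R is silently accepted; if that is intended, the comment should say so. main() starts and ends outside the hunk.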
From: Andrea Fioraldi Date: Mon, 11 Nov 2019 14:32:50 +0100 Subject: libradamsa dlopen --- Makefile | 17 +++++---- include/afl-fuzz.h | 1 + src/afl-fuzz-globals.c | 1 + src/afl-fuzz-one.c | 7 ++-- src/afl-fuzz.c | 71 ++++++++++++++++++++++++++++++++++--- src/third_party/libradamsa/Makefile | 7 ++-- 6 files changed, 86 insertions(+), 18 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/Makefile b/Makefile index 1b1a8d68..7ab9ae45 100644 --- a/Makefile +++ b/Makefile @@ -34,7 +34,7 @@ MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) CFLAGS ?= -O3 -funroll-loops CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ - -I include/ -I src/third_party/libradamsa/ \ + -I include/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -Wno-unused-function 
@@ -184,11 +184,14 @@ src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h $(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o -src/third_party/libradamsa/libradamsa.a : src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h +radamsa: src/third_party/libradamsa/libradamsa.so + cp src/third_party/libradamsa/libradamsa.so . + +src/third_party/libradamsa/libradamsa.so: src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h $(MAKE) -C src/third_party/libradamsa/ -afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS) +afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS) afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86 $(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS) 
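Review bot: `afl-fuzz` no longer depends on or links `libradamsa.a`, but the replacement `radamsa:` target that builds and copies `libradamsa.so` is not wired into any default target visible here, so a plain `make` produces an afl-fuzz that FATALs at start-up with -R until `make radamsa` is run; a comment above the target, `# built separately: run 'make radamsa' before using afl-fuzz -R`, would document that. The dlopen()/dlsym() calls introduced in src/afl-fuzz.c in this commit also need `-ldl` on the link line, which this hunk does not add — presumably LDFLAGS already carries it, but worth confirming.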
@@ -204,8 +207,8 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86 # document all mutations and only do one run (use with only one input file!) -document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS) +document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS) code-format: @@ -253,7 +256,7 @@ all_done: test_build .NOTPARALLEL: clean clean: - rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8 + rm -f $(PROGS) libradamsa.so afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8 rm -rf out_dir qemu_mode/qemu-3.1.1 unicorn_mode/unicorn *.dSYM */*.dSYM -$(MAKE) -C llvm_mode clean $(MAKE) -C libdislocator clean diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 7de4699a..a1a4ed50 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h 
@@ -286,6 +286,7 @@ extern u8 schedule; /* Power schedule (default: EXPLORE)*/ extern u8 havoc_max_mult; extern u8 use_radamsa; +extern size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32); extern u8 skip_deterministic, /* Skip deterministic stages? */ force_deterministic, /* Force deterministic stages? */ diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 236c4dd3..da134807 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -96,6 +96,7 @@ u8 schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/ u8 havoc_max_mult = HAVOC_MAX_MULT; u8 use_radamsa; +size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32); u8 skip_deterministic, /* Skip deterministic stages? */ force_deterministic, /* Force deterministic stages? */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index d10c1922..c02dbeb7 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -24,9 +24,6 @@ */ #include "afl-fuzz.h" -#include "radamsa.h" - -#define RADAMSA_CHANCE 24 /* MOpt */ @@ -2285,7 +2282,7 @@ retry_splicing: radamsa_stage: - if (!use_radamsa) + if (!use_radamsa || !radamsa_mutate_ptr) goto abandon_entry; stage_name = "radamsa"; @@ -2305,7 +2302,7 @@ radamsa_stage: u8 *tmp_buf; for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { - u32 new_len = radamsa_mutate(save_buf, len, new_buf, max_len, get_rand_seed()); + u32 new_len = radamsa_mutate_ptr(save_buf, len, new_buf, max_len, get_rand_seed()); if (new_len) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 14462fb7..a9a576fe 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
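Review bot: `u32 new_len = radamsa_mutate_ptr(...)` in the last afl-fuzz-one.c hunk silently narrows a `size_t` return (per the new prototype in the afl-fuzz.h hunk above) to 32 bits, and the result is still used as a length for `new_buf` without being compared to `max_len`; `size_t new_len = radamsa_mutate_ptr(save_buf, len, new_buf, max_len, get_rand_seed()); if (new_len > max_len) new_len = 0;` avoids both the truncation and an over-long read. The NULL check added in `if (!use_radamsa || !radamsa_mutate_ptr)` in the previous hunk is the right guard for the dlopen path. fuzz_one_original() starts and ends outside these hunks.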
@@ -24,7 +24,58 @@ */ #include "afl-fuzz.h" -#include "radamsa.h" + +static u8* get_libradamsa_path(u8* own_loc) { + + u8 *tmp, *cp, *rsl, *own_copy; + + tmp = getenv("AFL_PATH"); + + if (tmp) { + + cp = alloc_printf("%s/libradamsa.so", tmp); + + if (access(cp, X_OK)) FATAL("Unable to find '%s'", cp); + + return cp; + + } + + own_copy = ck_strdup(own_loc); + rsl = strrchr(own_copy, '/'); + + if (rsl) { + + *rsl = 0; + + cp = alloc_printf("%s/libradamsa.so", own_copy); + ck_free(own_copy); + + if (!access(cp, X_OK)) + return cp; + + } else + + ck_free(own_copy); + + if (!access(BIN_PATH "/libradamsa.so", X_OK)) { + + return ck_strdup(BIN_PATH "/libradamsa.so"); + + } + + SAYF("\n" cLRD "[-] " cRST + "Oops, unable to find the 'libradamsa.so' binary. The binary must be " + "built\n" + " separately using 'make radamsa'." + "If you\n" + " already have the binary installed, you may need to specify " + "AFL_PATH in the\n" + " environment.\n"); + + FATAL("Failed to locate 'libradamsa.so'."); + +} /* Display usage hints. */ @@ -545,9 +596,21 @@ int main(int argc, char** argv) { if (use_radamsa) { OKF("Using Radamsa add-on"); - /* randamsa_init installs some signal hadlers, call it firstly so that - AFL++ can then replace those signal handlers */ - radamsa_init(); + + u8* libradamsa_path = get_libradamsa_path(argv[0]); + void* handle = dlopen(libradamsa_path, RTLD_NOW); + ck_free(libradamsa_path); + + if (!handle) FATAL("Failed to dlopen() libradamsa"); + + void (*radamsa_init_ptr)(void) = dlsym(handle, "radamsa_init"); + radamsa_mutate_ptr = dlsym(handle, "radamsa_mutate"); + + if (!radamsa_init_ptr || !radamsa_mutate_ptr) FATAL("Failed to dlsym() libradamsa"); + + /* randamsa_init installs some signal hadlers, call it before setup_signal_handlers + so that AFL++ can then replace those signal handlers */ + radamsa_init_ptr(); } diff --git a/src/third_party/libradamsa/Makefile b/src/third_party/libradamsa/Makefile index 9b89817b..d366a3b0 100644 
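Review bot: The library that afl-fuzz will dlopen() is chosen by `$AFL_PATH`, then the directory component of `argv[0]`, then `BIN_PATH`, and nothing above the function records that precedence; a header comment such as `/* Locate libradamsa.so: $AFL_PATH, then the directory of argv[0], then BIN_PATH. Returns a ck_alloc'd path the caller frees; FATALs if none is usable. */` makes the trust placed in those directories explicit. In the `if (rsl)` branch the `cp` from `alloc_printf()` leaks when `access()` fails and the search falls through to BIN_PATH; `if (!access(cp, X_OK)) return cp; ck_free(cp);` closes that. `access(..., X_OK)` also demands an executable bit that dlopen() itself does not need, so a library installed 0644 would be reported as missing; `R_OK` matches what dlopen() requires, if the stricter check is not deliberate.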
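Review bot: `if (!handle) FATAL("Failed to dlopen() libradamsa");` discards `dlerror()`, which is the only explanation a user gets for a wrong-architecture build or an unresolved dependency in the .so; `if (!handle) FATAL("Failed to dlopen() libradamsa: %s", dlerror());` and the same for the dlsym() failure cost nothing. The `handle` is never released, which is correct because the function pointers stay in use for the whole run; a one-line comment on the `dlopen` line should say so. The comment above `radamsa_init_ptr();` still carries the `randamsa`/`hadlers` typos from the earlier commit. The hunk does not add `#include <dlfcn.h>`, so it relies on afl-fuzz.h already providing it. main() starts and ends outside the hunk.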
--- a/src/third_party/libradamsa/Makefile +++ b/src/third_party/libradamsa/Makefile @@ -1,6 +1,9 @@ CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -all: libradamsa.a +all: libradamsa.so + +libradamsa.so: libradamsa.a + $(CC) -shared libradamsa.a -o libradamsa.so libradamsa.a: libradamsa.c radamsa.h @echo " ***************************************************************" @@ -14,4 +17,4 @@ test: libradamsa.a libradamsa-test.c rm /tmp/libradamsa-*.fuzz clean: - rm -f libradamsa.a libradamsa-test + rm -f libradamsa.a libradamsa.so libradamsa-test -- cgit 1.4.1 From f0aaee204427791acec93a3988b6515a2ca8d9e1 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 Nov 2019 15:23:14 +0100 Subject: add test case --- src/afl-fuzz.c | 7 ++----- test/test.sh | 25 +++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 5 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index eed4992c..47e83b7b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -67,11 +67,8 @@ static u8* get_libradamsa_path(u8* own_loc) { SAYF("\n" cLRD "[-] " cRST "Oops, unable to find the 'libradamsa.so' binary. The binary must be " "built\n" - " separately using 'make radamsa'." - "If you\n" - " already have the binary installed, you may need to specify " - "AFL_PATH in the\n" - " environment.\n"); + " separately using 'make radamsa'. If you already have the binary " + "installed,\n you may need to specify AFL_PATH in the environment.\n"); FATAL("Failed to locate 'libradamsa.so'."); diff --git a/test/test.sh b/test/test.sh index 781313a7..2cf5f534 100755 --- a/test/test.sh +++ b/test/test.sh 
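Review bot: `$(CC) -shared libradamsa.a -o libradamsa.so` only yields a usable library if the file named `libradamsa.a` is a position-independent object; with a real `ar` archive and no referencing object, GNU ld links nothing from it and the .so would export neither `radamsa_init` nor `radamsa_mutate`, which afl-fuzz then reports as a dlsym() failure. The `libradamsa.a` rule is outside the hunk, so I cannot tell which it is: if the rule emits a single object under that name, a comment on this line saying so would stop someone from "fixing" it, and if it is an archive the link needs `-Wl,--whole-archive libradamsa.a -Wl,--no-whole-archive`. `nm -D libradamsa.so` is the quick check either way.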
@@ -379,6 +379,31 @@ test -e ../libdislocator.so && { rm -f test.out core test-compcov.core core.test-compcov } || $ECHO "$YELLOW[-] libdislocator is not compiled, cannot test" rm -f test-compcov +test -e ../libradamsa.so && { + test -e test-instr.plain || ../afl-clang-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1 + test -e test-instr.plain || ../afl-gcc-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1 + test -e test-instr.plain || ../afl-gcc -o test-instr.plain ../test-instr.c > /dev/null 2>&1 + test -e test-instr.plain && { + mkdir -p in + echo 0 > in/in + $ECHO "$GREY[*] running afl-fuzz with radamsa, this will take approx 10 seconds" + { + ../afl-fuzz -RR -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain >>errors 2>&1 + } >>errors 2>&1 + test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { + $ECHO "$GREEN[+] libradamsa performs good - and very slow - mutations" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] libradamsa failed" + CODE=1 + } + rm -rf in out errors test-instr.plain + } || { + $ECHO "$YELLOW[-] compilation of test target failed, cannot test libradamsa" + } +} || $ECHO "$YELLOW[-] libradamsa is not compiled, cannot test" $ECHO "$BLUE[*] Testing: qemu_mode" test -e ../afl-qemu-trace && { -- cgit 1.4.1
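Review bot: The inner `>>errors 2>&1` on the `../afl-fuzz -RR ...` line is repeated by the `} >>errors 2>&1` around the braces, so one of the two redirections is dead; `../afl-fuzz -RR -V10 -m "${MEM_LIMIT}" -i in -o out -- ./test-instr.plain >>errors 2>&1` without the surrounding group does the same work and quotes the expansion. The pass condition only looks for a third queue entry (`out/queue/id:000002*`); with `-RR` the fuzz_one changes skip the other mutation stages when use_radamsa > 1, so new paths are a reasonable proxy for the radamsa stage working, but a comment saying so would spare the next reader the same analysis. `test -e ../libradamsa.so` checks only the copy produced by `make radamsa`, which matches the argv[0]-relative lookup in get_libradamsa_path().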