From a632c00b0d023b8a40d09839fbb2662da1cb5d37 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:08:49 +0200 Subject: switch to faster and better hash + random --- src/afl-fuzz.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index fdc96931..e1401757 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -819,8 +819,14 @@ int main(int argc, char **argv_orig, char **envp) { } - srandom((u32)afl->init_seed); - srand((u32)afl->init_seed); // in case it is a different implementation + if (afl->init_seed) { + afl->rand_seed[0] = afl->init_seed; + afl->rand_seed[1] = afl->init_seed ^ 0x1234567890abcdef; + afl->rand_seed[2] = afl->init_seed & 0x0123456789abcdef; + afl->rand_seed[3] = afl->init_seed | 0x01abcde43f567908; + } + //srandom((u32)afl->init_seed); + //srand((u32)afl->init_seed); // in case it is a different implementation if (afl->use_radamsa) { -- cgit 1.4.1 From 40aca0b6b398d8de0ecc17cf075e0eb79ec15d81 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:33:20 +0200 Subject: fix for checksums --- include/xxh3.h | 4 +- include/xxhash.h | 469 +++++++++++++++++++++++++++--------------------------- src/afl-analyze.c | 3 +- src/afl-fuzz.c | 7 +- src/afl-tmin.c | 3 +- 5 files changed, 250 insertions(+), 236 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/include/xxh3.h b/include/xxh3.h index 54d5bf60..2354bde9 100644 --- a/include/xxh3.h +++ b/include/xxh3.h @@ -350,6 +350,7 @@ (outHi) = vget_high_u32(vreinterpretq_u32_u64(in)); \ \ } while (0) + #else #define XXH_SPLIT_IN_PLACE(in, outLo, outHi) \ do { \ @@ -358,6 +359,7 @@ (outHi) = vshrn_n_u64((in), 32); \ \ } while (0) + #endif #endif /* XXH_VECTOR == XXH_NEON */ 
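Review bot: The `if (afl->init_seed)` guard in the afl-fuzz.c hunk leaves all four `rand_seed` words untouched when the seed is 0, so on a presumably zeroed `afl_state_t` a `-s 0` run starts the xoshiro256** generator named in this series' changelog in its all-zero state, the one state such a generator never leaves. The guard should go and the four assignments should run unconditionally; the `| 0x01abcde43f567908` mask already guarantees `rand_seed[3]` is non-zero for any input. The `&`/`|` derivation also pins fixed bits of `rand_seed[2]` and `rand_seed[3]` to constants, so the state carries no more entropy than `init_seed` itself; acceptable for a fuzzer, but worth a line such as `// state words are derived from init_seed alone; not a cryptographic seed`. main() continues outside the hunk.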
@@ -1638,7 +1640,7 @@ XXH_FORCE_INLINE void XXH3_accumulate_512_vsx(void *XXH_RESTRICT acc, } else { /* XXH3_acc_128bits */ - /* swap high and low halves */ + /* swap high and low halves */ #ifdef __s390x__ xxh_u64x2 const data_swapped = vec_permi(data_vec, data_vec, 2); #else diff --git a/include/xxhash.h b/include/xxhash.h index b4d640ae..825eed65 100644 --- a/include/xxhash.h +++ b/include/xxhash.h @@ -414,7 +414,7 @@ XXH64_hashFromCanonical(const XXH64_canonical_t *src); * These declarations should only be used with static linking. * Never use them in association with dynamic linking! ***************************************************************************** -*/ + */ /* * These definitions are only present to allow static allocation of an XXH @@ -1165,8 +1165,8 @@ static int XXH_isLittleEndian(void) { return one.c[0]; } -\ - #define XXH_CPU_LITTLE_ENDIAN XXH_isLittleEndian() + +#define XXH_CPU_LITTLE_ENDIAN XXH_isLittleEndian() #endif #endif @@ -1374,13 +1374,14 @@ static xxh_u32 XXH32_avalanche(xxh_u32 h32) { static xxh_u32 XXH32_finalize(xxh_u32 h32, const xxh_u8 *ptr, size_t len, XXH_alignment align) { \ - #define XXH_PROCESS1 \ - do { \ - \ - h32 += (*ptr++) * XXH_PRIME32_5; \ - h32 = XXH_rotl32(h32, 11) * XXH_PRIME32_1; \ - \ - } while (0) + #define XXH_PROCESS1 do { + + h32 += (*ptr++) * XXH_PRIME32_5; + h32 = XXH_rotl32(h32, 11) * XXH_PRIME32_1; + + } + + while (0) #define XXH_PROCESS4 \ do { \ 
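Review bot: As rendered, the replacement `#define XXH_PROCESS1 do {` in the `@@ -1374` hunk has no line continuations, so the macro body is only `do {`; the two `h32` statements that follow would then be ordinary code executed once at the top of XXH32_finalize, and the bare `}` would close the function before `while (0)`, which cannot be intended for a finalizer whose output is used as a checksum. If the page stripped trailing backslashes this is moot; otherwise the definition must be a single continued macro again, `#define XXH_PROCESS1 do { h32 += (*ptr++) * XXH_PRIME32_5; h32 = XXH_rotl32(h32, 11) * XXH_PRIME32_1; } while (0)` split across continued lines like the untouched `XXH_PROCESS4` below it. The same pattern appears for `XXH_PROCESS1_64` in the `@@ -1979` hunk of this file. XXH32_finalize starts in this hunk and continues past it.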
@@ -1391,90 +1392,90 @@ static xxh_u32 XXH32_finalize(xxh_u32 h32, const xxh_u8 *ptr, size_t len, \ } while (0) - /* Compact rerolled version */ - if (XXH_REROLL) { - - len &= 15; - while (len >= 4) { + /* Compact rerolled version */ + if (XXH_REROLL) { - XXH_PROCESS4; - len -= 4; + len &= 15; + while (len >= 4) { - } - - while (len > 0) { - - XXH_PROCESS1; - --len; - - } - - return XXH32_avalanche(h32); - - } else { + XXH_PROCESS4; + len -= 4; - switch (len & 15) /* or switch(bEnd - p) */ { + } - case 12: - XXH_PROCESS4; - /* fallthrough */ - case 8: - XXH_PROCESS4; - /* fallthrough */ - case 4: - XXH_PROCESS4; - return XXH32_avalanche(h32); + while (len > 0) { - case 13: - XXH_PROCESS4; - /* fallthrough */ - case 9: - XXH_PROCESS4; - /* fallthrough */ - case 5: - XXH_PROCESS4; XXH_PROCESS1; - return XXH32_avalanche(h32); + --len; - case 14: - XXH_PROCESS4; - /* fallthrough */ - case 10: - XXH_PROCESS4; - /* fallthrough */ - case 6: - XXH_PROCESS4; - XXH_PROCESS1; - XXH_PROCESS1; - return XXH32_avalanche(h32); + } - case 15: - XXH_PROCESS4; - /* fallthrough */ - case 11: - XXH_PROCESS4; - /* fallthrough */ - case 7: - XXH_PROCESS4; - /* fallthrough */ - case 3: - XXH_PROCESS1; - /* fallthrough */ - case 2: - XXH_PROCESS1; - /* fallthrough */ - case 1: - XXH_PROCESS1; - /* fallthrough */ - case 0: - return XXH32_avalanche(h32); + return XXH32_avalanche(h32); + + } else { + + switch (len & 15) /* or switch(bEnd - p) */ { + + case 12: + XXH_PROCESS4; + /* fallthrough */ + case 8: + XXH_PROCESS4; + /* fallthrough */ + case 4: + XXH_PROCESS4; + return XXH32_avalanche(h32); + + case 13: + XXH_PROCESS4; + /* fallthrough */ + case 9: + XXH_PROCESS4; + /* fallthrough */ + case 5: + XXH_PROCESS4; + XXH_PROCESS1; + return XXH32_avalanche(h32); + + case 14: + XXH_PROCESS4; + /* fallthrough */ + case 10: + XXH_PROCESS4; + /* fallthrough */ + case 6: + XXH_PROCESS4; + XXH_PROCESS1; + XXH_PROCESS1; + return XXH32_avalanche(h32); + + case 15: + XXH_PROCESS4; + /* fallthrough */ + 
case 11: + XXH_PROCESS4; + /* fallthrough */ + case 7: + XXH_PROCESS4; + /* fallthrough */ + case 3: + XXH_PROCESS1; + /* fallthrough */ + case 2: + XXH_PROCESS1; + /* fallthrough */ + case 1: + XXH_PROCESS1; + /* fallthrough */ + case 0: + return XXH32_avalanche(h32); - } + } - XXH_ASSERT(0); - return h32; /* reaching this point is deemed impossible */ + XXH_ASSERT(0); + return h32; /* reaching this point is deemed impossible */ - } + } } @@ -1926,16 +1927,21 @@ XXH_FORCE_INLINE xxh_u64 XXH_readLE64_align(const void * ptr, /******* xxh64 *******/ -static const xxh_u64 XXH_PRIME64_1 = 0x9E3779B185EBCA87ULL; /* 0b1001111000110111011110011011000110000101111010111100101010000111 - */ -static const xxh_u64 XXH_PRIME64_2 = 0xC2B2AE3D27D4EB4FULL; /* 0b1100001010110010101011100011110100100111110101001110101101001111 - */ -static const xxh_u64 XXH_PRIME64_3 = 0x165667B19E3779F9ULL; /* 0b0001011001010110011001111011000110011110001101110111100111111001 - */ -static const xxh_u64 XXH_PRIME64_4 = 0x85EBCA77C2B2AE63ULL; /* 0b1000010111101011110010100111011111000010101100101010111001100011 - */ -static const xxh_u64 XXH_PRIME64_5 = 0x27D4EB2F165667C5ULL; /* 0b0010011111010100111010110010111100010110010101100110011111000101 - */ +static const xxh_u64 XXH_PRIME64_1 = + 0x9E3779B185EBCA87ULL; /* 0b1001111000110111011110011011000110000101111010111100101010000111 + */ +static const xxh_u64 XXH_PRIME64_2 = + 0xC2B2AE3D27D4EB4FULL; /* 0b1100001010110010101011100011110100100111110101001110101101001111 + */ +static const xxh_u64 XXH_PRIME64_3 = + 0x165667B19E3779F9ULL; /* 0b0001011001010110011001111011000110011110001101110111100111111001 + */ +static const xxh_u64 XXH_PRIME64_4 = + 0x85EBCA77C2B2AE63ULL; /* 0b1000010111101011110010100111011111000010101100101010111001100011 + */ +static const xxh_u64 XXH_PRIME64_5 = + 0x27D4EB2F165667C5ULL; /* 0b0010011111010100111010110010111100010110010101100110011111000101 + */ #ifdef XXH_OLD_NAMES #define PRIME64_1 XXH_PRIME64_1 
@@ -1979,13 +1985,14 @@ static xxh_u64 XXH64_avalanche(xxh_u64 h64) { static xxh_u64 XXH64_finalize(xxh_u64 h64, const xxh_u8 *ptr, size_t len, XXH_alignment align) { \ - #define XXH_PROCESS1_64 \ - do { \ - \ - h64 ^= (*ptr++) * XXH_PRIME64_5; \ - h64 = XXH_rotl64(h64, 11) * XXH_PRIME64_1; \ - \ - } while (0) + #define XXH_PROCESS1_64 do { + + h64 ^= (*ptr++) * XXH_PRIME64_5; + h64 = XXH_rotl64(h64, 11) * XXH_PRIME64_1; + + } + + while (0) #define XXH_PROCESS4_64 \ do { \ 
@@ -2006,153 +2013,153 @@ static xxh_u64 XXH64_finalize(xxh_u64 h64, const xxh_u8 *ptr, size_t len, \ } while (0) - /* Rerolled version for 32-bit targets is faster and much smaller. */ - if (XXH_REROLL || XXH_REROLL_XXH64) { - - len &= 31; - while (len >= 8) { - - XXH_PROCESS8_64; - len -= 8; - - } - - if (len >= 4) { - - XXH_PROCESS4_64; - len -= 4; - - } - - while (len > 0) { - - XXH_PROCESS1_64; - --len; - - } + /* Rerolled version for 32-bit targets is faster and much smaller. */ + if (XXH_REROLL || XXH_REROLL_XXH64) { - return XXH64_avalanche(h64); + len &= 31; + while (len >= 8) { - } else { + XXH_PROCESS8_64; + len -= 8; - switch (len & 31) { + } - case 24: - XXH_PROCESS8_64; - /* fallthrough */ - case 16: - XXH_PROCESS8_64; - /* fallthrough */ - case 8: - XXH_PROCESS8_64; - return XXH64_avalanche(h64); + if (len >= 4) { - case 28: - XXH_PROCESS8_64; - /* fallthrough */ - case 20: - XXH_PROCESS8_64; - /* fallthrough */ - case 12: - XXH_PROCESS8_64; - /* fallthrough */ - case 4: XXH_PROCESS4_64; - return XXH64_avalanche(h64); + len -= 4; - case 25: - XXH_PROCESS8_64; - /* fallthrough */ - case 17: - XXH_PROCESS8_64; - /* fallthrough */ - case 9: - XXH_PROCESS8_64; - XXH_PROCESS1_64; - return XXH64_avalanche(h64); + } - case 29: - XXH_PROCESS8_64; - /* fallthrough */ - case 21: - XXH_PROCESS8_64; - /* fallthrough */ - case 13: - XXH_PROCESS8_64; - /* fallthrough */ - case 5: - XXH_PROCESS4_64; - XXH_PROCESS1_64; - return XXH64_avalanche(h64); + while (len > 0) { - case 26: - XXH_PROCESS8_64; - /* fallthrough */ - case 18: - XXH_PROCESS8_64; - /* fallthrough */ - case 10: - XXH_PROCESS8_64; - XXH_PROCESS1_64; XXH_PROCESS1_64; - return XXH64_avalanche(h64); + --len; - case 30: - XXH_PROCESS8_64; - /* fallthrough */ - case 22: - XXH_PROCESS8_64; - /* fallthrough */ - case 14: - XXH_PROCESS8_64; - /* fallthrough */ - case 6: - XXH_PROCESS4_64; - XXH_PROCESS1_64; - XXH_PROCESS1_64; - return XXH64_avalanche(h64); + } - case 27: - XXH_PROCESS8_64; - /* fallthrough 
*/ - case 19: - XXH_PROCESS8_64; - /* fallthrough */ - case 11: - XXH_PROCESS8_64; - XXH_PROCESS1_64; - XXH_PROCESS1_64; - XXH_PROCESS1_64; - return XXH64_avalanche(h64); + return XXH64_avalanche(h64); + + } else { + + switch (len & 31) { + + case 24: + XXH_PROCESS8_64; + /* fallthrough */ + case 16: + XXH_PROCESS8_64; + /* fallthrough */ + case 8: + XXH_PROCESS8_64; + return XXH64_avalanche(h64); + + case 28: + XXH_PROCESS8_64; + /* fallthrough */ + case 20: + XXH_PROCESS8_64; + /* fallthrough */ + case 12: + XXH_PROCESS8_64; + /* fallthrough */ + case 4: + XXH_PROCESS4_64; + return XXH64_avalanche(h64); + + case 25: + XXH_PROCESS8_64; + /* fallthrough */ + case 17: + XXH_PROCESS8_64; + /* fallthrough */ + case 9: + XXH_PROCESS8_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 29: + XXH_PROCESS8_64; + /* fallthrough */ + case 21: + XXH_PROCESS8_64; + /* fallthrough */ + case 13: + XXH_PROCESS8_64; + /* fallthrough */ + case 5: + XXH_PROCESS4_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 26: + XXH_PROCESS8_64; + /* fallthrough */ + case 18: + XXH_PROCESS8_64; + /* fallthrough */ + case 10: + XXH_PROCESS8_64; + XXH_PROCESS1_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 30: + XXH_PROCESS8_64; + /* fallthrough */ + case 22: + XXH_PROCESS8_64; + /* fallthrough */ + case 14: + XXH_PROCESS8_64; + /* fallthrough */ + case 6: + XXH_PROCESS4_64; + XXH_PROCESS1_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 27: + XXH_PROCESS8_64; + /* fallthrough */ + case 19: + XXH_PROCESS8_64; + /* fallthrough */ + case 11: + XXH_PROCESS8_64; + XXH_PROCESS1_64; + XXH_PROCESS1_64; + XXH_PROCESS1_64; + return XXH64_avalanche(h64); + + case 31: + XXH_PROCESS8_64; + /* fallthrough */ + case 23: + XXH_PROCESS8_64; + /* fallthrough */ + case 15: + XXH_PROCESS8_64; + /* fallthrough */ + case 7: + XXH_PROCESS4_64; + /* fallthrough */ + case 3: + XXH_PROCESS1_64; + /* fallthrough */ + case 2: + XXH_PROCESS1_64; + /* fallthrough */ + 
case 1: + XXH_PROCESS1_64; + /* fallthrough */ + case 0: + return XXH64_avalanche(h64); - case 31: - XXH_PROCESS8_64; - /* fallthrough */ - case 23: - XXH_PROCESS8_64; - /* fallthrough */ - case 15: - XXH_PROCESS8_64; - /* fallthrough */ - case 7: - XXH_PROCESS4_64; - /* fallthrough */ - case 3: - XXH_PROCESS1_64; - /* fallthrough */ - case 2: - XXH_PROCESS1_64; - /* fallthrough */ - case 1: - XXH_PROCESS1_64; - /* fallthrough */ - case 0: - return XXH64_avalanche(h64); + } } - } - /* impossible to reach */ XXH_ASSERT(0); return 0; /* unreachable, but some compilers complain without it */ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 60ea0968..f1c141d5 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -66,11 +66,12 @@ static u8 *in_file, /* Analyzer input test case */ static u8 *in_data; /* Input data for analysis */ static u32 in_len, /* Input data length */ - orig_cksum, /* Original checksum */ total_execs, /* Total number of execs */ exec_hangs, /* Total number of hangs */ exec_tmout = EXEC_TIMEOUT; /* Exec timeout (ms) */ +static u64 orig_cksum; /* Original checksum */ + static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ static s32 dev_null_fd = -1; /* FD to /dev/null */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e1401757..46862613 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -820,13 +820,16 @@ int main(int argc, char **argv_orig, char **envp) { } if (afl->init_seed) { + afl->rand_seed[0] = afl->init_seed; afl->rand_seed[1] = afl->init_seed ^ 0x1234567890abcdef; afl->rand_seed[2] = afl->init_seed & 0x0123456789abcdef; afl->rand_seed[3] = afl->init_seed | 0x01abcde43f567908; + } - //srandom((u32)afl->init_seed); - //srand((u32)afl->init_seed); // in case it is a different implementation + + // srandom((u32)afl->init_seed); + // srand((u32)afl->init_seed); // in case it is a different implementation if (afl->use_radamsa) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 13fee660..609f61d1 100644 --- a/src/afl-tmin.c 
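Review bot: Widening `orig_cksum` to `u64` in the src/afl-analyze.c hunk changes only the declaration; every site that compares, stores or formats it lies outside the hunk, and any `u32` local it is compared against or any `%08x`-style format it is printed with would silently truncate the value and reintroduce the mismatch this commit is presumably fixing. Those uses should be audited in the same change, and the declaration deserves a note tying the width to the hash, `static u64 orig_cksum; /* Original checksum (hash64 output, must stay 64-bit) */`. The identical hunk in src/afl-tmin.c has the same gap.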
+++ b/src/afl-tmin.c @@ -67,12 +67,13 @@ static u8 *in_file, /* Minimizer input test case */ static u8 *in_data; /* Input data for trimming */ static u32 in_len, /* Input data length */ - orig_cksum, /* Original checksum */ missed_hangs, /* Misses due to hangs */ missed_crashes, /* Misses due to crashes */ missed_paths, /* Misses due to exec path diffs */ map_size = MAP_SIZE; +static u64 orig_cksum; /* Original checksum */ + static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ exit_crash, /* Treat non-zero exit as crash? */ -- cgit 1.4.1 From ab142282a32f93725926d59899ab17a62e65f060 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 14 Jun 2020 16:08:58 +0200 Subject: kill targets on exit --- docs/Changelog.md | 1 + src/afl-forkserver.c | 7 +++++++ src/afl-fuzz.c | 19 +++++++++++++++++++ 3 files changed, 27 insertions(+) (limited to 'src/afl-fuzz.c') diff --git a/docs/Changelog.md b/docs/Changelog.md index caf262fc..c0fc7070 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -19,6 +19,7 @@ sending a mail to . - switched murmur2 hashing and random() for xxh3 and xoshiro256**, resulting in an up to 5.5% speed increase - Resizing the window does not crash afl-fuzz anymore + - Ensure that the targets are killed on exit - fix/update to MOpt (thanks to arnow117) - added MOpt dictionary support from repo - llvm_mode: diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index af06b5ff..1f61871a 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -466,6 +466,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, /* PARENT PROCESS */ + char pid_buf[16]; + sprintf(pid_buf, "%d", fsrv->fsrv_pid); + if (fsrv->cmplog_binary) + setenv("__AFL_TARGET_PID2", pid_buf, 1); + else + setenv("__AFL_TARGET_PID1", pid_buf, 1); + /* Close the unneeded endpoints. */ close(ctl_pipe[0]); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 46862613..b84585bb 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
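Review bot: `sprintf(pid_buf, "%d", fsrv->fsrv_pid)` in the src/afl-forkserver.c hunk fits a 16-byte buffer for any `int`, but the bound is implicit and the `setenv` result is discarded; `snprintf(pid_buf, sizeof pid_buf, "%d", (int)fsrv->fsrv_pid);` and a check that `setenv(...) == 0` make the contract explicit. Publishing the pid through the environment also means every process afl-fuzz spawns afterwards, including a later forkserver and the target it runs, inherits `__AFL_TARGET_PID1`; a file-scope `static pid_t` in the fuzzer would be a narrower channel than `getenv`/`atoi`. The unbraced `if`/`else` pair should also be braced per the surrounding style. afl_fsrv_start starts before and continues past the hunk.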
@@ -31,6 +31,23 @@ extern u64 time_spent_working;
 #endif
+static void at_exit() {
+
+ int i;
+ char *ptr = getenv("__AFL_TARGET_PID1");
+
+ if (ptr && *ptr && (i = atoi(ptr)) > 0)
+ kill(i, SIGKILL);
+
+ ptr = getenv("__AFL_TARGET_PID2");
+
+ if (ptr && *ptr && (i = atoi(ptr)) > 0)
+ kill(i, SIGKILL);
+
+ // anything else? shared memory?
+
+}
+
 static u8 *get_libradamsa_path(u8 *own_loc) {
 u8 *tmp, *cp, *rsl, *own_copy;
@@ -1242,6 +1259,8 @@ int main(int argc, char **argv_orig, char **envp) {
 OKF("Cmplog forkserver successfully started");
 }
+
+ atexit(at_exit);
 perform_dry_run(afl);
-- cgit 1.4.1
From dc002b4b3544d79d846723b445549400935aca64 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Mon, 15 Jun 2020 11:08:24 +0200
Subject: code format
---
 gcc_plugin/afl-gcc-rt.o.c | 2 +-
 include/afl-fuzz.h | 2 +-
 src/afl-analyze.c | 2 +-
 src/afl-fuzz-one.c | 6 +++---
 src/afl-fuzz-stats.c | 6 +++---
 src/afl-fuzz.c | 10 ++++------
 src/afl-showmap.c | 2 +-
 src/afl-tmin.c | 2 +-
 8 files changed, 15 insertions(+), 17 deletions(-)
(limited to 'src/afl-fuzz.c')
diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c
index 5c94f68a..49a03cae 100644
--- a/gcc_plugin/afl-gcc-rt.o.c
+++ b/gcc_plugin/afl-gcc-rt.o.c
@@ -36,7 +36,7 @@
 #include
 #ifndef USEMMAP
-#include
+ #include
 #endif
 #include
 #include
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 2f712806..f6158014 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -67,7 +67,7 @@
 #include
 #include
 #ifndef USEMMAP
-#include
+ #include
 #endif
 #include
 #include
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index cf5e9b16..f9ba8860 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -52,7 +52,7 @@
 #include
 #include
 #ifndef USEMMAP
-#include
+ #include
 #endif
 #include
 #include
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index a247a837..fc5760cc 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
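Review bot: `kill(i, SIGKILL)` in at_exit acts on whatever pid the environment names at exit time, and nothing checks that the forkserver is still alive: if it has already died and been reaped (a crash during startup, for instance), the kernel may have handed that pid to an unrelated process of the same user, which this handler would then kill. Guard the call with a check that only succeeds for a still-running child, `if (waitpid(i, &status, WNOHANG) == 0) kill(i, SIGKILL);`, and parse with `strtol` and an end-pointer check instead of `atoi`, so a malformed value is rejected rather than silently becoming 0 or a truncated number. `static void at_exit()` should be `static void at_exit(void)`, and the pid belongs in a `pid_t` rather than an `int`.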
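Review bot: `atexit(at_exit)` is registered only after both forkservers have started, so any error path between `afl_fsrv_start` and this line that leaves through `exit()` (a failed cmplog start, for example) still leaves the first target running, which is the very case the handler exists for. Registering it once near the top of main() costs nothing, because at_exit only acts on pids that are actually present in the environment. Note also that atexit handlers are inherited across `fork()`, so any child afl-fuzz forks after this point that terminates via `exit()` rather than `_exit()` will run the handler and kill the targets. main() continues outside the hunk.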
@@ -3852,7 +3852,7 @@ pacemaker_fuzzing: afl->extras[j].len > len - i || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || (eff_map && !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->extras[j].len)))) { + EFF_SPAN_ALEN(i, afl->extras[j].len)))) { afl->stage_max--; continue; @@ -3960,7 +3960,7 @@ pacemaker_fuzzing: !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) || (eff_map && !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { + EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { afl->stage_max--; continue; @@ -3986,7 +3986,7 @@ pacemaker_fuzzing: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; - // AFLpp: Never read: skip_extras_v2: + // AFLpp: Never read: skip_extras_v2: // new_hit_cnt = afl->queued_paths + afl->unique_crashes; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index de58f277..28473c0c 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -124,11 +124,11 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, afl->slowest_exec_ms, #ifndef __HAIKU__ -#ifdef __APPLE__ + #ifdef __APPLE__ (unsigned long int)(rus.ru_maxrss >> 20), -#else + #else (unsigned long int)(rus.ru_maxrss >> 10), -#endif + #endif #else -1UL, #endif diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b84585bb..cefcd73f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -33,16 +33,14 @@ extern u64 time_spent_working; static void at_exit() { - int i; + int i; char *ptr = getenv("__AFL_TARGET_PID1"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) - kill(i, SIGKILL); + if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) - kill(i, SIGKILL); + if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); // anything else? shared memory? 
@@ -1259,7 +1257,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("Cmplog forkserver successfully started"); } - + atexit(at_exit); perform_dry_run(afl); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 70a30ce4..7b46cd2b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -57,7 +57,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 5a28ba79..9df5112b 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -55,7 +55,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include -- cgit 1.4.1 From b0866f59ccbcd90c2c3e0ecbb5ba2d9badc60319 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 21 Jun 2020 14:08:41 +0200 Subject: fix for -s 0 --- src/afl-fuzz.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/afl-fuzz.c') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index cefcd73f..c3b2da29 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -823,8 +823,7 @@ int main(int argc, char **argv_orig, char **envp) { WARNF( "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options " - "will " - "result in no deterministic mutations being done!"); + "will result in no deterministic mutations being done!"); } @@ -836,10 +835,11 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->init_seed) { - afl->rand_seed[0] = afl->init_seed; - afl->rand_seed[1] = afl->init_seed ^ 0x1234567890abcdef; - afl->rand_seed[2] = afl->init_seed & 0x0123456789abcdef; - afl->rand_seed[3] = afl->init_seed | 0x01abcde43f567908; + afl->rand_seed[0] = + hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST); + afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; + afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; + afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; } -- cgit 1.4.1 From eb3cb4bbf89e367e35e33e627e767e1b490bf861 Mon Sep 17 00:00:00 2001 
From: van Hauser
Date: Sun, 21 Jun 2020 16:21:59 +0200
Subject: fix for s=0
---
 src/afl-fuzz.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
(limited to 'src/afl-fuzz.c')
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index c3b2da29..bfd7cb33 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -833,18 +833,10 @@ int main(int argc, char **argv_orig, char **envp) {
 }
- if (afl->init_seed) {
-
- afl->rand_seed[0] =
- hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST);
- afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef;
- afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef;
- afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908;
-
- }
-
- // srandom((u32)afl->init_seed);
- // srand((u32)afl->init_seed); // in case it is a different implementation
+ afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST);
+ afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef;
+ afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef;
+ afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908;
 if (afl->use_radamsa) {
-- cgit 1.4.1
From 7119bf5d860657dab7afb60fab8b7ad5dc0ef222 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Mon, 22 Jun 2020 21:58:16 +0200
Subject: Added rand, hash unittests
---
 .gitignore | 2 ++
 GNUmakefile | 23 +++++++++----
 include/afl-fuzz.h | 8 +++--
 src/afl-fuzz-one.c | 2 +-
 src/afl-fuzz.c | 9 ++---
 src/afl-performance.c | 10 ++++++
 test/unittests/unit_hash.c | 75 +++++++++++++++++++++++++++++++++++++++++
 test/unittests/unit_rand.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 197 insertions(+), 16 deletions(-)
 create mode 100644 test/unittests/unit_hash.c
 create mode 100644 test/unittests/unit_rand.c
(limited to 'src/afl-fuzz.c')
diff --git a/.gitignore b/.gitignore
index 505a4ecb..8448c8f6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,5 +49,7 @@ core\.* test/unittests/unit_maybe_alloc test/unittests/unit_preallocable test/unittests/unit_list +test/unittests/unit_rand +test/unittests/unit_hash examples/afl_network_proxy/afl-network-server examples/afl_network_proxy/afl-network-client diff --git a/GNUmakefile b/GNUmakefile index a171e916..5a739ad8 100644 --- a/GNUmakefile +++ b/GNUmakefile 
@@ -403,13 +403,24 @@ document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/ test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES) @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o -test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES) - @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o - unit_maybe_alloc: test/unittests/unit_maybe_alloc.o @$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka ./test/unittests/unit_maybe_alloc +test/unittests/unit_hash.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_hash.c $(AFL_FUZZ_FILES) src/afl-performance.o + @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o + +unit_hash: test/unittests/unit_hash.o src/afl-performance.o + @$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka + ./test/unittests/unit_hash + +test/unittests/unit_rand.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_rand.c $(AFL_FUZZ_FILES) src/afl-performance.o + @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o + +unit_rand: test/unittests/unit_rand.o src/afl-common.o src/afl-performance.o + @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka + ./test/unittests/unit_rand + test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES) @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o 
@@ -417,8 +428,8 @@ unit_list: test/unittests/unit_list.o @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka ./test/unittests/unit_list -test/unittests/preallocable.o : $(COMM_HDR) include/afl-prealloc.h test/unittests/preallocable.c $(AFL_FUZZ_FILES) - @$(CC) $(CFLAGS) $(ASAN_CFLAGS) $(CFLAGS_FLTO) -c test/unittests/preallocable.c -o test/unittests/preallocable.o +test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES) + @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o unit_preallocable: test/unittests/unit_preallocable.o @$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka @@ -429,7 +440,7 @@ unit_clean: ifneq "$(shell uname)" "Darwin" -unit: unit_maybe_alloc unit_preallocable unit_list unit_clean +unit: unit_maybe_alloc unit_preallocable unit_list unit_clean unit_rand unit_hash else diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index e7b52d56..16f7d717 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -49,6 +49,7 @@ #include "sharedmem.h" #include "forkserver.h" #include "common.h" +#include "hash.h" #include #include @@ -971,13 +972,16 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) { } -static inline u32 get_rand_seed(afl_state_t *afl) { +static inline s64 rand_get_seed(afl_state_t *afl) { - if (unlikely(afl->fixed_seed)) { return (u32)afl->init_seed; } + if (unlikely(afl->fixed_seed)) { return afl->init_seed; } return afl->rand_seed[0]; } +/* initialize randomness with a given seed. Can be called again at any time. */ +void rand_set_seed(afl_state_t *afl, s64 init_seed); + /* Find first power of two greater or equal to val (assuming val under 2^63). */ 
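Review bot: With `afl->fixed_seed` set, `rand_get_seed` in the include/afl-fuzz.h hunk returns the constant `afl->init_seed` on every call, so a `-s` run hands the radamsa stage in src/afl-fuzz-one.c (its only caller in this commit) the same seed on every iteration of its loop, whereas an unseeded run gets a state word that moves with each `rand_next`. Returning `afl->rand_seed[0]` in both cases keeps runs reproducible, since `rand_set_seed` derives the whole state from `init_seed`, and restores per-iteration variation; the `unlikely(afl->fixed_seed)` branch can then go. The return type also changed from `u32` to `s64`, but the seed parameter of the radamsa callback is outside the hunk, so its width should be confirmed against this.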
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index e42a323d..60db9777 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -2458,7 +2458,7 @@ radamsa_stage:
 for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
 u32 new_len = afl->radamsa_mutate_ptr(save_buf, len, new_buf, max_len,
- get_rand_seed(afl));
+ rand_get_seed(afl));
 if (new_len) {
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index bfd7cb33..c8083f71 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -289,7 +289,7 @@ int main(int argc, char **argv_orig, char **envp) {
 doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH;
 gettimeofday(&tv, &tz);
- afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
+ rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid());
 while ((opt = getopt(argc, argv, "+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) >
@@ -311,7 +311,7 @@ int main(int argc, char **argv_orig, char **envp) {
 case 's': {
- afl->init_seed = strtoul(optarg, 0L, 10);
+ rand_set_seed(afl, strtoul(optarg, 0L, 10));
 afl->fixed_seed = 1;
 break;
@@ -833,11 +833,6 @@ int main(int argc, char **argv_orig, char **envp) {
 }
- afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST);
- afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef;
- afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef;
- afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908;
 if (afl->use_radamsa) {
 if (afl->limit_time_sig > 0) {
diff --git a/src/afl-performance.c b/src/afl-performance.c
index 8efefcd8..757bbe1e 100644
--- a/src/afl-performance.c
+++ b/src/afl-performance.c
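Review bot: `rand_set_seed(afl, strtoul(optarg, 0L, 10))` in the `case 's'` hunk accepts any text: a non-numeric `-s` value silently seeds 0, a trailing garbage suffix is ignored, and an out-of-range value wraps through `ERANGE` without notice, while `afl->fixed_seed = 1` then records the run as reproducible under a seed the user never chose. Parse with an end pointer and errno, `char *end; errno = 0; unsigned long v = strtoul(optarg, &end, 10); if (end == optarg || *end || errno == ERANGE) FATAL("...")`, before calling `rand_set_seed`. The conversion from `unsigned long` to the `s64` parameter should also be made explicit. main() continues outside the hunk.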
@@ -33,6 +33,16 @@ static inline uint64_t rotl(const uint64_t x, int k) {
 }
+void rand_set_seed(afl_state_t *afl, s64 init_seed) {
+
+ afl->init_seed = init_seed;
+ afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST);
+ afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef;
+ afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef;
+ afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908;
+
+}
+
 uint64_t rand_next(afl_state_t *afl) {
 const uint64_t result =
diff --git a/test/unittests/unit_hash.c b/test/unittests/unit_hash.c
new file mode 100644
index 00000000..041d107a
--- /dev/null
+++ b/test/unittests/unit_hash.c
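Review bot: `rand_set_seed` carries no comment on the property the derivation depends on: after `hash64`, the `| 0x01abcde43f567908` mask guarantees `rand_seed[3]` is non-zero, which is what keeps the xoshiro256** state out of its all-zero fixed point for every `init_seed`, including the `-s 0` case fixed twice earlier in this series. Add `/* the OR mask forces rand_seed[3] non-zero, so the generator state can never be all zero whatever init_seed is */` above the assignments so the masks are not "simplified" away later. The `&`/`|` derivation also pins bits of words 2 and 3 to constants, so the 256-bit state holds only the 64 bits of `rand_seed[0]`; fine for fuzzing, but the declaration comment in include/afl-fuzz.h should state that the seed is not a secret and the stream is fully determined by `init_seed`.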
@@ -0,0 +1,75 @@ +#include +#include +#include +#include +#include +/* cmocka < 1.0 didn't support these features we need */ +#ifndef assert_ptr_equal +#define assert_ptr_equal(a, b) \ + _assert_int_equal(cast_ptr_to_largest_integral_type(a), \ + cast_ptr_to_largest_integral_type(b), \ + __FILE__, __LINE__) +#define CMUnitTest UnitTest +#define cmocka_unit_test unit_test +#define cmocka_run_group_tests(t, setup, teardown) run_tests(t) +#endif + + +extern void mock_assert(const int result, const char* const expression, + const char * const file, const int line); +#undef assert +#define assert(expression) \ + mock_assert((int)(expression), #expression, __FILE__, __LINE__); + +#include "afl-fuzz.h" +#include "hash.h" + +/* remap exit -> assert, then use cmocka's mock_assert + (compile with `--wrap=exit`) */ +extern void exit(int status); +extern void __real_exit(int status); +void __wrap_exit(int status); +void __wrap_exit(int status) { + assert(0); +} + +/* ignore all printfs */ +#undef printf +extern int printf(const char *format, ...); +extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...); +int __wrap_printf(const char *format, ...) { + return 1; +} + +/* Rand with 0 seed would broke in the past */ +static void test_hash(void **state) { + + char bitmap[64] = {0}; + u64 hash0 = hash64(bitmap, sizeof(bitmap), 0xa5b35705); + + bitmap[10] = 1; + u64 hash1 = hash64(bitmap, sizeof(bitmap), 0xa5b35705); + + assert_int_not_equal(hash0, hash1); + + bitmap[10] = 0; + assert_int_equal(hash0, hash64(bitmap, sizeof(bitmap), 0xa5b35705)); + + bitmap[10] = 1; + assert_int_equal(hash1, hash64(bitmap, sizeof(bitmap), 0xa5b35705)); + +} + +int main(int argc, char **argv) { + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_hash) + }; + + //return cmocka_run_group_tests (tests, setup, teardown); + __real_exit( cmocka_run_group_tests (tests, NULL, NULL) ); + + // fake return for dumb compilers + return 0; +} 
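Review bot: The comment `/* Rand with 0 seed would broke in the past */` above test_hash is copied from the rand test and describes nothing in this file; replace it with what the test asserts, `/* hash64 must be deterministic and must change when a single input byte changes */`. The test exercises only one byte at offset 10 under one seed constant; adding a flip of the last byte and a case hashing the same buffer under two different seed constants would catch a hash that ignores the seed or the tail of the buffer.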
diff --git a/test/unittests/unit_rand.c b/test/unittests/unit_rand.c new file mode 100644 index 00000000..0a90d8d1 --- /dev/null +++ b/test/unittests/unit_rand.c 
@@ -0,0 +1,84 @@ +#include +#include +#include +#include +#include +#include +#include +/* cmocka < 1.0 didn't support these features we need */ +#ifndef assert_ptr_equal +#define assert_ptr_equal(a, b) \ + _assert_int_equal(cast_ptr_to_largest_integral_type(a), \ + cast_ptr_to_largest_integral_type(b), \ + __FILE__, __LINE__) +#define CMUnitTest UnitTest +#define cmocka_unit_test unit_test +#define cmocka_run_group_tests(t, setup, teardown) run_tests(t) +#endif + + +extern void mock_assert(const int result, const char* const expression, + const char * const file, const int line); +#undef assert +#define assert(expression) \ + mock_assert((int)(expression), #expression, __FILE__, __LINE__); + +#include "afl-fuzz.h" + +/* remap exit -> assert, then use cmocka's mock_assert + (compile with `--wrap=exit`) */ +extern void exit(int status); +extern void __real_exit(int status); +void __wrap_exit(int status); +void __wrap_exit(int status) { + assert(0); +} + +/* ignore all printfs */ +#undef printf +extern int printf(const char *format, ...); +extern int __real_printf(const char *format, ...); +int __wrap_printf(const char *format, ...); +int __wrap_printf(const char *format, ...) 
{ + return 1; +} + +/* Rand with 0 seed would broke in the past */ +static void test_rand_0(void **state) { + + afl_state_t afl = {0}; + rand_set_seed(&afl, 0); + + /* give this one chance to retry */ + assert_int_not_equal( + (rand_next(&afl) != rand_next(&afl) + || rand_next(&afl) != rand_next(&afl)) + , 0); + +} + +static void test_rand_below(void **state) { + + afl_state_t afl = {0}; + rand_set_seed(&afl, 1337); + + afl.fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY); + + assert(!(rand_below(&afl, 9000) > 9000)); + assert_int_equal(rand_below(&afl, 1), 0); + +} + +int main(int argc, char **argv) { + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_rand_0), + cmocka_unit_test(test_rand_below) + }; + + //return cmocka_run_group_tests (tests, setup, teardown); + __real_exit( cmocka_run_group_tests (tests, NULL, NULL) ); + + // fake return for dumb compilers + return 0; +} -- cgit 1.4.1
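Review bot: `assert(!(rand_below(&afl, 9000) > 9000))` in test_rand_below lets the value 9000 through, which is precisely the out-of-range result a `rand_below(limit)` returning values in `[0, limit)` (as the `rand_below(&afl, 1) == 0` assertion presumes) must never produce; the check should read `assert(rand_below(&afl, 9000) < 9000);`. The `/dev/urandom` descriptor is opened without checking the result and never closed, so a failed `open` hands -1 to `rand_below` through `afl.fsrv.dev_urandom_fd`; assert the descriptor is non-negative and `close` it at the end of the test. A single draw is also a weak probe; a short loop of draws against the bound would make the test meaningful.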