From ca4a8c0f920f83c86aeb599b94b50fce2af68389 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Jul 2022 12:24:03 +0200 Subject: post_process 0/NULL return support --- src/afl-fuzz-bitmap.c | 15 +++++++++++++-- src/afl-fuzz-cmplog.c | 13 +++++++++++-- src/afl-fuzz-mutators.c | 18 +++++++++++++----- src/afl-fuzz-python.c | 11 ++++++++++- src/afl-fuzz-run.c | 33 ++++++++++++++++++++++++++++----- 5 files changed, 75 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 089f7bb5..b3a10bb7 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -647,8 +647,19 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (afl->fsrv.exec_tmout < afl->hang_tmout) { - u8 new_fault; - len = write_to_testcase(afl, &mem, len, 0); + u8 new_fault; + u32 tmp_len = write_to_testcase(afl, &mem, len, 0); + + if (likely(tmp_len)) { + + len = tmp_len; + + } else { + + len = write_to_testcase(afl, &mem, len, 1); + + } + new_fault = fuzz_run_target(afl, &afl->fsrv, afl->hang_tmout); classify_counts(&afl->fsrv); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 258d9ea7..d0c829e2 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -47,9 +47,18 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { - u8 fault; + u8 fault; + u32 tmp_len = write_to_testcase(afl, (void **)&out_buf, len, 0); - write_to_testcase(afl, (void **)&out_buf, len, 0); + if (likely(tmp_len)) { + + len = tmp_len; + + } else { + + len = write_to_testcase(afl, (void **)&out_buf, len, 1); + + } fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index dd97a7d3..b9daebfa 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c 
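Review bot: The fallback `len = write_to_testcase(afl, &mem, len, 1);` in save_if_interesting re-runs every custom post_process hook on the same input, and with fix=1 (see the write_to_testcase hunk of this commit) an empty result is replaced by the original length, so the hang re-check executes the target on data the post-processor declined to produce; common_fuzz_cmplog_stuff in the afl-fuzz-cmplog.c hunk does the same, while trim_case_custom in afl-fuzz-mutators.c skips the run instead, so the callers disagree on what an empty result means. If the dummy run is intended, state it where the decision is made: `/* post_process produced nothing: do a dummy run (fix=1) so the hang/cmplog check still executes */`. Whether `mem` has already been swapped to a post-processed buffer by the first call before the second call reads it depends on write_to_testcase's buffer handling, which is outside these hunks — worth confirming. Both enclosing functions continue outside their hunks.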
@@ -430,13 +430,21 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, retlen = write_to_testcase(afl, (void **)&retbuf, retlen, 0); - fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); - ++afl->trim_execs; + if (unlikely(!retlen)) { + + ++afl->trim_execs; + + } else { - if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } + fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); + ++afl->trim_execs; - classify_counts(&afl->fsrv); - cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } + + classify_counts(&afl->fsrv); + cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + + } } diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index a3d864c3..a43d80bb 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -535,7 +535,16 @@ size_t post_process_py(void *py_mutator, u8 *buf, size_t buf_size, Py_DECREF(py_value); - *out_buf = (u8 *)py->post_process_buf.buf; + if (unlikely(py->post_process_buf.len == 0)) { + + *out_buf = NULL; + + } else { + + *out_buf = (u8 *)py->post_process_buf.buf; + + } + return py->post_process_buf.len; } else { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 0f3be1a7..b97a8e6a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c 
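Review bot: In the new `!retlen` branch, `++afl->trim_execs;` counts an execution that never happened, since fuzz_run_target is skipped on that path; only the branch that runs the target should increment the counter. On the skipped path `fault` and `cksum` keep whatever the previous iteration left in them, so the acceptance check that follows the hunk must also test `retlen` — if it compares `cksum` alone, a stale value could accept a trim whose output was never executed; that check is outside the hunk, please confirm. A one-line comment would make the intent clear: `/* post_process rejected this candidate: do not execute it, treat as a failed trim */`.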
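Review bot: The hunk changes the post_process contract — an empty Python result now yields `*out_buf = NULL` and a 0 return, which the callers in this commit treat as "skip this input" — but nothing at this point says so. Add a comment above the new `if`, e.g. `/* empty result: hand back NULL/0 so write_to_testcase skips this input rather than writing zero bytes */`, and document the same rule in the custom-mutator API documentation for post_process, since a Python mutator that legitimately returns b'' will now have its input skipped instead of executed. The remaining branches of post_process_py are outside the hunk.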
@@ -109,17 +109,36 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { if (unlikely(!new_buf && new_size <= 0)) { - FATAL("Custom_post_process failed (ret: %lu)", - (long unsigned)new_size); + new_size = 0; + new_buf = new_mem; + // FATAL("Custom_post_process failed (ret: %lu)", (long + // unsigned)new_size); - } + } else { - new_mem = new_buf; + new_mem = new_buf; + + } } }); + if (unlikely(!new_size)) { + + // perform dummy runs (fix = 1), but skip all others + if (fix) { + + new_size = len; + + } else { + + return 0; + + } + + } + if (unlikely(new_size < afl->min_length && !fix)) { new_size = afl->min_length; @@ -969,7 +988,11 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - len = write_to_testcase(afl, (void **)&out_buf, len, 0); + if (unlikely(len = write_to_testcase(afl, (void **)&out_buf, len, 0) == 0)) { + + return 0; + + } fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); -- cgit 1.4.1 From c67f98865eec641ce7480b0882331c9799575dbb Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Jul 2022 14:53:43 +0200 Subject: fix --- src/afl-fuzz-run.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index b97a8e6a..d1ffb46c 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -107,7 +107,7 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { new_size = el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); - if (unlikely(!new_buf && new_size <= 0)) { + if (unlikely(!new_buf || new_size <= 0)) { new_size = 0; new_buf = new_mem; 
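Review bot: The commented-out FATAL in the failure branch should be deleted rather than kept, and replaced by a comment stating the new policy: `/* post_process returned nothing: treat as empty; callers decide whether to skip */`. In the fix branch, `new_size = len;` restores the original length but not the original buffer: if an earlier stacked post_process already replaced `new_mem` with its own, shorter output, a later hook returning 0 leaves `new_mem` pointing at that buffer while `len` bytes are taken from it (the initialisation of `new_mem` is outside the hunk, so please confirm). If the dummy run is meant to use the original data, pairing the reset as `new_size = len; new_mem = *mem;` keeps size and buffer consistent. write_to_testcase continues outside the hunk.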
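Review bot: In `if (unlikely(len = write_to_testcase(afl, (void **)&out_buf, len, 0) == 0))`, `==` binds tighter than `=`, so `len` becomes the 0/1 result of the comparison and a post-processed length is never kept; a later commit on this page (4d20b2d2) moves the parenthesis, but keeping the assignment out of the condition avoids the hazard entirely: `len = write_to_testcase(afl, (void **)&out_buf, len, 0); if (unlikely(!len)) { return 0; }`. Returning 0 silently skips the input; a comment such as `/* post_process produced nothing for this input: skip it without executing */` would make that deliberate. common_fuzz_stuff continues outside the hunk.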
@@ -226,14 +226,18 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at, new_size = el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); - if (unlikely(!new_buf || new_size <= 0)) { + if (unlikely(!new_buf && new_size <= 0)) { - FATAL("Custom_post_process failed (ret: %lu)", - (long unsigned)new_size); + new_size = 0; + new_buf = new_mem; + // FATAL("Custom_post_process failed (ret: %lu)", (long + // unsigned)new_size); - } + } else { - new_mem = new_buf; + new_mem = new_buf; + + } } -- cgit 1.4.1 From 4d20b2d28b732f20e4c9885a3d4ac4440d66bf12 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Jul 2022 17:04:53 +0200 Subject: fix --- src/afl-fuzz-run.c | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index d1ffb46c..631548d4 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -76,24 +76,6 @@ fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { u32 __attribute__((hot)) write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { -#ifdef _AFL_DOCUMENT_MUTATIONS - s32 doc_fd; - char fn[PATH_MAX]; - snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir, - afl->document_counter++, - describe_op(afl, 0, NAME_MAX - strlen("000000000:"))); - - if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >= - 0) { - - if (write(doc_fd, *mem, len) != len) - PFATAL("write to mutation file failed: %s", fn); - close(doc_fd); - - } - -#endif - if (unlikely(afl->custom_mutators_count)) { ssize_t new_size = len; 
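Review bot: The new condition `!new_buf && new_size <= 0` is the opposite of the `||` this same commit introduces in write_to_testcase (previous hunk), and with `&&` a hook that returns NULL with a positive size falls through to `new_mem = new_buf;`, so the gap write that follows reads from a NULL pointer where the old code would have FATAL'd. Use `||` here as well, or at least keep both checks identical, and replace the commented-out FATAL lines with a comment explaining why the abort was dropped rather than leaving dead code in. Unlike write_to_testcase, nothing in this hunk turns a zero `new_size` into a skip or a dummy run, so the rest of write_with_gap (outside the hunk) presumably writes zero bytes and runs the target — please confirm that is intended.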
@@ -172,6 +154,25 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { } +#ifdef _AFL_DOCUMENT_MUTATIONS + s32 doc_fd; + char fn[PATH_MAX]; + snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir, + afl->document_counter++, + describe_op(afl, 0, NAME_MAX - strlen("000000000:"))); + + if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >= + 0) { + + if (write(doc_fd, *mem, len) != len) + PFATAL("write to mutation file failed: %s", fn); + close(doc_fd); + + } + +#endif + + fprintf(stderr, "len = %u\n", len); return len; } @@ -992,7 +993,7 @@ common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { u8 fault; - if (unlikely(len = write_to_testcase(afl, (void **)&out_buf, len, 0) == 0)) { + if (unlikely(len = write_to_testcase(afl, (void **)&out_buf, len, 0)) == 0) { return 0; -- cgit 1.4.1 From d09023245204808a0eedfee221216d999fe85d5c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Jul 2022 17:06:23 +0200 Subject: remove debug --- src/afl-fuzz-run.c | 1 - 1 file changed, 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 631548d4..c0e72ae6 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -172,7 +172,6 @@ write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) { #endif - fprintf(stderr, "len = %u\n", len); return len; } -- cgit 1.4.1 From 6c26434a631dce949a39268f9f31e0936cf3dd83 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 21 Jul 2022 13:41:37 +0200 Subject: fix pizza mode --- src/afl-fuzz-state.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index cc4138ae..ddfd4b31 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c 
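Review bot: After the move, the `_AFL_DOCUMENT_MUTATIONS` block records `*mem`/`len` as they are at the end of write_to_testcase, i.e. after any custom post_process, so the mutation log now holds what the target actually receives; a comment stating that would stop the next reader from undoing the move: `/* log the final test case (after post_process), not the raw mutation */`. The `return 0;` that the post_process support added earlier in this function (not in this hunk) exits before this block, so skipped inputs are not logged — fine if the log is meant to reflect executed inputs only, but worth saying in the same comment. write_to_testcase's body starts outside the hunk.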
@@ -518,16 +518,6 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_no_crash_readme = atoi((u8 *)get_afl_env(afl_environment_variables[i])); - if (afl->afl_env.afl_pizza_mode == 0) { - - afl->afl_env.afl_pizza_mode = 1; - - } else { - - afl->pizza_is_served = 1; - - } - } else if (!strncmp(env, "AFL_SYNC_TIME", afl_environment_variable_len)) { @@ -607,6 +597,16 @@ void read_afl_environment(afl_state_t *afl, char **envp) { } + if (afl->afl_env.afl_pizza_mode == 0) { + + afl->afl_env.afl_pizza_mode = 1; + + } else { + + afl->pizza_is_served = 1; + + } + if (issue_detected) { sleep(2); } } -- cgit 1.4.1 From 0540d30274e3126204ebb8c90088d4925cfa9a94 Mon Sep 17 00:00:00 2001 From: yuawn Date: Sun, 24 Jul 2022 10:23:33 +0000 Subject: fix message overflow --- src/afl-fuzz.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 287f09df..c5de8e35 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -168,7 +168,7 @@ static void usage(u8 *argv0, int more_help) { " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" " if using QEMU/FRIDA or if you the fuzzing target is " - "compiled" + "compiled\n" " for CmpLog then just use -c 0.\n" " -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n" " 1=small files, 2=larger files (default), 3=all " -- cgit 1.4.1 From d8d6ea93cfdd8b67dd83483eca321bf238e3b0e2 Mon Sep 17 00:00:00 2001 From: yuawn Date: Sun, 24 Jul 2022 10:30:21 +0000 Subject: fix sentence & code format --- src/afl-fuzz.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c5de8e35..76a79900 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
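Review bot: The relocated pizza-mode block in the second hunk has no comment saying why it must run after the environment loop rather than inside one `else if` branch, which is exactly how it ended up misplaced before; add one above it, for example `/* evaluate AFL_PIZZA_MODE once all env vars are read: unset -> default mode, explicit value -> pizza is served */` — I am inferring the meaning of the two fields from their names, so adjust the wording. The enclosing function read_afl_environment starts outside the hunk.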
@@ -167,7 +167,7 @@ static void usage(u8 *argv0, int more_help) { " See docs/README.MOpt.md\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" - " if using QEMU/FRIDA or if you the fuzzing target is " + " if using QEMU/FRIDA or the fuzzing target is " "compiled\n" " for CmpLog then just use -c 0.\n" " -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n" @@ -383,9 +383,9 @@ static int stricmp(char const *a, char const *b) { static void fasan_check_afl_preload(char *afl_preload) { char first_preload[PATH_MAX + 1] = {0}; - char *separator = strchr(afl_preload, ':'); + char * separator = strchr(afl_preload, ':'); size_t first_preload_len = PATH_MAX; - char *basename; + char * basename; char clang_runtime_prefix[] = "libclang_rt.asan"; if (separator != NULL && (separator - afl_preload) < PATH_MAX) { @@ -429,7 +429,7 @@ static void fasan_check_afl_preload(char *afl_preload) { nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { - void *handle; + void * handle; nyx_plugin_handler_t *plugin = calloc(1, sizeof(nyx_plugin_handler_t)); ACTF("Trying to load libnyx.so plugin..."); @@ -498,8 +498,8 @@ int main(int argc, char **argv_orig, char **envp) { u8 *extras_dir[4]; u8 mem_limit_given = 0, exit_1 = 0, debug = 0, extras_dir_cnt = 0 /*, have_p = 0*/; - char *afl_preload; - char *frida_afl_preload = NULL; + char * afl_preload; + char * frida_afl_preload = NULL; char **use_argv; struct timeval tv; -- cgit 1.4.1 From f22d28333bb61b8d931fddcffab404bd62685bb3 Mon Sep 17 00:00:00 2001 From: yuawn Date: Sun, 24 Jul 2022 10:41:50 +0000 Subject: code format with clang-format-14 --- src/afl-fuzz.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 76a79900..2e151abb 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -383,9 +383,9 @@ static int stricmp(char const *a, char const *b) { static void fasan_check_afl_preload(char *afl_preload) { char first_preload[PATH_MAX + 1] = {0}; - char * separator = strchr(afl_preload, ':'); + char *separator = strchr(afl_preload, ':'); size_t first_preload_len = PATH_MAX; - char * basename; + char *basename; char clang_runtime_prefix[] = "libclang_rt.asan"; if (separator != NULL && (separator - afl_preload) < PATH_MAX) { @@ -429,7 +429,7 @@ static void fasan_check_afl_preload(char *afl_preload) { nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) { - void * handle; + void *handle; nyx_plugin_handler_t *plugin = calloc(1, sizeof(nyx_plugin_handler_t)); ACTF("Trying to load libnyx.so plugin..."); @@ -498,8 +498,8 @@ int main(int argc, char **argv_orig, char **envp) { u8 *extras_dir[4]; u8 mem_limit_given = 0, exit_1 = 0, debug = 0, extras_dir_cnt = 0 /*, have_p = 0*/; - char * afl_preload; - char * frida_afl_preload = NULL; + char *afl_preload; + char *frida_afl_preload = NULL; char **use_argv; struct timeval tv; -- cgit 1.4.1