From b3feda052d36aacd657b394169b90f05afdbbbde Mon Sep 17 00:00:00 2001 From: David Carlier Date: Wed, 10 Jun 2020 16:16:47 +0100 Subject: start of illumos cpu binding implementation. The current user needs the proc_owner permission, not something doable via the settings script. --- src/afl-fuzz-init.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++------ src/afl-gotcpu.c | 17 ++++++++++- 2 files changed, 95 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 4184fa6b..16980681 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -37,6 +37,8 @@ void bind_to_free_cpu(afl_state_t *afl) { cpu_set_t c; #elif defined(__NetBSD__) cpuset_t * c; + #elif defined(__sun) + psetid_t c; #endif u8 cpu_used[4096] = {0}; @@ -181,6 +183,58 @@ void bind_to_free_cpu(afl_state_t *afl) { } ck_free(procs); + #elif defined(__sun) + kstat_named_t *n; + kstat_ctl_t *m; + kstat_t *k; + cpu_stat_t cs; + u32 ncpus; + + m = kstat_open(); + + if (!m) FATAL("kstat_open failed"); + + k = kstat_lookup(m, "unix", 0, "system_misc"); + + if (!k) { + + kstat_close(m); + return; + + } + + if (kstat_read(m, k, NULL)) { + + kstat_close(m); + return; + + } + + n = kstat_data_lookup(k, "ncpus"); + ncpus = n->value.i32; + + if (ncpus > sizeof(cpu_used)) + ncpus = sizeof(cpu_used); + + for (i = 0; i < ncpus; i ++) { + + k = kstat_lookup(m, "cpu_stat", i, NULL); + if (kstat_read(m, k, &cs)) { + + kstat_close(m); + return; + + } + + if (cs.cpu_sysinfo.cpu[CPU_IDLE] > 0) + continue; + + if (cs.cpu_sysinfo.cpu[CPU_USER] > 0 || cs.cpu_sysinfo.cpu[CPU_KERNEL] > 0) + cpu_used[i] = 1; + + } + + kstat_close(m); #else #warning \ "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" @@ -189,7 +243,7 @@ void bind_to_free_cpu(afl_state_t *afl) { size_t cpu_start = 0; try: - #ifndef __ANDROID__ + #if !defined(__ANDROID__) for (i = cpu_start; i < afl->cpu_core_count; i++) { if (!cpu_used[i]) { break; } @@ -228,6 +282,9 @@ void bind_to_free_cpu(afl_state_t *afl) { c = cpuset_create(); if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); + #elif defined(__sun) + pset_create(&c); + if (pset_assign(c, i, NULL)) PFATAL("pset_assign failed"); #endif #if defined(__linux__) @@ -259,18 +316,31 @@ void bind_to_free_cpu(afl_state_t *afl) { } #elif defined(__NetBSD__) -if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { + if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { - if (cpu_start == afl->cpu_core_count) - PFATAL("pthread_setaffinity failed for cpu %d, exit", i); - WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); - cpu_start++; - goto try + if (cpu_start == afl->cpu_core_count) + PFATAL("pthread_setaffinity failed for cpu %d, exit", i); + WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); + cpu_start++; + goto try ; -} + } + + cpuset_destroy(c); + #elif defined(__sun) + if (pset_bind(c, P_PID, getpid(), NULL)) { + + if (cpu_start == afl->cpu_core_count) + PFATAL("pset_bind failed for cpu %d, exit", i); + WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); + cpu_start++; + goto try + ; + + } -cpuset_destroy(c); + pset_destroy(c); #else // this will need something for other platforms // TODO: Solaris/Illumos has processor_bind ... might worth a try diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index 43b3196b..bdf63e8f 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -54,7 +54,7 @@ #include "common.h" #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \ - defined(__APPLE__) || defined(__DragonFly__) + defined(__APPLE__) || defined(__DragonFly__) || defined(__sun) #define HAVE_AFFINITY 1 #if defined(__FreeBSD__) || defined(__DragonFly__) #include @@ -70,6 +70,8 @@ #include #include #include + #elif defined(__sun) + #include #endif #endif /* __linux__ || __FreeBSD__ || __NetBSD__ || __APPLE__ */ @@ -181,6 +183,12 @@ int main(int argc, char **argv) { if (thread_policy_set(native_thread, THREAD_AFFINITY_POLICY, (thread_policy_t)&c, 1) != KERN_SUCCESS) PFATAL("thread_policy_set failed"); + #elif defined(__sun) + psetid_t c; + + if (pset_create(&c)) PFATAL("pset_create failed"); + + if (pset_assign(c, i, NULL)) PFATAL("pset_assign failed"); #endif #if defined(__FreeBSD__) || defined(__DragonFly__) @@ -195,6 +203,13 @@ int main(int argc, char **argv) { cpuset_destroy(c); #endif + #if defined(__sun) + if (pset_bind(c, P_PID, getpid(), NULL)) + PFATAL("pset_bind failed"); + + pset_destroy(c); + #endif + #if defined(__linux__) if (sched_setaffinity(0, sizeof(c), &c)) { -- cgit v1.2.3 From e8da5f9e2894a89e36f899719e442a897a189f1f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 11 Jun 2020 19:30:28 +0200 Subject: code format and debug --- src/afl-forkserver.c | 4 ++-- src/afl-fuzz-init.c | 56 +++++++++++++++++++++++++--------------------------- src/afl-fuzz-stats.c | 2 +- src/afl-gotcpu.c | 3 +-- 4 files changed, 31 insertions(+), 34 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a549e471..330fb1de 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -837,8 +837,8 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); - // printf("test case len: %u [0]:0x%02x\n", *fsrv->shmem_fuzz_len, buf[0]); - // fflush(stdout); + // fprintf(stderr, "FS crc: %08x len: %u\n", hash32(fsrv->shmem_fuzz, + // *fsrv->shmem_fuzz_len, 0xa5b35705), *fsrv->shmem_fuzz_len); } else { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 16980681..1245d94b 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -38,7 +38,7 @@ void bind_to_free_cpu(afl_state_t *afl) { #elif defined(__NetBSD__) cpuset_t * c; #elif defined(__sun) - psetid_t c; + psetid_t c; #endif u8 cpu_used[4096] = {0}; @@ -185,10 +185,10 @@ void bind_to_free_cpu(afl_state_t *afl) { ck_free(procs); #elif defined(__sun) kstat_named_t *n; - kstat_ctl_t *m; - kstat_t *k; - cpu_stat_t cs; - u32 ncpus; + kstat_ctl_t * m; + kstat_t * k; + cpu_stat_t cs; + u32 ncpus; m = kstat_open(); @@ -213,10 +213,9 @@ void bind_to_free_cpu(afl_state_t *afl) { n = kstat_data_lookup(k, "ncpus"); ncpus = n->value.i32; - if (ncpus > sizeof(cpu_used)) - ncpus = sizeof(cpu_used); + if (ncpus > sizeof(cpu_used)) ncpus = sizeof(cpu_used); - for (i = 0; i < ncpus; i ++) { + for (i = 0; i < ncpus; i++) { k = kstat_lookup(m, "cpu_stat", i, NULL); if (kstat_read(m, k, &cs)) { @@ -226,8 +225,7 @@ void bind_to_free_cpu(afl_state_t *afl) { } - if (cs.cpu_sysinfo.cpu[CPU_IDLE] > 0) - continue; + if (cs.cpu_sysinfo.cpu[CPU_IDLE] > 0) continue; if (cs.cpu_sysinfo.cpu[CPU_USER] > 0 || cs.cpu_sysinfo.cpu[CPU_KERNEL] > 0) cpu_used[i] = 1; @@ -283,8 +281,8 @@ void bind_to_free_cpu(afl_state_t *afl) { if (c == NULL) PFATAL("cpuset_create failed"); cpuset_set(i, c); #elif defined(__sun) - pset_create(&c); - if (pset_assign(c, i, NULL)) PFATAL("pset_assign failed"); +pset_create(&c); +if (pset_assign(c, i, NULL)) PFATAL("pset_assign failed"); #endif #if defined(__linux__) @@ -316,31 +314,31 @@ void bind_to_free_cpu(afl_state_t *afl) { } #elif defined(__NetBSD__) - if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { +if (pthread_setaffinity_np(pthread_self(), cpuset_size(c), c)) { - if (cpu_start == afl->cpu_core_count) - PFATAL("pthread_setaffinity failed for cpu %d, exit", i); - WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); - cpu_start++; - goto try + if (cpu_start == afl->cpu_core_count) + PFATAL("pthread_setaffinity failed for cpu %d, exit", i); + WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); + cpu_start++; + goto try ; - } +} - cpuset_destroy(c); +cpuset_destroy(c); #elif defined(__sun) - if (pset_bind(c, P_PID, getpid(), NULL)) { +if (pset_bind(c, P_PID, getpid(), NULL)) { - if (cpu_start == afl->cpu_core_count) - PFATAL("pset_bind failed for cpu %d, exit", i); - WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); - cpu_start++; - goto try - ; + if (cpu_start == afl->cpu_core_count) + PFATAL("pset_bind failed for cpu %d, exit", i); + WARNF("pthread_setaffinity failed to CPU %d, trying next CPU", i); + cpu_start++; + goto try + ; - } +} - pset_destroy(c); +pset_destroy(c); #else // this will need something for other platforms // TODO: Solaris/Illumos has processor_bind ... might worth a try diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 4493f34d..5d2e5358 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -125,7 +125,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, (unsigned long int)(rus.ru_maxrss >> 10), #endif #ifdef HAVE_AFFINITY - afl->cpu_aff, + afl->cpu_aff, #else -1, #endif diff --git a/src/afl-gotcpu.c b/src/afl-gotcpu.c index bdf63e8f..bd0f7de6 100644 --- a/src/afl-gotcpu.c +++ b/src/afl-gotcpu.c @@ -204,8 +204,7 @@ int main(int argc, char **argv) { #endif #if defined(__sun) - if (pset_bind(c, P_PID, getpid(), NULL)) - PFATAL("pset_bind failed"); + if (pset_bind(c, P_PID, getpid(), NULL)) PFATAL("pset_bind failed"); pset_destroy(c); #endif -- cgit v1.2.3 From 818afe6232a6ee7dd83bb0fffb739a05acf46301 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 08:27:03 +0200 Subject: added MOpt dictionary support from repo --- src/afl-fuzz-one.c | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 578ac584..bea7e76e 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -3806,6 +3806,191 @@ skip_extras: havoc_stage: pacemaker_fuzzing: + if (afl->key_puppet == 1) { + + double select_bool = ((double)(random() % 10000) * 0.0001); + if (select_bool < 0.001) { + + /******************** + * DICTIONARY STUFF * + ********************/ + + if (!afl->extras_cnt) goto skip_puppet_extras; + + /* Overwrite with user-supplied extras. */ + + afl->stage_name = "user extras (over)"; + afl->stage_short = "ext_UO"; + afl->stage_cur = 0; + afl->stage_max = afl->extras_cnt * len; + + afl->stage_val_type = STAGE_VAL_NONE; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len; i++) { + + u32 last_len = 0; + + afl->stage_cur_byte = i; + + /* Extras are sorted by size, from smallest to largest. This means + that we don't have to worry about restoring the buffer in + between writes at a particular offset determined by the outer + loop. */ + + for (j = 0; j < afl->extras_cnt; j++) { + + /* Skip extras probabilistically if extras_cnt > MAX_DET_EXTRAS. Also + skip them if there's no room to insert the payload, if the token + is redundant, or if its entire span has no bytes set in the + effector map. */ + + if ((afl->extras_cnt > MAX_DET_EXTRAS && + rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || + afl->extras[j].len > len - i || + !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, + EFF_SPAN_ALEN(i, afl->extras[j].len))) { + + afl->stage_max--; + continue; + + } + + last_len = afl->extras[j].len; + memcpy(out_buf + i, afl->extras[j].data, last_len); + + if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + + afl->stage_cur++; + + } + + /* Restore all the clobbered memory. */ + memcpy(out_buf + i, in_buf + i, last_len); + + } + + new_hit_cnt = afl->queued_paths + afl->unique_crashes; + + afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; + afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; + + /* Insertion of user-supplied extras. */ + + afl->stage_name = "user extras (insert)"; + afl->stage_short = "ext_UI"; + afl->stage_cur = 0; + afl->stage_max = afl->extras_cnt * len; + + orig_hit_cnt = new_hit_cnt; + + ex_tmp = ck_alloc(len + MAX_DICT_FILE); + + for (i = 0; i <= len; i++) { + + afl->stage_cur_byte = i; + + for (j = 0; j < afl->extras_cnt; j++) { + + if (len + afl->extras[j].len > MAX_FILE) { + + afl->stage_max--; + continue; + + } + + /* Insert token */ + memcpy(ex_tmp + i, afl->extras[j].data, afl->extras[j].len); + + /* Copy tail */ + memcpy(ex_tmp + i + afl->extras[j].len, out_buf + i, len - i); + + if (common_fuzz_stuff(afl, ex_tmp, len + afl->extras[j].len)) { + + ck_free(ex_tmp); + goto abandon_entry; + + } + + afl->stage_cur++; + + } + + /* Copy head */ + ex_tmp[i] = out_buf[i]; + + } + + ck_free(ex_tmp); + + new_hit_cnt = afl->queued_paths + afl->unique_crashes; + + afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; + afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; + + skip_puppet_extras: + + if (!afl->a_extras_cnt) goto skip_extras_v2; + + afl->stage_name = "auto afl->extras (over)"; + afl->stage_short = "ext_AO"; + afl->stage_cur = 0; + afl->stage_max = MIN(afl->a_extras_cnt, USE_AUTO_EXTRAS) * len; + + afl->stage_val_type = STAGE_VAL_NONE; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len; i++) { + + u32 last_len = 0; + + afl->stage_cur_byte = i; + + for (j = 0; j < MIN(afl->a_extras_cnt, USE_AUTO_EXTRAS); j++) { + + /* See the comment in the earlier code; afl->extras are sorted by + * size. */ + + if (afl->a_extras[j].len > len - i || + !memcmp(afl->a_extras[j].data, out_buf + i, + afl->a_extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, + EFF_SPAN_ALEN(i, afl->a_extras[j].len))) { + + afl->stage_max--; + continue; + + } + + last_len = afl->a_extras[j].len; + memcpy(out_buf + i, afl->a_extras[j].data, last_len); + + if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; + + afl->stage_cur++; + + } + + /* Restore all the clobbered memory. */ + memcpy(out_buf + i, in_buf + i, last_len); + + } + + new_hit_cnt = afl->queued_paths + afl->unique_crashes; + + afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; + afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; + + skip_extras_v2: + new_hit_cnt = afl->queued_paths + afl->unique_crashes; + + } + + } + afl->stage_cur_byte = -1; /* The havoc stage mutation code is also invoked when splicing files; if the -- cgit v1.2.3 From 7d19b108c49510aaa437a855f2732107b770066d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 09:23:38 +0200 Subject: fix warnings --- src/afl-fuzz-one.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index bea7e76e..4a411e2f 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -364,7 +364,7 @@ u8 fuzz_one_original(afl_state_t *afl) { s32 len, fd, temp_len, i, j; u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; - u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt; + u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt = 0; u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; u8 ret_val = 1, doing_det = 0; @@ -2539,7 +2539,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { s32 len, fd, temp_len, i, j; u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; - u64 havoc_queued, orig_hit_cnt, new_hit_cnt, cur_ms_lv; + u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt = 0, cur_ms_lv; u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; u8 ret_val = 1, doing_det = 0; -- cgit v1.2.3 From db2e04361da8f40a7ee99fef1c2a2ed8f08b0501 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 11:57:54 +0200 Subject: shm debug and fixes --- src/afl-forkserver.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 330fb1de..edabe5df 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -32,6 +32,7 @@ #include "common.h" #include "list.h" #include "forkserver.h" +#include "hash.h" #include #include @@ -837,8 +838,17 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); - // fprintf(stderr, "FS crc: %08x len: %u\n", hash32(fsrv->shmem_fuzz, - // *fsrv->shmem_fuzz_len, 0xa5b35705), *fsrv->shmem_fuzz_len); +#ifdef _DEBUG + fprintf(stderr, "FS crc: %08x len: %u\n", hash32(fsrv->shmem_fuzz, + *fsrv->shmem_fuzz_len, 0xa5b35705), *fsrv->shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", buf[i]); + fprintf(stderr, "\n"); +#endif } else { -- cgit v1.2.3 From a632c00b0d023b8a40d09839fbb2662da1cb5d37 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:08:49 +0200 Subject: switch to faster and better hash + random --- src/afl-analyze.c | 4 +- src/afl-forkserver.c | 5 +- src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-mutators.c | 4 +- src/afl-fuzz-one.c | 20 +++---- src/afl-fuzz-redqueen.c | 10 ++-- src/afl-fuzz-run.c | 8 +-- src/afl-fuzz.c | 10 +++- src/afl-performance.c | 135 ++++++++++++++++++++++++++++++++++++++++++++++++ src/afl-tmin.c | 2 +- 10 files changed, 171 insertions(+), 29 deletions(-) create mode 100644 src/afl-performance.c (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 900fbeb1..60ea0968 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -222,7 +222,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { int status = 0; s32 prog_in_fd; - u32 cksum; + u64 cksum; memset(trace_bits, 0, map_size); MEM_BARRIER(); @@ -321,7 +321,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { } - cksum = hash32(trace_bits, map_size, HASH_CONST); + cksum = hash64(trace_bits, map_size, HASH_CONST); /* We don't actually care if the target is crashing or not, except that when it does, the checksum should be different. */ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index edabe5df..ad482224 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -839,8 +839,9 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { *fsrv->shmem_fuzz_len = len; memcpy(fsrv->shmem_fuzz, buf, len); #ifdef _DEBUG - fprintf(stderr, "FS crc: %08x len: %u\n", hash32(fsrv->shmem_fuzz, - *fsrv->shmem_fuzz_len, 0xa5b35705), *fsrv->shmem_fuzz_len); + fprintf(stderr, "FS crc: %08x len: %u\n", + hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), + *fsrv->shmem_fuzz_len); fprintf(stderr, "SHM :"); for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 5b98be9e..6075a87e 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -546,7 +546,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 fn[PATH_MAX]; /* Update path frequency. */ - u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); struct queue_entry *q = afl->queue; while (q) { diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 29e10d02..f149bb4c 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -272,7 +272,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, sprintf(afl->stage_name_buf, "ptrim %s", u_stringify_int(val_buf, trim_exec)); - u32 cksum; + u64 cksum; size_t retlen = mutator->afl_custom_trim(mutator->data, &retbuf); @@ -295,7 +295,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf, if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } - cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (cksum == q->exec_cksum) { diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 4a411e2f..d4083c07 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -364,8 +364,8 @@ u8 fuzz_one_original(afl_state_t *afl) { s32 len, fd, temp_len, i, j; u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; - u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt = 0; - u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; + u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt = 0, prev_cksum; + u32 splice_cycle = 0, perf_score = 100, orig_perf, eff_cnt = 1; u8 ret_val = 1, doing_det = 0; @@ -653,7 +653,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (!afl->non_instrumented_mode && (afl->stage_cur & 7) == 7) { - u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (afl->stage_cur == afl->stage_max - 1 && cksum == prev_cksum) { @@ -821,14 +821,14 @@ u8 fuzz_one_original(afl_state_t *afl) { if (!eff_map[EFF_APOS(afl->stage_cur)]) { - u32 cksum; + u64 cksum; /* If in non-instrumented mode or if the file is very short, just flag everything without wasting time on checksums. */ if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { - cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); } else { @@ -2539,8 +2539,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { s32 len, fd, temp_len, i, j; u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; - u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt = 0, cur_ms_lv; - u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; + u64 havoc_queued = 0, orig_hit_cnt, new_hit_cnt = 0, cur_ms_lv, prev_cksum; + u32 splice_cycle = 0, perf_score = 100, orig_perf, eff_cnt = 1; u8 ret_val = 1, doing_det = 0; @@ -2806,7 +2806,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (!afl->non_instrumented_mode && (afl->stage_cur & 7) == 7) { - u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (afl->stage_cur == afl->stage_max - 1 && cksum == prev_cksum) { @@ -2974,14 +2974,14 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (!eff_map[EFF_APOS(afl->stage_cur)]) { - u32 cksum; + u64 cksum; /* If in non-instrumented mode or if the file is very short, just flag everything without wasting time on checksums. */ if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) { - cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); } else { diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 7621d180..7251550c 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -89,11 +89,11 @@ static struct range *pop_biggest_range(struct range **ranges) { } -static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) { +static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u64 *cksum) { if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; } - *cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + *cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); return 0; } @@ -109,7 +109,7 @@ static void rand_replace(afl_state_t *afl, u8 *buf, u32 len) { } -static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { +static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) { struct range *ranges = add_range(NULL, 0, len); u8 * backup = ck_alloc_nozero(len); @@ -137,7 +137,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { memcpy(backup, buf + rng->start, s); rand_replace(afl, buf + rng->start, s); - u32 cksum; + u64 cksum; u64 start_us = get_cur_time_us(); if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) { @@ -695,7 +695,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { // afl->queue_cur->exec_cksum u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, - u32 exec_cksum) { + u64 exec_cksum) { u8 r = 1; if (afl->orig_cmp_map == NULL) { diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index a85e00fe..b45d0b8a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -256,7 +256,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { - u32 cksum; + u64 cksum; if (!first_run && !(afl->stage_cur % afl->stats_update_freq)) { @@ -281,7 +281,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } - cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (q->exec_cksum != cksum) { hnb = has_new_bits(afl, afl->virgin_bits); @@ -646,7 +646,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { while (remove_pos < q->len) { u32 trim_avail = MIN(remove_len, q->len - remove_pos); - u32 cksum; + u64 cksum; write_with_gap(afl, in_buf, q->len, remove_pos, trim_avail); @@ -658,7 +658,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ - cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); + cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); /* If the deletion had no impact on the trace, make it permanent. This isn't perfect for variable-path inputs, but we're just making a diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index fdc96931..e1401757 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -819,8 +819,14 @@ int main(int argc, char **argv_orig, char **envp) { } - srandom((u32)afl->init_seed); - srand((u32)afl->init_seed); // in case it is a different implementation + if (afl->init_seed) { + afl->rand_seed[0] = afl->init_seed; + afl->rand_seed[1] = afl->init_seed ^ 0x1234567890abcdef; + afl->rand_seed[2] = afl->init_seed & 0x0123456789abcdef; + afl->rand_seed[3] = afl->init_seed | 0x01abcde43f567908; + } + //srandom((u32)afl->init_seed); + //srand((u32)afl->init_seed); // in case it is a different implementation if (afl->use_radamsa) { diff --git a/src/afl-performance.c b/src/afl-performance.c new file mode 100644 index 00000000..a2eca8c9 --- /dev/null +++ b/src/afl-performance.c @@ -0,0 +1,135 @@ +/* Written in 2019 by David Blackman and Sebastiano Vigna (vigna@acm.org) + +To the extent possible under law, the author has dedicated all copyright +and related and neighboring rights to this software to the public domain +worldwide. This software is distributed without any warranty. + +See . + + This is xoshiro256++ 1.0, one of our all-purpose, rock-solid generators. + It has excellent (sub-ns) speed, a state (256 bits) that is large + enough for any parallel application, and it passes all tests we are + aware of. + + For generating just floating-point numbers, xoshiro256+ is even faster. + + The state must be seeded so that it is not everywhere zero. If you have + a 64-bit seed, we suggest to seed a splitmix64 generator and use its + output to fill s. */ + +#include +#include "afl-fuzz.h" +#include "types.h" +#include "xxh3.h" + +static inline uint64_t rotl(const uint64_t x, int k) { + + return (x << k) | (x >> (64 - k)); + +} + +uint64_t rand_next(afl_state_t *afl) { + + const uint64_t result = + rotl(afl->rand_seed[0] + afl->rand_seed[3], 23) + afl->rand_seed[0]; + + const uint64_t t = afl->rand_seed[1] << 17; + + afl->rand_seed[2] ^= afl->rand_seed[0]; + afl->rand_seed[3] ^= afl->rand_seed[1]; + afl->rand_seed[1] ^= afl->rand_seed[2]; + afl->rand_seed[0] ^= afl->rand_seed[3]; + + afl->rand_seed[2] ^= t; + + afl->rand_seed[3] = rotl(afl->rand_seed[3], 45); + + return result; + +} + +/* This is the jump function for the generator. It is equivalent + to 2^128 calls to rand_next(); it can be used to generate 2^128 + non-overlapping subsequences for parallel computations. */ + +void jump(afl_state_t *afl) { + + static const uint64_t JUMP[] = {0x180ec6d33cfd0aba, 0xd5a61266f0c9392c, + 0xa9582618e03fc9aa, 0x39abdc4529b1661c}; + + uint64_t s0 = 0; + uint64_t s1 = 0; + uint64_t s2 = 0; + uint64_t s3 = 0; + for (int i = 0; i < sizeof JUMP / sizeof *JUMP; i++) + for (int b = 0; b < 64; b++) { + + if (JUMP[i] & UINT64_C(1) << b) { + + s0 ^= afl->rand_seed[0]; + s1 ^= afl->rand_seed[1]; + s2 ^= afl->rand_seed[2]; + s3 ^= afl->rand_seed[3]; + + } + + rand_next(afl); + + } + + afl->rand_seed[0] = s0; + afl->rand_seed[1] = s1; + afl->rand_seed[2] = s2; + afl->rand_seed[3] = s3; + +} + +/* This is the long-jump function for the generator. It is equivalent to + 2^192 calls to rand_next(); it can be used to generate 2^64 starting points, + from each of which jump() will generate 2^64 non-overlapping + subsequences for parallel distributed computations. */ + +void long_jump(afl_state_t *afl) { + + static const uint64_t LONG_JUMP[] = {0x76e15d3efefdcbbf, 0xc5004e441c522fb3, + 0x77710069854ee241, 0x39109bb02acbe635}; + + uint64_t s0 = 0; + uint64_t s1 = 0; + uint64_t s2 = 0; + uint64_t s3 = 0; + for (int i = 0; i < sizeof LONG_JUMP / sizeof *LONG_JUMP; i++) + for (int b = 0; b < 64; b++) { + + if (LONG_JUMP[i] & UINT64_C(1) << b) { + + s0 ^= afl->rand_seed[0]; + s1 ^= afl->rand_seed[1]; + s2 ^= afl->rand_seed[2]; + s3 ^= afl->rand_seed[3]; + + } + + rand_next(afl); + + } + + afl->rand_seed[0] = s0; + afl->rand_seed[1] = s1; + afl->rand_seed[2] = s2; + afl->rand_seed[3] = s3; + +} + +u32 hash32(const void *key, u32 len, u32 seed) { + + return XXH64(key, len, seed) % 0x100000000; + +} + +u64 hash64(const void *key, u32 len, u64 seed) { + + return XXH64(key, len, seed); + +} + diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 091e5177..13fee660 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -300,7 +300,7 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, if (ret == FSRV_RUN_NOINST) { FATAL("Binary not instrumented?"); } - u32 cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST); + u64 cksum = hash64(fsrv->trace_bits, fsrv->map_size, HASH_CONST); if (first_run) { orig_cksum = cksum; } -- cgit v1.2.3 From 40aca0b6b398d8de0ecc17cf075e0eb79ec15d81 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:33:20 +0200 Subject: fix for checksums --- src/afl-analyze.c | 3 ++- src/afl-fuzz.c | 7 +++++-- src/afl-tmin.c | 3 ++- 3 files changed, 9 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 60ea0968..f1c141d5 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -66,11 +66,12 @@ static u8 *in_file, /* Analyzer input test case */ static u8 *in_data; /* Input data for analysis */ static u32 in_len, /* Input data length */ - orig_cksum, /* Original checksum */ total_execs, /* Total number of execs */ exec_hangs, /* Total number of hangs */ exec_tmout = EXEC_TIMEOUT; /* Exec timeout (ms) */ +static u64 orig_cksum; /* Original checksum */ + static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ static s32 dev_null_fd = -1; /* FD to /dev/null */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index e1401757..46862613 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -820,13 +820,16 @@ int main(int argc, char **argv_orig, char **envp) { } if (afl->init_seed) { + afl->rand_seed[0] = afl->init_seed; afl->rand_seed[1] = afl->init_seed ^ 0x1234567890abcdef; afl->rand_seed[2] = afl->init_seed & 0x0123456789abcdef; afl->rand_seed[3] = afl->init_seed | 0x01abcde43f567908; + } - //srandom((u32)afl->init_seed); - //srand((u32)afl->init_seed); // in case it is a different implementation + + // srandom((u32)afl->init_seed); + // srand((u32)afl->init_seed); // in case it is a different implementation if (afl->use_radamsa) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 13fee660..609f61d1 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -67,12 +67,13 @@ static u8 *in_file, /* Minimizer input test case */ static u8 *in_data; /* Input data for trimming */ static u32 in_len, /* Input data length */ - orig_cksum, /* Original checksum */ missed_hangs, /* Misses due to hangs */ missed_crashes, /* Misses due to crashes */ missed_paths, /* Misses due to exec path diffs */ map_size = MAP_SIZE; +static u64 orig_cksum; /* Original checksum */ + static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ exit_crash, /* Treat non-zero exit as crash? */ -- cgit v1.2.3 From ce1af1bc9c0b58aea653abec8fb42f9714d4308f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 12 Jun 2020 16:57:33 +0200 Subject: code-format killed the compilation --- src/afl-performance.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/src/afl-performance.c b/src/afl-performance.c index a2eca8c9..7a911ffd 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -56,13 +56,13 @@ void jump(afl_state_t *afl) { static const uint64_t JUMP[] = {0x180ec6d33cfd0aba, 0xd5a61266f0c9392c, 0xa9582618e03fc9aa, 0x39abdc4529b1661c}; - - uint64_t s0 = 0; - uint64_t s1 = 0; - uint64_t s2 = 0; - uint64_t s3 = 0; - for (int i = 0; i < sizeof JUMP / sizeof *JUMP; i++) - for (int b = 0; b < 64; b++) { + int i, b; + uint64_t s0 = 0; + uint64_t s1 = 0; + uint64_t s2 = 0; + uint64_t s3 = 0; + for (i = 0; i < sizeof JUMP / sizeof *JUMP; i++) + for (b = 0; b < 64; b++) { if (JUMP[i] & UINT64_C(1) << b) { @@ -94,12 +94,13 @@ void long_jump(afl_state_t *afl) { static const uint64_t LONG_JUMP[] = {0x76e15d3efefdcbbf, 0xc5004e441c522fb3, 0x77710069854ee241, 0x39109bb02acbe635}; + int i, b; uint64_t s0 = 0; uint64_t s1 = 0; uint64_t s2 = 0; uint64_t s3 = 0; - for (int i = 0; i < sizeof LONG_JUMP / sizeof *LONG_JUMP; i++) - for (int b = 0; b < 64; b++) { + for (i = 0; i < sizeof LONG_JUMP / sizeof *LONG_JUMP; i++) + for (b = 0; b < 64; b++) { if (LONG_JUMP[i] & UINT64_C(1) << b) { -- cgit v1.2.3 From 615ab1a7b80a7d2ae827240313f4a68d76364cf6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 13 Jun 2020 00:14:14 +0200 Subject: fix resize window crash and slightly more performant timed_read --- src/afl-forkserver.c | 54 +++++++++++++++++++++++++++++++++++----------------- 1 file changed, 37 insertions(+), 17 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index ad482224..af06b5ff 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -132,7 +132,8 @@ static u32 read_s32_timed(s32 fd, s32 *buf, u32 timeout_ms, FD_ZERO(&readfds); FD_SET(fd, &readfds); struct timeval timeout; - size_t len = 4; + int sret; + ssize_t len_read; timeout.tv_sec = (timeout_ms / 1000); timeout.tv_usec = (timeout_ms % 1000) * 1000; @@ -141,33 +142,52 @@ static u32 read_s32_timed(s32 fd, s32 *buf, u32 timeout_ms, #endif /* set exceptfds as well to return when a child exited/closed the pipe. */ - int sret = select(fd + 1, &readfds, NULL, NULL, &timeout); +restart_select: + sret = select(fd + 1, &readfds, NULL, NULL, &timeout); - if (!sret) { + if (likely(sret > 0)) { + + restart_read: + len_read = read(fd, (u8 *)buf, 4); + + if (likely(len_read == 4)) { // for speed we put this first + +#if defined(__linux__) + u32 exec_ms = MIN( + timeout_ms, + ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); +#else + u32 exec_ms = MIN(timeout_ms, get_cur_time_us() - read_start); +#endif + + // ensure to report 1 ms has passed (0 is an error) + return exec_ms > 0 ? exec_ms : 1; + + } else if (unlikely(len_read == -1 && errno == EINTR)) { + + goto restart_read; + + } else if (unlikely(len_read < 4)) { + + return 0; + + } + + } else if (unlikely(!sret)) { *buf = -1; return timeout_ms + 1; - } else if (sret < 0) { + } else if (unlikely(sret < 0)) { + + if (likely(errno == EINTR)) goto restart_select; *buf = -1; return 0; } - ssize_t len_read = read(fd, ((u8 *)buf), len); - if (len_read < len) { return 0; } - -#if defined(__linux__) - u32 exec_ms = - MIN(timeout_ms, - ((u64)timeout_ms - (timeout.tv_sec * 1000 + timeout.tv_usec / 1000))); -#else - u32 exec_ms = MIN(timeout_ms, get_cur_time_us() - read_start); -#endif - - // ensure to report 1 ms has passed (0 is an error) - return exec_ms > 0 ? exec_ms : 1; + return 0; // not reached } -- cgit v1.2.3 From 1542c7f49c00cd7d701869f951b9a2a126a7b960 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 13 Jun 2020 10:58:30 +0200 Subject: fix typos --- src/afl-performance.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/afl-performance.c b/src/afl-performance.c index 7a911ffd..28564eb8 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -1,10 +1,11 @@ -/* Written in 2019 by David Blackman and Sebastiano Vigna (vigna@acm.org) +/* + Written in 2019 by David Blackman and Sebastiano Vigna (vigna@acm.org) -To the extent possible under law, the author has dedicated all copyright -and related and neighboring rights to this software to the public domain -worldwide. This software is distributed without any warranty. + To the extent possible under law, the author has dedicated all copyright + and related and neighboring rights to this software to the public domain + worldwide. This software is distributed without any warranty. -See . + See . This is xoshiro256++ 1.0, one of our all-purpose, rock-solid generators. It has excellent (sub-ns) speed, a state (256 bits) that is large @@ -15,13 +16,17 @@ See . The state must be seeded so that it is not everywhere zero. If you have a 64-bit seed, we suggest to seed a splitmix64 generator and use its - output to fill s. */ + output to fill s[]. +*/ #include #include "afl-fuzz.h" #include "types.h" #include "xxh3.h" +/* we use xoshiro256** instead of rand/random because it is 10x faster and has + better randomness properties. */ + static inline uint64_t rotl(const uint64_t x, int k) { return (x << k) | (x >> (64 - k)); @@ -122,6 +127,9 @@ void long_jump(afl_state_t *afl) { } +/* we switch from afl's murmur implementation to xxh3 as it is 30% faster - + and get 64 bit hashes instead of just 32 bit. Less collisions! :-) */ + u32 hash32(const void *key, u32 len, u32 seed) { return XXH64(key, len, seed) % 0x100000000; -- cgit v1.2.3 From fc26001b50d27a276d2d50af1dbcd4dfa3886de5 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 13 Jun 2020 13:47:43 +0200 Subject: fix shmem --- src/afl-fuzz-run.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index b45d0b8a..cae48ce6 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -142,7 +142,34 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, s32 fd = afl->fsrv.out_fd; u32 tail_len = len - skip_at - skip_len; - if (afl->fsrv.out_file) { + if (afl->fsrv.shmem_fuzz) { + + if (skip_at) { memcpy(afl->fsrv.shmem_fuzz, mem, skip_at); } + + if (tail_len) { + + memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8*)mem + skip_at + skip_len, tail_len); + + } + + *afl->fsrv.shmem_fuzz_len = len - skip_len; + +#ifdef _DEBUG + fprintf(stderr, "FS crc: %08x len: %u\n", + hash64(fsrv->shmem_fuzz, *fsrv->shmem_fuzz_len, 0xa5b35705), + *fsrv->shmem_fuzz_len); + fprintf(stderr, "SHM :"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", fsrv->shmem_fuzz[i]); + fprintf(stderr, "\nORIG:"); + for (int i = 0; i < *fsrv->shmem_fuzz_len; i++) + fprintf(stderr, "%02x", buf[i]); + fprintf(stderr, "\n"); +#endif + + return; + + } else if (afl->fsrv.out_file) { if (afl->no_unlink) { -- cgit v1.2.3 From bfe5b88e782ffd3f97c2a25da60b0b36552a6a64 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 13 Jun 2020 14:28:42 +0200 Subject: code format --- src/afl-fuzz-run.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index cae48ce6..a1e8417f 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -148,7 +148,8 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at, if (tail_len) { - memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8*)mem + skip_at + skip_len, tail_len); + memcpy(afl->fsrv.shmem_fuzz + skip_at, (u8 *)mem + skip_at + skip_len, + tail_len); } -- cgit v1.2.3 From ab142282a32f93725926d59899ab17a62e65f060 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 14 Jun 2020 16:08:58 +0200 Subject: kill targets on exit --- src/afl-forkserver.c | 7 +++++++ src/afl-fuzz.c | 19 +++++++++++++++++++ 2 files changed, 26 insertions(+) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index af06b5ff..1f61871a 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -466,6 +466,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, /* PARENT PROCESS */ + char pid_buf[16]; + sprintf(pid_buf, "%d", fsrv->fsrv_pid); + if (fsrv->cmplog_binary) + setenv("__AFL_TARGET_PID2", pid_buf, 1); + else + setenv("__AFL_TARGET_PID1", pid_buf, 1); + /* Close the unneeded endpoints. */ close(ctl_pipe[0]); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 46862613..b84585bb 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -31,6 +31,23 @@ extern u64 time_spent_working; #endif +static void at_exit() { + + int i; + char *ptr = getenv("__AFL_TARGET_PID1"); + + if (ptr && *ptr && (i = atoi(ptr)) > 0) + kill(i, SIGKILL); + + ptr = getenv("__AFL_TARGET_PID2"); + + if (ptr && *ptr && (i = atoi(ptr)) > 0) + kill(i, SIGKILL); + + // anything else? shared memory? + +} + static u8 *get_libradamsa_path(u8 *own_loc) { u8 *tmp, *cp, *rsl, *own_copy; @@ -1242,6 +1259,8 @@ int main(int argc, char **argv_orig, char **envp) { OKF("Cmplog forkserver successfully started"); } + + atexit(at_exit); perform_dry_run(afl); -- cgit v1.2.3 From 67d87dd2a9dbc393b56162e77ff3178f4e3f59fa Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sun, 14 Jun 2020 15:26:43 +0000 Subject: Porting to Haiku. getrusage does not implement resident memory gathering, no shm api neither. --- src/afl-analyze.c | 2 ++ src/afl-fuzz-stats.c | 8 ++++++++ src/afl-gcc.c | 2 +- src/afl-sharedmem.c | 2 +- src/afl-showmap.c | 2 ++ src/afl-tmin.c | 2 ++ src/third_party/libradamsa/libradamsa.c | 9 ++++++--- 7 files changed, 22 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index f1c141d5..cf5e9b16 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -51,7 +51,9 @@ #include #include +#ifndef USEMMAP #include +#endif #include #include #include diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 5d2e5358..de58f277 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -31,7 +31,9 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, double eps) { +#ifndef __HAIKU__ struct rusage rus; +#endif unsigned long long int cur_time = get_cur_time(); u8 fn[PATH_MAX]; @@ -65,7 +67,9 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, } +#ifndef __HAIKU__ if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; } +#endif fprintf( f, @@ -119,11 +123,15 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->last_path_time / 1000, afl->last_crash_time / 1000, afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, afl->slowest_exec_ms, +#ifndef __HAIKU__ #ifdef __APPLE__ (unsigned long int)(rus.ru_maxrss >> 20), #else (unsigned long int)(rus.ru_maxrss >> 10), #endif +#else + -1UL, +#endif #ifdef HAVE_AFFINITY afl->cpu_aff, #else diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 7eb01c0c..b8ff7e77 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -335,7 +335,7 @@ static void edit_params(u32 argc, char **argv) { } -#ifdef USEMMAP +#if defined(USEMMAP) && !defined(__HAIKU__) cc_params[cc_par_cnt++] = "-lrt"; #endif diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 63013435..f8bbebc8 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -145,7 +145,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1); - if (shm->map == -1 || !shm->map) PFATAL("mmap() failed"); + if (shm->map == (void *)-1 || !shm->map) PFATAL("mmap() failed"); #else u8 *shm_str; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 560c8cf6..70a30ce4 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -56,7 +56,9 @@ #include #include +#ifndef USEMMAP #include +#endif #include #include #include diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 609f61d1..5a28ba79 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -54,7 +54,9 @@ #include #include +#ifndef USEMMAP #include +#endif #include #include #include diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index 4f5515e5..37c986e9 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -2413,9 +2413,12 @@ static word prim_sys(word op, word a, word b, word c) { #endif O_DSYNC, O_EXCL, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK, O_RSYNC, O_SYNC, O_TRUNC, O_TTY_INIT, O_ACCMODE, - FD_CLOEXEC, F_DUPFD, F_DUPFD_CLOEXEC, F_GETFD, F_SETFD, F_GETFL, F_SETFL, F_GETOWN, - F_SETOWN, F_GETLK, F_SETLK, F_SETLKW, F_RDLCK, F_UNLCK, F_WRLCK, CLOCK_MONOTONIC, - CLOCK_PROCESS_CPUTIME_ID, CLOCK_REALTIME, CLOCK_THREAD_CPUTIME_ID + FD_CLOEXEC, F_DUPFD, F_DUPFD_CLOEXEC, F_GETFD, F_SETFD, F_GETFL, F_SETFL, + F_GETLK, F_SETLK, F_SETLKW, F_RDLCK, F_UNLCK, F_WRLCK, CLOCK_MONOTONIC, + CLOCK_PROCESS_CPUTIME_ID, CLOCK_REALTIME, CLOCK_THREAD_CPUTIME_ID, +#if !defined __HAIKU__ + F_GETOWN, F_SETOWN +#endif }; return onum(sysconst[immval(a) % (sizeof sysconst / W)], 0); } case 9: /* return process variables */ -- cgit v1.2.3 From acb0a2f027c7dfcca05596ba316d56532f6dbd19 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 15 Jun 2020 11:07:57 +0200 Subject: fixed potential bugs --- src/afl-fuzz-one.c | 16 ++++++++++------ src/afl-fuzz-redqueen.c | 4 ++-- 2 files changed, 12 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index d4083c07..a247a837 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -3846,12 +3846,13 @@ pacemaker_fuzzing: is redundant, or if its entire span has no bytes set in the effector map. */ + /* AFLpp: in puppet mode, eff_map is 0. */ if ((afl->extras_cnt > MAX_DET_EXTRAS && rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || afl->extras[j].len > len - i || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->extras[j].len))) { + (eff_map && !memchr(eff_map + EFF_APOS(i), 1, + EFF_SPAN_ALEN(i, afl->extras[j].len)))) { afl->stage_max--; continue; @@ -3954,11 +3955,12 @@ pacemaker_fuzzing: /* See the comment in the earlier code; afl->extras are sorted by * size. */ + /* AFLpp: in puppet mode, eff_map is 0. */ if (afl->a_extras[j].len > len - i || !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->a_extras[j].len))) { + (eff_map && !memchr(eff_map + EFF_APOS(i), 1, + EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { afl->stage_max--; continue; @@ -3984,13 +3986,15 @@ pacemaker_fuzzing: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; - skip_extras_v2: - new_hit_cnt = afl->queued_paths + afl->unique_crashes; + // AFLpp: Never read: skip_extras_v2: + // new_hit_cnt = afl->queued_paths + afl->unique_crashes; } } +skip_extras_v2: + afl->stage_cur_byte = -1; /* The havoc stage mutation code is also invoked when splicing files; if the diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 7251550c..43850eb5 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -180,7 +180,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum) { while (ranges) { rng = ranges; - ranges = ranges->next; + ranges = rng->next; ck_free(rng); rng = NULL; @@ -224,7 +224,7 @@ checksum_fail: while (ranges) { rng = ranges; - ranges = ranges->next; + ranges = rng->next; ck_free(rng); rng = NULL; -- cgit v1.2.3 From dc002b4b3544d79d846723b445549400935aca64 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 15 Jun 2020 11:08:24 +0200 Subject: code format --- src/afl-analyze.c | 2 +- src/afl-fuzz-one.c | 6 +++--- src/afl-fuzz-stats.c | 6 +++--- src/afl-fuzz.c | 10 ++++------ src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 6 files changed, 13 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index cf5e9b16..f9ba8860 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -52,7 +52,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index a247a837..fc5760cc 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -3852,7 +3852,7 @@ pacemaker_fuzzing: afl->extras[j].len > len - i || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || (eff_map && !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->extras[j].len)))) { + EFF_SPAN_ALEN(i, afl->extras[j].len)))) { afl->stage_max--; continue; @@ -3960,7 +3960,7 @@ pacemaker_fuzzing: !memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) || (eff_map && !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { + EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { afl->stage_max--; continue; @@ -3986,7 +3986,7 @@ pacemaker_fuzzing: afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; - // AFLpp: Never read: skip_extras_v2: + // AFLpp: Never read: skip_extras_v2: // new_hit_cnt = afl->queued_paths + afl->unique_crashes; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index de58f277..28473c0c 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -124,11 +124,11 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, afl->slowest_exec_ms, #ifndef __HAIKU__ -#ifdef __APPLE__ + #ifdef __APPLE__ (unsigned long int)(rus.ru_maxrss >> 20), -#else + #else (unsigned long int)(rus.ru_maxrss >> 10), -#endif + #endif #else -1UL, #endif diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b84585bb..cefcd73f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -33,16 +33,14 @@ extern u64 time_spent_working; static void at_exit() { - int i; + int i; char *ptr = getenv("__AFL_TARGET_PID1"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) - kill(i, SIGKILL); + if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); ptr = getenv("__AFL_TARGET_PID2"); - if (ptr && *ptr && (i = atoi(ptr)) > 0) - kill(i, SIGKILL); + if (ptr && *ptr && (i = atoi(ptr)) > 0) kill(i, SIGKILL); // anything else? shared memory? @@ -1259,7 +1257,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("Cmplog forkserver successfully started"); } - + atexit(at_exit); perform_dry_run(afl); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 70a30ce4..7b46cd2b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -57,7 +57,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 5a28ba79..9df5112b 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -55,7 +55,7 @@ #include #include #ifndef USEMMAP -#include + #include #endif #include #include -- cgit v1.2.3 From ada59feda852a13207818f8202dabe517b721b35 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 15 Jun 2020 20:02:28 +0200 Subject: improve performance for default power schedule --- src/afl-fuzz-bitmap.c | 30 +++++++++++++++++++++--------- src/afl-fuzz-one.c | 10 ++++------ src/afl-fuzz-queue.c | 26 +++++++++++++++++++------- 3 files changed, 44 insertions(+), 22 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 6075a87e..a6d0c994 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -542,23 +542,31 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 hnb = '\0'; s32 fd; u8 keeping = 0, res; + u64 cksum = 0; u8 fn[PATH_MAX]; /* Update path frequency. */ - u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); - struct queue_entry *q = afl->queue; - while (q) { + /* Generating a hash on every input is super expensive. Bad idea and should + only be used for special schedules */ + if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) { - if (q->exec_cksum == cksum) { + cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); - q->n_fuzz = q->n_fuzz + 1; - break; + struct queue_entry *q = afl->queue; + while (q) { - } + if (q->exec_cksum == cksum) { - q = q->next; + q->n_fuzz = q->n_fuzz + 1; + break; + + } + + q = q->next; + + } } @@ -595,7 +603,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - afl->queue_top->exec_cksum = cksum; + if (cksum) + afl->queue_top->exec_cksum = cksum; + else + afl->queue_top->exec_cksum = + hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); /* Try to calibrate inline; this also calls update_bitmap_score() when successful. */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index fc5760cc..1147c878 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -566,12 +566,10 @@ u8 fuzz_one_original(afl_state_t *afl) { if it has gone through deterministic testing in earlier, resumed runs (passed_det). */ - if (afl->skip_deterministic || - ((!afl->queue_cur->passed_det) && - perf_score < (afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100 - ? afl->queue_cur->depth * 30 - : afl->havoc_max_mult * 100)) || - afl->queue_cur->passed_det) { + if (likely(afl->queue_cur->passed_det) || likely(afl->skip_deterministic) + || likely(perf_score < + (afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100 ? + afl->queue_cur->depth * 30 : afl->havoc_max_mult * 100))) { goto custom_mutator_stage; diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index ea7f57e2..0e8c8e47 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -194,9 +194,14 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u32 i; u64 fav_factor; - u64 fuzz_p2 = next_pow2(q->n_fuzz); + u64 fuzz_p2; - if (afl->schedule == MMOPT || afl->schedule == RARE || + if (unlikely(afl->schedule >= FAST)) + fuzz_p2 = next_pow2(q->n_fuzz); + else + fuzz_p2 = q->fuzz_level; + + if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) || unlikely(afl->fixed_seed)) { fav_factor = q->len << 2; @@ -217,9 +222,13 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { /* Faster-executing or smaller test cases are favored. */ u64 top_rated_fav_factor; - u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz); + u64 top_rated_fuzz_p2; + if (unlikely(afl->schedule >= FAST)) + top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz); + else + top_rated_fuzz_p2 = afl->top_rated[i]->fuzz_level; - if (afl->schedule == MMOPT || afl->schedule == RARE || + if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) || unlikely(afl->fixed_seed)) { top_rated_fav_factor = afl->top_rated[i]->len << 2; @@ -241,7 +250,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { } - if (afl->schedule == MMOPT || afl->schedule == RARE || + if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) || unlikely(afl->fixed_seed)) { if (fav_factor > afl->top_rated[i]->len << 2) { continue; } @@ -593,9 +602,12 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { } - if (factor > MAX_FACTOR) { factor = MAX_FACTOR; } + if (unlikely(afl->schedule >= FAST)) { + + if (factor > MAX_FACTOR) { factor = MAX_FACTOR; } + perf_score *= factor / POWER_BETA; - perf_score *= factor / POWER_BETA; + } // MOpt mode if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3) { -- cgit v1.2.3 From f6d2da27e3a23436b3d13d8c9abf702edbffffb4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 15 Jun 2020 21:07:35 +0200 Subject: switched to new MOpt dictionary support --- src/afl-fuzz-one.c | 341 ++++++++++++++++++----------------------------------- 1 file changed, 115 insertions(+), 226 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 1147c878..e42a323d 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -29,10 +29,14 @@ static int select_algorithm(afl_state_t *afl) { - int i_puppet, j_puppet; + int i_puppet, j_puppet = 0, operator_number = operator_num; + + if (!afl->extras_cnt && !afl->a_extras_cnt) operator_number -= 2; + + double range_sele = + (double)afl->probability_now[afl->swarm_now][operator_number - 1]; + double sele = ((double)(rand_below(afl, 10000) * 0.0001 * range_sele)); - double sele = ((double)(rand_below(afl, 10000)) * 0.0001); - j_puppet = 0; for (i_puppet = 0; i_puppet < operator_num; ++i_puppet) { if (unlikely(i_puppet == 0)) { @@ -52,8 +56,10 @@ static int select_algorithm(afl_state_t *afl) { } - if (j_puppet == 1 && - sele < afl->probability_now[afl->swarm_now][i_puppet - 1]) { + if ((j_puppet == 1 && + sele < afl->probability_now[afl->swarm_now][i_puppet - 1]) || + (i_puppet + 1 < operator_num && + sele > afl->probability_now[afl->swarm_now][i_puppet + 1])) { FATAL("error select_algorithm"); @@ -566,10 +572,11 @@ u8 fuzz_one_original(afl_state_t *afl) { if it has gone through deterministic testing in earlier, resumed runs (passed_det). */ - if (likely(afl->queue_cur->passed_det) || likely(afl->skip_deterministic) - || likely(perf_score < - (afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100 ? - afl->queue_cur->depth * 30 : afl->havoc_max_mult * 100))) { + if (likely(afl->queue_cur->passed_det) || likely(afl->skip_deterministic) || + likely(perf_score < + (afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100 + ? afl->queue_cur->depth * 30 + : afl->havoc_max_mult * 100))) { goto custom_mutator_stage; @@ -2228,7 +2235,7 @@ havoc_stage: case 16: { u32 use_extra, extra_len, insert_at = rand_below(afl, temp_len + 1); - u8 *new_buf; + u8 *ptr; /* Insert an extra. Do the same dice-rolling stuff as for the previous case. */ @@ -2237,44 +2244,27 @@ havoc_stage: use_extra = rand_below(afl, afl->a_extras_cnt); extra_len = afl->a_extras[use_extra].len; - - if (temp_len + extra_len >= MAX_FILE) { break; } - - new_buf = - ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + extra_len); - - /* Head */ - memcpy(new_buf, out_buf, insert_at); - - /* Inserted part */ - memcpy(new_buf + insert_at, afl->a_extras[use_extra].data, - extra_len); + ptr = afl->a_extras[use_extra].data; } else { use_extra = rand_below(afl, afl->extras_cnt); extra_len = afl->extras[use_extra].len; + ptr = afl->extras[use_extra].data; - if (temp_len + extra_len >= MAX_FILE) { break; } + } - new_buf = - ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + extra_len); + if (temp_len + extra_len >= MAX_FILE) { break; } - /* Head */ - memcpy(new_buf, out_buf, insert_at); - - /* Inserted part */ - memcpy(new_buf + insert_at, afl->extras[use_extra].data, extra_len); - - } + out_buf = ck_maybe_grow(BUF_PARAMS(out), temp_len + extra_len); /* Tail */ - memcpy(new_buf + insert_at + extra_len, out_buf + insert_at, - temp_len - insert_at); + memmove(out_buf + insert_at + extra_len, out_buf + insert_at, + temp_len - insert_at); + + /* Inserted part */ + memcpy(out_buf + insert_at, ptr, extra_len); - swap_bufs(BUF_PARAMS(out), BUF_PARAMS(out_scratch)); - out_buf = new_buf; - new_buf = NULL; temp_len += extra_len; break; @@ -3804,195 +3794,6 @@ skip_extras: havoc_stage: pacemaker_fuzzing: - if (afl->key_puppet == 1) { - - double select_bool = ((double)(random() % 10000) * 0.0001); - if (select_bool < 0.001) { - - /******************** - * DICTIONARY STUFF * - ********************/ - - if (!afl->extras_cnt) goto skip_puppet_extras; - - /* Overwrite with user-supplied extras. */ - - afl->stage_name = "user extras (over)"; - afl->stage_short = "ext_UO"; - afl->stage_cur = 0; - afl->stage_max = afl->extras_cnt * len; - - afl->stage_val_type = STAGE_VAL_NONE; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len; i++) { - - u32 last_len = 0; - - afl->stage_cur_byte = i; - - /* Extras are sorted by size, from smallest to largest. This means - that we don't have to worry about restoring the buffer in - between writes at a particular offset determined by the outer - loop. */ - - for (j = 0; j < afl->extras_cnt; j++) { - - /* Skip extras probabilistically if extras_cnt > MAX_DET_EXTRAS. Also - skip them if there's no room to insert the payload, if the token - is redundant, or if its entire span has no bytes set in the - effector map. */ - - /* AFLpp: in puppet mode, eff_map is 0. */ - if ((afl->extras_cnt > MAX_DET_EXTRAS && - rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || - afl->extras[j].len > len - i || - !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || - (eff_map && !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->extras[j].len)))) { - - afl->stage_max--; - continue; - - } - - last_len = afl->extras[j].len; - memcpy(out_buf + i, afl->extras[j].data, last_len); - - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; - - afl->stage_cur++; - - } - - /* Restore all the clobbered memory. */ - memcpy(out_buf + i, in_buf + i, last_len); - - } - - new_hit_cnt = afl->queued_paths + afl->unique_crashes; - - afl->stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; - afl->stage_cycles[STAGE_EXTRAS_UO] += afl->stage_max; - - /* Insertion of user-supplied extras. */ - - afl->stage_name = "user extras (insert)"; - afl->stage_short = "ext_UI"; - afl->stage_cur = 0; - afl->stage_max = afl->extras_cnt * len; - - orig_hit_cnt = new_hit_cnt; - - ex_tmp = ck_alloc(len + MAX_DICT_FILE); - - for (i = 0; i <= len; i++) { - - afl->stage_cur_byte = i; - - for (j = 0; j < afl->extras_cnt; j++) { - - if (len + afl->extras[j].len > MAX_FILE) { - - afl->stage_max--; - continue; - - } - - /* Insert token */ - memcpy(ex_tmp + i, afl->extras[j].data, afl->extras[j].len); - - /* Copy tail */ - memcpy(ex_tmp + i + afl->extras[j].len, out_buf + i, len - i); - - if (common_fuzz_stuff(afl, ex_tmp, len + afl->extras[j].len)) { - - ck_free(ex_tmp); - goto abandon_entry; - - } - - afl->stage_cur++; - - } - - /* Copy head */ - ex_tmp[i] = out_buf[i]; - - } - - ck_free(ex_tmp); - - new_hit_cnt = afl->queued_paths + afl->unique_crashes; - - afl->stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; - afl->stage_cycles[STAGE_EXTRAS_UI] += afl->stage_max; - - skip_puppet_extras: - - if (!afl->a_extras_cnt) goto skip_extras_v2; - - afl->stage_name = "auto afl->extras (over)"; - afl->stage_short = "ext_AO"; - afl->stage_cur = 0; - afl->stage_max = MIN(afl->a_extras_cnt, USE_AUTO_EXTRAS) * len; - - afl->stage_val_type = STAGE_VAL_NONE; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len; i++) { - - u32 last_len = 0; - - afl->stage_cur_byte = i; - - for (j = 0; j < MIN(afl->a_extras_cnt, USE_AUTO_EXTRAS); j++) { - - /* See the comment in the earlier code; afl->extras are sorted by - * size. */ - - /* AFLpp: in puppet mode, eff_map is 0. */ - if (afl->a_extras[j].len > len - i || - !memcmp(afl->a_extras[j].data, out_buf + i, - afl->a_extras[j].len) || - (eff_map && !memchr(eff_map + EFF_APOS(i), 1, - EFF_SPAN_ALEN(i, afl->a_extras[j].len)))) { - - afl->stage_max--; - continue; - - } - - last_len = afl->a_extras[j].len; - memcpy(out_buf + i, afl->a_extras[j].data, last_len); - - if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; - - afl->stage_cur++; - - } - - /* Restore all the clobbered memory. */ - memcpy(out_buf + i, in_buf + i, last_len); - - } - - new_hit_cnt = afl->queued_paths + afl->unique_crashes; - - afl->stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; - afl->stage_cycles[STAGE_EXTRAS_AO] += afl->stage_max; - - // AFLpp: Never read: skip_extras_v2: - // new_hit_cnt = afl->queued_paths + afl->unique_crashes; - - } - - } - -skip_extras_v2: - afl->stage_cur_byte = -1; /* The havoc stage mutation code is also invoked when splicing files; if the @@ -4395,6 +4196,94 @@ skip_extras_v2: } /* case 15 */ + /* Values 16 and 17 can be selected only if there are any extras + present in the dictionaries. */ + + case 16: { + + /* Overwrite bytes with an extra. */ + + if (!afl->extras_cnt || + (afl->a_extras_cnt && rand_below(afl, 2))) { + + /* No user-specified extras or odds in our favor. Let's use an + auto-detected one. */ + + u32 use_extra = rand_below(afl, afl->a_extras_cnt); + u32 extra_len = afl->a_extras[use_extra].len; + + if (extra_len > temp_len) break; + + u32 insert_at = rand_below(afl, temp_len - extra_len + 1); + memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, + extra_len); + + } else { + + /* No auto extras or odds in our favor. Use the dictionary. */ + + u32 use_extra = rand_below(afl, afl->extras_cnt); + u32 extra_len = afl->extras[use_extra].len; + + if (extra_len > temp_len) break; + + u32 insert_at = rand_below(afl, temp_len - extra_len + 1); + memcpy(out_buf + insert_at, afl->extras[use_extra].data, + extra_len); + + } + + afl->stage_cycles_puppet_v2[afl->swarm_now] + [STAGE_OverWriteExtra] += 1; + + break; + + } + + /* Insert an extra. */ + + case 17: { + + u32 use_extra, extra_len, + insert_at = rand_below(afl, temp_len + 1); + u8 *ptr; + + /* Insert an extra. Do the same dice-rolling stuff as for the + previous case. */ + + if (!afl->extras_cnt || + (afl->a_extras_cnt && rand_below(afl, 2))) { + + use_extra = rand_below(afl, afl->a_extras_cnt); + extra_len = afl->a_extras[use_extra].len; + ptr = afl->a_extras[use_extra].data; + + } else { + + use_extra = rand_below(afl, afl->extras_cnt); + extra_len = afl->extras[use_extra].len; + ptr = afl->extras[use_extra].data; + + } + + if (temp_len + extra_len >= MAX_FILE) break; + + out_buf = ck_maybe_grow(BUF_PARAMS(out), temp_len + extra_len); + + /* Tail */ + memmove(out_buf + insert_at + extra_len, out_buf + insert_at, + temp_len - insert_at); + + /* Inserted part */ + memcpy(out_buf + insert_at, ptr, extra_len); + + temp_len += extra_len; + afl->stage_cycles_puppet_v2[afl->swarm_now][STAGE_InsertExtra] += + 1; + break; + + } + } /* switch select_algorithm() */ } /* for i=0; i < use_stacking */ -- cgit v1.2.3 From 246444dd5765ee467b6fc090dc078cac3ce2074a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 15 Jun 2020 21:40:30 +0200 Subject: tidied hash32, unicorn --- src/afl-performance.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-performance.c b/src/afl-performance.c index 28564eb8..9c842312 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -130,13 +130,13 @@ void long_jump(afl_state_t *afl) { /* we switch from afl's murmur implementation to xxh3 as it is 30% faster - and get 64 bit hashes instead of just 32 bit. Less collisions! :-) */ -u32 hash32(const void *key, u32 len, u32 seed) { +u32 inline hash32(const void *key, u32 len, u32 seed) { - return XXH64(key, len, seed) % 0x100000000; + return XXH32(key, len, seed); } -u64 hash64(const void *key, u32 len, u64 seed) { +u64 inline hash64(const void *key, u32 len, u64 seed) { return XXH64(key, len, seed); -- cgit v1.2.3 From 6804065a8d4864755af866c5c800dde0b4445155 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 15 Jun 2020 22:03:01 +0200 Subject: using XX64 for 32 bit hash --- src/afl-performance.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-performance.c b/src/afl-performance.c index 9c842312..437df963 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -132,7 +132,7 @@ void long_jump(afl_state_t *afl) { u32 inline hash32(const void *key, u32 len, u32 seed) { - return XXH32(key, len, seed); + return (u32) XXH64(key, len, seed); } -- cgit v1.2.3 From 9c293b5b7b941d8046e77989f100d084a516d029 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 15 Jun 2020 22:05:37 +0200 Subject: code format --- src/afl-performance.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-performance.c b/src/afl-performance.c index 437df963..8efefcd8 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -132,7 +132,7 @@ void long_jump(afl_state_t *afl) { u32 inline hash32(const void *key, u32 len, u32 seed) { - return (u32) XXH64(key, len, seed); + return (u32)XXH64(key, len, seed); } -- cgit v1.2.3 From bac2da866912d69eb89207757375f0753be2cae2 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Tue, 16 Jun 2020 01:29:07 +0200 Subject: fix for *BSD: remove all HAVE_ARC4RANDOM dependencies --- src/afl-forkserver.c | 8 ++------ src/afl-fuzz-init.c | 2 -- src/afl-fuzz-state.c | 2 -- 3 files changed, 2 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 1f61871a..b2734335 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -71,9 +71,8 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->out_fd = -1; fsrv->out_dir_fd = -1; fsrv->dev_null_fd = -1; -#ifndef HAVE_ARC4RANDOM fsrv->dev_urandom_fd = -1; -#endif + /* Settings */ fsrv->use_stdin = 1; fsrv->no_unlink = 0; @@ -104,9 +103,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->map_size = from->map_size; fsrv_to->support_shmem_fuzz = from->support_shmem_fuzz; -#ifndef HAVE_ARC4RANDOM fsrv_to->dev_urandom_fd = from->dev_urandom_fd; -#endif // These are forkserver specific. fsrv_to->out_dir_fd = -1; @@ -421,9 +418,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, close(fsrv->out_dir_fd); close(fsrv->dev_null_fd); -#ifndef HAVE_ARC4RANDOM close(fsrv->dev_urandom_fd); -#endif + if (fsrv->plot_file != NULL) { fclose(fsrv->plot_file); } /* This should improve performance a bit, since it stops the linker from diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 1245d94b..ee96c73c 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1541,10 +1541,8 @@ void setup_dirs_fds(afl_state_t *afl) { afl->fsrv.dev_null_fd = open("/dev/null", O_RDWR); if (afl->fsrv.dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } -#ifndef HAVE_ARC4RANDOM afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY); if (afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); } -#endif /* Gnuplot output file. */ diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 99863103..f1474f33 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -124,9 +124,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->stats_update_freq = 1; -#ifndef HAVE_ARC4RANDOM afl->fsrv.dev_urandom_fd = -1; -#endif afl->fsrv.dev_null_fd = -1; afl->fsrv.child_pid = -1; -- cgit v1.2.3 From 61107c59cf234a8c78d68534a7bd2c39a22700b4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 17 Jun 2020 16:46:30 +0200 Subject: fix displayed schedule --- src/afl-fuzz-state.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index f1474f33..814c2ca2 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -32,7 +32,7 @@ s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32}; char *power_names[POWER_SCHEDULES_NUM] = { - "explore", "fast", "coe", "lin", "quad", "exploit", "mmopt", "rare"}; + "explore", "exploit", "fast", "coe", "lin", "quad", "rare", "mmopt"}; /* Initialize MOpt "globals" for this afl state */ -- cgit v1.2.3 From 003456f770932b6d737bf323723962d643ca39e9 Mon Sep 17 00:00:00 2001 From: 2019 <434791602@qq.com> Date: Thu, 18 Jun 2020 11:23:10 +0800 Subject: `fault == afl->crash_mode` should be likely Since during normal fuzzing, crash_mode is FSRV_RUN_OK, and fault is also usually FSRV_RUN_OK since most executions are valid executions, thus it should be likely instead of unlikely --- src/afl-fuzz-bitmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index a6d0c994..f643b5c0 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -570,7 +570,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } - if (unlikely(fault == afl->crash_mode)) { + if (likely(fault == afl->crash_mode)) { /* Keep only if there are new bits in the map, add to queue for future fuzzing, etc. */ -- cgit v1.2.3 From b3b016a4a3f15ea22eccd06b47dbf9749b6f08ec Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Sat, 20 Jun 2020 22:39:12 +0200 Subject: fix libradamsa see issue #419 --- src/third_party/libradamsa/libradamsa.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index 37c986e9..cc7c5e0b 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -2414,11 +2414,11 @@ static word prim_sys(word op, word a, word b, word c) { O_DSYNC, O_EXCL, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK, O_RSYNC, O_SYNC, O_TRUNC, O_TTY_INIT, O_ACCMODE, FD_CLOEXEC, F_DUPFD, F_DUPFD_CLOEXEC, F_GETFD, F_SETFD, F_GETFL, F_SETFL, - F_GETLK, F_SETLK, F_SETLKW, F_RDLCK, F_UNLCK, F_WRLCK, CLOCK_MONOTONIC, - CLOCK_PROCESS_CPUTIME_ID, CLOCK_REALTIME, CLOCK_THREAD_CPUTIME_ID, #if !defined __HAIKU__ - F_GETOWN, F_SETOWN + F_GETOWN, F_SETOWN, #endif + F_GETLK, F_SETLK, F_SETLKW, F_RDLCK, F_UNLCK, F_WRLCK, CLOCK_MONOTONIC, + CLOCK_PROCESS_CPUTIME_ID, CLOCK_REALTIME, CLOCK_THREAD_CPUTIME_ID }; return onum(sysconst[immval(a) % (sizeof sysconst / W)], 0); } case 9: /* return process variables */ -- cgit v1.2.3 From b0866f59ccbcd90c2c3e0ecbb5ba2d9badc60319 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 21 Jun 2020 14:08:41 +0200 Subject: fix for -s 0 --- src/afl-fuzz.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index cefcd73f..c3b2da29 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -823,8 +823,7 @@ int main(int argc, char **argv_orig, char **envp) { WARNF( "Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options " - "will " - "result in no deterministic mutations being done!"); + "will result in no deterministic mutations being done!"); } @@ -836,10 +835,11 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->init_seed) { - afl->rand_seed[0] = afl->init_seed; - afl->rand_seed[1] = afl->init_seed ^ 0x1234567890abcdef; - afl->rand_seed[2] = afl->init_seed & 0x0123456789abcdef; - afl->rand_seed[3] = afl->init_seed | 0x01abcde43f567908; + afl->rand_seed[0] = + hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST); + afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; + afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; + afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; } -- cgit v1.2.3 From eb3cb4bbf89e367e35e33e627e767e1b490bf861 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 21 Jun 2020 16:21:59 +0200 Subject: fix for s=0 --- src/afl-fuzz.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index c3b2da29..bfd7cb33 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -833,18 +833,10 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->init_seed) { - - afl->rand_seed[0] = - hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST); - afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; - afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; - afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; - - } - - // srandom((u32)afl->init_seed); - // srand((u32)afl->init_seed); // in case it is a different implementation + afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST); + afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; + afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; + afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; if (afl->use_radamsa) { -- cgit v1.2.3 From 5cad92e57ecda270753cf70311a7ac1ff6fdcc9e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sun, 21 Jun 2020 18:07:30 +0200 Subject: fix unicorn mode for CFLAGS --- src/afl-fuzz-run.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index a1e8417f..a355ae0f 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -413,7 +413,7 @@ void sync_fuzzers(afl_state_t *afl) { DIR * sd; struct dirent *sd_ent; u32 sync_cnt = 0, synced = 0, entries = 0; - u8 path[PATH_MAX]; + u8 path[PATH_MAX + 256]; sd = opendir(afl->sync_dir); if (!sd) { PFATAL("Unable to open '%s'", afl->sync_dir); } @@ -533,7 +533,7 @@ void sync_fuzzers(afl_state_t *afl) { s32 fd; struct stat st; - sprintf(path, "%s/%s", qd_path, namelist[o]->d_name); + snprintf(path, sizeof (path), "%s/%s", qd_path, namelist[o]->d_name); afl->syncing_case = next_min_accept; next_min_accept++; o--; -- cgit v1.2.3 From a49b5ef072011cc840c37653d6f6469dc3671968 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 22 Jun 2020 07:16:24 +0200 Subject: allow /tmp --- src/afl-fuzz-init.c | 15 +++++++++------ src/afl-fuzz-run.c | 2 +- 2 files changed, 10 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index ee96c73c..a2e849dc 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2128,14 +2128,17 @@ void check_binary(afl_state_t *afl, u8 *fname) { /* Check for blatant user errors. */ - if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) && - !strchr(afl->fsrv.target_path + 5, '/')) || - (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) && - !strchr(afl->fsrv.target_path + 9, '/'))) { + /* disabled. not a real-worl scenario where this is a problem. + if ((!strncmp(afl->fsrv.target_path, "/tmp/", 5) && + !strchr(afl->fsrv.target_path + 5, '/')) || + (!strncmp(afl->fsrv.target_path, "/var/tmp/", 9) && + !strchr(afl->fsrv.target_path + 9, '/'))) { - FATAL("Please don't keep binaries in /tmp or /var/tmp"); + FATAL("Please don't keep binaries in /tmp or /var/tmp"); - } + } + + */ fd = open(afl->fsrv.target_path, O_RDONLY); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index a355ae0f..eb562c60 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -533,7 +533,7 @@ void sync_fuzzers(afl_state_t *afl) { s32 fd; struct stat st; - snprintf(path, sizeof (path), "%s/%s", qd_path, namelist[o]->d_name); + snprintf(path, sizeof(path), "%s/%s", qd_path, namelist[o]->d_name); afl->syncing_case = next_min_accept; next_min_accept++; o--; -- cgit v1.2.3 From 87f127722c5dd9d503c9b9acab9aceb0fd573da5 Mon Sep 17 00:00:00 2001 From: aflpp Date: Mon, 22 Jun 2020 08:28:41 +0200 Subject: fix afl-cmin.bash --- src/afl-showmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 7b46cd2b..6a26a949 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -559,7 +559,7 @@ static void usage(u8 *argv0) { "size\n" " the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" - "AFL_QUIET: do not print extra informational output", + "AFL_QUIET: do not print extra informational output\n", argv0, MEM_LIMIT, doc_path); exit(1); -- cgit v1.2.3 From 37edfe2de9387d460dbb8e945e22122fd9ab8e1c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 22 Jun 2020 19:56:34 +0200 Subject: shmem support for afl-tmin and afl-showmap --- src/afl-showmap.c | 42 ++++++++++++++++++++++++++++++++++++++++++ src/afl-tmin.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 6a26a949..f1926b05 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -566,6 +566,17 @@ static void usage(u8 *argv0) { } +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -775,6 +786,17 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); + if (getenv("AFL_DEBUG")) { + + SAYF(cMGN "[D]" cRST); + for (int i = 0; i < argc; i++) + SAYF(" %s", argv[i]); + SAYF("\n"); + + } + + // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } + sharedmem_t shm = {0}; fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); setup_signal_handlers(); @@ -829,6 +851,20 @@ int main(int argc, char **argv_orig, char **envp) { } + sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } +#ifdef USEMMAP + setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); +#else + u8 *shm_str = alloc_printf("%d", shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); +#endif + fsrv->support_shmem_fuzz = 1; + fsrv->shmem_fuzz_len = (u32 *)map; + fsrv->shmem_fuzz = map + sizeof(u32); + if (in_dir) { DIR * dir_in, *dir_out; @@ -897,6 +933,9 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); + if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) + shm_fuzz = deinit_shmem(fsrv, shm_fuzz); + while (done == 0 && (dir_ent = readdir(dir_in))) { if (dir_ent->d_name[0] == '.') { @@ -966,7 +1005,10 @@ int main(int argc, char **argv_orig, char **envp) { if (fsrv->target_path) { ck_free(fsrv->target_path); } + if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); + afl_fsrv_deinit(fsrv); + if (stdin_file) { ck_free(stdin_file); } argv_cpy_free(argv); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 9df5112b..8b028327 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -802,6 +802,17 @@ static void usage(u8 *argv0) { } +static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, + sharedmem_t * shm_fuzz) { + + afl_shm_deinit(shm_fuzz); + fsrv->support_shmem_fuzz = 0; + fsrv->shmem_fuzz = NULL; + ck_free(shm_fuzz); + return NULL; + +} + /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -1052,11 +1063,28 @@ int main(int argc, char **argv_orig, char **envp) { SAYF("\n"); + sharedmem_t *shm_fuzz = ck_alloc(sizeof(sharedmem_t)); + u8 * map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1); + if (!map) { FATAL("BUG: Zero return from afl_shm_init."); } +#ifdef USEMMAP + setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); +#else + u8 *shm_str = alloc_printf("%d", shm_fuzz->shm_id); + setenv(SHM_FUZZ_ENV_VAR, shm_str, 1); + ck_free(shm_str); +#endif + fsrv->support_shmem_fuzz = 1; + fsrv->shmem_fuzz_len = (u32 *)map; + fsrv->shmem_fuzz = map + sizeof(u32); + read_initial_file(); afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); + if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) + shm_fuzz = deinit_shmem(fsrv, shm_fuzz); + ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); @@ -1111,6 +1139,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("We're done here. Have a nice day!\n"); afl_shm_deinit(&shm); + if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); afl_fsrv_deinit(fsrv); if (fsrv->target_path) { ck_free(fsrv->target_path); } if (mask_bitmap) { ck_free(mask_bitmap); } -- cgit v1.2.3 From ea1222b33fb5e97165f649168b812d83ed1ed8c4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 22 Jun 2020 21:40:02 +0200 Subject: old compiler fix --- src/afl-showmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index f1926b05..de25e427 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -789,7 +789,7 @@ int main(int argc, char **argv_orig, char **envp) { if (getenv("AFL_DEBUG")) { SAYF(cMGN "[D]" cRST); - for (int i = 0; i < argc; i++) + for (i = 0; i < argc; i++) SAYF(" %s", argv[i]); SAYF("\n"); -- cgit v1.2.3 From 7119bf5d860657dab7afb60fab8b7ad5dc0ef222 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 22 Jun 2020 21:58:16 +0200 Subject: Added rand, hash unittests --- src/afl-fuzz-one.c | 2 +- src/afl-fuzz.c | 9 ++------- src/afl-performance.c | 10 ++++++++++ 3 files changed, 13 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index e42a323d..60db9777 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -2458,7 +2458,7 @@ radamsa_stage: for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { u32 new_len = afl->radamsa_mutate_ptr(save_buf, len, new_buf, max_len, - get_rand_seed(afl)); + rand_get_seed(afl)); if (new_len) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index bfd7cb33..c8083f71 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -289,7 +289,7 @@ int main(int argc, char **argv_orig, char **envp) { doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH; gettimeofday(&tv, &tz); - afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid()); while ((opt = getopt(argc, argv, "+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > @@ -311,7 +311,7 @@ int main(int argc, char **argv_orig, char **envp) { case 's': { - afl->init_seed = strtoul(optarg, 0L, 10); + rand_set_seed(afl, strtoul(optarg, 0L, 10)); afl->fixed_seed = 1; break; @@ -833,11 +833,6 @@ int main(int argc, char **argv_orig, char **envp) { } - afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(u32), HASH_CONST); - afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; - afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; - afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; - if (afl->use_radamsa) { if (afl->limit_time_sig > 0) { diff --git a/src/afl-performance.c b/src/afl-performance.c index 8efefcd8..757bbe1e 100644 --- a/src/afl-performance.c +++ b/src/afl-performance.c @@ -33,6 +33,16 @@ static inline uint64_t rotl(const uint64_t x, int k) { } +void rand_set_seed(afl_state_t *afl, s64 init_seed) { + + afl->init_seed = init_seed; + afl->rand_seed[0] = hash64((void *)&afl->init_seed, sizeof(afl->init_seed), HASH_CONST); + afl->rand_seed[1] = afl->rand_seed[0] ^ 0x1234567890abcdef; + afl->rand_seed[2] = afl->rand_seed[0] & 0x0123456789abcdef; + afl->rand_seed[3] = afl->rand_seed[0] | 0x01abcde43f567908; + +} + uint64_t rand_next(afl_state_t *afl) { const uint64_t result = -- cgit v1.2.3