From b485b7a25262fa9151c5b6792ba3508f6474769e Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 9 Apr 2020 11:49:40 +0200 Subject: fix compilers for empty AFL_CC/AFL_CXX env --- src/afl-gcc.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-gcc.c b/src/afl-gcc.c index b0153b49..32cd36cb 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -142,12 +142,12 @@ static void edit_params(u32 argc, char **argv) { if (!strcmp(name, "afl-clang++")) { u8 *alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8 *)"clang++"; + cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)"clang++"; } else { u8 *alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8 *)"clang"; + cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"clang"; } @@ -187,17 +187,17 @@ static void edit_params(u32 argc, char **argv) { if (!strcmp(name, "afl-g++")) { u8 *alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8 *)"g++"; + cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)"g++"; } else if (!strcmp(name, "afl-gcj")) { u8 *alt_cc = getenv("AFL_GCJ"); - cc_params[0] = alt_cc ? alt_cc : (u8 *)"gcj"; + cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"gcj"; } else { u8 *alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8 *)"gcc"; + cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)"gcc"; } -- cgit 1.4.1 From 66f535ad616f740c477fc74b6c47c7e0027e3cae Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 9 Apr 2020 13:17:56 +0200 Subject: check for empty AFL env vars --- src/afl-common.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 73b3fa8a..7eee5265 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -353,7 +353,7 @@ void check_environment_vars(char **envp) { if (be_quiet) return; int index = 0, found = 0; - char *env; + char *env, *val; while ((env = envp[index++]) != NULL) { if (strncmp(env, "ALF_", 4) == 0) { @@ -367,10 +367,21 @@ void check_environment_vars(char **envp) { while (match == 0 && afl_environment_variables[i] != NULL) if (strncmp(env, afl_environment_variables[i], strlen(afl_environment_variables[i])) == 0 && - env[strlen(afl_environment_variables[i])] == '=') + env[strlen(afl_environment_variables[i])] == '=') { + match = 1; - else + if ((val = getenv(afl_environment_variables[i])) && !*val) + WARNF( + "AFL environment variable %s defined but is empty, this can " + "lead to unexpected consequences", + afl_environment_variables[i]); + + } else { + i++; + + } + if (match == 0) { WARNF("Mistyped AFL environment variable: %s", env); -- cgit 1.4.1 From fbf5e08425abcb0db2866067c4ede8134b8f9e98 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 9 Apr 2020 18:11:39 +0000 Subject: merge PR#306 from neoni (thanks), silence test when bash is not found --- src/afl-fuzz-init.c | 13 +++++++++++-- test/test.sh | 2 +- 2 files changed, 12 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index efdde463..ce30e599 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -134,8 +134,17 @@ void bind_to_free_cpu(afl_state_t *afl) { for (i = 0; i < proccount; i++) { #if defined(__FreeBSD__) - if (procs[i].ki_oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) - cpu_used[procs[i].ki_oncpu] = 1; + if (!strcmp(procs[i].ki_comm, "idle")) + continue; + + // fix when ki_oncpu = -1 + int oncpu; + oncpu = procs[i].ki_oncpu; + if (oncpu == -1) + oncpu = procs[i].ki_lastcpu; + + if (oncpu != -1 && oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) + cpu_used[oncpu] = 1; #elif defined(__DragonFly__) if (procs[i].kp_lwp.kl_cpuid < sizeof(cpu_used) && procs[i].kp_lwp.kl_pctcpu > 10) diff --git a/test/test.sh b/test/test.sh index c673337e..bc89ff43 100755 --- a/test/test.sh +++ b/test/test.sh @@ -185,7 +185,7 @@ test "$SYS" = "i686" -o "$SYS" = "x86_64" -o "$SYS" = "amd64" -o "$SYS" = "i86pc esac rm -f in2/in* export AFL_QUIET=1 - if type bash >/dev/null ; then { + if command -v bash >/dev/null ; then { AFL_PATH=`pwd`/.. ../afl-cmin.bash -m ${MEM_LIMIT} -i in -o in2 -- ./test-instr.plain >/dev/null CNT=`ls in2/* 2>/dev/null | wc -l` case "$CNT" in -- cgit 1.4.1 From 0b9f7c4c895c9db6195deee3e48aa21e6bb7f5ab Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 10 Apr 2020 14:34:17 +0200 Subject: added back afl_state_deinit --- src/afl-fuzz.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5010c3ea..b2c96f04 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1200,6 +1200,7 @@ stop_fuzzing: ck_free(afl->fsrv.target_path); ck_free(afl->fsrv.out_file); ck_free(afl->sync_id); + afl_state_deinit(afl); free(afl); /* not tracked */ argv_cpy_free(argv); -- cgit 1.4.1 From a60e425d396379e6e3000341816d6be103514cfa Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 10 Apr 2020 14:52:59 +0200 Subject: fix small memory leak for in_place_resume --- src/afl-fuzz-state.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 80176a10..f3fc33ce 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -348,6 +348,7 @@ void read_afl_environment(afl_state_t *afl, char **envp) { void afl_state_deinit(afl_state_t *afl) { if (afl->post_deinit) afl->post_deinit(afl->post_data); + if (afl->in_place_resume) ck_free(afl->in_dir); free(afl->out_buf); free(afl->out_scratch_buf); -- cgit 1.4.1 From 5b977453cbff9778335eabaa5c2f808291a495ed Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 10 Apr 2020 15:06:31 +0200 Subject: another mem leak fix for master/slave usage --- src/afl-fuzz-state.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index f3fc33ce..a8c14c31 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -349,6 +349,7 @@ void afl_state_deinit(afl_state_t *afl) { if (afl->post_deinit) afl->post_deinit(afl->post_data); if (afl->in_place_resume) ck_free(afl->in_dir); + if (afl->sync_id) ck_free(afl->out_dir); free(afl->out_buf); free(afl->out_scratch_buf); -- cgit 1.4.1 From 6aa6af04acb8f024696e8723e6d73514006b3dd5 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 10 Apr 2020 16:45:45 +0200 Subject: files opened with fdopen should be closed with fclose --- src/afl-forkserver.c | 2 +- src/afl-fuzz-cmplog.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 11b359da..b3b86685 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -253,7 +253,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { #ifndef HAVE_ARC4RANDOM close(fsrv->dev_urandom_fd); #endif - close(fsrv->plot_file == NULL ? -1 : fileno(fsrv->plot_file)); + if (fsrv->plot_file != NULL) fclose(fsrv->plot_file); /* This should improve performance a bit, since it stops the linker from doing extra work post-fork(). */ diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index f932f33b..98f7db05 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -121,7 +121,7 @@ void init_cmplog_forkserver(afl_state_t *afl) { #ifndef HAVE_ARC4RANDOM close(afl->fsrv.dev_urandom_fd); #endif - close(afl->fsrv.plot_file == NULL ? -1 : fileno(afl->fsrv.plot_file)); + if (afl->fsrv.plot_file != NULL) fclose(afl->fsrv.plot_file); /* This should improve performance a bit, since it stops the linker from doing extra work post-fork(). */ -- cgit 1.4.1 From f0f83bab5299098a441af40236f3758171b69889 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 10 Apr 2020 17:47:22 +0200 Subject: resize fix + code format --- include/common.h | 4 +++- include/forkserver.h | 3 ++- src/afl-common.c | 8 +++++--- src/afl-forkserver.c | 5 +++-- src/afl-fuzz-cmplog.c | 6 ++++-- src/afl-fuzz-init.c | 6 ++---- src/afl-fuzz-run.c | 6 ++++-- src/afl-fuzz-stats.c | 14 +++++++------- src/afl-showmap.c | 2 +- src/afl-tmin.c | 2 +- 10 files changed, 32 insertions(+), 24 deletions(-) (limited to 'src') diff --git a/include/common.h b/include/common.h index c9436e81..8dd66355 100644 --- a/include/common.h +++ b/include/common.h @@ -99,9 +99,11 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); /* Wrapper for select() and read(), reading exactly len bytes. Returns the time passed to read. + stop_soon should point to a variable indicating ctrl+c was pressed. If the wait times out, returns timeout_ms + 1; Returns 0 if an error occurred (fd closed, signal, ...); */ -u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms); +u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, + volatile u8 *stop_soon_p); #endif diff --git a/include/forkserver.h b/include/forkserver.h index 5d1bd2cf..4110df7d 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -67,7 +67,8 @@ typedef struct afl_forkserver { } afl_forkserver_t; void afl_fsrv_init(afl_forkserver_t *fsrv); -void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv); +void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, + volatile u8 *stop_soon_p); void afl_fsrv_deinit(afl_forkserver_t *fsrv); void afl_fsrv_killall(); diff --git a/src/afl-common.c b/src/afl-common.c index 7eee5265..12b0355e 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -40,6 +40,7 @@ u8 be_quiet = 0; u8 *doc_path = ""; +u8 last_intr = 0; char *afl_environment_variables[] = { @@ -754,7 +755,8 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms) { Returns the time passed to read. If the wait times out, returns timeout_ms + 1; Returns 0 if an error occurred (fd closed, signal, ...); */ -u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms) { +u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, + volatile u8 *stop_soon_p) { struct timeval timeout; fd_set readfds; @@ -779,8 +781,8 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms) { } else if (sret < 0) { - // perror("sret malloc"); - // TODO: catch other (errno == EINTR) than ctrl+c? + /* Retry select for all signals other than than ctrl+c */ + if (errno == EINTR && !*stop_soon_p) { continue; } return 0; } diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b3b86685..56c3c9d5 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -160,7 +160,8 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { cloning a stopped child. So, we just execute once, and then send commands through a pipe. The other part of this logic is in afl-as.h / llvm_mode */ -void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { +void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, + volatile u8 *stop_soon_p) { int st_pipe[2], ctl_pipe[2]; int status; @@ -317,7 +318,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) { rlen = 4; u32 time = read_timed(fsrv->fsrv_st_fd, &status, rlen, - fsrv->exec_tmout * FORK_WAIT_MULT); + fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); if (time > fsrv->exec_tmout * FORK_WAIT_MULT) { diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 98f7db05..5ad73539 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -187,7 +187,8 @@ void init_cmplog_forkserver(afl_state_t *afl) { rlen = 4; u32 timeout_ms = afl->fsrv.exec_tmout * FORK_WAIT_MULT; /* Reuse readfds as exceptfds to see when the child closed the pipe */ - u32 exec_ms = read_timed(afl->cmplog_fsrv_st_fd, &status, rlen, timeout_ms); + u32 exec_ms = read_timed(afl->cmplog_fsrv_st_fd, &status, rlen, timeout_ms, + &afl->stop_soon); if (!exec_ms) { @@ -416,7 +417,8 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { /* Configure timeout, as requested by user, then wait for child to terminate. */ - exec_ms = read_timed(afl->cmplog_fsrv_st_fd, &status, 4, timeout); + exec_ms = + read_timed(afl->cmplog_fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); if (exec_ms > timeout) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index ce30e599..6e0485e5 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -134,14 +134,12 @@ void bind_to_free_cpu(afl_state_t *afl) { for (i = 0; i < proccount; i++) { #if defined(__FreeBSD__) - if (!strcmp(procs[i].ki_comm, "idle")) - continue; + if (!strcmp(procs[i].ki_comm, "idle")) continue; // fix when ki_oncpu = -1 int oncpu; oncpu = procs[i].ki_oncpu; - if (oncpu == -1) - oncpu = procs[i].ki_lastcpu; + if (oncpu == -1) oncpu = procs[i].ki_lastcpu; if (oncpu != -1 && oncpu < sizeof(cpu_used) && procs[i].ki_pctcpu > 60) cpu_used[oncpu] = 1; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 47f6e9d9..9bbdd23a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -67,7 +67,8 @@ u8 run_target(afl_state_t *afl, u32 timeout) { if (afl->fsrv.child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - exec_ms = read_timed(afl->fsrv.fsrv_st_fd, &status, 4, timeout); + exec_ms = + read_timed(afl->fsrv.fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); if (exec_ms > timeout) { @@ -308,7 +309,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, /* Make sure the forkserver is up before we do anything, and let's not count its spin-up time toward binary calibration. */ - if (!afl->fsrv.fsrv_pid) afl_fsrv_start(&afl->fsrv, afl->argv); + if (!afl->fsrv.fsrv_pid) + afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon); if (afl->dumb_mode != 1 && !afl->no_forkserver && !afl->cmplog_fsrv_pid && afl->shm.cmplog_mode) init_cmplog_forkserver(afl); diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 850555b5..ab84bf3f 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -366,9 +366,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -450,9 +450,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -481,9 +481,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -557,7 +557,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index e4463dc4..2fd17fb1 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -951,7 +951,7 @@ int main(int argc, char **argv_orig, char **envp) { } - afl_fsrv_start(fsrv, use_argv); + afl_fsrv_start(fsrv, use_argv, &stop_soon); while (done == 0 && (dir_ent = readdir(dir_in))) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 30e76d42..f899a6b5 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1133,7 +1133,7 @@ int main(int argc, char **argv_orig, char **envp) { read_initial_file(); - afl_fsrv_start(fsrv, use_argv); + afl_fsrv_start(fsrv, use_argv, &stop_soon); ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); -- cgit 1.4.1 From 3209a9d4e88f09790e073af7fa90914a25e150c4 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 10 Apr 2020 20:35:16 +0200 Subject: removed vla for tmpfile --- src/afl-fuzz.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b2c96f04..9de80c72 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -919,21 +919,20 @@ int main(int argc, char **argv_orig, char **envp) { if ((afl->tmp_dir = afl->afl_env.afl_tmpdir) != NULL && !afl->in_place_resume) { - char tmpfile[afl->file_extension ? strlen(afl->tmp_dir) + 1 + 10 + 1 + - strlen(afl->file_extension) + 1 - : strlen(afl->tmp_dir) + 1 + 10 + 1]; + char tmpfile[PATH_MAX]; + if (afl->file_extension) { - sprintf(tmpfile, "%s/.cur_input.%s", afl->tmp_dir, afl->file_extension); + snprintf(tmpfile, PATH_MAX, "%s/.cur_input.%s", afl->tmp_dir, afl->file_extension); } else { - sprintf(tmpfile, "%s/.cur_input", afl->tmp_dir); + snprintf(tmpfile, PATH_MAX, "%s/.cur_input", afl->tmp_dir); } - if (access(tmpfile, F_OK) != - -1) // there is still a race condition here, but well ... + /* there is still a race condition here, but well ... */ + if (access(tmpfile, F_OK) != -1) FATAL( "AFL_TMPDIR already has an existing temporary input file: %s - if " "this is not from another instance, then just remove the file.", -- cgit 1.4.1 From d928b148d86fcd1e7f26dc265029a36b14c3c1d4 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 10 Apr 2020 20:57:46 +0200 Subject: tackeled some warnings --- include/debug.h | 9 +++++++++ include/list.h | 2 +- src/afl-common.c | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/include/debug.h b/include/debug.h index ff2845f9..8824ff6b 100644 --- a/include/debug.h +++ b/include/debug.h @@ -28,6 +28,15 @@ #include "types.h" #include "config.h" +/* __FUNCTION__ is non-iso */ +#ifndef __FUNCTION__ +#ifdef __func__ +#define __FUNCTION__ __func__ +#else +#define __FUNCTION__ "func_unknown" +#endif +#endif + /******************* * Terminal colors * *******************/ diff --git a/include/list.h b/include/list.h index e93b4e8f..bb985c4f 100644 --- a/include/list.h +++ b/include/list.h @@ -50,7 +50,7 @@ typedef struct list_element { typedef struct list { element_t element_prealloc_buf[LIST_PREALLOC_SIZE]; - u32 element_prealloc_count; + s32 element_prealloc_count; } list_t; diff --git a/src/afl-common.c b/src/afl-common.c index 12b0355e..825cd827 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -140,7 +140,7 @@ void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) { char **argv_cpy_dup(int argc, char **argv) { - u32 i = 0; + int i = 0; char **ret = ck_alloc((argc + 1) * sizeof(char *)); -- cgit 1.4.1 From 3a509c61689112cc321c4c78f058014abff66c8a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 10 Apr 2020 22:33:11 +0200 Subject: LTO optimization, variable map size, autodictionary (#307) * lto module clean-up * step 1/3 * step 1/3 completed * if tmp is ever made non-static * parts 2 and 3 - autodictionary is complete * variable map_size support * variable map size: changed overlooked functions * remove debug for autodict * 64 bit alignment of map size * fix review comments * force 64 bit alignment on both sides * typo --- docs/env_variables.md | 11 +- gcc_plugin/afl-gcc-rt.o.c | 4 +- include/afl-fuzz.h | 22 +- include/config.h | 14 +- include/forkserver.h | 6 + llvm_mode/GNUmakefile | 3 +- llvm_mode/README.lto.md | 41 ++-- llvm_mode/afl-clang-fast.c | 3 + llvm_mode/afl-llvm-lto-instrumentation.so.cc | 330 +++++++++++++++++++++++++-- llvm_mode/afl-llvm-rt.o.c | 170 ++++++++++++-- qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +- src/afl-common.c | 1 + src/afl-forkserver.c | 96 +++++++- src/afl-fuzz-bitmap.c | 61 +++-- src/afl-fuzz-cmplog.c | 6 +- src/afl-fuzz-extras.c | 10 +- src/afl-fuzz-init.c | 4 +- src/afl-fuzz-mutators.c | 7 +- src/afl-fuzz-one.c | 16 +- src/afl-fuzz-queue.c | 19 +- src/afl-fuzz-redqueen.c | 14 +- src/afl-fuzz-run.c | 27 +-- src/afl-fuzz-state.c | 4 + src/afl-fuzz-stats.c | 11 +- src/afl-tmin.c | 4 +- 25 files changed, 726 insertions(+), 160 deletions(-) (limited to 'src') diff --git a/docs/env_variables.md b/docs/env_variables.md index cd002145..7890da35 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -111,10 +111,15 @@ Then there are a few specific features that are only available in llvm_mode: instrumentation which is 100% collision free (collisions are a big issue in afl and afl-like instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only - built if LLVM 9 or newer is used. + built if LLVM 11 or newer is used. - None of these options are necessary to be used and are rather for manual - use (which only ever the author of this LTO implementation will use ;-) + - AFL_LLVM_LTO_AUTODICTIONARY will generate a dictionary in the target + binary based on string compare and memory compare functions. + afl-fuzz will automatically get these transmitted when starting to + fuzz. + + None of the following options are necessary to be used and are rather for + manual use (which only ever the author of this LTO implementation will use). These are used if several seperated instrumentation are performed which are then later combined. diff --git a/gcc_plugin/afl-gcc-rt.o.c b/gcc_plugin/afl-gcc-rt.o.c index 30606150..b157b50f 100644 --- a/gcc_plugin/afl-gcc-rt.o.c +++ b/gcc_plugin/afl-gcc-rt.o.c @@ -138,8 +138,8 @@ static void __afl_map_shm(void) { static void __afl_start_forkserver(void) { - static u8 tmp[4]; - s32 child_pid; + u8 tmp[4] = {0, 0, 0, 0}; + s32 child_pid; u8 child_stopped = 0; diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 56135d0e..edda81e1 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -577,7 +577,9 @@ typedef struct afl_state { u32 document_counter; #endif - /* statis file */ + void *maybe_add_auto; + + /* statistics file */ double last_bitmap_cvg, last_stability, last_eps; /* plot file saves from last run */ @@ -840,18 +842,18 @@ u32 calculate_score(afl_state_t *, struct queue_entry *); void read_bitmap(afl_state_t *, u8 *); void write_bitmap(afl_state_t *); -u32 count_bits(u8 *); -u32 count_bytes(u8 *); -u32 count_non_255_bytes(u8 *); +u32 count_bits(afl_state_t *, u8 *); +u32 count_bytes(afl_state_t *, u8 *); +u32 count_non_255_bytes(afl_state_t *, u8 *); #ifdef WORD_SIZE_64 -void simplify_trace(u64 *); -void classify_counts(u64 *); +void simplify_trace(afl_state_t *, u64 *); +void classify_counts(afl_state_t *, u64 *); #else -void simplify_trace(u32 *); -void classify_counts(u32 *); +void simplify_trace(afl_state_t *, u32 *); +void classify_counts(afl_state_t *, u32 *); #endif void init_count_class16(void); -void minimize_bits(u8 *, u8 *); +void minimize_bits(afl_state_t *, u8 *, u8 *); #ifndef SIMPLE_FILES u8 *describe_op(afl_state_t *, u8); #endif @@ -862,7 +864,7 @@ u8 has_new_bits(afl_state_t *, u8 *); void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32); void load_extras(afl_state_t *, u8 *); -void maybe_add_auto(afl_state_t *, u8 *, u32); +void maybe_add_auto(void *, u8 *, u32); void save_auto(afl_state_t *); void load_auto(afl_state_t *); void destroy_extras(afl_state_t *); diff --git a/include/config.h b/include/config.h index cf73772f..f0274fd3 100644 --- a/include/config.h +++ b/include/config.h @@ -201,8 +201,8 @@ (first value), and to keep in memory as candidates. The latter should be much higher than the former. */ -#define USE_AUTO_EXTRAS 50 -#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) +#define USE_AUTO_EXTRAS 128 +#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 64) /* Scaling factor for the effector map used to skip some of the more expensive deterministic steps. The actual divisor is set to @@ -400,5 +400,15 @@ #endif #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ +/* Extended forkserver option values */ + +#define FS_OPT_ENABLED 0x8f000001 +#define FS_OPT_MAPSIZE 0x40000000 +#define FS_OPT_SNAPSHOT 0x20000000 +#define FS_OPT_AUTODICT 0x10000000 +#define FS_OPT_GET_MAPSIZE(x) (((x & 0x00fffffe) >> 1) + 1) +#define FS_OPT_SET_MAPSIZE(x) \ + (x <= 1 || x > MAP_SIZE || x > 0x1000000 ? 0 : ((x - 1) << 1)) + #endif /* ! _HAVE_CONFIG_H */ diff --git a/include/forkserver.h b/include/forkserver.h index 4110df7d..7470dbbc 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -51,6 +51,8 @@ typedef struct afl_forkserver { fsrv_st_fd; /* Fork server status pipe (read) */ u32 exec_tmout; /* Configurable exec timeout (ms) */ + u32 map_size; /* map size used by the target */ + u32 snapshot; /* is snapshot feature used */ u64 mem_limit; /* Memory cap for child (MB) */ u8 *out_file, /* File to fuzz, if any */ @@ -64,6 +66,10 @@ typedef struct afl_forkserver { u32 prev_timed_out; /* if prev forkserver run timed out */ + u8 *function_opt; /* for autodictionary: afl ptr */ + + void (*function_ptr)(void *afl_tmp, u8 *mem, u32 len); + } afl_forkserver_t; void afl_fsrv_init(afl_forkserver_t *fsrv); diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile index 7432b061..b176a24f 100644 --- a/llvm_mode/GNUmakefile +++ b/llvm_mode/GNUmakefile @@ -273,6 +273,7 @@ endif ../afl-llvm-lto-instrumentation.so: afl-llvm-lto-instrumentation.so.cc ifeq "$(LLVM_LTO)" "1" $(CXX) $(CLANG_CFL) -Wno-writable-strings -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) + $(CC) $(CFLAGS) -O0 $(AFL_CLANG_FLTO) -fPIC -c afl-llvm-rt-lto.o.c -o ../afl-llvm-rt-lto.o endif # laf @@ -318,7 +319,7 @@ all_done: test_build install: all install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH) if [ -f ../afl-clang-fast -a -f ../libLLVMInsTrim.so -a -f ../afl-llvm-rt.o ]; then set -e; install -m 755 ../afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 ../libLLVMInsTrim.so ../afl-llvm-pass.so ../afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi - if [ -f ../afl-clang-lto ]; then set -e; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-lto; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-lto++; install -m 755 ../afl-llvm-lto-instrumentation.so $${DESTDIR}$(HELPER_PATH); install -m 755 ../afl-llvm-lto-whitelist.so $${DESTDIR}$(HELPER_PATH); fi + if [ -f ../afl-clang-lto ]; then set -e; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-lto; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-lto++; install -m 755 ../afl-llvm-lto-instrumentation.so ../afl-llvm-rt-lto.o ../afl-llvm-lto-whitelist.so $${DESTDIR}$(HELPER_PATH); fi if [ -f ../afl-llvm-rt-32.o ]; then set -e; install -m 755 ../afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi if [ -f ../afl-llvm-rt-64.o ]; then set -e; install -m 755 ../afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi if [ -f ../compare-transform-pass.so ]; then set -e; install -m 755 ../compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index a3c7ddc3..48d0e36c 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -12,6 +12,8 @@ This version requires a current llvm 11 compiled from the github master. 3. It only works with llvm 11 (current github master state) +4. AUTODICTIONARY feature! see below + ## Introduction and problem description A big issue with how afl/afl++ works is that the basic block IDs that are @@ -33,33 +35,22 @@ and many dead ends until we got to this: * Our compiler (afl-clang-lto/afl-clang-lto++) takes care of setting the correct LTO options and runs our own afl-ld linker instead of the system linker - * Our linker collects all LTO files to link and instruments them so that + * The LLVM linker collects all LTO files to link and instruments them so that we have non-colliding edge overage * We use a new (for afl) edge coverage - which is the same as in llvm -fsanitize=coverage edge coverage mode :) - * after inserting our instrumentation in all interesting edges we link - all parts of the program together to our executable The result: - * 10-15% speed gain compared to llvm_mode + * 10-20% speed gain compared to llvm_mode * guaranteed non-colliding edge coverage :-) * The compile time especially for libraries can be longer Example build output from a libtiff build: ``` -/bin/bash ../libtool --tag=CC --mode=link afl-clang-lto -g -O2 -Wall -W -o thumbnail thumbnail.o ../libtiff/libtiff.la ../port/libport.la -llzma -ljbig -ljpeg -lz -lm libtool: link: afl-clang-lto -g -O2 -Wall -W -o thumbnail thumbnail.o ../libtiff/.libs/libtiff.a ../port/.libs/libport.a -llzma -ljbig -ljpeg -lz -lm -afl-clang-lto++2.62d by Marc "vanHauser" Heuse -afl-ld++2.62d by Marc "vanHauser" Heuse (level 0) -[+] Running ar unpacker on /prg/tests/lto/tiff-4.0.4/tools/../libtiff/.libs/libtiff.a into /tmp/.afl-3914343-1583339800.dir -[+] Running ar unpacker on /prg/tests/lto/tiff-4.0.4/tools/../port/.libs/libport.a into /tmp/.afl-3914343-1583339800.dir -[+] Running bitcode linker, creating /tmp/.afl-3914343-1583339800-1.ll -[+] Performing optimization via opt, creating /tmp/.afl-3914343-1583339800-2.bc -[+] Performing instrumentation via opt, creating /tmp/.afl-3914343-1583339800-3.bc -afl-llvm-lto++2.62d by Marc "vanHauser" Heuse -[+] Instrumented 15833 locations with no collisions (on average 1767 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode). -[+] Running real linker /bin/x86_64-linux-gnu-ld -[+] Linker was successful +afl-clang-lto++2.63d by Marc "vanHauser" Heuse in mode LTO +afl-llvm-lto++2.63d by Marc "vanHauser" Heuse +[+] Instrumented 11836 locations with no collisions (on average 1007 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode). ``` ## Building llvm 11 @@ -70,8 +61,8 @@ $ git clone https://github.com/llvm/llvm-project $ cd llvm-project $ mkdir build $ cd build -$ cmake -DLLVM_ENABLE_PROJECTS='clang;clang-tools-extra;compiler-rt;libclc;libcxx;libcxxabi;libunwind;lld' -DLLVM_BINUTILS_INCDIR=/usr/include/ ../llvm/ -$ make +$ cmake -DLLVM_ENABLE_PROJECTS='clang;clang-tools-extra;compiler-rt;libclc;libcxx;libcxxabi;libunwind;lld' -DCMAKE_BUILD_TYPE=Release -DLLVM_BINUTILS_INCDIR=/usr/include/ ../llvm/ +$ make -j $(nproc) $ export PATH=`pwd`/bin:$PATH $ export LLVM_CONFIG=`pwd`/bin/llcm-config $ cd /path/to/AFLplusplus/ @@ -96,6 +87,13 @@ CC=afl-clang-lto CXX=afl-clang-lto++ ./configure make ``` +## AUTODICTIONARY feature + +Setting `AFL_LLVM_LTO_AUTODICTIONARY` will generate a dictionary in the +target binary based on string compare and memory compare functions. +afl-fuzz will automatically get these transmitted when starting to fuzz. +This improves coverage on a lot of targets. + ## Potential issues ### compiling libraries fails @@ -121,11 +119,8 @@ Please report issues at: ## Upcoming Work -1. Currently the LTO whitelist feature does not allow to not instrument main, start and init functions -2. Modify the forkserver + afl-fuzz so that only the necessary map size is - loaded and used - and communicated to afl-fuzz too. - Result: faster fork in the target and faster map analysis in afl-fuzz - => more speed :-) +1. Currently the LTO whitelist feature does not allow to not instrument main, + start and init functions ## History diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 26ee0bab..cdb22cb9 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -477,6 +477,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { } + if (instrument_mode == INSTRUMENT_LTO) + cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-lto.o", obj_path); + #ifndef __ANDROID__ switch (bit_mode) { diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 93968984..f387e79c 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -38,17 +38,24 @@ #include #include "llvm/Config/llvm-config.h" +#include "llvm/ADT/Statistic.h" #include "llvm/IR/IRBuilder.h" #include "llvm/IR/LegacyPassManager.h" #include "llvm/IR/BasicBlock.h" #include "llvm/IR/Module.h" +#include "llvm/IR/DebugInfo.h" +#include "llvm/IR/CFG.h" +#include "llvm/IR/Verifier.h" #include "llvm/Support/Debug.h" +#include "llvm/Support/raw_ostream.h" #include "llvm/Transforms/IPO/PassManagerBuilder.h" #include "llvm/Transforms/Utils/BasicBlockUtils.h" #include "llvm/Analysis/LoopInfo.h" #include "llvm/Analysis/MemorySSAUpdater.h" -#include "llvm/IR/DebugInfo.h" -#include "llvm/IR/CFG.h" +#include "llvm/Analysis/ValueTracking.h" +#include "llvm/Pass.h" + +#include using namespace llvm; @@ -145,7 +152,7 @@ class AFLLTOPass : public ModulePass { bool runOnModule(Module &M) override; protected: - int afl_global_id = 1, debug = 0; + int afl_global_id = 1, debug = 0, autodictionary = 0; uint32_t be_quiet = 0, inst_blocks = 0, inst_funcs = 0, total_instr = 0; }; @@ -154,7 +161,9 @@ class AFLLTOPass : public ModulePass { bool AFLLTOPass::runOnModule(Module &M) { - LLVMContext &C = M.getContext(); + LLVMContext & C = M.getContext(); + std::vector dictionary; + std::vector calls; IntegerType *Int8Ty = IntegerType::getInt8Ty(C); IntegerType *Int32Ty = IntegerType::getInt32Ty(C); @@ -172,6 +181,10 @@ bool AFLLTOPass::runOnModule(Module &M) { be_quiet = 1; + if (getenv("AFL_LLVM_AUTODICTIONARY") || + getenv("AFL_LLVM_LTO_AUTODICTIONARY")) + autodictionary = 1; + /* Get globals for the SHM region and the previous location. Note that __afl_prev_loc is thread-local. */ @@ -193,6 +206,110 @@ bool AFLLTOPass::runOnModule(Module &M) { std::vector InsBlocks; + if (autodictionary) { + + for (auto &BB : F) { + + for (auto &IN : BB) { + + CallInst *callInst = nullptr; + + if ((callInst = dyn_cast(&IN))) { + + bool isStrcmp = true; + bool isMemcmp = true; + bool isStrncmp = true; + bool isStrcasecmp = true; + bool isStrncasecmp = true; + + Function *Callee = callInst->getCalledFunction(); + if (!Callee) continue; + if (callInst->getCallingConv() != llvm::CallingConv::C) continue; + StringRef FuncName = Callee->getName(); + isStrcmp &= !FuncName.compare(StringRef("strcmp")); + isMemcmp &= !FuncName.compare(StringRef("memcmp")); + isStrncmp &= !FuncName.compare(StringRef("strncmp")); + isStrcasecmp &= !FuncName.compare(StringRef("strcasecmp")); + isStrncasecmp &= !FuncName.compare(StringRef("strncasecmp")); + + if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && + !isStrncasecmp) + continue; + + /* Verify the strcmp/memcmp/strncmp/strcasecmp/strncasecmp function + * prototype */ + FunctionType *FT = Callee->getFunctionType(); + + isStrcmp &= FT->getNumParams() == 2 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == + IntegerType::getInt8PtrTy(M.getContext()); + isStrcasecmp &= FT->getNumParams() == 2 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == + IntegerType::getInt8PtrTy(M.getContext()); + isMemcmp &= FT->getNumParams() == 3 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0)->isPointerTy() && + FT->getParamType(1)->isPointerTy() && + FT->getParamType(2)->isIntegerTy(); + isStrncmp &= FT->getNumParams() == 3 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == + IntegerType::getInt8PtrTy(M.getContext()) && + FT->getParamType(2)->isIntegerTy(); + isStrncasecmp &= FT->getNumParams() == 3 && + FT->getReturnType()->isIntegerTy(32) && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == + IntegerType::getInt8PtrTy(M.getContext()) && + FT->getParamType(2)->isIntegerTy(); + + if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && + !isStrncasecmp) + continue; + + /* is a str{n,}{case,}cmp/memcmp, check if we have + * str{case,}cmp(x, "const") or str{case,}cmp("const", x) + * strn{case,}cmp(x, "const", ..) or strn{case,}cmp("const", x, ..) + * memcmp(x, "const", ..) or memcmp("const", x, ..) */ + Value *Str1P = callInst->getArgOperand(0), + *Str2P = callInst->getArgOperand(1); + StringRef Str1, Str2; + bool HasStr1 = getConstantStringInfo(Str1P, Str1); + bool HasStr2 = getConstantStringInfo(Str2P, Str2); + + /* handle cases of one string is const, one string is variable */ + if (!(HasStr1 ^ HasStr2)) continue; + + if (isMemcmp || isStrncmp || isStrncasecmp) { + + /* check if third operand is a constant integer + * strlen("constStr") and sizeof() are treated as constant */ + Value * op2 = callInst->getArgOperand(2); + ConstantInt *ilen = dyn_cast(op2); + if (!ilen) continue; + /* final precaution: if size of compare is larger than constant + * string skip it*/ + uint64_t literalLength = + HasStr1 ? GetStringLength(Str1P) : GetStringLength(Str2P); + if (literalLength < ilen->getZExtValue()) continue; + + } + + calls.push_back(callInst); + + } + + } + + } + + } + for (auto &BB : F) { uint32_t succ = 0; @@ -282,32 +399,201 @@ bool AFLLTOPass::runOnModule(Module &M) { } + // save highest location ID to global variable + // do this after each function to fail faster + if (afl_global_id > MAP_SIZE) { + + uint32_t pow2map = 1, map = afl_global_id; + while ((map = map >> 1)) + pow2map++; + FATAL( + "We have %u blocks to instrument but the map size is only %u! Edit " + "config.h and set MAP_SIZE_POW2 from %u to %u, then recompile " + "afl-fuzz and llvm_mode.", + afl_global_id, MAP_SIZE, MAP_SIZE_POW2, pow2map); + + } + } - // save highest location ID to global variable + if (calls.size()) { - if (afl_global_id > MAP_SIZE) { + for (auto &callInst : calls) { - uint32_t pow2map = 1, map = afl_global_id; - while ((map = map >> 1)) - pow2map++; - FATAL( - "We have %u blocks to instrument but the map size is only %u! Edit " - "config.h and set MAP_SIZE_POW2 from %u to %u, then recompile " - "afl-fuzz and llvm_mode.", - afl_global_id, MAP_SIZE, MAP_SIZE_POW2, pow2map); + Value *Str1P = callInst->getArgOperand(0), + *Str2P = callInst->getArgOperand(1); + StringRef Str1, Str2, ConstStr; + std::string TmpConstStr; + Value * VarStr; + bool HasStr1 = getConstantStringInfo(Str1P, Str1); + getConstantStringInfo(Str2P, Str2); + uint64_t constLen, sizedLen; + bool isMemcmp = !callInst->getCalledFunction()->getName().compare( + StringRef("memcmp")); + bool isSizedcmp = isMemcmp || + !callInst->getCalledFunction()->getName().compare( + StringRef("strncmp")) || + !callInst->getCalledFunction()->getName().compare( + StringRef("strncasecmp")); + + if (isSizedcmp) { + + Value * op2 = callInst->getArgOperand(2); + ConstantInt *ilen = dyn_cast(op2); + sizedLen = ilen->getZExtValue(); + + } else { + + sizedLen = 0; + + } + + if (HasStr1) { + + TmpConstStr = Str1.str(); + VarStr = Str2P; + constLen = isMemcmp ? sizedLen : GetStringLength(Str1P); + + } else { + + TmpConstStr = Str2.str(); + VarStr = Str1P; + constLen = isMemcmp ? sizedLen : GetStringLength(Str2P); + + } + + /* properly handle zero terminated C strings by adding the terminating 0 + * to the StringRef (in comparison to std::string a StringRef has built-in + * runtime bounds checking, which makes debugging easier) */ + TmpConstStr.append("\0", 1); + ConstStr = StringRef(TmpConstStr); + + if (isSizedcmp && constLen > sizedLen) { constLen = sizedLen; } + + /* + if (!be_quiet) + errs() << callInst->getCalledFunction()->getName() << ": len " + << constLen << ": " << ConstStr << "\n"; + */ + + if (constLen && constLen < MAX_DICT_FILE) + dictionary.push_back(ConstStr.str().substr(0, constLen)); + + } } - if (getenv("AFL_LLVM_LTO_DONTWRITEID") == NULL) { + if (getenv("AFL_LLVM_LTO_DONTWRITEID") == NULL || dictionary.size()) { + + // yes we could create our own function, insert it into ctors ... + // but this would be a pain in the butt ... so we use afl-llvm-rt-lto.o - GlobalVariable *AFLFinalLoc = new GlobalVariable( - M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, "__afl_final_loc", 0, - GlobalVariable::GeneralDynamicTLSModel, 0, false); - ConstantInt *const_loc = ConstantInt::get(Int32Ty, afl_global_id); - MaybeAlign Align = MaybeAlign(4); - AFLFinalLoc->setAlignment(Align); - AFLFinalLoc->setInitializer(const_loc); + Function *f = M.getFunction("__afl_auto_init_globals"); + + if (!f) { + + fprintf(stderr, + "Error: init function could not be found (this hould not " + "happen)\n"); + exit(-1); + + } + + BasicBlock *bb = &f->getEntryBlock(); + if (!bb) { + + fprintf(stderr, + "Error: init function does not have an EntryBlock (this should " + "not happen)\n"); + exit(-1); + + } + + BasicBlock::iterator IP = bb->getFirstInsertionPt(); + IRBuilder<> IRB(&(*IP)); + + if (getenv("AFL_LLVM_LTO_DONTWRITEID") == NULL) { + + GlobalVariable *AFLFinalLoc = new GlobalVariable( + M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, "__afl_final_loc", + 0, GlobalVariable::GeneralDynamicTLSModel, 0, false); + ConstantInt *const_loc = ConstantInt::get(Int32Ty, (((afl_global_id + 8) >> 3) << 3)); + StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); + StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + } + + if (dictionary.size()) { + + size_t memlen = 0, count = 0, offset = 0; + char * ptr; + + for (auto token : dictionary) { + + memlen += token.length(); + count++; + + } + + if (!be_quiet) printf("AUTODICTIONARY: %lu strings found\n", count); + + if (count) { + + if ((ptr = (char *)malloc(memlen + count)) == NULL) { + + fprintf(stderr, "Error: malloc for %lu bytes failed!\n", + memlen + count); + exit(-1); + + } + + for (auto token : dictionary) { + + if (offset + token.length() < 0xfffff0) { + + ptr[offset++] = (uint8_t)token.length(); + memcpy(ptr + offset, token.c_str(), token.length()); + offset += token.length(); + + } + + } + + GlobalVariable *AFLDictionaryLen = new GlobalVariable( + M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, + "__afl_dictionary_len", 0, GlobalVariable::GeneralDynamicTLSModel, + 0, false); + ConstantInt *const_len = ConstantInt::get(Int32Ty, offset); + StoreInst *StoreDictLen = IRB.CreateStore(const_len, AFLDictionaryLen); + StoreDictLen->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + ArrayType *ArrayTy = ArrayType::get(IntegerType::get(C, 8), offset); + GlobalVariable *AFLInternalDictionary = new GlobalVariable( + M, ArrayTy, true, GlobalValue::ExternalLinkage, + ConstantDataArray::get(C, + *(new ArrayRef((char *)ptr, offset))), + "__afl_internal_dictionary", 0, + GlobalVariable::GeneralDynamicTLSModel, 0, false); + AFLInternalDictionary->setInitializer(ConstantDataArray::get( + C, *(new ArrayRef((char *)ptr, offset)))); + AFLInternalDictionary->setConstant(true); + + GlobalVariable *AFLDictionary = new GlobalVariable( + M, PointerType::get(Int8Ty, 0), false, GlobalValue::ExternalLinkage, + 0, "__afl_dictionary"); + + Value *AFLDictOff = IRB.CreateGEP(AFLInternalDictionary, Zero); + Value *AFLDictPtr = + IRB.CreatePointerCast(AFLDictOff, PointerType::get(Int8Ty, 0)); + StoreInst *StoreDict = IRB.CreateStore(AFLDictPtr, AFLDictionary); + StoreDict->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + } + + } } diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 3651fd97..cbc4648d 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -50,11 +50,7 @@ Basically, we need to make sure that the forkserver is initialized after the LLVM-generated runtime initialization pass, not before. */ -#ifdef USE_TRACE_PC #define CONST_PRIO 5 -#else -#define CONST_PRIO 0 -#endif /* ^USE_TRACE_PC */ #include #include @@ -65,17 +61,20 @@ u8 __afl_area_initial[MAP_SIZE]; u8 *__afl_area_ptr = __afl_area_initial; +u8 *__afl_dictionary; #ifdef __ANDROID__ PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX]; u32 __afl_final_loc; u32 __afl_prev_ctx; u32 __afl_cmp_counter; +u32 __afl_dictionary_len; #else __thread PREV_LOC_T __afl_prev_loc[NGRAM_SIZE_MAX]; __thread u32 __afl_final_loc; __thread u32 __afl_prev_ctx; __thread u32 __afl_cmp_counter; +__thread u32 __afl_dictionary_len; #endif struct cmp_map *__afl_cmp_map; @@ -100,6 +99,10 @@ static void __afl_map_shm(void) { const char * shm_file_path = id_str; int shm_fd = -1; unsigned char *shm_base = NULL; + unsigned int map_size = MAP_SIZE + + if (__afl_final_loc > 1 && __afl_final_loc < MAP_SIZE) map_size = + __afl_final_loc; /* create the shared memory segment as if it was a file */ shm_fd = shm_open(shm_file_path, O_RDWR, 0600); @@ -111,7 +114,7 @@ static void __afl_map_shm(void) { } /* map the shared memory segment to the address space of the process */ - shm_base = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, shm_fd, 0); + shm_base = mmap(0, map_size, PROT_READ | PROT_WRITE, MAP_SHARED, shm_fd, 0); if (shm_base == MAP_FAILED) { close(shm_fd); @@ -187,8 +190,15 @@ static void __afl_map_shm(void) { #ifdef __linux__ static void __afl_start_snapshots(void) { - static u8 tmp[4]; + static u8 tmp[4] = {0, 0, 0, 0}; s32 child_pid; + u32 status = 0; + u32 map_size = MAP_SIZE; + u32 already_read_first = 0; + u32 was_killed; + + if (__afl_final_loc > 1 && __afl_final_loc < MAP_SIZE) + map_size = __afl_final_loc; u8 child_stopped = 0; @@ -197,16 +207,74 @@ static void __afl_start_snapshots(void) { /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ + status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT); + if (map_size <= 0x1000000) + status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE); + if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT; + memcpy(tmp, &status, 4); + if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; + if (__afl_dictionary_len > 0 && __afl_dictionary) { + + if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + + if ((was_killed & (FS_OPT_ENABLED | FS_OPT_AUTODICT)) == + (FS_OPT_ENABLED | FS_OPT_AUTODICT)) { + + // great lets pass the dictionary through the forkserver FD + u32 len = __afl_dictionary_len, offset = 0; + s32 ret; + + if (write(FORKSRV_FD + 1, &len, 4) != 4) { + + write(2, "Error: could not send dictionary len\n", + strlen("Error: could not send dictionary len\n")); + _exit(1); + + } + + while (len != 0) { + + ret = write(FORKSRV_FD + 1, __afl_dictionary + offset, len); + + if (ret < 1) { + + write(2, "Error: could not send dictionary\n", + strlen("Error: could not send dictionary\n")); + _exit(1); + + } + + len -= ret; + offset += ret; + + } + + } else { + + // uh this forkserver master does not understand extended option passing + // or does not want the dictionary + already_read_first = 1; + + } + + } + while (1) { - u32 was_killed; int status; - /* Wait for parent by reading from the pipe. Abort if read fails. */ + if (already_read_first) { - if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + already_read_first = 0; + + } else { + + /* Wait for parent by reading from the pipe. Abort if read fails. */ + if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + + } /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old @@ -291,26 +359,92 @@ static void __afl_start_forkserver(void) { #endif - static u8 tmp[4]; - s32 child_pid; + u8 tmp[4] = {0, 0, 0, 0}; + s32 child_pid; + u32 status = 0; + u32 map_size = MAP_SIZE; + u32 already_read_first = 0; + u32 was_killed; + + if (__afl_final_loc > 1 && __afl_final_loc < MAP_SIZE) + map_size = __afl_final_loc; u8 child_stopped = 0; void (*old_sigchld_handler)(int) = 0; // = signal(SIGCHLD, SIG_DFL); + if (map_size <= 0x1000000) + status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE); + if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT; + if (status) status |= (FS_OPT_ENABLED); + memcpy(tmp, &status, 4); + /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ if (write(FORKSRV_FD + 1, tmp, 4) != 4) return; + if (__afl_dictionary_len > 0 && __afl_dictionary) { + + if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + + if ((was_killed & (FS_OPT_ENABLED | FS_OPT_AUTODICT)) == + (FS_OPT_ENABLED | FS_OPT_AUTODICT)) { + + // great lets pass the dictionary through the forkserver FD + u32 len = __afl_dictionary_len, offset = 0; + s32 ret; + + if (write(FORKSRV_FD + 1, &len, 4) != 4) { + + write(2, "Error: could not send dictionary len\n", + strlen("Error: could not send dictionary len\n")); + _exit(1); + + } + + while (len != 0) { + + ret = write(FORKSRV_FD + 1, __afl_dictionary + offset, len); + + if (ret < 1) { + + write(2, "Error: could not send dictionary\n", + strlen("Error: could not send dictionary\n")); + _exit(1); + + } + + len -= ret; + offset += ret; + + } + + } else { + + // uh this forkserver master does not understand extended option passing + // or does not want the dictionary + already_read_first = 1; + + } + + } + while (1) { - u32 was_killed; int status; /* Wait for parent by reading from the pipe. Abort if read fails. */ - if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + if (already_read_first) { + + already_read_first = 0; + + } else { + + if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1); + + } /* If we stopped the child in persistent mode, but there was a race condition and afl-fuzz already issued SIGKILL, write off the old @@ -378,8 +512,12 @@ static void __afl_start_forkserver(void) { int __afl_persistent_loop(unsigned int max_cnt) { - static u8 first_pass = 1; - static u32 cycle_cnt; + static u8 first_pass = 1; + static u32 cycle_cnt; + unsigned int map_size = MAP_SIZE; + + if (__afl_final_loc > 1 && __afl_final_loc < MAP_SIZE) + map_size = __afl_final_loc; if (first_pass) { @@ -390,7 +528,7 @@ int __afl_persistent_loop(unsigned int max_cnt) { if (is_persistent) { - memset(__afl_area_ptr, 0, MAP_SIZE); + memset(__afl_area_ptr, 0, map_size); __afl_area_ptr[0] = 1; memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T)); diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index 3bd107d7..d73566fc 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -293,7 +293,7 @@ static void print_mappings(void) { void afl_forkserver(CPUState *cpu) { - static unsigned char tmp[4]; + static unsigned char tmp[4] = {0, 0, 0, 0}; if (forkserver_installed == 1) return; forkserver_installed = 1; diff --git a/src/afl-common.c b/src/afl-common.c index 825cd827..5216c7e0 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -59,6 +59,7 @@ char *afl_environment_variables[] = { "AFL_LD_HARD_FAIL", "AFL_LD_LIMIT_MB", "AFL_LD_NO_CALLOC_OVER", "AFL_LD_PRELOAD", "AFL_LD_VERBOSE", "AFL_LLVM_CMPLOG", "AFL_LLVM_INSTRIM", "AFL_LLVM_CTX", "AFL_LLVM_INSTRUMENT", "AFL_LLVM_INSTRIM_LOOPHEAD", + "AFL_LLVM_LTO_AUTODICTIONARY", "AFL_LLVM_AUTODICTIONARY", "AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK", "AFL_LLVM_LAF_SPLIT_COMPARES", "AFL_LLVM_LAF_SPLIT_COMPARES_BITW", "AFL_LLVM_LAF_SPLIT_FLOATS", "AFL_LLVM_LAF_SPLIT_SWITCHES", "AFL_LLVM_LAF_TRANSFORM_COMPARES", diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 56c3c9d5..d1037194 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -69,7 +69,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->mem_limit = MEM_LIMIT; fsrv->child_pid = -1; fsrv->out_dir_fd = -1; - + fsrv->map_size = MAP_SIZE; fsrv->use_fauxsrv = 0; fsrv->prev_timed_out = 0; @@ -82,7 +82,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { - unsigned char tmp[4] = {0}; + unsigned char tmp[4] = {0, 0, 0, 0}; pid_t child_pid = -1; /* Phone home and tell the parent that we're OK. If parent isn't there, @@ -167,9 +167,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, int status; s32 rlen; - if (fsrv->use_fauxsrv) ACTF("Using Fauxserver:"); + if (!be_quiet) ACTF("Using Fauxserver:"); - if (!getenv("AFL_QUIET")) ACTF("Spinning up the fork server..."); + if (!be_quiet) ACTF("Spinning up the fork server..."); if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); @@ -340,7 +340,93 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (rlen == 4) { - if (!getenv("AFL_QUIET")) OKF("All right - fork server is up."); + if (!be_quiet) OKF("All right - fork server is up."); + + if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { + + if (!be_quiet) + ACTF("Extended forkserver functions received (%08x).", status); + + if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) { + + fsrv->snapshot = 1; + if (!be_quiet) ACTF("Using SNAPSHOT feature."); + + } + + if ((status & FS_OPT_MAPSIZE) == FS_OPT_MAPSIZE) { + + fsrv->map_size = FS_OPT_GET_MAPSIZE(status); + if (fsrv->map_size % 8) + fsrv->map_size = (((fsrv->map_size + 8) >> 3) << 3); + if (!be_quiet) ACTF("Target map size: %u", fsrv->map_size); + + } + + if (fsrv->function_ptr == NULL || fsrv->function_opt == NULL) { + + // this is not afl-fuzz - we deny and return + status = (0xffffffff ^ (FS_OPT_ENABLED | FS_OPT_AUTODICT)); + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) + FATAL("Writing to forkserver failed."); + return; + + } + + if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) { + + if (!be_quiet) ACTF("Using AUTODICT feature."); + status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) + FATAL("Writing to forkserver failed."); + if (read(fsrv->fsrv_st_fd, &status, 4) != 4) + FATAL("Reading from forkserver failed."); + + if (status < 2 || (u32)status > 0xffffff) + FATAL("Dictionary has an illegal size: %d", status); + + u32 len = status, offset = 0, count = 0; + u8 *dict = ck_alloc(len); + if (dict == NULL) + FATAL("Could not allocate %u bytes of autodictionary memmory", len); + + while (len != 0) { + + rlen = read(fsrv->fsrv_st_fd, dict + offset, len); + if (rlen > 0) { + + len -= rlen; + offset += rlen; + + } else { + + FATAL( + "Reading autodictionary fail at position %u with %u bytes " + "left.", + offset, len); + + } + + } + + len = status; + offset = 0; + while (offset < status && (u8)dict[offset] + offset < status) { + + fsrv->function_ptr(fsrv->function_opt, dict + offset + 1, + (u8)dict[offset]); + offset += (1 + dict[offset]); + count++; + + } + + if (!be_quiet) ACTF("Loaded %u autodictionary entries", count); + ck_free(dict); + + } + + } + return; } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index c5347dcb..1c965532 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -78,16 +78,17 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { u64 *current = (u64 *)afl->fsrv.trace_bits; u64 *virgin = (u64 *)virgin_map; - u32 i = (MAP_SIZE >> 3); + u32 i = (afl->fsrv.map_size >> 3); #else u32 *current = (u32 *)afl->fsrv.trace_bits; u32 *virgin = (u32 *)virgin_map; - u32 i = (MAP_SIZE >> 2); + u32 i = (afl->fsrv.map_size >> 2); #endif /* ^WORD_SIZE_64 */ + if (i == 0) i = 1; u8 ret = 0; @@ -148,12 +149,14 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { /* Count the number of bits set in the provided bitmap. Used for the status screen several times every second, does not have to be fast. */ -u32 count_bits(u8 *mem) { +u32 count_bits(afl_state_t *afl, u8 *mem) { u32 *ptr = (u32 *)mem; - u32 i = (MAP_SIZE >> 2); + u32 i = (afl->fsrv.map_size >> 2); u32 ret = 0; + if (i == 0) i = 1; + while (i--) { u32 v = *(ptr++); @@ -182,12 +185,14 @@ u32 count_bits(u8 *mem) { mostly to update the status screen or calibrate and examine confirmed new paths. */ -u32 count_bytes(u8 *mem) { +u32 count_bytes(afl_state_t *afl, u8 *mem) { u32 *ptr = (u32 *)mem; - u32 i = (MAP_SIZE >> 2); + u32 i = (afl->fsrv.map_size >> 2); u32 ret = 0; + if (i == 0) i = 1; + while (i--) { u32 v = *(ptr++); @@ -207,12 +212,14 @@ u32 count_bytes(u8 *mem) { /* Count the number of non-255 bytes set in the bitmap. Used strictly for the status screen, several calls per second or so. */ -u32 count_non_255_bytes(u8 *mem) { +u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) { u32 *ptr = (u32 *)mem; - u32 i = (MAP_SIZE >> 2); + u32 i = (afl->fsrv.map_size >> 2); u32 ret = 0; + if (i == 0) i = 1; + while (i--) { u32 v = *(ptr++); @@ -245,9 +252,11 @@ const u8 simplify_lookup[256] = { #ifdef WORD_SIZE_64 -void simplify_trace(u64 *mem) { +void simplify_trace(afl_state_t *afl, u64 *mem) { + + u32 i = (afl->fsrv.map_size >> 3); - u32 i = MAP_SIZE >> 3; + if (i == 0) i = 1; while (i--) { @@ -278,9 +287,11 @@ void simplify_trace(u64 *mem) { #else -void simplify_trace(u32 *mem) { +void simplify_trace(afl_state_t *afl, u32 *mem) { - u32 i = MAP_SIZE >> 2; + u32 i = (afl->fsrv.map_size >> 2); + + if (i == 0) i = 1; while (i--) { @@ -340,9 +351,11 @@ void init_count_class16(void) { #ifdef WORD_SIZE_64 -void classify_counts(u64 *mem) { +void classify_counts(afl_state_t *afl, u64 *mem) { + + u32 i = (afl->fsrv.map_size >> 3); - u32 i = MAP_SIZE >> 3; + if (i == 0) i = 1; while (i--) { @@ -367,9 +380,11 @@ void classify_counts(u64 *mem) { #else -void classify_counts(u32 *mem) { +void classify_counts(afl_state_t *afl, u32 *mem) { + + u32 i = (afl->fsrv.map_size >> 2); - u32 i = MAP_SIZE >> 2; + if (i == 0) i = 1; while (i--) { @@ -396,11 +411,11 @@ void classify_counts(u32 *mem) { count information here. This is called only sporadically, for some new paths. */ -void minimize_bits(u8 *dst, u8 *src) { +void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) { u32 i = 0; - while (i < MAP_SIZE) { + while (i < afl->fsrv.map_size) { if (*(src++)) dst[i >> 3] |= 1 << (i & 7); ++i; @@ -527,7 +542,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 fn[PATH_MAX]; /* Update path frequency. */ - u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); struct queue_entry *q = afl->queue; while (q) { @@ -611,9 +626,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (likely(!afl->dumb_mode)) { #ifdef WORD_SIZE_64 - simplify_trace((u64 *)afl->fsrv.trace_bits); + simplify_trace(afl, (u64 *)afl->fsrv.trace_bits); #else - simplify_trace((u32 *)afl->fsrv.trace_bits); + simplify_trace(afl, (u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ if (!has_new_bits(afl, afl->virgin_tmout)) return keeping; @@ -675,9 +690,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (likely(!afl->dumb_mode)) { #ifdef WORD_SIZE_64 - simplify_trace((u64 *)afl->fsrv.trace_bits); + simplify_trace(afl, (u64 *)afl->fsrv.trace_bits); #else - simplify_trace((u32 *)afl->fsrv.trace_bits); + simplify_trace(afl, (u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ if (!has_new_bits(afl, afl->virgin_crash)) return keeping; diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 5ad73539..ed4be6e4 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -389,7 +389,7 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { must prevent any earlier operations from venturing into that territory. */ - memset(afl->fsrv.trace_bits, 0, MAP_SIZE); + memset(afl->fsrv.trace_bits, 0, afl->fsrv.map_size); MEM_BARRIER(); /* Since we always have a forkserver (or a fauxserver) running, we can simply @@ -469,9 +469,9 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { tb4 = *(u32 *)afl->fsrv.trace_bits; #ifdef WORD_SIZE_64 - classify_counts((u64 *)afl->fsrv.trace_bits); + classify_counts(afl, (u64 *)afl->fsrv.trace_bits); #else - classify_counts((u32 *)afl->fsrv.trace_bits); + classify_counts(afl, (u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ afl->cmplog_prev_timed_out = afl->fsrv.child_timed_out; diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 16806934..55146dd9 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -305,10 +305,14 @@ static inline u8 memcmp_nocase(u8 *m1, u8 *m2, u32 len) { } /* Maybe add automatic extra. */ +/* Ugly hack: afl state is transfered as u8* because we import data via + afl-forkserver.c - which is shared with other afl tools that do not + have the afl state struct */ -void maybe_add_auto(afl_state_t *afl, u8 *mem, u32 len) { +void maybe_add_auto(void *afl_tmp, u8 *mem, u32 len) { - u32 i; + afl_state_t *afl = (afl_state_t *)afl_tmp; + u32 i; /* Allow users to specify that they don't want auto dictionaries. */ @@ -469,7 +473,7 @@ void load_auto(afl_state_t *afl) { if (len < 0) PFATAL("Unable to read from '%s'", fn); if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, tmp, len); + maybe_add_auto((u8 *)afl, tmp, len); close(fd); ck_free(fn); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 6e0485e5..94ce9604 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -448,11 +448,13 @@ static void check_map_coverage(afl_state_t *afl) { u32 i; - if (count_bytes(afl->fsrv.trace_bits) < 100) return; + if (count_bytes(afl, afl->fsrv.trace_bits) < 100) return; for (i = (1 << (MAP_SIZE_POW2 - 1)); i < MAP_SIZE; ++i) if (afl->fsrv.trace_bits[i]) return; + if (afl->fsrv.map_size != MAP_SIZE) return; + WARNF("Recompile binary with newer version of afl to improve coverage!"); } diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 754b2190..81504e29 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -244,7 +244,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { if (afl->stop_soon || fault == FAULT_ERROR) { goto abort_trimming; } - cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (cksum == q->exec_cksum) { @@ -257,7 +257,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { if (!needs_write) { needs_write = 1; - memcpy(afl->clean_trace_custom, afl->fsrv.trace_bits, MAP_SIZE); + memcpy(afl->clean_trace_custom, afl->fsrv.trace_bits, + afl->fsrv.map_size); } @@ -307,7 +308,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { ck_write(fd, in_buf, q->len, q->fname); close(fd); - memcpy(afl->fsrv.trace_bits, afl->clean_trace_custom, MAP_SIZE); + memcpy(afl->fsrv.trace_bits, afl->clean_trace_custom, afl->fsrv.map_size); update_bitmap_score(afl, q); } diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index b20bde90..80567160 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -601,7 +601,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (!afl->dumb_mode && (afl->stage_cur & 7) == 7) { - u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (afl->stage_cur == afl->stage_max - 1 && cksum == prev_cksum) { @@ -613,7 +613,7 @@ u8 fuzz_one_original(afl_state_t *afl) { ++a_len; if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, a_collect, a_len); + maybe_add_auto((u8 *)afl, a_collect, a_len); } else if (cksum != prev_cksum) { @@ -621,7 +621,7 @@ u8 fuzz_one_original(afl_state_t *afl) { worthwhile queued up, and collect that if the answer is yes. */ if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, a_collect, a_len); + maybe_add_auto((u8 *)afl, a_collect, a_len); a_len = 0; prev_cksum = cksum; @@ -761,7 +761,7 @@ u8 fuzz_one_original(afl_state_t *afl) { without wasting time on checksums. */ if (!afl->dumb_mode && len >= EFF_MIN_LEN) - cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); else cksum = ~afl->queue_cur->exec_cksum; @@ -2615,7 +2615,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (!afl->dumb_mode && (afl->stage_cur & 7) == 7) { - u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + u32 cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (afl->stage_cur == afl->stage_max - 1 && cksum == prev_cksum) { @@ -2627,7 +2627,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { ++a_len; if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, a_collect, a_len); + maybe_add_auto((u8 *)afl, a_collect, a_len); } else if (cksum != prev_cksum) { @@ -2635,7 +2635,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { worthwhile queued up, and collect that if the answer is yes. */ if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(afl, a_collect, a_len); + maybe_add_auto((u8 *)afl, a_collect, a_len); a_len = 0; prev_cksum = cksum; @@ -2775,7 +2775,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { without wasting time on checksums. */ if (!afl->dumb_mode && len >= EFF_MIN_LEN) - cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); else cksum = ~afl->queue_cur->exec_cksum; diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 174d7d92..346c2639 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -195,7 +195,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { /* For every byte set in afl->fsrv.trace_bits[], see if there is a previous winner, and how it compares to us. */ - for (i = 0; i < MAP_SIZE; ++i) + for (i = 0; i < afl->fsrv.map_size; ++i) if (afl->fsrv.trace_bits[i]) { @@ -248,8 +248,10 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { if (!q->trace_mini) { - q->trace_mini = ck_alloc(MAP_SIZE >> 3); - minimize_bits(q->trace_mini, afl->fsrv.trace_bits); + u32 len = (afl->fsrv.map_size >> 3); + if (len == 0) len = 1; + q->trace_mini = ck_alloc(len); + minimize_bits(afl, q->trace_mini, afl->fsrv.trace_bits); } @@ -268,14 +270,17 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { void cull_queue(afl_state_t *afl) { struct queue_entry *q; - u8 temp_v[MAP_SIZE >> 3]; + u32 len = (afl->fsrv.map_size >> 3); u32 i; + u8 temp_v[MAP_SIZE >> 3]; + + if (len == 0) len = 1; if (afl->dumb_mode || !afl->score_changed) return; afl->score_changed = 0; - memset(temp_v, 255, MAP_SIZE >> 3); + memset(temp_v, 255, len); afl->queued_favored = 0; afl->pending_favored = 0; @@ -292,10 +297,10 @@ void cull_queue(afl_state_t *afl) { /* Let's see if anything in the bitmap isn't captured in temp_v. If yes, and if it has a afl->top_rated[] contender, let's use it. */ - for (i = 0; i < MAP_SIZE; ++i) + for (i = 0; i < afl->fsrv.map_size; ++i) if (afl->top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { - u32 j = MAP_SIZE >> 3; + u32 j = len; /* Remove all bits belonging to the current entry from temp_v. */ diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 4acc204b..517f8d7c 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -88,7 +88,7 @@ static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) { if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1; - *cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + *cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); return 0; } @@ -332,7 +332,7 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) { } - maybe_add_auto(afl, (u8 *)&v, shape); + maybe_add_auto((u8 *)afl, (u8 *)&v, shape); u64 rev; switch (shape) { @@ -340,15 +340,15 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) { case 1: break; case 2: rev = SWAP16((u16)v); - maybe_add_auto(afl, (u8 *)&rev, shape); + maybe_add_auto((u8 *)afl, (u8 *)&rev, shape); break; case 4: rev = SWAP32((u32)v); - maybe_add_auto(afl, (u8 *)&rev, shape); + maybe_add_auto((u8 *)afl, (u8 *)&rev, shape); break; case 8: rev = SWAP64(v); - maybe_add_auto(afl, (u8 *)&rev, shape); + maybe_add_auto((u8 *)afl, (u8 *)&rev, shape); break; } @@ -486,8 +486,8 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { // If failed, add to dictionary if (fails == 8) { - maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape)); - maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape)); + maybe_add_auto((u8 *)afl, o->v0, SHAPE_BYTES(h->shape)); + maybe_add_auto((u8 *)afl, o->v1, SHAPE_BYTES(h->shape)); } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 9bbdd23a..850a18bc 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -44,7 +44,7 @@ u8 run_target(afl_state_t *afl, u32 timeout) { must prevent any earlier operations from venturing into that territory. */ - memset(afl->fsrv.trace_bits, 0, MAP_SIZE); + memset(afl->fsrv.trace_bits, 0, afl->fsrv.map_size); MEM_BARRIER(); @@ -122,9 +122,9 @@ u8 run_target(afl_state_t *afl, u32 timeout) { tb4 = *(u32 *)afl->fsrv.trace_bits; #ifdef WORD_SIZE_64 - classify_counts((u64 *)afl->fsrv.trace_bits); + classify_counts(afl, (u64 *)afl->fsrv.trace_bits); #else - classify_counts((u32 *)afl->fsrv.trace_bits); + classify_counts(afl, (u32 *)afl->fsrv.trace_bits); #endif /* ^WORD_SIZE_64 */ afl->fsrv.prev_timed_out = afl->fsrv.child_timed_out; @@ -315,7 +315,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, afl->shm.cmplog_mode) init_cmplog_forkserver(afl); - if (q->exec_cksum) memcpy(afl->first_trace, afl->fsrv.trace_bits, MAP_SIZE); + if (q->exec_cksum) + memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); start_us = get_cur_time_us(); @@ -336,14 +337,14 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (afl->stop_soon || fault != afl->crash_mode) goto abort_calibration; if (!afl->dumb_mode && !afl->stage_cur && - !count_bytes(afl->fsrv.trace_bits)) { + !count_bytes(afl, afl->fsrv.trace_bits)) { fault = FAULT_NOINST; goto abort_calibration; } - cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); if (q->exec_cksum != cksum) { @@ -354,7 +355,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, u32 i; - for (i = 0; i < MAP_SIZE; ++i) { + for (i = 0; i < afl->fsrv.map_size; ++i) { if (unlikely(!afl->var_bytes[i]) && unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i])) @@ -368,7 +369,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, } else { q->exec_cksum = cksum; - memcpy(afl->first_trace, afl->fsrv.trace_bits, MAP_SIZE); + memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); } @@ -385,7 +386,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, This is used for fuzzing air time calculations in calculate_score(). */ q->exec_us = (stop_us - start_us) / afl->stage_max; - q->bitmap_size = count_bytes(afl->fsrv.trace_bits); + q->bitmap_size = count_bytes(afl, afl->fsrv.trace_bits); q->handicap = handicap; q->cal_failed = 0; @@ -413,7 +414,7 @@ abort_calibration: if (var_detected) { - afl->var_byte_count = count_bytes(afl->var_bytes); + afl->var_byte_count = count_bytes(afl, afl->var_bytes); if (!q->var_behavior) { @@ -640,7 +641,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ - cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); /* If the deletion had no impact on the trace, make it permanent. This isn't perfect for variable-path inputs, but we're just making a @@ -663,7 +664,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { if (!needs_write) { needs_write = 1; - memcpy(afl->clean_trace, afl->fsrv.trace_bits, MAP_SIZE); + memcpy(afl->clean_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); } @@ -705,7 +706,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { ck_write(fd, in_buf, q->len, q->fname); close(fd); - memcpy(afl->fsrv.trace_bits, afl->clean_trace, MAP_SIZE); + memcpy(afl->fsrv.trace_bits, afl->clean_trace, afl->fsrv.map_size); update_bitmap_score(afl, q); } diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index a8c14c31..80039d6f 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -99,6 +99,10 @@ void afl_state_init(afl_state_t *afl) { afl->fsrv.use_stdin = 1; + afl->fsrv.map_size = MAP_SIZE; + afl->fsrv.function_opt = (u8 *)afl; + afl->fsrv.function_ptr = &maybe_add_auto; + afl->cal_cycles = CAL_CYCLES; afl->cal_cycles_long = CAL_CYCLES_LONG; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index ab84bf3f..58a37298 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -37,7 +37,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, u8 fn[PATH_MAX]; s32 fd; FILE * f; - uint32_t t_bytes = count_non_255_bytes(afl->virgin_bits); + uint32_t t_bytes = count_non_255_bytes(afl, afl->virgin_bits); snprintf(fn, PATH_MAX, "%s/fuzzer_stats", afl->out_dir); @@ -258,8 +258,8 @@ void show_stats(afl_state_t *afl) { /* Do some bitmap stats. */ - t_bytes = count_non_255_bytes(afl->virgin_bits); - t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; + t_bytes = count_non_255_bytes(afl, afl->virgin_bits); + t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.map_size; if (likely(t_bytes) && unlikely(afl->var_byte_count)) stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes); @@ -305,7 +305,7 @@ void show_stats(afl_state_t *afl) { /* Compute some mildly useful bitmap stats. */ - t_bits = (MAP_SIZE << 3) - count_bits(afl->virgin_bits); + t_bits = (afl->fsrv.map_size << 3) - count_bits(afl, afl->virgin_bits); /* Now, for the visuals... */ @@ -465,7 +465,8 @@ void show_stats(afl_state_t *afl) { SAYF(bV bSTOP " now processing : " cRST "%-16s " bSTG bV bSTOP, tmp); sprintf(tmp, "%0.02f%% / %0.02f%%", - ((double)afl->queue_cur->bitmap_size) * 100 / MAP_SIZE, t_byte_ratio); + ((double)afl->queue_cur->bitmap_size) * 100 / afl->fsrv.map_size, + t_byte_ratio); SAYF(" map density : %s%-21s" bSTG bV "\n", t_byte_ratio > 70 ? cLRD diff --git a/src/afl-tmin.c b/src/afl-tmin.c index f899a6b5..53e8705d 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -258,7 +258,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, fsrv->child_timed_out = 0; - memset(fsrv->trace_bits, 0, MAP_SIZE); + memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); write_to_testcase(fsrv, mem, len); @@ -393,7 +393,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, } - cksum = hash32(fsrv->trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST); if (first_run) orig_cksum = cksum; -- cgit 1.4.1 From 3ab7fcf5ddcae177314488c34714155798d50c76 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 10 Apr 2020 22:53:59 +0200 Subject: fixed fauxserver msg --- src/afl-forkserver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index d1037194..d1ff0e4d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -85,6 +85,8 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { unsigned char tmp[4] = {0, 0, 0, 0}; pid_t child_pid = -1; + if (!be_quiet) ACTF("Using Fauxserver:"); + /* Phone home and tell the parent that we're OK. If parent isn't there, assume we're not running in forkserver mode and just execute program. */ @@ -167,8 +169,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, int status; s32 rlen; - if (!be_quiet) ACTF("Using Fauxserver:"); - if (!be_quiet) ACTF("Spinning up the fork server..."); if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); -- cgit 1.4.1 From 39e8b918062ee92be03480075fedefcb7801f32a Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 10 Apr 2020 22:54:31 +0200 Subject: code format --- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 5 +++-- src/afl-fuzz.c | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index f387e79c..28f6bf9e 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -517,8 +517,9 @@ bool AFLLTOPass::runOnModule(Module &M) { GlobalVariable *AFLFinalLoc = new GlobalVariable( M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, "__afl_final_loc", 0, GlobalVariable::GeneralDynamicTLSModel, 0, false); - ConstantInt *const_loc = ConstantInt::get(Int32Ty, (((afl_global_id + 8) >> 3) << 3)); - StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); + ConstantInt *const_loc = + ConstantInt::get(Int32Ty, (((afl_global_id + 8) >> 3) << 3)); + StoreInst *StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9de80c72..836393ac 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -923,7 +923,8 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->file_extension) { - snprintf(tmpfile, PATH_MAX, "%s/.cur_input.%s", afl->tmp_dir, afl->file_extension); + snprintf(tmpfile, PATH_MAX, "%s/.cur_input.%s", afl->tmp_dir, + afl->file_extension); } else { -- cgit 1.4.1 From 29ee3a1ffca2aa5a3939beb84d7c6a81621f3355 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Sat, 11 Apr 2020 01:09:07 +0200 Subject: refactored cmplog --- include/afl-fuzz.h | 6 +- include/cmplog.h | 6 + include/forkserver.h | 10 +- src/afl-analyze.c | 10 +- src/afl-common.c | 4 +- src/afl-forkserver.c | 32 ++-- src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-cmplog.c | 477 +----------------------------------------------- src/afl-fuzz-init.c | 6 +- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-run.c | 65 +++---- src/afl-fuzz-stats.c | 6 +- src/afl-fuzz.c | 29 ++- src/afl-showmap.c | 18 +- src/afl-tmin.c | 14 +- 15 files changed, 129 insertions(+), 558 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index edda81e1..97c1f31c 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -439,7 +439,6 @@ typedef struct afl_state { no_arith, /* Skip most arithmetic ops */ shuffle_queue, /* Shuffle input queue? */ bitmap_changed, /* Time to update bitmap? */ - qemu_mode, /* Running in QEMU mode? */ unicorn_mode, /* Running in Unicorn mode? */ use_wine, /* Use WINE with QEMU mode */ skip_requested, /* Skip request, via SIGUSR1 */ @@ -560,7 +559,7 @@ typedef struct afl_state { /* CmpLog */ char *cmplog_binary; - s32 cmplog_child_pid, cmplog_fsrv_pid; + afl_forkserver_t cmplog_fsrv; /* cmplog has its own little forkserver */ /* Custom mutators */ struct custom_mutator *mutator; @@ -878,7 +877,7 @@ void show_init_stats(afl_state_t *); /* Run */ -u8 run_target(afl_state_t *, u32); +u8 run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); void write_to_testcase(afl_state_t *, void *, u32); u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); void sync_fuzzers(afl_state_t *); @@ -922,7 +921,6 @@ void save_cmdline(afl_state_t *, u32, char **); /* CmpLog */ -void init_cmplog_forkserver(afl_state_t *afl); u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len); /* RedQueen */ diff --git a/include/cmplog.h b/include/cmplog.h index 36f8f2c5..4731f779 100644 --- a/include/cmplog.h +++ b/include/cmplog.h @@ -29,6 +29,7 @@ #define _AFL_CMPLOG_H #include "config.h" +#include "forkserver.h" #define CMP_MAP_W 65536 #define CMP_MAP_H 256 @@ -74,5 +75,10 @@ struct cmp_map { }; +/* Execs the child */ + +void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv); + + #endif diff --git a/include/forkserver.h b/include/forkserver.h index 7470dbbc..24fa3e1b 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -66,15 +66,23 @@ typedef struct afl_forkserver { u32 prev_timed_out; /* if prev forkserver run timed out */ + u8 qemu_mode; /* if running in qemu mode or not */ + + char *cmplog_binary; /* the name of the cmplog binary */ + + /* Function to kick off the forkserver child */ + void (*init_child_func)(struct afl_forkserver *fsrv, char **argv); + u8 *function_opt; /* for autodictionary: afl ptr */ void (*function_ptr)(void *afl_tmp, u8 *mem, u32 len); + } afl_forkserver_t; void afl_fsrv_init(afl_forkserver_t *fsrv); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, - volatile u8 *stop_soon_p); + volatile u8 *stop_soon_p, u8 debug_child_output); void afl_fsrv_deinit(afl_forkserver_t *fsrv); void afl_fsrv_killall(); diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 427fbe6d..b0e8afcb 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -36,6 +36,7 @@ #include "hash.h" #include "sharedmem.h" #include "common.h" +#include "forkserver.h" #include #include @@ -57,7 +58,7 @@ static s32 child_pid; /* PID of the tested program */ -u8 *trace_bits; /* SHM with instrumentation bitmap */ +static u8 *trace_bits; /* SHM with instrumentation bitmap */ static u8 *in_file, /* Analyzer input test case */ *prog_in; /* Targeted program input file */ @@ -74,16 +75,15 @@ static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ static s32 dev_null_fd = -1; /* FD to /dev/null */ -u8 edges_only, /* Ignore hit counts? */ +static u8 edges_only, /* Ignore hit counts? */ use_hex_offsets, /* Show hex offsets? */ use_stdin = 1; /* Use stdin for program input? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_timed_out; /* Child timed out? */ -static u8 qemu_mode; - static u8 *target_path; +static u8 qemu_mode; /* Constants used for describing byte behavior. */ @@ -639,7 +639,7 @@ static void handle_stop_sig(int sig) { /* Do basic preparations - persistent fds, filenames, etc. */ -static void set_up_environment(void) { +static void set_up_environment() { u8 *x; diff --git a/src/afl-common.c b/src/afl-common.c index 5216c7e0..7eba6ae4 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -235,7 +235,7 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be " "built\n" " separately by following the instructions in " - "afl->qemu_mode/README.md. " + "qemu_mode/README.md. " "If you\n" " already have the binary installed, you may need to specify " "AFL_PATH in the\n" @@ -332,7 +332,7 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { "Oops, unable to find the '%s' binary. The binary must be " "built\n" " separately by following the instructions in " - "afl->qemu_mode/README.md. " + "qemu_mode/README.md. " "If you\n" " already have the binary installed, you may need to specify " "AFL_PATH in the\n" diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index d1ff0e4d..7ab8a4b5 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -51,6 +51,12 @@ list_t fsrv_list = {.element_prealloc_count = 0}; +static void fsrv_exec_child(afl_forkserver_t *fsrv, char **argv) { + + execv(fsrv->target_path, argv); + +} + /* Initializes the struct */ void afl_fsrv_init(afl_forkserver_t *fsrv) { @@ -73,6 +79,8 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->use_fauxsrv = 0; fsrv->prev_timed_out = 0; + fsrv->init_child_func = fsrv_exec_child; + list_append(&fsrv_list, fsrv); } @@ -163,7 +171,7 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { through a pipe. The other part of this logic is in afl-as.h / llvm_mode */ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, - volatile u8 *stop_soon_p) { + volatile u8 *stop_soon_p, u8 debug_child_output) { int st_pipe[2], ctl_pipe[2]; int status; @@ -171,6 +179,16 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (!be_quiet) ACTF("Spinning up the fork server..."); + if (fsrv->use_fauxsrv) { + + /* TODO: Come up with sone nice way to initalize this all */ + + if (fsrv->init_child_func != fsrv_exec_child) + FATAL("Different forkserver not compatible with fauxserver"); + + fsrv->init_child_func = afl_fauxsrv_execv; + } + if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); fsrv->child_timed_out = 0; @@ -221,7 +239,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, setsid(); - if (!get_afl_env("AFL_DEBUG_CHILD_OUTPUT")) { + if (!(debug_child_output)) { dup2(fsrv->dev_null_fd, 1); dup2(fsrv->dev_null_fd, 2); @@ -283,15 +301,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, "msan_track_origins=0", 0); - if (fsrv->use_fauxsrv) { - - afl_fauxsrv_execv(fsrv, argv); - - } else { - - execv(fsrv->target_path, argv); - - } + fsrv->init_child_func(fsrv, argv); /* Use a distinctive bitmap signature to tell the parent about execv() falling through. */ diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 1c965532..b6a494db 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -645,7 +645,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 new_fault; write_to_testcase(afl, mem, len); - new_fault = run_target(afl, afl->hang_tmout); + new_fault = run_target(afl, &afl->fsrv, afl->hang_tmout); /* A corner case that one user reported bumping into: increasing the timeout actually uncovers a crash. Make sure we don't discard it if diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index ed4be6e4..f9480dc4 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -29,480 +29,21 @@ #include "afl-fuzz.h" #include "cmplog.h" -void init_cmplog_forkserver(afl_state_t *afl) { +typedef struct cmplog_data { +} cmplog_data_t; - int st_pipe[2], ctl_pipe[2]; - int status; - s32 rlen; +void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { - ACTF("Spinning up the cmplog fork server..."); + setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); - if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); + if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) { - afl->fsrv.child_timed_out = 0; - afl->cmplog_fsrv_pid = fork(); - - if (afl->cmplog_fsrv_pid < 0) PFATAL("fork() failed"); - - if (!afl->cmplog_fsrv_pid) { - - /* CHILD PROCESS */ - - struct rlimit r; - - /* Umpf. On OpenBSD, the default fd limit for root users is set to - soft 128. Let's try to fix that... */ - - if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { - - r.rlim_cur = FORKSRV_FD + 2; - setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ - - } - - if (afl->fsrv.mem_limit) { - - r.rlim_max = r.rlim_cur = ((rlim_t)afl->fsrv.mem_limit) << 20; - -#ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ -#else - /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but - according to reliable sources, RLIMIT_DATA covers anonymous - maps - so we should be getting good protection against OOM bugs. */ - - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ -#endif /* ^RLIMIT_AS */ - - } - - /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered - before the dump is complete. */ - - // r.rlim_max = r.rlim_cur = 0; - // setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - - /* Isolate the process and configure standard descriptors. If - afl->fsrv.out_file is specified, stdin is /dev/null; otherwise, - afl->fsrv.out_fd is cloned instead. */ - - setsid(); - - if (!(afl->afl_env.afl_debug_child_output)) { - - dup2(afl->fsrv.dev_null_fd, 1); - dup2(afl->fsrv.dev_null_fd, 2); - - } - - if (!afl->fsrv.use_stdin) { - - dup2(afl->fsrv.dev_null_fd, 0); - - } else { - - dup2(afl->fsrv.out_fd, 0); - close(afl->fsrv.out_fd); - - } - - /* Set up control and status pipes, close the unneeded original fds. */ - - if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); - if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); - - close(ctl_pipe[0]); - close(ctl_pipe[1]); - close(st_pipe[0]); - close(st_pipe[1]); - - close(afl->fsrv.out_dir_fd); - close(afl->fsrv.dev_null_fd); -#ifndef HAVE_ARC4RANDOM - close(afl->fsrv.dev_urandom_fd); -#endif - if (afl->fsrv.plot_file != NULL) fclose(afl->fsrv.plot_file); - - /* This should improve performance a bit, since it stops the linker from - doing extra work post-fork(). */ - - if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); - - /* Set sane defaults for ASAN if nothing else specified. */ - - setenv("ASAN_OPTIONS", - "abort_on_error=1:" - "detect_leaks=0:" - "malloc_context_size=0:" - "symbolize=0:" - "allocator_may_return_null=1", - 0); - - /* MSAN is tricky, because it doesn't support abort_on_error=1 at this - point. So, we do this in a very hacky way. */ - - setenv("MSAN_OPTIONS", - "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" - "abort_on_error=1:" - "malloc_context_size=0:" - "allocator_may_return_null=1:" - "msan_track_origins=0", - 0); - - setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); - - if (!afl->qemu_mode && afl->argv[0] != afl->cmplog_binary) { - - ck_free(afl->argv[0]); - afl->argv[0] = afl->cmplog_binary; - - } - - execv(afl->argv[0], afl->argv); - - /* Use a distinctive bitmap signature to tell the parent about execv() - falling through. */ - - *(u32 *)afl->fsrv.trace_bits = EXEC_FAIL_SIG; - exit(0); - - } - - /* PARENT PROCESS */ - - /* Close the unneeded endpoints. */ - - close(ctl_pipe[0]); - close(st_pipe[1]); - - afl->cmplog_fsrv_ctl_fd = ctl_pipe[1]; - afl->cmplog_fsrv_st_fd = st_pipe[0]; - - /* Wait for the fork server to come up, but don't wait too long. */ - - rlen = 0; - if (afl->fsrv.exec_tmout) { - - rlen = 4; - u32 timeout_ms = afl->fsrv.exec_tmout * FORK_WAIT_MULT; - /* Reuse readfds as exceptfds to see when the child closed the pipe */ - u32 exec_ms = read_timed(afl->cmplog_fsrv_st_fd, &status, rlen, timeout_ms, - &afl->stop_soon); - - if (!exec_ms) { - - PFATAL("Error in timed read"); - - } else if (exec_ms > timeout_ms) { - - afl->fsrv.child_timed_out = 1; - kill(afl->cmplog_fsrv_pid, SIGKILL); - rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); - - } - - } else { - - rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); - - } - - /* If we have a four-byte "hello" message from the server, we're all set. - Otherwise, try to figure out what went wrong. */ - - if (afl->fsrv.child_timed_out) - FATAL( - "Timeout while initializing cmplog fork server (adjusting -t may " - "help)"); - - if (rlen == 4) { - - OKF("All right - fork server is up."); - return; - - } - - if (waitpid(afl->cmplog_fsrv_pid, &status, 0) <= 0) - PFATAL("waitpid() failed"); - - if (WIFSIGNALED(status)) { - - if (afl->fsrv.mem_limit && afl->fsrv.mem_limit < 500 && - afl->fsrv.uses_asan) { - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" - " from the fuzzer! Since it seems to be built with ASAN and you " - "have a\n" - " restrictive memory limit configured, this is expected; please " - "read\n" - " %s/notes_for_asan.md for help.\n", - doc_path); - - } else if (!afl->fsrv.mem_limit) { - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" - " from the fuzzer! There are several probable explanations:\n\n" - - " - The binary is just buggy and explodes entirely on its own. " - "If so, you\n" - " need to fix the underlying problem or find a better " - "replacement.\n\n" - - MSG_FORK_ON_APPLE - - " - Less likely, there is a horrible bug in the fuzzer. If other " - "options\n" - " fail, poke for troubleshooting " - "tips.\n"); - - } else { - - u8 val_buf[STRINGIFY_VAL_SIZE_MAX]; - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" - " from the fuzzer! There are several probable explanations:\n\n" - - " - The current memory limit (%s) is too restrictive, causing " - "the\n" - " target to hit an OOM condition in the dynamic linker. Try " - "bumping up\n" - " the limit with the -m setting in the command line. A simple " - "way confirm\n" - " this diagnosis would be:\n\n" - - MSG_ULIMIT_USAGE - " /path/to/fuzzed_app )\n\n" - - " Tip: you can use http://jwilk.net/software/recidivm to " - "quickly\n" - " estimate the required amount of virtual memory for the " - "binary.\n\n" - - " - The binary is just buggy and explodes entirely on its own. " - "If so, you\n" - " need to fix the underlying problem or find a better " - "replacement.\n\n" - - MSG_FORK_ON_APPLE - - " - Less likely, there is a horrible bug in the fuzzer. If other " - "options\n" - " fail, poke for troubleshooting " - "tips.\n", - stringify_mem_size(val_buf, sizeof(val_buf), - afl->fsrv.mem_limit << 20), - afl->fsrv.mem_limit - 1); - - } - - FATAL("Cmplog fork server crashed with signal %d", WTERMSIG(status)); - - } - - if (*(u32 *)afl->fsrv.trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute target application ('%s')", afl->argv[0]); - - if (afl->fsrv.mem_limit && afl->fsrv.mem_limit < 500 && afl->fsrv.uses_asan) { - - SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. Since it seems to be built " - "with ASAN and\n" - " you have a restrictive memory limit configured, this is " - "expected; please\n" - " read %s/notes_for_asan.md for help.\n", - doc_path); - - } else if (!afl->fsrv.mem_limit) { - - SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. Perhaps there is a horrible " - "bug in the\n" - " fuzzer. Poke for troubleshooting " - "tips.\n"); - - } else { - - u8 val_buf[STRINGIFY_VAL_SIZE_MAX]; - - SAYF( - "\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. There are %s probable " - "explanations:\n\n" - - "%s" - " - The current memory limit (%s) is too restrictive, causing an " - "OOM\n" - " fault in the dynamic linker. This can be fixed with the -m " - "option. A\n" - " simple way to confirm the diagnosis may be:\n\n" - - MSG_ULIMIT_USAGE - " /path/to/fuzzed_app )\n\n" - - " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" - " estimate the required amount of virtual memory for the " - "binary.\n\n" - - " - Less likely, there is a horrible bug in the fuzzer. If other " - "options\n" - " fail, poke for troubleshooting " - "tips.\n", - getenv(DEFER_ENV_VAR) ? "three" : "two", - getenv(DEFER_ENV_VAR) - ? " - You are using deferred forkserver, but __AFL_INIT() is " - "never\n" - " reached before the program terminates.\n\n" - : "", - stringify_mem_size(val_buf, sizeof(val_buf), afl->fsrv.mem_limit << 20), - afl->fsrv.mem_limit - 1); - - } - - FATAL("Cmplog fork server handshake failed"); - -} - -u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { - - int status = 0; - u32 exec_ms; - - u32 tb4; - s32 res; - - afl->fsrv.child_timed_out = 0; - - /* After this memset, afl->fsrv.trace_bits[] are effectively volatile, so we - must prevent any earlier operations from venturing into that - territory. */ - - memset(afl->fsrv.trace_bits, 0, afl->fsrv.map_size); - MEM_BARRIER(); - - /* Since we always have a forkserver (or a fauxserver) running, we can simply - tell them to have at it and read back the pid from it.*/ - - if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) != - 4) { - - if (afl->stop_soon) return 0; - RPFATAL(res, - "Unable to request new process from cmplog fork server (OOM?)"); + ck_free(argv[0]); + argv[0] = fsrv->cmplog_binary; } - if ((res = read(afl->cmplog_fsrv_st_fd, &afl->cmplog_child_pid, 4)) != 4) { - - if (afl->stop_soon) return 0; - RPFATAL(res, - "Unable to request new process from cmplog fork server (OOM?)"); - - } - - if (afl->cmplog_child_pid <= 0) - FATAL("Cmplog fork server is misbehaving (OOM?)"); - - /* Configure timeout, as requested by user, then wait for child to terminate. - */ - exec_ms = - read_timed(afl->cmplog_fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); - - if (exec_ms > timeout) { - - /* If there was no response from forkserver after timeout seconds, - we kill the child. The forkserver should inform us afterwards */ - - kill(afl->cmplog_child_pid, SIGKILL); - afl->fsrv.child_timed_out = 1; - - /* After killing the child, the forkserver should tell us */ - if (!read(afl->cmplog_fsrv_st_fd, &status, 4)) exec_ms = 0; - - } - - if (!exec_ms) { // Something went wrong. - - if (afl->stop_soon) return 0; - SAYF("\n" cLRD "[-] " cRST - "Unable to communicate with fork server. Some possible reasons:\n\n" - " - You've run out of memory. Use -m to increase the the memory " - "limit\n" - " to something higher than %lld.\n" - " - The binary or one of the libraries it uses manages to create\n" - " threads before the forkserver initializes.\n" - " - The binary, at least in some circumstances, exits in a way " - "that\n" - " also kills the parent process - raise() could be the " - "culprit.\n\n" - "If all else fails you can disable the fork server via " - "AFL_NO_FORKSRV=1.\n", - afl->fsrv.mem_limit); - RPFATAL(res, "Unable to communicate with fork server"); - - } - - if (!WIFSTOPPED(status)) afl->cmplog_child_pid = 0; - - if (afl->slowest_exec_ms < exec_ms) afl->slowest_exec_ms = exec_ms; - - ++afl->total_execs; - - /* Any subsequent operations on afl->fsrv.trace_bits must not be moved by the - compiler below this point. Past this location, afl->fsrv.trace_bits[] - behave very normally and do not have to be treated as volatile. */ - - MEM_BARRIER(); - - tb4 = *(u32 *)afl->fsrv.trace_bits; - -#ifdef WORD_SIZE_64 - classify_counts(afl, (u64 *)afl->fsrv.trace_bits); -#else - classify_counts(afl, (u32 *)afl->fsrv.trace_bits); -#endif /* ^WORD_SIZE_64 */ - - afl->cmplog_prev_timed_out = afl->fsrv.child_timed_out; - - /* Report outcome to caller. */ - - if (WIFSIGNALED(status) && !afl->stop_soon) { - - afl->kill_signal = WTERMSIG(status); - - if (afl->fsrv.child_timed_out && afl->kill_signal == SIGKILL) - return FAULT_TMOUT; - - return FAULT_CRASH; - - } - - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ - - if (afl->fsrv.uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { - - afl->kill_signal = 0; - return FAULT_CRASH; - - } - - if ((afl->dumb_mode == 1 || afl->no_forkserver) && tb4 == EXEC_FAIL_SIG) - return FAULT_ERROR; - - return FAULT_NONE; + execv(argv[0], argv); } @@ -524,7 +65,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { write_to_testcase(afl, out_buf, len); - fault = run_cmplog_target(afl, afl->fsrv.exec_tmout); + fault = run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); if (afl->stop_soon) return 1; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 94ce9604..54cc81ef 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1853,8 +1853,6 @@ static void handle_stop_sig(int sig) { if (el->fsrv.child_pid > 0) kill(el->fsrv.child_pid, SIGKILL); if (el->fsrv.fsrv_pid > 0) kill(el->fsrv.fsrv_pid, SIGKILL); - if (el->cmplog_child_pid > 0) kill(el->cmplog_child_pid, SIGKILL); - if (el->cmplog_fsrv_pid > 0) kill(el->cmplog_fsrv_pid, SIGKILL); }); @@ -1988,7 +1986,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { #endif /* ^!__APPLE__ */ - if (!afl->qemu_mode && !afl->unicorn_mode && !afl->dumb_mode && + if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->dumb_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST @@ -2015,7 +2013,7 @@ void check_binary(afl_state_t *afl, u8 *fname) { } - if ((afl->qemu_mode) && + if ((afl->fsrv.qemu_mode) && memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { SAYF("\n" cLRD "[-] " cRST diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 81504e29..a7d7ae18 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -239,7 +239,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { write_to_testcase(afl, retbuf, retlen); - fault = run_target(afl, afl->fsrv.exec_tmout); + fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; if (afl->stop_soon || fault == FAULT_ERROR) { goto abort_trimming; } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 850a18bc..3a178e87 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -27,10 +27,12 @@ #include #include +#include "cmplog.h" + /* Execute target application, monitoring for timeouts. Return status - information. The called program will update afl->fsrv.trace_bits. */ + information. The called program will update afl->fsrv->trace_bits. */ -u8 run_target(afl_state_t *afl, u32 timeout) { +u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { s32 res; u32 exec_ms; @@ -38,46 +40,46 @@ u8 run_target(afl_state_t *afl, u32 timeout) { int status = 0; u32 tb4; - afl->fsrv.child_timed_out = 0; + fsrv->child_timed_out = 0; - /* After this memset, afl->fsrv.trace_bits[] are effectively volatile, so we + /* After this memset, fsrv->trace_bits[] are effectively volatile, so we must prevent any earlier operations from venturing into that territory. */ - memset(afl->fsrv.trace_bits, 0, afl->fsrv.map_size); + memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); /* we have the fork server (or faux server) up and running, so simply tell it to have at it, and then read back PID. */ - if ((res = write(afl->fsrv.fsrv_ctl_fd, &afl->fsrv.prev_timed_out, 4)) != 4) { + if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)) != 4) { if (afl->stop_soon) return 0; RPFATAL(res, "Unable to request new process from fork server (OOM?)"); } - if ((res = read(afl->fsrv.fsrv_st_fd, &afl->fsrv.child_pid, 4)) != 4) { + if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { if (afl->stop_soon) return 0; RPFATAL(res, "Unable to request new process from fork server (OOM?)"); } - if (afl->fsrv.child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); + if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); exec_ms = - read_timed(afl->fsrv.fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); + read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); if (exec_ms > timeout) { /* If there was no response from forkserver after timeout seconds, we kill the child. The forkserver should inform us afterwards */ - kill(afl->fsrv.child_pid, SIGKILL); - afl->fsrv.child_timed_out = 1; - if (read(afl->fsrv.fsrv_st_fd, &status, 4) < 4) exec_ms = 0; + kill(fsrv->child_pid, SIGKILL); + fsrv->child_timed_out = 1; + if (read(fsrv->fsrv_st_fd, &status, 4) < 4) exec_ms = 0; } @@ -104,30 +106,30 @@ u8 run_target(afl_state_t *afl, u32 timeout) { "\n\n" "If all else fails you can disable the fork server via " "AFL_NO_FORKSRV=1.\n", - afl->fsrv.mem_limit); + fsrv->mem_limit); RPFATAL(res, "Unable to communicate with fork server"); } - if (!WIFSTOPPED(status)) afl->fsrv.child_pid = 0; + if (!WIFSTOPPED(status)) fsrv->child_pid = 0; ++afl->total_execs; - /* Any subsequent operations on afl->fsrv.trace_bits must not be moved by the - compiler below this point. Past this location, afl->fsrv.trace_bits[] + /* Any subsequent operations on fsrv->trace_bits must not be moved by the + compiler below this point. Past this location, fsrv->trace_bits[] behave very normally and do not have to be treated as volatile. */ MEM_BARRIER(); - tb4 = *(u32 *)afl->fsrv.trace_bits; + tb4 = *(u32 *)fsrv->trace_bits; #ifdef WORD_SIZE_64 - classify_counts(afl, (u64 *)afl->fsrv.trace_bits); + classify_counts(afl, (u64 *)fsrv->trace_bits); #else - classify_counts(afl, (u32 *)afl->fsrv.trace_bits); + classify_counts(afl, (u32 *)fsrv->trace_bits); #endif /* ^WORD_SIZE_64 */ - afl->fsrv.prev_timed_out = afl->fsrv.child_timed_out; + fsrv->prev_timed_out = fsrv->child_timed_out; /* Report outcome to caller. */ @@ -135,7 +137,7 @@ u8 run_target(afl_state_t *afl, u32 timeout) { afl->kill_signal = WTERMSIG(status); - if (afl->fsrv.child_timed_out && afl->kill_signal == SIGKILL) + if (fsrv->child_timed_out && afl->kill_signal == SIGKILL) return FAULT_TMOUT; return FAULT_CRASH; @@ -145,7 +147,7 @@ u8 run_target(afl_state_t *afl, u32 timeout) { /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and must use a special exit code. */ - if (afl->fsrv.uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { + if (fsrv->uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { afl->kill_signal = 0; return FAULT_CRASH; @@ -309,11 +311,12 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, /* Make sure the forkserver is up before we do anything, and let's not count its spin-up time toward binary calibration. */ - if (!afl->fsrv.fsrv_pid) - afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon); - if (afl->dumb_mode != 1 && !afl->no_forkserver && !afl->cmplog_fsrv_pid && - afl->shm.cmplog_mode) - init_cmplog_forkserver(afl); + if (!afl->fsrv.fsrv_pid) { + if (afl->shm.cmplog_mode && afl->fsrv.init_child_func != cmplog_exec_child) { + FATAL("BUG in afl-fuzz detected. Cmplog mode not set correctly."); + } + afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); + } if (q->exec_cksum) memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size); @@ -329,7 +332,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, write_to_testcase(afl, use_mem, q->len); - fault = run_target(afl, use_tmout); + fault = run_target(afl, &afl->fsrv, use_tmout); /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed, we want to bail out quickly. */ @@ -546,7 +549,7 @@ void sync_fuzzers(afl_state_t *afl) { write_to_testcase(afl, mem, st.st_size); - fault = run_target(afl, afl->fsrv.exec_tmout); + fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); if (afl->stop_soon) goto close_sync; @@ -633,7 +636,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { write_with_gap(afl, in_buf, q->len, remove_pos, trim_avail); - fault = run_target(afl, afl->fsrv.exec_tmout); + fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; if (afl->stop_soon || fault == FAULT_ERROR) goto abort_trimming; @@ -740,7 +743,7 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { write_to_testcase(afl, out_buf, len); - fault = run_target(afl, afl->fsrv.exec_tmout); + fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); if (afl->stop_soon) return 1; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 58a37298..d83a747f 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -124,12 +124,12 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, (unsigned long int)(rus.ru_maxrss >> 10), #endif t_bytes, afl->var_byte_count, afl->use_banner, - afl->unicorn_mode ? "unicorn" : "", afl->qemu_mode ? "qemu " : "", + afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "", afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", afl->persistent_mode ? "persistent " : "", afl->deferred_mode ? "deferred " : "", - (afl->unicorn_mode || afl->qemu_mode || afl->dumb_mode || + (afl->unicorn_mode || afl->fsrv.qemu_mode || afl->dumb_mode || afl->no_forkserver || afl->crash_mode || afl->persistent_mode || afl->deferred_mode) ? "" @@ -820,7 +820,7 @@ void show_init_stats(afl_state_t *afl) { SAYF("\n"); - if (avg_us > ((afl->qemu_mode || afl->unicorn_mode) ? 50000 : 10000)) + if (avg_us > ((afl->fsrv.qemu_mode || afl->unicorn_mode) ? 50000 : 10000)) WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.md.", doc_path); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 836393ac..44c48088 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -24,6 +24,7 @@ */ #include "afl-fuzz.h" +#include "cmplog.h" static u8 *get_libradamsa_path(u8 *own_loc) { @@ -213,6 +214,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { static int stricmp(char const *a, char const *b) { + if (!a || !b) FATAL("Null reference"); + for (;; ++a, ++b) { int d; @@ -498,8 +501,8 @@ int main(int argc, char **argv_orig, char **envp) { case 'Q': /* QEMU mode */ - if (afl->qemu_mode) FATAL("Multiple -Q options not supported"); - afl->qemu_mode = 1; + if (afl->fsrv.qemu_mode) FATAL("Multiple -Q options not supported"); + afl->fsrv.qemu_mode = 1; if (!mem_limit_given) afl->fsrv.mem_limit = MEM_LIMIT_QEMU; @@ -524,7 +527,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'W': /* Wine+QEMU mode */ if (afl->use_wine) FATAL("Multiple -W options not supported"); - afl->qemu_mode = 1; + afl->fsrv.qemu_mode = 1; afl->use_wine = 1; if (!mem_limit_given) afl->fsrv.mem_limit = 0; @@ -748,7 +751,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->dumb_mode) { if (afl->crash_mode) FATAL("-C and -n are mutually exclusive"); - if (afl->qemu_mode) FATAL("-Q and -n are mutually exclusive"); + if (afl->fsrv.qemu_mode) FATAL("-Q and -n are mutually exclusive"); if (afl->unicorn_mode) FATAL("-U and -n are mutually exclusive"); } @@ -816,7 +819,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->afl_env.afl_preload) { - if (afl->qemu_mode) { + if (afl->fsrv.qemu_mode) { u8 *qemu_preload = getenv("QEMU_SET_ENV"); u8 *afl_preload = getenv("AFL_PRELOAD"); @@ -991,7 +994,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->unicorn_mode) FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry"); - if (!afl->qemu_mode) check_binary(afl, afl->cmplog_binary); + if (!afl->fsrv.qemu_mode) check_binary(afl, afl->cmplog_binary); } @@ -999,7 +1002,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->start_time = get_cur_time(); - if (afl->qemu_mode) { + if (afl->fsrv.qemu_mode) { if (afl->use_wine) use_argv = get_wine_argv(argv[0], &afl->fsrv.target_path, argc - optind, @@ -1015,6 +1018,16 @@ int main(int argc, char **argv_orig, char **envp) { } afl->argv = use_argv; + + if (afl->cmplog_binary) { + + SAYF("Spawning cmplog forkserver"); + memcpy(&afl->cmplog_fsrv, &afl->fsrv, sizeof(afl->fsrv)); + afl->cmplog_fsrv.init_child_func = cmplog_exec_child; + afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); + + } + perform_dry_run(afl); cull_queue(afl); @@ -1152,8 +1165,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->fsrv.child_pid > 0) kill(afl->fsrv.child_pid, SIGKILL); if (afl->fsrv.fsrv_pid > 0) kill(afl->fsrv.fsrv_pid, SIGKILL); - if (afl->cmplog_child_pid > 0) kill(afl->cmplog_child_pid, SIGKILL); - if (afl->cmplog_fsrv_pid > 0) kill(afl->cmplog_fsrv_pid, SIGKILL); /* Now that we've killed the forkserver, we wait for it to be able to get * rusage stats. */ if (waitpid(afl->fsrv.fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 2fd17fb1..a8198f79 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -81,8 +81,6 @@ u8 quiet_mode, /* Hide non-essential messages? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_crashed; /* Child crashed? */ -static u8 qemu_mode; - /* Classify tuple counts. Instead of mapping to individual bits, as in afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ @@ -482,7 +480,7 @@ static void handle_stop_sig(int sig) { /* Do basic preparations - persistent fds, filenames, etc. */ -static void set_up_environment(void) { +static void set_up_environment(afl_forkserver_t *fsrv) { setenv("ASAN_OPTIONS", "abort_on_error=1:" @@ -499,7 +497,7 @@ static void set_up_environment(void) { if (get_afl_env("AFL_PRELOAD")) { - if (qemu_mode) { + if (fsrv->qemu_mode) { u8 *qemu_preload = getenv("QEMU_SET_ENV"); u8 *afl_preload = getenv("AFL_PRELOAD"); @@ -798,10 +796,10 @@ int main(int argc, char **argv_orig, char **envp) { case 'Q': - if (qemu_mode) FATAL("Multiple -Q options not supported"); + if (fsrv->qemu_mode) FATAL("Multiple -Q options not supported"); if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_QEMU; - qemu_mode = 1; + fsrv->qemu_mode = 1; break; case 'U': @@ -815,7 +813,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'W': /* Wine+QEMU mode */ if (use_wine) FATAL("Multiple -W options not supported"); - qemu_mode = 1; + fsrv->qemu_mode = 1; use_wine = 1; if (!mem_limit_given) fsrv->mem_limit = 0; @@ -860,7 +858,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->trace_bits = afl_shm_init(&shm, MAP_SIZE, 0); setup_signal_handlers(); - set_up_environment(); + set_up_environment(fsrv); find_binary(fsrv, argv[optind]); @@ -885,7 +883,7 @@ int main(int argc, char **argv_orig, char **envp) { for (i = optind; i < argc; i++) if (strcmp(argv[i], "@@") == 0) arg_offset = i; - if (qemu_mode) { + if (fsrv->qemu_mode) { if (use_wine) use_argv = get_wine_argv(argv[0], &fsrv->target_path, argc - optind, @@ -951,7 +949,7 @@ int main(int argc, char **argv_orig, char **envp) { } - afl_fsrv_start(fsrv, use_argv, &stop_soon); + afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT")? 1 :0); while (done == 0 && (dir_ent = readdir(dir_in))) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 53e8705d..8ad33814 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -80,8 +80,6 @@ u8 crash_mode, /* Crash-centric mode? */ static volatile u8 stop_soon; /* Ctrl-C pressed? */ -static u8 qemu_mode; - /* * forkserver section */ @@ -746,7 +744,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { if (get_afl_env("AFL_PRELOAD")) { - if (qemu_mode) { + if (fsrv->qemu_mode) { u8 *qemu_preload = getenv("QEMU_SET_ENV"); u8 *afl_preload = getenv("AFL_PRELOAD"); @@ -1029,10 +1027,10 @@ int main(int argc, char **argv_orig, char **envp) { case 'Q': - if (qemu_mode) FATAL("Multiple -Q options not supported"); + if (fsrv->qemu_mode) FATAL("Multiple -Q options not supported"); if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_QEMU; - qemu_mode = 1; + fsrv->qemu_mode = 1; break; case 'U': @@ -1046,7 +1044,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'W': /* Wine+QEMU mode */ if (use_wine) FATAL("Multiple -W options not supported"); - qemu_mode = 1; + fsrv->qemu_mode = 1; use_wine = 1; if (!mem_limit_given) fsrv->mem_limit = 0; @@ -1107,7 +1105,7 @@ int main(int argc, char **argv_orig, char **envp) { find_binary(fsrv, argv[optind]); detect_file_args(argv + optind, fsrv->out_file, &fsrv->use_stdin); - if (qemu_mode) { + if (fsrv->qemu_mode) { if (use_wine) use_argv = get_wine_argv(argv[0], &fsrv->target_path, argc - optind, @@ -1133,7 +1131,7 @@ int main(int argc, char **argv_orig, char **envp) { read_initial_file(); - afl_fsrv_start(fsrv, use_argv, &stop_soon); + afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT")? 1 :0); ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); -- cgit 1.4.1 From 68f269437d0f502a5a091a6ed62cf8d71d0148d6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 11 Apr 2020 07:32:42 +0200 Subject: Autodictionary (#309) * lto module clean-up * step 1/3 * step 1/3 completed * if tmp is ever made non-static * parts 2 and 3 - autodictionary is complete * variable map_size support * variable map size: changed overlooked functions * remove debug for autodict * 64 bit alignment of map size * fix review comments * force 64 bit alignment on both sides * typo * better map transfer, display snapshot in UI * update readme --- include/forkserver.h | 1 - llvm_mode/README.lto.md | 3 +- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 45 ++- llvm_mode/afl-llvm-rt.o.c | 4 +- src/afl-forkserver.c | 23 +- src/afl-fuzz-cmplog.c | 468 ++++++++++++++++++++++++++- src/afl-fuzz-stats.c | 26 +- 7 files changed, 528 insertions(+), 42 deletions(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index 24fa3e1b..e1707429 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -77,7 +77,6 @@ typedef struct afl_forkserver { void (*function_ptr)(void *afl_tmp, u8 *mem, u32 len); - } afl_forkserver_t; void afl_fsrv_init(afl_forkserver_t *fsrv); diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index 48d0e36c..9fc444df 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -50,7 +50,8 @@ Example build output from a libtiff build: libtool: link: afl-clang-lto -g -O2 -Wall -W -o thumbnail thumbnail.o ../libtiff/.libs/libtiff.a ../port/.libs/libport.a -llzma -ljbig -ljpeg -lz -lm afl-clang-lto++2.63d by Marc "vanHauser" Heuse in mode LTO afl-llvm-lto++2.63d by Marc "vanHauser" Heuse -[+] Instrumented 11836 locations with no collisions (on average 1007 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode). +AUTODICTIONARY: 11 strings found +[+] Instrumented 12071 locations with no collisions (on average 1046 collisions would be in afl-gcc/afl-clang-fast) (non-hardened mode). ``` ## Building llvm 11 diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index 28f6bf9e..5cdf0b70 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -468,15 +468,13 @@ bool AFLLTOPass::runOnModule(Module &M) { TmpConstStr.append("\0", 1); ConstStr = StringRef(TmpConstStr); - if (isSizedcmp && constLen > sizedLen) { constLen = sizedLen; } + if (isSizedcmp && constLen > sizedLen) constLen = sizedLen; - /* - if (!be_quiet) - errs() << callInst->getCalledFunction()->getName() << ": len " - << constLen << ": " << ConstStr << "\n"; - */ + if (debug) + errs() << callInst->getCalledFunction()->getName() << ": len " + << constLen << ": " << ConstStr << "\n"; - if (constLen && constLen < MAX_DICT_FILE) + if (constLen >= MIN_AUTO_EXTRA && constLen <= MAX_DICT_FILE) dictionary.push_back(ConstStr.str().substr(0, constLen)); } @@ -514,14 +512,22 @@ bool AFLLTOPass::runOnModule(Module &M) { if (getenv("AFL_LLVM_LTO_DONTWRITEID") == NULL) { - GlobalVariable *AFLFinalLoc = new GlobalVariable( - M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, "__afl_final_loc", - 0, GlobalVariable::GeneralDynamicTLSModel, 0, false); - ConstantInt *const_loc = - ConstantInt::get(Int32Ty, (((afl_global_id + 8) >> 3) << 3)); - StoreInst *StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); - StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), - MDNode::get(C, None)); + uint32_t write_loc = afl_global_id; + + if (afl_global_id % 8) write_loc = (((afl_global_id + 8) >> 3) << 3); + + if (write_loc <= MAP_SIZE && write_loc <= 0x800000) { + + GlobalVariable *AFLFinalLoc = new GlobalVariable( + M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, + "__afl_final_loc", 0, GlobalVariable::GeneralDynamicTLSModel, 0, + false); + ConstantInt *const_loc = ConstantInt::get(Int32Ty, write_loc); + StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); + StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + } } @@ -537,7 +543,9 @@ bool AFLLTOPass::runOnModule(Module &M) { } - if (!be_quiet) printf("AUTODICTIONARY: %lu strings found\n", count); + if (!be_quiet) + printf("AUTODICTIONARY: %lu string%s found\n", count, + count == 1 ? "" : "s"); if (count) { @@ -549,13 +557,16 @@ bool AFLLTOPass::runOnModule(Module &M) { } + count = 0; + for (auto token : dictionary) { - if (offset + token.length() < 0xfffff0) { + if (offset + token.length() < 0xfffff0 && count < MAX_AUTO_EXTRAS) { ptr[offset++] = (uint8_t)token.length(); memcpy(ptr + offset, token.c_str(), token.length()); offset += token.length(); + count++; } diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index cbc4648d..3ad9eab4 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -208,7 +208,7 @@ static void __afl_start_snapshots(void) { assume we're not running in forkserver mode and just execute program. */ status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT); - if (map_size <= 0x1000000) + if (map_size <= 0x800000) status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE); if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT; memcpy(tmp, &status, 4); @@ -373,7 +373,7 @@ static void __afl_start_forkserver(void) { void (*old_sigchld_handler)(int) = 0; // = signal(SIGCHLD, SIG_DFL); - if (map_size <= 0x1000000) + if (map_size <= 0x800000) status |= (FS_OPT_SET_MAPSIZE(map_size) | FS_OPT_MAPSIZE); if (__afl_dictionary_len > 0 && __afl_dictionary) status |= FS_OPT_AUTODICT; if (status) status |= (FS_OPT_ENABLED); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 7ab8a4b5..3c0ad4a2 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -367,23 +367,28 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_MAPSIZE) == FS_OPT_MAPSIZE) { fsrv->map_size = FS_OPT_GET_MAPSIZE(status); - if (fsrv->map_size % 8) + if (fsrv->map_size % 8) // should not happen fsrv->map_size = (((fsrv->map_size + 8) >> 3) << 3); if (!be_quiet) ACTF("Target map size: %u", fsrv->map_size); + if (fsrv->map_size > MAP_SIZE) + FATAL( + "Target's coverage map size of %u is larger than the one this " + "afl++ is compiled with (%u)\n", + fsrv->map_size, MAP_SIZE); } - if (fsrv->function_ptr == NULL || fsrv->function_opt == NULL) { + if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) { - // this is not afl-fuzz - we deny and return - status = (0xffffffff ^ (FS_OPT_ENABLED | FS_OPT_AUTODICT)); - if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) - FATAL("Writing to forkserver failed."); - return; + if (fsrv->function_ptr == NULL || fsrv->function_opt == NULL) { - } + // this is not afl-fuzz - we deny and return + status = (0xffffffff ^ (FS_OPT_ENABLED | FS_OPT_AUTODICT)); + if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) + FATAL("Writing to forkserver failed."); + return; - if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) { + } if (!be_quiet) ACTF("Using AUTODICT feature."); status = (FS_OPT_ENABLED | FS_OPT_AUTODICT); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index f9480dc4..4d8bb58f 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -38,12 +38,479 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) { +#if 0 + afl->fsrv.child_timed_out = 0; + afl->cmplog_fsrv_pid = fork(); + + if (afl->cmplog_fsrv_pid < 0) PFATAL("fork() failed"); + + if (!afl->cmplog_fsrv_pid) { + + /* CHILD PROCESS */ + + struct rlimit r; + + /* Umpf. On OpenBSD, the default fd limit for root users is set to + soft 128. Let's try to fix that... */ + + if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { + + r.rlim_cur = FORKSRV_FD + 2; + setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ + + } + + if (afl->fsrv.mem_limit) { + + r.rlim_max = r.rlim_cur = ((rlim_t)afl->fsrv.mem_limit) << 20; + +#ifdef RLIMIT_AS + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ +#else + /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but + according to reliable sources, RLIMIT_DATA covers anonymous + maps - so we should be getting good protection against OOM bugs. */ + + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ +#endif /* ^RLIMIT_AS */ + + } + + /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered + before the dump is complete. */ + + // r.rlim_max = r.rlim_cur = 0; + // setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + + /* Isolate the process and configure standard descriptors. If + afl->fsrv.out_file is specified, stdin is /dev/null; otherwise, + afl->fsrv.out_fd is cloned instead. */ + + setsid(); + + if (!(afl->afl_env.afl_debug_child_output)) { + + dup2(afl->fsrv.dev_null_fd, 1); + dup2(afl->fsrv.dev_null_fd, 2); + + } + + if (!afl->fsrv.use_stdin) { + + dup2(afl->fsrv.dev_null_fd, 0); + + } else { + + dup2(afl->fsrv.out_fd, 0); + close(afl->fsrv.out_fd); + + } + + /* Set up control and status pipes, close the unneeded original fds. */ + + if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); + if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); + + close(ctl_pipe[0]); + close(ctl_pipe[1]); + close(st_pipe[0]); + close(st_pipe[1]); + + close(afl->fsrv.out_dir_fd); + close(afl->fsrv.dev_null_fd); +#ifndef HAVE_ARC4RANDOM + close(afl->fsrv.dev_urandom_fd); +#endif + if (afl->fsrv.plot_file != NULL) fclose(afl->fsrv.plot_file); + + /* This should improve performance a bit, since it stops the linker from + doing extra work post-fork(). */ + + if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); + + /* Set sane defaults for ASAN if nothing else specified. */ + + setenv("ASAN_OPTIONS", + "abort_on_error=1:" + "detect_leaks=0:" + "malloc_context_size=0:" + "symbolize=0:" + "allocator_may_return_null=1", + 0); + + /* MSAN is tricky, because it doesn't support abort_on_error=1 at this + point. So, we do this in a very hacky way. */ + + setenv("MSAN_OPTIONS", + "exit_code=" STRINGIFY(MSAN_ERROR) ":" + "symbolize=0:" + "abort_on_error=1:" + "malloc_context_size=0:" + "allocator_may_return_null=1:" + "msan_track_origins=0", + 0); + + setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); + + if (!afl->qemu_mode && afl->argv[0] != afl->cmplog_binary) { + + ck_free(afl->argv[0]); + afl->argv[0] = afl->cmplog_binary; + + } + + execv(afl->argv[0], afl->argv); + + /* Use a distinctive bitmap signature to tell the parent about execv() + falling through. */ + + *(u32 *)afl->fsrv.trace_bits = EXEC_FAIL_SIG; + exit(0); + + } + + /* PARENT PROCESS */ + + /* Close the unneeded endpoints. */ + + close(ctl_pipe[0]); + close(st_pipe[1]); + + afl->cmplog_fsrv_ctl_fd = ctl_pipe[1]; + afl->cmplog_fsrv_st_fd = st_pipe[0]; + + /* Wait for the fork server to come up, but don't wait too long. */ + + rlen = 0; + if (afl->fsrv.exec_tmout) { + + rlen = 4; + u32 timeout_ms = afl->fsrv.exec_tmout * FORK_WAIT_MULT; + /* Reuse readfds as exceptfds to see when the child closed the pipe */ + u32 exec_ms = read_timed(afl->cmplog_fsrv_st_fd, &status, rlen, timeout_ms, + &afl->stop_soon); + + if (!exec_ms) { + + PFATAL("Error in timed read"); + + } else if (exec_ms > timeout_ms) { + + afl->fsrv.child_timed_out = 1; + kill(afl->cmplog_fsrv_pid, SIGKILL); + rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); + + } + + } else { + + rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); + + } + + /* If we have a four-byte "hello" message from the server, we're all set. + Otherwise, try to figure out what went wrong. */ + + if (afl->fsrv.child_timed_out) + FATAL( + "Timeout while initializing cmplog fork server (adjusting -t may " + "help)"); + + if (rlen == 4) { + + OKF("All right - fork server is up."); + return; + + } + + if (waitpid(afl->cmplog_fsrv_pid, &status, 0) <= 0) + PFATAL("waitpid() failed"); + + if (WIFSIGNALED(status)) { + + if (afl->fsrv.mem_limit && afl->fsrv.mem_limit < 500 && + afl->fsrv.uses_asan) { + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, " + "before receiving any input\n" + " from the fuzzer! Since it seems to be built with ASAN and you " + "have a\n" + " restrictive memory limit configured, this is expected; please " + "read\n" + " %s/notes_for_asan.md for help.\n", + doc_path); + + } else if (!afl->fsrv.mem_limit) { + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, " + "before receiving any input\n" + " from the fuzzer! There are several probable explanations:\n\n" + + " - The binary is just buggy and explodes entirely on its own. " + "If so, you\n" + " need to fix the underlying problem or find a better " + "replacement.\n\n" + + MSG_FORK_ON_APPLE + + " - Less likely, there is a horrible bug in the fuzzer. If other " + "options\n" + " fail, poke for troubleshooting " + "tips.\n"); + + } else { + + u8 val_buf[STRINGIFY_VAL_SIZE_MAX]; + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, " + "before receiving any input\n" + " from the fuzzer! There are several probable explanations:\n\n" + + " - The current memory limit (%s) is too restrictive, causing " + "the\n" + " target to hit an OOM condition in the dynamic linker. Try " + "bumping up\n" + " the limit with the -m setting in the command line. A simple " + "way confirm\n" + " this diagnosis would be:\n\n" + + MSG_ULIMIT_USAGE + " /path/to/fuzzed_app )\n\n" + + " Tip: you can use http://jwilk.net/software/recidivm to " + "quickly\n" + " estimate the required amount of virtual memory for the " + "binary.\n\n" + + " - The binary is just buggy and explodes entirely on its own. " + "If so, you\n" + " need to fix the underlying problem or find a better " + "replacement.\n\n" + + MSG_FORK_ON_APPLE + + " - Less likely, there is a horrible bug in the fuzzer. If other " + "options\n" + " fail, poke for troubleshooting " + "tips.\n", + stringify_mem_size(val_buf, sizeof(val_buf), + afl->fsrv.mem_limit << 20), + afl->fsrv.mem_limit - 1); + + } + + FATAL("Cmplog fork server crashed with signal %d", WTERMSIG(status)); + + } + + if (*(u32 *)afl->fsrv.trace_bits == EXEC_FAIL_SIG) + FATAL("Unable to execute target application ('%s')", afl->argv[0]); + + if (afl->fsrv.mem_limit && afl->fsrv.mem_limit < 500 && afl->fsrv.uses_asan) { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated " + "before we could complete a\n" + " handshake with the injected code. Since it seems to be built " + "with ASAN and\n" + " you have a restrictive memory limit configured, this is " + "expected; please\n" + " read %s/notes_for_asan.md for help.\n", + doc_path); + + } else if (!afl->fsrv.mem_limit) { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated " + "before we could complete a\n" + " handshake with the injected code. Perhaps there is a horrible " + "bug in the\n" + " fuzzer. Poke for troubleshooting " + "tips.\n"); + + } else { + + u8 val_buf[STRINGIFY_VAL_SIZE_MAX]; + + SAYF( + "\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated " + "before we could complete a\n" + " handshake with the injected code. There are %s probable " + "explanations:\n\n" + + "%s" + " - The current memory limit (%s) is too restrictive, causing an " + "OOM\n" + " fault in the dynamic linker. This can be fixed with the -m " + "option. A\n" + " simple way to confirm the diagnosis may be:\n\n" + + MSG_ULIMIT_USAGE + " /path/to/fuzzed_app )\n\n" + + " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" + " estimate the required amount of virtual memory for the " + "binary.\n\n" + + " - Less likely, there is a horrible bug in the fuzzer. If other " + "options\n" + " fail, poke for troubleshooting " + "tips.\n", + getenv(DEFER_ENV_VAR) ? "three" : "two", + getenv(DEFER_ENV_VAR) + ? " - You are using deferred forkserver, but __AFL_INIT() is " + "never\n" + " reached before the program terminates.\n\n" + : "", + stringify_mem_size(val_buf, sizeof(val_buf), afl->fsrv.mem_limit << 20), + afl->fsrv.mem_limit - 1); + + } + + FATAL("Cmplog fork server handshake failed"); + +} + +u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { + + int status = 0; + u32 exec_ms; + + u32 tb4; + s32 res; + + afl->fsrv.child_timed_out = 0; + + /* After this memset, afl->fsrv.trace_bits[] are effectively volatile, so we + must prevent any earlier operations from venturing into that + territory. */ + + memset(afl->fsrv.trace_bits, 0, afl->fsrv.map_size); + MEM_BARRIER(); + + /* Since we always have a forkserver (or a fauxserver) running, we can simply + tell them to have at it and read back the pid from it.*/ + + if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) != + 4) { + + if (afl->stop_soon) return 0; + RPFATAL(res, + "Unable to request new process from cmplog fork server (OOM?)"); + + } + + if ((res = read(afl->cmplog_fsrv_st_fd, &afl->cmplog_child_pid, 4)) != 4) { + + if (afl->stop_soon) return 0; + RPFATAL(res, + "Unable to request new process from cmplog fork server (OOM?)"); + + } + + if (afl->cmplog_child_pid <= 0) + FATAL("Cmplog fork server is misbehaving (OOM?)"); + + /* Configure timeout, as requested by user, then wait for child to terminate. + */ + exec_ms = + read_timed(afl->cmplog_fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); + + if (exec_ms > timeout) { + + /* If there was no response from forkserver after timeout seconds, + we kill the child. The forkserver should inform us afterwards */ + + kill(afl->cmplog_child_pid, SIGKILL); + afl->fsrv.child_timed_out = 1; + + /* After killing the child, the forkserver should tell us */ + if (!read(afl->cmplog_fsrv_st_fd, &status, 4)) exec_ms = 0; + + } + + if (!exec_ms) { // Something went wrong. + + if (afl->stop_soon) return 0; + SAYF("\n" cLRD "[-] " cRST + "Unable to communicate with fork server. Some possible reasons:\n\n" + " - You've run out of memory. Use -m to increase the the memory " + "limit\n" + " to something higher than %lld.\n" + " - The binary or one of the libraries it uses manages to create\n" + " threads before the forkserver initializes.\n" + " - The binary, at least in some circumstances, exits in a way " + "that\n" + " also kills the parent process - raise() could be the " + "culprit.\n\n" + "If all else fails you can disable the fork server via " + "AFL_NO_FORKSRV=1.\n", + afl->fsrv.mem_limit); + RPFATAL(res, "Unable to communicate with fork server"); + + } + + if (!WIFSTOPPED(status)) afl->cmplog_child_pid = 0; + + if (afl->slowest_exec_ms < exec_ms) afl->slowest_exec_ms = exec_ms; + + ++afl->total_execs; + + /* Any subsequent operations on afl->fsrv.trace_bits must not be moved by the + compiler below this point. Past this location, afl->fsrv.trace_bits[] + behave very normally and do not have to be treated as volatile. */ + + MEM_BARRIER(); + + tb4 = *(u32 *)afl->fsrv.trace_bits; + +#ifdef WORD_SIZE_64 + classify_counts(afl, (u64 *)afl->fsrv.trace_bits); +#else + classify_counts(afl, (u32 *)afl->fsrv.trace_bits); +#endif /* ^WORD_SIZE_64 */ + + afl->cmplog_prev_timed_out = afl->fsrv.child_timed_out; + + /* Report outcome to caller. */ + + if (WIFSIGNALED(status) && !afl->stop_soon) { + + afl->kill_signal = WTERMSIG(status); + + if (afl->fsrv.child_timed_out && afl->kill_signal == SIGKILL) + return FAULT_TMOUT; + + return FAULT_CRASH; + + } + + /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and + must use a special exit code. */ + + if (afl->fsrv.uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { + + afl->kill_signal = 0; + return FAULT_CRASH; + + } + + if ((afl->dumb_mode == 1 || afl->no_forkserver) && tb4 == EXEC_FAIL_SIG) + return FAULT_ERROR; + + return FAULT_NONE; +#else ck_free(argv[0]); argv[0] = fsrv->cmplog_binary; } execv(argv[0], argv); +#endif } @@ -104,4 +571,3 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { return 0; } - diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d83a747f..65876f67 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -366,9 +366,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -450,9 +450,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -482,9 +482,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -558,7 +558,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); @@ -737,6 +737,8 @@ void show_stats(afl_state_t *afl) { if (afl->cpu_core_count) { + char *spacing = SP10, snap[24] = " " cLGN "snapshot" cRST " "; + double cur_runnable = get_runnable_processes(); u32 cur_utilization = cur_runnable * 100 / afl->cpu_core_count; @@ -751,23 +753,25 @@ void show_stats(afl_state_t *afl) { if (!afl->no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; + if (afl->fsrv.snapshot) spacing = snap; + #ifdef HAVE_AFFINITY if (afl->cpu_aff >= 0) { - SAYF(SP10 cGRA "[cpu%03u:%s%3u%%" cGRA "]\r" cRST, MIN(afl->cpu_aff, 999), - cpu_color, MIN(cur_utilization, 999)); + SAYF("%s" cGRA "[cpu%03u:%s%3u%%" cGRA "]\r" cRST, spacing, + MIN(afl->cpu_aff, 999), cpu_color, MIN(cur_utilization, 999)); } else { - SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, cpu_color, + SAYF("%s" cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, spacing, cpu_color, MIN(cur_utilization, 999)); } #else - SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, cpu_color, + SAYF("%s" cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, spacing, cpu_color, MIN(cur_utilization, 999)); #endif /* ^HAVE_AFFINITY */ -- cgit 1.4.1 From 32ba60185eba8a3ae8eeba0b5830d1bb43e38473 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 11 Apr 2020 08:02:54 +0200 Subject: more refactoring and update changelog --- docs/Changelog.md | 11 +- include/afl-fuzz.h | 7 +- include/cmplog.h | 1 - include/forkserver.h | 2 +- src/afl-analyze.c | 6 +- src/afl-forkserver.c | 1 + src/afl-fuzz-cmplog.c | 469 +----------------------------------------------- src/afl-fuzz-mutators.c | 6 +- src/afl-fuzz-run.c | 14 +- src/afl-fuzz-state.c | 7 + src/afl-fuzz.c | 10 +- src/afl-showmap.c | 3 +- src/afl-tmin.c | 3 +- 13 files changed, 50 insertions(+), 490 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 0ec330a7..a1b55a69 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,7 +10,16 @@ sending a mail to . ### Version ++2.63d (development): - - LTO mode now requires llvm11 - but compiles all targets! :) + - llvm_mode LTO mode: + - now requires llvm11 - but compiles all targets! :) + - autodictionary feature added, enable with AFL_LLVM_LTO_AUTODICTIONARY + - variable map size usage + - afl-fuzz: + - variable map size support added (only LTO mode can use this) + - snapshot feature usage now visible in UI + - extended forkserver: map_size and more information is communicated to + afl-fuzz (and afl-fuzz acts accordingly) + - more refactoring - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed (this bug is in vanilla afl too) diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 97c1f31c..1440b645 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -331,7 +331,8 @@ typedef struct afl_env_vars { u8 afl_skip_cpufreq, afl_exit_when_done, afl_no_affinity, afl_skip_bin_check, afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui, afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, - afl_bench_until_crash, afl_debug_child_output, afl_autoresume; + afl_bench_until_crash, afl_debug_child_output, afl_autoresume, + afl_cal_fast; u8 *afl_tmpdir, *afl_post_library, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, @@ -558,7 +559,7 @@ typedef struct afl_state { /* CmpLog */ - char *cmplog_binary; + char * cmplog_binary; afl_forkserver_t cmplog_fsrv; /* cmplog has its own little forkserver */ /* Custom mutators */ @@ -921,7 +922,7 @@ void save_cmdline(afl_state_t *, u32, char **); /* CmpLog */ -u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len); +u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len); /* RedQueen */ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, diff --git a/include/cmplog.h b/include/cmplog.h index 4731f779..74e6a3bb 100644 --- a/include/cmplog.h +++ b/include/cmplog.h @@ -79,6 +79,5 @@ struct cmp_map { void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv); - #endif diff --git a/include/forkserver.h b/include/forkserver.h index e1707429..444f92df 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -68,7 +68,7 @@ typedef struct afl_forkserver { u8 qemu_mode; /* if running in qemu mode or not */ - char *cmplog_binary; /* the name of the cmplog binary */ + char *cmplog_binary; /* the name of the cmplog binary */ /* Function to kick off the forkserver child */ void (*init_child_func)(struct afl_forkserver *fsrv, char **argv); diff --git a/src/afl-analyze.c b/src/afl-analyze.c index b0e8afcb..66dbefab 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -58,7 +58,7 @@ static s32 child_pid; /* PID of the tested program */ -static u8 *trace_bits; /* SHM with instrumentation bitmap */ +static u8 *trace_bits; /* SHM with instrumentation bitmap */ static u8 *in_file, /* Analyzer input test case */ *prog_in; /* Targeted program input file */ @@ -75,7 +75,7 @@ static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ static s32 dev_null_fd = -1; /* FD to /dev/null */ -static u8 edges_only, /* Ignore hit counts? */ +static u8 edges_only, /* Ignore hit counts? */ use_hex_offsets, /* Show hex offsets? */ use_stdin = 1; /* Use stdin for program input? */ @@ -83,7 +83,7 @@ static volatile u8 stop_soon, /* Ctrl-C pressed? */ child_timed_out; /* Child timed out? */ static u8 *target_path; -static u8 qemu_mode; +static u8 qemu_mode; /* Constants used for describing byte behavior. */ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 3c0ad4a2..a7067791 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -187,6 +187,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, FATAL("Different forkserver not compatible with fauxserver"); fsrv->init_child_func = afl_fauxsrv_execv; + } if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 4d8bb58f..6f201013 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -30,6 +30,7 @@ #include "cmplog.h" typedef struct cmplog_data { + } cmplog_data_t; void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { @@ -38,479 +39,12 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) { -#if 0 - afl->fsrv.child_timed_out = 0; - afl->cmplog_fsrv_pid = fork(); - - if (afl->cmplog_fsrv_pid < 0) PFATAL("fork() failed"); - - if (!afl->cmplog_fsrv_pid) { - - /* CHILD PROCESS */ - - struct rlimit r; - - /* Umpf. On OpenBSD, the default fd limit for root users is set to - soft 128. Let's try to fix that... */ - - if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { - - r.rlim_cur = FORKSRV_FD + 2; - setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ - - } - - if (afl->fsrv.mem_limit) { - - r.rlim_max = r.rlim_cur = ((rlim_t)afl->fsrv.mem_limit) << 20; - -#ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ -#else - /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but - according to reliable sources, RLIMIT_DATA covers anonymous - maps - so we should be getting good protection against OOM bugs. */ - - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ -#endif /* ^RLIMIT_AS */ - - } - - /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered - before the dump is complete. */ - - // r.rlim_max = r.rlim_cur = 0; - // setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - - /* Isolate the process and configure standard descriptors. If - afl->fsrv.out_file is specified, stdin is /dev/null; otherwise, - afl->fsrv.out_fd is cloned instead. */ - - setsid(); - - if (!(afl->afl_env.afl_debug_child_output)) { - - dup2(afl->fsrv.dev_null_fd, 1); - dup2(afl->fsrv.dev_null_fd, 2); - - } - - if (!afl->fsrv.use_stdin) { - - dup2(afl->fsrv.dev_null_fd, 0); - - } else { - - dup2(afl->fsrv.out_fd, 0); - close(afl->fsrv.out_fd); - - } - - /* Set up control and status pipes, close the unneeded original fds. */ - - if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); - if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); - - close(ctl_pipe[0]); - close(ctl_pipe[1]); - close(st_pipe[0]); - close(st_pipe[1]); - - close(afl->fsrv.out_dir_fd); - close(afl->fsrv.dev_null_fd); -#ifndef HAVE_ARC4RANDOM - close(afl->fsrv.dev_urandom_fd); -#endif - if (afl->fsrv.plot_file != NULL) fclose(afl->fsrv.plot_file); - - /* This should improve performance a bit, since it stops the linker from - doing extra work post-fork(). */ - - if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); - - /* Set sane defaults for ASAN if nothing else specified. */ - - setenv("ASAN_OPTIONS", - "abort_on_error=1:" - "detect_leaks=0:" - "malloc_context_size=0:" - "symbolize=0:" - "allocator_may_return_null=1", - 0); - - /* MSAN is tricky, because it doesn't support abort_on_error=1 at this - point. So, we do this in a very hacky way. */ - - setenv("MSAN_OPTIONS", - "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" - "abort_on_error=1:" - "malloc_context_size=0:" - "allocator_may_return_null=1:" - "msan_track_origins=0", - 0); - - setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); - - if (!afl->qemu_mode && afl->argv[0] != afl->cmplog_binary) { - - ck_free(afl->argv[0]); - afl->argv[0] = afl->cmplog_binary; - - } - - execv(afl->argv[0], afl->argv); - - /* Use a distinctive bitmap signature to tell the parent about execv() - falling through. */ - - *(u32 *)afl->fsrv.trace_bits = EXEC_FAIL_SIG; - exit(0); - - } - - /* PARENT PROCESS */ - - /* Close the unneeded endpoints. */ - - close(ctl_pipe[0]); - close(st_pipe[1]); - - afl->cmplog_fsrv_ctl_fd = ctl_pipe[1]; - afl->cmplog_fsrv_st_fd = st_pipe[0]; - - /* Wait for the fork server to come up, but don't wait too long. */ - - rlen = 0; - if (afl->fsrv.exec_tmout) { - - rlen = 4; - u32 timeout_ms = afl->fsrv.exec_tmout * FORK_WAIT_MULT; - /* Reuse readfds as exceptfds to see when the child closed the pipe */ - u32 exec_ms = read_timed(afl->cmplog_fsrv_st_fd, &status, rlen, timeout_ms, - &afl->stop_soon); - - if (!exec_ms) { - - PFATAL("Error in timed read"); - - } else if (exec_ms > timeout_ms) { - - afl->fsrv.child_timed_out = 1; - kill(afl->cmplog_fsrv_pid, SIGKILL); - rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); - - } - - } else { - - rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); - - } - - /* If we have a four-byte "hello" message from the server, we're all set. - Otherwise, try to figure out what went wrong. */ - - if (afl->fsrv.child_timed_out) - FATAL( - "Timeout while initializing cmplog fork server (adjusting -t may " - "help)"); - - if (rlen == 4) { - - OKF("All right - fork server is up."); - return; - - } - - if (waitpid(afl->cmplog_fsrv_pid, &status, 0) <= 0) - PFATAL("waitpid() failed"); - - if (WIFSIGNALED(status)) { - - if (afl->fsrv.mem_limit && afl->fsrv.mem_limit < 500 && - afl->fsrv.uses_asan) { - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" - " from the fuzzer! Since it seems to be built with ASAN and you " - "have a\n" - " restrictive memory limit configured, this is expected; please " - "read\n" - " %s/notes_for_asan.md for help.\n", - doc_path); - - } else if (!afl->fsrv.mem_limit) { - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" - " from the fuzzer! There are several probable explanations:\n\n" - - " - The binary is just buggy and explodes entirely on its own. " - "If so, you\n" - " need to fix the underlying problem or find a better " - "replacement.\n\n" - - MSG_FORK_ON_APPLE - - " - Less likely, there is a horrible bug in the fuzzer. If other " - "options\n" - " fail, poke for troubleshooting " - "tips.\n"); - - } else { - - u8 val_buf[STRINGIFY_VAL_SIZE_MAX]; - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, " - "before receiving any input\n" - " from the fuzzer! There are several probable explanations:\n\n" - - " - The current memory limit (%s) is too restrictive, causing " - "the\n" - " target to hit an OOM condition in the dynamic linker. Try " - "bumping up\n" - " the limit with the -m setting in the command line. A simple " - "way confirm\n" - " this diagnosis would be:\n\n" - - MSG_ULIMIT_USAGE - " /path/to/fuzzed_app )\n\n" - - " Tip: you can use http://jwilk.net/software/recidivm to " - "quickly\n" - " estimate the required amount of virtual memory for the " - "binary.\n\n" - - " - The binary is just buggy and explodes entirely on its own. " - "If so, you\n" - " need to fix the underlying problem or find a better " - "replacement.\n\n" - - MSG_FORK_ON_APPLE - - " - Less likely, there is a horrible bug in the fuzzer. If other " - "options\n" - " fail, poke for troubleshooting " - "tips.\n", - stringify_mem_size(val_buf, sizeof(val_buf), - afl->fsrv.mem_limit << 20), - afl->fsrv.mem_limit - 1); - - } - - FATAL("Cmplog fork server crashed with signal %d", WTERMSIG(status)); - - } - - if (*(u32 *)afl->fsrv.trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute target application ('%s')", afl->argv[0]); - - if (afl->fsrv.mem_limit && afl->fsrv.mem_limit < 500 && afl->fsrv.uses_asan) { - - SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. Since it seems to be built " - "with ASAN and\n" - " you have a restrictive memory limit configured, this is " - "expected; please\n" - " read %s/notes_for_asan.md for help.\n", - doc_path); - - } else if (!afl->fsrv.mem_limit) { - - SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. Perhaps there is a horrible " - "bug in the\n" - " fuzzer. Poke for troubleshooting " - "tips.\n"); - - } else { - - u8 val_buf[STRINGIFY_VAL_SIZE_MAX]; - - SAYF( - "\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated " - "before we could complete a\n" - " handshake with the injected code. There are %s probable " - "explanations:\n\n" - - "%s" - " - The current memory limit (%s) is too restrictive, causing an " - "OOM\n" - " fault in the dynamic linker. This can be fixed with the -m " - "option. A\n" - " simple way to confirm the diagnosis may be:\n\n" - - MSG_ULIMIT_USAGE - " /path/to/fuzzed_app )\n\n" - - " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" - " estimate the required amount of virtual memory for the " - "binary.\n\n" - - " - Less likely, there is a horrible bug in the fuzzer. If other " - "options\n" - " fail, poke for troubleshooting " - "tips.\n", - getenv(DEFER_ENV_VAR) ? "three" : "two", - getenv(DEFER_ENV_VAR) - ? " - You are using deferred forkserver, but __AFL_INIT() is " - "never\n" - " reached before the program terminates.\n\n" - : "", - stringify_mem_size(val_buf, sizeof(val_buf), afl->fsrv.mem_limit << 20), - afl->fsrv.mem_limit - 1); - - } - - FATAL("Cmplog fork server handshake failed"); - -} - -u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { - - int status = 0; - u32 exec_ms; - - u32 tb4; - s32 res; - - afl->fsrv.child_timed_out = 0; - - /* After this memset, afl->fsrv.trace_bits[] are effectively volatile, so we - must prevent any earlier operations from venturing into that - territory. */ - - memset(afl->fsrv.trace_bits, 0, afl->fsrv.map_size); - MEM_BARRIER(); - - /* Since we always have a forkserver (or a fauxserver) running, we can simply - tell them to have at it and read back the pid from it.*/ - - if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) != - 4) { - - if (afl->stop_soon) return 0; - RPFATAL(res, - "Unable to request new process from cmplog fork server (OOM?)"); - - } - - if ((res = read(afl->cmplog_fsrv_st_fd, &afl->cmplog_child_pid, 4)) != 4) { - - if (afl->stop_soon) return 0; - RPFATAL(res, - "Unable to request new process from cmplog fork server (OOM?)"); - - } - - if (afl->cmplog_child_pid <= 0) - FATAL("Cmplog fork server is misbehaving (OOM?)"); - - /* Configure timeout, as requested by user, then wait for child to terminate. - */ - exec_ms = - read_timed(afl->cmplog_fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); - - if (exec_ms > timeout) { - - /* If there was no response from forkserver after timeout seconds, - we kill the child. The forkserver should inform us afterwards */ - - kill(afl->cmplog_child_pid, SIGKILL); - afl->fsrv.child_timed_out = 1; - - /* After killing the child, the forkserver should tell us */ - if (!read(afl->cmplog_fsrv_st_fd, &status, 4)) exec_ms = 0; - - } - - if (!exec_ms) { // Something went wrong. - - if (afl->stop_soon) return 0; - SAYF("\n" cLRD "[-] " cRST - "Unable to communicate with fork server. Some possible reasons:\n\n" - " - You've run out of memory. Use -m to increase the the memory " - "limit\n" - " to something higher than %lld.\n" - " - The binary or one of the libraries it uses manages to create\n" - " threads before the forkserver initializes.\n" - " - The binary, at least in some circumstances, exits in a way " - "that\n" - " also kills the parent process - raise() could be the " - "culprit.\n\n" - "If all else fails you can disable the fork server via " - "AFL_NO_FORKSRV=1.\n", - afl->fsrv.mem_limit); - RPFATAL(res, "Unable to communicate with fork server"); - - } - - if (!WIFSTOPPED(status)) afl->cmplog_child_pid = 0; - - if (afl->slowest_exec_ms < exec_ms) afl->slowest_exec_ms = exec_ms; - - ++afl->total_execs; - - /* Any subsequent operations on afl->fsrv.trace_bits must not be moved by the - compiler below this point. Past this location, afl->fsrv.trace_bits[] - behave very normally and do not have to be treated as volatile. */ - - MEM_BARRIER(); - - tb4 = *(u32 *)afl->fsrv.trace_bits; - -#ifdef WORD_SIZE_64 - classify_counts(afl, (u64 *)afl->fsrv.trace_bits); -#else - classify_counts(afl, (u32 *)afl->fsrv.trace_bits); -#endif /* ^WORD_SIZE_64 */ - - afl->cmplog_prev_timed_out = afl->fsrv.child_timed_out; - - /* Report outcome to caller. */ - - if (WIFSIGNALED(status) && !afl->stop_soon) { - - afl->kill_signal = WTERMSIG(status); - - if (afl->fsrv.child_timed_out && afl->kill_signal == SIGKILL) - return FAULT_TMOUT; - - return FAULT_CRASH; - - } - - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ - - if (afl->fsrv.uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { - - afl->kill_signal = 0; - return FAULT_CRASH; - - } - - if ((afl->dumb_mode == 1 || afl->no_forkserver) && tb4 == EXEC_FAIL_SIG) - return FAULT_ERROR; - - return FAULT_NONE; -#else ck_free(argv[0]); argv[0] = fsrv->cmplog_binary; } execv(argv[0], argv); -#endif } @@ -571,3 +105,4 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { return 0; } + diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index a7d7ae18..efb1c117 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -34,7 +34,7 @@ void load_custom_mutator_py(afl_state_t *, char *); void setup_custom_mutator(afl_state_t *afl) { /* Try mutator library first */ - u8 *fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); + u8 *fn = afl->afl_env.afl_custom_mutator_library; if (fn) { @@ -52,7 +52,7 @@ void setup_custom_mutator(afl_state_t *afl) { /* Try Python module */ #ifdef USE_PYTHON - u8 *module_name = getenv("AFL_PYTHON_MODULE"); + u8 *module_name = afl->afl_env.afl_python_module; if (module_name) { @@ -67,7 +67,7 @@ void setup_custom_mutator(afl_state_t *afl) { } #else - if (getenv("AFL_PYTHON_MODULE")) + if (afl->afl_env.afl_python_module) FATAL("Your AFL binary was built without Python support"); #endif diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 3a178e87..4c98d788 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -69,8 +69,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - exec_ms = - read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); + exec_ms = read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); if (exec_ms > timeout) { @@ -312,10 +311,17 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, count its spin-up time toward binary calibration. */ if (!afl->fsrv.fsrv_pid) { - if (afl->shm.cmplog_mode && afl->fsrv.init_child_func != cmplog_exec_child) { + + if (afl->shm.cmplog_mode && + afl->fsrv.init_child_func != cmplog_exec_child) { + FATAL("BUG in afl-fuzz detected. Cmplog mode not set correctly."); + } - afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); + + afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon, + afl->afl_env.afl_debug_child_output); + } if (q->exec_cksum) diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 80039d6f..f58345fb 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -284,6 +284,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_autoresume = get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_CAL_FAST", + + afl_environment_variable_len)) { + + afl->afl_env.afl_cal_fast = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_TMPDIR", afl_environment_variable_len)) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 44c48088..3341898c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -248,6 +248,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_state_init(afl); afl_fsrv_init(&afl->fsrv); + if (get_afl_env("AFL_DEBUG")) afl->debug = 1; read_afl_environment(afl, envp); exit_1 = !!afl->afl_env.afl_bench_just_one; @@ -690,7 +691,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); if (afl->sync_id && afl->force_deterministic && - getenv("AFL_CUSTOM_MUTATOR_ONLY")) + afl->afl_env.afl_custom_mutator_only) WARNF( "Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will " "result in no deterministic mutations being done!"); @@ -865,7 +866,7 @@ int main(int argc, char **argv_orig, char **envp) { check_if_tty(afl); if (afl->afl_env.afl_force_ui) afl->not_on_tty = 0; - if (get_afl_env("AFL_CAL_FAST")) { + if (afl->afl_env.afl_cal_fast) { /* Use less calibration cycles, for slow applications */ afl->cal_cycles = 3; @@ -873,8 +874,6 @@ int main(int argc, char **argv_orig, char **envp) { } - if (get_afl_env("AFL_DEBUG")) afl->debug = 1; - if (afl->afl_env.afl_custom_mutator_only) { /* This ensures we don't proceed to havoc/splice */ @@ -1024,7 +1023,8 @@ int main(int argc, char **argv_orig, char **envp) { SAYF("Spawning cmplog forkserver"); memcpy(&afl->cmplog_fsrv, &afl->fsrv, sizeof(afl->fsrv)); afl->cmplog_fsrv.init_child_func = cmplog_exec_child; - afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); + afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, + afl->afl_env.afl_debug_child_output); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index a8198f79..c84fa36c 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -949,7 +949,8 @@ int main(int argc, char **argv_orig, char **envp) { } - afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT")? 1 :0); + afl_fsrv_start(fsrv, use_argv, &stop_soon, + get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); while (done == 0 && (dir_ent = readdir(dir_in))) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 8ad33814..3be6b2c0 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -1131,7 +1131,8 @@ int main(int argc, char **argv_orig, char **envp) { read_initial_file(); - afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT")? 1 :0); + afl_fsrv_start(fsrv, use_argv, &stop_soon, + get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); -- cgit 1.4.1 From cc3ac932d9d255e8600ba58cb3a02c5ad43f5e8a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 11 Apr 2020 09:16:30 +0200 Subject: fix -E/-V --- src/afl-fuzz-stats.c | 22 ++++++++++++++++++++++ src/afl-fuzz.c | 36 +++++------------------------------- 2 files changed, 27 insertions(+), 31 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 65876f67..2e680dbb 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -215,6 +215,28 @@ void show_stats(afl_state_t *afl) { cur_ms = get_cur_time(); + if (afl->most_time_key) { + + if (afl->most_time * 1000 < cur_ms - afl->start_time) { + + afl->most_time_key = 2; + afl->stop_soon = 2; + + } + + } + + if (afl->most_execs_key == 1) { + + if (afl->most_execs <= afl->total_execs) { + + afl->most_execs_key = 2; + afl->stop_soon = 2; + + } + + } + /* If not enough time has passed since last UI update, bail out. */ if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ && diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 3341898c..73a38215 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -129,12 +129,11 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "Testing settings:\n" " -s seed - use a fixed seed for the RNG\n" - " -V seconds - fuzz for a maximum total time of seconds then " + " -V seconds - fuzz for a specific time then terminate\n" + " -E execs - fuzz for a approx. no of total executions then " "terminate\n" - " -E execs - fuzz for a maximum number of total executions then " - "terminate\n" - " Note: -V/-E are not precise, they are checked after a queue entry " - "is done\n which can be many minutes/execs later\n\n" + " Note: not precise and can have several more " + "executions.\n\n" "Other stuff:\n" " -T text - text banner to show on the screen\n" @@ -144,7 +143,7 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { " -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap " "file\n" " -C - crash exploration mode (the peruvian rabbit thing)\n" - " -e ext - File extension for the temporarily generated test " + " -e ext - file extension for the temporarily generated test " "case\n\n", argv0, EXEC_TIMEOUT, MEM_LIMIT); @@ -1122,31 +1121,6 @@ int main(int argc, char **argv_orig, char **envp) { afl->queue_cur = afl->queue_cur->next; ++afl->current_entry; - if (afl->most_time_key == 1) { - - u64 cur_ms_lv = get_cur_time(); - if (afl->most_time * 1000 < cur_ms_lv - afl->start_time) { - - afl->most_time_key = 2; - afl->stop_soon = 2; - break; - - } - - } - - if (afl->most_execs_key == 1) { - - if (afl->most_execs <= afl->total_execs) { - - afl->most_execs_key = 2; - afl->stop_soon = 2; - break; - - } - - } - } // if (afl->queue_cur) show_stats(afl); -- cgit 1.4.1 From ee4e1936d0d1ca18147d1916e9365578627584e2 Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sun, 12 Apr 2020 13:20:10 +0100 Subject: build on arm64 fix. tested on Android. (#313) --- include/afl-fuzz.h | 1 + include/forkserver.h | 5 +++-- src/afl-analyze.c | 4 ++-- src/afl-common.c | 25 +++++++++++++------------ src/afl-forkserver.c | 1 + src/afl-fuzz-bitmap.c | 10 +++++----- src/afl-fuzz-init.c | 12 ++++++------ src/afl-fuzz-one.c | 4 ++-- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-stats.c | 26 +++++++++++++------------- src/afl-fuzz.c | 12 ++++++------ src/afl-showmap.c | 2 +- src/afl-tmin.c | 4 ++-- 13 files changed, 56 insertions(+), 52 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1440b645..58fe7c41 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -61,6 +61,7 @@ #include #include #include +#include #include #include diff --git a/include/forkserver.h b/include/forkserver.h index 444f92df..77fcc126 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -29,6 +29,7 @@ #define __AFL_FORKSERVER_H #include +#include typedef struct afl_forkserver { @@ -97,9 +98,9 @@ void afl_fsrv_killall(); #endif #ifdef RLIMIT_AS -#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%" PRIu64 " << 10];" #else -#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%" PRIu64 " << 10];" #endif /* ^RLIMIT_AS */ #endif diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 66dbefab..951e2f76 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -909,7 +909,7 @@ int main(int argc, char **argv, char **envp) { } - if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%" PRIu64 "%c", &mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -1013,7 +1013,7 @@ int main(int argc, char **argv, char **envp) { read_initial_file(); - ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", + ACTF("Performing dry run (mem limit = %" PRIu64 " MB, timeout = %u ms%s)...", mem_limit, exec_tmout, edges_only ? ", edges only" : ""); run_target(use_argv, in_data, in_len, 1); diff --git a/src/afl-common.c b/src/afl-common.c index 7eba6ae4..d8af353a 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -26,6 +26,7 @@ #include #include #include +#include #include "debug.h" #include "alloc-inl.h" @@ -454,13 +455,13 @@ u8 *stringify_int(u8 *buf, size_t len, u64 val) { } while (0) /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu", u64); + CHK_FORMAT(1, 10000, "%" PRIu64, u64); /* 10.0k - 99.9k */ CHK_FORMAT(1000, 99.95, "%0.01fk", double); /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%lluk", u64); + CHK_FORMAT(1000, 1000, "%" PRIu64 "k", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); @@ -469,7 +470,7 @@ u8 *stringify_int(u8 *buf, size_t len, u64 val) { CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); + CHK_FORMAT(1000 * 1000, 1000, "%" PRIu64 "M", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); @@ -521,13 +522,13 @@ u8 *stringify_float(u8 *buf, size_t len, double val) { u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu B", u64); + CHK_FORMAT(1, 10000, "%" PRIu64 " B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%llu kB", u64); + CHK_FORMAT(1024, 1000, "%" PRIu64 " kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); @@ -536,7 +537,7 @@ u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); + CHK_FORMAT(1024 * 1024, 1000, "%" PRIu64 " MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); @@ -614,13 +615,13 @@ u8 *u_stringify_int(u8 *buf, u64 val) { } while (0) /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu", u64); + CHK_FORMAT(1, 10000, "%" PRIu64, u64); /* 10.0k - 99.9k */ CHK_FORMAT(1000, 99.95, "%0.01fk", double); /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%lluk", u64); + CHK_FORMAT(1000, 1000, "%" PRIu64 "k", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); @@ -629,7 +630,7 @@ u8 *u_stringify_int(u8 *buf, u64 val) { CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); + CHK_FORMAT(1000 * 1000, 1000, "%" PRIu64 "M", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); @@ -680,13 +681,13 @@ u8 *u_stringify_float(u8 *buf, double val) { u8 *u_stringify_mem_size(u8 *buf, u64 val) { /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu B", u64); + CHK_FORMAT(1, 10000, "%" PRIu64 " B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%llu kB", u64); + CHK_FORMAT(1024, 1000, "%" PRIu64 " kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); @@ -695,7 +696,7 @@ u8 *u_stringify_mem_size(u8 *buf, u64 val) { CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); + CHK_FORMAT(1024 * 1024, 1000, "%" PRIu64 " MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a7067791..8b504584 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index b6a494db..293102a8 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -441,7 +441,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret, "src:%06u", afl->current_entry); - sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); + sprintf(ret + strlen(ret), ",time:%" PRIu64, get_cur_time() - afl->start_time); if (afl->splicing_with >= 0) sprintf(ret + strlen(ret), "+%06d", afl->splicing_with); @@ -659,12 +659,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/hangs/id:%06" PRIu64 ",%s", afl->out_dir, afl->unique_hangs, describe_op(afl, 0)); #else - snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/hangs/id_%06" PRIu64, afl->out_dir, afl->unique_hangs); #endif /* ^!SIMPLE_FILES */ @@ -703,12 +703,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/crashes/id:%06" PRIu64 ",sig:%02u,%s", afl->out_dir, afl->unique_crashes, afl->kill_signal, describe_op(afl, 0)); #else - snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/crashes/id_%06" PRIu64 "_%02u", afl->out_dir, afl->unique_crashes, afl->kill_signal); #endif /* ^!SIMPLE_FILES */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 54cc81ef..85b98173 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -494,7 +494,7 @@ void perform_dry_run(afl_state_t *afl) { if (afl->stop_soon) return; if (res == afl->crash_mode || res == FAULT_NOBITS) - SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, + SAYF(cGRA " len = %u, map size = %u, exec speed = %" PRIu64 " us\n" cRST, q->len, q->bitmap_size, q->exec_us); switch (res) { @@ -1051,8 +1051,8 @@ static void handle_existing_out_dir(afl_state_t *afl) { u64 start_time2, last_update; if (fscanf(f, - "start_time : %llu\n" - "last_update : %llu\n", + "start_time : %" PRIu64 "\n" + "last_update : %" PRIu64 "\n", &start_time2, &last_update) != 2) FATAL("Malformed data in '%s'", fn); @@ -1602,7 +1602,7 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%llu", &min) != 1) min = 0; + if (fscanf(f, "%" PRIu64, &min) != 1) min = 0; fclose(f); } @@ -1611,7 +1611,7 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%llu", &max) != 1) max = 0; + if (fscanf(f, "%" PRIu64, &max) != 1) max = 0; fclose(f); } @@ -1620,7 +1620,7 @@ void check_cpu_governor(afl_state_t *afl) { SAYF("\n" cLRD "[-] " cRST "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" - " between %llu and %llu MHz. Unfortunately, the scaling algorithm in " + " between %" PRIu64 " and %" PRIu64 " MHz. Unfortunately, the scaling algorithm in " "the\n" " kernel is imperfect and can miss the short-lived processes spawned " "by\n" diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 80567160..01ce37fb 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -405,7 +405,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->not_on_tty)) { - ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", + ACTF("Fuzzing test case #%u (%u total, %" PRIu64 " uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); fflush(stdout); @@ -2432,7 +2432,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->not_on_tty) { - ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", + ACTF("Fuzzing test case #%u (%u total, %" PRIu64 " uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); fflush(stdout); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4c98d788..f8440f46 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -89,7 +89,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { "Unable to communicate with fork server. Some possible reasons:\n\n" " - You've run out of memory. Use -m to increase the the memory " "limit\n" - " to something higher than %lld.\n" + " to something higher than %" PRIu64 ".\n" " - The binary or one of the libraries it uses manages to " "create\n" " threads before the forkserver initializes.\n" diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 2e680dbb..0df950dd 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -70,13 +70,13 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, fprintf( f, - "start_time : %llu\n" - "last_update : %llu\n" - "run_time : %llu\n" + "start_time : %" PRIu64 "\n" + "last_update : %lld\n" + "run_time : %lld\n" "fuzzer_pid : %d\n" - "cycles_done : %llu\n" - "cycles_wo_finds : %llu\n" - "execs_done : %llu\n" + "cycles_done : %" PRIu64 "\n" + "cycles_wo_finds : %" PRIu64 "\n" + "execs_done : %" PRIu64 "\n" "execs_per_sec : %0.02f\n" // "real_execs_per_sec: %0.02f\n" // damn the name is too long "paths_total : %u\n" @@ -90,12 +90,12 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "variable_paths : %u\n" "stability : %0.02f%%\n" "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" + "unique_crashes : %" PRIu64 "\n" + "unique_hangs : %" PRIu64 "\n" + "last_path : %" PRIu64 "\n" + "last_crash : %" PRIu64 "\n" + "last_hang : %" PRIu64 "\n" + "execs_since_crash : %" PRIu64 "\n" "exec_timeout : %u\n" "slowest_exec_ms : %u\n" "peak_rss_mb : %lu\n" @@ -171,7 +171,7 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) { execs_per_sec */ fprintf(afl->fsrv.plot_file, - "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f\n", + "%" PRIu64 ", %" PRIu64 ", %u, %u, %u, %u, %0.02f%%, %" PRIu64 ", %" PRIu64 ", %u, %0.02f\n", get_cur_time() / 1000, afl->queue_cycle - 1, afl->current_entry, afl->queued_paths, afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->max_depth, diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 73a38215..9464dacc 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -427,7 +427,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%llu%c", &afl->fsrv.mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%" PRIu64 "%c", &afl->fsrv.mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -537,7 +537,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'V': { afl->most_time_key = 1; - if (sscanf(optarg, "%llu", &afl->most_time) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%" PRIu64, &afl->most_time) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -V"); } break; @@ -545,7 +545,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'E': { afl->most_execs_key = 1; - if (sscanf(optarg, "%llu", &afl->most_execs) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%" PRIu64, &afl->most_execs) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -E"); } break; @@ -556,7 +556,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->limit_time_sig = 1; afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; - if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 || + if (sscanf(optarg, "%" PRIu64, &afl->limit_time_puppet) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -L"); @@ -566,7 +566,7 @@ int main(int argc, char **argv_orig, char **envp) { FATAL("limit_time overflow"); afl->limit_time_puppet = limit_time_puppet2; - SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet); + SAYF("limit_time_puppet %" PRIu64 "\n", afl->limit_time_puppet); afl->swarm_now = 0; if (afl->limit_time_puppet == 0) afl->key_puppet = 1; @@ -1079,7 +1079,7 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->not_on_tty)) { - ACTF("Entering queue cycle %llu.", afl->queue_cycle); + ACTF("Entering queue cycle %" PRIu64 ".", afl->queue_cycle); fflush(stdout); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index c84fa36c..6c2b2000 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -720,7 +720,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%" PRIu64 "%c", &fsrv->mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 3be6b2c0..fd081fcf 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -989,7 +989,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%" PRIu64 "%c", &fsrv->mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -1134,7 +1134,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); - ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", + ACTF("Performing dry run (mem limit = %" PRIu64 " MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); run_target(fsrv, use_argv, in_data, in_len, 1); -- cgit 1.4.1 From 79195454993b6cfff6b03354dbf1e045e77f83cb Mon Sep 17 00:00:00 2001 From: David CARLIER Date: Sun, 12 Apr 2020 15:55:52 +0100 Subject: Better solution for ARM64 build fix (#315) --- include/afl-fuzz.h | 1 - include/forkserver.h | 5 ++--- include/types.h | 2 +- src/afl-analyze.c | 4 ++-- src/afl-common.c | 25 ++++++++++++------------- src/afl-forkserver.c | 1 - src/afl-fuzz-bitmap.c | 10 +++++----- src/afl-fuzz-init.c | 12 ++++++------ src/afl-fuzz-one.c | 4 ++-- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-stats.c | 26 +++++++++++++------------- src/afl-fuzz.c | 12 ++++++------ src/afl-showmap.c | 2 +- src/afl-tmin.c | 4 ++-- 14 files changed, 53 insertions(+), 57 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 58fe7c41..1440b645 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -61,7 +61,6 @@ #include #include #include -#include #include #include diff --git a/include/forkserver.h b/include/forkserver.h index 77fcc126..444f92df 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -29,7 +29,6 @@ #define __AFL_FORKSERVER_H #include -#include typedef struct afl_forkserver { @@ -98,9 +97,9 @@ void afl_fsrv_killall(); #endif #ifdef RLIMIT_AS -#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%" PRIu64 " << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sv $[%llu << 10];" #else -#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%" PRIu64 " << 10];" +#define MSG_ULIMIT_USAGE " ( ulimit -Sd $[%llu << 10];" #endif /* ^RLIMIT_AS */ #endif diff --git a/include/types.h b/include/types.h index da95cb39..f2a12953 100644 --- a/include/types.h +++ b/include/types.h @@ -46,7 +46,7 @@ typedef uint32_t u32; */ -#ifdef __x86_64__ +#if defined(__x86_64__) || defined(__aarch64__) typedef unsigned long long u64; #else typedef uint64_t u64; diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 951e2f76..66dbefab 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -909,7 +909,7 @@ int main(int argc, char **argv, char **envp) { } - if (sscanf(optarg, "%" PRIu64 "%c", &mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -1013,7 +1013,7 @@ int main(int argc, char **argv, char **envp) { read_initial_file(); - ACTF("Performing dry run (mem limit = %" PRIu64 " MB, timeout = %u ms%s)...", + ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", mem_limit, exec_tmout, edges_only ? ", edges only" : ""); run_target(use_argv, in_data, in_len, 1); diff --git a/src/afl-common.c b/src/afl-common.c index d8af353a..7eba6ae4 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -26,7 +26,6 @@ #include #include #include -#include #include "debug.h" #include "alloc-inl.h" @@ -455,13 +454,13 @@ u8 *stringify_int(u8 *buf, size_t len, u64 val) { } while (0) /* 0-9999 */ - CHK_FORMAT(1, 10000, "%" PRIu64, u64); + CHK_FORMAT(1, 10000, "%llu", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1000, 99.95, "%0.01fk", double); /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%" PRIu64 "k", u64); + CHK_FORMAT(1000, 1000, "%lluk", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); @@ -470,7 +469,7 @@ u8 *stringify_int(u8 *buf, size_t len, u64 val) { CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%" PRIu64 "M", u64); + CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); @@ -522,13 +521,13 @@ u8 *stringify_float(u8 *buf, size_t len, double val) { u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { /* 0-9999 */ - CHK_FORMAT(1, 10000, "%" PRIu64 " B", u64); + CHK_FORMAT(1, 10000, "%llu B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%" PRIu64 " kB", u64); + CHK_FORMAT(1024, 1000, "%llu kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); @@ -537,7 +536,7 @@ u8 *stringify_mem_size(u8 *buf, size_t len, u64 val) { CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%" PRIu64 " MB", u64); + CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); @@ -615,13 +614,13 @@ u8 *u_stringify_int(u8 *buf, u64 val) { } while (0) /* 0-9999 */ - CHK_FORMAT(1, 10000, "%" PRIu64, u64); + CHK_FORMAT(1, 10000, "%llu", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1000, 99.95, "%0.01fk", double); /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%" PRIu64 "k", u64); + CHK_FORMAT(1000, 1000, "%lluk", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); @@ -630,7 +629,7 @@ u8 *u_stringify_int(u8 *buf, u64 val) { CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%" PRIu64 "M", u64); + CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); @@ -681,13 +680,13 @@ u8 *u_stringify_float(u8 *buf, double val) { u8 *u_stringify_mem_size(u8 *buf, u64 val) { /* 0-9999 */ - CHK_FORMAT(1, 10000, "%" PRIu64 " B", u64); + CHK_FORMAT(1, 10000, "%llu B", u64); /* 10.0k - 99.9k */ CHK_FORMAT(1024, 99.95, "%0.01f kB", double); /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%" PRIu64 " kB", u64); + CHK_FORMAT(1024, 1000, "%llu kB", u64); /* 1.00M - 9.99M */ CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); @@ -696,7 +695,7 @@ u8 *u_stringify_mem_size(u8 *buf, u64 val) { CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%" PRIu64 " MB", u64); + CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); /* 1.00G - 9.99G */ CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 8b504584..a7067791 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -38,7 +38,6 @@ #include #include #include -#include #include #include #include diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 293102a8..b6a494db 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -441,7 +441,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) { sprintf(ret, "src:%06u", afl->current_entry); - sprintf(ret + strlen(ret), ",time:%" PRIu64, get_cur_time() - afl->start_time); + sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time); if (afl->splicing_with >= 0) sprintf(ret + strlen(ret), "+%06d", afl->splicing_with); @@ -659,12 +659,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - snprintf(fn, PATH_MAX, "%s/hangs/id:%06" PRIu64 ",%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, afl->unique_hangs, describe_op(afl, 0)); #else - snprintf(fn, PATH_MAX, "%s/hangs/id_%06" PRIu64, afl->out_dir, + snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, afl->unique_hangs); #endif /* ^!SIMPLE_FILES */ @@ -703,12 +703,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES - snprintf(fn, PATH_MAX, "%s/crashes/id:%06" PRIu64 ",sig:%02u,%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, afl->unique_crashes, afl->kill_signal, describe_op(afl, 0)); #else - snprintf(fn, PATH_MAX, "%s/crashes/id_%06" PRIu64 "_%02u", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, afl->unique_crashes, afl->kill_signal); #endif /* ^!SIMPLE_FILES */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 85b98173..54cc81ef 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -494,7 +494,7 @@ void perform_dry_run(afl_state_t *afl) { if (afl->stop_soon) return; if (res == afl->crash_mode || res == FAULT_NOBITS) - SAYF(cGRA " len = %u, map size = %u, exec speed = %" PRIu64 " us\n" cRST, + SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, q->len, q->bitmap_size, q->exec_us); switch (res) { @@ -1051,8 +1051,8 @@ static void handle_existing_out_dir(afl_state_t *afl) { u64 start_time2, last_update; if (fscanf(f, - "start_time : %" PRIu64 "\n" - "last_update : %" PRIu64 "\n", + "start_time : %llu\n" + "last_update : %llu\n", &start_time2, &last_update) != 2) FATAL("Malformed data in '%s'", fn); @@ -1602,7 +1602,7 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%" PRIu64, &min) != 1) min = 0; + if (fscanf(f, "%llu", &min) != 1) min = 0; fclose(f); } @@ -1611,7 +1611,7 @@ void check_cpu_governor(afl_state_t *afl) { if (f) { - if (fscanf(f, "%" PRIu64, &max) != 1) max = 0; + if (fscanf(f, "%llu", &max) != 1) max = 0; fclose(f); } @@ -1620,7 +1620,7 @@ void check_cpu_governor(afl_state_t *afl) { SAYF("\n" cLRD "[-] " cRST "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" - " between %" PRIu64 " and %" PRIu64 " MHz. Unfortunately, the scaling algorithm in " + " between %llu and %llu MHz. Unfortunately, the scaling algorithm in " "the\n" " kernel is imperfect and can miss the short-lived processes spawned " "by\n" diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 01ce37fb..80567160 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -405,7 +405,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->not_on_tty)) { - ACTF("Fuzzing test case #%u (%u total, %" PRIu64 " uniq crashes found)...", + ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); fflush(stdout); @@ -2432,7 +2432,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->not_on_tty) { - ACTF("Fuzzing test case #%u (%u total, %" PRIu64 " uniq crashes found)...", + ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", afl->current_entry, afl->queued_paths, afl->unique_crashes); fflush(stdout); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index f8440f46..4c98d788 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -89,7 +89,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { "Unable to communicate with fork server. Some possible reasons:\n\n" " - You've run out of memory. Use -m to increase the the memory " "limit\n" - " to something higher than %" PRIu64 ".\n" + " to something higher than %lld.\n" " - The binary or one of the libraries it uses manages to " "create\n" " threads before the forkserver initializes.\n" diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 0df950dd..2e680dbb 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -70,13 +70,13 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, fprintf( f, - "start_time : %" PRIu64 "\n" - "last_update : %lld\n" - "run_time : %lld\n" + "start_time : %llu\n" + "last_update : %llu\n" + "run_time : %llu\n" "fuzzer_pid : %d\n" - "cycles_done : %" PRIu64 "\n" - "cycles_wo_finds : %" PRIu64 "\n" - "execs_done : %" PRIu64 "\n" + "cycles_done : %llu\n" + "cycles_wo_finds : %llu\n" + "execs_done : %llu\n" "execs_per_sec : %0.02f\n" // "real_execs_per_sec: %0.02f\n" // damn the name is too long "paths_total : %u\n" @@ -90,12 +90,12 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "variable_paths : %u\n" "stability : %0.02f%%\n" "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %" PRIu64 "\n" - "unique_hangs : %" PRIu64 "\n" - "last_path : %" PRIu64 "\n" - "last_crash : %" PRIu64 "\n" - "last_hang : %" PRIu64 "\n" - "execs_since_crash : %" PRIu64 "\n" + "unique_crashes : %llu\n" + "unique_hangs : %llu\n" + "last_path : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" "exec_timeout : %u\n" "slowest_exec_ms : %u\n" "peak_rss_mb : %lu\n" @@ -171,7 +171,7 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) { execs_per_sec */ fprintf(afl->fsrv.plot_file, - "%" PRIu64 ", %" PRIu64 ", %u, %u, %u, %u, %0.02f%%, %" PRIu64 ", %" PRIu64 ", %u, %0.02f\n", + "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f\n", get_cur_time() / 1000, afl->queue_cycle - 1, afl->current_entry, afl->queued_paths, afl->pending_not_fuzzed, afl->pending_favored, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->max_depth, diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9464dacc..73a38215 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -427,7 +427,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%" PRIu64 "%c", &afl->fsrv.mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%llu%c", &afl->fsrv.mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -537,7 +537,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'V': { afl->most_time_key = 1; - if (sscanf(optarg, "%" PRIu64, &afl->most_time) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%llu", &afl->most_time) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -V"); } break; @@ -545,7 +545,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'E': { afl->most_execs_key = 1; - if (sscanf(optarg, "%" PRIu64, &afl->most_execs) < 1 || optarg[0] == '-') + if (sscanf(optarg, "%llu", &afl->most_execs) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -E"); } break; @@ -556,7 +556,7 @@ int main(int argc, char **argv_orig, char **envp) { afl->limit_time_sig = 1; afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; - if (sscanf(optarg, "%" PRIu64, &afl->limit_time_puppet) < 1 || + if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -L"); @@ -566,7 +566,7 @@ int main(int argc, char **argv_orig, char **envp) { FATAL("limit_time overflow"); afl->limit_time_puppet = limit_time_puppet2; - SAYF("limit_time_puppet %" PRIu64 "\n", afl->limit_time_puppet); + SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet); afl->swarm_now = 0; if (afl->limit_time_puppet == 0) afl->key_puppet = 1; @@ -1079,7 +1079,7 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->not_on_tty)) { - ACTF("Entering queue cycle %" PRIu64 ".", afl->queue_cycle); + ACTF("Entering queue cycle %llu.", afl->queue_cycle); fflush(stdout); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 6c2b2000..c84fa36c 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -720,7 +720,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%" PRIu64 "%c", &fsrv->mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index fd081fcf..3be6b2c0 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -989,7 +989,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (sscanf(optarg, "%" PRIu64 "%c", &fsrv->mem_limit, &suffix) < 1 || + if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || optarg[0] == '-') FATAL("Bad syntax used for -m"); @@ -1134,7 +1134,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_start(fsrv, use_argv, &stop_soon, get_afl_env("AFL_DEBUG_CHILD_OUTPUT") ? 1 : 0); - ACTF("Performing dry run (mem limit = %" PRIu64 " MB, timeout = %u ms%s)...", + ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); run_target(fsrv, use_argv, in_data, in_len, 1); -- cgit 1.4.1 From 995e556065375c34206f6f05c8572e0758c288ef Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 13 Apr 2020 08:54:59 +0200 Subject: cmplog forkserver tidying --- include/forkserver.h | 3 ++- src/afl-analyze.c | 2 +- src/afl-forkserver.c | 38 +++++++++++++++++++++++++++++++-- src/afl-fuzz.c | 26 +++------------------- src/afl-sharedmem.c | 2 +- src/third_party/libradamsa/libradamsa.c | 6 +++--- src/third_party/libradamsa/radamsa.h | 14 ++++++------ test/unittests/unit_maybe_alloc.c | 2 +- 8 files changed, 53 insertions(+), 40 deletions(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index 444f92df..6fbaf612 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -80,10 +80,11 @@ typedef struct afl_forkserver { } afl_forkserver_t; void afl_fsrv_init(afl_forkserver_t *fsrv); +void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output); +void afl_fsrv_killall(void); void afl_fsrv_deinit(afl_forkserver_t *fsrv); -void afl_fsrv_killall(); #ifdef __APPLE__ #define MSG_FORK_ON_APPLE \ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 66dbefab..510ec94a 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -639,7 +639,7 @@ static void handle_stop_sig(int sig) { /* Do basic preparations - persistent fds, filenames, etc. */ -static void set_up_environment() { +static void set_up_environment(void) { u8 *x; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a7067791..9c964bf3 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -74,7 +74,6 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->exec_tmout = EXEC_TIMEOUT; fsrv->mem_limit = MEM_LIMIT; fsrv->child_pid = -1; - fsrv->out_dir_fd = -1; fsrv->map_size = MAP_SIZE; fsrv->use_fauxsrv = 0; fsrv->prev_timed_out = 0; @@ -85,6 +84,32 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { } +/* Initialize a new forkserver instance, duplicating "global" settings */ +void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { + + fsrv_to->use_stdin = from->use_stdin; + fsrv_to->dev_null_fd = from->dev_null_fd; + fsrv_to->exec_tmout = from->exec_tmout; + fsrv_to->mem_limit = from->mem_limit; + fsrv_to->map_size = from->map_size; + +#ifndef HAVE_ARC4RANDOM + fsrv_to->dev_urandom_fd = from->dev_urandom_fd; +#endif + + // These are forkserver specific. + fsrv_to->out_fd = -1; + fsrv_to->out_dir_fd = -1; + fsrv_to->child_pid = -1; + fsrv_to->use_fauxsrv = 0; + fsrv_to->prev_timed_out = 0; + + fsrv_to->init_child_func = fsrv_exec_child; + + list_append(&fsrv_list, fsrv_to); + +} + /* Internal forkserver for dumb_mode=1 and non-forkserver mode runs. It execvs for each fork, forwarding exit codes and child pids to afl. */ @@ -599,11 +624,19 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } +static void afl_fsrv_kill(afl_forkserver_t *fsrv) { + + if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL); + if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL); + if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } + +} + void afl_fsrv_killall() { LIST_FOREACH(&fsrv_list, afl_forkserver_t, { - if (el->child_pid > 0) kill(el->child_pid, SIGKILL); + afl_fsrv_kill(el); }); @@ -611,6 +644,7 @@ void afl_fsrv_killall() { void afl_fsrv_deinit(afl_forkserver_t *fsrv) { + afl_fsrv_kill(fsrv); list_remove(&fsrv_list, fsrv); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 73a38215..6eae2675 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1020,7 +1020,9 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->cmplog_binary) { SAYF("Spawning cmplog forkserver"); - memcpy(&afl->cmplog_fsrv, &afl->fsrv, sizeof(afl->fsrv)); + afl_fsrv_init_dup(&afl->cmplog_fsrv, &afl->fsrv); + // TODO: this is semi-nice + afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary; afl->cmplog_fsrv.init_child_func = cmplog_exec_child; afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child_output); @@ -1123,28 +1125,6 @@ int main(int argc, char **argv_orig, char **envp) { } - // if (afl->queue_cur) show_stats(afl); - - /* - * ATTENTION - the following 10 lines were copied from a PR to Google's afl - * repository - and slightly fixed. - * These lines have nothing to do with the purpose of original PR though. - * Looks like when an exit condition was completed (AFL_BENCH_JUST_ONE, - * AFL_EXIT_WHEN_DONE or AFL_BENCH_UNTIL_CRASH) the child and forkserver - * where not killed? - */ - /* if we stopped programmatically, we kill the forkserver and the current - runner. if we stopped manually, this is done by the signal handler */ - if (afl->stop_soon == 2) { - - if (afl->fsrv.child_pid > 0) kill(afl->fsrv.child_pid, SIGKILL); - if (afl->fsrv.fsrv_pid > 0) kill(afl->fsrv.fsrv_pid, SIGKILL); - /* Now that we've killed the forkserver, we wait for it to be able to get - * rusage stats. */ - if (waitpid(afl->fsrv.fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } - - } - write_bitmap(afl); maybe_update_plot_file(afl, 0, 0); save_auto(afl); diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 7bdf8d03..9db84e77 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -95,7 +95,7 @@ void afl_shm_deinit(sharedmem_t *shm) { /* At exit, remove all leftover maps */ -void afl_shm_atexit() { +void afl_shm_atexit(void) { LIST_FOREACH(&shm_list, sharedmem_t, { afl_shm_deinit(el); }); diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index fe91594e..27cf91bc 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -2177,7 +2177,7 @@ static uint llen(word *ptr) { return len; } -static void set_signal_handler() { +static void set_signal_handler(void) { struct sigaction sa; sa.sa_handler = signal_handler; sigemptyset(&sa.sa_mask); @@ -2312,7 +2312,7 @@ static word prim_set(word wptr, hval pos, word val) { return (word) new; } -static void setdown() { +static void setdown(void) { tcsetattr(0, TCSANOW, &tsettings); /* return stdio settings */ } @@ -30773,7 +30773,7 @@ int secondary(int nargs, char **argv) { return 127; } -void radamsa_init() { +void radamsa_init(void) { int nobjs=0, nwords=0; hp = (byte *) &heap; /* builtin heap */ state = IFALSE; diff --git a/src/third_party/libradamsa/radamsa.h b/src/third_party/libradamsa/radamsa.h index d54fa2ec..33cccde4 100644 --- a/src/third_party/libradamsa/radamsa.h +++ b/src/third_party/libradamsa/radamsa.h @@ -1,15 +1,13 @@ #include #include -extern void radamsa_init(); +extern void radamsa_init(void); -extern size_t radamsa(uint8_t *ptr, size_t len, - uint8_t *target, size_t max, +extern size_t radamsa(uint8_t *ptr, size_t len, + uint8_t *target, size_t max, unsigned int seed); -extern size_t radamsa_inplace(uint8_t *ptr, - size_t len, - size_t max, +extern size_t radamsa_inplace(uint8_t *ptr, + size_t len, + size_t max, unsigned int seed); - - diff --git a/test/unittests/unit_maybe_alloc.c b/test/unittests/unit_maybe_alloc.c index a856fa08..d9c037a0 100644 --- a/test/unittests/unit_maybe_alloc.c +++ b/test/unittests/unit_maybe_alloc.c @@ -71,7 +71,7 @@ static void test_nonpow2_size(void **state) { } -static void test_zero_size() { +static void test_zero_size(void **state) { char *buf = NULL; size_t size = 0; -- cgit 1.4.1 From 0022cc478244ce12050e1bc8733ab96104313e4e Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 13 Apr 2020 10:40:24 +0200 Subject: fix some cmplog refactoring bugs --- src/afl-fuzz-run.c | 14 +++++++++----- src/afl-fuzz.c | 2 +- 2 files changed, 10 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4c98d788..9f79a5c9 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -46,7 +46,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { must prevent any earlier operations from venturing into that territory. */ - memset(fsrv->trace_bits, 0, fsrv->map_size); + if (fsrv->trace_bits) memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); @@ -120,14 +120,18 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { MEM_BARRIER(); - tb4 = *(u32 *)fsrv->trace_bits; + if (fsrv->trace_bits) { + + tb4 = *(u32 *)fsrv->trace_bits; #ifdef WORD_SIZE_64 - classify_counts(afl, (u64 *)fsrv->trace_bits); + classify_counts(afl, (u64 *)fsrv->trace_bits); #else - classify_counts(afl, (u32 *)fsrv->trace_bits); + classify_counts(afl, (u32 *)fsrv->trace_bits); #endif /* ^WORD_SIZE_64 */ + } + fsrv->prev_timed_out = fsrv->child_timed_out; /* Report outcome to caller. */ @@ -312,7 +316,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (!afl->fsrv.fsrv_pid) { - if (afl->shm.cmplog_mode && + if (afl->fsrv.cmplog_binary && afl->fsrv.init_child_func != cmplog_exec_child) { FATAL("BUG in afl-fuzz detected. Cmplog mode not set correctly."); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 6eae2675..a813906c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1019,7 +1019,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->cmplog_binary) { - SAYF("Spawning cmplog forkserver"); + ACTF("Spawning cmplog forkserver"); afl_fsrv_init_dup(&afl->cmplog_fsrv, &afl->fsrv); // TODO: this is semi-nice afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary; -- cgit 1.4.1 From 033c743a417b208ee48218d59d8665823434ea67 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 13 Apr 2020 11:37:48 +0200 Subject: fix all cmplog errors --- src/afl-fuzz-cmplog.c | 6 +----- src/afl-fuzz-run.c | 14 +++++--------- src/afl-fuzz.c | 2 ++ 3 files changed, 8 insertions(+), 14 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index 6f201013..e2747097 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -37,13 +37,9 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) { setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1); - if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) { - - ck_free(argv[0]); + if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) argv[0] = fsrv->cmplog_binary; - } - execv(argv[0], argv); } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 9f79a5c9..1ddd7e1a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -46,10 +46,10 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { must prevent any earlier operations from venturing into that territory. */ - if (fsrv->trace_bits) memset(fsrv->trace_bits, 0, fsrv->map_size); + memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); - + /* we have the fork server (or faux server) up and running, so simply tell it to have at it, and then read back PID. */ @@ -120,18 +120,14 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { MEM_BARRIER(); - if (fsrv->trace_bits) { - - tb4 = *(u32 *)fsrv->trace_bits; + tb4 = *(u32 *)fsrv->trace_bits; #ifdef WORD_SIZE_64 - classify_counts(afl, (u64 *)fsrv->trace_bits); + classify_counts(afl, (u64 *)fsrv->trace_bits); #else - classify_counts(afl, (u32 *)fsrv->trace_bits); + classify_counts(afl, (u32 *)fsrv->trace_bits); #endif /* ^WORD_SIZE_64 */ - } - fsrv->prev_timed_out = fsrv->child_timed_out; /* Report outcome to caller. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index a813906c..136a9519 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1022,6 +1022,8 @@ int main(int argc, char **argv_orig, char **envp) { ACTF("Spawning cmplog forkserver"); afl_fsrv_init_dup(&afl->cmplog_fsrv, &afl->fsrv); // TODO: this is semi-nice + afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits; + afl->cmplog_fsrv.qemu_mode = afl->fsrv.qemu_mode; afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary; afl->cmplog_fsrv.init_child_func = cmplog_exec_child; afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon, -- cgit 1.4.1 From 5daec436f93240a0c411d432456f3f86fe1f3181 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 13 Apr 2020 11:43:34 +0200 Subject: fix bug forksever fail not detected when using read_timed --- src/afl-forkserver.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 9c964bf3..28f664fa 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -352,19 +352,24 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, rlen = 0; if (fsrv->exec_tmout) { - rlen = 4; - u32 time = read_timed(fsrv->fsrv_st_fd, &status, rlen, + u32 time = read_timed(fsrv->fsrv_st_fd, &status, 4, fsrv->exec_tmout * FORK_WAIT_MULT, stop_soon_p); - if (time > fsrv->exec_tmout * FORK_WAIT_MULT) { + if (!time) { + + kill(fsrv->fsrv_pid, SIGKILL); + + } else if (time > fsrv->exec_tmout * FORK_WAIT_MULT) { fsrv->child_timed_out = 1; kill(fsrv->fsrv_pid, SIGKILL); + } else { + + rlen = 4; + } - if (!time) { kill(fsrv->fsrv_pid, SIGKILL); } - } else { rlen = read(fsrv->fsrv_st_fd, &status, 4); -- cgit 1.4.1 From dda096da03cae528dee9fd53e64896e93efe8f4a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 13 Apr 2020 12:12:27 +0200 Subject: allow -L -1 to enable mopt in parallel to classic mutation --- docs/Changelog.md | 2 ++ docs/README.MOpt.md | 3 +++ include/afl-fuzz.h | 10 +++++----- src/afl-forkserver.c | 10 +++++----- src/afl-fuzz-one.c | 14 +++++++------- src/afl-fuzz-run.c | 2 +- src/afl-fuzz.c | 50 +++++++++++++++++++++++++++++++++----------------- 7 files changed, 56 insertions(+), 35 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 108ebd08..2c8bff3d 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,8 @@ sending a mail to . - afl-fuzz: - variable map size support added (only LTO mode can use this) - snapshot feature usage now visible in UI + - Now setting "-L -1" will enable MOpt in parallel to normal mutation. + Additionally this allows to run dictionaries, radamsa and cmplog. - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also static global and local variable comparisons (cannot find all though) - extended forkserver: map_size and more information is communicated to diff --git a/docs/README.MOpt.md b/docs/README.MOpt.md index 94e63959..3de6d670 100644 --- a/docs/README.MOpt.md +++ b/docs/README.MOpt.md @@ -36,6 +36,9 @@ enter the pacemaker fuzzing mode. Setting 0 will enter the pacemaker fuzzing mode at first, which is recommended in a short time-scale evaluation. +Setting -1 will enable both pacemaker mode and normal aflmutation fuzzing in +parallel. + Other important parameters can be found in afl-fuzz.c, for instance, 'swarm_num': the number of the PSO swarms used in the fuzzing process. diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 1440b645..a7fdc5f0 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -354,14 +354,14 @@ typedef struct afl_state { /* MOpt: Lots of globals, but mostly for the status UI and other things where it really makes no sense to haul them around as function parameters. */ - u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start, - tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find, - most_time_key, most_time, most_execs_key, most_execs, old_hit_count, - force_ui_update; + u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time, + total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key, + most_time, most_execs_key, most_execs, old_hit_count, force_ui_update; MOpt_globals_t mopt_globals_core, mopt_globals_pilot; - s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module; + s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, + key_module; double w_init, w_end, w_now; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 28f664fa..b282a119 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -365,9 +365,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, kill(fsrv->fsrv_pid, SIGKILL); } else { - + rlen = 4; - + } } else { @@ -631,9 +631,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, static void afl_fsrv_kill(afl_forkserver_t *fsrv) { - if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL); - if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL); - if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } + if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL); + if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL); + if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } } diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 80567160..95d622f2 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -4377,7 +4377,7 @@ void pso_updating(afl_state_t *afl) { u8 fuzz_one(afl_state_t *afl) { - int key_val_lv = 0; + int key_val_lv_1 = 0, key_val_lv_2 = 0; #ifdef _AFL_DOCUMENT_MUTATIONS @@ -4397,22 +4397,22 @@ u8 fuzz_one(afl_state_t *afl) { #endif - if (afl->limit_time_sig == 0) { + // if limit_time_sig == -1 then both are run after each other - key_val_lv = fuzz_one_original(afl); + if (afl->limit_time_sig <= 0) { key_val_lv_1 = fuzz_one_original(afl); } - } else { + if (afl->limit_time_sig != 0) { if (afl->key_module == 0) - key_val_lv = pilot_fuzzing(afl); + key_val_lv_2 = pilot_fuzzing(afl); else if (afl->key_module == 1) - key_val_lv = core_fuzzing(afl); + key_val_lv_2 = core_fuzzing(afl); else if (afl->key_module == 2) pso_updating(afl); } - return key_val_lv; + return (key_val_lv_1 | key_val_lv_2); #undef BUF_PARAMS diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 1ddd7e1a..514ba9ef 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -49,7 +49,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { memset(fsrv->trace_bits, 0, fsrv->map_size); MEM_BARRIER(); - + /* we have the fork server (or faux server) up and running, so simply tell it to have at it, and then read back PID. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 136a9519..8620a402 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -109,12 +109,12 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "Mutator settings:\n" " -R[R] - add Radamsa as mutator, add another -R to exclusivly " "run it\n" - " -L minutes - use MOpt(imize) mode and set the limit time for " + " -L minutes - use MOpt(imize) mode and set the time limit for " "entering the\n" - " pacemaker mode (minutes of no new paths, 0 = " - "immediately).\n" - " a recommended value is 10-60. see " - "docs/README.MOpt.md\n" + " pacemaker mode (minutes of no new paths). 0 = " + "immediately,\n" + " -1 = immediately and together with normal mutation).\n" + " See docs/README.MOpt.md\n" " -c program - enable CmpLog by specifying a binary compiled for " "it.\n" " if using QEMU, just use -c 0.\n\n" @@ -553,20 +553,33 @@ int main(int argc, char **argv_orig, char **envp) { case 'L': { /* MOpt mode */ if (afl->limit_time_sig) FATAL("Multiple -L options not supported"); - afl->limit_time_sig = 1; afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; - if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 || - optarg[0] == '-') + if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) FATAL("Bad syntax used for -L"); + if (afl->limit_time_puppet == -1) { + + afl->limit_time_sig = -1; + afl->limit_time_puppet = 0; + + } else if (afl->limit_time_puppet < 0) { + + FATAL("-L value must be between 0 and 2000000 or -1"); + + } else { + + afl->limit_time_sig = 1; + + } + u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000; if (limit_time_puppet2 < afl->limit_time_puppet) FATAL("limit_time overflow"); afl->limit_time_puppet = limit_time_puppet2; - SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet); + SAYF("limit_time_puppet %d\n", afl->limit_time_puppet); afl->swarm_now = 0; if (afl->limit_time_puppet == 0) afl->key_puppet = 1; @@ -701,11 +714,14 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->use_radamsa) { - if (afl->limit_time_sig) + if (afl->limit_time_sig > 0) FATAL( - "MOpt and Radamsa are mutually exclusive. We accept pull requests " - "that integrates MOpt with the optional mutators " - "(custom/radamsa/redquenn/...)."); + "MOpt and Radamsa are mutually exclusive unless you specify -L -1. " + "We accept pull requests that integrates MOpt with the optional " + "mutators (custom/radamsa/redqueen/...)."); + + if (afl->limit_time_sig && afl->use_radamsa > 1) + FATAL("Radamsa in radamsa-only mode can not run together with -L"); OKF("Using Radamsa add-on"); @@ -984,11 +1000,11 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->cmplog_binary) { - if (afl->limit_time_sig) + if (afl->limit_time_sig > 0) FATAL( - "MOpt and CmpLog are mutually exclusive. We accept pull requests " - "that integrates MOpt with the optional mutators " - "(custom/radamsa/redquenn/...)."); + "MOpt and CmpLog are mutually exclusive unless you specify -L -1. We " + "accept pull requests that integrates MOpt with the optional " + "mutators (custom/radamsa/redqueen/...)."); if (afl->unicorn_mode) FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry"); -- cgit 1.4.1 From 326ab632c378878c96f44586a6e1f3dfa3db2276 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 13 Apr 2020 16:57:19 +0200 Subject: fixed uaf and warnings --- src/afl-analyze.c | 8 ++++++++ src/afl-common.c | 11 +++++++---- src/afl-forkserver.c | 1 - src/afl-fuzz-bitmap.c | 8 ++++---- src/afl-fuzz-extras.c | 2 ++ src/afl-fuzz-init.c | 2 ++ src/afl-fuzz-one.c | 3 --- src/afl-fuzz-queue.c | 2 ++ src/afl-fuzz-redqueen.c | 8 +++++++- src/afl-fuzz-stats.c | 1 - src/afl-sharedmem.c | 10 +--------- src/afl-showmap.c | 2 +- 12 files changed, 34 insertions(+), 24 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 510ec94a..2c98982f 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -902,6 +902,12 @@ int main(int argc, char **argv, char **envp) { if (mem_limit_given) FATAL("Multiple -m options not supported"); mem_limit_given = 1; + if (!optarg) { + + FATAL("Bad syntax used for -m"); + + } + if (!strcmp(optarg, "none")) { mem_limit = 0; @@ -938,6 +944,8 @@ int main(int argc, char **argv, char **envp) { if (timeout_given) FATAL("Multiple -t options not supported"); timeout_given = 1; + if (!optarg) FATAL("Wrong usage of -t"); + exec_tmout = atoi(optarg); if (exec_tmout < 10 || optarg[0] == '-') diff --git a/src/afl-common.c b/src/afl-common.c index 7eba6ae4..1ac1a2f3 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -292,11 +292,10 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { *rsl = 0; cp = alloc_printf("%s/afl-qemu-trace", own_copy); - ck_free(own_copy); - if (!access(cp, X_OK)) { + if (cp && !access(cp, X_OK)) { - if (cp != NULL) ck_free(cp); + ck_free(cp); cp = alloc_printf("%s/afl-wine-trace", own_copy); @@ -309,10 +308,14 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { } - } else + ck_free(own_copy); + + } else { ck_free(own_copy); + } + u8 *ncp = BIN_PATH "/afl-qemu-trace"; if (!access(ncp, X_OK)) { diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b282a119..b054a64d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -455,7 +455,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - len = status; offset = 0; while (offset < status && (u8)dict[offset] + offset < status) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index b6a494db..9603f2f5 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -535,7 +535,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { if (unlikely(len == 0)) return 0; u8 *queue_fn = ""; - u8 hnb; + u8 hnb = '\0'; s32 fd; u8 keeping = 0, res; @@ -718,9 +718,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { // if the user wants to be informed on new crashes - do that #if !TARGET_OS_IPHONE - if (system(afl->infoexec) == -1) - hnb += 0; // we dont care if system errors, but we dont want a - // compiler warning either + // we dont care if system errors, but we dont want a + // compiler warning either + (void)(system(afl->infoexec)+1); #else WARNF("command execution unsupported"); #endif diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c index 55146dd9..c366cc5b 100644 --- a/src/afl-fuzz-extras.c +++ b/src/afl-fuzz-extras.c @@ -130,6 +130,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len, wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr); + if (!wptr) PFATAL("no mem for data"); + while (*lptr) { char *hexdigits = "0123456789abcdef"; diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 54cc81ef..10417da6 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2178,6 +2178,8 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) { u32 l = strlen(argv[i]); + if (!argv[i] || !buf) FATAL("null deref detected"); + memcpy(buf, argv[i], l); buf += l; diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 95d622f2..475c710b 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -3593,7 +3593,6 @@ pacemaker_fuzzing: } s32 temp_len_puppet; - cur_ms_lv = get_cur_time(); // for (; afl->swarm_now < swarm_num; ++afl->swarm_now) { @@ -4167,8 +4166,6 @@ pacemaker_fuzzing: afl->orig_hit_cnt_puppet))) { afl->key_puppet = 0; - cur_ms_lv = get_cur_time(); - new_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->orig_hit_cnt_puppet = 0; afl->last_limit_time_start = 0; diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 346c2639..5eb110d0 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -438,6 +438,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { } + if (unlikely(!n_paths)) FATAL("Queue state corrupt"); + fuzz_mu = fuzz_total / n_paths; if (fuzz <= fuzz_mu) { diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 517f8d7c..b9b41c74 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -115,7 +115,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { afl->stage_short = "colorization"; afl->stage_max = 1000; - struct range *rng; + struct range *rng = NULL; afl->stage_cur = 0; while ((rng = pop_biggest_range(&ranges)) != NULL && afl->stage_cur < afl->stage_max) { @@ -141,6 +141,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { empty_range: ck_free(rng); + rng = NULL; ++afl->stage_cur; } @@ -157,6 +158,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { rng = ranges; ranges = ranges->next; ck_free(rng); + rng = NULL; } @@ -186,6 +188,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { } + return 0; checksum_fail: @@ -196,9 +199,12 @@ checksum_fail: rng = ranges; ranges = ranges->next; ck_free(rng); + rng = NULL; } + // TODO: clang notices a _potential_ leak of mem pointed to by rng + return 1; } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 2e680dbb..d42df2db 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -56,7 +56,6 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, bitmap_cvg = afl->last_bitmap_cvg; stability = afl->last_stability; - eps = afl->last_eps; } else { diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 9db84e77..eea1cc95 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -67,6 +67,7 @@ list_t shm_list = {.element_prealloc_count = 0}; void afl_shm_deinit(sharedmem_t *shm) { + // TODO: clang reports a potential UAF in this function/makro(?) list_remove(&shm_list, shm); #ifdef USEMMAP @@ -93,14 +94,6 @@ void afl_shm_deinit(sharedmem_t *shm) { } -/* At exit, remove all leftover maps */ - -void afl_shm_atexit(void) { - - LIST_FOREACH(&shm_list, sharedmem_t, { afl_shm_deinit(el); }); - -} - /* Configure shared memory. Returns a pointer to shm->map for ease of use. */ @@ -207,7 +200,6 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { #endif list_append(&shm_list, shm); - atexit(afl_shm_atexit); return shm->map; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index c84fa36c..63c8caa8 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -983,7 +983,7 @@ int main(int argc, char **argv_orig, char **envp) { if (!quiet_mode) OKF("Processed %u input files.", total_execs); closedir(dir_in); - closedir(dir_out); + if (dir_out) closedir(dir_out); } else { -- cgit 1.4.1 From a897f355a97e8992126aa1f2c612a6304f547b0c Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 13 Apr 2020 16:57:41 +0200 Subject: code format --- src/afl-analyze.c | 6 +----- src/afl-fuzz-bitmap.c | 4 ++-- src/afl-fuzz-redqueen.c | 1 - src/afl-fuzz-stats.c | 14 +++++++------- 4 files changed, 10 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 2c98982f..952786b0 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -902,11 +902,7 @@ int main(int argc, char **argv, char **envp) { if (mem_limit_given) FATAL("Multiple -m options not supported"); mem_limit_given = 1; - if (!optarg) { - - FATAL("Bad syntax used for -m"); - - } + if (!optarg) { FATAL("Bad syntax used for -m"); } if (!strcmp(optarg, "none")) { diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 9603f2f5..f5364c72 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -719,8 +719,8 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { // if the user wants to be informed on new crashes - do that #if !TARGET_OS_IPHONE // we dont care if system errors, but we dont want a - // compiler warning either - (void)(system(afl->infoexec)+1); + // compiler warning either + (void)(system(afl->infoexec) + 1); #else WARNF("command execution unsupported"); #endif diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index b9b41c74..0255b5f1 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -188,7 +188,6 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { } - return 0; checksum_fail: diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d42df2db..d48dd5e3 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -387,9 +387,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -471,9 +471,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -503,9 +503,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -579,7 +579,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); -- cgit 1.4.1 From 12a7059ae8c7a3bd016f0d62b03a76baffcde24b Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 13 Apr 2020 16:58:35 +0200 Subject: added ignore info --- src/afl-fuzz-bitmap.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index f5364c72..a0a720fa 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -720,6 +720,8 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #if !TARGET_OS_IPHONE // we dont care if system errors, but we dont want a // compiler warning either + // See + // https://stackoverflow.com/questions/11888594/ignoring-return-values-in-c (void)(system(afl->infoexec) + 1); #else WARNF("command execution unsupported"); -- cgit 1.4.1 From 0fab4e1955b4550a24a1baed2165b4d9ea71b9e1 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 13 Apr 2020 20:23:24 +0200 Subject: c files static --- src/afl-showmap.c | 6 +++--- src/afl-tmin.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 63c8caa8..9067c2a1 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -59,9 +59,9 @@ #include #include -char *stdin_file; /* stdin file */ +static char *stdin_file; /* stdin file */ -u8 *in_dir, /* input folder */ +static u8 *in_dir, /* input folder */ *at_file = NULL; /* Substitution string for @@ */ static u8 *in_data; /* Input data */ @@ -71,7 +71,7 @@ static u32 total, highest; /* tuple content information */ static u32 in_len, /* Input data length */ arg_offset, total_execs; /* Total number of execs */ -u8 quiet_mode, /* Hide non-essential messages? */ +static u8 quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ raw_instr_output, /* Do not apply AFL filters */ cmin_mode, /* Generate output in afl-cmin mode? */ diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 3be6b2c0..2df1aed1 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -60,7 +60,7 @@ static u8 *mask_bitmap; /* Mask for trace bits (-B) */ -u8 *in_file, /* Minimizer input test case */ +static u8 *in_file, /* Minimizer input test case */ *output_file; /* Minimizer output file */ static u8 *in_data; /* Input data for trimming */ @@ -72,7 +72,7 @@ static u32 in_len, /* Input data length */ missed_crashes, /* Misses due to crashes */ missed_paths; /* Misses due to exec path diffs */ -u8 crash_mode, /* Crash-centric mode? */ +static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ exit_crash, /* Treat non-zero exit as crash? */ edges_only, /* Ignore hit counts? */ -- cgit 1.4.1 From 1374e65401c9d40b449c78459a2d0241c779b989 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Mon, 13 Apr 2020 20:39:52 +0200 Subject: no more waitpid warning --- src/afl-forkserver.c | 8 ++++++-- src/afl-showmap.c | 6 +++--- src/afl-tmin.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index b054a64d..f647ff5d 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -631,8 +631,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, static void afl_fsrv_kill(afl_forkserver_t *fsrv) { if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL); - if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL); - if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } + if (fsrv->fsrv_pid > 0) { + + kill(fsrv->fsrv_pid, SIGKILL); + if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } + + } } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 9067c2a1..3fcc1d2b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -59,9 +59,9 @@ #include #include -static char *stdin_file; /* stdin file */ +static char *stdin_file; /* stdin file */ -static u8 *in_dir, /* input folder */ +static u8 *in_dir, /* input folder */ *at_file = NULL; /* Substitution string for @@ */ static u8 *in_data; /* Input data */ @@ -71,7 +71,7 @@ static u32 total, highest; /* tuple content information */ static u32 in_len, /* Input data length */ arg_offset, total_execs; /* Total number of execs */ -static u8 quiet_mode, /* Hide non-essential messages? */ +static u8 quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ raw_instr_output, /* Do not apply AFL filters */ cmin_mode, /* Generate output in afl-cmin mode? */ diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 2df1aed1..31fad1df 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -60,7 +60,7 @@ static u8 *mask_bitmap; /* Mask for trace bits (-B) */ -static u8 *in_file, /* Minimizer input test case */ +static u8 *in_file, /* Minimizer input test case */ *output_file; /* Minimizer output file */ static u8 *in_data; /* Input data for trimming */ @@ -72,7 +72,7 @@ static u32 in_len, /* Input data length */ missed_crashes, /* Misses due to crashes */ missed_paths; /* Misses due to exec path diffs */ -static u8 crash_mode, /* Crash-centric mode? */ +static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ exit_crash, /* Treat non-zero exit as crash? */ edges_only, /* Ignore hit counts? */ -- cgit 1.4.1 From 1fbface656ae4f64fc8643def840fa488098e580 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 14 Apr 2020 10:09:03 +0200 Subject: cmplog is now better --- include/afl-fuzz.h | 6 ++++++ src/afl-fuzz-one.c | 35 +++++++++++++++++++++----------- src/afl-fuzz-redqueen.c | 54 ++++++++++++++++++++++++++++++++++++++++++------- src/afl-fuzz.c | 6 ------ 4 files changed, 76 insertions(+), 25 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 620f5062..4e2deaa3 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -316,6 +316,10 @@ typedef struct afl_env_vars { } afl_env_vars_t; +struct afl_pass_stat { + u8 total; u8 faileds; +}; + typedef struct afl_state { /* Position of this state in the global states list */ @@ -540,6 +544,8 @@ typedef struct afl_state { /* cmplog forkserver ids */ s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; + + struct afl_pass_stat* pass_stats; u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 92210c8b..c4d49ec1 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -495,7 +495,7 @@ u8 fuzz_one_original(afl_state_t *afl) { if (afl->use_radamsa > 1) goto radamsa_stage; - if (afl->shm.cmplog_mode) { + if (afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized) { if (input_to_state_stage(afl, in_buf, out_buf, len, afl->queue_cur->exec_cksum)) @@ -2508,20 +2508,15 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { orig_perf = perf_score = calculate_score(afl, afl->queue_cur); - /* Skip right away if -d is given, if we have done deterministic fuzzing on - this entry ourselves (was_fuzzed), or if it has gone through deterministic - testing in earlier, resumed runs (passed_det). */ + if (afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized) { - if (afl->skip_deterministic || afl->queue_cur->was_fuzzed || - afl->queue_cur->passed_det) - goto havoc_stage; + if (input_to_state_stage(afl, in_buf, out_buf, len, + afl->queue_cur->exec_cksum)) + goto abandon_entry; - /* Skip deterministic fuzzing if exec path checksum puts this out of scope - for this master instance. */ + } - if (afl->master_max && - (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) - goto havoc_stage; + /* Go to pacemker fuzzing if MOpt is doing well */ cur_ms_lv = get_cur_time(); if (!(afl->key_puppet == 0 && @@ -2534,6 +2529,22 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { goto pacemaker_fuzzing; } + + /* Skip right away if -d is given, if we have done deterministic fuzzing on + this entry ourselves (was_fuzzed), or if it has gone through deterministic + testing in earlier, resumed runs (passed_det). */ + + if (afl->skip_deterministic || afl->queue_cur->was_fuzzed || + afl->queue_cur->passed_det) + goto havoc_stage; + + /* Skip deterministic fuzzing if exec path checksum puts this out of scope + for this master instance. */ + + if (afl->master_max && + (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) + goto havoc_stage; + doing_det = 1; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index c910e75e..c8d54ce2 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -127,9 +127,14 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { rand_replace(afl, buf + rng->start, s); u32 cksum; + u64 start_us = get_cur_time_us(); if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) goto checksum_fail; + u64 stop_us = get_cur_time_us(); - if (cksum != exec_cksum) { + /* Discard if the mutations change the paths or if it is too decremental + in speed */ + if (cksum != exec_cksum || + (stop_us - start_us > 2 * afl->queue_cur->exec_us)) { ranges = add_range(ranges, rng->start, rng->start + s / 2); ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end); @@ -365,9 +370,12 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u8 status; // opt not in the paper - u32 fails = 0; + u32 fails; + u8 found_one = 0; for (i = 0; i < loggeds; ++i) { + + fails = 0; struct cmp_operands *o = &afl->shm.cmp_map->log[key][i]; @@ -396,12 +404,17 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { break; } + + if (status == 1) + found_one = 1; // If failed, add to dictionary if (fails == 8) { - try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); - try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + if (afl->pass_stats[key].total == 0) { + try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); + try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + } } @@ -409,6 +422,11 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { afl->stage_cur++; } + + if (!found_one && afl->pass_stats[key].faileds < 0xff) { + afl->pass_stats[key].faileds++; + } + if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; return 0; @@ -450,9 +468,12 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u8 status; // opt not in the paper - u32 fails = 0; + u32 fails; + u8 found_one = 0; for (i = 0; i < loggeds; ++i) { + + fails = 0; struct cmpfn_operands *o = &((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[i]; @@ -482,12 +503,17 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { break; } + + if (status == 1) + found_one = 1; // If failed, add to dictionary if (fails == 8) { - maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape)); - maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape)); + if (afl->pass_stats[key].total == 0) { + maybe_add_auto(afl, o->v0, SHAPE_BYTES(h->shape)); + maybe_add_auto(afl, o->v1, SHAPE_BYTES(h->shape)); + } } @@ -495,6 +521,11 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { afl->stage_cur++; } + + if (!found_one && afl->pass_stats[key].faileds < 0xff) { + afl->pass_stats[key].faileds++; + } + if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; return 0; @@ -507,6 +538,9 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u32 exec_cksum) { u8 r = 1; + + if (afl->pass_stats == NULL) + afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W); if (unlikely(colorization(afl, buf, len, exec_cksum))) return 1; @@ -528,6 +562,12 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, for (k = 0; k < CMP_MAP_W; ++k) { if (!afl->shm.cmp_map->headers[k].hits) continue; + + if (afl->pass_stats[k].total && + (UR(afl, afl->pass_stats[k].total) < afl->pass_stats[k].faileds || + afl->pass_stats[k].total == 0xff)) + afl->shm.cmp_map->headers[k].hits = 0; + if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) afl->stage_max += MIN(afl->shm.cmp_map->headers[k].hits, CMP_MAP_H); else diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 10fee76c..b89bccb4 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -966,12 +966,6 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->cmplog_binary) { - if (afl->limit_time_sig) - FATAL( - "MOpt and CmpLog are mutually exclusive. We accept pull requests " - "that integrates MOpt with the optional mutators " - "(custom/radamsa/redquenn/...)."); - if (afl->unicorn_mode) FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry"); if (!afl->qemu_mode) check_binary(afl, afl->cmplog_binary); -- cgit 1.4.1 From 9eb47a924a219b3b2d2e46576757a4c14c18cfdb Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 14 Apr 2020 10:42:29 +0200 Subject: UR -> rand_below --- src/afl-fuzz-redqueen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 9a9de02a..82753d0c 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -569,8 +569,8 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, if (!afl->shm.cmp_map->headers[k].hits) continue; if (afl->pass_stats[k].total && - (UR(afl, afl->pass_stats[k].total) < afl->pass_stats[k].faileds || - afl->pass_stats[k].total == 0xff)) + (rand_below(afl, afl->pass_stats[k].total) < afl->pass_stats[k].faileds + || afl->pass_stats[k].total == 0xff)) afl->shm.cmp_map->headers[k].hits = 0; if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) -- cgit 1.4.1 From d2a76287485dafc4df7ceb4abc44b27f1fe0527a Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 14 Apr 2020 11:26:07 +0200 Subject: fix travis fails --- src/afl-fuzz-redqueen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 82753d0c..bce1973c 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -471,9 +471,9 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u32 loggeds = h->hits; if (h->hits > CMP_MAP_RTN_H) loggeds = CMP_MAP_RTN_H; - u8 status; + u8 status = 0; // opt not in the paper - u32 fails; + u32 fails = 0; u8 found_one = 0; for (i = 0; i < loggeds; ++i) { -- cgit 1.4.1 From 26e690c220a35ad5577eb52ca47dc27d0c737fa9 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 14 Apr 2020 12:39:29 +0200 Subject: cmplog loop detection --- include/afl-fuzz.h | 1 + src/afl-fuzz-redqueen.c | 99 ++++++++++++++++++++++++++++++++----------------- src/afl-fuzz-state.c | 4 +- 3 files changed, 69 insertions(+), 35 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 3a81cc85..9da9452a 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -574,6 +574,7 @@ typedef struct afl_state { u32 cmplog_prev_timed_out; struct afl_pass_stat* pass_stats; + struct cmp_map *orig_cmp_map; u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 82753d0c..1ba36245 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -234,17 +234,15 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { } -static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, - u64 pattern, u64 repl, u32 idx, u8 *orig_buf, - u8 *buf, u32 len, u8 do_reverse, u8 *status) { +static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 pattern, u64 repl, u64 o_pattern, u32 idx, u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse, u8 *status) { u64 *buf_64 = (u64 *)&buf[idx]; u32 *buf_32 = (u32 *)&buf[idx]; u16 *buf_16 = (u16 *)&buf[idx]; // u8* buf_8 = &buf[idx]; - // u64* o_buf_64 = (u64*)&orig_buf[idx]; - // u32* o_buf_32 = (u32*)&orig_buf[idx]; - // u16* o_buf_16 = (u16*)&orig_buf[idx]; + u64* o_buf_64 = (u64*)&orig_buf[idx]; + u32* o_buf_32 = (u32*)&orig_buf[idx]; + u16* o_buf_16 = (u16*)&orig_buf[idx]; // u8* o_buf_8 = &orig_buf[idx]; u32 its_len = len - idx; @@ -252,7 +250,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if (SHAPE_BYTES(h->shape) == 8) { - if (its_len >= 8 && *buf_64 == pattern) { // && *o_buf_64 == pattern) { + if (its_len >= 8 && *buf_64 == pattern && *o_buf_64 == o_pattern) { *buf_64 = repl; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -262,8 +260,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl), - idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl), SWAP64(o_pattern), idx, orig_buf, buf, len, 0, status))) return 1; } @@ -271,7 +268,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if (SHAPE_BYTES(h->shape) == 4 || *status == 2) { if (its_len >= 4 && - *buf_32 == (u32)pattern) { // && *o_buf_32 == (u32)pattern) { + *buf_32 == (u32)pattern && *o_buf_32 == (u32)o_pattern) { *buf_32 = (u32)repl; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -281,8 +278,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl), - idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl), SWAP32(o_pattern), idx, orig_buf, buf, len, 0, status))) return 1; } @@ -290,7 +286,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, if (SHAPE_BYTES(h->shape) == 2 || *status == 2) { if (its_len >= 2 && - *buf_16 == (u16)pattern) { // && *o_buf_16 == (u16)pattern) { + *buf_16 == (u16)pattern && *o_buf_16 == (u16)o_pattern) { *buf_16 = (u16)repl; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -300,15 +296,14 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl), - idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl), SWAP16(o_pattern), idx, orig_buf, buf, len, 0, status))) return 1; } /*if (SHAPE_BYTES(h->shape) == 1 || *status == 2) { - if (its_len >= 2 && *buf_8 == (u8)pattern) {// && *o_buf_8 == (u8)pattern) { + if (its_len >= 2 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) { *buf_8 = (u8)repl; if (unlikely(its_fuzz(afl, buf, len, status))) @@ -377,12 +372,35 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { // opt not in the paper u32 fails; u8 found_one = 0; + + /* loop cmps are useless, detect and blacklist them */ + u64 s_v0, s_v1; + u8 s_v0_fixed = 1, s_v1_fixed = 1; + u8 s_v0_inc = 1, s_v1_inc = 1; + u8 s_v0_dec = 1, s_v1_dec = 1; for (i = 0; i < loggeds; ++i) { fails = 0; struct cmp_operands *o = &afl->shm.cmp_map->log[key][i]; + + // loop detection code + if (i == 0) { + s_v0 = o->v0; + s_v1 = o->v1; + } else { + if (s_v0 != o->v0) s_v0_fixed = 0; + if (s_v1 != o->v1) s_v1_fixed = 0; + if (s_v0 +1 != o->v0) s_v0_inc = 0; + if (s_v1 +1 != o->v1) s_v1_inc = 0; + if (s_v0 -1 != o->v0) s_v0_dec = 0; + if (s_v1 -1 != o->v1) s_v1_dec = 0; + s_v0 = o->v0; + s_v1 = o->v1; + } + + struct cmp_operands *orig_o = &afl->orig_cmp_map->log[key][i]; // opt not in the paper for (j = 0; j < i; ++j) @@ -392,16 +410,14 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { for (idx = 0; idx < len && fails < 8; ++idx) { - if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, idx, orig_buf, buf, - len, 1, &status))) + if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, 1, &status))) return 1; if (status == 2) ++fails; else if (status == 1) break; - if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, idx, orig_buf, buf, - len, 1, &status))) + if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, orig_buf, buf, len, 1, &status))) return 1; if (status == 2) ++fails; @@ -428,6 +444,11 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } + if (loggeds > 3 && ((s_v0_fixed && s_v1_inc) || (s_v1_fixed && s_v0_inc) || + (s_v0_fixed && s_v1_dec) || (s_v1_fixed && s_v0_dec))) { + afl->pass_stats[key].total = afl->pass_stats[key].faileds = 0xff; + } + if (!found_one && afl->pass_stats[key].faileds < 0xff) { afl->pass_stats[key].faileds++; } @@ -437,9 +458,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { } -static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, - u8 *pattern, u8 *repl, u32 idx, u8 *orig_buf, - u8 *buf, u32 len, u8 *status) { +static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, u8 *pattern, u8 *repl, u8* o_pattern, u32 idx, u8 *orig_buf, u8 *buf, u32 len, u8 *status) { u32 i; u32 its_len = MIN(32, len - idx); @@ -451,7 +470,7 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, for (i = 0; i < its_len; ++i) { - if (pattern[idx + i] != buf[idx + i] || *status == 1) break; + if (pattern[idx + i] != buf[idx + i] || o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) break; buf[idx + i] = repl[idx + i]; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -482,6 +501,9 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { struct cmpfn_operands *o = &((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[i]; + + struct cmpfn_operands *orig_o = + &((struct cmpfn_operands *)afl->orig_cmp_map->log[key])[i]; // opt not in the paper for (j = 0; j < i; ++j) @@ -491,16 +513,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { for (idx = 0; idx < len && fails < 8; ++idx) { - if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, idx, orig_buf, buf, - len, &status))) + if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, &status))) return 1; if (status == 2) ++fails; else if (status == 1) break; - if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, idx, orig_buf, buf, - len, &status))) + if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, orig_buf, buf, len, &status))) return 1; if (status == 2) ++fails; @@ -543,9 +563,18 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u32 exec_cksum) { u8 r = 1; + if (afl->orig_cmp_map == NULL) + afl->orig_cmp_map = ck_alloc_nozero(sizeof(struct cmp_map)); if (afl->pass_stats == NULL) afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W); + + // do it manually, forkserver clear only afl->fsrv.trace_bits + memset(afl->shm.cmp_map->headers, 0, sizeof(afl->shm.cmp_map->headers)); + + if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1; + + memcpy(afl->orig_cmp_map, afl->shm.cmp_map, sizeof(struct cmp_map)); if (unlikely(colorization(afl, buf, len, exec_cksum))) return 1; @@ -569,9 +598,9 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, if (!afl->shm.cmp_map->headers[k].hits) continue; if (afl->pass_stats[k].total && - (rand_below(afl, afl->pass_stats[k].total) < afl->pass_stats[k].faileds + (rand_below(afl, afl->pass_stats[k].total) >= afl->pass_stats[k].faileds || afl->pass_stats[k].total == 0xff)) - afl->shm.cmp_map->headers[k].hits = 0; + afl->shm.cmp_map->headers[k].hits = 0; // blacklist this cmp if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) afl->stage_max += MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_H); @@ -587,11 +616,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) { - if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) goto exit_its; + if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) + goto exit_its; } else { - if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) goto exit_its; + if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) + goto exit_its; } @@ -600,11 +631,11 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, r = 0; exit_its: - memcpy(orig_buf, buf, len); - new_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ITS] += afl->total_execs - orig_execs; + + memcpy(orig_buf, buf, len); return r; diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index f58345fb..87d74afa 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -361,6 +361,8 @@ void afl_state_deinit(afl_state_t *afl) { if (afl->post_deinit) afl->post_deinit(afl->post_data); if (afl->in_place_resume) ck_free(afl->in_dir); if (afl->sync_id) ck_free(afl->out_dir); + if (afl->pass_stats) ck_free(afl->pass_stats); + if (afl->orig_cmp_map) ck_free(afl->orig_cmp_map); free(afl->out_buf); free(afl->out_scratch_buf); @@ -368,7 +370,7 @@ void afl_state_deinit(afl_state_t *afl) { free(afl->in_buf); free(afl->in_scratch_buf); free(afl->ex_buf); - + list_remove(&afl_states, afl); } -- cgit 1.4.1 From 92aaaef38126853f26e1be0e522a29c974e24bb5 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 14 Apr 2020 12:42:38 +0200 Subject: code format --- include/afl-fuzz.h | 9 ++- llvm_mode/afl-clang-fast.c | 4 +- src/afl-fuzz-one.c | 3 +- src/afl-fuzz-redqueen.c | 138 +++++++++++++++++++++++++++------------------ src/afl-fuzz-state.c | 2 +- src/afl-fuzz-stats.c | 14 ++--- 6 files changed, 101 insertions(+), 69 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 9da9452a..3df99a58 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -341,7 +341,10 @@ typedef struct afl_env_vars { } afl_env_vars_t; struct afl_pass_stat { - u8 total; u8 faileds; + + u8 total; + u8 faileds; + }; typedef struct afl_state { @@ -573,8 +576,8 @@ typedef struct afl_state { s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; u32 cmplog_prev_timed_out; - struct afl_pass_stat* pass_stats; - struct cmp_map *orig_cmp_map; + struct afl_pass_stat *pass_stats; + struct cmp_map * orig_cmp_map; u8 describe_op_buf_256[256]; /* describe_op will use this to return a string up to 256 */ diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index b121ea97..49318f2e 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -549,8 +549,8 @@ int main(int argc, char **argv, char **envp) { if ((ptr = getenv("AFL_LLVM_INSTRUMENT")) != NULL) { if (strncasecmp(ptr, "default", strlen("default")) == 0 || - strncasecmp(ptr, "afl", strlen("afl")) == 0 || - strncasecmp(ptr, "classic", strlen("classic")) == 0 ) + strncasecmp(ptr, "afl", strlen("afl")) == 0 || + strncasecmp(ptr, "classic", strlen("classic")) == 0) instrument_mode = INSTRUMENT_DEFAULT; if (strncasecmp(ptr, "cfg", strlen("cfg")) == 0 || strncasecmp(ptr, "instrim", strlen("instrim")) == 0) diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 65075db4..961a29d6 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -2543,7 +2543,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { goto pacemaker_fuzzing; } - + /* Skip right away if -d is given, if we have done deterministic fuzzing on this entry ourselves (was_fuzzed), or if it has gone through deterministic testing in earlier, resumed runs (passed_det). */ @@ -2559,7 +2559,6 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { (afl->queue_cur->exec_cksum % afl->master_max) != afl->master_id - 1) goto havoc_stage; - doing_det = 1; /********************************************* diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index c8d5565f..0a97e3ee 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -234,15 +234,18 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) { } -static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 pattern, u64 repl, u64 o_pattern, u32 idx, u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse, u8 *status) { +static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, + u64 pattern, u64 repl, u64 o_pattern, u32 idx, + u8 *orig_buf, u8 *buf, u32 len, u8 do_reverse, + u8 *status) { u64 *buf_64 = (u64 *)&buf[idx]; u32 *buf_32 = (u32 *)&buf[idx]; u16 *buf_16 = (u16 *)&buf[idx]; // u8* buf_8 = &buf[idx]; - u64* o_buf_64 = (u64*)&orig_buf[idx]; - u32* o_buf_32 = (u32*)&orig_buf[idx]; - u16* o_buf_16 = (u16*)&orig_buf[idx]; + u64 *o_buf_64 = (u64 *)&orig_buf[idx]; + u32 *o_buf_32 = (u32 *)&orig_buf[idx]; + u16 *o_buf_16 = (u16 *)&orig_buf[idx]; // u8* o_buf_8 = &orig_buf[idx]; u32 its_len = len - idx; @@ -260,15 +263,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 patter // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl), SWAP64(o_pattern), idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl), + SWAP64(o_pattern), idx, orig_buf, buf, + len, 0, status))) return 1; } if (SHAPE_BYTES(h->shape) == 4 || *status == 2) { - if (its_len >= 4 && - *buf_32 == (u32)pattern && *o_buf_32 == (u32)o_pattern) { + if (its_len >= 4 && *buf_32 == (u32)pattern && + *o_buf_32 == (u32)o_pattern) { *buf_32 = (u32)repl; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -278,15 +283,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 patter // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl), SWAP32(o_pattern), idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl), + SWAP32(o_pattern), idx, orig_buf, buf, + len, 0, status))) return 1; } if (SHAPE_BYTES(h->shape) == 2 || *status == 2) { - if (its_len >= 2 && - *buf_16 == (u16)pattern && *o_buf_16 == (u16)o_pattern) { + if (its_len >= 2 && *buf_16 == (u16)pattern && + *o_buf_16 == (u16)o_pattern) { *buf_16 = (u16)repl; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -296,7 +303,9 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 patter // reverse encoding if (do_reverse) - if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl), SWAP16(o_pattern), idx, orig_buf, buf, len, 0, status))) + if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl), + SWAP16(o_pattern), idx, orig_buf, buf, + len, 0, status))) return 1; } @@ -371,35 +380,39 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u8 status; // opt not in the paper u32 fails; - u8 found_one = 0; - + u8 found_one = 0; + /* loop cmps are useless, detect and blacklist them */ u64 s_v0, s_v1; - u8 s_v0_fixed = 1, s_v1_fixed = 1; - u8 s_v0_inc = 1, s_v1_inc = 1; - u8 s_v0_dec = 1, s_v1_dec = 1; + u8 s_v0_fixed = 1, s_v1_fixed = 1; + u8 s_v0_inc = 1, s_v1_inc = 1; + u8 s_v0_dec = 1, s_v1_dec = 1; for (i = 0; i < loggeds; ++i) { - + fails = 0; struct cmp_operands *o = &afl->shm.cmp_map->log[key][i]; - + // loop detection code if (i == 0) { + s_v0 = o->v0; s_v1 = o->v1; + } else { + if (s_v0 != o->v0) s_v0_fixed = 0; if (s_v1 != o->v1) s_v1_fixed = 0; - if (s_v0 +1 != o->v0) s_v0_inc = 0; - if (s_v1 +1 != o->v1) s_v1_inc = 0; - if (s_v0 -1 != o->v0) s_v0_dec = 0; - if (s_v1 -1 != o->v1) s_v1_dec = 0; + if (s_v0 + 1 != o->v0) s_v0_inc = 0; + if (s_v1 + 1 != o->v1) s_v1_inc = 0; + if (s_v0 - 1 != o->v0) s_v0_dec = 0; + if (s_v1 - 1 != o->v1) s_v1_dec = 0; s_v0 = o->v0; s_v1 = o->v1; + } - + struct cmp_operands *orig_o = &afl->orig_cmp_map->log[key][i]; // opt not in the paper @@ -410,14 +423,16 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { for (idx = 0; idx < len && fails < 8; ++idx) { - if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, 1, &status))) + if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, + orig_buf, buf, len, 1, &status))) return 1; if (status == 2) ++fails; else if (status == 1) break; - if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, orig_buf, buf, len, 1, &status))) + if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, + orig_buf, buf, len, 1, &status))) return 1; if (status == 2) ++fails; @@ -425,16 +440,17 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { break; } - - if (status == 1) - found_one = 1; + + if (status == 1) found_one = 1; // If failed, add to dictionary if (fails == 8) { if (afl->pass_stats[key].total == 0) { + try_to_add_to_dict(afl, o->v0, SHAPE_BYTES(h->shape)); try_to_add_to_dict(afl, o->v1, SHAPE_BYTES(h->shape)); + } } @@ -443,22 +459,29 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { afl->stage_cur++; } - + if (loggeds > 3 && ((s_v0_fixed && s_v1_inc) || (s_v1_fixed && s_v0_inc) || (s_v0_fixed && s_v1_dec) || (s_v1_fixed && s_v0_dec))) { + afl->pass_stats[key].total = afl->pass_stats[key].faileds = 0xff; + } - + if (!found_one && afl->pass_stats[key].faileds < 0xff) { + afl->pass_stats[key].faileds++; + } + if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; return 0; } -static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, u8 *pattern, u8 *repl, u8* o_pattern, u32 idx, u8 *orig_buf, u8 *buf, u32 len, u8 *status) { +static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, + u8 *pattern, u8 *repl, u8 *o_pattern, u32 idx, + u8 *orig_buf, u8 *buf, u32 len, u8 *status) { u32 i; u32 its_len = MIN(32, len - idx); @@ -470,7 +493,9 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h, u8 *patter for (i = 0; i < its_len; ++i) { - if (pattern[idx + i] != buf[idx + i] || o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) break; + if (pattern[idx + i] != buf[idx + i] || + o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) + break; buf[idx + i] = repl[idx + i]; if (unlikely(its_fuzz(afl, buf, len, status))) return 1; @@ -493,15 +518,15 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u8 status = 0; // opt not in the paper u32 fails = 0; - u8 found_one = 0; + u8 found_one = 0; for (i = 0; i < loggeds; ++i) { - + fails = 0; struct cmpfn_operands *o = &((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[i]; - + struct cmpfn_operands *orig_o = &((struct cmpfn_operands *)afl->orig_cmp_map->log[key])[i]; @@ -513,14 +538,16 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { for (idx = 0; idx < len && fails < 8; ++idx) { - if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, orig_buf, buf, len, &status))) + if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx, + orig_buf, buf, len, &status))) return 1; if (status == 2) ++fails; else if (status == 1) break; - if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, orig_buf, buf, len, &status))) + if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx, + orig_buf, buf, len, &status))) return 1; if (status == 2) ++fails; @@ -528,16 +555,17 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { break; } - - if (status == 1) - found_one = 1; + + if (status == 1) found_one = 1; // If failed, add to dictionary if (fails == 8) { if (afl->pass_stats[key].total == 0) { + maybe_add_auto((u8 *)afl, o->v0, SHAPE_BYTES(h->shape)); maybe_add_auto((u8 *)afl, o->v1, SHAPE_BYTES(h->shape)); + } } @@ -546,10 +574,13 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { afl->stage_cur++; } - + if (!found_one && afl->pass_stats[key].faileds < 0xff) { + afl->pass_stats[key].faileds++; + } + if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++; return 0; @@ -565,13 +596,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u8 r = 1; if (afl->orig_cmp_map == NULL) afl->orig_cmp_map = ck_alloc_nozero(sizeof(struct cmp_map)); - + if (afl->pass_stats == NULL) afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W); - + // do it manually, forkserver clear only afl->fsrv.trace_bits memset(afl->shm.cmp_map->headers, 0, sizeof(afl->shm.cmp_map->headers)); - + if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1; memcpy(afl->orig_cmp_map, afl->shm.cmp_map, sizeof(struct cmp_map)); @@ -596,12 +627,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, for (k = 0; k < CMP_MAP_W; ++k) { if (!afl->shm.cmp_map->headers[k].hits) continue; - + if (afl->pass_stats[k].total && - (rand_below(afl, afl->pass_stats[k].total) >= afl->pass_stats[k].faileds - || afl->pass_stats[k].total == 0xff)) - afl->shm.cmp_map->headers[k].hits = 0; // blacklist this cmp - + (rand_below(afl, afl->pass_stats[k].total) >= + afl->pass_stats[k].faileds || + afl->pass_stats[k].total == 0xff)) + afl->shm.cmp_map->headers[k].hits = 0; // blacklist this cmp + if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) afl->stage_max += MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_H); else @@ -616,13 +648,11 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) { - if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) - goto exit_its; + if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) goto exit_its; } else { - if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) - goto exit_its; + if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) goto exit_its; } @@ -634,7 +664,7 @@ exit_its: new_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; afl->stage_cycles[STAGE_ITS] += afl->total_execs - orig_execs; - + memcpy(orig_buf, buf, len); return r; diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 87d74afa..7664c521 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -370,7 +370,7 @@ void afl_state_deinit(afl_state_t *afl) { free(afl->in_buf); free(afl->in_scratch_buf); free(afl->ex_buf); - + list_remove(&afl_states, afl); } diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d48dd5e3..d42df2db 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -387,9 +387,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -471,9 +471,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -503,9 +503,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -579,7 +579,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); -- cgit 1.4.1 From 5ac1b6e940beb5eaf28b91f66b2a4c6a8147f733 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 14 Apr 2020 13:01:54 +0200 Subject: status 0 initialized --- src/afl-fuzz-redqueen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 0a97e3ee..8ab8ffbb 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -377,7 +377,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) { u32 loggeds = h->hits; if (h->hits > CMP_MAP_H) loggeds = CMP_MAP_H; - u8 status; + u8 status = 0; // opt not in the paper u32 fails; u8 found_one = 0; -- cgit 1.4.1 From 0d0338012beb320dcfcaa3d16ae78da47dd48b80 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 14 Apr 2020 13:02:49 +0200 Subject: one byte cmp in cmplog --- llvm_mode/afl-llvm-rt.o.c | 65 +++++++++++++++----------- qemu_mode/patches/afl-qemu-cpu-translate-inl.h | 5 +- qemu_mode/patches/afl-qemu-tcg-runtime-inl.h | 27 ++++++++++- qemu_mode/patches/tcg-runtime-head.diff | 3 +- src/afl-fuzz-redqueen.c | 15 +++--- 5 files changed, 77 insertions(+), 38 deletions(-) (limited to 'src') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 3ad9eab4..89879a42 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -651,13 +651,29 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { ///// CmpLog instrumentation -void __cmplog_ins_hook1(uint8_t Arg1, uint8_t Arg2) { +void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) { - return; + if (!__afl_cmp_map) return; + + uintptr_t k = (uintptr_t)__builtin_return_address(0); + k = (k >> 4) ^ (k << 8); + k &= CMP_MAP_W - 1; + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + // if (!__afl_cmp_map->headers[k].cnt) + // __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++; + __afl_cmp_map->headers[k].shape = 0; + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = arg1; + __afl_cmp_map->log[k][hits].v1 = arg2; } -void __cmplog_ins_hook2(uint16_t Arg1, uint16_t Arg2) { +void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) { if (!__afl_cmp_map) return; @@ -669,19 +685,16 @@ void __cmplog_ins_hook2(uint16_t Arg1, uint16_t Arg2) { u32 hits = __afl_cmp_map->headers[k].hits; __afl_cmp_map->headers[k].hits = hits + 1; - // if (!__afl_cmp_map->headers[k].cnt) - // __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++; __afl_cmp_map->headers[k].shape = 1; - //__afl_cmp_map->headers[k].type = CMP_TYPE_INS; hits &= CMP_MAP_H - 1; - __afl_cmp_map->log[k][hits].v0 = Arg1; - __afl_cmp_map->log[k][hits].v1 = Arg2; + __afl_cmp_map->log[k][hits].v0 = arg1; + __afl_cmp_map->log[k][hits].v1 = arg2; } -void __cmplog_ins_hook4(uint32_t Arg1, uint32_t Arg2) { +void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2) { if (!__afl_cmp_map) return; @@ -697,12 +710,12 @@ void __cmplog_ins_hook4(uint32_t Arg1, uint32_t Arg2) { __afl_cmp_map->headers[k].shape = 3; hits &= CMP_MAP_H - 1; - __afl_cmp_map->log[k][hits].v0 = Arg1; - __afl_cmp_map->log[k][hits].v1 = Arg2; + __afl_cmp_map->log[k][hits].v0 = arg1; + __afl_cmp_map->log[k][hits].v1 = arg2; } -void __cmplog_ins_hook8(uint64_t Arg1, uint64_t Arg2) { +void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) { if (!__afl_cmp_map) return; @@ -718,8 +731,8 @@ void __cmplog_ins_hook8(uint64_t Arg1, uint64_t Arg2) { __afl_cmp_map->headers[k].shape = 7; hits &= CMP_MAP_H - 1; - __afl_cmp_map->log[k][hits].v0 = Arg1; - __afl_cmp_map->log[k][hits].v1 = Arg2; + __afl_cmp_map->log[k][hits].v0 = arg1; + __afl_cmp_map->log[k][hits].v1 = arg2; } @@ -734,28 +747,28 @@ void __cmplog_ins_hook8(uint64_t Arg1, uint64_t Arg2) { #pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4 #pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8 #else -void __sanitizer_cov_trace_const_cmp1(uint8_t Arg1, uint8_t Arg2) +void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__cmplog_ins_hook1"))); -void __sanitizer_cov_trace_const_cmp2(uint16_t Arg1, uint16_t Arg2) +void __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2) __attribute__((alias("__cmplog_ins_hook2"))); -void __sanitizer_cov_trace_const_cmp4(uint32_t Arg1, uint32_t Arg2) +void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2) __attribute__((alias("__cmplog_ins_hook4"))); -void __sanitizer_cov_trace_const_cmp8(uint64_t Arg1, uint64_t Arg2) +void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2) __attribute__((alias("__cmplog_ins_hook8"))); -void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2) +void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__cmplog_ins_hook1"))); -void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) +void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) __attribute__((alias("__cmplog_ins_hook2"))); -void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) +void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) __attribute__((alias("__cmplog_ins_hook4"))); -void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) +void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) __attribute__((alias("__cmplog_ins_hook8"))); #endif /* defined(__APPLE__) */ -void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) { +void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) { - for (uint64_t i = 0; i < Cases[0]; i++) { + for (uint64_t i = 0; i < cases[0]; i++) { uintptr_t k = (uintptr_t)__builtin_return_address(0) + i; k = (k >> 4) ^ (k << 8); @@ -769,8 +782,8 @@ void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) { __afl_cmp_map->headers[k].shape = 7; hits &= CMP_MAP_H - 1; - __afl_cmp_map->log[k][hits].v0 = Val; - __afl_cmp_map->log[k][hits].v1 = Cases[i + 2]; + __afl_cmp_map->log[k][hits].v0 = val; + __afl_cmp_map->log[k][hits].v1 = cases[i + 2]; } diff --git a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h index 72353967..1abec477 100644 --- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h @@ -53,11 +53,12 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, TCGv cur_loc_v = tcg_const_tl(cur_loc); - switch (ot) { + switch (ot & MO_SIZE) { case MO_64: gen_helper_afl_cmplog_64(cur_loc_v, arg1, arg2); break; case MO_32: gen_helper_afl_cmplog_32(cur_loc_v, arg1, arg2); break; case MO_16: gen_helper_afl_cmplog_16(cur_loc_v, arg1, arg2); break; + case MO_8: gen_helper_afl_cmplog_8(cur_loc_v, arg1, arg2); break; default: break; } @@ -75,7 +76,7 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2, if (cur_loc >= afl_inst_rms) return; - switch (ot) { + switch (ot & MO_SIZE) { case MO_64: gen_helper_afl_compcov_64(cur_loc_v, arg1, arg2); break; case MO_32: gen_helper_afl_compcov_32(cur_loc_v, arg1, arg2); break; diff --git a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h index 1526f09c..549b6bba 100644 --- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h +++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h @@ -107,18 +107,39 @@ void HELPER(afl_compcov_64)(target_ulong cur_loc, target_ulong arg1, } +void HELPER(afl_cmplog_8)(target_ulong cur_loc, target_ulong arg1, + target_ulong arg2) { + + register uintptr_t k = (uintptr_t)cur_loc; + + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + + u32 hits = __afl_cmp_map->headers[k].hits; + __afl_cmp_map->headers[k].hits = hits + 1; + // if (!__afl_cmp_map->headers[k].cnt) + // __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++; + + __afl_cmp_map->headers[k].shape = 0; + + hits &= CMP_MAP_H - 1; + __afl_cmp_map->log[k][hits].v0 = arg1; + __afl_cmp_map->log[k][hits].v1 = arg2; + +} + void HELPER(afl_cmplog_16)(target_ulong cur_loc, target_ulong arg1, target_ulong arg2) { register uintptr_t k = (uintptr_t)cur_loc; + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + u32 hits = __afl_cmp_map->headers[k].hits; __afl_cmp_map->headers[k].hits = hits + 1; // if (!__afl_cmp_map->headers[k].cnt) // __afl_cmp_map->headers[k].cnt = __afl_cmp_counter++; __afl_cmp_map->headers[k].shape = 1; - //__afl_cmp_map->headers[k].type = CMP_TYPE_INS; hits &= CMP_MAP_H - 1; __afl_cmp_map->log[k][hits].v0 = arg1; @@ -131,6 +152,8 @@ void HELPER(afl_cmplog_32)(target_ulong cur_loc, target_ulong arg1, register uintptr_t k = (uintptr_t)cur_loc; + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + u32 hits = __afl_cmp_map->headers[k].hits; __afl_cmp_map->headers[k].hits = hits + 1; @@ -147,6 +170,8 @@ void HELPER(afl_cmplog_64)(target_ulong cur_loc, target_ulong arg1, register uintptr_t k = (uintptr_t)cur_loc; + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; + u32 hits = __afl_cmp_map->headers[k].hits; __afl_cmp_map->headers[k].hits = hits + 1; diff --git a/qemu_mode/patches/tcg-runtime-head.diff b/qemu_mode/patches/tcg-runtime-head.diff index 626c67ef..f250686e 100644 --- a/qemu_mode/patches/tcg-runtime-head.diff +++ b/qemu_mode/patches/tcg-runtime-head.diff @@ -2,7 +2,7 @@ diff --git a/accel/tcg/tcg-runtime.h b/accel/tcg/tcg-runtime.h index 1bd39d13..81ef3973 100644 --- a/accel/tcg/tcg-runtime.h +++ b/accel/tcg/tcg-runtime.h -@@ -260,3 +260,13 @@ DEF_HELPER_FLAGS_4(gvec_leu8, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) +@@ -260,3 +260,14 @@ DEF_HELPER_FLAGS_4(gvec_leu8, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) DEF_HELPER_FLAGS_4(gvec_leu16, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) DEF_HELPER_FLAGS_4(gvec_leu32, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32) @@ -12,6 +12,7 @@ index 1bd39d13..81ef3973 100644 +DEF_HELPER_FLAGS_3(afl_compcov_16, TCG_CALL_NO_RWG, void, tl, tl, tl) +DEF_HELPER_FLAGS_3(afl_compcov_32, TCG_CALL_NO_RWG, void, tl, tl, tl) +DEF_HELPER_FLAGS_3(afl_compcov_64, TCG_CALL_NO_RWG, void, tl, tl, tl) ++DEF_HELPER_FLAGS_3(afl_cmplog_8, TCG_CALL_NO_RWG, void, tl, tl, tl) +DEF_HELPER_FLAGS_3(afl_cmplog_16, TCG_CALL_NO_RWG, void, tl, tl, tl) +DEF_HELPER_FLAGS_3(afl_cmplog_32, TCG_CALL_NO_RWG, void, tl, tl, tl) +DEF_HELPER_FLAGS_3(afl_cmplog_64, TCG_CALL_NO_RWG, void, tl, tl, tl) diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 0a97e3ee..b80f0c36 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -242,11 +242,11 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 *buf_64 = (u64 *)&buf[idx]; u32 *buf_32 = (u32 *)&buf[idx]; u16 *buf_16 = (u16 *)&buf[idx]; - // u8* buf_8 = &buf[idx]; + u8* buf_8 = &buf[idx]; u64 *o_buf_64 = (u64 *)&orig_buf[idx]; u32 *o_buf_32 = (u32 *)&orig_buf[idx]; u16 *o_buf_16 = (u16 *)&orig_buf[idx]; - // u8* o_buf_8 = &orig_buf[idx]; + u8* o_buf_8 = &orig_buf[idx]; u32 its_len = len - idx; *status = 0; @@ -310,18 +310,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, } - /*if (SHAPE_BYTES(h->shape) == 1 || *status == 2) { + if (SHAPE_BYTES(h->shape) == 1 || *status == 2) { - if (its_len >= 2 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) { + if (its_len >= 1 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) { *buf_8 = (u8)repl; - if (unlikely(its_fuzz(afl, buf, len, status))) - return 1; - *buf_16 = (u16)pattern; + if (unlikely(its_fuzz(afl, buf, len, status))) return 1; + *buf_8 = (u8)pattern; } - }*/ + } return 0; -- cgit 1.4.1 From f4436f118c7a828e37926b948e997d1c8f5b2b03 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 14 Apr 2020 17:21:15 +0200 Subject: fixed #317 --- llvm_mode/afl-llvm-rt.o.c | 1 + qemu_mode/patches/afl-qemu-tcg-runtime-inl.h | 4 +-- src/afl-fuzz-redqueen.c | 46 ++++++++++++++++------------ src/afl-fuzz-stats.c | 14 ++++----- 4 files changed, 37 insertions(+), 28 deletions(-) (limited to 'src') diff --git a/llvm_mode/afl-llvm-rt.o.c b/llvm_mode/afl-llvm-rt.o.c index 89879a42..f286e66a 100644 --- a/llvm_mode/afl-llvm-rt.o.c +++ b/llvm_mode/afl-llvm-rt.o.c @@ -671,6 +671,7 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) { hits &= CMP_MAP_H - 1; __afl_cmp_map->log[k][hits].v0 = arg1; __afl_cmp_map->log[k][hits].v1 = arg2; + } void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) { diff --git a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h index 549b6bba..a0246198 100644 --- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h +++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h @@ -108,10 +108,10 @@ void HELPER(afl_compcov_64)(target_ulong cur_loc, target_ulong arg1, } void HELPER(afl_cmplog_8)(target_ulong cur_loc, target_ulong arg1, - target_ulong arg2) { + target_ulong arg2) { register uintptr_t k = (uintptr_t)cur_loc; - + __afl_cmp_map->headers[k].type = CMP_TYPE_INS; u32 hits = __afl_cmp_map->headers[k].hits; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index ed21e970..6a01ec89 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -121,30 +121,37 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { afl->stage_cur < afl->stage_max) { u32 s = rng->end - rng->start; - if (s == 0) goto empty_range; - memcpy(backup, buf + rng->start, s); - rand_replace(afl, buf + rng->start, s); + if (s != 0) { - u32 cksum; - u64 start_us = get_cur_time_us(); - if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) goto checksum_fail; - u64 stop_us = get_cur_time_us(); + /* Range not empty */ - /* Discard if the mutations change the paths or if it is too decremental - in speed */ - if (cksum != exec_cksum || - (stop_us - start_us > 2 * afl->queue_cur->exec_us)) { + memcpy(backup, buf + rng->start, s); + rand_replace(afl, buf + rng->start, s); - ranges = add_range(ranges, rng->start, rng->start + s / 2); - ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end); - memcpy(buf + rng->start, backup, s); + u32 cksum; + u64 start_us = get_cur_time_us(); + if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) goto checksum_fail; - } else + u64 stop_us = get_cur_time_us(); - needs_write = 1; + /* Discard if the mutations change the paths or if it is too decremental + in speed */ + if (cksum != exec_cksum || + (stop_us - start_us > 2 * afl->queue_cur->exec_us)) { + + ranges = add_range(ranges, rng->start, rng->start + s / 2); + ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end); + memcpy(buf + rng->start, backup, s); + + } else { + + needs_write = 1; + + } + + } - empty_range: ck_free(rng); rng = NULL; ++afl->stage_cur; @@ -196,6 +203,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { return 0; checksum_fail: + if (rng) ck_free(rng); ck_free(backup); while (ranges) { @@ -242,11 +250,11 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h, u64 *buf_64 = (u64 *)&buf[idx]; u32 *buf_32 = (u32 *)&buf[idx]; u16 *buf_16 = (u16 *)&buf[idx]; - u8* buf_8 = &buf[idx]; + u8 * buf_8 = &buf[idx]; u64 *o_buf_64 = (u64 *)&orig_buf[idx]; u32 *o_buf_32 = (u32 *)&orig_buf[idx]; u16 *o_buf_16 = (u16 *)&orig_buf[idx]; - u8* o_buf_8 = &orig_buf[idx]; + u8 * o_buf_8 = &orig_buf[idx]; u32 its_len = len - idx; *status = 0; diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d42df2db..d48dd5e3 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -387,9 +387,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -471,9 +471,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -503,9 +503,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -579,7 +579,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); -- cgit 1.4.1 From 6dc36f1e6e7d2d781cc6b14f2898b3f7021e1d06 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 14 Apr 2020 19:27:25 +0200 Subject: unified forkservered run_target, fixes #308 --- include/afl-fuzz.h | 16 +----- include/forkserver.h | 21 ++++++-- src/afl-analyze.c | 2 +- src/afl-forkserver.c | 132 +++++++++++++++++++++++++++++++++++++++++++++--- src/afl-fuzz-bitmap.c | 16 +++--- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-init.c | 14 ++--- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-one.c | 12 ++--- src/afl-fuzz-queue.c | 2 +- src/afl-fuzz-redqueen.c | 4 +- src/afl-fuzz-run.c | 128 +++------------------------------------------- src/afl-fuzz-stats.c | 18 +++---- src/afl-fuzz.c | 2 +- src/afl-sharedmem.c | 1 - src/afl-showmap.c | 95 ++++------------------------------ src/afl-tmin.c | 109 ++++++++------------------------------- 17 files changed, 222 insertions(+), 354 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 3df99a58..abaa71b5 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -195,18 +195,6 @@ enum { }; -/* Execution status fault codes */ - -enum { - - /* 00 */ FAULT_NONE, - /* 01 */ FAULT_TMOUT, - /* 02 */ FAULT_CRASH, - /* 03 */ FAULT_ERROR, - /* 04 */ FAULT_NOINST, - /* 05 */ FAULT_NOBITS - -}; #define operator_num 16 #define swarm_num 5 @@ -433,7 +421,6 @@ typedef struct afl_state { use_splicing, /* Recombine input files? */ dumb_mode, /* Run in non-instrumented mode? */ score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ resuming_fuzz, /* Resuming an older fuzzing job? */ timeout_given, /* Specific timeout given? */ not_on_tty, /* stdout is not a tty */ @@ -488,7 +475,6 @@ typedef struct afl_state { total_tmouts, /* Total number of timeouts */ unique_tmouts, /* Timeouts with unique signatures */ unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ last_crash_execs, /* Exec counter at last crash */ queue_cycle, /* Queue round counter */ cycles_wo_finds, /* Cycles without any new paths */ @@ -888,7 +874,7 @@ void show_init_stats(afl_state_t *); /* Run */ -u8 run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); +fsrv_run_result_t run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); void write_to_testcase(afl_state_t *, void *, u32); u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); void sync_fuzzers(afl_state_t *); diff --git a/include/forkserver.h b/include/forkserver.h index 6fbaf612..7559e785 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -29,6 +29,7 @@ #define __AFL_FORKSERVER_H #include +#include typedef struct afl_forkserver { @@ -55,16 +56,18 @@ typedef struct afl_forkserver { u32 snapshot; /* is snapshot feature used */ u64 mem_limit; /* Memory cap for child (MB) */ + u64 total_execs; /* How often run_target was called */ + u8 *out_file, /* File to fuzz, if any */ *target_path; /* Path of the target */ FILE *plot_file; /* Gnuplot output file */ - u8 child_timed_out; /* Traced process timed out? */ + u8 last_run_timed_out; /* Traced process timed out? */ - u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ + u8 last_kill_signal; /* Signal that killed the child */ - u32 prev_timed_out; /* if prev forkserver run timed out */ + u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */ u8 qemu_mode; /* if running in qemu mode or not */ @@ -79,10 +82,22 @@ typedef struct afl_forkserver { } afl_forkserver_t; +typedef enum fsrv_run_result { + + /* 00 */ FSRV_RUN_OK = 0, + /* 01 */ FSRV_RUN_TMOUT, + /* 02 */ FSRV_RUN_CRASH, + /* 03 */ FSRV_RUN_ERROR, + /* 04 */ FSRV_RUN_NOINST, + /* 05 */ FSRV_RUN_NOBITS, + +} fsrv_run_result_t; + void afl_fsrv_init(afl_forkserver_t *fsrv); void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output); +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, volatile u8 *stop_soon_p); void afl_fsrv_killall(void); void afl_fsrv_deinit(afl_forkserver_t *fsrv); diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 952786b0..8625cfda 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -80,7 +80,7 @@ static u8 edges_only, /* Ignore hit counts? */ use_stdin = 1; /* Use stdin for program input? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ - child_timed_out; /* Child timed out? */ + child_timed_out; /* Child timed out? */ static u8 *target_path; static u8 qemu_mode; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index f647ff5d..a7be8e8b 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -76,7 +76,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { fsrv->child_pid = -1; fsrv->map_size = MAP_SIZE; fsrv->use_fauxsrv = 0; - fsrv->prev_timed_out = 0; + fsrv->last_run_timed_out = 0; fsrv->init_child_func = fsrv_exec_child; @@ -102,7 +102,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->out_dir_fd = -1; fsrv_to->child_pid = -1; fsrv_to->use_fauxsrv = 0; - fsrv_to->prev_timed_out = 0; + fsrv_to->last_run_timed_out = 0; fsrv_to->init_child_func = fsrv_exec_child; @@ -217,7 +217,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); - fsrv->child_timed_out = 0; + fsrv->last_run_timed_out = 0; fsrv->fsrv_pid = fork(); if (fsrv->fsrv_pid < 0) PFATAL("fork() failed"); @@ -361,7 +361,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } else if (time > fsrv->exec_tmout * FORK_WAIT_MULT) { - fsrv->child_timed_out = 1; + fsrv->last_run_timed_out = 1; kill(fsrv->fsrv_pid, SIGKILL); } else { @@ -476,7 +476,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, } - if (fsrv->child_timed_out) + if (fsrv->last_run_timed_out) FATAL("Timeout while initializing fork server (adjusting -t may help)"); if (waitpid(fsrv->fsrv_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); @@ -640,6 +640,127 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) { } +/* Execute target application, monitoring for timeouts. Return status + information. The called program will update afl->fsrv->trace_bits. */ + +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, volatile u8 *stop_soon_p) { + + s32 res; + u32 exec_ms; + + int status = 0; + + u32 timeout = fsrv->exec_tmout; + + /* After this memset, fsrv->trace_bits[] are effectively volatile, so we + must prevent any earlier operations from venturing into that + territory. */ + + memset(fsrv->trace_bits, 0, fsrv->map_size); + + MEM_BARRIER(); + + /* we have the fork server (or faux server) up and running + First, tell it if the previous run timed out. */ + + if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->last_run_timed_out, 4)) != 4) { + + if (*stop_soon_p) return 0; + RPFATAL(res, "Unable to request new process from fork server (OOM?)"); + + } + + fsrv->last_run_timed_out = 0; + + if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { + + if (stop_soon_p) return 0; + RPFATAL(res, "Unable to request new process from fork server (OOM?)"); + + } + + if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); + + exec_ms = read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, stop_soon_p); + + if (exec_ms > timeout) { + + /* If there was no response from forkserver after timeout seconds, + we kill the child. The forkserver should inform us afterwards */ + + kill(fsrv->child_pid, SIGKILL); + fsrv->last_run_timed_out = 1; + if (read(fsrv->fsrv_st_fd, &status, 4) < 4) exec_ms = 0; + + } + + if (!exec_ms) { + + if (*stop_soon_p) return 0; + SAYF("\n" cLRD "[-] " cRST + "Unable to communicate with fork server. Some possible reasons:\n\n" + " - You've run out of memory. Use -m to increase the the memory " + "limit\n" + " to something higher than %lld.\n" + " - The binary or one of the libraries it uses manages to " + "create\n" + " threads before the forkserver initializes.\n" + " - The binary, at least in some circumstances, exits in a way " + "that\n" + " also kills the parent process - raise() could be the " + "culprit.\n" + " - If using persistent mode with QEMU, " + "AFL_QEMU_PERSISTENT_ADDR " + "is\n" + " probably not valid (hint: add the base address in case of " + "PIE)" + "\n\n" + "If all else fails you can disable the fork server via " + "AFL_NO_FORKSRV=1.\n", + fsrv->mem_limit); + RPFATAL(res, "Unable to communicate with fork server"); + + } + + if (!WIFSTOPPED(status)) fsrv->child_pid = 0; + + fsrv->total_execs++; + + /* Any subsequent operations on fsrv->trace_bits must not be moved by the + compiler below this point. Past this location, fsrv->trace_bits[] + behave very normally and do not have to be treated as volatile. */ + + MEM_BARRIER(); + + /* Report outcome to caller. */ + + if (WIFSIGNALED(status) && !*stop_soon_p) { + + fsrv->last_kill_signal = WTERMSIG(status); + + if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) + return FSRV_RUN_TMOUT; + + return FSRV_RUN_CRASH; + + } + + /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and + must use a special exit code. */ + + if (fsrv->uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { + + fsrv->last_kill_signal = 0; + return FSRV_RUN_CRASH; + + } + + if ((*(u32 *)fsrv->trace_bits) == EXEC_FAIL_SIG) return FSRV_RUN_NOINST; + + return FSRV_RUN_OK; + +} + void afl_fsrv_killall() { LIST_FOREACH(&fsrv_list, afl_forkserver_t, { @@ -656,4 +777,3 @@ void afl_fsrv_deinit(afl_forkserver_t *fsrv) { list_remove(&fsrv_list, fsrv); } - diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index a0a720fa..66b1e60d 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -598,7 +598,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0); - if (unlikely(res == FAULT_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) FATAL("Unable to execute target application"); fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600); @@ -612,7 +612,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { switch (fault) { - case FAULT_TMOUT: + case FSRV_RUN_TMOUT: /* Timeouts are not very interesting, but we're still obliged to keep a handful of samples. We use the presence of new bits in the @@ -651,9 +651,9 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { timeout actually uncovers a crash. Make sure we don't discard it if so. */ - if (!afl->stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; + if (!afl->stop_soon && new_fault == FSRV_RUN_CRASH) goto keep_as_crash; - if (afl->stop_soon || new_fault != FAULT_TMOUT) return keeping; + if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) return keeping; } @@ -675,7 +675,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { break; - case FAULT_CRASH: + case FSRV_RUN_CRASH: keep_as_crash: @@ -704,7 +704,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, - afl->unique_crashes, afl->kill_signal, describe_op(afl, 0)); + afl->unique_crashes, afl->fsrv.last_kill_signal, describe_op(afl, 0)); #else @@ -730,11 +730,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { } afl->last_crash_time = get_cur_time(); - afl->last_crash_execs = afl->total_execs; + afl->last_crash_execs = afl->fsrv.total_execs; break; - case FAULT_ERROR: FATAL("Unable to execute target application"); + case FSRV_RUN_ERROR: FATAL("Unable to execute target application"); default: return keeping; diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index e2747097..ab93d838 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -66,7 +66,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->stop_soon) return 1; - if (fault == FAULT_TMOUT) { + if (fault == FSRV_RUN_TMOUT) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 10417da6..55f7ce53 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -493,13 +493,13 @@ void perform_dry_run(afl_state_t *afl) { if (afl->stop_soon) return; - if (res == afl->crash_mode || res == FAULT_NOBITS) + if (res == afl->crash_mode || res == FSRV_RUN_NOBITS) SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, q->len, q->bitmap_size, q->exec_us); switch (res) { - case FAULT_NONE: + case FSRV_RUN_OK: if (q == afl->queue) check_map_coverage(afl); @@ -507,7 +507,7 @@ void perform_dry_run(afl_state_t *afl) { break; - case FAULT_TMOUT: + case FSRV_RUN_TMOUT: if (afl->timeout_given) { @@ -556,7 +556,7 @@ void perform_dry_run(afl_state_t *afl) { } - case FAULT_CRASH: + case FSRV_RUN_CRASH: if (afl->crash_mode) break; @@ -650,13 +650,13 @@ void perform_dry_run(afl_state_t *afl) { FATAL("Test case '%s' results in a crash", fn); - case FAULT_ERROR: + case FSRV_RUN_ERROR: FATAL("Unable to execute target application ('%s')", afl->argv[0]); - case FAULT_NOINST: FATAL("No instrumentation detected"); + case FSRV_RUN_NOINST: FATAL("No instrumentation detected"); - case FAULT_NOBITS: + case FSRV_RUN_NOBITS: ++afl->useless_at_start; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index efb1c117..7bf23e84 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -242,7 +242,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; - if (afl->stop_soon || fault == FAULT_ERROR) { goto abort_trimming; } + if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 961a29d6..cc97654a 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -442,14 +442,14 @@ u8 fuzz_one_original(afl_state_t *afl) { if (unlikely(afl->queue_cur->cal_failed)) { - u8 res = FAULT_TMOUT; + u8 res = FSRV_RUN_TMOUT; if (afl->queue_cur->cal_failed < CAL_CHANCES) { res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); - if (unlikely(res == FAULT_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) FATAL("Unable to execute target application"); } @@ -471,7 +471,7 @@ u8 fuzz_one_original(afl_state_t *afl) { u8 res = trim_case(afl, afl->queue_cur, in_buf); - if (unlikely(res == FAULT_ERROR)) + if (unlikely(res == FSRV_RUN_ERROR)) FATAL("Unable to execute target application"); if (unlikely(afl->stop_soon)) { @@ -2469,14 +2469,14 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (afl->queue_cur->cal_failed) { - u8 res = FAULT_TMOUT; + u8 res = FSRV_RUN_TMOUT; if (afl->queue_cur->cal_failed < CAL_CHANCES) { res = calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (res == FSRV_RUN_ERROR) FATAL("Unable to execute target application"); } @@ -2497,7 +2497,7 @@ u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { u8 res = trim_case(afl, afl->queue_cur, in_buf); - if (res == FAULT_ERROR) FATAL("Unable to execute target application"); + if (res == FSRV_RUN_ERROR) FATAL("Unable to execute target application"); if (afl->stop_soon) { diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 5eb110d0..d05eee08 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -492,7 +492,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { // the more often fuzz result paths are equal to this queue entry, // reduce its value perf_score *= - (1 - (double)((double)q->n_fuzz / (double)afl->total_execs)); + (1 - (double)((double)q->n_fuzz / (double)afl->fsrv.total_execs)); break; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6a01ec89..8cea01e8 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -622,7 +622,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1; u64 orig_hit_cnt, new_hit_cnt; - u64 orig_execs = afl->total_execs; + u64 orig_execs = afl->fsrv.total_execs; orig_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->stage_name = "input-to-state"; @@ -670,7 +670,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, exit_its: new_hit_cnt = afl->queued_paths + afl->unique_crashes; afl->stage_finds[STAGE_ITS] += new_hit_cnt - orig_hit_cnt; - afl->stage_cycles[STAGE_ITS] += afl->total_execs - orig_execs; + afl->stage_cycles[STAGE_ITS] += afl->fsrv.total_execs - orig_execs; memcpy(orig_buf, buf, len); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 514ba9ef..b20c5436 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -32,95 +32,9 @@ /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */ -u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { +fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { - s32 res; - u32 exec_ms; - - int status = 0; - u32 tb4; - - fsrv->child_timed_out = 0; - - /* After this memset, fsrv->trace_bits[] are effectively volatile, so we - must prevent any earlier operations from venturing into that - territory. */ - - memset(fsrv->trace_bits, 0, fsrv->map_size); - - MEM_BARRIER(); - - /* we have the fork server (or faux server) up and running, so simply - tell it to have at it, and then read back PID. */ - - if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)) != 4) { - - if (afl->stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - - if (afl->stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - - exec_ms = read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, &afl->stop_soon); - - if (exec_ms > timeout) { - - /* If there was no response from forkserver after timeout seconds, - we kill the child. The forkserver should inform us afterwards */ - - kill(fsrv->child_pid, SIGKILL); - fsrv->child_timed_out = 1; - if (read(fsrv->fsrv_st_fd, &status, 4) < 4) exec_ms = 0; - - } - - if (!exec_ms) { - - if (afl->stop_soon) return 0; - SAYF("\n" cLRD "[-] " cRST - "Unable to communicate with fork server. Some possible reasons:\n\n" - " - You've run out of memory. Use -m to increase the the memory " - "limit\n" - " to something higher than %lld.\n" - " - The binary or one of the libraries it uses manages to " - "create\n" - " threads before the forkserver initializes.\n" - " - The binary, at least in some circumstances, exits in a way " - "that\n" - " also kills the parent process - raise() could be the " - "culprit.\n" - " - If using persistent mode with QEMU, " - "AFL_QEMU_PERSISTENT_ADDR " - "is\n" - " probably not valid (hint: add the base address in case of " - "PIE)" - "\n\n" - "If all else fails you can disable the fork server via " - "AFL_NO_FORKSRV=1.\n", - fsrv->mem_limit); - RPFATAL(res, "Unable to communicate with fork server"); - - } - - if (!WIFSTOPPED(status)) fsrv->child_pid = 0; - - ++afl->total_execs; - - /* Any subsequent operations on fsrv->trace_bits must not be moved by the - compiler below this point. Past this location, fsrv->trace_bits[] - behave very normally and do not have to be treated as volatile. */ - - MEM_BARRIER(); - - tb4 = *(u32 *)fsrv->trace_bits; + fsrv_run_result_t res = afl_fsrv_run_target(&afl->fsrv, &afl->stop_soon); #ifdef WORD_SIZE_64 classify_counts(afl, (u64 *)fsrv->trace_bits); @@ -128,35 +42,7 @@ u8 run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { classify_counts(afl, (u32 *)fsrv->trace_bits); #endif /* ^WORD_SIZE_64 */ - fsrv->prev_timed_out = fsrv->child_timed_out; - - /* Report outcome to caller. */ - - if (WIFSIGNALED(status) && !afl->stop_soon) { - - afl->kill_signal = WTERMSIG(status); - - if (fsrv->child_timed_out && afl->kill_signal == SIGKILL) - return FAULT_TMOUT; - - return FAULT_CRASH; - - } - - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ - - if (fsrv->uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { - - afl->kill_signal = 0; - return FAULT_CRASH; - - } - - if ((afl->dumb_mode == 1 || afl->no_forkserver) && tb4 == EXEC_FAIL_SIG) - return FAULT_ERROR; - - return FAULT_NONE; + return res; } @@ -348,7 +234,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, if (!afl->dumb_mode && !afl->stage_cur && !count_bytes(afl, afl->fsrv.trace_bits)) { - fault = FAULT_NOINST; + fault = FSRV_RUN_NOINST; goto abort_calibration; } @@ -408,7 +294,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, parent. This is a non-critical problem, but something to warn the user about. */ - if (!afl->dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; + if (!afl->dumb_mode && first_run && !fault && !new_bits) fault = FSRV_RUN_NOBITS; abort_calibration: @@ -645,7 +531,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; - if (afl->stop_soon || fault == FAULT_ERROR) goto abort_trimming; + if (afl->stop_soon || fault == FSRV_RUN_ERROR) goto abort_trimming; /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ @@ -753,7 +639,7 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { if (afl->stop_soon) return 1; - if (fault == FAULT_TMOUT) { + if (fault == FSRV_RUN_TMOUT) { if (afl->subseq_tmouts++ > TMOUT_LIMIT) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index d48dd5e3..52148dc2 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -108,14 +108,14 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, afl->start_time / 1000, cur_time / 1000, (cur_time - afl->start_time) / 1000, getpid(), afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, - afl->total_execs, - afl->total_execs / ((double)(get_cur_time() - afl->start_time) / 1000), + afl->fsrv.total_execs, + afl->fsrv.total_execs / ((double)(get_cur_time() - afl->start_time) / 1000), afl->queued_paths, afl->queued_favored, afl->queued_discovered, afl->queued_imported, afl->max_depth, afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, afl->queued_variable, stability, bitmap_cvg, afl->unique_crashes, afl->unique_hangs, afl->last_path_time / 1000, afl->last_crash_time / 1000, - afl->last_hang_time / 1000, afl->total_execs - afl->last_crash_execs, + afl->last_hang_time / 1000, afl->fsrv.total_execs - afl->last_crash_execs, afl->fsrv.exec_tmout, afl->slowest_exec_ms, #ifdef __APPLE__ (unsigned long int)(rus.ru_maxrss >> 20), @@ -227,7 +227,7 @@ void show_stats(afl_state_t *afl) { if (afl->most_execs_key == 1) { - if (afl->most_execs <= afl->total_execs) { + if (afl->most_execs <= afl->fsrv.total_execs) { afl->most_execs_key = 2; afl->stop_soon = 2; @@ -251,11 +251,11 @@ void show_stats(afl_state_t *afl) { if (!afl->stats_last_execs) { afl->stats_avg_exec = - ((double)afl->total_execs) * 1000 / (cur_ms - afl->start_time); + ((double)afl->fsrv.total_execs) * 1000 / (cur_ms - afl->start_time); } else { - double cur_avg = ((double)(afl->total_execs - afl->stats_last_execs)) * + double cur_avg = ((double)(afl->fsrv.total_execs - afl->stats_last_execs)) * 1000 / (cur_ms - afl->stats_last_ms); /* If there is a dramatic (5x+) jump in speed, reset the indicator @@ -270,7 +270,7 @@ void show_stats(afl_state_t *afl) { } afl->stats_last_ms = cur_ms; - afl->stats_last_execs = afl->total_execs; + afl->stats_last_execs = afl->fsrv.total_execs; /* Tell the callers when to contact us (as measured in execs). */ @@ -543,14 +543,14 @@ void show_stats(afl_state_t *afl) { SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP " new crashes : %s%-22s" bSTG bV "\n", - u_stringify_int(IB(0), afl->total_execs), + u_stringify_int(IB(0), afl->fsrv.total_execs), afl->unique_crashes ? cLRD : cRST, tmp); } else { SAYF(bV bSTOP " total execs : " cRST "%-20s " bSTG bV bSTOP " total crashes : %s%-22s" bSTG bV "\n", - u_stringify_int(IB(0), afl->total_execs), + u_stringify_int(IB(0), afl->fsrv.total_execs), afl->unique_crashes ? cLRD : cRST, tmp); } diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 07067691..9f17b61b 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -480,7 +480,7 @@ int main(int argc, char **argv_orig, char **envp) { case 'C': /* crash mode */ if (afl->crash_mode) FATAL("Multiple -C options not supported"); - afl->crash_mode = FAULT_CRASH; + afl->crash_mode = FSRV_RUN_CRASH; break; case 'n': /* dumb mode */ diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index eea1cc95..16d6fe41 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -40,7 +40,6 @@ #include #include -#include #include #include #include diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 3fcc1d2b..5f622c25 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -69,7 +69,7 @@ static u8 *in_data; /* Input data */ static u32 total, highest; /* tuple content information */ static u32 in_len, /* Input data length */ - arg_offset, total_execs; /* Total number of execs */ + arg_offset; /* Total number of execs */ static u8 quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ @@ -193,7 +193,7 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { if (cmin_mode) { - if (fsrv->child_timed_out) break; + if (fsrv->last_run_timed_out) break; if (!caa && child_crashed != cco) break; fprintf(f, "%u%u\n", fsrv->trace_bits[i], i); @@ -233,75 +233,18 @@ static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { } -/* Execute target application. Returns 0 if the changes are a dud, or - 1 if they should be kept. */ +/* Execute target application. */ -static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, +void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len) { - struct itimerval it; - int status = 0; - - memset(fsrv->trace_bits, 0, MAP_SIZE); - MEM_BARRIER(); - write_to_testcase(fsrv, mem, len); - s32 res; - - /* we have the fork server up and running, so simply - tell it to have at it, and then read back PID. */ - - if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - - /* Configure timeout, wait for child, cancel timeout. */ - - if (fsrv->exec_tmout) { - - it.it_value.tv_sec = (fsrv->exec_tmout / 1000); - it.it_value.tv_usec = (fsrv->exec_tmout % 1000) * 1000; - - } - - setitimer(ITIMER_REAL, &it, NULL); - - if ((res = read(fsrv->fsrv_st_fd, &status, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to communicate with fork server (OOM?)"); - - } - - fsrv->child_pid = 0; - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - - setitimer(ITIMER_REAL, &it, NULL); - - MEM_BARRIER(); - - /* Clean up bitmap, analyze exit condition, etc. */ - - if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute '%s'", argv[0]); + fsrv_run_result_t res = afl_fsrv_run_target(fsrv, &stop_soon); + if (res == FSRV_RUN_NOINST || res == FSRV_RUN_ERROR) FATAL("Error running target"); classify_counts(fsrv->trace_bits, binary_mode ? count_class_binary : count_class_human); - total_execs++; if (stop_soon) { @@ -310,22 +253,6 @@ static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, } - /* Always discard inputs that time out. */ - - if (fsrv->child_timed_out) { return 0; } - - /* Handle crashing inputs depending on current mode. */ - - if (WIFSIGNALED(status) || - (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || - (WIFEXITED(status) && WEXITSTATUS(status))) { - - return 0; - - } - - return 0; - } /* Read initial file. */ @@ -425,7 +352,7 @@ static void run_target(afl_forkserver_t *fsrv, char **argv) { if (fsrv->exec_tmout) { - fsrv->child_timed_out = 0; + fsrv->last_run_timed_out = 0; it.it_value.tv_sec = (fsrv->exec_tmout / 1000); it.it_value.tv_usec = (fsrv->exec_tmout % 1000) * 1000; @@ -452,12 +379,12 @@ static void run_target(afl_forkserver_t *fsrv, char **argv) { if (!quiet_mode) SAYF(cRST "-- Program output ends --\n"); - if (!fsrv->child_timed_out && !stop_soon && WIFSIGNALED(status)) + if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(status)) child_crashed = 1; if (!quiet_mode) { - if (fsrv->child_timed_out) + if (fsrv->last_run_timed_out) SAYF(cLRD "\n+++ Program timed off +++\n" cRST); else if (stop_soon) SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST); @@ -980,7 +907,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (!quiet_mode) OKF("Processed %u input files.", total_execs); + if (!quiet_mode) OKF("Processed %llu input files.", fsrv->total_execs); closedir(dir_in); if (dir_out) closedir(dir_out); @@ -1010,7 +937,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_shm_deinit(&shm); - u32 ret = child_crashed * 2 + fsrv->child_timed_out; + u32 ret = child_crashed * 2 + fsrv->last_run_timed_out; if (fsrv->target_path) ck_free(fsrv->target_path); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 31fad1df..999d5f65 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -67,7 +67,6 @@ static u8 *in_data; /* Input data for trimming */ static u32 in_len, /* Input data length */ orig_cksum, /* Original checksum */ - total_execs, /* Total number of execs */ missed_hangs, /* Misses due to hangs */ missed_crashes, /* Misses due to crashes */ missed_paths; /* Misses due to exec path diffs */ @@ -249,69 +248,11 @@ static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, u8 first_run) { - struct itimerval it; - int status = 0; - - u32 cksum; - - fsrv->child_timed_out = 0; - - memset(fsrv->trace_bits, 0, fsrv->map_size); - MEM_BARRIER(); - write_to_testcase(fsrv, mem, len); - s32 res; - - /* we have the fork server up and running, so simply - tell it to have at it, and then read back PID. */ - - if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->prev_timed_out, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - - /* Configure timeout, wait for child, cancel timeout. */ - - if (fsrv->exec_tmout) { - - it.it_value.tv_sec = (fsrv->exec_tmout / 1000); - it.it_value.tv_usec = (fsrv->exec_tmout % 1000) * 1000; - - } - - setitimer(ITIMER_REAL, &it, NULL); + fsrv_run_result_t ret = afl_fsrv_run_target(fsrv, &stop_soon); - if ((res = read(fsrv->fsrv_st_fd, &status, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to communicate with fork server (OOM?)"); - - } - - fsrv->child_pid = 0; - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - - setitimer(ITIMER_REAL, &it, NULL); - - MEM_BARRIER(); - - /* Clean up bitmap, analyze exit condition, etc. */ - - if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute '%s'", argv[0]); + if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child"); if (!hang_mode) { @@ -320,8 +261,6 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, } - total_execs++; - if (stop_soon) { SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST); @@ -334,25 +273,21 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, if (hang_mode) { - if (fsrv->child_timed_out) return 1; - - if (WIFSIGNALED(status) || - (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || - (WIFEXITED(status) && WEXITSTATUS(status) && exit_crash)) { - + switch (ret) + { + case FSRV_RUN_TMOUT: + return 1; + case FSRV_RUN_CRASH: missed_crashes++; - - } else { - + return 0; + default: missed_hangs++; - + return 0; } - return 0; - } - if (fsrv->child_timed_out) { + if (ret == FSRV_RUN_TMOUT) { missed_hangs++; return 0; @@ -361,9 +296,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, /* Handle crashing inputs depending on current mode. */ - if (WIFSIGNALED(status) || - (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || - (WIFEXITED(status) && WEXITSTATUS(status) && exit_crash)) { + if (ret == FSRV_RUN_CRASH) { if (first_run) crash_mode = 1; @@ -391,7 +324,9 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, } - cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST); + if (ret == FSRV_RUN_NOINST) FATAL("Binary not instrumented?"); + + u32 cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST); if (first_run) orig_cksum = cksum; @@ -640,11 +575,11 @@ finalize_all: SAYF("\n" cGRA " File size reduced by : " cRST "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST - "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA + "%0.02f%%\n" cGRA " Number of execs done : " cRST "%llu\n" cGRA " Fruitless execs : " cRST "termination=%u crash=%u\n\n", 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), fsrv->total_execs, missed_paths, missed_crashes); return; @@ -652,13 +587,13 @@ finalize_all: SAYF("\n" cGRA " File size reduced by : " cRST "%0.02f%% (to %u byte%s)\n" cGRA " Characters simplified : " cRST - "%0.02f%%\n" cGRA " Number of execs done : " cRST "%u\n" cGRA + "%0.02f%%\n" cGRA " Number of execs done : " cRST "%llu\n" cGRA " Fruitless execs : " cRST "path=%u crash=%u hang=%s%u\n\n", 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), total_execs, + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), fsrv->total_execs, missed_paths, missed_crashes, missed_hangs ? cLRD : "", missed_hangs); - if (total_execs > 50 && missed_hangs * 10 > total_execs && !hang_mode) + if (fsrv->total_execs > 50 && missed_hangs * 10 > fsrv->total_execs && !hang_mode) WARNF(cLRD "Frequent timeouts - results may be skewed." cRST); } @@ -1139,13 +1074,13 @@ int main(int argc, char **argv_orig, char **envp) { run_target(fsrv, use_argv, in_data, in_len, 1); - if (hang_mode && !fsrv->child_timed_out) + if (hang_mode && !fsrv->last_run_timed_out) FATAL( "Target binary did not time out but hang minimization mode " "(-H) was set (-t %u).", fsrv->exec_tmout); - if (fsrv->child_timed_out && !hang_mode) + if (fsrv->last_run_timed_out && !hang_mode) FATAL( "Target binary times out (adjusting -t may help). Use -H to minimize a " "hang."); -- cgit 1.4.1 From c009896c34ea0a0605d07be6671c677d0769a59e Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Tue, 14 Apr 2020 19:29:18 +0200 Subject: code format --- include/afl-fuzz.h | 3 +-- include/forkserver.h | 9 +++++---- src/afl-analyze.c | 2 +- src/afl-forkserver.c | 4 +++- src/afl-fuzz-bitmap.c | 3 ++- src/afl-fuzz-redqueen.c | 3 ++- src/afl-fuzz-run.c | 6 ++++-- src/afl-fuzz-stats.c | 3 ++- src/afl-showmap.c | 5 +++-- src/afl-tmin.c | 28 +++++++++++++--------------- 10 files changed, 36 insertions(+), 30 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index abaa71b5..38501699 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -195,7 +195,6 @@ enum { }; - #define operator_num 16 #define swarm_num 5 #define period_core 500000 @@ -875,7 +874,7 @@ void show_init_stats(afl_state_t *); /* Run */ fsrv_run_result_t run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); -void write_to_testcase(afl_state_t *, void *, u32); +void write_to_testcase(afl_state_t *, void *, u32); u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); void sync_fuzzers(afl_state_t *); u8 trim_case(afl_state_t *, struct queue_entry *, u8 *); diff --git a/include/forkserver.h b/include/forkserver.h index 7559e785..82953855 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -63,7 +63,7 @@ typedef struct afl_forkserver { FILE *plot_file; /* Gnuplot output file */ - u8 last_run_timed_out; /* Traced process timed out? */ + u8 last_run_timed_out; /* Traced process timed out? */ u8 last_kill_signal; /* Signal that killed the child */ @@ -97,9 +97,10 @@ void afl_fsrv_init(afl_forkserver_t *fsrv); void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output); -fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, volatile u8 *stop_soon_p); -void afl_fsrv_killall(void); -void afl_fsrv_deinit(afl_forkserver_t *fsrv); +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, + volatile u8 * stop_soon_p); +void afl_fsrv_killall(void); +void afl_fsrv_deinit(afl_forkserver_t *fsrv); #ifdef __APPLE__ #define MSG_FORK_ON_APPLE \ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 8625cfda..952786b0 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -80,7 +80,7 @@ static u8 edges_only, /* Ignore hit counts? */ use_stdin = 1; /* Use stdin for program input? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */ - child_timed_out; /* Child timed out? */ + child_timed_out; /* Child timed out? */ static u8 *target_path; static u8 qemu_mode; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index a7be8e8b..f0040617 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -643,7 +643,8 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) { /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */ -fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, volatile u8 *stop_soon_p) { +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, + volatile u8 * stop_soon_p) { s32 res; u32 exec_ms; @@ -777,3 +778,4 @@ void afl_fsrv_deinit(afl_forkserver_t *fsrv) { list_remove(&fsrv_list, fsrv); } + diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 66b1e60d..298a6207 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -704,7 +704,8 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { #ifndef SIMPLE_FILES snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, - afl->unique_crashes, afl->fsrv.last_kill_signal, describe_op(afl, 0)); + afl->unique_crashes, afl->fsrv.last_kill_signal, + describe_op(afl, 0)); #else diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 8cea01e8..6f2fb144 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -131,7 +131,8 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) { u32 cksum; u64 start_us = get_cur_time_us(); - if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) goto checksum_fail; + if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) + goto checksum_fail; u64 stop_us = get_cur_time_us(); diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index b20c5436..370a7734 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -32,7 +32,8 @@ /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */ -fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { +fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv, + u32 timeout) { fsrv_run_result_t res = afl_fsrv_run_target(&afl->fsrv, &afl->stop_soon); @@ -294,7 +295,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, parent. This is a non-critical problem, but something to warn the user about. */ - if (!afl->dumb_mode && first_run && !fault && !new_bits) fault = FSRV_RUN_NOBITS; + if (!afl->dumb_mode && first_run && !fault && !new_bits) + fault = FSRV_RUN_NOBITS; abort_calibration: diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 52148dc2..7cc9b920 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -109,7 +109,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, (cur_time - afl->start_time) / 1000, getpid(), afl->queue_cycle ? (afl->queue_cycle - 1) : 0, afl->cycles_wo_finds, afl->fsrv.total_execs, - afl->fsrv.total_execs / ((double)(get_cur_time() - afl->start_time) / 1000), + afl->fsrv.total_execs / + ((double)(get_cur_time() - afl->start_time) / 1000), afl->queued_paths, afl->queued_favored, afl->queued_discovered, afl->queued_imported, afl->max_depth, afl->current_entry, afl->pending_favored, afl->pending_not_fuzzed, afl->queued_variable, diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 5f622c25..fa799bf9 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -236,12 +236,13 @@ static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { /* Execute target application. */ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, - u32 len) { + u32 len) { write_to_testcase(fsrv, mem, len); fsrv_run_result_t res = afl_fsrv_run_target(fsrv, &stop_soon); - if (res == FSRV_RUN_NOINST || res == FSRV_RUN_ERROR) FATAL("Error running target"); + if (res == FSRV_RUN_NOINST || res == FSRV_RUN_ERROR) + FATAL("Error running target"); classify_counts(fsrv->trace_bits, binary_mode ? count_class_binary : count_class_human); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 999d5f65..c994c2de 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -273,16 +273,12 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, if (hang_mode) { - switch (ret) - { - case FSRV_RUN_TMOUT: - return 1; - case FSRV_RUN_CRASH: - missed_crashes++; - return 0; - default: - missed_hangs++; - return 0; + switch (ret) { + + case FSRV_RUN_TMOUT: return 1; + case FSRV_RUN_CRASH: missed_crashes++; return 0; + default: missed_hangs++; return 0; + } } @@ -579,8 +575,8 @@ finalize_all: " Fruitless execs : " cRST "termination=%u crash=%u\n\n", 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), fsrv->total_execs, - missed_paths, missed_crashes); + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), + fsrv->total_execs, missed_paths, missed_crashes); return; } @@ -590,10 +586,12 @@ finalize_all: "%0.02f%%\n" cGRA " Number of execs done : " cRST "%llu\n" cGRA " Fruitless execs : " cRST "path=%u crash=%u hang=%s%u\n\n", 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), fsrv->total_execs, - missed_paths, missed_crashes, missed_hangs ? cLRD : "", missed_hangs); + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), + fsrv->total_execs, missed_paths, missed_crashes, + missed_hangs ? cLRD : "", missed_hangs); - if (fsrv->total_execs > 50 && missed_hangs * 10 > fsrv->total_execs && !hang_mode) + if (fsrv->total_execs > 50 && missed_hangs * 10 > fsrv->total_execs && + !hang_mode) WARNF(cLRD "Frequent timeouts - results may be skewed." cRST); } -- cgit 1.4.1 From 0c02a8f4d31480c8459bc695ae655b69d02b98df Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 15 Apr 2020 19:23:26 +0200 Subject: changed run_target --- include/afl-fuzz.h | 4 ++-- include/forkserver.h | 10 +++++---- llvm_mode/afl-clang-fast.c | 10 +++++++-- src/afl-forkserver.c | 13 +++++++----- src/afl-fuzz-bitmap.c | 12 +++++++---- src/afl-fuzz-run.c | 10 +-------- src/afl-showmap.c | 18 ++++++++-------- src/afl-tmin.c | 51 +++++++++++++++++++++++----------------------- 8 files changed, 68 insertions(+), 60 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 38501699..7c6019e6 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -842,10 +842,10 @@ u32 count_bytes(afl_state_t *, u8 *); u32 count_non_255_bytes(afl_state_t *, u8 *); #ifdef WORD_SIZE_64 void simplify_trace(afl_state_t *, u64 *); -void classify_counts(afl_state_t *, u64 *); +void classify_counts(afl_forkserver_t *); #else void simplify_trace(afl_state_t *, u32 *); -void classify_counts(afl_state_t *, u32 *); +void classify_counts(afl_forkserver_t *); #endif void init_count_class16(void); void minimize_bits(afl_state_t *, u8 *, u8 *); diff --git a/include/forkserver.h b/include/forkserver.h index 82953855..f24393bc 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -97,10 +97,12 @@ void afl_fsrv_init(afl_forkserver_t *fsrv); void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output); -fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, - volatile u8 * stop_soon_p); -void afl_fsrv_killall(void); -void afl_fsrv_deinit(afl_forkserver_t *fsrv); +fsrv_run_result_t afl_fsrv_run_target( + afl_forkserver_t *fsrv, u32 timeout, + void(classify_counts_func)(afl_forkserver_t *fsrv), + volatile u8 *stop_soon_p); +void afl_fsrv_killall(void); +void afl_fsrv_deinit(afl_forkserver_t *fsrv); #ifdef __APPLE__ #define MSG_FORK_ON_APPLE \ diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index f58c22dd..57d7b89a 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -184,7 +184,9 @@ static void edit_params(u32 argc, char **argv, char **envp) { sprintf(llvm_fullpath, CLANGPP_BIN); cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)llvm_fullpath; - } else if (!strcmp(name, "afl-clang-fast") || !strcmp(name, "afl-clang-lto")) { + } else if (!strcmp(name, "afl-clang-fast") || + + !strcmp(name, "afl-clang-lto")) { u8 *alt_cc = getenv("AFL_CC"); if (USE_BINDIR) @@ -194,8 +196,12 @@ static void edit_params(u32 argc, char **argv, char **envp) { cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)llvm_fullpath; } else { + fprintf(stderr, "Name of the binary: %s\n", argv[0]); - FATAL("Name of the binary is not a known name, expected afl-clang-fast(++) or afl-clang-lto(++)"); + FATAL( + "Name of the binary is not a known name, expected afl-clang-fast(++) " + "or afl-clang-lto(++)"); + } /* There are three ways to compile with afl-clang-fast. In the traditional diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index f0040617..89480b07 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -643,16 +643,16 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) { /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */ -fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, - volatile u8 * stop_soon_p) { +fsrv_run_result_t afl_fsrv_run_target( + afl_forkserver_t *fsrv, u32 timeout, + void(classify_counts_func)(afl_forkserver_t *fsrv), + volatile u8 *stop_soon_p) { s32 res; u32 exec_ms; int status = 0; - u32 timeout = fsrv->exec_tmout; - /* After this memset, fsrv->trace_bits[] are effectively volatile, so we must prevent any earlier operations from venturing into that territory. */ @@ -732,6 +732,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, behave very normally and do not have to be treated as volatile. */ MEM_BARRIER(); + u32 tb4 = *(u32 *)fsrv->trace_bits; + + if (likely(classify_counts_func)) classify_counts_func(fsrv); /* Report outcome to caller. */ @@ -756,7 +759,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, } - if ((*(u32 *)fsrv->trace_bits) == EXEC_FAIL_SIG) return FSRV_RUN_NOINST; + if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR; return FSRV_RUN_OK; diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 298a6207..c5cede4d 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -351,9 +351,11 @@ void init_count_class16(void) { #ifdef WORD_SIZE_64 -void classify_counts(afl_state_t *afl, u64 *mem) { +void classify_counts(afl_forkserver_t *fsrv) { - u32 i = (afl->fsrv.map_size >> 3); + u32 *mem = (u32 *)fsrv->trace_bits; + + u32 i = (fsrv->map_size >> 3); if (i == 0) i = 1; @@ -380,9 +382,11 @@ void classify_counts(afl_state_t *afl, u64 *mem) { #else -void classify_counts(afl_state_t *afl, u32 *mem) { +void classify_counts(afl_forkserver_t *fsrv) { - u32 i = (afl->fsrv.map_size >> 2); + u64 *mem = (u64 *)fsrv->trace_bits; + + u32 i = (fsrv->map_size >> 2); if (i == 0) i = 1; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 370a7734..c3ed59ef 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -35,15 +35,7 @@ fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { - fsrv_run_result_t res = afl_fsrv_run_target(&afl->fsrv, &afl->stop_soon); - -#ifdef WORD_SIZE_64 - classify_counts(afl, (u64 *)fsrv->trace_bits); -#else - classify_counts(afl, (u32 *)fsrv->trace_bits); -#endif /* ^WORD_SIZE_64 */ - - return res; + return afl_fsrv_run_target(fsrv, timeout, classify_counts, &afl->stop_soon); } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index fa799bf9..2326d469 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -106,7 +106,10 @@ static const u8 count_class_binary[256] = { }; -static void classify_counts(u8 *mem, const u8 *map) { +static void classify_counts(afl_forkserver_t *fsrv) { + + u8 * mem = fsrv->trace_bits; + const u8 *map = binary_mode ? count_class_binary : count_class_human; u32 i = MAP_SIZE; @@ -240,12 +243,12 @@ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, write_to_testcase(fsrv, mem, len); - fsrv_run_result_t res = afl_fsrv_run_target(fsrv, &stop_soon); - if (res == FSRV_RUN_NOINST || res == FSRV_RUN_ERROR) + if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, + &stop_soon) == FSRV_RUN_ERROR) { + FATAL("Error running target"); - classify_counts(fsrv->trace_bits, - binary_mode ? count_class_binary : count_class_human); + } if (stop_soon) { @@ -375,8 +378,7 @@ static void run_target(afl_forkserver_t *fsrv, char **argv) { if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) FATAL("Unable to execute '%s'", argv[0]); - classify_counts(fsrv->trace_bits, - binary_mode ? count_class_binary : count_class_human); + classify_counts(fsrv); if (!quiet_mode) SAYF(cRST "-- Program output ends --\n"); @@ -587,7 +589,7 @@ static void find_binary(afl_forkserver_t *fsrv, u8 *fname) { break; ck_free(fsrv->target_path); - fsrv->target_path = 0; + fsrv->target_path = NULL; } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index c994c2de..84e9a498 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -100,8 +100,29 @@ static const u8 count_class_lookup[256] = { }; -static void classify_counts(u8 *mem) { +/* Apply mask to classified bitmap (if set). */ + +static void apply_mask(u32 *mem, u32 *mask) { + + u32 i = (MAP_SIZE >> 2); + + if (!mask) return; + + while (i--) { + + *mem &= ~*mask; + mem++; + mask++; + + } +} + +static void classify_counts(afl_forkserver_t *fsrv) { + + if (hang_mode) return; /* We only want hangs */ + + u8 *mem = fsrv->trace_bits; u32 i = MAP_SIZE; if (edges_only) { @@ -124,23 +145,7 @@ static void classify_counts(u8 *mem) { } -} - -/* Apply mask to classified bitmap (if set). */ - -static void apply_mask(u32 *mem, u32 *mask) { - - u32 i = (MAP_SIZE >> 2); - - if (!mask) return; - - while (i--) { - - *mem &= ~*mask; - mem++; - mask++; - - } + apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap); } @@ -250,17 +255,11 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, write_to_testcase(fsrv, mem, len); - fsrv_run_result_t ret = afl_fsrv_run_target(fsrv, &stop_soon); + fsrv_run_result_t ret = + afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, &stop_soon); if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child"); - if (!hang_mode) { - - classify_counts(fsrv->trace_bits); - apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap); - - } - if (stop_soon) { SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST); -- cgit 1.4.1 From ef1ea07e68682a4d411a0b9944cc6b48c730d214 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 15 Apr 2020 20:22:32 +0200 Subject: wrong bytes set --- src/afl-fuzz-bitmap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index c5cede4d..852e3a7c 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -353,7 +353,7 @@ void init_count_class16(void) { void classify_counts(afl_forkserver_t *fsrv) { - u32 *mem = (u32 *)fsrv->trace_bits; + u64 *mem = (u64 *)fsrv->trace_bits; u32 i = (fsrv->map_size >> 3); @@ -384,7 +384,7 @@ void classify_counts(afl_forkserver_t *fsrv) { void classify_counts(afl_forkserver_t *fsrv) { - u64 *mem = (u64 *)fsrv->trace_bits; + u32 *mem = (u32 *)fsrv->trace_bits; u32 i = (fsrv->map_size >> 2); -- cgit 1.4.1 From 21f696f02e2e17e66e8f275b2de333a4871e1863 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 15 Apr 2020 22:26:30 +0200 Subject: fix document mode --- src/afl-fuzz-run.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index c3ed59ef..c27ee30c 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -50,7 +50,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { #ifdef _AFL_DOCUMENT_MUTATIONS s32 doc_fd; char fn[PATH_MAX]; - snprintf(fn, PATH_MAX, ("%s/mutations/%09u:%s", afl->out_dir, + snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir, afl->document_counter++, describe_op(afl, 0)); if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) { -- cgit 1.4.1 From 0f08b13fa071a959cf305d4db5ee5d17d69c2c32 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 15 Apr 2020 23:22:13 +0200 Subject: somewhat unified write_to_testcase --- include/debug.h | 3 --- include/forkserver.h | 3 +++ src/afl-forkserver.c | 56 +++++++++++++++++++++++++++++++++++++++++++++-- src/afl-fuzz-run.c | 37 ++++--------------------------- src/afl-showmap.c | 55 ++++++++++++++++------------------------------ src/afl-tmin.c | 61 +++++++++++++--------------------------------------- 6 files changed, 95 insertions(+), 120 deletions(-) (limited to 'src') diff --git a/include/debug.h b/include/debug.h index 8824ff6b..890e8d70 100644 --- a/include/debug.h +++ b/include/debug.h @@ -29,12 +29,9 @@ #include "config.h" /* __FUNCTION__ is non-iso */ -#ifndef __FUNCTION__ #ifdef __func__ #define __FUNCTION__ __func__ #else -#define __FUNCTION__ "func_unknown" -#endif #endif /******************* diff --git a/include/forkserver.h b/include/forkserver.h index f24393bc..eb1f3ae4 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -51,6 +51,8 @@ typedef struct afl_forkserver { fsrv_ctl_fd, /* Fork server control pipe (write) */ fsrv_st_fd; /* Fork server status pipe (read) */ + u8 no_unlink; /* do not unlink cur_input */ + u32 exec_tmout; /* Configurable exec timeout (ms) */ u32 map_size; /* map size used by the target */ u32 snapshot; /* is snapshot feature used */ @@ -97,6 +99,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv); void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output); +void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len); fsrv_run_result_t afl_fsrv_run_target( afl_forkserver_t *fsrv, u32 timeout, void(classify_counts_func)(afl_forkserver_t *fsrv), diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 89480b07..cee23024 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -8,7 +8,9 @@ Now maintained by Marc Heuse , Heiko Eißfeldt and - Andrea Fioraldi + Andrea Fioraldi and + Dominik Maier + Copyright 2016, 2017 Google Inc. All rights reserved. Copyright 2019-2020 AFLplusplus Project. All rights reserved. @@ -38,10 +40,12 @@ #include #include #include +#include #include #include #include #include +#include /** * The correct fds for reading and writing pipes @@ -64,15 +68,20 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { // this structure needs default so we initialize it if this was not done // already - fsrv->use_stdin = 1; fsrv->out_fd = -1; fsrv->out_dir_fd = -1; fsrv->dev_null_fd = -1; #ifndef HAVE_ARC4RANDOM fsrv->dev_urandom_fd = -1; #endif + /* Settings */ + fsrv->use_stdin = 1; + fsrv->no_unlink = 0; fsrv->exec_tmout = EXEC_TIMEOUT; fsrv->mem_limit = MEM_LIMIT; + fsrv->out_file = NULL; + + /* exec related stuff */ fsrv->child_pid = -1; fsrv->map_size = MAP_SIZE; fsrv->use_fauxsrv = 0; @@ -103,6 +112,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->child_pid = -1; fsrv_to->use_fauxsrv = 0; fsrv_to->last_run_timed_out = 0; + fsrv_to->out_file = NULL; fsrv_to->init_child_func = fsrv_exec_child; @@ -640,6 +650,48 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) { } +/* Delete the current testcase and write the buf to the testcase file */ + +void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { + + s32 fd = fsrv->out_fd; + + if (fsrv->out_file) { + + if (fsrv->no_unlink) { + + fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_TRUNC, 0600); + + } else { + + unlink(fsrv->out_file); /* Ignore errors. */ + fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); + + } + + if (fd < 0) PFATAL("Unable to create '%s'", fsrv->out_file); + + } else { + + lseek(fd, 0, SEEK_SET); + + } + + ck_write(fd, buf, len, fsrv->out_file); + + if (!fsrv->out_file) { + + if (ftruncate(fd, len)) PFATAL("ftruncate() failed"); + lseek(fd, 0, SEEK_SET); + + } else { + + close(fd); + + } + +} + /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */ diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index c27ee30c..4aec01f0 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -6,7 +6,8 @@ Now maintained by Marc Heuse , Heiko Eißfeldt and - Andrea Fioraldi + Andrea Fioraldi and + Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. Copyright 2019-2020 AFLplusplus Project. All rights reserved. @@ -45,8 +46,6 @@ fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv, void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { - s32 fd = afl->fsrv.out_fd; - #ifdef _AFL_DOCUMENT_MUTATIONS s32 doc_fd; char fn[PATH_MAX]; @@ -63,25 +62,6 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { #endif - if (afl->fsrv.out_file) { - - if (afl->no_unlink) { - - fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_TRUNC, 0600); - - } else { - - unlink(afl->fsrv.out_file); /* Ignore errors. */ - fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); - - } - - if (fd < 0) PFATAL("Unable to create '%s'", afl->fsrv.out_file); - - } else - - lseek(fd, 0, SEEK_SET); - if (unlikely(afl->mutator && afl->mutator->afl_custom_pre_save)) { u8 *new_buf = NULL; @@ -93,24 +73,15 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { FATAL("Custom_pre_save failed (ret: %lu)", (long unsigned)new_size); /* everything as planned. use the new data. */ - ck_write(fd, new_buf, new_size, afl->fsrv.out_file); + afl_fsrv_write_to_testcase(&afl->fsrv, new_buf, new_size); } else { /* boring uncustom. */ - ck_write(fd, mem, len, afl->fsrv.out_file); + afl_fsrv_write_to_testcase(&afl->fsrv, mem, len); } - if (!afl->fsrv.out_file) { - - if (ftruncate(fd, len)) PFATAL("ftruncate() failed"); - lseek(fd, 0, SEEK_SET); - - } else - - close(fd); - } /* The same, but with an adjustable gap. Used for trimming. */ diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 2326d469..2a4ab96e 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -8,7 +8,8 @@ Now maintained by Marc Heuse , Heiko Eißfeldt and - Andrea Fioraldi + Andrea Fioraldi and + Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. Copyright 2019-2020 AFLplusplus Project. All rights reserved. @@ -61,7 +62,8 @@ static char *stdin_file; /* stdin file */ -static u8 *in_dir, /* input folder */ +static u8 *in_dir = NULL, /* input folder */ + *out_file = NULL, *at_file = NULL; /* Substitution string for @@ */ static u8 *in_data; /* Input data */ @@ -157,7 +159,7 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { fd = open(outfile, O_WRONLY); - if (fd < 0) PFATAL("Unable to open '%s'", fsrv->out_file); + if (fd < 0) PFATAL("Unable to open '%s'", out_file); } else if (!strcmp(outfile, "-")) { @@ -215,33 +217,12 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { } -/* Write results. */ - -static u32 write_results(afl_forkserver_t *fsrv) { - - return write_results_to_file(fsrv, fsrv->out_file); - -} - -/* Write modified data to file for testing. If use_stdin is clear, the old file - is unlinked and a new one is created. Otherwise, out_fd is rewound and - truncated. */ - -static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { - - lseek(fsrv->out_fd, 0, SEEK_SET); - ck_write(fsrv->out_fd, mem, len, fsrv->out_file); - if (ftruncate(fsrv->out_fd, len)) PFATAL("ftruncate() failed"); - lseek(fsrv->out_fd, 0, SEEK_SET); - -} - /* Execute target application. */ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len) { - write_to_testcase(fsrv, mem, len); + afl_fsrv_write_to_testcase(fsrv, mem, len); if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, &stop_soon) == FSRV_RUN_ERROR) { @@ -632,8 +613,8 @@ int main(int argc, char **argv_orig, char **envp) { case 'o': - if (fsrv->out_file) FATAL("Multiple -o options not supported"); - fsrv->out_file = optarg; + if (out_file) FATAL("Multiple -o options not supported"); + out_file = optarg; break; case 'm': { @@ -780,7 +761,7 @@ int main(int argc, char **argv_orig, char **envp) { } - if (optind == argc || !fsrv->out_file) usage(argv[0]); + if (optind == argc || !out_file) usage(argv[0]); check_environment_vars(envp); @@ -831,7 +812,7 @@ int main(int argc, char **argv_orig, char **envp) { DIR * dir_in, *dir_out; struct dirent *dir_ent; int done = 0; - u8 infile[4096], outfile[4096]; + u8 infile[PATH_MAX], outfile[PATH_MAX]; #if !defined(DT_REG) struct stat statbuf; #endif @@ -841,9 +822,9 @@ int main(int argc, char **argv_orig, char **envp) { if (!(dir_in = opendir(in_dir))) PFATAL("cannot open directory %s", in_dir); - if (!(dir_out = opendir(fsrv->out_file))) - if (mkdir(fsrv->out_file, 0700)) - PFATAL("cannot create output directory %s", fsrv->out_file); + if (!(dir_out = opendir(out_file))) + if (mkdir(out_file, 0700)) + PFATAL("cannot create output directory %s", out_file); u8 *use_dir = "."; @@ -858,7 +839,7 @@ int main(int argc, char **argv_orig, char **envp) { unlink(stdin_file); atexit(at_exit_handler); fsrv->out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600); - if (fsrv->out_fd < 0) PFATAL("Unable to create '%s'", fsrv->out_file); + if (fsrv->out_fd < 0) PFATAL("Unable to create '%s'", out_file); if (arg_offset && argv[arg_offset] != stdin_file) { @@ -897,7 +878,7 @@ int main(int argc, char **argv_orig, char **envp) { if (-1 == stat(infile, &statbuf) || !S_ISREG(statbuf.st_mode)) continue; #endif - snprintf(outfile, sizeof(outfile), "%s/%s", fsrv->out_file, + snprintf(outfile, sizeof(outfile), "%s/%s", out_file, dir_ent->d_name); if (read_file(infile)) { @@ -918,7 +899,9 @@ int main(int argc, char **argv_orig, char **envp) { } else { run_target(fsrv, use_argv); - tcnt = write_results(fsrv); + tcnt = write_results_to_file(fsrv, out_file); + + } @@ -926,7 +909,7 @@ int main(int argc, char **argv_orig, char **envp) { if (!tcnt) FATAL("No instrumentation detected" cRST); OKF("Captured %u tuples (highest value %u, total values %u) in '%s'." cRST, - tcnt, highest, total, fsrv->out_file); + tcnt, highest, total, out_file); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 84e9a498..78ed63e2 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -8,7 +8,8 @@ Now maintained by Marc Heuse , Heiko Eißfeldt and - Andrea Fioraldi + Andrea Fioraldi and + Dominik Maier Copyright 2016, 2017 Google Inc. All rights reserved. Copyright 2019-2020 AFLplusplus Project. All rights reserved. @@ -61,6 +62,7 @@ static u8 *mask_bitmap; /* Mask for trace bits (-B) */ static u8 *in_file, /* Minimizer input test case */ + *out_file, *output_file; /* Minimizer output file */ static u8 *in_data; /* Input data for trimming */ @@ -214,46 +216,13 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) { } -/* Write modified data to file for testing. If use_stdin is clear, the old file - is unlinked and a new one is created. Otherwise, out_fd is rewound and - truncated. */ - -static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) { - - s32 fd = fsrv->out_fd; - - if (!fsrv->use_stdin) { - - unlink(fsrv->out_file); /* Ignore errors. */ - - fd = open(fsrv->out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); - - if (fd < 0) PFATAL("Unable to create '%s'", fsrv->out_file); - - } else - - lseek(fd, 0, SEEK_SET); - - ck_write(fd, mem, len, fsrv->out_file); - - if (fsrv->use_stdin) { - - if (ftruncate(fd, len)) PFATAL("ftruncate() failed"); - lseek(fd, 0, SEEK_SET); - - } else - - close(fd); - -} - /* Execute target application. Returns 0 if the changes are a dud, or 1 if they should be kept. */ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, u8 first_run) { - write_to_testcase(fsrv, mem, len); + afl_fsrv_write_to_testcase(fsrv, mem, len); fsrv_run_result_t ret = afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, &stop_soon); @@ -613,7 +582,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) { fsrv->dev_null_fd = open("/dev/null", O_RDWR); if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null"); - if (!fsrv->out_file) { + if (!out_file) { u8 *use_dir = "."; @@ -624,15 +593,15 @@ static void set_up_environment(afl_forkserver_t *fsrv) { } - fsrv->out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); + out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); } - unlink(fsrv->out_file); + unlink(out_file); - fsrv->out_fd = open(fsrv->out_file, O_RDWR | O_CREAT | O_EXCL, 0600); + fsrv->out_fd = open(out_file, O_RDWR | O_CREAT | O_EXCL, 0600); - if (fsrv->out_fd < 0) PFATAL("Unable to create '%s'", fsrv->out_file); + if (fsrv->out_fd < 0) PFATAL("Unable to create '%s'", out_file); /* Set sane defaults... */ @@ -888,9 +857,9 @@ int main(int argc, char **argv_orig, char **envp) { case 'f': - if (fsrv->out_file) FATAL("Multiple -f options not supported"); + if (out_file) FATAL("Multiple -f options not supported"); fsrv->use_stdin = 0; - fsrv->out_file = optarg; + out_file = optarg; break; case 'e': @@ -1035,7 +1004,7 @@ int main(int argc, char **argv_orig, char **envp) { set_up_environment(fsrv); find_binary(fsrv, argv[optind]); - detect_file_args(argv + optind, fsrv->out_file, &fsrv->use_stdin); + detect_file_args(argv + optind, out_file, &fsrv->use_stdin); if (fsrv->qemu_mode) { @@ -1105,9 +1074,9 @@ int main(int argc, char **argv_orig, char **envp) { ACTF("Writing output to '%s'...", output_file); - unlink(fsrv->out_file); - if (fsrv->out_file) ck_free(fsrv->out_file); - fsrv->out_file = NULL; + unlink(out_file); + if (out_file) ck_free(out_file); + out_file = NULL; close(write_to_file(output_file, in_data, in_len)); -- cgit 1.4.1 From f3789801f2ea8fd4914c1f9a6d802140cdf13c84 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 16 Apr 2020 12:09:33 +0200 Subject: little has_new_bits improvement --- src/afl-fuzz-bitmap.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 852e3a7c..7be44fd5 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -88,7 +88,8 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { u32 i = (afl->fsrv.map_size >> 2); #endif /* ^WORD_SIZE_64 */ - if (i == 0) i = 1; + // the map size must be a minimum of 8 bytes. + // for variable/dynamic map sizes this is ensured in the forkserver u8 ret = 0; @@ -98,6 +99,7 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { that have not been already cleared from the virgin map - since this will almost always be the case. */ + // the (*current) is unnecessary but speeds up the overall comparison if (unlikely(*current) && unlikely(*current & *virgin)) { if (likely(ret < 2)) { @@ -110,7 +112,7 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { #ifdef WORD_SIZE_64 - if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + if (*virgin == 0xffffffffffffffff || (cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff) || (cur[4] && vir[4] == 0xff) || (cur[5] && vir[5] == 0xff) || (cur[6] && vir[6] == 0xff) || (cur[7] && vir[7] == 0xff)) @@ -120,7 +122,7 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { #else - if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + if (*virgin == 0xffffffff || (cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) ret = 2; else @@ -139,7 +141,7 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { } - if (unlikely(ret) && unlikely(virgin_map == afl->virgin_bits)) + if (unlikely(ret) && likely(virgin_map == afl->virgin_bits)) afl->bitmap_changed = 1; return ret; -- cgit 1.4.1 From b420ccdbf8eba5875e5a0b6a6a9941564dee81bb Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 14:42:30 +0200 Subject: fixed timeout flag to u32 --- include/forkserver.h | 2 +- src/afl-forkserver.c | 18 +++++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index eb1f3ae4..60ec0344 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -65,7 +65,7 @@ typedef struct afl_forkserver { FILE *plot_file; /* Gnuplot output file */ - u8 last_run_timed_out; /* Traced process timed out? */ + u32 last_run_timed_out; /* Traced process timed out? */ u8 last_kill_signal; /* Signal that killed the child */ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index cee23024..5727c7f2 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -395,7 +395,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) { - if (!be_quiet) + if (!be_quiet && getenv("AFL_DEBUG")) ACTF("Extended forkserver functions received (%08x).", status); if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) { @@ -408,13 +408,16 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_MAPSIZE) == FS_OPT_MAPSIZE) { fsrv->map_size = FS_OPT_GET_MAPSIZE(status); - if (fsrv->map_size % 8) // should not happen + if (unlikely(fsrv->map_size % 8)) { + // should not happen + WARNF("Target reported non-aligned map size of %ud", fsrv->map_size); fsrv->map_size = (((fsrv->map_size + 8) >> 3) << 3); + } if (!be_quiet) ACTF("Target map size: %u", fsrv->map_size); if (fsrv->map_size > MAP_SIZE) FATAL( "Target's coverage map size of %u is larger than the one this " - "afl++ is compiled with (%u)\n", + "afl++ is compiled with (%u) (change MAP_SIZE and recompile)\n", fsrv->map_size, MAP_SIZE); } @@ -444,7 +447,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, u32 len = status, offset = 0, count = 0; u8 *dict = ck_alloc(len); if (dict == NULL) - FATAL("Could not allocate %u bytes of autodictionary memmory", len); + FATAL("Could not allocate %u bytes of autodictionary memory", len); while (len != 0) { @@ -727,7 +730,7 @@ fsrv_run_result_t afl_fsrv_run_target( if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) { - if (stop_soon_p) return 0; + if (*stop_soon_p) return 0; RPFATAL(res, "Unable to request new process from fork server (OOM?)"); } @@ -784,7 +787,7 @@ fsrv_run_result_t afl_fsrv_run_target( behave very normally and do not have to be treated as volatile. */ MEM_BARRIER(); - u32 tb4 = *(u32 *)fsrv->trace_bits; + //u32 tb4 = *(u32 *)fsrv->trace_bits; if (likely(classify_counts_func)) classify_counts_func(fsrv); @@ -811,7 +814,8 @@ fsrv_run_result_t afl_fsrv_run_target( } - if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR; + // Fauxserver should handle this now. + // if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR; return FSRV_RUN_OK; -- cgit 1.4.1 From 124665b392aa081807c8fa19948937a07de6053b Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 14:47:08 +0200 Subject: code-format --- llvm_mode/afl-clang-fast.c | 8 ++++---- src/afl-forkserver.c | 7 +++++-- src/afl-fuzz-bitmap.c | 14 ++++++++------ src/afl-fuzz-run.c | 2 +- src/afl-showmap.c | 8 ++------ src/afl-tmin.c | 3 +-- 6 files changed, 21 insertions(+), 21 deletions(-) (limited to 'src') diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 84ebeb9a..c0471033 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -223,10 +223,10 @@ static void edit_params(u32 argc, char **argv, char **envp) { } - if ((!(getenv("AFL_LLVM_LTO_AUTODICTIONARY") // disabled when autodictionary - && instrument_mode != INSTRUMENT_LTO)) // and lto_mode is used - && (getenv("LAF_TRANSFORM_COMPARES") || - getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES"))) { + if ((!(getenv("AFL_LLVM_LTO_AUTODICTIONARY") // disabled when autodictionary + && instrument_mode != INSTRUMENT_LTO)) // and lto_mode is used + && (getenv("LAF_TRANSFORM_COMPARES") || + getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES"))) { cc_params[cc_par_cnt++] = "-Xclang"; cc_params[cc_par_cnt++] = "-load"; diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 5727c7f2..5cd000d7 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -408,11 +408,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_MAPSIZE) == FS_OPT_MAPSIZE) { fsrv->map_size = FS_OPT_GET_MAPSIZE(status); - if (unlikely(fsrv->map_size % 8)) { + if (unlikely(fsrv->map_size % 8)) { + // should not happen WARNF("Target reported non-aligned map size of %ud", fsrv->map_size); fsrv->map_size = (((fsrv->map_size + 8) >> 3) << 3); + } + if (!be_quiet) ACTF("Target map size: %u", fsrv->map_size); if (fsrv->map_size > MAP_SIZE) FATAL( @@ -787,7 +790,7 @@ fsrv_run_result_t afl_fsrv_run_target( behave very normally and do not have to be treated as volatile. */ MEM_BARRIER(); - //u32 tb4 = *(u32 *)fsrv->trace_bits; + // u32 tb4 = *(u32 *)fsrv->trace_bits; if (likely(classify_counts_func)) classify_counts_func(fsrv); diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 7be44fd5..92966c8c 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -112,18 +112,20 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) { #ifdef WORD_SIZE_64 - if (*virgin == 0xffffffffffffffff || (cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || - (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff) || - (cur[4] && vir[4] == 0xff) || (cur[5] && vir[5] == 0xff) || - (cur[6] && vir[6] == 0xff) || (cur[7] && vir[7] == 0xff)) + if (*virgin == 0xffffffffffffffff || (cur[0] && vir[0] == 0xff) || + (cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) || + (cur[3] && vir[3] == 0xff) || (cur[4] && vir[4] == 0xff) || + (cur[5] && vir[5] == 0xff) || (cur[6] && vir[6] == 0xff) || + (cur[7] && vir[7] == 0xff)) ret = 2; else ret = 1; #else - if (*virgin == 0xffffffff || (cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || - (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) + if (*virgin == 0xffffffff || (cur[0] && vir[0] == 0xff) || + (cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) || + (cur[3] && vir[3] == 0xff)) ret = 2; else ret = 1; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 4aec01f0..3933acd8 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -50,7 +50,7 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) { s32 doc_fd; char fn[PATH_MAX]; snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir, - afl->document_counter++, describe_op(afl, 0)); + afl->document_counter++, describe_op(afl, 0)); if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) { diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 2a4ab96e..48436c34 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -63,8 +63,7 @@ static char *stdin_file; /* stdin file */ static u8 *in_dir = NULL, /* input folder */ - *out_file = NULL, - *at_file = NULL; /* Substitution string for @@ */ + *out_file = NULL, *at_file = NULL; /* Substitution string for @@ */ static u8 *in_data; /* Input data */ @@ -878,8 +877,7 @@ int main(int argc, char **argv_orig, char **envp) { if (-1 == stat(infile, &statbuf) || !S_ISREG(statbuf.st_mode)) continue; #endif - snprintf(outfile, sizeof(outfile), "%s/%s", out_file, - dir_ent->d_name); + snprintf(outfile, sizeof(outfile), "%s/%s", out_file, dir_ent->d_name); if (read_file(infile)) { @@ -901,8 +899,6 @@ int main(int argc, char **argv_orig, char **envp) { run_target(fsrv, use_argv); tcnt = write_results_to_file(fsrv, out_file); - - } if (!quiet_mode) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 78ed63e2..cb53f56f 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -62,8 +62,7 @@ static u8 *mask_bitmap; /* Mask for trace bits (-B) */ static u8 *in_file, /* Minimizer input test case */ - *out_file, - *output_file; /* Minimizer output file */ + *out_file, *output_file; /* Minimizer output file */ static u8 *in_data; /* Input data for trimming */ -- cgit 1.4.1 From 19ce862810e504494af8e92717b57ca15cb2480b Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 15:21:34 +0200 Subject: decoupled run and classify --- include/forkserver.h | 11 +++++------ src/afl-forkserver.c | 9 ++------- src/afl-fuzz-run.c | 5 ++++- src/afl-showmap.c | 6 ++++-- src/afl-tmin.c | 9 ++++----- 5 files changed, 19 insertions(+), 21 deletions(-) (limited to 'src') diff --git a/include/forkserver.h b/include/forkserver.h index 60ec0344..ac89b681 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -65,6 +65,7 @@ typedef struct afl_forkserver { FILE *plot_file; /* Gnuplot output file */ + /* Note: lat_run_timed_out is u32 to send it to the child as 4 byte array */ u32 last_run_timed_out; /* Traced process timed out? */ u8 last_kill_signal; /* Signal that killed the child */ @@ -100,12 +101,10 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from); void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, volatile u8 *stop_soon_p, u8 debug_child_output); void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len); -fsrv_run_result_t afl_fsrv_run_target( - afl_forkserver_t *fsrv, u32 timeout, - void(classify_counts_func)(afl_forkserver_t *fsrv), - volatile u8 *stop_soon_p); -void afl_fsrv_killall(void); -void afl_fsrv_deinit(afl_forkserver_t *fsrv); +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, + volatile u8 *stop_soon_p); +void afl_fsrv_killall(void); +void afl_fsrv_deinit(afl_forkserver_t *fsrv); #ifdef __APPLE__ #define MSG_FORK_ON_APPLE \ diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 5cd000d7..6e1dfbba 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -701,10 +701,8 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) { /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */ -fsrv_run_result_t afl_fsrv_run_target( - afl_forkserver_t *fsrv, u32 timeout, - void(classify_counts_func)(afl_forkserver_t *fsrv), - volatile u8 *stop_soon_p) { +fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout, + volatile u8 *stop_soon_p) { s32 res; u32 exec_ms; @@ -790,9 +788,6 @@ fsrv_run_result_t afl_fsrv_run_target( behave very normally and do not have to be treated as volatile. */ MEM_BARRIER(); - // u32 tb4 = *(u32 *)fsrv->trace_bits; - - if (likely(classify_counts_func)) classify_counts_func(fsrv); /* Report outcome to caller. */ diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 3933acd8..594a9390 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -36,7 +36,10 @@ fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { - return afl_fsrv_run_target(fsrv, timeout, classify_counts, &afl->stop_soon); + fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon); + // TODO: Don't classify for faults? + classify_counts(fsrv); + return res; } diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 48436c34..97f377f3 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -223,13 +223,15 @@ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, afl_fsrv_write_to_testcase(fsrv, mem, len); - if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, - &stop_soon) == FSRV_RUN_ERROR) { + if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon) == + FSRV_RUN_ERROR) { FATAL("Error running target"); } + classify_counts(fsrv); + if (stop_soon) { SAYF(cRST cLRD "\n+++ afl-showmap folder mode aborted by user +++\n" cRST); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index cb53f56f..3330561b 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -121,8 +121,6 @@ static void apply_mask(u32 *mem, u32 *mask) { static void classify_counts(afl_forkserver_t *fsrv) { - if (hang_mode) return; /* We only want hangs */ - u8 *mem = fsrv->trace_bits; u32 i = MAP_SIZE; @@ -146,8 +144,6 @@ static void classify_counts(afl_forkserver_t *fsrv) { } - apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap); - } /* See if any bytes are set in the bitmap. */ @@ -224,7 +220,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, afl_fsrv_write_to_testcase(fsrv, mem, len); fsrv_run_result_t ret = - afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, &stop_soon); + afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon); if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child"); @@ -250,6 +246,9 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, } + classify_counts(fsrv); + apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap); + if (ret == FSRV_RUN_TMOUT) { missed_hangs++; -- cgit 1.4.1 From b10007a7b5bcc231c98f9150b073daf3f1b18c95 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 15:32:04 +0200 Subject: renamed duplicated func names --- include/afl-fuzz.h | 2 +- include/debug.h | 1 - src/afl-analyze.c | 12 ++++++------ src/afl-fuzz-bitmap.c | 2 +- src/afl-fuzz-cmplog.c | 2 +- src/afl-fuzz-mutators.c | 2 +- src/afl-fuzz-run.c | 10 +++++----- src/afl-showmap.c | 10 +++++----- src/afl-tmin.c | 12 ++++++------ 9 files changed, 26 insertions(+), 27 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 7c6019e6..c92b002e 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -873,7 +873,7 @@ void show_init_stats(afl_state_t *); /* Run */ -fsrv_run_result_t run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); +fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32); void write_to_testcase(afl_state_t *, void *, u32); u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8); void sync_fuzzers(afl_state_t *); diff --git a/include/debug.h b/include/debug.h index 890e8d70..4cce56b5 100644 --- a/include/debug.h +++ b/include/debug.h @@ -31,7 +31,6 @@ /* __FUNCTION__ is non-iso */ #ifdef __func__ #define __FUNCTION__ __func__ -#else #endif /******************* diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 952786b0..f2a54a20 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -209,7 +209,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) { /* Execute target application. Returns exec checksum, or 0 if program times out. */ -static u32 run_target(char **argv, u8 *mem, u32 len, u8 first_run) { +static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { static struct itimerval it; int status = 0; @@ -560,16 +560,16 @@ static void analyze(char **argv) { code. */ in_data[i] ^= 0xff; - xor_ff = run_target(argv, in_data, in_len, 0); + xor_ff = analyze_run_target(argv, in_data, in_len, 0); in_data[i] ^= 0xfe; - xor_01 = run_target(argv, in_data, in_len, 0); + xor_01 = analyze_run_target(argv, in_data, in_len, 0); in_data[i] = (in_data[i] ^ 0x01) - 0x10; - sub_10 = run_target(argv, in_data, in_len, 0); + sub_10 = analyze_run_target(argv, in_data, in_len, 0); in_data[i] += 0x20; - add_10 = run_target(argv, in_data, in_len, 0); + add_10 = analyze_run_target(argv, in_data, in_len, 0); in_data[i] -= 0x10; /* Classify current behavior. */ @@ -1020,7 +1020,7 @@ int main(int argc, char **argv, char **envp) { ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", mem_limit, exec_tmout, edges_only ? ", edges only" : ""); - run_target(use_argv, in_data, in_len, 1); + analyze_run_target(use_argv, in_data, in_len, 1); if (child_timed_out) FATAL("Target binary times out (adjusting -t may help)."); diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 92966c8c..6042b4b8 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -653,7 +653,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) { u8 new_fault; write_to_testcase(afl, mem, len); - new_fault = run_target(afl, &afl->fsrv, afl->hang_tmout); + new_fault = fuzz_run_target(afl, &afl->fsrv, afl->hang_tmout); /* A corner case that one user reported bumping into: increasing the timeout actually uncovers a crash. Make sure we don't discard it if diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c index ab93d838..12c814ba 100644 --- a/src/afl-fuzz-cmplog.c +++ b/src/afl-fuzz-cmplog.c @@ -62,7 +62,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { write_to_testcase(afl, out_buf, len); - fault = run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); + fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout); if (afl->stop_soon) return 1; diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index 7bf23e84..a7d67569 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -239,7 +239,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { write_to_testcase(afl, retbuf, retlen); - fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); + fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; } diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 594a9390..6ad6444a 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -33,7 +33,7 @@ /* Execute target application, monitoring for timeouts. Return status information. The called program will update afl->fsrv->trace_bits. */ -fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv, +fsrv_run_result_t fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) { fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon); @@ -191,7 +191,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, write_to_testcase(afl, use_mem, q->len); - fault = run_target(afl, &afl->fsrv, use_tmout); + fault = fuzz_run_target(afl, &afl->fsrv, use_tmout); /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed, we want to bail out quickly. */ @@ -409,7 +409,7 @@ void sync_fuzzers(afl_state_t *afl) { write_to_testcase(afl, mem, st.st_size); - fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); + fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); if (afl->stop_soon) goto close_sync; @@ -496,7 +496,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) { write_with_gap(afl, in_buf, q->len, remove_pos, trim_avail); - fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); + fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); ++afl->trim_execs; if (afl->stop_soon || fault == FSRV_RUN_ERROR) goto abort_trimming; @@ -603,7 +603,7 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) { write_to_testcase(afl, out_buf, len); - fault = run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); + fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout); if (afl->stop_soon) return 1; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 97f377f3..55f7d438 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -218,7 +218,7 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { /* Execute target application. */ -void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, +static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len) { afl_fsrv_write_to_testcase(fsrv, mem, len); @@ -243,7 +243,7 @@ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, /* Read initial file. */ -u32 read_file(u8 *in_file) { +static u32 read_file(u8 *in_file) { struct stat st; s32 fd = open(in_file, O_RDONLY); @@ -268,7 +268,7 @@ u32 read_file(u8 *in_file) { /* Execute target application. */ -static void run_target(afl_forkserver_t *fsrv, char **argv) { +static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { static struct itimerval it; int status = 0; @@ -883,7 +883,7 @@ int main(int argc, char **argv_orig, char **envp) { if (read_file(infile)) { - run_target_forkserver(fsrv, use_argv, in_data, in_len); + showmap_run_target_forkserver(fsrv, use_argv, in_data, in_len); ck_free(in_data); tcnt = write_results_to_file(fsrv, outfile); @@ -898,7 +898,7 @@ int main(int argc, char **argv_orig, char **envp) { } else { - run_target(fsrv, use_argv); + showmap_run_target(fsrv, use_argv); tcnt = write_results_to_file(fsrv, out_file); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 3330561b..409bf01d 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -214,7 +214,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) { /* Execute target application. Returns 0 if the changes are a dud, or 1 if they should be kept. */ -static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, +static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, u8 first_run) { afl_fsrv_write_to_testcase(fsrv, mem, len); @@ -336,7 +336,7 @@ static void minimize(afl_forkserver_t *fsrv, char **argv) { memset(tmp_buf + set_pos, '0', use_len); u8 res; - res = run_target(fsrv, argv, tmp_buf, in_len, 0); + res = tmin_run_target(fsrv, argv, tmp_buf, in_len, 0); if (res) { @@ -409,7 +409,7 @@ next_del_blksize: /* Tail */ memcpy(tmp_buf + del_pos, in_data + del_pos + del_len, tail_len); - res = run_target(fsrv, argv, tmp_buf, del_pos + tail_len, 0); + res = tmin_run_target(fsrv, argv, tmp_buf, del_pos + tail_len, 0); if (res) { @@ -472,7 +472,7 @@ next_del_blksize: for (r = 0; r < in_len; r++) if (tmp_buf[r] == i) tmp_buf[r] = '0'; - res = run_target(fsrv, argv, tmp_buf, in_len, 0); + res = tmin_run_target(fsrv, argv, tmp_buf, in_len, 0); if (res) { @@ -508,7 +508,7 @@ next_del_blksize: if (orig == '0') continue; tmp_buf[i] = '0'; - res = run_target(fsrv, argv, tmp_buf, in_len, 0); + res = tmin_run_target(fsrv, argv, tmp_buf, in_len, 0); if (res) { @@ -1036,7 +1036,7 @@ int main(int argc, char **argv_orig, char **envp) { ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); - run_target(fsrv, use_argv, in_data, in_len, 1); + tmin_run_target(fsrv, use_argv, in_data, in_len, 1); if (hang_mode && !fsrv->last_run_timed_out) FATAL( -- cgit 1.4.1 From 8511638afb1c51de37383ba2d86ed0b2a4a09415 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 15:38:43 +0200 Subject: hunting non-static functions --- GNUmakefile | 2 +- include/afl-fuzz.h | 1 + src/afl-fuzz-one.c | 4 ++-- src/afl-fuzz-python.c | 2 +- src/afl-fuzz-redqueen.c | 4 ++-- 5 files changed, 7 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/GNUmakefile b/GNUmakefile index 74a290e6..5657f9a7 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -69,7 +69,7 @@ ifneq "$(shell uname -m)" "x86_64" endif CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT) -override CFLAGS += -Wall -g -Wno-pointer-sign \ +override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations \ -I include/ -Werror -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index c92b002e..57ef5d58 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -808,6 +808,7 @@ u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf); /* Python */ #ifdef USE_PYTHON +void load_custom_mutator_py(afl_state_t *, char *); void finalize_py_module(void *); size_t pre_save_py(void *, u8 *, size_t, u8 **); diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index cc97654a..a4ba739e 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -27,7 +27,7 @@ /* MOpt */ -int select_algorithm(afl_state_t *afl) { +static int select_algorithm(afl_state_t *afl) { int i_puppet, j_puppet; @@ -2366,7 +2366,7 @@ abandon_entry: } /* MOpt mode */ -u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { +static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) { if (!MOpt_globals.is_pilot_mode) { diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 12c3a09d..33f01797 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -41,7 +41,7 @@ it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ (void **)&((py_mutator_t *)py_mutator)->name##_buf, \ &((py_mutator_t *)py_mutator)->name##_size -size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, +static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, u8 *add_buf, size_t add_buf_size, size_t max_size) { size_t mutated_size; diff --git a/src/afl-fuzz-redqueen.c b/src/afl-fuzz-redqueen.c index 6f2fb144..3e9af088 100644 --- a/src/afl-fuzz-redqueen.c +++ b/src/afl-fuzz-redqueen.c @@ -37,7 +37,7 @@ struct range { }; -struct range *add_range(struct range *ranges, u32 start, u32 end) { +static struct range *add_range(struct range *ranges, u32 start, u32 end) { struct range *r = ck_alloc_nozero(sizeof(struct range)); r->start = start; @@ -47,7 +47,7 @@ struct range *add_range(struct range *ranges, u32 start, u32 end) { } -struct range *pop_biggest_range(struct range **ranges) { +static struct range *pop_biggest_range(struct range **ranges) { struct range *r = *ranges; struct range *prev = NULL; -- cgit 1.4.1 From 1ee224652cb736286053ff3e7c7f52247b570dc1 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 16:05:39 +0200 Subject: libradamsa fix --- src/afl-fuzz-mutators.c | 3 --- src/third_party/libradamsa/libradamsa.c | 4 +++- src/third_party/libradamsa/radamsa.h | 6 +++--- 3 files changed, 6 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/afl-fuzz-mutators.c b/src/afl-fuzz-mutators.c index a7d67569..434b4673 100644 --- a/src/afl-fuzz-mutators.c +++ b/src/afl-fuzz-mutators.c @@ -27,9 +27,6 @@ #include "afl-fuzz.h" void load_custom_mutator(afl_state_t *, const char *); -#ifdef USE_PYTHON -void load_custom_mutator_py(afl_state_t *, char *); -#endif void setup_custom_mutator(afl_state_t *afl) { diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index 27cf91bc..7fb5ea6d 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -1841,6 +1841,8 @@ static const unsigned char heap[] = {2,3,4,105,111,116,97,2,3,7,112,97,116,116,1 #include #include +#include "./radamsa.h" + #ifndef EMULTIHOP #define EMULTIHOP -1 #endif @@ -30757,7 +30759,7 @@ static void setup(int nwords, int nobjs) { memend = memstart + nwords - MEMPAD; } -int secondary(int nargs, char **argv) { +static int secondary(int nargs, char **argv) { word *prog; int rval, nobjs=0, nwords=0; find_heap(&nargs, &argv, &nobjs, &nwords); diff --git a/src/third_party/libradamsa/radamsa.h b/src/third_party/libradamsa/radamsa.h index 33cccde4..073599da 100644 --- a/src/third_party/libradamsa/radamsa.h +++ b/src/third_party/libradamsa/radamsa.h @@ -1,13 +1,13 @@ #include #include -extern void radamsa_init(void); +void radamsa_init(void); -extern size_t radamsa(uint8_t *ptr, size_t len, +size_t radamsa(uint8_t *ptr, size_t len, uint8_t *target, size_t max, unsigned int seed); -extern size_t radamsa_inplace(uint8_t *ptr, +size_t radamsa_inplace(uint8_t *ptr, size_t len, size_t max, unsigned int seed); -- cgit 1.4.1 From ede3545d8bf9b29e6dbf590ba9986be1472faed3 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 16:25:02 +0200 Subject: missing-decls reremoved --- GNUmakefile | 3 ++- src/third_party/libradamsa/libradamsa.c | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/GNUmakefile b/GNUmakefile index 5657f9a7..2a76fd85 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -69,9 +69,10 @@ ifneq "$(shell uname -m)" "x86_64" endif CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT) -override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations \ +override CFLAGS += -Wall -g -Wno-pointer-sign \ -I include/ -Werror -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" +# -Wmissing-declarations AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c) diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index 7fb5ea6d..b40e5670 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -30789,7 +30789,7 @@ void radamsa_init(void) { } /* bvec → value library call test with preserved state */ -word library_call(word val) { +static word library_call(word val) { word program_state = state; word res; state = IFALSE; @@ -30800,7 +30800,7 @@ word library_call(word val) { return res; } -size_t list_length(word lispval) { +static size_t list_length(word lispval) { size_t l = 0; while(lispval != INULL) { lispval = G(lispval, 2); @@ -30809,7 +30809,7 @@ size_t list_length(word lispval) { return l; } -size_t copy_list(uint8_t *ptr, word lispval, size_t max) { +static size_t copy_list(uint8_t *ptr, word lispval, size_t max) { size_t n = 0; while(pairp((word)lispval) && max-- && lispval != INULL) { *ptr++ = 255 & immval(G(lispval, 1)); // *ptr++ = car(list) -- cgit 1.4.1 From 94187837c799bd712e68890b4466abb6f52079ad Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 16:37:33 +0200 Subject: removed unused functions --- GNUmakefile | 3 +-- src/third_party/libradamsa/libradamsa.c | 5 ++++- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/GNUmakefile b/GNUmakefile index 2a76fd85..11dfa803 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -69,10 +69,9 @@ ifneq "$(shell uname -m)" "x86_64" endif CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT) -override CFLAGS += -Wall -g -Wno-pointer-sign \ +override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations\ -I include/ -Werror -DAFL_PATH=\"$(HELPER_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" -# -Wmissing-declarations AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c) diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index b40e5670..5de597ff 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -30758,7 +30758,7 @@ static void setup(int nwords, int nobjs) { exit(4); memend = memstart + nwords - MEMPAD; } - +/* static int secondary(int nargs, char **argv) { word *prog; int rval, nobjs=0, nwords=0; @@ -30774,6 +30774,7 @@ static int secondary(int nargs, char **argv) { } return 127; } +*/ void radamsa_init(void) { int nobjs=0, nwords=0; @@ -30800,6 +30801,7 @@ static word library_call(word val) { return res; } +/* static size_t list_length(word lispval) { size_t l = 0; while(lispval != INULL) { @@ -30808,6 +30810,7 @@ static size_t list_length(word lispval) { } return l; } +*/ static size_t copy_list(uint8_t *ptr, word lispval, size_t max) { size_t n = 0; -- cgit 1.4.1 From 872d1c1d98f311ab9b2f94773e724ba9c8af5205 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 16:47:53 +0200 Subject: less radamsa --- src/third_party/libradamsa/libradamsa.c | 36 ++++++++++++++++----------------- 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index 5de597ff..7ad4044b 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -30707,23 +30707,23 @@ static void read_heap(const char *path) { } /* find a fasl image source to *hp or exit */ -static void find_heap(int *nargs, char ***argv, int *nobjs, int *nwords) { - file_heap = NULL; - if ((word)heap == 0) { +//static void find_heap(int *nargs, char ***argv, int *nobjs, int *nwords) { +// file_heap = NULL; +// if ((word)heap == 0) { /* if no preloaded heap, try to load it from first vm arg */ - if (*nargs < 2) - exit(1); - read_heap(argv[0][1]); - ++*argv; - --*nargs; - hp = file_heap; - if (*hp == '#') - while (*hp++ != '\n'); - } else { - hp = heap; /* builtin heap */ - } - heap_metrics(nwords, nobjs); -} +// if (*nargs < 2) +// exit(1); +// read_heap(argv[0][1]); +// ++*argv; +// --*nargs; +// hp = file_heap; +// if (*hp == '#') +// while (*hp++ != '\n'); +// } else { +// hp = heap; /* builtin heap */ +// } +// heap_metrics(nwords, nobjs); +//} static word *decode_fasl(uint nobjs) { word *ptrs; @@ -30746,7 +30746,7 @@ static word *load_heap(uint nobjs) { free(file_heap); return entry; } - +/* static void setup(int nwords, int nobjs) { tcgetattr(0, &tsettings); state = IFALSE; @@ -30758,7 +30758,7 @@ static void setup(int nwords, int nobjs) { exit(4); memend = memstart + nwords - MEMPAD; } -/* + static int secondary(int nargs, char **argv) { word *prog; int rval, nobjs=0, nwords=0; -- cgit 1.4.1 From 5e53002303820ef2ab32f411993907c92ef9f0b9 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 16:48:40 +0200 Subject: less radamsa --- src/third_party/libradamsa/libradamsa.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index 7ad4044b..72c8fde6 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -2178,7 +2178,7 @@ static uint llen(word *ptr) { } return len; } - +/* static void set_signal_handler(void) { struct sigaction sa; sa.sa_handler = signal_handler; @@ -2187,7 +2187,7 @@ static void set_signal_handler(void) { sigaction(SIGINT, &sa, NULL); sigaction(SIGPIPE, &sa, NULL); } - +*/ static word mkpair(word h, word a, word d) { word *pair; allocate(3, pair); @@ -30685,7 +30685,7 @@ static void heap_metrics(int *rwords, int *rnobjs) { get_obj_metrics(rwords, rnobjs); hp = hp_start; } - +/* static void read_heap(const char *path) { struct stat st; off_t pos = 0; @@ -30705,6 +30705,7 @@ static void read_heap(const char *path) { } while (n && (pos += n) < st.st_size); close(fd); } +*/ /* find a fasl image source to *hp or exit */ //static void find_heap(int *nargs, char ***argv, int *nobjs, int *nwords) { -- cgit 1.4.1 From 380ff114e9a369c6b366c40a146eed37602d2620 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 16:51:23 +0200 Subject: the least radamsa --- src/third_party/libradamsa/libradamsa.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/third_party/libradamsa/libradamsa.c b/src/third_party/libradamsa/libradamsa.c index 72c8fde6..4f5515e5 100644 --- a/src/third_party/libradamsa/libradamsa.c +++ b/src/third_party/libradamsa/libradamsa.c @@ -2157,17 +2157,17 @@ static word *gc(int size, word *regs) { /*** OS Interaction and Helpers ***/ -static void signal_handler(int signal) { - switch (signal) { - case SIGINT: - breaked |= 2; - break; - case SIGPIPE: - break; /* can cause loop when reporting errors */ - default: - breaked |= 4; - } -} +//static void signal_handler(int signal) { +// switch (signal) { +// case SIGINT: +// breaked |= 2; +// break; +// case SIGPIPE: +// break; /* can cause loop when reporting errors */ +// default: +// breaked |= 4; +// } +//} /* list length, no overflow or valid termination checks */ static uint llen(word *ptr) { -- cgit 1.4.1 From 6940e136296d185391a34b5d829a759ac517594e Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 17:50:08 +0200 Subject: removed redundent funcs --- include/afl-fuzz.h | 1 - include/common.h | 10 +++++++ src/afl-analyze.c | 57 +----------------------------------- src/afl-common.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/afl-fuzz-bitmap.c | 14 --------- src/afl-fuzz.c | 2 +- src/afl-sharedmem.c | 2 +- src/afl-showmap.c | 58 +------------------------------------ src/afl-tmin.c | 74 ++--------------------------------------------- 9 files changed, 96 insertions(+), 202 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 57ef5d58..363776cb 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -836,7 +836,6 @@ u32 calculate_score(afl_state_t *, struct queue_entry *); /* Bitmap */ -void read_bitmap(afl_state_t *, u8 *); void write_bitmap(afl_state_t *); u32 count_bits(afl_state_t *, u8 *); u32 count_bytes(afl_state_t *, u8 *); diff --git a/include/common.h b/include/common.h index 8dd66355..f5ace878 100644 --- a/include/common.h +++ b/include/common.h @@ -51,6 +51,16 @@ char * get_afl_env(char *env); extern u8 be_quiet; extern u8 *doc_path; /* path to documentation dir */ +/* Find binary, used by analyze, showmap, tmin + @returns the path, allocating the string */ + +u8 *find_binary(u8 *fname); + +/* Read a bitmap from file fname to memory + This is for the -B option again. */ + +void read_bitmap(u8 *fname, u8 *map, size_t len); + /* Get unix time in milliseconds */ u64 get_cur_time(void); diff --git a/src/afl-analyze.c b/src/afl-analyze.c index f2a54a20..fa58ca81 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -805,61 +805,6 @@ static void usage(u8 *argv0) { } -/* Find binary. */ - -static void find_binary(u8 *fname) { - - u8 * env_path = 0; - struct stat st; - - if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - - target_path = ck_strdup(fname); - - if (stat(target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || st.st_size < 4) - FATAL("Program '%s' not found or not executable", fname); - - } else { - - while (env_path) { - - u8 *cur_elem, *delim = strchr(env_path, ':'); - - if (delim) { - - cur_elem = ck_alloc(delim - env_path + 1); - memcpy(cur_elem, env_path, delim - env_path); - delim++; - - } else - - cur_elem = ck_strdup(env_path); - - env_path = delim; - - if (cur_elem[0]) - target_path = alloc_printf("%s/%s", cur_elem, fname); - else - target_path = ck_strdup(fname); - - ck_free(cur_elem); - - if (!stat(target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && st.st_size >= 4) - break; - - ck_free(target_path); - target_path = 0; - - } - - if (!target_path) FATAL("Program '%s' not found or not executable", fname); - - } - -} - /* Main entry point */ int main(int argc, char **argv, char **envp) { @@ -997,7 +942,7 @@ int main(int argc, char **argv, char **envp) { set_up_environment(); - find_binary(argv[optind]); + target_path = find_binary(argv[optind]); detect_file_args(argv + optind, prog_in, &use_stdin); if (qemu_mode) { diff --git a/src/afl-common.c b/src/afl-common.c index 1ac1a2f3..ffc32533 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -37,6 +37,10 @@ #include #endif #include +#include +#include +#include +#include u8 be_quiet = 0; u8 *doc_path = ""; @@ -353,6 +357,68 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { } +/* Find binary, used by analyze, showmap, tmin + @returns the path, allocating the string */ + +u8 *find_binary(u8 *fname) { + + // TODO: Merge this function with check_binary of afl-fuzz-init.c + + u8 *env_path = NULL; + u8 *target_path = NULL; + + struct stat st; + + if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { + + target_path = ck_strdup(fname); + + if (stat(target_path, &st) || !S_ISREG(st.st_mode) || + !(st.st_mode & 0111) || st.st_size < 4) + FATAL("Program '%s' not found or not executable", fname); + + } else { + + while (env_path) { + + u8 *cur_elem, *delim = strchr(env_path, ':'); + + if (delim) { + + cur_elem = ck_alloc(delim - env_path + 1); + memcpy(cur_elem, env_path, delim - env_path); + delim++; + + } else + + cur_elem = ck_strdup(env_path); + + env_path = delim; + + if (cur_elem[0]) + target_path = alloc_printf("%s/%s", cur_elem, fname); + else + target_path = ck_strdup(fname); + + ck_free(cur_elem); + + if (!stat(target_path, &st) && S_ISREG(st.st_mode) && + (st.st_mode & 0111) && st.st_size >= 4) + break; + + ck_free(target_path); + target_path = NULL; + + } + + if (!target_path) FATAL("Program '%s' not found or not executable", fname); + + } + + return target_path; + +} + void check_environment_vars(char **envp) { if (be_quiet) return; @@ -414,6 +480,20 @@ char *get_afl_env(char *env) { } +/* Read mask bitmap from file. This is for the -B option. */ + +void read_bitmap(u8 *fname, u8 *map, size_t len) { + + s32 fd = open(fname, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", fname); + + ck_read(fd, map, len, fname); + + close(fd); + +} + u64 get_cur_time(void) { struct timeval tv; diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 6042b4b8..be8f504e 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -49,20 +49,6 @@ void write_bitmap(afl_state_t *afl) { } -/* Read bitmap from file. This is for the -B option again. */ - -void read_bitmap(afl_state_t *afl, u8 *fname) { - - s32 fd = open(fname, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", fname); - - ck_read(fd, afl->virgin_bits, MAP_SIZE, fname); - - close(fd); - -} - /* Check if the current execution path brings anything new to the table. Update virgin bits to reflect the finds. Returns 1 if the only change is the hit-count for a particular tuple; 2 if there are new tuples seen. diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9f17b61b..edae7bb1 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -474,7 +474,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->in_bitmap) FATAL("Multiple -B options not supported"); afl->in_bitmap = optarg; - read_bitmap(afl, afl->in_bitmap); + read_bitmap(afl->in_bitmap, afl->virgin_bits, MAP_SIZE); break; case 'C': /* crash mode */ diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 16d6fe41..01ba62aa 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -60,7 +60,7 @@ #include #endif -list_t shm_list = {.element_prealloc_count = 0}; +static list_t shm_list = {.element_prealloc_count = 0}; /* Get rid of shared memory. */ diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 55f7d438..86386df3 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -526,62 +526,6 @@ static void usage(u8 *argv0) { } -/* Find binary. */ - -static void find_binary(afl_forkserver_t *fsrv, u8 *fname) { - - u8 * env_path = 0; - struct stat st; - - if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - - fsrv->target_path = ck_strdup(fname); - - if (stat(fsrv->target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || st.st_size < 4) - FATAL("Program '%s' not found or not executable", fname); - - } else { - - while (env_path) { - - u8 *cur_elem, *delim = strchr(env_path, ':'); - - if (delim) { - - cur_elem = ck_alloc(delim - env_path + 1); - memcpy(cur_elem, env_path, delim - env_path); - delim++; - - } else - - cur_elem = ck_strdup(env_path); - - env_path = delim; - - if (cur_elem[0]) - fsrv->target_path = alloc_printf("%s/%s", cur_elem, fname); - else - fsrv->target_path = ck_strdup(fname); - - ck_free(cur_elem); - - if (!stat(fsrv->target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && st.st_size >= 4) - break; - - ck_free(fsrv->target_path); - fsrv->target_path = NULL; - - } - - if (!fsrv->target_path) - FATAL("Program '%s' not found or not executable", fname); - - } - -} - /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -772,7 +716,7 @@ int main(int argc, char **argv_orig, char **envp) { set_up_environment(fsrv); - find_binary(fsrv, argv[optind]); + fsrv->target_path = find_binary(argv[optind]); if (!quiet_mode) { diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 409bf01d..80692984 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -749,76 +749,6 @@ static void usage(u8 *argv0) { } -/* Find binary. */ - -static void find_binary(afl_forkserver_t *fsrv, u8 *fname) { - - u8 * env_path = 0; - struct stat st; - - if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - - fsrv->target_path = ck_strdup(fname); - - if (stat(fsrv->target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || st.st_size < 4) - FATAL("Program '%s' not found or not executable", fname); - - } else { - - while (env_path) { - - u8 *cur_elem, *delim = strchr(env_path, ':'); - - if (delim) { - - cur_elem = ck_alloc(delim - env_path + 1); - memcpy(cur_elem, env_path, delim - env_path); - delim++; - - } else - - cur_elem = ck_strdup(env_path); - - env_path = delim; - - if (cur_elem[0]) - fsrv->target_path = alloc_printf("%s/%s", cur_elem, fname); - else - fsrv->target_path = ck_strdup(fname); - - ck_free(cur_elem); - - if (!stat(fsrv->target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && st.st_size >= 4) - break; - - ck_free(fsrv->target_path); - fsrv->target_path = NULL; - - } - - if (!fsrv->target_path) - FATAL("Program '%s' not found or not executable", fname); - - } - -} - -/* Read mask bitmap from file. This is for the -B option. */ - -static void read_bitmap(u8 *fname) { - - s32 fd = open(fname, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", fname); - - ck_read(fd, mask_bitmap, MAP_SIZE, fname); - - close(fd); - -} - /* Main entry point */ int main(int argc, char **argv_orig, char **envp) { @@ -977,7 +907,7 @@ int main(int argc, char **argv_orig, char **envp) { if (mask_bitmap) FATAL("Multiple -B options not supported"); mask_bitmap = ck_alloc(MAP_SIZE); - read_bitmap(optarg); + read_bitmap(optarg, mask_bitmap, MAP_SIZE); break; case 'h': @@ -1001,7 +931,7 @@ int main(int argc, char **argv_orig, char **envp) { set_up_environment(fsrv); - find_binary(fsrv, argv[optind]); + fsrv->target_path = find_binary(argv[optind]); detect_file_args(argv + optind, out_file, &fsrv->use_stdin); if (fsrv->qemu_mode) { -- cgit 1.4.1 From 69bd7c16eb3c6095e49d0d7a6dd2f69ea4bb9141 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 19:15:14 +0200 Subject: silence some clang warnings --- src/afl-analyze.c | 2 +- src/afl-fuzz.c | 2 ++ src/afl-showmap.c | 4 ++++ src/afl-tmin.c | 4 ++++ 4 files changed, 11 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index fa58ca81..85118055 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -847,7 +847,7 @@ int main(int argc, char **argv, char **envp) { if (mem_limit_given) FATAL("Multiple -m options not supported"); mem_limit_given = 1; - if (!optarg) { FATAL("Bad syntax used for -m"); } + if (!optarg) { FATAL("Wrong usage of -m"); } if (!strcmp(optarg, "none")) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index edae7bb1..925dbb1a 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -420,6 +420,8 @@ int main(int argc, char **argv_orig, char **envp) { if (mem_limit_given) FATAL("Multiple -m options not supported"); mem_limit_given = 1; + if (!optarg) FATAL("Wrong usage of -m"); + if (!strcmp(optarg, "none")) { afl->fsrv.mem_limit = 0; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 86386df3..61c1754f 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -569,6 +569,8 @@ int main(int argc, char **argv_orig, char **envp) { if (mem_limit_given) FATAL("Multiple -m options not supported"); mem_limit_given = 1; + if (!optarg) FATAL("Wrong usage of -m"); + if (!strcmp(optarg, "none")) { fsrv->mem_limit = 0; @@ -612,6 +614,8 @@ int main(int argc, char **argv_orig, char **envp) { if (timeout_given) FATAL("Multiple -t options not supported"); timeout_given = 1; + if (!optarg) FATAL("Wrong usage of -t"); + if (strcmp(optarg, "none")) { fsrv->exec_tmout = atoi(optarg); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 80692984..431ff0c4 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -811,6 +811,8 @@ int main(int argc, char **argv_orig, char **envp) { if (mem_limit_given) FATAL("Multiple -m options not supported"); mem_limit_given = 1; + if (!optarg) FATAL("Wrong usage of -m"); + if (!strcmp(optarg, "none")) { fsrv->mem_limit = 0; @@ -847,6 +849,8 @@ int main(int argc, char **argv_orig, char **envp) { if (timeout_given) FATAL("Multiple -t options not supported"); timeout_given = 1; + if (!optarg) FATAL("Wrong usage of -t"); + fsrv->exec_tmout = atoi(optarg); if (fsrv->exec_tmout < 10 || optarg[0] == '-') -- cgit 1.4.1 From 35937e62634f69b34c852abb0aaeca546a712f4f Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 16 Apr 2020 19:33:40 +0200 Subject: leak? --- src/afl-analyze.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 85118055..6f946ed5 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -977,6 +977,8 @@ int main(int argc, char **argv, char **envp) { OKF("We're done here. Have a nice day!\n"); + if (target_path) ck_free(target_path); + afl_shm_deinit(&shm); exit(0); -- cgit 1.4.1 From f157bca54858dce131e90f664da2505d43e0f65f Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Thu, 16 Apr 2020 19:53:42 +0200 Subject: fix missing out_fd for cmplog forkserver --- src/afl-forkserver.c | 2 +- test/test.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 89480b07..9c89a723 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -88,6 +88,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) { void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { fsrv_to->use_stdin = from->use_stdin; + fsrv_to->out_fd = from->out_fd; fsrv_to->dev_null_fd = from->dev_null_fd; fsrv_to->exec_tmout = from->exec_tmout; fsrv_to->mem_limit = from->mem_limit; @@ -98,7 +99,6 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) { #endif // These are forkserver specific. - fsrv_to->out_fd = -1; fsrv_to->out_dir_fd = -1; fsrv_to->child_pid = -1; fsrv_to->use_fauxsrv = 0; diff --git a/test/test.sh b/test/test.sh index 4295d36b..9a53825b 100755 --- a/test/test.sh +++ b/test/test.sh @@ -671,7 +671,7 @@ test -e ../afl-qemu-trace && { test -e test-instr -a -e test-compcov && { { mkdir -p in - echo 0 > in/in + echo 00000 > in/in $ECHO "$GREY[*] running afl-fuzz for qemu_mode, this will take approx 10 seconds" { ../afl-fuzz -m ${MEM_LIMIT} -V10 -Q -i in -o out -- ./test-instr >>errors 2>&1 -- cgit 1.4.1 From c961925356bf3388066969b9975b424c4cdae890 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 07:10:42 +0200 Subject: fix plot_data output and code-format --- docs/Changelog.md | 5 ++++- src/afl-fuzz-init.c | 2 ++ src/afl-fuzz-python.c | 2 +- src/afl-fuzz-run.c | 2 +- src/afl-fuzz-stats.c | 31 ++++++++++++++++--------------- src/afl-showmap.c | 4 ++-- src/afl-tmin.c | 2 +- 7 files changed, 27 insertions(+), 21 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index e1e558b7..60d83508 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -19,14 +19,17 @@ sending a mail to . - snapshot feature usage now visible in UI - Now setting "-L -1" will enable MOpt in parallel to normal mutation. Additionally this allows to run dictionaries, radamsa and cmplog. + - fix for cmplog/redqueen mode if stdin was used + - fix for writing a better plot_data file + - qemu_mode: fix for persistent mode - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also static global and local variable comparisons (cannot find all though) - extended forkserver: map_size and more information is communicated to afl-fuzz (and afl-fuzz acts accordingly) - - more refactoring - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed (this bug is in vanilla afl too) - added NO_PYTHON flag to disable python support when building afl-fuzz + - more refactoring ### Version ++2.63c (release): diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 55f7ce53..7131ceed 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1419,6 +1419,8 @@ void setup_dirs_fds(afl_state_t *afl) { "# unix_time, cycles_done, cur_path, paths_total, " "pending_total, pending_favs, map_size, unique_crashes, " "unique_hangs, max_depth, execs_per_sec\n"); + fflush(afl->fsrv.plot_file); + /* ignore errors */ } diff --git a/src/afl-fuzz-python.c b/src/afl-fuzz-python.c index 33f01797..d4519c6d 100644 --- a/src/afl-fuzz-python.c +++ b/src/afl-fuzz-python.c @@ -42,7 +42,7 @@ it just fills in `&py_mutator->something_buf, &py_mutator->something_size`. */ &((py_mutator_t *)py_mutator)->name##_size static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf, - u8 *add_buf, size_t add_buf_size, size_t max_size) { + u8 *add_buf, size_t add_buf_size, size_t max_size) { size_t mutated_size; PyObject *py_args, *py_value; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 6ad6444a..30ba0e65 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -34,7 +34,7 @@ information. The called program will update afl->fsrv->trace_bits. */ fsrv_run_result_t fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, - u32 timeout) { + u32 timeout) { fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon); // TODO: Don't classify for faults? diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 7cc9b920..c507b7f7 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -145,14 +145,15 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) { - if (afl->plot_prev_qp == afl->queued_paths && - afl->plot_prev_pf == afl->pending_favored && - afl->plot_prev_pnf == afl->pending_not_fuzzed && - afl->plot_prev_ce == afl->current_entry && - afl->plot_prev_qc == afl->queue_cycle && - afl->plot_prev_uc == afl->unique_crashes && - afl->plot_prev_uh == afl->unique_hangs && - afl->plot_prev_md == afl->max_depth) + if (unlikely(afl->plot_prev_qp == afl->queued_paths && + afl->plot_prev_pf == afl->pending_favored && + afl->plot_prev_pnf == afl->pending_not_fuzzed && + afl->plot_prev_ce == afl->current_entry && + afl->plot_prev_qc == afl->queue_cycle && + afl->plot_prev_uc == afl->unique_crashes && + afl->plot_prev_uh == afl->unique_hangs && + afl->plot_prev_md == afl->max_depth) || + unlikely(!afl->queue_cycle)) return; afl->plot_prev_qp = afl->queued_paths; @@ -388,9 +389,9 @@ void show_stats(afl_state_t *afl) { /* Lord, forgive me this. */ - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA - " overall results " bSTG bH2 bH2 bRT "\n"); + " overall results " bSTG bH2 bH2 bRT "\n"); if (afl->dumb_mode) { @@ -472,9 +473,9 @@ void show_stats(afl_state_t *afl) { " uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); + " map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); /* This gets funny because we want to print several variable-length variables together, but then cram them into a fixed-width field - so we need to @@ -504,9 +505,9 @@ void show_stats(afl_state_t *afl) { SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); - SAYF(bVR bH bSTOP cCYA + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA - " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); + " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), ((double)afl->queued_favored) * 100 / afl->queued_paths); @@ -580,7 +581,7 @@ void show_stats(afl_state_t *afl) { /* Aaaalmost there... hold on! */ - SAYF(bVR bH cCYA bSTOP + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bVL "\n"); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 61c1754f..f43beb1b 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -218,8 +218,8 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { /* Execute target application. */ -static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem, - u32 len) { +static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, char **argv, + u8 *mem, u32 len) { afl_fsrv_write_to_testcase(fsrv, mem, len); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 431ff0c4..0a462e9a 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -215,7 +215,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) { 1 if they should be kept. */ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len, - u8 first_run) { + u8 first_run) { afl_fsrv_write_to_testcase(fsrv, mem, len); -- cgit 1.4.1 From 16ce55584512274804eadd71b4790be3d1bfbf97 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 07:52:21 +0200 Subject: fixed 2 unimportant leaks --- qemu_mode/build_qemu_support.sh | 1 + src/afl-common.c | 6 +++++- src/afl-showmap.c | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 118f6ebd..3b5378a4 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -233,6 +233,7 @@ if [ "$ORIG_CPU_TARGET" = "" ]; then gcc test-instr.c -o test-instr || exit 1 unset AFL_INST_RATIO + export ASAN_OPTIONS=detect_leaks=0 echo 0 | ./afl-showmap -m none -Q -q -o .test-instr0 ./test-instr || exit 1 echo 1 | ./afl-showmap -m none -Q -q -o .test-instr1 ./test-instr || exit 1 diff --git a/src/afl-common.c b/src/afl-common.c index ffc32533..c9f09d38 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -374,9 +374,13 @@ u8 *find_binary(u8 *fname) { target_path = ck_strdup(fname); if (stat(target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || st.st_size < 4) + !(st.st_mode & 0111) || st.st_size < 4) { + + free(target_path); FATAL("Program '%s' not found or not executable", fname); + } + } else { while (env_path) { diff --git a/src/afl-showmap.c b/src/afl-showmap.c index f43beb1b..21e18061 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -877,6 +877,7 @@ int main(int argc, char **argv_orig, char **envp) { if (stdin_file) ck_free(stdin_file); argv_cpy_free(argv); + if (fsrv->qemu_mode) free(use_argv[2]); exit(ret); -- cgit 1.4.1 From 5b70d23211ddeddfb4d1dfce29a50234d08e9502 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 09:10:49 +0200 Subject: added AFL_MAP_SIZE (wip) --- docs/Changelog.md | 1 + include/afl-fuzz.h | 2 ++ include/config.h | 3 +-- include/forkserver.h | 2 +- src/afl-analyze.c | 22 ++++++++++++++++------ src/afl-common.c | 2 +- src/afl-forkserver.c | 21 +++++++++++++-------- src/afl-fuzz-bitmap.c | 16 +--------------- src/afl-fuzz-init.c | 19 ------------------- src/afl-fuzz-queue.c | 9 +++++---- src/afl-fuzz-state.c | 24 +++++++++++++++++++++++- src/afl-fuzz.c | 12 +++++++----- src/afl-gcc.c | 8 ++++++++ src/afl-showmap.c | 24 ++++++++++++++++++------ src/afl-tmin.c | 27 +++++++++++++++++++-------- 15 files changed, 116 insertions(+), 76 deletions(-) (limited to 'src') diff --git a/docs/Changelog.md b/docs/Changelog.md index 60d83508..3ad80b7b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -26,6 +26,7 @@ sending a mail to . static global and local variable comparisons (cannot find all though) - extended forkserver: map_size and more information is communicated to afl-fuzz (and afl-fuzz acts accordingly) + - new environment variable: AFL_MAP_SIZE to specify the size of the shared map - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed (this bug is in vanilla afl too) - added NO_PYTHON flag to disable python support when building afl-fuzz diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 363776cb..88cacc4f 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -325,6 +325,8 @@ typedef struct afl_env_vars { *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, *afl_preload; + uint32_t map_size; + } afl_env_vars_t; struct afl_pass_stat { diff --git a/include/config.h b/include/config.h index f0274fd3..fae97a42 100644 --- a/include/config.h +++ b/include/config.h @@ -407,8 +407,7 @@ #define FS_OPT_SNAPSHOT 0x20000000 #define FS_OPT_AUTODICT 0x10000000 #define FS_OPT_GET_MAPSIZE(x) (((x & 0x00fffffe) >> 1) + 1) -#define FS_OPT_SET_MAPSIZE(x) \ - (x <= 1 || x > MAP_SIZE || x > 0x1000000 ? 0 : ((x - 1) << 1)) +#define FS_OPT_SET_MAPSIZE(x) (x <= 1 || x > 0x1000000 ? 0 : ((x - 1) << 1)) #endif /* ! _HAVE_CONFIG_H */ diff --git a/include/forkserver.h b/include/forkserver.h index ac89b681..d76dfc7a 100644 --- a/include/forkserver.h +++ b/include/forkserver.h @@ -61,7 +61,7 @@ typedef struct afl_forkserver { u64 total_execs; /* How often run_target was called */ u8 *out_file, /* File to fuzz, if any */ - *target_path; /* Path of the target */ + *target_path; /* Path of the target */ FILE *plot_file; /* Gnuplot output file */ diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 6f946ed5..3d86efb1 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -84,6 +84,7 @@ static volatile u8 stop_soon, /* Ctrl-C pressed? */ static u8 *target_path; static u8 qemu_mode; +static u32 map_size = MAP_SIZE; /* Constants used for describing byte behavior. */ @@ -115,7 +116,7 @@ static u8 count_class_lookup[256] = { static void classify_counts(u8 *mem) { - u32 i = MAP_SIZE; + u32 i = map_size; if (edges_only) { @@ -144,7 +145,7 @@ static void classify_counts(u8 *mem) { static inline u8 anything_set(void) { u32 *ptr = (u32 *)trace_bits; - u32 i = (MAP_SIZE >> 2); + u32 i = (map_size >> 2); while (i--) if (*(ptr++)) return 1; @@ -217,7 +218,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { s32 prog_in_fd; u32 cksum; - memset(trace_bits, 0, MAP_SIZE); + memset(trace_bits, 0, map_size); MEM_BARRIER(); prog_in_fd = write_to_file(prog_in, mem, len); @@ -311,7 +312,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) { } - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(trace_bits, map_size, HASH_CONST); /* We don't actually care if the target is crashing or not, except that when it does, the checksum should be different. */ @@ -811,7 +812,7 @@ int main(int argc, char **argv, char **envp) { s32 opt; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; - char **use_argv; + char **use_argv, *ptr; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; @@ -931,12 +932,21 @@ int main(int argc, char **argv, char **envp) { if (optind == argc || !in_file) usage(argv[0]); + if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { + + map_size = atoi(ptr); + if (map_size < 8 || map_size > (1 << 29)) + FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); + if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); + + } + use_hex_offsets = !!get_afl_env("AFL_ANALYZE_HEX"); check_environment_vars(envp); sharedmem_t shm = {0}; - trace_bits = afl_shm_init(&shm, MAP_SIZE, 0); + trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); setup_signal_handlers(); diff --git a/src/afl-common.c b/src/afl-common.c index c9f09d38..3210ee97 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -72,7 +72,7 @@ char *afl_environment_variables[] = { "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_X86", // not really an env but we dont want to warn on it - "AFL_PATH", "AFL_PERFORMANCE_FILE", + "AFL_MAP_SIZE", "AFL_MAPSIZE", "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally "AFL_POST_LIBRARY", "AFL_PRELOAD", "AFL_PYTHON_MODULE", "AFL_QEMU_COMPCOV", "AFL_QEMU_COMPCOV_DEBUG", "AFL_QEMU_DEBUG_MAPS", "AFL_QEMU_DISABLE_CACHE", diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c index 006764d9..9b915a7a 100644 --- a/src/afl-forkserver.c +++ b/src/afl-forkserver.c @@ -407,21 +407,26 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv, if ((status & FS_OPT_MAPSIZE) == FS_OPT_MAPSIZE) { - fsrv->map_size = FS_OPT_GET_MAPSIZE(status); - if (unlikely(fsrv->map_size % 8)) { + u32 tmp_map_size = FS_OPT_GET_MAPSIZE(status); + + if (!fsrv->map_size) fsrv->map_size = MAP_SIZE; + + if (unlikely(tmp_map_size % 8)) { // should not happen - WARNF("Target reported non-aligned map size of %ud", fsrv->map_size); - fsrv->map_size = (((fsrv->map_size + 8) >> 3) << 3); + WARNF("Target reported non-aligned map size of %ud", tmp_map_size); + tmp_map_size = (((tmp_map_size + 8) >> 3) << 3); } - if (!be_quiet) ACTF("Target map size: %u", fsrv->map_size); - if (fsrv->map_size > MAP_SIZE) + if (!be_quiet) ACTF("Target map size: %u", tmp_map_size); + if (tmp_map_size > fsrv->map_size) FATAL( "Target's coverage map size of %u is larger than the one this " - "afl++ is compiled with (%u) (change MAP_SIZE and recompile)\n", - fsrv->map_size, MAP_SIZE); + "afl++ is set with (%u) (change MAP_SIZE_POW2 in config.h and " + "recompile or set AFL_MAP_SIZE)\n", + tmp_map_size, fsrv->map_size); + fsrv->map_size = tmp_map_size; } diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index be8f504e..0823deed 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -43,7 +43,7 @@ void write_bitmap(afl_state_t *afl) { if (fd < 0) PFATAL("Unable to open '%s'", fname); - ck_write(fd, afl->virgin_bits, MAP_SIZE, fname); + ck_write(fd, afl->virgin_bits, afl->fsrv.map_size, fname); close(fd); @@ -145,8 +145,6 @@ u32 count_bits(afl_state_t *afl, u8 *mem) { u32 i = (afl->fsrv.map_size >> 2); u32 ret = 0; - if (i == 0) i = 1; - while (i--) { u32 v = *(ptr++); @@ -181,8 +179,6 @@ u32 count_bytes(afl_state_t *afl, u8 *mem) { u32 i = (afl->fsrv.map_size >> 2); u32 ret = 0; - if (i == 0) i = 1; - while (i--) { u32 v = *(ptr++); @@ -208,8 +204,6 @@ u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) { u32 i = (afl->fsrv.map_size >> 2); u32 ret = 0; - if (i == 0) i = 1; - while (i--) { u32 v = *(ptr++); @@ -246,8 +240,6 @@ void simplify_trace(afl_state_t *afl, u64 *mem) { u32 i = (afl->fsrv.map_size >> 3); - if (i == 0) i = 1; - while (i--) { /* Optimize for sparse bitmaps. */ @@ -281,8 +273,6 @@ void simplify_trace(afl_state_t *afl, u32 *mem) { u32 i = (afl->fsrv.map_size >> 2); - if (i == 0) i = 1; - while (i--) { /* Optimize for sparse bitmaps. */ @@ -347,8 +337,6 @@ void classify_counts(afl_forkserver_t *fsrv) { u32 i = (fsrv->map_size >> 3); - if (i == 0) i = 1; - while (i--) { /* Optimize for sparse bitmaps. */ @@ -378,8 +366,6 @@ void classify_counts(afl_forkserver_t *fsrv) { u32 i = (fsrv->map_size >> 2); - if (i == 0) i = 1; - while (i--) { /* Optimize for sparse bitmaps. */ diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 7131ceed..3da348d2 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -442,23 +442,6 @@ void read_testcases(afl_state_t *afl) { } -/* Examine map coverage. Called once, for first test case. */ - -static void check_map_coverage(afl_state_t *afl) { - - u32 i; - - if (count_bytes(afl, afl->fsrv.trace_bits) < 100) return; - - for (i = (1 << (MAP_SIZE_POW2 - 1)); i < MAP_SIZE; ++i) - if (afl->fsrv.trace_bits[i]) return; - - if (afl->fsrv.map_size != MAP_SIZE) return; - - WARNF("Recompile binary with newer version of afl to improve coverage!"); - -} - /* Perform dry run of all test cases to confirm that the app is working as expected. This is done only for the initial inputs, and only once. */ @@ -501,8 +484,6 @@ void perform_dry_run(afl_state_t *afl) { case FSRV_RUN_OK: - if (q == afl->queue) check_map_coverage(afl); - if (afl->crash_mode) FATAL("Test case '%s' does *NOT* crash", fn); break; diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index d05eee08..373f12d8 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -249,7 +249,6 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { if (!q->trace_mini) { u32 len = (afl->fsrv.map_size >> 3); - if (len == 0) len = 1; q->trace_mini = ck_alloc(len); minimize_bits(afl, q->trace_mini, afl->fsrv.trace_bits); @@ -272,12 +271,12 @@ void cull_queue(afl_state_t *afl) { struct queue_entry *q; u32 len = (afl->fsrv.map_size >> 3); u32 i; - u8 temp_v[MAP_SIZE >> 3]; - - if (len == 0) len = 1; + u8 * temp_v; if (afl->dumb_mode || !afl->score_changed) return; + temp_v = ck_alloc(afl->fsrv.map_size >> 3); + afl->score_changed = 0; memset(temp_v, 255, len); @@ -325,6 +324,8 @@ void cull_queue(afl_state_t *afl) { } + ck_free(temp_v); + } /* Calculate case desirability score to adjust the length of havoc fuzzing. diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 7664c521..7d068258 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -99,7 +99,11 @@ void afl_state_init(afl_state_t *afl) { afl->fsrv.use_stdin = 1; - afl->fsrv.map_size = MAP_SIZE; + if (afl->afl_env.map_size > 8 && afl->afl_env.map_size <= (1 << 29)) + afl->fsrv.map_size = afl->afl_env.map_size; + else + afl->fsrv.map_size = MAP_SIZE; + afl->fsrv.function_opt = (u8 *)afl; afl->fsrv.function_ptr = &maybe_add_auto; @@ -324,6 +328,24 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_path = (u8 *)get_afl_env(afl_environment_variables[i]); + } else if (!strncmp(env, "AFL_MAP_SIZE", + + afl_environment_variable_len) || + !strncmp(env, "AFL_MAPSIZE", + afl_environment_variable_len)) { + + afl->afl_env.map_size = + atoi((u8 *)get_afl_env(afl_environment_variables[i])); + + if (afl->afl_env.map_size < 8 || afl->afl_env.map_size > (1 << 29)) + FATAL( + "the specified AFL_MAP_SIZE size is illegal and must be " + "between 2^3 and 2^30: %u\n", + afl->afl_env.map_size); + + if (afl->afl_env.map_size % 8) + afl->afl_env.map_size = (((afl->afl_env.map_size >> 3) + 1) << 3); + } else if (!strncmp(env, "AFL_PRELOAD", afl_environment_variable_len)) { diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 925dbb1a..3cf57f86 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -249,6 +249,7 @@ int main(int argc, char **argv_orig, char **envp) { if (get_afl_env("AFL_DEBUG")) afl->debug = 1; read_afl_environment(afl, envp); + if (afl->afl_env.map_size) afl->fsrv.map_size = afl->afl_env.map_size; exit_1 = !!afl->afl_env.afl_bench_just_one; SAYF(cCYA "afl-fuzz" VERSION cRST @@ -476,7 +477,7 @@ int main(int argc, char **argv_orig, char **envp) { if (afl->in_bitmap) FATAL("Multiple -B options not supported"); afl->in_bitmap = optarg; - read_bitmap(afl->in_bitmap, afl->virgin_bits, MAP_SIZE); + read_bitmap(afl->in_bitmap, afl->virgin_bits, afl->fsrv.map_size); break; case 'C': /* crash mode */ @@ -910,13 +911,14 @@ int main(int argc, char **argv_orig, char **envp) { check_crash_handling(); check_cpu_governor(afl); - afl->fsrv.trace_bits = afl_shm_init(&afl->shm, MAP_SIZE, afl->dumb_mode); + afl->fsrv.trace_bits = + afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->dumb_mode); setup_post(afl); - if (!afl->in_bitmap) memset(afl->virgin_bits, 255, MAP_SIZE); - memset(afl->virgin_tmout, 255, MAP_SIZE); - memset(afl->virgin_crash, 255, MAP_SIZE); + if (!afl->in_bitmap) memset(afl->virgin_bits, 255, afl->fsrv.map_size); + memset(afl->virgin_tmout, 255, afl->fsrv.map_size); + memset(afl->virgin_crash, 255, afl->fsrv.map_size); init_count_class16(); diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 32cd36cb..86a88014 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -411,6 +411,14 @@ int main(int argc, char **argv) { } + u8 *ptr; + if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { + + u32 map_size = atoi(ptr); + if (map_size != MAP_SIZE) FATAL("AFL_MAP_SIZE is not supported by afl-gcc"); + + } + find_as(argv[0]); edit_params(argc, argv); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 21e18061..c1561b4c 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -72,6 +72,8 @@ static u32 total, highest; /* tuple content information */ static u32 in_len, /* Input data length */ arg_offset; /* Total number of execs */ +static u32 map_size = MAP_SIZE; + static u8 quiet_mode, /* Hide non-essential messages? */ edges_only, /* Ignore hit counts? */ raw_instr_output, /* Do not apply AFL filters */ @@ -112,7 +114,7 @@ static void classify_counts(afl_forkserver_t *fsrv) { u8 * mem = fsrv->trace_bits; const u8 *map = binary_mode ? count_class_binary : count_class_human; - u32 i = MAP_SIZE; + u32 i = map_size; if (edges_only) { @@ -175,10 +177,10 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { if (binary_mode) { - for (i = 0; i < MAP_SIZE; i++) + for (i = 0; i < map_size; i++) if (fsrv->trace_bits[i]) ret++; - ck_write(fd, fsrv->trace_bits, MAP_SIZE, outfile); + ck_write(fd, fsrv->trace_bits, map_size, outfile); close(fd); } else { @@ -187,7 +189,7 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) { if (!f) PFATAL("fdopen() failed"); - for (i = 0; i < MAP_SIZE; i++) { + for (i = 0; i < map_size; i++) { if (!fsrv->trace_bits[i]) continue; ret++; @@ -535,7 +537,7 @@ int main(int argc, char **argv_orig, char **envp) { s32 opt, i; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; u32 tcnt = 0; - char **use_argv; + char **use_argv, *ptr; char **argv = argv_cpy_dup(argc, argv_orig); @@ -543,6 +545,16 @@ int main(int argc, char **argv_orig, char **envp) { afl_forkserver_t *fsrv = &fsrv_var; afl_fsrv_init(fsrv); + if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { + + map_size = atoi(ptr); + if (map_size < 8 || map_size > (1 << 29)) + FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); + if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); + fsrv->map_size = map_size; + + } + doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; if (getenv("AFL_QUIET") != NULL) be_quiet = 1; @@ -715,7 +727,7 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); sharedmem_t shm = {0}; - fsrv->trace_bits = afl_shm_init(&shm, MAP_SIZE, 0); + fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); setup_signal_handlers(); set_up_environment(fsrv); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 0a462e9a..e366d260 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -70,7 +70,8 @@ static u32 in_len, /* Input data length */ orig_cksum, /* Original checksum */ missed_hangs, /* Misses due to hangs */ missed_crashes, /* Misses due to crashes */ - missed_paths; /* Misses due to exec path diffs */ + missed_paths, /* Misses due to exec path diffs */ + map_size = MAP_SIZE; static u8 crash_mode, /* Crash-centric mode? */ hang_mode, /* Minimize as long as it hangs */ @@ -105,7 +106,7 @@ static const u8 count_class_lookup[256] = { static void apply_mask(u32 *mem, u32 *mask) { - u32 i = (MAP_SIZE >> 2); + u32 i = (map_size >> 2); if (!mask) return; @@ -122,7 +123,7 @@ static void apply_mask(u32 *mem, u32 *mask) { static void classify_counts(afl_forkserver_t *fsrv) { u8 *mem = fsrv->trace_bits; - u32 i = MAP_SIZE; + u32 i = map_size; if (edges_only) { @@ -151,7 +152,7 @@ static void classify_counts(afl_forkserver_t *fsrv) { static inline u8 anything_set(afl_forkserver_t *fsrv) { u32 *ptr = (u32 *)fsrv->trace_bits; - u32 i = (MAP_SIZE >> 2); + u32 i = (map_size >> 2); while (i--) if (*(ptr++)) return 1; @@ -755,7 +756,7 @@ int main(int argc, char **argv_orig, char **envp) { s32 opt; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; - char **use_argv; + char **use_argv, *ptr; char **argv = argv_cpy_dup(argc, argv_orig); @@ -763,6 +764,16 @@ int main(int argc, char **argv_orig, char **envp) { afl_forkserver_t *fsrv = &fsrv_var; afl_fsrv_init(fsrv); + if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { + + map_size = atoi(ptr); + if (map_size < 8 || map_size > (1 << 29)) + FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); + if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); + fsrv->map_size = map_size; + + } + doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n"); @@ -910,8 +921,8 @@ int main(int argc, char **argv_orig, char **envp) { to be useful. */ if (mask_bitmap) FATAL("Multiple -B options not supported"); - mask_bitmap = ck_alloc(MAP_SIZE); - read_bitmap(optarg, mask_bitmap, MAP_SIZE); + mask_bitmap = ck_alloc(map_size); + read_bitmap(optarg, mask_bitmap, map_size); break; case 'h': @@ -928,7 +939,7 @@ int main(int argc, char **argv_orig, char **envp) { check_environment_vars(envp); sharedmem_t shm = {0}; - fsrv->trace_bits = afl_shm_init(&shm, MAP_SIZE, 0); + fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); atexit(at_exit_handler); setup_signal_handlers(); -- cgit 1.4.1 From ef311ec70cd9f58cc58fe67fd693d94e01edbf98 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 10:08:56 +0200 Subject: done implementing AFL_MAP_SIZE --- docs/env_variables.md | 5 +++++ gcc_plugin/afl-gcc-fast.c | 10 ++++++++++ llvm_mode/afl-clang-fast.c | 10 ++++++++++ llvm_mode/afl-llvm-lto-instrumentation.so.cc | 28 +++++++++++++++------------- src/afl-gcc.c | 3 ++- 5 files changed, 42 insertions(+), 14 deletions(-) (limited to 'src') diff --git a/docs/env_variables.md b/docs/env_variables.md index 7890da35..21bf9fad 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -243,6 +243,11 @@ checks or alter some of the more exotic semantics of the tool: normally indicated by the cycle counter in the UI turning green. May be convenient for some types of automated jobs. + - AFL_MAP_SIZE sets the size of the shared map that afl-fuzz, afl-showmap, + afl-tmin and afl-analyze create to gather instrumentation data from + the target. This must be equal or larger than the size the target was + compiled with. + - Setting AFL_NO_AFFINITY disables attempts to bind to a specific CPU core on Linux systems. This slows things down, but lets you run more instances of afl-fuzz than would be prudent (if you really want to). diff --git a/gcc_plugin/afl-gcc-fast.c b/gcc_plugin/afl-gcc-fast.c index 8953c523..0e51ee62 100644 --- a/gcc_plugin/afl-gcc-fast.c +++ b/gcc_plugin/afl-gcc-fast.c @@ -364,6 +364,16 @@ int main(int argc, char **argv, char **envp) { be_quiet = 1; + u8 *ptr; + if (!be_quiet && + ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE")))) { + + u32 map_size = atoi(ptr); + if (map_size != MAP_SIZE) + FATAL("AFL_MAP_SIZE is not supported by afl-gcc-fast"); + + } + check_environment_vars(envp); find_obj(argv[0]); diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index c0471033..5abe61c6 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -796,6 +796,16 @@ int main(int argc, char **argv, char **envp) { } + u8 *ptr2; + if (!be_quiet && instrument_mode != INSTRUMENT_LTO && + ((ptr2 = getenv("AFL_MAP_SIZE")) || (ptr2 = getenv("AFL_MAPSIZE")))) { + + u32 map_size = atoi(ptr2); + if (map_size != MAP_SIZE) + FATAL("AFL_MAP_SIZE is not supported by afl-clang-fast"); + + } + if (debug) { SAYF(cMGN "[D]" cRST " cd \"%s\";", getthecwd()); diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index c5e7a2b7..a5058974 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -608,20 +608,22 @@ bool AFLLTOPass::runOnModule(Module &M) { } - // save highest location ID to global variable - // do this after each function to fail faster - if (afl_global_id > MAP_SIZE) { - - uint32_t pow2map = 1, map = afl_global_id; - while ((map = map >> 1)) - pow2map++; - FATAL( - "We have %u blocks to instrument but the map size is only %u! Edit " - "config.h and set MAP_SIZE_POW2 from %u to %u, then recompile " - "afl-fuzz and llvm_mode.", - afl_global_id, MAP_SIZE, MAP_SIZE_POW2, pow2map); + } - } + // save highest location ID to global variable + // do this after each function to fail faster + if (!be_quiet && afl_global_id > MAP_SIZE) { + + uint32_t pow2map = 1, map = afl_global_id; + while ((map = map >> 1)) + pow2map++; + WARNF( + "We have %u blocks to instrument but the map size is only %u. Either " + "edit config.h and set MAP_SIZE_POW2 from %u to %u, then recompile " + "afl-fuzz and llvm_mode and then make this target - or set " + "AFL_MAP_SIZE with at least size %u when running afl-fuzz with this " + "target.", + afl_global_id, MAP_SIZE, MAP_SIZE_POW2, pow2map, afl_global_id); } diff --git a/src/afl-gcc.c b/src/afl-gcc.c index 86a88014..1ae10975 100644 --- a/src/afl-gcc.c +++ b/src/afl-gcc.c @@ -412,7 +412,8 @@ int main(int argc, char **argv) { } u8 *ptr; - if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { + if (!be_quiet && + ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE")))) { u32 map_size = atoi(ptr); if (map_size != MAP_SIZE) FATAL("AFL_MAP_SIZE is not supported by afl-gcc"); -- cgit 1.4.1 From 248a2f2f0bfddd9f79a4c6b6ceadef32f1765969 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 10:21:41 +0200 Subject: added AFL_MAP_SIZE to env help output --- llvm_mode/afl-clang-fast.c | 50 +++++++++++++++++++++++----------------------- src/afl-analyze.c | 4 +++- src/afl-fuzz.c | 50 ++++++++++++++++++++++++---------------------- src/afl-showmap.c | 11 ++++++---- src/afl-tmin.c | 4 +++- 5 files changed, 64 insertions(+), 55 deletions(-) (limited to 'src') diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 5abe61c6..7466db26 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -716,30 +716,30 @@ int main(int argc, char **argv, char **envp) { "Environment variables used:\n" "AFL_CC: path to the C compiler to use\n" "AFL_CXX: path to the C++ compiler to use\n" - "AFL_PATH: path to instrumenting pass and runtime " - "(afl-llvm-rt.*o)\n" - "AFL_DONT_OPTIMIZE: disable optimization instead of -O3\n" - "AFL_NO_BUILTIN: compile for use with libtokencap.so\n" - "AFL_INST_RATIO: percentage of branches to instrument\n" - "AFL_QUIET: suppress verbose output\n" "AFL_DEBUG: enable developer debugging output\n" + "AFL_DONT_OPTIMIZE: disable optimization instead of -O3\n" "AFL_HARDEN: adds code hardening to catch memory bugs\n" - "AFL_USE_ASAN: activate address sanitizer\n" - "AFL_USE_MSAN: activate memory sanitizer\n" - "AFL_USE_UBSAN: activate undefined behaviour sanitizer\n" - "AFL_USE_CFISAN: activate control flow sanitizer\n" - "AFL_LLVM_WHITELIST: enable whitelisting (selective " - "instrumentation)\n" + "AFL_INST_RATIO: percentage of branches to instrument\n" "AFL_LLVM_NOT_ZERO: use cycling trace counters that skip zero\n" "AFL_LLVM_LAF_SPLIT_COMPARES: enable cascaded comparisons\n" - "AFL_LLVM_LAF_SPLIT_SWITCHES: casc. comp. in 'switch'\n" - "AFL_LLVM_LAF_TRANSFORM_COMPARES: transform library comparison " - "function calls\n" - " to cascaded comparisons\n" "AFL_LLVM_LAF_SPLIT_FLOATS: transform floating point comp. to " "cascaded " "comp.\n" - "AFL_LLVM_LAF_SPLIT_COMPARES_BITW: size limit (default 8)\n", + "AFL_LLVM_LAF_SPLIT_SWITCHES: casc. comp. in 'switch'\n" + " to cascaded comparisons\n" + "AFL_LLVM_LAF_TRANSFORM_COMPARES: transform library comparison " + "function calls\n" + "AFL_LLVM_LAF_SPLIT_COMPARES_BITW: size limit (default 8)\n" + "AFL_LLVM_WHITELIST: enable whitelisting (selective " + "instrumentation)\n" + "AFL_NO_BUILTIN: compile for use with libtokencap.so\n" + "AFL_PATH: path to instrumenting pass and runtime " + "(afl-llvm-rt.*o)\n" + "AFL_QUIET: suppress verbose output\n" + "AFL_USE_ASAN: activate address sanitizer\n" + "AFL_USE_CFISAN: activate control flow sanitizer\n" + "AFL_USE_MSAN: activate memory sanitizer\n" + "AFL_USE_UBSAN: activate undefined behaviour sanitizer\n", callname, BIN_PATH, BIN_PATH); SAYF( @@ -747,21 +747,21 @@ int main(int argc, char **argv, char **envp) { "AFL_LLVM_CMPLOG: log operands of comparisons (RedQueen mutator)\n" "AFL_LLVM_INSTRUMENT: set instrumentation mode: DEFAULT, CFG " "(INSTRIM), LTO, CTX, NGRAM-2 ... NGRAM-16\n" - "You can also use the old environment variables:" - "AFL_LLVM_CTX: use context sensitive coverage\n" - "AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n" - "AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage\n" - "AFL_LLVM_INSTRIM: use light weight instrumentation InsTrim\n" - "AFL_LLVM_INSTRIM_LOOPHEAD: optimize loop tracing for speed (sub " + " You can also use the old environment variables instead:" + " AFL_LLVM_CTX: use context sensitive coverage\n" + " AFL_LLVM_USE_TRACE_PC: use LLVM trace-pc-guard instrumentation\n" + " AFL_LLVM_NGRAM_SIZE: use ngram prev_loc count coverage\n" + " AFL_LLVM_INSTRIM: use light weight instrumentation InsTrim\n" + " AFL_LLVM_INSTRIM_LOOPHEAD: optimize loop tracing for speed (sub " "option to INSTRIM)\n"); #ifdef AFL_CLANG_FLTO SAYF( "\nafl-clang-lto specific environment variables:\n" - "AFL_LLVM_LTO_STARTID: from which ID to start counting from for a " - "bb\n" "AFL_LLVM_LTO_DONTWRITEID: don't write the highest ID used to a " "global var\n" + "AFL_LLVM_LTO_STARTID: from which ID to start counting from for a " + "bb\n" "AFL_REAL_LD: use this lld linker instead of the compiled in path\n" "\nafl-clang-lto was built with linker target \"%s\" and LTO flags " "\"%s\"\n" diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 3d86efb1..8a84b781 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -796,8 +796,10 @@ static void usage(u8 *argv0) { " (must contain abort_on_error=1 and symbolize=0)\n" "MSAN_OPTIONS: custom settings for MSAN\n" " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" - "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_ANALYZE_HEX: print file offsets in hexadecimal instead of decimal\n" + "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" + " the target was compiled for\n" + "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_SKIP_BIN_CHECK: skip checking the location of and the target\n" , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 3cf57f86..2a1387a9 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -150,44 +150,46 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { if (more_help > 1) SAYF( "Environment variables used:\n" - "AFL_PATH: path to AFL support binaries\n" - "AFL_QUIET: suppress forkserver status messages\n" - "AFL_DEBUG_CHILD_OUTPUT: do not suppress stdout/stderr from target\n" "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n" + "ASAN_OPTIONS: custom settings for ASAN\n" + " (must contain abort_on_error=1 and symbolize=0)\n" + "MSAN_OPTIONS: custom settings for MSAN\n" + " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" + "AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists\n" "AFL_BENCH_JUST_ONE: run the target just once\n" - "AFL_DUMB_FORKSRV: use fork server without feedback from target\n" + "AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n" "AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs\n" "AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n" - "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" "AFL_DEBUG: extra debugging output for Python mode trimming\n" + "AFL_DEBUG_CHILD_OUTPUT: do not suppress stdout/stderr from target\n" "AFL_DISABLE_TRIM: disable the trimming of test cases\n" - "AFL_NO_UI: switch status screen off\n" - "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n" - "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n" - "AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking\n" - "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" - "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" - "AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n" - "AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup\n" + "AFL_DUMB_FORKSRV: use fork server without feedback from target\n" + "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n" + "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n" "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n" - "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" - "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" + "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n" "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" + "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" + " the target was compiled for\n" "AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n" + "AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n" + "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n" + "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" + "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" + "AFL_NO_UI: switch status screen off\n" + "AFL_PATH: path to AFL support binaries\n" "AFL_POST_LIBRARY: postprocess generated test cases before use as target input\n" - "AFL_SKIP_CRASHES: during initial dry run do not terminate for crashing inputs\n" - "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n" - "ASAN_OPTIONS: custom settings for ASAN\n" - " (must contain abort_on_error=1 and symbolize=0)\n" - "MSAN_OPTIONS: custom settings for MSAN\n" - " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" + "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n" + "AFL_QUIET: suppress forkserver status messages\n" + "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" + "AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup\n" "AFL_SKIP_BIN_CHECK: skip the check, if the target is an excutable\n" + "AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking\n" + "AFL_SKIP_CRASHES: during initial dry run do not terminate for crashing inputs\n" + "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" //"AFL_PERSISTENT: not supported anymore -> no effect, just a warning\n" //"AFL_DEFER_FORKSRV: not supported anymore -> no effect, just a warning\n" - "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" - "AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n" - "AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists\n" "\n" ); else diff --git a/src/afl-showmap.c b/src/afl-showmap.c index c1561b4c..59c76d41 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -515,13 +515,16 @@ static void usage(u8 *argv0) { "For additional help, consult %s/README.md.\n\n" "Environment variables used:\n" - "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" - "AFL_DEBUG: enable extra developer output\n" - "AFL_QUIET: do not print extra informational output" + "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n", "AFL_CMIN_CRASHES_ONLY: (cmin_mode) only write tuples for crashing " "inputs\n" "AFL_CMIN_ALLOW_ANY: (cmin_mode) write tuples for crashing inputs also\n" - "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n", + "AFL_DEBUG: enable extra developer output\n" + "AFL_MAP_SIZE: the shared memory size for that target. must be >= the " + "size\n" + " the target was compiled for\n" + "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" + "AFL_QUIET: do not print extra informational output" argv0, MEM_LIMIT, doc_path); exit(1); diff --git a/src/afl-tmin.c b/src/afl-tmin.c index e366d260..ad7d70c7 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -741,7 +741,9 @@ static void usage(u8 *argv0) { " (must contain abort_on_error=1 and symbolize=0)\n" "MSAN_OPTIONS: custom settings for MSAN\n" " (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n" - "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" + "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" + " the target was compiled for\n" + "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" "AFL_TMIN_EXACT: require execution paths to match for crashing inputs\n" , argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); -- cgit 1.4.1 From 2162fd8e1a1ceb745c1fcf87fb6a1053508591c4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 10:46:35 +0200 Subject: preliminary stuff for AFL_MAP_SIZE and afl-llvm-pass --- llvm_mode/afl-llvm-lto-instrumentation.so.cc | 2 +- llvm_mode/afl-llvm-pass.so.cc | 68 +++++++++++++++++++++++++++- src/afl-showmap.c | 4 +- 3 files changed, 69 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/llvm_mode/afl-llvm-lto-instrumentation.so.cc b/llvm_mode/afl-llvm-lto-instrumentation.so.cc index a5058974..ece3201f 100644 --- a/llvm_mode/afl-llvm-lto-instrumentation.so.cc +++ b/llvm_mode/afl-llvm-lto-instrumentation.so.cc @@ -637,7 +637,7 @@ bool AFLLTOPass::runOnModule(Module &M) { if (!f) { fprintf(stderr, - "Error: init function could not be found (this hould not " + "Error: init function could not be found (this should not " "happen)\n"); exit(-1); diff --git a/llvm_mode/afl-llvm-pass.so.cc b/llvm_mode/afl-llvm-pass.so.cc index b4249802..71abcd05 100644 --- a/llvm_mode/afl-llvm-pass.so.cc +++ b/llvm_mode/afl-llvm-pass.so.cc @@ -125,6 +125,7 @@ class AFLCoverage : public ModulePass { std::list myWhitelist; uint32_t ngram_size = 0; uint32_t debug = 0; + uint32_t map_size = MAP_SIZE; char * ctx_str = NULL; }; @@ -192,6 +193,19 @@ bool AFLCoverage::runOnModule(Module &M) { be_quiet = 1; + /* + char *ptr; + if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { + + map_size = atoi(ptr); + if (map_size < 8 || map_size > (1 << 29)) + FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", + map_size); if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); + + } + + */ + /* Decide instrumentation ratio */ char * inst_ratio_str = getenv("AFL_INST_RATIO"); @@ -365,7 +379,7 @@ bool AFLCoverage::runOnModule(Module &M) { // if yes we store a context ID for this function in the global var if (has_calls) { - ConstantInt *NewCtx = ConstantInt::get(Int32Ty, AFL_R(MAP_SIZE)); + ConstantInt *NewCtx = ConstantInt::get(Int32Ty, AFL_R(map_size)); StoreInst * StoreCtx = IRB.CreateStore(NewCtx, AFLContext); StoreCtx->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); @@ -509,7 +523,7 @@ bool AFLCoverage::runOnModule(Module &M) { /* Make up cur_loc */ // cur_loc++; - cur_loc = AFL_R(MAP_SIZE); + cur_loc = AFL_R(map_size); /* There is a problem with Ubuntu 18.04 and llvm 6.0 (see issue #63). The inline function successors() is not inlined and also not found at runtime @@ -705,6 +719,56 @@ bool AFLCoverage::runOnModule(Module &M) { } + /* + // This is currently disabled because we not only need to create/insert a + // function (easy), but also add it as a constructor with an ID < 5 + + if (getenv("AFL_LLVM_DONTWRITEID") == NULL) { + + // yes we could create our own function, insert it into ctors ... + // but this would be a pain in the butt ... so we use afl-llvm-rt.o + + Function *f = ... + + if (!f) { + + fprintf(stderr, + "Error: init function could not be created (this should not + happen)\n"); exit(-1); + + } + + ... constructor for f = 4 + + BasicBlock *bb = &f->getEntryBlock(); + if (!bb) { + + fprintf(stderr, + "Error: init function does not have an EntryBlock (this should + not happen)\n"); exit(-1); + + } + + BasicBlock::iterator IP = bb->getFirstInsertionPt(); + IRBuilder<> IRB(&(*IP)); + + if (map_size <= 0x800000) { + + GlobalVariable *AFLFinalLoc = new GlobalVariable( + M, Int32Ty, true, GlobalValue::ExternalLinkage, 0, + "__afl_final_loc", 0, GlobalVariable::GeneralDynamicTLSModel, 0, + false); + ConstantInt *const_loc = ConstantInt::get(Int32Ty, map_size); + StoreInst * StoreFinalLoc = IRB.CreateStore(const_loc, AFLFinalLoc); + StoreFinalLoc->setMetadata(M.getMDKindID("nosanitize"), + MDNode::get(C, None)); + + } + + } + + */ + /* Say something nice. */ if (!be_quiet) { diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 59c76d41..a11c128a 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -524,8 +524,8 @@ static void usage(u8 *argv0) { "size\n" " the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" - "AFL_QUIET: do not print extra informational output" - argv0, MEM_LIMIT, doc_path); + "AFL_QUIET: do not print extra informational output" argv0, + MEM_LIMIT, doc_path); exit(1); -- cgit 1.4.1 From 8fa5d4c313372a337c7facf0428b0339babbe057 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 17 Apr 2020 11:01:14 +0200 Subject: clearer code --- qemu_mode/build_qemu_support.sh | 1 + src/afl-common.c | 13 +++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh index 118f6ebd..c512396a 100755 --- a/qemu_mode/build_qemu_support.sh +++ b/qemu_mode/build_qemu_support.sh @@ -234,6 +234,7 @@ if [ "$ORIG_CPU_TARGET" = "" ]; then unset AFL_INST_RATIO + echo "[*] Comparing two afl-showmap -Q outputs..." echo 0 | ./afl-showmap -m none -Q -q -o .test-instr0 ./test-instr || exit 1 echo 1 | ./afl-showmap -m none -Q -q -o .test-instr1 ./test-instr || exit 1 diff --git a/src/afl-common.c b/src/afl-common.c index ffc32533..48efff2c 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -222,10 +222,12 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) { } - } else + } else { ck_free(own_copy); + } + if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { if (cp) ck_free(cp); @@ -389,16 +391,19 @@ u8 *find_binary(u8 *fname) { memcpy(cur_elem, env_path, delim - env_path); delim++; - } else + } else { cur_elem = ck_strdup(env_path); + } + env_path = delim; - if (cur_elem[0]) + if (cur_elem[0]) { target_path = alloc_printf("%s/%s", cur_elem, fname); - else + } else { target_path = ck_strdup(fname); + } ck_free(cur_elem); -- cgit 1.4.1 From bda4d8812e6448bf7a9ce675f703c43609d76616 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 11:15:04 +0200 Subject: forgot MAP_SIZE for afl struct maps --- include/afl-fuzz.h | 18 ++++++++-------- src/afl-fuzz-state.c | 59 +++++++++++++++++++++++++--------------------------- src/afl-fuzz.c | 21 +++++++++++++++---- src/afl-showmap.c | 6 +++--- 4 files changed, 57 insertions(+), 47 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 88cacc4f..beef3d58 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -445,11 +445,11 @@ typedef struct afl_state { fast_cal, /* Try to calibrate faster? */ disable_trim; /* Never trim in fuzz_one */ - u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ + u8 *virgin_bits, /* Regions yet untouched by fuzzing */ + *virgin_tmout, /* Bits we haven't seen in tmouts */ + *virgin_crash; /* Bits we haven't seen in crashes */ - u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ + u8 *var_bytes; /* Bytes that appear to be variable */ volatile u8 stop_soon, /* Ctrl-C pressed? */ clear_screen; /* Window resized? */ @@ -537,7 +537,7 @@ typedef struct afl_state { *queue_top, /* Top of the list */ *q_prev100; /* Previous 100 marker */ - struct queue_entry *top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + struct queue_entry **top_rated; /* Top entries for bitmap bytes */ struct extra_data *extras; /* Extra tokens to fuzz with */ u32 extras_cnt; /* Total number of tokens read */ @@ -586,9 +586,9 @@ typedef struct afl_state { u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; double stats_avg_exec; - u8 clean_trace[MAP_SIZE]; - u8 clean_trace_custom[MAP_SIZE]; - u8 first_trace[MAP_SIZE]; + u8 *clean_trace; + u8 *clean_trace_custom; + u8 *first_trace; /*needed for afl_fuzz_one */ // TODO: see which we can reuse @@ -796,7 +796,7 @@ struct custom_mutator { }; -void afl_state_init(afl_state_t *); +void afl_state_init(afl_state_t *, uint32_t map_size); void afl_state_deinit(afl_state_t *); void read_afl_environment(afl_state_t *, char **); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 7d068258..476782e0 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -75,12 +75,14 @@ list_t afl_states = {.element_prealloc_count = 0}; /* Initializes an afl_state_t. */ -void afl_state_init(afl_state_t *afl) { +void afl_state_init(afl_state_t *afl, uint32_t map_size) { /* thanks to this memset, growing vars like out_buf and out_size are NULL/0 by default. */ memset(afl, 0, sizeof(afl_state_t)); + if (!map_size) map_size = MAP_SIZE; + afl->w_init = 0.9; afl->w_end = 0.3; afl->g_max = 5000; @@ -97,13 +99,17 @@ void afl_state_init(afl_state_t *afl) { afl->cpu_aff = -1; /* Selected CPU core */ #endif /* HAVE_AFFINITY */ - afl->fsrv.use_stdin = 1; - - if (afl->afl_env.map_size > 8 && afl->afl_env.map_size <= (1 << 29)) - afl->fsrv.map_size = afl->afl_env.map_size; - else - afl->fsrv.map_size = MAP_SIZE; + afl->virgin_bits = ck_alloc(map_size); + afl->virgin_tmout = ck_alloc(map_size); + afl->virgin_crash = ck_alloc(map_size); + afl->var_bytes = ck_alloc(map_size); + afl->top_rated = ck_alloc(map_size); + afl->clean_trace = ck_alloc(map_size); + afl->clean_trace_custom = ck_alloc(map_size); + afl->first_trace = ck_alloc(map_size); + afl->fsrv.use_stdin = 1; + afl->fsrv.map_size = map_size; afl->fsrv.function_opt = (u8 *)afl; afl->fsrv.function_ptr = &maybe_add_auto; @@ -328,24 +334,6 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_path = (u8 *)get_afl_env(afl_environment_variables[i]); - } else if (!strncmp(env, "AFL_MAP_SIZE", - - afl_environment_variable_len) || - !strncmp(env, "AFL_MAPSIZE", - afl_environment_variable_len)) { - - afl->afl_env.map_size = - atoi((u8 *)get_afl_env(afl_environment_variables[i])); - - if (afl->afl_env.map_size < 8 || afl->afl_env.map_size > (1 << 29)) - FATAL( - "the specified AFL_MAP_SIZE size is illegal and must be " - "between 2^3 and 2^30: %u\n", - afl->afl_env.map_size); - - if (afl->afl_env.map_size % 8) - afl->afl_env.map_size = (((afl->afl_env.map_size >> 3) + 1) << 3); - } else if (!strncmp(env, "AFL_PRELOAD", afl_environment_variable_len)) { @@ -386,12 +374,21 @@ void afl_state_deinit(afl_state_t *afl) { if (afl->pass_stats) ck_free(afl->pass_stats); if (afl->orig_cmp_map) ck_free(afl->orig_cmp_map); - free(afl->out_buf); - free(afl->out_scratch_buf); - free(afl->eff_buf); - free(afl->in_buf); - free(afl->in_scratch_buf); - free(afl->ex_buf); + if (afl->out_buf) free(afl->out_buf); + if (afl->out_scratch_buf) free(afl->out_scratch_buf); + if (afl->eff_buf) free(afl->eff_buf); + if (afl->in_buf) free(afl->in_buf); + if (afl->in_scratch_buf) free(afl->in_scratch_buf); + if (afl->ex_buf) free(afl->ex_buf); + + ck_free(afl->virgin_bits); + ck_free(afl->virgin_tmout); + ck_free(afl->virgin_crash); + ck_free(afl->var_bytes); + ck_free(afl->top_rated); + ck_free(afl->clean_trace); + ck_free(afl->clean_trace_custom); + ck_free(afl->first_trace); list_remove(&afl_states, afl); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 2a1387a9..93e83eed 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -233,8 +233,8 @@ int main(int argc, char **argv_orig, char **envp) { s32 opt; u64 prev_queued = 0; - u32 sync_interval_cnt = 0, seek_to, show_help = 0; - u8 * extras_dir = 0; + u32 sync_interval_cnt = 0, seek_to, show_help = 0, map_size = MAP_SIZE; + u8 * extras_dir = 0, *ptr; u8 mem_limit_given = 0, exit_1 = 0; char **use_argv; @@ -246,10 +246,23 @@ int main(int argc, char **argv_orig, char **envp) { afl_state_t *afl = calloc(1, sizeof(afl_state_t)); if (!afl) { FATAL("Could not create afl state"); } - afl_state_init(afl); + if (get_afl_env("AFL_DEBUG")) afl->debug = 1; + if ((ptr = get_afl_env("AFL_MAP_SIZE")) || + (ptr = get_afl_env("AFL_MAPSIZE"))) { + + map_size = atoi(ptr); + if (map_size < 8 || map_size > (1 << 29)) + FATAL( + "the specified AFL_MAP_SIZE size is illegal and must be between 2^3 " + "and 2^30: %u\n", + map_size); + if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); + + } + + afl_state_init(afl, map_size); afl_fsrv_init(&afl->fsrv); - if (get_afl_env("AFL_DEBUG")) afl->debug = 1; read_afl_environment(afl, envp); if (afl->afl_env.map_size) afl->fsrv.map_size = afl->afl_env.map_size; exit_1 = !!afl->afl_env.afl_bench_just_one; diff --git a/src/afl-showmap.c b/src/afl-showmap.c index a11c128a..0bcb71ed 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -515,7 +515,7 @@ static void usage(u8 *argv0) { "For additional help, consult %s/README.md.\n\n" "Environment variables used:\n" - "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n", + "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n" "AFL_CMIN_CRASHES_ONLY: (cmin_mode) only write tuples for crashing " "inputs\n" "AFL_CMIN_ALLOW_ANY: (cmin_mode) write tuples for crashing inputs also\n" @@ -524,8 +524,8 @@ static void usage(u8 *argv0) { "size\n" " the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" - "AFL_QUIET: do not print extra informational output" argv0, - MEM_LIMIT, doc_path); + "AFL_QUIET: do not print extra informational output", + argv0, MEM_LIMIT, doc_path); exit(1); -- cgit 1.4.1 From bfcf6db17a40056d281f15368ca623b389977f2d Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 17 Apr 2020 11:18:04 +0200 Subject: fixes --- src/afl-showmap.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index a11c128a..ef8e8261 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -488,11 +488,9 @@ static void usage(u8 *argv0) { "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" "Required parameters:\n" - " -o file - file to write the trace data to\n\n" "Execution control settings:\n" - " -t msec - timeout for each run (none)\n" " -m megs - memory limit for child process (%d MB)\n" " -Q - use binary-only instrumentation (QEMU mode)\n" @@ -500,9 +498,7 @@ static void usage(u8 *argv0) { " -W - use qemu-based instrumentation with Wine (Wine mode)\n" " (Not necessary, here for consistency with other afl-* " "tools)\n\n" - "Other settings:\n" - " -i dir - process all files in this directory, -o must be a " "directory\n" " and each bitmap will be written there individually.\n" @@ -524,7 +520,7 @@ static void usage(u8 *argv0) { "size\n" " the target was compiled for\n" "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n" - "AFL_QUIET: do not print extra informational output" argv0, + "AFL_QUIET: do not print extra informational output", argv0, MEM_LIMIT, doc_path); exit(1); -- cgit 1.4.1 From 6bd49b1d5cb3cde01dbb8f933fd9598921a9bfb9 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 11:24:40 +0200 Subject: final fix for map_size --- src/afl-common.c | 4 ++++ src/afl-fuzz-state.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 45868271..38c19234 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -404,9 +404,13 @@ u8 *find_binary(u8 *fname) { env_path = delim; if (cur_elem[0]) { + target_path = alloc_printf("%s/%s", cur_elem, fname); + } else { + target_path = ck_strdup(fname); + } ck_free(cur_elem); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 476782e0..86dafb3e 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -103,7 +103,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->virgin_tmout = ck_alloc(map_size); afl->virgin_crash = ck_alloc(map_size); afl->var_bytes = ck_alloc(map_size); - afl->top_rated = ck_alloc(map_size); + afl->top_rated = ck_alloc(map_size * sizeof(void *)); afl->clean_trace = ck_alloc(map_size); afl->clean_trace_custom = ck_alloc(map_size); afl->first_trace = ck_alloc(map_size); -- cgit 1.4.1 From 1931838a112a23567b41ac0f018ae811ef7fbe1c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 11:39:38 +0200 Subject: remove unnecessary map_size variables --- include/afl-fuzz.h | 2 -- include/sharedmem.h | 3 +-- llvm_mode/afl-clang-fast.c | 22 ++++++++++++---------- src/afl-fuzz-state.c | 2 +- src/afl-fuzz.c | 2 +- src/afl-sharedmem.c | 4 ++-- 6 files changed, 17 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index beef3d58..f6912aea 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -325,8 +325,6 @@ typedef struct afl_env_vars { *afl_python_module, *afl_path, *afl_hang_tmout, *afl_skip_crashes, *afl_preload; - uint32_t map_size; - } afl_env_vars_t; struct afl_pass_stat { diff --git a/include/sharedmem.h b/include/sharedmem.h index 57ab6cf0..6aef4b84 100644 --- a/include/sharedmem.h +++ b/include/sharedmem.h @@ -44,8 +44,7 @@ typedef struct sharedmem { u8 *map; /* shared memory region */ - size_t size_alloc; /* actual allocated size */ - size_t size_used; /* in use by shmem app */ + size_t map_size; /* actual allocated size */ int cmplog_mode; struct cmp_map *cmp_map; diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 7466db26..6584b11f 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -223,18 +223,20 @@ static void edit_params(u32 argc, char **argv, char **envp) { } - if ((!(getenv("AFL_LLVM_LTO_AUTODICTIONARY") // disabled when autodictionary - && instrument_mode != INSTRUMENT_LTO)) // and lto_mode is used - && (getenv("LAF_TRANSFORM_COMPARES") || - getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES"))) { + if (getenv("LAF_TRANSFORM_COMPARES") || + getenv("AFL_LLVM_LAF_TRANSFORM_COMPARES"))) { - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = "-load"; - cc_params[cc_par_cnt++] = "-Xclang"; - cc_params[cc_par_cnt++] = - alloc_printf("%s/compare-transform-pass.so", obj_path); + if (!be_quiet && getenv("AFL_LLVM_LTO_AUTODICTIONARY") && + instrument_mode != INSTRUMENT_LTO)) + WARNF("using AFL_LLVM_LAF_TRANSFORM_COMPARES together with AFL_LLVM_LTO_AUTODICTIONARY makes no sense. Use only AFL_LLVM_LTO_AUTODICTIONARY."); - } + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = "-load"; + cc_params[cc_par_cnt++] = "-Xclang"; + cc_params[cc_par_cnt++] = + alloc_printf("%s/compare-transform-pass.so", obj_path); + + } if (getenv("LAF_SPLIT_COMPARES") || getenv("AFL_LLVM_LAF_SPLIT_COMPARES")) { diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 86dafb3e..72bdd91e 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -81,7 +81,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { and out_size are NULL/0 by default. */ memset(afl, 0, sizeof(afl_state_t)); - if (!map_size) map_size = MAP_SIZE; + if (!map_size) afl->shm.map_size = MAP_SIZE; afl->w_init = 0.9; afl->w_end = 0.3; diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 93e83eed..03726eb0 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -264,7 +264,7 @@ int main(int argc, char **argv_orig, char **envp) { afl_fsrv_init(&afl->fsrv); read_afl_environment(afl, envp); - if (afl->afl_env.map_size) afl->fsrv.map_size = afl->afl_env.map_size; + if (afl->shm.map_size) afl->fsrv.map_size = afl->shm.map_size; exit_1 = !!afl->afl_env.afl_bench_just_one; SAYF(cCYA "afl-fuzz" VERSION cRST diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 01ba62aa..a130411e 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -72,7 +72,7 @@ void afl_shm_deinit(sharedmem_t *shm) { #ifdef USEMMAP if (shm->map != NULL) { - munmap(shm->map, shm->size_alloc); + munmap(shm->map, shm->map_size); shm->map = NULL; } @@ -99,7 +99,7 @@ void afl_shm_deinit(sharedmem_t *shm) { u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) { - shm->size_alloc = shm->size_used = map_size; + shm->map_size = map_size; shm->map = NULL; -- cgit 1.4.1 From 76e15a06957d03df7ffc8102a043c7694ba251d6 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 11:56:08 +0200 Subject: refactoring getting the map size --- TODO.md | 5 +++-- include/common.h | 2 ++ src/afl-analyze.c | 11 ++--------- src/afl-common.c | 18 ++++++++++++++++++ src/afl-fuzz.c | 15 ++------------- src/afl-showmap.c | 14 +++----------- src/afl-tmin.c | 14 +++----------- 7 files changed, 33 insertions(+), 46 deletions(-) (limited to 'src') diff --git a/TODO.md b/TODO.md index 703ba4ed..d31178c8 100644 --- a/TODO.md +++ b/TODO.md @@ -1,11 +1,12 @@ # TODO list for AFL++ -## Roadmap 2.64 +## Roadmap 2.65 + - AFL_MAP_SIZE for afl-llvm-pass, qemu_mode and unicorn_mode + - fix stability calculation bug - random crc32 HASH_CONST per run? because with 65536 paths we have collisions - namespace for targets? e.g. network - libradamsa as a custom module? - - fix stability calculation bug ## Further down the road diff --git a/include/common.h b/include/common.h index f5ace878..70ff0744 100644 --- a/include/common.h +++ b/include/common.h @@ -115,5 +115,7 @@ u8 *u_stringify_time_diff(u8 *buf, u64 cur_ms, u64 event_ms); u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, volatile u8 *stop_soon_p); +u32 get_map_size(); + #endif diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 8a84b781..b2c0f841 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -814,7 +814,7 @@ int main(int argc, char **argv, char **envp) { s32 opt; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; - char **use_argv, *ptr; + char **use_argv; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; @@ -934,14 +934,7 @@ int main(int argc, char **argv, char **envp) { if (optind == argc || !in_file) usage(argv[0]); - if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { - - map_size = atoi(ptr); - if (map_size < 8 || map_size > (1 << 29)) - FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); - if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); - - } + map_size = get_map_size(); use_hex_offsets = !!get_afl_env("AFL_ANALYZE_HEX"); diff --git a/src/afl-common.c b/src/afl-common.c index 38c19234..2cbf1059 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -898,3 +898,21 @@ u32 read_timed(s32 fd, void *buf, size_t len, u32 timeout_ms, } +u32 get_map_size() { + + uint32_t map_size = MAP_SIZE; + char * ptr; + + if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { + + map_size = atoi(ptr); + if (map_size < 8 || map_size > (1 << 29)) + FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); + if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); + + } + + return map_size; + +} + diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 03726eb0..83e25994 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -234,7 +234,7 @@ int main(int argc, char **argv_orig, char **envp) { s32 opt; u64 prev_queued = 0; u32 sync_interval_cnt = 0, seek_to, show_help = 0, map_size = MAP_SIZE; - u8 * extras_dir = 0, *ptr; + u8 * extras_dir = 0; u8 mem_limit_given = 0, exit_1 = 0; char **use_argv; @@ -247,19 +247,8 @@ int main(int argc, char **argv_orig, char **envp) { if (!afl) { FATAL("Could not create afl state"); } if (get_afl_env("AFL_DEBUG")) afl->debug = 1; - if ((ptr = get_afl_env("AFL_MAP_SIZE")) || - (ptr = get_afl_env("AFL_MAPSIZE"))) { - - map_size = atoi(ptr); - if (map_size < 8 || map_size > (1 << 29)) - FATAL( - "the specified AFL_MAP_SIZE size is illegal and must be between 2^3 " - "and 2^30: %u\n", - map_size); - if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); - - } + map_size = get_map_size(); afl_state_init(afl, map_size); afl_fsrv_init(&afl->fsrv); diff --git a/src/afl-showmap.c b/src/afl-showmap.c index f44b5453..a6adb695 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -536,23 +536,15 @@ int main(int argc, char **argv_orig, char **envp) { s32 opt, i; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; u32 tcnt = 0; - char **use_argv, *ptr; + char **use_argv; char **argv = argv_cpy_dup(argc, argv_orig); afl_forkserver_t fsrv_var = {0}; afl_forkserver_t *fsrv = &fsrv_var; afl_fsrv_init(fsrv); - - if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { - - map_size = atoi(ptr); - if (map_size < 8 || map_size > (1 << 29)) - FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); - if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); - fsrv->map_size = map_size; - - } + map_size = get_map_size(); + fsrv->map_size = map_size; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; diff --git a/src/afl-tmin.c b/src/afl-tmin.c index ad7d70c7..dab2a417 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -758,23 +758,15 @@ int main(int argc, char **argv_orig, char **envp) { s32 opt; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; - char **use_argv, *ptr; + char **use_argv; char **argv = argv_cpy_dup(argc, argv_orig); afl_forkserver_t fsrv_var = {0}; afl_forkserver_t *fsrv = &fsrv_var; afl_fsrv_init(fsrv); - - if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) { - - map_size = atoi(ptr); - if (map_size < 8 || map_size > (1 << 29)) - FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size); - if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3); - fsrv->map_size = map_size; - - } + map_size = get_map_size(); + fsrv->map_size = map_size; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; -- cgit 1.4.1 From 8ecfbcdf3457ca4337dc6a0f45def33582f51a7f Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 17 Apr 2020 13:15:24 +0200 Subject: removed tmp alloc in queue --- include/afl-fuzz.h | 3 +++ src/afl-fuzz-queue.c | 4 +--- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index f6912aea..fbf3aa2d 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -608,6 +608,9 @@ typedef struct afl_state { u8 * ex_buf; size_t ex_size; + u8 * map_tmp_buf; + size_t map_tmp_size; + } afl_state_t; /* A global pointer to all instances is needed (for now) for signals to arrive diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 373f12d8..96711cbc 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -275,7 +275,7 @@ void cull_queue(afl_state_t *afl) { if (afl->dumb_mode || !afl->score_changed) return; - temp_v = ck_alloc(afl->fsrv.map_size >> 3); + temp_v = ck_maybe_grow((void **)&afl->map_tmp_buf, &afl->map_tmp_size, afl->fsrv.map_size >> 3); afl->score_changed = 0; @@ -324,8 +324,6 @@ void cull_queue(afl_state_t *afl) { } - ck_free(temp_v); - } /* Calculate case desirability score to adjust the length of havoc fuzzing. -- cgit 1.4.1 From f22d8120ef6814c9af3b7a0c291c1494137fc53c Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 17 Apr 2020 13:22:39 +0200 Subject: fix afl-showmap for PATH_MAX on *BSD --- src/afl-showmap.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/afl-showmap.c b/src/afl-showmap.c index a6adb695..59b4963d 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include -- cgit 1.4.1 From 87d27b861649295c3de93e48c47544f29f07f36a Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 17 Apr 2020 13:29:32 +0200 Subject: add AFL_NO_PYTHON to list of env variables --- src/afl-common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/afl-common.c b/src/afl-common.c index 1ac1a2f3..d90cc99b 100644 --- a/src/afl-common.c +++ b/src/afl-common.c @@ -66,7 +66,7 @@ char *afl_environment_variables[] = { "AFL_LLVM_NGRAM_SIZE", "AFL_NGRAM_SIZE", "AFL_LLVM_NOT_ZERO", "AFL_LLVM_WHITELIST", "AFL_NO_AFFINITY", "AFL_LLVM_LTO_STARTID", "AFL_LLVM_LTO_DONTWRITEID", "AFL_NO_ARITH", "AFL_NO_BUILTIN", - "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", + "AFL_NO_CPU_RED", "AFL_NO_FORKSRV", "AFL_NO_UI", "AFL_NO_PYTHON", "AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_PATH", "AFL_PERFORMANCE_FILE", //"AFL_PERSISTENT", // not implemented anymore, so warn additionally -- cgit 1.4.1 From ef1d384184d2b67afb02836eb48233cce6dc4a89 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Fri, 17 Apr 2020 13:45:22 +0200 Subject: add missing limits.h include for PATH_MAX (OpenBSD) --- src/afl-fuzz.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 83e25994..efb65ba6 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -25,6 +25,7 @@ #include "afl-fuzz.h" #include "cmplog.h" +#include static u8 *get_libradamsa_path(u8 *own_loc) { -- cgit 1.4.1 From 6ee11c2a6f96c083f78bce650fbae5730c8ef971 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 17 Apr 2020 14:08:40 +0200 Subject: little more speed for queue analysis --- README.md | 4 ++-- include/afl-fuzz.h | 5 +++-- include/config.h | 2 +- src/afl-fuzz-queue.c | 4 +--- src/afl-fuzz-state.c | 3 +++ 5 files changed, 10 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/README.md b/README.md index a6afe73a..1e9b61f1 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@ ![Travis State](https://api.travis-ci.com/AFLplusplus/AFLplusplus.svg?branch=master) - Release Version: [2.63c](https://github.com/AFLplusplus/AFLplusplus/releases) + Release Version: [2.64c](https://github.com/AFLplusplus/AFLplusplus/releases) - Github Version: 2.63d + Github Version: 2.64d includes all necessary/interesting changes from Google's afl 2.56b diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index fbf3aa2d..fdfe3789 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -608,9 +608,10 @@ typedef struct afl_state { u8 * ex_buf; size_t ex_size; + /* this is a fixed buffer of size map_size that can be used by any function if they do not call another function */ u8 * map_tmp_buf; - size_t map_tmp_size; - + size_t map_tmp_len; + } afl_state_t; /* A global pointer to all instances is needed (for now) for signals to arrive diff --git a/include/config.h b/include/config.h index fae97a42..1de9973b 100644 --- a/include/config.h +++ b/include/config.h @@ -28,7 +28,7 @@ /* Version string: */ // c = release, d = volatile github dev, e = experimental branch -#define VERSION "++2.63d" +#define VERSION "++2.64c" /****************************************************** * * diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 96711cbc..121eb3f1 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -271,12 +271,10 @@ void cull_queue(afl_state_t *afl) { struct queue_entry *q; u32 len = (afl->fsrv.map_size >> 3); u32 i; - u8 * temp_v; + u8 * temp_v = afl->map_tmp_buf; if (afl->dumb_mode || !afl->score_changed) return; - temp_v = ck_maybe_grow((void **)&afl->map_tmp_buf, &afl->map_tmp_size, afl->fsrv.map_size >> 3); - afl->score_changed = 0; memset(temp_v, 255, len); diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 72bdd91e..0904604c 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -107,6 +107,8 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->clean_trace = ck_alloc(map_size); afl->clean_trace_custom = ck_alloc(map_size); afl->first_trace = ck_alloc(map_size); + afl->map_tmp_buf = ck_alloc(map_size); + afl->map_tmp_len = map_size; afl->fsrv.use_stdin = 1; afl->fsrv.map_size = map_size; @@ -389,6 +391,7 @@ void afl_state_deinit(afl_state_t *afl) { ck_free(afl->clean_trace); ck_free(afl->clean_trace_custom); ck_free(afl->first_trace); + ck_free(afl->map_tmp_buf); list_remove(&afl_states, afl); -- cgit 1.4.1 From 49753eb2d0af4fbfb6aba92572f621424fc6189b Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 17 Apr 2020 14:27:28 +0200 Subject: unused var --- include/afl-fuzz.h | 3 +-- src/afl-fuzz-state.c | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) (limited to 'src') diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index fdfe3789..87e6dcff 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -610,8 +610,7 @@ typedef struct afl_state { /* this is a fixed buffer of size map_size that can be used by any function if they do not call another function */ u8 * map_tmp_buf; - size_t map_tmp_len; - + } afl_state_t; /* A global pointer to all instances is needed (for now) for signals to arrive diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index 0904604c..de7a4481 100644 --- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -108,7 +108,6 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) { afl->clean_trace_custom = ck_alloc(map_size); afl->first_trace = ck_alloc(map_size); afl->map_tmp_buf = ck_alloc(map_size); - afl->map_tmp_len = map_size; afl->fsrv.use_stdin = 1; afl->fsrv.map_size = map_size; -- cgit 1.4.1