changed run_target

2025-06-08 16:21:32 +00:00 · 2020-04-15 19:23:26 +02:00 · 2020-04-15 19:23:26 +02:00 · 0c02a8f4d3
commit 0c02a8f4d3
parent 48f7f7a17b
8 changed files with 68 additions and 60 deletions
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -842,10 +842,10 @@ u32  count_bytes(afl_state_t *, u8 *);
 u32  count_non_255_bytes(afl_state_t *, u8 *);
 #ifdef WORD_SIZE_64
 void simplify_trace(afl_state_t *, u64 *);
-void classify_counts(afl_state_t *, u64 *);
+void classify_counts(afl_forkserver_t *);
 #else
 void simplify_trace(afl_state_t *, u32 *);
-void classify_counts(afl_state_t *, u32 *);
+void classify_counts(afl_forkserver_t *);
 #endif
 void init_count_class16(void);
 void minimize_bits(afl_state_t *, u8 *, u8 *);
--- a/include/forkserver.h
+++ b/include/forkserver.h
@ -97,7 +97,9 @@ void afl_fsrv_init(afl_forkserver_t *fsrv);
 void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from);
 void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
                    volatile u8 *stop_soon_p, u8 debug_child_output);
-fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
+fsrv_run_result_t afl_fsrv_run_target(
+    afl_forkserver_t *fsrv, u32 timeout,
+    void(classify_counts_func)(afl_forkserver_t *fsrv),
    volatile u8 *stop_soon_p);
 void afl_fsrv_killall(void);
 void afl_fsrv_deinit(afl_forkserver_t *fsrv);
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@ -184,7 +184,9 @@ static void edit_params(u32 argc, char **argv, char **envp) {
      sprintf(llvm_fullpath, CLANGPP_BIN);
    cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)llvm_fullpath;

-  } else if (!strcmp(name, "afl-clang-fast") || !strcmp(name, "afl-clang-lto")) {
+  } else if (!strcmp(name, "afl-clang-fast") ||
+
+             !strcmp(name, "afl-clang-lto")) {

    u8 *alt_cc = getenv("AFL_CC");
    if (USE_BINDIR)
@ -194,8 +196,12 @@ static void edit_params(u32 argc, char **argv, char **envp) {
    cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)llvm_fullpath;

  } else {
+
    fprintf(stderr, "Name of the binary: %s\n", argv[0]);
-    FATAL("Name of the binary is not a known name, expected afl-clang-fast(++) or afl-clang-lto(++)");
+    FATAL(
+        "Name of the binary is not a known name, expected afl-clang-fast(++) "
+        "or afl-clang-lto(++)");
+
  }

  /* There are three ways to compile with afl-clang-fast. In the traditional
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@ -643,7 +643,9 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
 /* Execute target application, monitoring for timeouts. Return status
   information. The called program will update afl->fsrv->trace_bits. */

-fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
+fsrv_run_result_t afl_fsrv_run_target(
+    afl_forkserver_t *fsrv, u32 timeout,
+    void(classify_counts_func)(afl_forkserver_t *fsrv),
    volatile u8 *stop_soon_p) {

  s32 res;
@ -651,8 +653,6 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,

  int status = 0;

-  u32 timeout = fsrv->exec_tmout;
-
  /* After this memset, fsrv->trace_bits[] are effectively volatile, so we
     must prevent any earlier operations from venturing into that
     territory. */
@ -732,6 +732,9 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,
     behave very normally and do not have to be treated as volatile. */

  MEM_BARRIER();
+  u32 tb4 = *(u32 *)fsrv->trace_bits;
+
+  if (likely(classify_counts_func)) classify_counts_func(fsrv);

  /* Report outcome to caller. */

@ -756,7 +759,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv,

  }

-  if ((*(u32 *)fsrv->trace_bits) == EXEC_FAIL_SIG) return FSRV_RUN_NOINST;
+  if (tb4 == EXEC_FAIL_SIG) return FSRV_RUN_ERROR;

  return FSRV_RUN_OK;

--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@ -351,9 +351,11 @@ void init_count_class16(void) {

 #ifdef WORD_SIZE_64

-void classify_counts(afl_state_t *afl, u64 *mem) {
+void classify_counts(afl_forkserver_t *fsrv) {

-  u32 i = (afl->fsrv.map_size >> 3);
+  u32 *mem = (u32 *)fsrv->trace_bits;
+
+  u32 i = (fsrv->map_size >> 3);

  if (i == 0) i = 1;

@ -380,9 +382,11 @@ void classify_counts(afl_state_t *afl, u64 *mem) {

 #else

-void classify_counts(afl_state_t *afl, u32 *mem) {
+void classify_counts(afl_forkserver_t *fsrv) {

-  u32 i = (afl->fsrv.map_size >> 2);
+  u64 *mem = (u64 *)fsrv->trace_bits;
+
+  u32 i = (fsrv->map_size >> 2);

  if (i == 0) i = 1;

--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -35,15 +35,7 @@
 fsrv_run_result_t run_target(afl_state_t *afl, afl_forkserver_t *fsrv,
                             u32 timeout) {

-  fsrv_run_result_t res = afl_fsrv_run_target(&afl->fsrv, &afl->stop_soon);
-
-#ifdef WORD_SIZE_64
-  classify_counts(afl, (u64 *)fsrv->trace_bits);
-#else
-  classify_counts(afl, (u32 *)fsrv->trace_bits);
-#endif                                                     /* ^WORD_SIZE_64 */
-
-  return res;
+  return afl_fsrv_run_target(fsrv, timeout, classify_counts, &afl->stop_soon);

 }

--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@ -106,7 +106,10 @@ static const u8 count_class_binary[256] = {

 };

-static void classify_counts(u8 *mem, const u8 *map) {
+static void classify_counts(afl_forkserver_t *fsrv) {
+
+  u8 *      mem = fsrv->trace_bits;
+  const u8 *map = binary_mode ? count_class_binary : count_class_human;

  u32 i = MAP_SIZE;

@ -240,12 +243,12 @@ void run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem,

  write_to_testcase(fsrv, mem, len);

-  fsrv_run_result_t res = afl_fsrv_run_target(fsrv, &stop_soon);
-  if (res == FSRV_RUN_NOINST || res == FSRV_RUN_ERROR)
+  if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts,
+                          &stop_soon) == FSRV_RUN_ERROR) {
+
    FATAL("Error running target");

-  classify_counts(fsrv->trace_bits,
-                  binary_mode ? count_class_binary : count_class_human);
+  }

  if (stop_soon) {

@ -375,8 +378,7 @@ static void run_target(afl_forkserver_t *fsrv, char **argv) {
  if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
    FATAL("Unable to execute '%s'", argv[0]);

-  classify_counts(fsrv->trace_bits,
-                  binary_mode ? count_class_binary : count_class_human);
+  classify_counts(fsrv);

  if (!quiet_mode) SAYF(cRST "-- Program output ends --\n");

@ -587,7 +589,7 @@ static void find_binary(afl_forkserver_t *fsrv, u8 *fname) {
        break;

      ck_free(fsrv->target_path);
-      fsrv->target_path = 0;
+      fsrv->target_path = NULL;

    }

--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@ -100,8 +100,29 @@ static const u8 count_class_lookup[256] = {

 };

-static void classify_counts(u8 *mem) {
+/* Apply mask to classified bitmap (if set). */

+static void apply_mask(u32 *mem, u32 *mask) {
+
+  u32 i = (MAP_SIZE >> 2);
+
+  if (!mask) return;
+
+  while (i--) {
+
+    *mem &= ~*mask;
+    mem++;
+    mask++;
+
+  }
+
+}
+
+static void classify_counts(afl_forkserver_t *fsrv) {
+
+  if (hang_mode) return;                              /* We only want hangs */
+
+  u8 *mem = fsrv->trace_bits;
  u32 i = MAP_SIZE;

  if (edges_only) {
@ -124,23 +145,7 @@ static void classify_counts(u8 *mem) {

  }

-}
-
-/* Apply mask to classified bitmap (if set). */
-
-static void apply_mask(u32 *mem, u32 *mask) {
-
-  u32 i = (MAP_SIZE >> 2);
-
-  if (!mask) return;
-
-  while (i--) {
-
-    *mem &= ~*mask;
-    mem++;
-    mask++;
-
-  }
+  apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);

 }

@ -250,17 +255,11 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,

  write_to_testcase(fsrv, mem, len);

-  fsrv_run_result_t ret = afl_fsrv_run_target(fsrv, &stop_soon);
+  fsrv_run_result_t ret =
+      afl_fsrv_run_target(fsrv, fsrv->exec_tmout, classify_counts, &stop_soon);

  if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child");

-  if (!hang_mode) {
-
-    classify_counts(fsrv->trace_bits);
-    apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
-
-  }
-
  if (stop_soon) {

    SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST);