added mutation introspection make target

2025-06-09 16:51:34 +00:00 · 2020-11-01 21:34:08 +01:00 · 2020-11-01 21:34:08 +01:00 · 0fd98ae8b0
commit 0fd98ae8b0
parent a0c0cf9712
10 changed files with 592 additions and 20 deletions
--- a/6
+++ b/6
@ -110,6 +110,11 @@ ifdef PROFILING
  LDFLAGS += -pg
 endif

+ifdef INTROSPECTION
+  $(info Compiling with introspection documentation)
+  CFLAGS_OPT += -DINTROSPECTION=1
+endif
+
 ifneq "$(shell uname -m)" "x86_64"
 ifneq "$(patsubst i%86,i386,$(shell uname -m))" "i386"
  ifneq "$(shell uname -m)" "amd64"
@ -348,6 +353,7 @@ help:
 	@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
 	@echo DEBUG - no optimization, -ggdb3, all warnings and -Werror
 	@echo PROFILING - compile afl-fuzz with profiling information
+	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
 	@echo NO_PYTHON - disable python support
 	@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
 	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
--- a/README.md
+++ b/README.md
@ -211,6 +211,7 @@ These build options exist:
 * ASAN_BUILD - compiles with memory sanitizer for debug purposes
 * DEBUG - no optimization, -ggdb3, all warnings and -Werror
 * PROFILING - compile with profiling information (gprof)
+* INTROSPECTION - compile afl-fuzz with mutation introspection
 * NO_PYTHON - disable python support
 * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
 * AFL_NO_X86 - if compiling on non-intel/amd platforms
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -35,6 +35,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
      skipped. They are used for splicing though.
    - set the default power schedule to the superiour "seek" schedule
    - added NO_SPLICING compile option and makefile define
+    - added INTROSPECTION make target that writes all mutations to
+      out/NAME/introspection.txt
    - print special compile time options used in help output
  - instrumentation
    - We received an enhanced gcc_plugin module from AdaCore, thank you
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -717,6 +717,12 @@ typedef struct afl_state {
   * is too large) */
  struct queue_entry **q_testcase_cache;

+#ifdef INTROSPECTION
+  char  mutation[8072];
+  char  m_tmp[4096];
+  FILE *introspection_file;
+#endif
+
 } afl_state_t;

 struct custom_mutator {
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@ -708,6 +708,42 @@ static inline void *afl_realloc(void **buf, size_t size_needed) {

 }

+/* afl_realloc_exact uses afl alloc buffers but sets it to a specific size */
+
+static inline void *afl_realloc_exact(void **buf, size_t size_needed) {
+
+  struct afl_alloc_buf *new_buf = NULL;
+
+  size_t current_size = 0;
+
+  if (likely(*buf)) {
+
+    /* the size is always stored at buf - 1*size_t */
+    new_buf = (struct afl_alloc_buf *)afl_alloc_bufptr(*buf);
+    current_size = new_buf->complete_size;
+
+  }
+
+  size_needed += AFL_ALLOC_SIZE_OFFSET;
+
+  /* No need to realloc */
+  if (unlikely(current_size == size_needed)) { return *buf; }
+
+  /* alloc */
+  new_buf = (struct afl_alloc_buf *)realloc(new_buf, size_needed);
+  if (unlikely(!new_buf)) {
+
+    *buf = NULL;
+    return NULL;
+
+  }
+
+  new_buf->complete_size = size_needed;
+  *buf = (void *)(new_buf->buf);
+  return *buf;
+
+}
+
 static inline void afl_free(void *buf) {

  if (buf) { free(afl_alloc_bufptr(buf)); }
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@ -247,13 +247,13 @@ SanitizerCoverageOptions OverrideFromCL(SanitizerCoverageOptions Options) {
  Options.CoverageType =
      SanitizerCoverageOptions::SCK_Edge;  // std::max(Options.CoverageType,
                                           // CLOpts.CoverageType);
-  Options.IndirectCalls = true;    // CLOpts.IndirectCalls;
-  Options.TraceCmp = false;        //|= ClCMPTracing;
-  Options.TraceDiv = false;        //|= ClDIVTracing;
-  Options.TraceGep = false;        //|= ClGEPTracing;
-  Options.TracePC = false;         //|= ClTracePC;
-  Options.TracePCGuard = true;     // |= ClTracePCGuard;
-  Options.Inline8bitCounters = 0;  //|= ClInline8bitCounters;
+  Options.IndirectCalls = true;            // CLOpts.IndirectCalls;
+  Options.TraceCmp = false;                //|= ClCMPTracing;
+  Options.TraceDiv = false;                //|= ClDIVTracing;
+  Options.TraceGep = false;                //|= ClGEPTracing;
+  Options.TracePC = false;                 //|= ClTracePC;
+  Options.TracePCGuard = true;             // |= ClTracePCGuard;
+  Options.Inline8bitCounters = 0;          //|= ClInline8bitCounters;
  // Options.InlineBoolFlag = 0; //|= ClInlineBoolFlag;
  Options.PCTable = false;     //|= ClCreatePCTable;
  Options.NoPrune = false;     //|= !ClPruneBlocks;
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@ -587,6 +587,11 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {

    add_to_queue(afl, queue_fn, len, 0);

+#ifdef INTROSPECTION
+    fprintf(afl->introspection_file, "QUEUE %s = %s\n", afl->mutation,
+            afl->queue_top->fname);
+#endif
+
    if (hnb == 2) {

      afl->queue_top->has_new_cov = 1;
@ -659,6 +664,9 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
      }

      ++afl->unique_tmouts;
+#ifdef INTROSPECTION
+      fprintf(afl->introspection_file, "UNIQUE_TIMEOUT %s\n", afl->mutation);
+#endif

      /* Before saving, we make sure that it's a genuine hang by re-running
         the target with a more generous timeout (unless the default timeout
@ -742,6 +750,9 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
 #endif                                                    /* ^!SIMPLE_FILES */

      ++afl->unique_crashes;
+#ifdef INTROSPECTION
+      fprintf(afl->introspection_file, "UNIQUE_CRASH %s\n", afl->mutation);
+#endif
      if (unlikely(afl->infoexec)) {

        // if the user wants to be informed on new crashes - do that
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
@ -423,8 +423,8 @@ void dedup_extras(afl_state_t *afl) {
  }

  if (afl->extras_cnt != orig_cnt)
-    afl->extras = ck_realloc((void **)&afl->extras,
-                             afl->extras_cnt * sizeof(struct extra_data));
+    afl->extras = afl_realloc_exact(
+        (void **)&afl->extras, afl->extras_cnt * sizeof(struct extra_data));

 }

@ -462,16 +462,8 @@ void add_extra(afl_state_t *afl, u8 *mem, u32 len) {

  }

-  if (afl->extras) {
-
-    afl->extras = ck_realloc((void **)&afl->extras,
-                             (afl->extras_cnt + 1) * sizeof(struct extra_data));
-
-  } else {
-
-    afl->extras = ck_alloc((afl->extras_cnt + 1) * sizeof(struct extra_data));
-
-  }
+  afl->extras = afl_realloc((void **)&afl->extras,
+                            (afl->extras_cnt + 1) * sizeof(struct extra_data));

  if (unlikely(!afl->extras)) { PFATAL("alloc"); }

--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -236,6 +236,10 @@ static void usage(u8 *argv0, int more_help) {
  SAYF("Compiled with PROFILING\n\n");
 #endif

+#ifdef INTROSPECTION
+  SAYF("Compiled with INTROSPECTION\n\n");
+#endif
+
 #ifdef _DEBUG
  SAYF("Compiled with _DEBUG\n\n");
 #endif
@ -1462,6 +1466,19 @@ int main(int argc, char **argv_orig, char **envp) {
  u32 prev_queued_paths = 0;
  u8  skipped_fuzz;

+  #ifdef INTROSPECTION
+  char ifn[4096];
+  snprintf(ifn, sizeof(ifn), "%s/introspection.txt", afl->out_dir);
+  if ((afl->introspection_file = fopen(ifn, "w")) == NULL) {
+
+    PFATAL("could not create '%s'", ifn);
+
+  }
+
+  setvbuf(afl->introspection_file, NULL, _IONBF, 0);
+  OKF("Writing mutation introspection to '%s'", ifn);
+  #endif
+
  while (likely(!afl->stop_soon)) {

    cull_queue(afl);