Merge pull request #1847 from AFLplusplus/dev

push to stable
van Hauser
2023-08-31 12:51:42 +00:00
committed by GitHub
8 changed files with 213 additions and 176 deletions


@ -46,7 +46,7 @@ unset RESET
if [ -z "$TERM" ]; then export TERM=vt220; fi if [ -z "$TERM" ]; then export TERM=vt220; fi
while [ "$1" = "-d" -o "$1" = "-m" -o "$1" = "-n" -o "$1" = "-s" ]; do while [ "$1" = "-d" -o "$1" = "-m" -o "$1" = "-n" -o "$1" = "-s" ]; do
if [ "$1" = "-d" ]; then if [ "$1" = "-d" ]; then
PROCESS_DEAD=1 PROCESS_DEAD=1
fi fi
@ -62,15 +62,15 @@ while [ "$1" = "-d" -o "$1" = "-m" -o "$1" = "-n" -o "$1" = "-s" ]; do
if [ "$1" = "-s" ]; then if [ "$1" = "-s" ]; then
SUMMARY_ONLY=1 SUMMARY_ONLY=1
fi fi
shift shift
done done
DIR="$1" DIR="$1"
if [ "$DIR" = "" -o "$DIR" = "-h" -o "$DIR" = "--help" ]; then if [ "$DIR" = "" -o "$DIR" = "-h" -o "$DIR" = "--help" ]; then
echo "$0 status check tool for afl-fuzz by Michal Zalewski" 1>&2 echo "$0 status check tool for afl-fuzz by Michal Zalewski" 1>&2
echo 1>&2 echo 1>&2
echo "Usage: $0 [-d] [-m] [-n] [-s] afl_output_directory" 1>&2 echo "Usage: $0 [-d] [-m] [-n] [-s] afl_output_directory" 1>&2
@ -82,7 +82,7 @@ if [ "$DIR" = "" -o "$DIR" = "-h" -o "$DIR" = "--help" ]; then
echo " -s - skip details and output summary results only" 1>&2 echo " -s - skip details and output summary results only" 1>&2
echo 1>&2 echo 1>&2
exit 1 exit 1
fi fi
if [ -z "$MINIMAL_ONLY" ]; then if [ -z "$MINIMAL_ONLY" ]; then
@ -93,10 +93,10 @@ fi
cd "$DIR" || exit 1 cd "$DIR" || exit 1
if [ -d queue ]; then if [ -d queue ]; then
echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2 echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2
exit 1 exit 1
fi fi
BC=`which bc 2>/dev/null` BC=`which bc 2>/dev/null`
@ -135,11 +135,11 @@ FMT_CRASH="none seen yet"
FMT_HANG="none seen yet" FMT_HANG="none seen yet"
if [ "$SUMMARY_ONLY" = "" ]; then if [ "$SUMMARY_ONLY" = "" ]; then
echo "Individual fuzzers" echo "Individual fuzzers"
echo "==================" echo "=================="
echo echo
fi fi
fmt_duration() fmt_duration()
@ -148,22 +148,22 @@ fmt_duration()
if [ $1 -le 0 ]; then if [ $1 -le 0 ]; then
return 1 return 1
fi fi
local duration=$((CUR_TIME - $1)) local duration=$((CUR_TIME - $1))
local days=$((duration / 60 / 60 / 24)) local days=$((duration / 60 / 60 / 24))
local hours=$(((duration / 60 / 60) % 24)) local hours=$(((duration / 60 / 60) % 24))
local minutes=$(((duration / 60) % 60)) local minutes=$(((duration / 60) % 60))
local seconds=$((duration % 60)) local seconds=$((duration % 60))
if [ $duration -le 0 ]; then if [ $duration -le 0 ]; then
DUR_STRING="0 seconds" DUR_STRING="0 seconds"
elif [ $duration -eq 1 ]; then elif [ $duration -eq 1 ]; then
DUR_STRING="1 second" DUR_STRING="1 second"
elif [ $days -gt 0 ]; then elif [ $days -gt 0 ]; then
DUR_STRING="$days days, $hours hours" DUR_STRING="$days days, $hours hours"
elif [ $hours -gt 0 ]; then elif [ $hours -gt 0 ]; then
DUR_STRING="$hours hours, $minutes minutes" DUR_STRING="$hours hours, $minutes minutes"
elif [ $minutes -gt 0 ]; then elif [ $minutes -gt 0 ]; then
DUR_STRING="$minutes minutes, $seconds seconds" DUR_STRING="$minutes minutes, $seconds seconds"
else else
DUR_STRING="$seconds seconds" DUR_STRING="$seconds seconds"
@ -174,168 +174,187 @@ FIRST=true
TOTAL_WCOP= TOTAL_WCOP=
TOTAL_LAST_FIND=0 TOTAL_LAST_FIND=0
for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do for j in `find . -maxdepth 2 -iname fuzzer_setup | sort`; do
sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP" DIR=$(dirname "$j")
. "$TMP" i=$DIR/fuzzer_stats
DIR=$(dirname "$i")
DIRECTORY=$DIR if [ -f "$i" ]; then
DIR=${DIR##*/}
RUN_UNIX=$run_time sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24)) . "$TMP"
RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24)) DIRECTORY=$DIR
COVERAGE=$(echo $bitmap_cvg|tr -d %) DIR=${DIR##*/}
if [ -n "$TOTAL_COVERAGE" -a -n "$COVERAGE" -a -n "$BC" ]; then RUN_UNIX=$run_time
if [ "$(echo "$TOTAL_COVERAGE < $COVERAGE" | bc)" -eq 1 ]; then RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24))
TOTAL_COVERAGE=$COVERAGE RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24))
fi COVERAGE=$(echo $bitmap_cvg|tr -d %)
fi if [ -n "$TOTAL_COVERAGE" -a -n "$COVERAGE" -a -n "$BC" ]; then
if [ -z "$TOTAL_COVERAGE" ]; then TOTAL_COVERAGE=$COVERAGE ; fi if [ "$(echo "$TOTAL_COVERAGE < $COVERAGE" | bc)" -eq 1 ]; then
TOTAL_COVERAGE=$COVERAGE
test -n "$cycles_wo_finds" && {
test -z "$FIRST" && TOTAL_WCOP="${TOTAL_WCOP}/"
TOTAL_WCOP="${TOTAL_WCOP}${cycles_wo_finds}"
FIRST=
}
if [ "$SUMMARY_ONLY" = "" ]; then
echo ">>> $afl_banner instance: $DIR ($RUN_DAYS days, $RUN_HRS hrs) fuzzer PID: $fuzzer_pid <<<"
echo
fi
if ! kill -0 "$fuzzer_pid" 2>/dev/null; then
IS_STARTING=
IS_DEAD=
if [ -e "$i" ] && [ -e "$DIRECTORY/fuzzer_setup" ] && [ -n "$FUSER" ]; then
if [ "$i" -ot "$DIRECTORY/fuzzer_setup" ]; then
# fuzzer_setup is newer than fuzzer_stats, maybe the instance is starting?
TMP_PID=`fuser -v "$DIRECTORY" 2>&1 | grep afl-fuzz`
if [ -n "$TMP_PID" ]; then
if [ "$SUMMARY_ONLY" = "" ]; then
echo " Instance is still starting up, skipping."
echo
fi
START_CNT=$((START_CNT + 1))
last_find=0
IS_STARTING=1
if [ "$PROCESS_DEAD" = "" ]; then
continue
fi
fi
fi fi
fi fi
if [ -z "$TOTAL_COVERAGE" ]; then TOTAL_COVERAGE=$COVERAGE ; fi
if [ -z "$IS_STARTING" ]; then
if [ "$SUMMARY_ONLY" = "" ]; then
echo " Instance is dead or running remotely, skipping."
echo
fi
DEAD_CNT=$((DEAD_CNT + 1))
IS_DEAD=1
last_find=0
if [ "$PROCESS_DEAD" = "" ]; then
continue
fi
fi
fi
ALIVE_CNT=$((ALIVE_CNT + 1))
EXEC_SEC=0
test -z "$RUN_UNIX" -o "$RUN_UNIX" = 0 || EXEC_SEC=$((execs_done / RUN_UNIX))
PATH_PERC=$((cur_item * 100 / corpus_count))
TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC))
TOTAL_EXECS=$((TOTAL_EXECS + execs_done))
TOTAL_CRASHES=$((TOTAL_CRASHES + saved_crashes))
TOTAL_HANGS=$((TOTAL_HANGS + saved_hangs))
TOTAL_PENDING=$((TOTAL_PENDING + pending_total))
TOTAL_PFAV=$((TOTAL_PFAV + pending_favs))
if [ "$last_find" -gt "$TOTAL_LAST_FIND" ]; then
TOTAL_LAST_FIND=$last_find
fi
if [ "$SUMMARY_ONLY" = "" ]; then
# Warnings in red
TIMEOUT_PERC=$((exec_timeout * 100 / execs_done))
if [ $TIMEOUT_PERC -ge 10 ]; then
echo " ${RED}timeout_ratio $TIMEOUT_PERC%${NC}"
fi
if [ $EXEC_SEC -eq 0 ]; then
echo " ${YELLOW}no data yet, 0 execs/sec${NC}"
elif [ $EXEC_SEC -lt 100 ]; then
echo " ${RED}slow execution, $EXEC_SEC execs/sec${NC}"
fi
fmt_duration $last_find && FMT_FIND=$DUR_STRING
fmt_duration $last_crash && FMT_CRASH=$DUR_STRING
fmt_duration $last_hang && FMT_HANG=$DUR_STRING
FMT_CWOP="not available"
test -n "$cycles_wo_finds" && { test -n "$cycles_wo_finds" && {
test "$cycles_wo_finds" = 0 && FMT_CWOP="$cycles_wo_finds" test -z "$FIRST" && TOTAL_WCOP="${TOTAL_WCOP}/"
test "$cycles_wo_finds" -gt 10 && FMT_CWOP="${YELLOW}$cycles_wo_finds${NC}" TOTAL_WCOP="${TOTAL_WCOP}${cycles_wo_finds}"
test "$cycles_wo_finds" -gt 50 && FMT_CWOP="${RED}$cycles_wo_finds${NC}" FIRST=
} }
echo " last_find : $FMT_FIND" if [ "$SUMMARY_ONLY" = "" ]; then
echo " last_crash : $FMT_CRASH"
if [ -z "$MINIMAL_ONLY" ]; then echo ">>> $afl_banner instance: $DIR ($RUN_DAYS days, $RUN_HRS hrs) fuzzer PID: $fuzzer_pid <<<"
echo " last_hang : $FMT_HANG" echo
echo " cycles_wo_finds : $FMT_CWOP"
fi fi
echo " coverage : $COVERAGE%"
if ! kill -0 "$fuzzer_pid" 2>/dev/null; then
if [ -z "$MINIMAL_ONLY" ]; then
IS_STARTING=
CPU_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $3}') IS_DEAD=
MEM_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $4}')
if [ -e "$i" ] && [ -e "$j" ] && [ -n "$FUSER" ]; then
echo " cpu usage $CPU_USAGE%, memory usage $MEM_USAGE%"
if [ "$i" -ot "$j" ]; then
# fuzzer_setup is newer than fuzzer_stats, maybe the instance is starting?
TMP_PID=`fuser -v "$DIRECTORY" 2>&1 | grep afl-fuzz`
if [ -n "$TMP_PID" ]; then
if [ "$SUMMARY_ONLY" = "" ]; then
echo " Instance is still starting up, skipping."
echo
fi
START_CNT=$((START_CNT + 1))
last_find=0
IS_STARTING=1
if [ "$PROCESS_DEAD" = "" ]; then
continue
fi
fi
fi
fi
if [ -z "$IS_STARTING" ]; then
if [ "$SUMMARY_ONLY" = "" ]; then
echo " Instance is dead or running remotely, skipping."
echo
fi
DEAD_CNT=$((DEAD_CNT + 1))
IS_DEAD=1
last_find=0
if [ "$PROCESS_DEAD" = "" ]; then
continue
fi
fi
fi
ALIVE_CNT=$((ALIVE_CNT + 1))
EXEC_SEC=0
test -z "$RUN_UNIX" -o "$RUN_UNIX" = 0 || EXEC_SEC=$((execs_done / RUN_UNIX))
PATH_PERC=$((cur_item * 100 / corpus_count))
TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC))
TOTAL_EXECS=$((TOTAL_EXECS + execs_done))
TOTAL_CRASHES=$((TOTAL_CRASHES + saved_crashes))
TOTAL_HANGS=$((TOTAL_HANGS + saved_hangs))
TOTAL_PENDING=$((TOTAL_PENDING + pending_total))
TOTAL_PFAV=$((TOTAL_PFAV + pending_favs))
if [ "$last_find" -gt "$TOTAL_LAST_FIND" ]; then
TOTAL_LAST_FIND=$last_find
fi
if [ "$SUMMARY_ONLY" = "" ]; then
# Warnings in red
TIMEOUT_PERC=$((exec_timeout * 100 / execs_done))
if [ $TIMEOUT_PERC -ge 10 ]; then
echo " ${RED}timeout_ratio $TIMEOUT_PERC%${NC}"
fi
if [ $EXEC_SEC -eq 0 ]; then
echo " ${YELLOW}no data yet, 0 execs/sec${NC}"
elif [ $EXEC_SEC -lt 100 ]; then
echo " ${RED}slow execution, $EXEC_SEC execs/sec${NC}"
fi
fmt_duration $last_find && FMT_FIND=$DUR_STRING
fmt_duration $last_crash && FMT_CRASH=$DUR_STRING
fmt_duration $last_hang && FMT_HANG=$DUR_STRING
FMT_CWOP="not available"
test -n "$cycles_wo_finds" && {
test "$cycles_wo_finds" = 0 && FMT_CWOP="$cycles_wo_finds"
test "$cycles_wo_finds" -gt 10 && FMT_CWOP="${YELLOW}$cycles_wo_finds${NC}"
test "$cycles_wo_finds" -gt 50 && FMT_CWOP="${RED}$cycles_wo_finds${NC}"
}
echo " last_find : $FMT_FIND"
echo " last_crash : $FMT_CRASH"
if [ -z "$MINIMAL_ONLY" ]; then
echo " last_hang : $FMT_HANG"
echo " cycles_wo_finds : $FMT_CWOP"
fi
echo " coverage : $COVERAGE%"
if [ -z "$MINIMAL_ONLY" ]; then
CPU_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $3}')
MEM_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $4}')
echo " cpu usage $CPU_USAGE%, memory usage $MEM_USAGE%"
fi
echo " cycles $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, items $cur_item/$corpus_count (${PATH_PERC}%)"
if [ "$saved_crashes" = "0" ]; then
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet"
else
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crashes saved $saved_crashes (!)"
fi
echo
fi fi
echo " cycles $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, items $cur_item/$corpus_count (${PATH_PERC}%)" else
if [ "$saved_crashes" = "0" ]; then if [ ! -e "$i" -a -e "$j" ]; then
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet"
else if [ '!' "$PROCESS_DEAD" = "" ]; then
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crashes saved $saved_crashes (!)" ALIVE_CNT=$((ALIVE_CNT + 1))
fi
START_CNT=$((START_CNT + 1))
last_find=0
IS_STARTING=1
fi fi
echo
fi fi
done done
# Formatting for total time, time since last find, crash, and hang # Formatting for total time, time since last find, crash, and hang
@ -346,7 +365,7 @@ EXECS_MILLION=$((TOTAL_EXECS / 1000 / 1000))
EXECS_THOUSAND=$((TOTAL_EXECS / 1000 % 1000)) EXECS_THOUSAND=$((TOTAL_EXECS / 1000 % 1000))
if [ $EXECS_MILLION -gt 9 ]; then if [ $EXECS_MILLION -gt 9 ]; then
FMT_EXECS="$EXECS_MILLION millions" FMT_EXECS="$EXECS_MILLION millions"
elif [ $EXECS_MILLION -gt 0 ]; then elif [ $EXECS_MILLION -gt 0 ]; then
FMT_EXECS="$EXECS_MILLION millions, $EXECS_THOUSAND thousands" FMT_EXECS="$EXECS_MILLION millions, $EXECS_THOUSAND thousands"
else else
FMT_EXECS="$EXECS_THOUSAND thousands" FMT_EXECS="$EXECS_THOUSAND thousands"
@ -363,14 +382,14 @@ fmt_duration $TOTAL_LAST_FIND && TOTAL_LAST_FIND=$DUR_STRING
test "$TOTAL_TIME" = "0" && TOTAL_TIME=1 test "$TOTAL_TIME" = "0" && TOTAL_TIME=1
if [ "$PROCESS_DEAD" = "" ]; then if [ "$PROCESS_DEAD" = "" ]; then
TXT="excluded from stats" TXT="excluded from stats"
else else
TXT="included in stats" TXT="included in stats"
ALIVE_CNT=$(($ALIVE_CNT - $DEAD_CNT - $START_CNT)) ALIVE_CNT=$(($ALIVE_CNT - $DEAD_CNT - $START_CNT))
fi fi
echo "Summary stats" echo "Summary stats"
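Review bot: The new `else` branch at the end of the loop (the `if [ ! -e "$i" -a -e "$j" ]` block) counts every directory that has a fuzzer_setup but no fuzzer_stats as a starting instance without any liveness check, whereas the branch above only treats an instance as starting when `fuser` reports an afl-fuzz process on the directory; an instance that died before writing its first fuzzer_stats would therefore be reported as starting indefinitely. Reusing the same check there, e.g. `if [ -n "$FUSER" ] && fuser -v "$DIR" 2>&1 | grep -q afl-fuzz; then` (`$DIR` still holds the full directory path in that branch), keeps the two paths consistent, and the `[ ! -e "$i" -a -e "$j" ]` test is largely redundant because `-f "$i"` already failed and `$j` came from `find`. The loop now enumerates fuzzer_setup instead of fuzzer_stats, so a directory that has fuzzer_stats but no fuzzer_setup silently disappears from the report; a one-line comment above the `for`, such as `# fuzzer_setup marks an instance; fuzzer_stats may not exist yet while it starts`, would make that intentional. The `for` loop is contained in the hunk, but the script continues outside it.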


@ -14,6 +14,8 @@
- now also shows coverage reached - now also shows coverage reached
- option -m shows only very relevant stats - option -m shows only very relevant stats
- option -n will not use color in the output - option -n will not use color in the output
- frida_mode:
- fixes support for large map offsets
- added benchmark/benchmark.sh if you want to see how good your fuzzing - added benchmark/benchmark.sh if you want to see how good your fuzzing
speed is in comparison to other setups. speed is in comparison to other setups.


@ -616,7 +616,7 @@ For every secondary fuzzer there should be a variation, e.g.:
be one of them! (Although this is not really recommended.) be one of them! (Although this is not really recommended.)
All other secondaries should be used like this: All other secondaries should be used like this:
* a quarter to a third with the MOpt mutator enabled: `-L 0` * 10-20% with the MOpt mutator enabled: `-L 0`
* run with a different power schedule, recommended are: `fast` (default), * run with a different power schedule, recommended are: `fast` (default),
`explore`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with `explore`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with
the `-p` option, e.g., `-p explore`. See the the `-p` option, e.g., `-p explore`. See the
@ -940,7 +940,7 @@ too long for your overall available fuzz run time.
* 65% for `AFL_DISABLE_TRIM` * 65% for `AFL_DISABLE_TRIM`
* 50% for `AFL_KEEP_TIMEOUTS` * 50% for `AFL_KEEP_TIMEOUTS`
* 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` + `AFL_LLVM_DICT2FILE_NO_MAIN=1` * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` + `AFL_LLVM_DICT2FILE_NO_MAIN=1`
* 40% use MOpt (`-L 0`) * 10% use MOpt (`-L 0`)
* 40% for `AFL_EXPAND_HAVOC_NOW` * 40% for `AFL_EXPAND_HAVOC_NOW`
* 20% for old queue processing (`-Z`) * 20% for old queue processing (`-Z`)
* for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT` * for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT`


@ -402,6 +402,18 @@ bool instrument_write_inline(GumArm64Writer *cw, GumAddress code_addr,
} }
/*
* The mov instruction supports up to a 16-bit offset. If our offset is out of
* range, then it can end up clobbering the op-code portion of the instruction
* rather than just the operands. So return false and fall back to the
* alternative instrumentation.
*/
if (area_offset > UINT16_MAX) {
return false;
}
code.code.mov_x0_curr_loc |= area_offset << 5; code.code.mov_x0_curr_loc |= area_offset << 5;
if (!instrument_patch_ardp( if (!instrument_patch_ardp(
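Review bot: The new range check `if (area_offset > UINT16_MAX)` protects the opcode bits only if `area_offset` is an unsigned type; its declaration is outside the hunk, and if it is signed a negative value passes the comparison and, once shifted by 5, still corrupts the instruction encoding. If the type is not already unsigned, casting in the comparison, `if ((uint64_t)area_offset > UINT16_MAX)`, or stating the unsigned precondition in the comment block closes that gap. The comment itself explains the fallback well; instrument_write_inline begins outside the hunk.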


@ -8,7 +8,7 @@ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
PNGTEST_BUILD_DIR:=$(BUILD_DIR)pngtest/ PNGTEST_BUILD_DIR:=$(BUILD_DIR)pngtest/
LIBZ_FILE:=$(LIBZ_BUILD_DIR)zlib-1.2.13.tar.gz LIBZ_FILE:=$(LIBZ_BUILD_DIR)zlib-1.2.13.tar.gz
LIBZ_URL:=http://www.zlib.net/zlib-1.2.13.tar.gz LIBZ_URL:=http://www.zlib.net/fossils/zlib-1.2.13.tar.gz
LIBZ_DIR:=$(LIBZ_BUILD_DIR)zlib-1.2.13/ LIBZ_DIR:=$(LIBZ_BUILD_DIR)zlib-1.2.13/
LIBZ_PC:=$(LIBZ_DIR)zlib.pc LIBZ_PC:=$(LIBZ_DIR)zlib.pc
LIBZ_LIB:=$(LIBZ_DIR)libz.a LIBZ_LIB:=$(LIBZ_DIR)libz.a
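Review bot: `LIBZ_URL` still fetches the zlib tarball over plain `http://`, and nothing in this section pins the download to an expected digest, so the build input can be substituted in transit or at the mirror (the fetch recipe is outside the hunk and may verify elsewhere, but no digest variable is declared here). Switching to `LIBZ_URL:=https://www.zlib.net/fossils/zlib-1.2.13.tar.gz` and adding a `LIBZ_SHA256:=<expected sha256 of zlib-1.2.13.tar.gz>` variable that the download rule checks with `sha256sum -c` would make the test harness build reproducible and tamper-evident.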


@ -31,12 +31,13 @@ file=$(file $target|sed 's/.*: //')
arch=$(echo $file|awk -F, '{print$2}'|tr -d ' ') arch=$(echo $file|awk -F, '{print$2}'|tr -d ' ')
bits=$(echo $file|sed 's/-bit .*//'|sed 's/.* //') bits=$(echo $file|sed 's/-bit .*//'|sed 's/.* //')
pie=$(echo $file|grep -wqi pie && echo pie) pie=$(echo $file|grep -wqi pie && echo pie)
dso=$(echo $file|grep -wqi "shared object" && echo dso)
test $(uname -s) = "Darwin" && symbol=_"$symbol" test $(uname -s) = "Darwin" && symbol=_"$symbol"
tmp_addr=$(nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F) tmp_addr=$(nm "$target" | grep -i "T $symbol" | awk '{print$1}' | tr a-f A-F)
test -z "$tmp_addr" && { echo Error: function $symbol not found 1>&2; exit 1; } test -z "$tmp_addr" && { echo Error: function $symbol not found 1>&2; exit 1; }
test -z "$pie" && { echo 0x$tmp_addr; exit 0; } test -z "$pie" && test -z "$dso" && { echo 0x$tmp_addr; exit 0; }
test -z "$base" && { test -z "$base" && {
test "$bits" = 32 -o "$bits" = 64 || { echo "Error: could not identify arch (bits=$bits)" 1>&2 ; exit 1; } test "$bits" = 32 -o "$bits" = 64 || { echo "Error: could not identify arch (bits=$bits)" 1>&2 ; exit 1; }
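Review bot: The new `dso=` line repeats the unquoted `echo $file` pattern of the surrounding lines, so the output of `file` is word-split and glob-expanded before grep sees it; `dso=$(printf '%s\n' "$file" | grep -wqi "shared object" && echo dso)` avoids that, and the `pie=` line above it has the same issue. With the changed `test -z "$pie" && test -z "$dso"` line, a shared object now falls through to the `test -z "$base"` block, whose remainder is outside the hunk; a short comment on that line, `# PIE binaries and shared objects are relocated, so a load base is required`, would tell the next reader why both cases are grouped.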


@ -317,7 +317,7 @@ void parse_fsanitize(char *string) {
char *p, *ptr = string + strlen("-fsanitize="); char *p, *ptr = string + strlen("-fsanitize=");
char *new = malloc(strlen(string) + 1); char *new = malloc(strlen(string) + 1);
char *tmp = malloc(strlen(ptr)); char *tmp = malloc(strlen(ptr) + 1);
u32 count = 0, len, ende = 0; u32 count = 0, len, ende = 0;
if (!new || !tmp) { FATAL("could not acquire memory"); } if (!new || !tmp) { FATAL("could not acquire memory"); }
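Review bot: The `+ 1` on `tmp` fixes the missing terminator byte, but `ptr = string + strlen("-fsanitize=")` on the line above still assumes `string` begins with that prefix; if a caller (not visible here) passes a shorter or differently prefixed string, `strlen(ptr)` reads beyond the terminator before either allocation happens. A guard such as `if (strncmp(string, "-fsanitize=", 11)) return;` at the top of parse_fsanitize, or a comment stating that precondition, would document the contract. The rest of parse_fsanitize is outside the hunk.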


@ -176,6 +176,7 @@ static void usage(u8 *argv0, int more_help) {
" pacemaker mode (minutes of no new finds). 0 = " " pacemaker mode (minutes of no new finds). 0 = "
"immediately,\n" "immediately,\n"
" -1 = immediately and together with normal mutation.\n" " -1 = immediately and together with normal mutation.\n"
" Note: this option is usually not very effective\n"
" -c program - enable CmpLog by specifying a binary compiled for " " -c program - enable CmpLog by specifying a binary compiled for "
"it.\n" "it.\n"
" if using QEMU/FRIDA or the fuzzing target is " " if using QEMU/FRIDA or the fuzzing target is "
@ -265,6 +266,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_DUMB_FORKSRV: use fork server without feedback from target\n" "AFL_DUMB_FORKSRV: use fork server without feedback from target\n"
"AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n" "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
"AFL_EXIT_ON_TIME: exit when no new coverage is found within the specified time\n" "AFL_EXIT_ON_TIME: exit when no new coverage is found within the specified time\n"
"AFL_EXIT_ON_SEED_ISSUES: exit on any kind of seed issues\n"
"AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60\n" "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60\n"
" minutes and a cycle without finds)\n" " minutes and a cycle without finds)\n"
"AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n" "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
@ -331,6 +333,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)\n" "AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)\n"
" suported formats: dogstatsd, librato, signalfx, influxdb\n" " suported formats: dogstatsd, librato, signalfx, influxdb\n"
"AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n" "AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n"
"AFL_FINAL_SYNC: sync a final time when exiting (will delay the exit!)\n"
"AFL_NO_CRASH_README: do not create a README in the crashes directory\n" "AFL_NO_CRASH_README: do not create a README in the crashes directory\n"
"AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n" "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n"
"AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n" "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n"