added AFL_MAX_DET_EXTRAS env var

Dominik Maier
2020-08-23 01:48:36 +02:00
parent c4f71ab201
commit 1301552101
7 changed files with 41 additions and 17 deletions


@ -353,7 +353,7 @@ typedef struct afl_env_vars {
afl_cal_fast, afl_cycle_schedules, afl_expand_havoc; afl_cal_fast, afl_cycle_schedules, afl_expand_havoc;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_skip_crashes, *afl_preload; *afl_hang_tmout, *afl_skip_crashes, *afl_preload, *afl_max_det_extras;
} afl_env_vars_t; } afl_env_vars_t;
@ -506,7 +506,8 @@ typedef struct afl_state {
useless_at_start, /* Number of useless starting paths */ useless_at_start, /* Number of useless starting paths */
var_byte_count, /* Bitmap bytes with var behavior */ var_byte_count, /* Bitmap bytes with var behavior */
current_entry, /* Current queue entry ID */ current_entry, /* Current queue entry ID */
havoc_div; /* Cycle count divisor for havoc */ havoc_div, /* Cycle count divisor for havoc */
max_det_extras; /* deterministic extra count (dicts)*/
u64 total_crashes, /* Total number of crashes */ u64 total_crashes, /* Total number of crashes */
unique_crashes, /* Crashes with unique signatures */ unique_crashes, /* Crashes with unique signatures */
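Review bot: The comment on the new `max_det_extras` field, `/* deterministic extra count (dicts)*/`, does not say what the number means: judging by its uses in afl-fuzz-extras.c and afl-fuzz-one.c it is the token count above which dictionary extras are applied probabilistically rather than deterministically, and its default (`MAX_DET_EXTRAS`) is only assigned in afl-fuzz.c's main, not where the struct is set up. Suggest `/* Extras count above which tokens are used probabilistically (AFL_MAX_DET_EXTRAS, default MAX_DET_EXTRAS) */`, and, if afl_state_init does not already assign the field, giving it the default there so that any other user of afl_state_t does not run with 0 and warn on the very first token. The afl_env_vars_t addition in the first hunk is consistent with the neighbouring string fields and needs no change.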


@ -102,6 +102,7 @@ static char *afl_environment_variables[] = {
"AFL_NO_X86", // not really an env but we dont want to warn on it "AFL_NO_X86", // not really an env but we dont want to warn on it
"AFL_MAP_SIZE", "AFL_MAP_SIZE",
"AFL_MAPSIZE", "AFL_MAPSIZE",
"AFL_MAX_DET_EXTRAS",
"AFL_PATH", "AFL_PATH",
"AFL_PERFORMANCE_FILE", "AFL_PERFORMANCE_FILE",
"AFL_PRELOAD", "AFL_PRELOAD",


@ -115,7 +115,7 @@ void afl_fsrv_init_dup(afl_forkserver_t *fsrv_to, afl_forkserver_t *from) {
fsrv_to->out_file = NULL; fsrv_to->out_file = NULL;
fsrv_to->init_child_func = fsrv_exec_child; fsrv_to->init_child_func = fsrv_exec_child;
//Note: do not copy ->add_extra_func // Note: do not copy ->add_extra_func
list_append(&fsrv_list, fsrv_to); list_append(&fsrv_list, fsrv_to);


@ -248,10 +248,10 @@ static void extras_check_and_sort(afl_state_t *afl, u32 min_len, u32 max_len,
} }
if (afl->extras_cnt > MAX_DET_EXTRAS) { if (afl->extras_cnt > afl->max_det_extras) {
WARNF("More than %d tokens - will use them probabilistically.", WARNF("More than %d tokens - will use them probabilistically.",
MAX_DET_EXTRAS); afl->max_det_extras);
} }
@ -403,10 +403,10 @@ void add_extra(afl_state_t *afl, u8 *mem, u32 len) {
/* We only want to print this once */ /* We only want to print this once */
if (afl->extras_cnt == MAX_DET_EXTRAS + 1) { if (afl->extras_cnt == afl->max_det_extras + 1) {
WARNF("More than %d tokens - will use them probabilistically.", WARNF("More than %d tokens - will use them probabilistically.",
MAX_DET_EXTRAS); afl->max_det_extras);
} }
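Review bot: `WARNF("More than %d tokens - will use them probabilistically.", afl->max_det_extras)` in extras_check_and_sort now passes the u32 field (it is assigned via `(u32)` in afl-fuzz.c) to a `%d` conversion, whereas the old argument was the int macro `MAX_DET_EXTRAS`; a conversion/argument type mismatch is undefined behaviour in C11 and `-Wformat` flags it. Change the conversion to `%u` here and in the identical WARNF in the add_extra hunk below. Both extras_check_and_sort and add_extra begin and end outside the shown hunks.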


@ -1509,13 +1509,13 @@ skip_interest:
for (j = 0; j < afl->extras_cnt; ++j) { for (j = 0; j < afl->extras_cnt; ++j) {
/* Skip extras probabilistically if afl->extras_cnt > MAX_DET_EXTRAS. Also /* Skip extras probabilistically if afl->extras_cnt > AFL_MAX_DET_EXTRAS.
skip them if there's no room to insert the payload, if the token Also skip them if there's no room to insert the payload, if the token
is redundant, or if its entire span has no bytes set in the effector is redundant, or if its entire span has no bytes set in the effector
map. */ map. */
if ((afl->extras_cnt > MAX_DET_EXTRAS && if ((afl->extras_cnt > afl->max_det_extras &&
rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || rand_below(afl, afl->extras_cnt) >= afl->max_det_extras) ||
afl->extras[j].len > len - i || afl->extras[j].len > len - i ||
!memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) ||
!memchr(eff_map + EFF_APOS(i), 1, !memchr(eff_map + EFF_APOS(i), 1,
@ -3722,13 +3722,13 @@ skip_interest:
for (j = 0; j < afl->extras_cnt; ++j) { for (j = 0; j < afl->extras_cnt; ++j) {
/* Skip extras probabilistically if afl->extras_cnt > MAX_DET_EXTRAS. Also /* Skip extras probabilistically if afl->extras_cnt > AFL_MAX_DET_EXTRAS.
skip them if there's no room to insert the payload, if the token Also skip them if there's no room to insert the payload, if the token
is redundant, or if its entire span has no bytes set in the effector is redundant, or if its entire span has no bytes set in the effector
map. */ map. */
if ((afl->extras_cnt > MAX_DET_EXTRAS && if ((afl->extras_cnt > afl->max_det_extras &&
rand_below(afl, afl->extras_cnt) >= MAX_DET_EXTRAS) || rand_below(afl, afl->extras_cnt) >= afl->max_det_extras) ||
afl->extras[j].len > len - i || afl->extras[j].len > len - i ||
!memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) || !memcmp(afl->extras[j].data, out_buf + i, afl->extras[j].len) ||
!memchr(eff_map + EFF_APOS(i), 1, !memchr(eff_map + EFF_APOS(i), 1,
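Review bot: The rewritten comment `Skip extras probabilistically if afl->extras_cnt > AFL_MAX_DET_EXTRAS` names the environment variable, but the condition on the following line compares against `afl->max_det_extras`, which holds the compiled-in default when the variable is unset, so the comment is misleading whenever the variable is not exported. Suggest `/* Skip extras probabilistically if afl->extras_cnt > afl->max_det_extras (AFL_MAX_DET_EXTRAS, or MAX_DET_EXTRAS by default). Also skip them ... */` in this hunk and in the identical hunk at line 3722. Both loops sit inside functions that begin and end outside the hunks.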


@ -349,6 +349,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_preload = afl->afl_env.afl_preload =
(u8 *)get_afl_env(afl_environment_variables[i]); (u8 *)get_afl_env(afl_environment_variables[i]);
} else if (!strncmp(env, "AFL_MAX_DET_EXTRAS",
afl_environment_variable_len)) {
afl->afl_env.afl_max_det_extras =
(u8 *)get_afl_env(afl_environment_variables[i]);
} }
} else { } else {


@ -177,6 +177,8 @@ static void usage(u8 *argv0, int more_help) {
"AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
"AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
" the target was compiled for\n" " the target was compiled for\n"
"AFL_MAX_DET_EXTRAS: if the dict/extras file contains more tokens than this threshold,\n"
" the tokens will sometimes be skipped during fuzzing.\n"
"AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n" "AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n"
"AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n" "AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n"
"AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n" "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
@ -949,8 +951,21 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->afl_env.afl_hang_tmout) { if (afl->afl_env.afl_hang_tmout) {
afl->hang_tmout = atoi(afl->afl_env.afl_hang_tmout); s32 hang_tmout = atoi(afl->afl_env.afl_hang_tmout);
if (!afl->hang_tmout) { FATAL("Invalid value of AFL_HANG_TMOUT"); } if (hang_tmout < 1) { FATAL("Invalid value for AFL_HANG_TMOUT"); }
afl->hang_tmout = (u32)hang_tmout;
}
if (afl->afl_env.afl_max_det_extras) {
s32 max_det_extras = atoi(afl->afl_env.afl_max_det_extras);
if (max_det_extras < 1) { FATAL("Invalid value for AFL_MAX_DET_EXTRAS"); }
afl->max_det_extras = (u32)max_det_extras;
} else {
afl->max_det_extras = MAX_DET_EXTRAS;
} }