skeleton for rtn cmplog

2025-06-11 01:31:37 +00:00 · 2020-02-18 15:05:17 +01:00 · 2020-02-18 15:05:17 +01:00 · 13296af491
commit 13296af491
parent 706718ca2e
3 changed files with 76 additions and 3 deletions
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -118,7 +118,8 @@ struct queue_entry {
      has_new_cov,                      /* Triggers new coverage?           */
      var_behavior,                     /* Variable behavior?               */
      favored,                          /* Currently favored?               */
-      fs_redundant;                     /* Marked as redundant in the fs?   */
+      fs_redundant,                     /* Marked as redundant in the fs?   */
+      fully_colorized;                  /* Do not run redqueen stage again  */

  u32 bitmap_size,                      /* Number of bits set in bitmap     */
      fuzz_level,                       /* Number of fuzzing iterations     */
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@ -531,7 +531,7 @@ u8 fuzz_one_original(char** argv) {

  }

-  if (cmplog_mode) {
+  if (cmplog_mode && !queue_cur->fully_colorized) {

    if (input_to_state_stage(argv, in_buf, out_buf, len, queue_cur->exec_cksum))
      goto abandon_entry;
--- a/src/afl-fuzz-redqueen.c
+++ b/src/afl-fuzz-redqueen.c
@ -145,6 +145,9 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
    --stage_cur;

  }
+  
+  if (stage_cur)
+    queue_cur->fully_colorized = 1;

  new_hit_cnt = queued_paths + unique_crashes;
  stage_finds[STAGE_COLORIZATION] += new_hit_cnt - orig_hit_cnt;
@ -417,6 +420,71 @@ u8 cmp_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) {

 }

+u8 rtn_extend_encoding(struct cmp_header* h, u8* pattern, u8* repl, u32 idx,
+                       u8* orig_buf, u8* buf, u32 len, u8* status) {
+
+  *status = 2;
+
+}
+
+u8 rtn_fuzz(u32 key, u8* orig_buf, u8* buf, u32 len) {
+
+  struct cmp_header* h = &cmp_map->headers[key];
+  u32                i, j, idx;
+
+  u32 loggeds = h->hits;
+  if (h->hits > CMP_MAP_RTN_H) loggeds = CMP_MAP_RTN_H;
+
+  u8 status;
+  // opt not in the paper
+  u32 fails = 0;
+
+  for (i = 0; i < loggeds; ++i) {
+
+    struct cmpfn_operands* o = &((struct cmpfn_operands*)cmp_map->log[key])[i];
+
+    // opt not in the paper
+    //for (j = 0; j < i; ++j)
+    //  if (cmp_map->log[key][j].v0 == o->v0 && cmp_map->log[key][i].v1 == o->v1)
+    //    goto cmp_fuzz_next_iter;
+
+    for (idx = 0; idx < len && fails < 8; ++idx) {
+
+      if (unlikely(rtn_extend_encoding(h, o->v0, o->v1, idx, orig_buf, buf, len,
+                                       &status)))
+        return 1;
+      if (status == 2)
+        ++fails;
+      else if (status == 1)
+        break;
+
+      if (unlikely(rtn_extend_encoding(h, o->v1, o->v0, idx, orig_buf, buf, len,
+                                       &status)))
+        return 1;
+      if (status == 2)
+        ++fails;
+      else if (status == 1)
+        break;
+
+    }
+
+    // If failed, add to dictionary
+    if (fails == 8) {
+
+      maybe_add_auto(o->v0, SHAPE_BYTES(h->shape));
+      maybe_add_auto(o->v1, SHAPE_BYTES(h->shape));
+
+    }
+
+  cmp_fuzz_next_iter:
+    stage_cur++;
+
+  }
+
+  return 0;
+
+}
+
 ///// Input to State stage

 // queue_cur->exec_cksum
@ -455,7 +523,11 @@ u8 input_to_state_stage(char** argv, u8* orig_buf, u8* buf, u32 len,
  for (k = 0; k < CMP_MAP_W; ++k) {

    if (!cmp_map->headers[k].hits) continue;
-    cmp_fuzz(k, orig_buf, buf, len);
+    
+    if (cmp_map->headers[k].type == CMP_TYPE_INS)
+      cmp_fuzz(k, orig_buf, buf, len);
+    else
+      rtn_fuzz(k, orig_buf, buf, len);

  }