Add option for treating crashing input as new crash

Signed-off-by: Junwha Hong <qbit@unist.ac.kr>
This commit is contained in:
Junwha
2023-08-02 02:59:07 +09:00
parent 0265b39c13
commit 1429c9724e
4 changed files with 90 additions and 24 deletions


@ -1056,6 +1056,13 @@ void perform_dry_run(afl_state_t *afl) {
"skipping",
fn, (int)(s8)afl->fsrv.crash_exitcode);
} else if (afl->crashing_seeds_as_new_crash) {
WARNF(
"Test case '%s' results in a crash,"
"as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "
"saving as a crash", fn);
} else {
WARNF("Test case '%s' results in a crash, skipping", fn);
@ -1078,38 +1085,94 @@ void perform_dry_run(afl_state_t *afl) {
}
q->disabled = 1;
q->perf_score = 0;
/* Crashing corpus will regrad as normal, and categorized as new crash at fuzzing */
if (afl->crashing_seeds_as_new_crash) {
++afl->total_crashes;
u32 i = 0;
while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
afl->queue_buf[i]->disabled)) {
if (likely(!afl->non_instrumented_mode)) {
++i;
classify_counts(&afl->fsrv);
simplify_trace(afl, afl->fsrv.trace_bits);
}
if (!has_new_bits(afl, afl->virgin_crash)) { break; }
if (i < afl->queued_items && afl->queue_buf[i]) {
}
afl->queue = afl->queue_buf[i];
if (unlikely(!afl->saved_crashes) &&
(afl->afl_env.afl_no_crash_readme != 1)) {
write_crash_readme(afl);
}
u8 crash_fn[PATH_MAX];
u8 *use_name = strstr(q->fname, ",orig:");
afl->stage_name = "dry_run";
afl->stage_short = "dry_run";
#ifndef SIMPLE_FILES
snprintf(crash_fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s%s", afl->out_dir,
afl->saved_crashes, afl->fsrv.last_kill_signal,
describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,") - strlen(use_name)), use_name);
#else
snprintf(crash_fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
afl->saved_crashes, afl->fsrv.last_kill_signal);
#endif
++afl->saved_crashes;
fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_fn); }
ck_write(fd, use_mem, read_len, crash_fn);
close(fd);
afl->last_crash_time = get_cur_time();
afl->last_crash_execs = afl->fsrv.total_execs;
} else {
afl->queue = afl->queue_buf[0];
q->disabled = 1;
q->perf_score = 0;
u32 i = 0;
while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
afl->queue_buf[i]->disabled)) {
++i;
}
if (i < afl->queued_items && afl->queue_buf[i]) {
afl->queue = afl->queue_buf[i];
} else {
afl->queue = afl->queue_buf[0];
}
afl->max_depth = 0;
for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
if (!afl->queue_buf[i]->disabled &&
afl->queue_buf[i]->depth > afl->max_depth)
afl->max_depth = afl->queue_buf[i]->depth;
}
}
afl->max_depth = 0;
for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
if (!afl->queue_buf[i]->disabled &&
afl->queue_buf[i]->depth > afl->max_depth)
afl->max_depth = afl->queue_buf[i]->depth;
}
break;
break;
case FSRV_RUN_ERROR:
FATAL("Unable to execute target application ('%s')", afl->argv[0]);
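Review bot: In the new `crashing_seeds_as_new_crash` branch the `has_new_bits(afl, afl->virgin_crash)` check runs unconditionally while `classify_counts`/`simplify_trace` run only when instrumented, so in non-instrumented mode the untouched trace map never shows new bits and every crashing seed is counted in `total_crashes` but dropped at the `break` before it is saved; save_if_interesting skips that gate in non-instrumented mode, so move the line inside the guarded block: `if (likely(!afl->non_instrumented_mode)) { classify_counts(&afl->fsrv); simplify_trace(afl, afl->fsrv.trace_bits); if (!has_new_bits(afl, afl->virgin_crash)) { break; } }`. `use_name = strstr(q->fname, ",orig:")` is passed straight to `strlen` and the `%s` format, so if any queue entry can lack the `,orig:` marker (a resumed queue is what I would check) this is a NULL dereference, and a guard such as `if (!use_name) { use_name = (u8 *)""; }` is cheap; note too that `NAME_MAX - strlen("id:000000,sig:00,") - strlen(use_name)` is `size_t` arithmetic that wraps to a huge limit for describe_op once `use_name` is long, leaving only the PATH_MAX truncation of snprintf. In the first hunk the literals `"Test case '%s' results in a crash,"` and `"as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "` concatenate to `crash,as`; the first literal needs a trailing space. The comment introducing the branch misspells "regard" and should read `/* A crashing seed is regarded as normal and categorized as a new crash during fuzzing */`. perform_dry_run and the switch this case belongs to start before the hunk.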