Add option for treating crashing input as new crash

Signed-off-by: Junwha Hong <qbit@unist.ac.kr>
2025-06-14 11:08:06 +00:00 · 2023-08-02 02:59:07 +09:00
parent 0265b39c13
commit 1429c9724e
4 changed files with 90 additions and 24 deletions
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -539,7 +539,8 @@ typedef struct afl_state {
      expand_havoc,                /* perform expensive havoc after no find */
      cycle_schedules,                  /* cycle power schedules?           */
      old_seed_selection,               /* use vanilla afl seed selection   */
-      reinit_table;                     /* reinit the queue weight table    */
+      reinit_table,                     /* reinit the queue weight table    */
+      crashing_seeds_as_new_crash; /* treat crashing seeds as normal corpus */

  u8 *virgin_bits,                      /* Regions yet untouched by fuzzing */
      *virgin_tmout,                    /* Bits we haven't seen in tmouts   */
--- a/include/envs.h
+++ b/include/envs.h
@ -35,6 +35,7 @@ static char *afl_environment_variables[] = {
    "AFL_COMPCOV_BINNAME",
    "AFL_COMPCOV_LEVEL",
    "AFL_CRASH_EXITCODE",
+    "AFL_CRASHING_SEEDS_AS_NEW_CRASH",
    "AFL_CUSTOM_MUTATOR_LIBRARY",
    "AFL_CUSTOM_MUTATOR_ONLY",
    "AFL_CUSTOM_INFO_PROGRAM",
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@ -1056,6 +1056,13 @@ void perform_dry_run(afl_state_t *afl) {
              "skipping",
              fn, (int)(s8)afl->fsrv.crash_exitcode);

+        } else if (afl->crashing_seeds_as_new_crash) {
+          
+          WARNF(
+              "Test case '%s' results in a crash,"
+              "as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "
+              "saving as a crash", fn);
+
        } else {

          WARNF("Test case '%s' results in a crash, skipping", fn);
@ -1078,33 +1085,89 @@ void perform_dry_run(afl_state_t *afl) {

        }

-        q->disabled = 1;
-        q->perf_score = 0;
+        /* Crashing corpus will regrad as normal, and categorized as new crash at fuzzing  */
+        if (afl->crashing_seeds_as_new_crash) {
          
-        u32 i = 0;
-        while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
-                        afl->queue_buf[i]->disabled)) {
+          ++afl->total_crashes;

-          ++i;
+          if (likely(!afl->non_instrumented_mode)) {

-        }
+            classify_counts(&afl->fsrv);
          
-        if (i < afl->queued_items && afl->queue_buf[i]) {
+            simplify_trace(afl, afl->fsrv.trace_bits);

-          afl->queue = afl->queue_buf[i];
+            if (!has_new_bits(afl, afl->virgin_crash)) { break; }
+
+          }
+
+          
+          if (unlikely(!afl->saved_crashes) &&
+              (afl->afl_env.afl_no_crash_readme != 1)) {
+
+            write_crash_readme(afl);
+
+          }
+
+          u8  crash_fn[PATH_MAX];
+          u8 *use_name = strstr(q->fname, ",orig:");
+
+          afl->stage_name = "dry_run";
+          afl->stage_short = "dry_run";
+
+    #ifndef SIMPLE_FILES
+
+          snprintf(crash_fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s%s", afl->out_dir,
+                  afl->saved_crashes, afl->fsrv.last_kill_signal,
+                  describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,") - strlen(use_name)), use_name);
+
+    #else
+
+          snprintf(crash_fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
+                  afl->saved_crashes, afl->fsrv.last_kill_signal);
+
+    #endif  
+
+          ++afl->saved_crashes;
+
+          fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
+          if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_fn); }
+          ck_write(fd, use_mem, read_len, crash_fn);
+          close(fd);
+
+          afl->last_crash_time = get_cur_time();
+          afl->last_crash_execs = afl->fsrv.total_execs;

        } else {

-          afl->queue = afl->queue_buf[0];
+          q->disabled = 1;
+          q->perf_score = 0;

-        }
+          u32 i = 0;
+          while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
+                          afl->queue_buf[i]->disabled)) {

-        afl->max_depth = 0;
-        for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
+            ++i;

-          if (!afl->queue_buf[i]->disabled &&
-              afl->queue_buf[i]->depth > afl->max_depth)
-            afl->max_depth = afl->queue_buf[i]->depth;
+          }
+
+          if (i < afl->queued_items && afl->queue_buf[i]) {
+
+            afl->queue = afl->queue_buf[i];
+
+          } else {
+
+            afl->queue = afl->queue_buf[0];
+
+          }
+
+          afl->max_depth = 0;
+          for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
+
+            if (!afl->queue_buf[i]->disabled &&
+                afl->queue_buf[i]->depth > afl->max_depth)
+              afl->max_depth = afl->queue_buf[i]->depth;
+
+          }

        }
        
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -1573,6 +1573,7 @@ int main(int argc, char **argv_orig, char **envp) {
  if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; }
  if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; }
  if (get_afl_env("AFL_EXPAND_HAVOC_NOW")) { afl->expand_havoc = 1; }
+  if (get_afl_env("AFL_CRASHING_SEEDS_AS_NEW_CRASH")) { afl->crashing_seeds_as_new_crash = 1; }
  
  if (afl->afl_env.afl_autoresume) {