solve conflicts

This commit is contained in:
Andrea Fioraldi
2020-04-14 10:12:41 +02:00
21 changed files with 124 additions and 76 deletions


@ -145,6 +145,11 @@ else
PYFLAGS= PYFLAGS=
endif endif
ifdef NO_PYTHON
PYTHON_OK=0
PYFLAGS=
endif
ifdef STATIC ifdef STATIC
$(info Compiling static version of binaries) $(info Compiling static version of binaries)
# Disable python for static compilation to simplify things # Disable python for static compilation to simplify things


@ -17,6 +17,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- afl-fuzz: - afl-fuzz:
- variable map size support added (only LTO mode can use this) - variable map size support added (only LTO mode can use this)
- snapshot feature usage now visible in UI - snapshot feature usage now visible in UI
- Now setting "-L -1" will enable MOpt in parallel to normal mutation.
Additionally this allows to run dictionaries, radamsa and cmplog.
- compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also - compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
static global and local variable comparisons (cannot find all though) static global and local variable comparisons (cannot find all though)
- extended forkserver: map_size and more information is communicated to - extended forkserver: map_size and more information is communicated to


@ -36,6 +36,9 @@ enter the pacemaker fuzzing mode.
Setting 0 will enter the pacemaker fuzzing mode at first, which is Setting 0 will enter the pacemaker fuzzing mode at first, which is
recommended in a short time-scale evaluation. recommended in a short time-scale evaluation.
Setting -1 will enable both pacemaker mode and normal aflmutation fuzzing in
parallel.
Other important parameters can be found in afl-fuzz.c, for instance, Other important parameters can be found in afl-fuzz.c, for instance,
'swarm_num': the number of the PSO swarms used in the fuzzing process. 'swarm_num': the number of the PSO swarms used in the fuzzing process.


@ -358,14 +358,14 @@ typedef struct afl_state {
/* MOpt: /* MOpt:
Lots of globals, but mostly for the status UI and other things where it Lots of globals, but mostly for the status UI and other things where it
really makes no sense to haul them around as function parameters. */ really makes no sense to haul them around as function parameters. */
u64 limit_time_puppet, orig_hit_cnt_puppet, last_limit_time_start, u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time,
tmp_pilot_time, total_pacemaker_time, total_puppet_find, temp_puppet_find, total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key,
most_time_key, most_time, most_execs_key, most_execs, old_hit_count, most_time, most_execs_key, most_execs, old_hit_count, force_ui_update;
force_ui_update;
MOpt_globals_t mopt_globals_core, mopt_globals_pilot; MOpt_globals_t mopt_globals_core, mopt_globals_pilot;
s32 SPLICE_CYCLES_puppet, limit_time_sig, key_puppet, key_module; s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet,
key_module;
double w_init, w_end, w_now; double w_init, w_end, w_now;
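Review bot: limit_time_sig now carries three states (0 = MOpt off, 1 = MOpt only, -1 = MOpt and normal mutation run after each other, per the -L handling in src/afl-fuzz.c), but the s32 line it moved to still has only the generic "Lots of globals" comment above it. A field comment such as `/* -L mode: 0 = off, 1 = MOpt only, -1 = MOpt plus normal mutation */` next to limit_time_sig would save the next reader a trip to the option parser. Narrowing limit_time_puppet from u64 to s32 also shrinks the value that src/afl-fuzz.c multiplies by 60 * 1000 into milliseconds, so the largest -L value that still fits is about 35791 minutes; that bound is not documented or enforced anywhere in this commit.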


@ -82,8 +82,8 @@ endif
# this seems to be busted on some distros, so using the one in $PATH is # this seems to be busted on some distros, so using the one in $PATH is
# probably better. # probably better.
CC = $(LLVM_BINDIR)/clang CC ?= $(LLVM_BINDIR)/clang
CXX = $(LLVM_BINDIR)/clang++ CXX ?= $(LLVM_BINDIR)/clang++
ifeq "$(shell test -e $(CC) || echo 1 )" "1" ifeq "$(shell test -e $(CC) || echo 1 )" "1"
# llvm-config --bindir may not providing a valid path, so ... # llvm-config --bindir may not providing a valid path, so ...
@ -146,13 +146,27 @@ ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -fuse-ld=`command -v
endif endif
endif endif
CLANG_BIN = $(basename $(CC))
CLANGPP_BIN = $(basename $(CXX))
ifeq "$(shell test -e $(CLANG_BIN) || echo 1 )" "1"
CLANG_BIN = $(CC)
CLANGPP_BIN = $(CXX)
endif
ifeq "$(CC)" "$(LLVM_BINDIR)/clang"
USE_BINDIR = 1
else
USE_BINDIR = 0
endif
CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2 CFLAGS ?= -O3 -funroll-loops -D_FORTIFY_SOURCE=2
override CFLAGS += -Wall \ override CFLAGS += -Wall \
-g -Wno-pointer-sign -I ../include/ \ -g -Wno-pointer-sign -I ../include/ \
-DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \ -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
-DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" \ -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" \
-DLLVM_VERSION=\"$(LLVMVER)\" -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" \ -DLLVM_VERSION=\"$(LLVMVER)\" -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" \
-DAFL_REAL_LD=\"$(AFL_REAL_LD)\" -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" -Wno-unused-function -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
-DCLANG_BIN=\"$(CC)\" -DCLANGPP_BIN=\"$(CXX)\" -DUSE_BINDIR=$(USE_BINDIR) -Wno-unused-function
ifdef AFL_TRACE_PC ifdef AFL_TRACE_PC
$(info Compile option AFL_TRACE_PC is deprecated, just set AFL_LLVM_INSTRUMENT=PCGUARD to activate when compiling targets ) $(info Compile option AFL_TRACE_PC is deprecated, just set AFL_LLVM_INSTRUMENT=PCGUARD to activate when compiling targets )
endif endif
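Review bot: CLANG_BIN and CLANGPP_BIN computed at the top of the second hunk are never used: the new -D defines on the last CFLAGS line pass `$(CC)` and `$(CXX)` directly, so the `test -e` fallback has no effect on what afl-clang-fast.c sees. Either drop the two variables or change the define line to `-DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\"`. Note also that `$(basename)` strips a dot-suffix rather than a directory (periods in directory components are ignored), so for a CC such as clang-10.0 it yields a non-existent name and the fallback silently restores $(CC); if the intent was to remove the directory part, `$(notdir)` is the function. Switching to `CC ?=` means an inherited CC from the environment now replaces the llvm-config path for building the passes, which is presumably intended but deserves a line in the comment above it.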


@ -159,7 +159,6 @@ static void find_obj(u8 *argv0) {
static void edit_params(u32 argc, char **argv, char **envp) { static void edit_params(u32 argc, char **argv, char **envp) {
u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0; u8 fortify_set = 0, asan_set = 0, x_set = 0, bit_mode = 0;
u8 has_llvm_config = 0;
u8 *name; u8 *name;
cc_params = ck_alloc((argc + 128) * sizeof(u8 *)); cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
@ -170,8 +169,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
else else
++name; ++name;
has_llvm_config = (strlen(LLVM_BINDIR) > 0);
if (instrument_mode == INSTRUMENT_LTO) if (instrument_mode == INSTRUMENT_LTO)
if (lto_flag[0] != '-') if (lto_flag[0] != '-')
FATAL( FATAL(
@ -181,19 +178,19 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strcmp(name, "afl-clang-fast++") || !strcmp(name, "afl-clang-lto++")) { if (!strcmp(name, "afl-clang-fast++") || !strcmp(name, "afl-clang-lto++")) {
u8 *alt_cxx = getenv("AFL_CXX"); u8 *alt_cxx = getenv("AFL_CXX");
if (has_llvm_config) if (USE_BINDIR)
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR); snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR);
else else
sprintf(llvm_fullpath, "clang++"); sprintf(llvm_fullpath, CLANGPP_BIN);
cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)llvm_fullpath; cc_params[0] = alt_cxx && *alt_cxx ? alt_cxx : (u8 *)llvm_fullpath;
} else { } else {
u8 *alt_cc = getenv("AFL_CC"); u8 *alt_cc = getenv("AFL_CC");
if (has_llvm_config) if (USE_BINDIR)
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR); snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR);
else else
sprintf(llvm_fullpath, "clang"); sprintf(llvm_fullpath, CLANG_BIN);
cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)llvm_fullpath; cc_params[0] = alt_cc && *alt_cc ? alt_cc : (u8 *)llvm_fullpath;
} }
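Review bot: `sprintf(llvm_fullpath, CLANGPP_BIN)` and `sprintf(llvm_fullpath, CLANG_BIN)` in the third hunk pass a build-time string as the format argument, so a CC/CXX value containing a `%` is interpreted as conversion specifiers, and the copy is unbounded while the two snprintf branches right above them are bounded by sizeof(llvm_fullpath). Use `snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s", CLANGPP_BIN);` and the same form for CLANG_BIN; this also keeps -Wformat-security quiet. edit_params continues past the hunk.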


@ -902,6 +902,8 @@ int main(int argc, char **argv, char **envp) {
if (mem_limit_given) FATAL("Multiple -m options not supported"); if (mem_limit_given) FATAL("Multiple -m options not supported");
mem_limit_given = 1; mem_limit_given = 1;
if (!optarg) { FATAL("Bad syntax used for -m"); }
if (!strcmp(optarg, "none")) { if (!strcmp(optarg, "none")) {
mem_limit = 0; mem_limit = 0;
@ -938,6 +940,8 @@ int main(int argc, char **argv, char **envp) {
if (timeout_given) FATAL("Multiple -t options not supported"); if (timeout_given) FATAL("Multiple -t options not supported");
timeout_given = 1; timeout_given = 1;
if (!optarg) FATAL("Wrong usage of -t");
exec_tmout = atoi(optarg); exec_tmout = atoi(optarg);
if (exec_tmout < 10 || optarg[0] == '-') if (exec_tmout < 10 || optarg[0] == '-')
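Review bot: The two new guards word the same condition differently, `FATAL("Bad syntax used for -m")` versus `FATAL("Wrong usage of -t")`, and the -m one also uses braces where the surrounding single-statement FATALs do not. If the getopt option string (outside the hunk) declares both as required-argument options, optarg cannot be NULL for them and the guards are purely defensive; they are cheap, but one consistent message such as `if (!optarg) FATAL("Bad syntax used for -t");` keeps the CLI errors uniform. main continues outside the hunk.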


@ -292,11 +292,10 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
*rsl = 0; *rsl = 0;
cp = alloc_printf("%s/afl-qemu-trace", own_copy); cp = alloc_printf("%s/afl-qemu-trace", own_copy);
ck_free(own_copy);
if (!access(cp, X_OK)) { if (cp && !access(cp, X_OK)) {
if (cp != NULL) ck_free(cp); ck_free(cp);
cp = alloc_printf("%s/afl-wine-trace", own_copy); cp = alloc_printf("%s/afl-wine-trace", own_copy);
@ -309,10 +308,14 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
} }
} else ck_free(own_copy);
} else {
ck_free(own_copy); ck_free(own_copy);
}
u8 *ncp = BIN_PATH "/afl-qemu-trace"; u8 *ncp = BIN_PATH "/afl-qemu-trace";
if (!access(ncp, X_OK)) { if (!access(ncp, X_OK)) {
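Review bot: own_copy now stays allocated past the afl-qemu-trace probe so that the `%s/afl-wine-trace` alloc_printf two lines below no longer reads freed memory, but inside the hunks own_copy is released only on the else branch; the matching release for the taken-if path has to happen after the wine probe, outside the hunk, and should be confirmed. The new `cp &&` guard presumably covers an alloc_printf failure, yet `ck_free(cp)` on the next line already runs only inside the if where cp is non-NULL, so the guard adds safety only if alloc_printf can actually return NULL; if it aborts on failure like the other ck_* allocators, the guard is dead code and a comment saying which it is would help. get_wine_argv continues outside the hunks.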


@ -455,7 +455,6 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
} }
len = status;
offset = 0; offset = 0;
while (offset < status && (u8)dict[offset] + offset < status) { while (offset < status && (u8)dict[offset] + offset < status) {
@ -631,10 +630,14 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
static void afl_fsrv_kill(afl_forkserver_t *fsrv) { static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL); if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL);
if (fsrv->fsrv_pid > 0) kill(fsrv->fsrv_pid, SIGKILL); if (fsrv->fsrv_pid > 0) {
kill(fsrv->fsrv_pid, SIGKILL);
if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); } if (waitpid(fsrv->fsrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); }
}
} }
void afl_fsrv_killall() { void afl_fsrv_killall() {
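Review bot: afl_fsrv_kill now reaps fsrv_pid after SIGKILL but never resets fsrv_pid or child_pid, so a second call on the same struct (for instance a later afl_fsrv_killall at exit after the forkserver has been restarted) would send SIGKILL to a pid that may by then belong to an unrelated process. Setting `fsrv->fsrv_pid = -1;` after the waitpid and `fsrv->child_pid = -1;` after its kill makes the function idempotent. Only fsrv_pid is waited for, presumably because child_pid is the forkserver's child rather than ours and cannot be reaped here; a one-line comment stating that would prevent someone from "fixing" it later. The first hunk drops `len = status;`; whether len has another use in afl_fsrv_start is outside the hunk.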


@ -535,7 +535,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (unlikely(len == 0)) return 0; if (unlikely(len == 0)) return 0;
u8 *queue_fn = ""; u8 *queue_fn = "";
u8 hnb; u8 hnb = '\0';
s32 fd; s32 fd;
u8 keeping = 0, res; u8 keeping = 0, res;
@ -718,9 +718,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
// if the user wants to be informed on new crashes - do that // if the user wants to be informed on new crashes - do that
#if !TARGET_OS_IPHONE #if !TARGET_OS_IPHONE
if (system(afl->infoexec) == -1) // we dont care if system errors, but we dont want a
hnb += 0; // we dont care if system errors, but we dont want a // compiler warning either
// compiler warning either // See
// https://stackoverflow.com/questions/11888594/ignoring-return-values-in-c
(void)(system(afl->infoexec) + 1);
#else #else
WARNF("command execution unsupported"); WARNF("command execution unsupported");
#endif #endif
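Review bot: `(void)(system(afl->infoexec) + 1);` discards the launch result entirely, so an infoexec command that cannot be spawned (system() returning -1) is never surfaced, whereas the old branch at least had a place to react. Keeping the condition and reporting it, `if (system(afl->infoexec) == -1) { WARNF("could not execute infoexec command"); }`, satisfies warn_unused_result without the `+ 1` trick and tells the operator why crash notifications stopped. If the link to the Stack Overflow answer stays, a half-line comment explaining that a plain (void) cast does not silence warn_unused_result would be clearer than the URL alone. save_if_interesting continues outside the hunks.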


@ -130,6 +130,8 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr); wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr);
if (!wptr) PFATAL("no mem for data");
while (*lptr) { while (*lptr) {
char *hexdigits = "0123456789abcdef"; char *hexdigits = "0123456789abcdef";
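Review bot: The new `if (!wptr) PFATAL("no mem for data");` only fires when ck_alloc returns NULL; if ck_alloc aborts itself on real allocation failure but returns NULL for a zero-length request (AFL's allocator does so for size 0 — confirm in alloc-inl.h), then this message is reached for an empty quoted token (rptr == lptr) rather than for OOM, and PFATAL appends a strerror(errno) that has nothing to do with it. If the intent is to reject empty entries, say so, `if (!wptr) FATAL("empty extra in dictionary file");`, or test `rptr == lptr` before the allocation. load_extras_file continues outside the hunk.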


@ -2178,6 +2178,8 @@ void save_cmdline(afl_state_t *afl, u32 argc, char **argv) {
u32 l = strlen(argv[i]); u32 l = strlen(argv[i]);
if (!argv[i] || !buf) FATAL("null deref detected");
memcpy(buf, argv[i], l); memcpy(buf, argv[i], l);
buf += l; buf += l;
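Review bot: The new NULL check comes one statement too late: `u32 l = strlen(argv[i]);` on the line above already dereferences argv[i], so a NULL entry crashes inside strlen before `FATAL("null deref detected")` can run. Move the guard ahead of the length computation, `if (!argv[i] || !buf) FATAL("null deref detected");` first and `u32 l = strlen(argv[i]);` second. save_cmdline continues outside the hunk.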


@ -3604,7 +3604,6 @@ pacemaker_fuzzing:
} }
s32 temp_len_puppet; s32 temp_len_puppet;
cur_ms_lv = get_cur_time();
// for (; afl->swarm_now < swarm_num; ++afl->swarm_now) // for (; afl->swarm_now < swarm_num; ++afl->swarm_now)
{ {
@ -4178,8 +4177,6 @@ pacemaker_fuzzing:
afl->orig_hit_cnt_puppet))) { afl->orig_hit_cnt_puppet))) {
afl->key_puppet = 0; afl->key_puppet = 0;
cur_ms_lv = get_cur_time();
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
afl->orig_hit_cnt_puppet = 0; afl->orig_hit_cnt_puppet = 0;
afl->last_limit_time_start = 0; afl->last_limit_time_start = 0;
@ -4388,7 +4385,7 @@ void pso_updating(afl_state_t *afl) {
u8 fuzz_one(afl_state_t *afl) { u8 fuzz_one(afl_state_t *afl) {
int key_val_lv = 0; int key_val_lv_1 = 0, key_val_lv_2 = 0;
#ifdef _AFL_DOCUMENT_MUTATIONS #ifdef _AFL_DOCUMENT_MUTATIONS
@ -4408,22 +4405,22 @@ u8 fuzz_one(afl_state_t *afl) {
#endif #endif
if (afl->limit_time_sig == 0) { // if limit_time_sig == -1 then both are run after each other
key_val_lv = fuzz_one_original(afl); if (afl->limit_time_sig <= 0) { key_val_lv_1 = fuzz_one_original(afl); }
} else { if (afl->limit_time_sig != 0) {
if (afl->key_module == 0) if (afl->key_module == 0)
key_val_lv = pilot_fuzzing(afl); key_val_lv_2 = pilot_fuzzing(afl);
else if (afl->key_module == 1) else if (afl->key_module == 1)
key_val_lv = core_fuzzing(afl); key_val_lv_2 = core_fuzzing(afl);
else if (afl->key_module == 2) else if (afl->key_module == 2)
pso_updating(afl); pso_updating(afl);
} }
return key_val_lv; return (key_val_lv_1 | key_val_lv_2);
#undef BUF_PARAMS #undef BUF_PARAMS
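Review bot: fuzz_one now returns `key_val_lv_1 | key_val_lv_2`, and with -L -1 both fuzz_one_original and the MOpt stage run; if a non-zero return means the queue entry was abandoned (inferred from the callers, which are not visible here), an abandon by either stage is reported even though the other stage did fuzz the entry, and the comment above the two calls should state which semantics is intended. The first two hunks delete two `cur_ms_lv = get_cur_time();` assignments while the variable's declaration and any remaining reads lie outside the hunks; confirm nothing in pacemaker_fuzzing still reads cur_ms_lv, or it will carry a stale timestamp. The `key_module == 2` branch still leaves key_val_lv_2 at 0, as it did before the change.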


@ -438,6 +438,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
} }
if (unlikely(!n_paths)) FATAL("Queue state corrupt");
fuzz_mu = fuzz_total / n_paths; fuzz_mu = fuzz_total / n_paths;
if (fuzz <= fuzz_mu) { if (fuzz <= fuzz_mu) {


@ -115,7 +115,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
afl->stage_short = "colorization"; afl->stage_short = "colorization";
afl->stage_max = 1000; afl->stage_max = 1000;
struct range *rng; struct range *rng = NULL;
afl->stage_cur = 0; afl->stage_cur = 0;
while ((rng = pop_biggest_range(&ranges)) != NULL && while ((rng = pop_biggest_range(&ranges)) != NULL &&
afl->stage_cur < afl->stage_max) { afl->stage_cur < afl->stage_max) {
@ -146,6 +146,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
empty_range: empty_range:
ck_free(rng); ck_free(rng);
rng = NULL;
++afl->stage_cur; ++afl->stage_cur;
} }
@ -162,6 +163,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
rng = ranges; rng = ranges;
ranges = ranges->next; ranges = ranges->next;
ck_free(rng); ck_free(rng);
rng = NULL;
} }
@ -201,9 +203,12 @@ checksum_fail:
rng = ranges; rng = ranges;
ranges = ranges->next; ranges = ranges->next;
ck_free(rng); ck_free(rng);
rng = NULL;
} }
// TODO: clang notices a _potential_ leak of mem pointed to by rng
return 1; return 1;
} }
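Review bot: The potential leak that the new TODO at the end of the section refers to is in the while condition of the first hunk: `pop_biggest_range(&ranges)` runs before `afl->stage_cur < afl->stage_max` is tested, so when the stage budget is exhausted the popped range has already been detached from `ranges`, the loop exits, and neither the loop body nor the later cleanups that walk `ranges` ever free it. Reordering the condition to `while (afl->stage_cur < afl->stage_max && (rng = pop_biggest_range(&ranges)) != NULL) {` leaves the range on the list for the existing cleanup and lets the TODO go. The added `rng = NULL;` after each ck_free are harmless but do not address this. colorization continues outside the hunks.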


@ -56,7 +56,6 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
bitmap_cvg = afl->last_bitmap_cvg; bitmap_cvg = afl->last_bitmap_cvg;
stability = afl->last_stability; stability = afl->last_stability;
eps = afl->last_eps;
} else { } else {
@ -388,9 +387,9 @@ void show_stats(afl_state_t *afl) {
/* Lord, forgive me this. */ /* Lord, forgive me this. */
SAYF(SET_G1 bSTG bLT bH bSTOP cCYA SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
" process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
" overall results " bSTG bH2 bH2 bRT "\n"); " overall results " bSTG bH2 bH2 bRT "\n");
if (afl->dumb_mode) { if (afl->dumb_mode) {
@ -472,9 +471,9 @@ void show_stats(afl_state_t *afl) {
" uniq hangs : " cRST "%-6s" bSTG bV "\n", " uniq hangs : " cRST "%-6s" bSTG bV "\n",
time_tmp, tmp); time_tmp, tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
" cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA
" map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); " map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
/* This gets funny because we want to print several variable-length variables /* This gets funny because we want to print several variable-length variables
together, but then cram them into a fixed-width field - so we need to together, but then cram them into a fixed-width field - so we need to
@ -504,9 +503,9 @@ void show_stats(afl_state_t *afl) {
SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
" stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
" findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths); ((double)afl->queued_favored) * 100 / afl->queued_paths);
@ -580,7 +579,7 @@ void show_stats(afl_state_t *afl) {
/* Aaaalmost there... hold on! */ /* Aaaalmost there... hold on! */
SAYF(bVR bH cCYA bSTOP SAYF(bVR bH cCYA bSTOP
" fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
" path geometry " bSTG bH5 bH2 bVL "\n"); " path geometry " bSTG bH5 bH2 bVL "\n");
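Review bot: The first hunk drops `eps = afl->last_eps;` from the branch that reuses cached values while keeping the bitmap_cvg and stability restores, so on that path eps presumably keeps whatever the caller passed (the parameter list is outside the hunk). If eps is still written to the stats file in that branch it will now be the caller's value rather than the last computed one; if the removal is deliberate because eps is no longer cached, the comment on that branch should say exactly which fields are restored from afl->last_*. The remaining hunks are re-indentation only.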


@ -109,12 +109,12 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
"Mutator settings:\n" "Mutator settings:\n"
" -R[R] - add Radamsa as mutator, add another -R to exclusivly " " -R[R] - add Radamsa as mutator, add another -R to exclusivly "
"run it\n" "run it\n"
" -L minutes - use MOpt(imize) mode and set the limit time for " " -L minutes - use MOpt(imize) mode and set the time limit for "
"entering the\n" "entering the\n"
" pacemaker mode (minutes of no new paths, 0 = " " pacemaker mode (minutes of no new paths). 0 = "
"immediately).\n" "immediately,\n"
" a recommended value is 10-60. see " " -1 = immediately and together with normal mutation).\n"
"docs/README.MOpt.md\n" " See docs/README.MOpt.md\n"
" -c program - enable CmpLog by specifying a binary compiled for " " -c program - enable CmpLog by specifying a binary compiled for "
"it.\n" "it.\n"
" if using QEMU, just use -c 0.\n\n" " if using QEMU, just use -c 0.\n\n"
@ -553,20 +553,33 @@ int main(int argc, char **argv_orig, char **envp) {
case 'L': { /* MOpt mode */ case 'L': { /* MOpt mode */
if (afl->limit_time_sig) FATAL("Multiple -L options not supported"); if (afl->limit_time_sig) FATAL("Multiple -L options not supported");
afl->limit_time_sig = 1;
afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT; afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT;
if (sscanf(optarg, "%llu", &afl->limit_time_puppet) < 1 || if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1)
optarg[0] == '-')
FATAL("Bad syntax used for -L"); FATAL("Bad syntax used for -L");
if (afl->limit_time_puppet == -1) {
afl->limit_time_sig = -1;
afl->limit_time_puppet = 0;
} else if (afl->limit_time_puppet < 0) {
FATAL("-L value must be between 0 and 2000000 or -1");
} else {
afl->limit_time_sig = 1;
}
u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000; u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000;
if (limit_time_puppet2 < afl->limit_time_puppet) if (limit_time_puppet2 < afl->limit_time_puppet)
FATAL("limit_time overflow"); FATAL("limit_time overflow");
afl->limit_time_puppet = limit_time_puppet2; afl->limit_time_puppet = limit_time_puppet2;
SAYF("limit_time_puppet %llu\n", afl->limit_time_puppet); SAYF("limit_time_puppet %d\n", afl->limit_time_puppet);
afl->swarm_now = 0; afl->swarm_now = 0;
if (afl->limit_time_puppet == 0) afl->key_puppet = 1; if (afl->limit_time_puppet == 0) afl->key_puppet = 1;
@ -701,11 +714,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->use_radamsa) { if (afl->use_radamsa) {
if (afl->limit_time_sig) if (afl->limit_time_sig > 0)
FATAL( FATAL(
"MOpt and Radamsa are mutually exclusive. We accept pull requests " "MOpt and Radamsa are mutually exclusive unless you specify -L -1. "
"that integrates MOpt with the optional mutators " "We accept pull requests that integrates MOpt with the optional "
"(custom/radamsa/redquenn/...)."); "mutators (custom/radamsa/redqueen/...).");
if (afl->limit_time_sig && afl->use_radamsa > 1)
FATAL("Radamsa in radamsa-only mode can not run together with -L");
OKF("Using Radamsa add-on"); OKF("Using Radamsa add-on");
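Review bot: The -L range is not actually enforced in the second hunk: `FATAL("-L value must be between 0 and 2000000 or -1")` only fires for negative values other than -1, and with limit_time_puppet now an s32, `afl->limit_time_puppet * 60 * 1000` is evaluated in int and overflows (undefined behaviour) for any value above 35791 minutes before it is widened into the u64 limit_time_puppet2, so the existing `limit_time_puppet2 < afl->limit_time_puppet` check cannot catch it and the assignment back to the s32 field truncates silently. Add an explicit bound before the multiplication, `if (afl->limit_time_puppet > INT32_MAX / (60 * 1000)) FATAL("-L value too large");`, and make the error text match the real limit, or keep the milliseconds value in a u64 field as before. The `-L -1` path sets limit_time_puppet to 0 and therefore also trips `afl->key_puppet = 1;` below; a short comment saying that is intended would help. main continues outside the hunks.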


@ -67,6 +67,7 @@ list_t shm_list = {.element_prealloc_count = 0};
void afl_shm_deinit(sharedmem_t *shm) { void afl_shm_deinit(sharedmem_t *shm) {
// TODO: clang reports a potential UAF in this function/makro(?)
list_remove(&shm_list, shm); list_remove(&shm_list, shm);
#ifdef USEMMAP #ifdef USEMMAP
@ -93,14 +94,6 @@ void afl_shm_deinit(sharedmem_t *shm) {
} }
/* At exit, remove all leftover maps */
void afl_shm_atexit(void) {
LIST_FOREACH(&shm_list, sharedmem_t, { afl_shm_deinit(el); });
}
/* Configure shared memory. /* Configure shared memory.
Returns a pointer to shm->map for ease of use. Returns a pointer to shm->map for ease of use.
*/ */
@ -207,7 +200,6 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
#endif #endif
list_append(&shm_list, shm); list_append(&shm_list, shm);
atexit(afl_shm_atexit);
return shm->map; return shm->map;
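Review bot: Removing afl_shm_atexit and its `atexit(afl_shm_atexit)` registration means shared-memory segments created by afl_shm_init are no longer released on process exit unless every caller now calls afl_shm_deinit on all of its exit paths; where one is missed, or the process dies through FATAL or a signal, SysV segments accumulate on the host across runs. If the hook was removed because of the use-after-free that the new TODO mentions (the atexit handler running on an shm its owner has already freed), the safer direction is to make the hook tolerate already-removed entries rather than drop the cleanup. A one-line comment next to `list_append(&shm_list, shm);` stating who is now responsible for deinit would document the new ownership rule.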


@ -59,9 +59,9 @@
#include <sys/types.h> #include <sys/types.h>
#include <sys/resource.h> #include <sys/resource.h>
char *stdin_file; /* stdin file */ static char *stdin_file; /* stdin file */
u8 *in_dir, /* input folder */ static u8 *in_dir, /* input folder */
*at_file = NULL; /* Substitution string for @@ */ *at_file = NULL; /* Substitution string for @@ */
static u8 *in_data; /* Input data */ static u8 *in_data; /* Input data */
@ -71,7 +71,7 @@ static u32 total, highest; /* tuple content information */
static u32 in_len, /* Input data length */ static u32 in_len, /* Input data length */
arg_offset, total_execs; /* Total number of execs */ arg_offset, total_execs; /* Total number of execs */
u8 quiet_mode, /* Hide non-essential messages? */ static u8 quiet_mode, /* Hide non-essential messages? */
edges_only, /* Ignore hit counts? */ edges_only, /* Ignore hit counts? */
raw_instr_output, /* Do not apply AFL filters */ raw_instr_output, /* Do not apply AFL filters */
cmin_mode, /* Generate output in afl-cmin mode? */ cmin_mode, /* Generate output in afl-cmin mode? */
@ -983,7 +983,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (!quiet_mode) OKF("Processed %u input files.", total_execs); if (!quiet_mode) OKF("Processed %u input files.", total_execs);
closedir(dir_in); closedir(dir_in);
closedir(dir_out); if (dir_out) closedir(dir_out);
} else { } else {


@ -60,7 +60,7 @@
static u8 *mask_bitmap; /* Mask for trace bits (-B) */ static u8 *mask_bitmap; /* Mask for trace bits (-B) */
u8 *in_file, /* Minimizer input test case */ static u8 *in_file, /* Minimizer input test case */
*output_file; /* Minimizer output file */ *output_file; /* Minimizer output file */
static u8 *in_data; /* Input data for trimming */ static u8 *in_data; /* Input data for trimming */
@ -72,7 +72,7 @@ static u32 in_len, /* Input data length */
missed_crashes, /* Misses due to crashes */ missed_crashes, /* Misses due to crashes */
missed_paths; /* Misses due to exec path diffs */ missed_paths; /* Misses due to exec path diffs */
u8 crash_mode, /* Crash-centric mode? */ static u8 crash_mode, /* Crash-centric mode? */
hang_mode, /* Minimize as long as it hangs */ hang_mode, /* Minimize as long as it hangs */
exit_crash, /* Treat non-zero exit as crash? */ exit_crash, /* Treat non-zero exit as crash? */
edges_only, /* Ignore hit counts? */ edges_only, /* Ignore hit counts? */