This commit is contained in:
hexcoder-
2023-12-28 22:08:05 +01:00
26 changed files with 166 additions and 97 deletions

View File

@ -816,7 +816,7 @@ endif
.PHONY: uninstall
uninstall:
-cd $${DESTDIR}$(BIN_PATH) && rm -f $(PROGS) $(SH_PROGS) afl-cs-proxy afl-qemu-trace afl-plot-ui afl-fuzz-document afl-network-server afl-g* afl-plot.sh afl-as afl-ld-lto afl-c* afl-lto*
-cd $${DESTDIR}$(BIN_PATH) && rm -f $(PROGS) $(SH_PROGS) afl-cs-proxy afl-qemu-trace afl-plot-ui afl-fuzz-document afl-network-client afl-network-server afl-g* afl-plot.sh afl-as afl-ld-lto afl-c* afl-lto*
-cd $${DESTDIR}$(HELPER_PATH) && rm -f afl-g*.*o afl-llvm-*.*o afl-compiler-*.*o libdislocator.so libtokencap.so libcompcov.so libqasan.so afl-frida-trace.so libnyx.so socketfuzz*.so argvfuzz*.so libAFLDriver.a libAFLQemuDriver.a as afl-as SanitizerCoverage*.so compare-transform-pass.so cmplog-*-pass.so split-*-pass.so dynamic_list.txt
-rm -rf $${DESTDIR}$(MISC_PATH)/testcases $${DESTDIR}$(MISC_PATH)/dictionaries
-sh -c "ls docs/*.md | sed 's|^docs/|$${DESTDIR}$(DOC_PATH)/|' | xargs rm -f"
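Review bot: the new explicit `afl-network-client` entry sits in a command that also runs `rm -f ... afl-g* ... afl-c*` inside `$${DESTDIR}$(BIN_PATH)`; those prefix globs delete any file starting with afl-g or afl-c in the install directory, not only AFL++'s own binaries. Listing names explicitly, as done here for afl-network-client, is the safer pattern; consider replacing the globs with explicit names as well, or at least documenting that uninstall assumes a BIN_PATH dedicated to AFL++.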

View File

@ -2,9 +2,9 @@
<img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" heigh="250">
Release version: [4.08c](https://github.com/AFLplusplus/AFLplusplus/releases)
Release version: [4.09c](https://github.com/AFLplusplus/AFLplusplus/releases)
GitHub version: 4.09a
GitHub version: 4.10a
Repository:
[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
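Review bot: the unchanged `<img ... heigh="250">` line above the version bump has a typo in the attribute name (`heigh` instead of `height`), so the height hint is ignored by the renderer; worth fixing while this block is being touched.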

View File

@ -3,8 +3,19 @@
This is the list of all noteworthy changes made in every public
release of the tool. See README.md for the general instruction manual.
### Version ++4.09a (dev)
### Version ++4.10a (dev)
- afl-fuzz:
- default power schedule is now EXPLORE, due a fix in fast schedules
explore is slightly better now.
- fixed minor issues in the mutation engine, thanks to @futhewo for
reporting!
- instrumentation:
- LLVM 18 support, thanks to @devnexen!
### Version ++4.09c (release)
- afl-fuzz:
- fixed the new mutation implementation for two bugs
- added `AFL_FINAL_SYNC` which forces a final fuzzer sync (also for `-F`)
before terminating.
- added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead
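Review bot: the new changelog line `default power schedule is now EXPLORE, due a fix in fast schedules explore is slightly better now.` reads awkwardly; suggest `default power schedule is now EXPLORE: due to a fix in the fast schedules, explore now performs slightly better.` The 4.10a entry `fixed minor issues in the mutation engine` would also be more useful with a hint of what was fixed, since the 4.09c entry just below (`fixed the new mutation implementation for two bugs`) has the same vagueness.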
@ -23,14 +34,16 @@
- option -n will not use color in the output
- instrumentation:
- fix for a few string compare transform functions for LAF
- we are instrumenting __cxx internal functions again. this might break
a few targets, please report if so.
- frida_mode:
- fixes support for large map offsets
- support for AFL_FUZZER_LOOPCOUNT for afl.rs and LLVMFuzzerTestOneInput
- afl-cmin/afl-cmin.bash: prevent unneeded file errors
- added new tool afl-addseeds that adds new seeds to a running campaign
- added benchmark/benchmark.py if you want to see how good your fuzzing
speed is in comparison to other setups.
### Version ++4.08c (release)
- afl-fuzz:
- new mutation engine: mutations that favor discovery more paths are

View File

@ -5,6 +5,10 @@ instrumentation-guided genetic algorithm. It uses a modified form of edge
coverage to effortlessly pick up subtle, local-scale changes to program control
flow.
Note: If you are interested in a more current up-to-date deep dive how AFL++
works then we commend this blog post:
[https://blog.ritsec.club/posts/afl-under-hood/](https://blog.ritsec.club/posts/afl-under-hood/)
Simplifying a bit, the overall algorithm can be summed up as:
1) Load user-supplied initial test cases into the queue.
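Review bot: wording in the added note: `a more current up-to-date deep dive how AFL++ works then we commend` should read `a current, in-depth description of how AFL++ works, we recommend` (`commend` is a typo for `recommend`, `more current up-to-date` is redundant, and `deep dive how` needs `into`).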

View File

@ -198,7 +198,7 @@ def deinit(): # optional for Python
This method can be used if you want to send data to the target yourself,
e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
that you start the target with afl-fuzz.
Example: [custom_mutators/examples/custom_send.c](custom_mutators/examples/custom_send.c)
Example: [custom_mutators/examples/custom_send.c](../custom_mutators/examples/custom_send.c)
- `queue_new_entry` (optional):
@ -377,4 +377,4 @@ See [example.c](../custom_mutators/examples/example.c) and
- [bruce30262/libprotobuf-mutator_fuzzing_learning](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator)
- [thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator)
- [XML Fuzzing@NullCon 2017](https://www.agarri.fr/docs/XML_Fuzzing-NullCon2017-PUBLIC.pdf)
- [A bug detected by AFL + XML-aware mutators](https://bugs.chromium.org/p/chromium/issues/detail?id=930663)
- [A bug detected by AFL + XML-aware mutators](https://bugs.chromium.org/p/chromium/issues/detail?id=930663)

View File

@ -94,8 +94,7 @@ For more information, see
In FRIDA mode, you can fuzz binary-only targets as easily as with QEMU mode.
FRIDA mode is most of the times slightly faster than QEMU mode. It is also
newer, lacks COMPCOV, and has the advantage that it works on MacOS (both intel
and M1).
newer, and has the advantage that it works on MacOS (both intel and M1).
To build FRIDA mode:
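Review bot: the removed `lacks COMPCOV` clause was the one stated limitation in this paragraph; if it was dropped because the limitation no longer applies, the frida_mode documentation should say how compare coverage is enabled there, and if it was dropped for another reason the commit message should say so. While here, `most of the times` should be `most of the time` and `MacOS (both intel and M1)` should be `macOS (both Intel and M1)`.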
@ -113,10 +112,6 @@ The mode is approximately 2-5x slower than compile-time instrumentation, and is
less conducive to parallelization. But for binary-only fuzzing, it gives a huge
speed improvement if it is possible to use.
If you want to fuzz a binary-only library, then you can fuzz it with frida-gum
via frida_mode/. You will have to write a harness to call the target function in
the library, use afl-frida.c as a template.
You can also perform remote fuzzing with frida, e.g., if you want to fuzz on
iPhone or Android devices, for this you can use
[https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) as
@ -302,7 +297,6 @@ some are very hard to set up...
* S2E: [https://github.com/S2E](https://github.com/S2E)
* TinyInst:
[https://github.com/googleprojectzero/TinyInst](https://github.com/googleprojectzero/TinyInst)
(Mac/Windows only)
* ... please send me any missing that are good
## Closing words

View File

@ -21,7 +21,7 @@ training, then we can highly recommend the following:
* [https://github.com/antonio-morales/Fuzzing101](https://github.com/antonio-morales/Fuzzing101)
Here is a good forkflow description (and tutorial) for qemu_mode:
Here is a good workflow description (and tutorial) for qemu_mode:
* [https://airbus-seclab.github.io/AFLplusplus-blogpost/](https://airbus-seclab.github.io/AFLplusplus-blogpost/)
@ -41,6 +41,9 @@ structure is), these links have you covered (some are outdated though):
* Superion for AFL++:
[https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)
For a very in-depth explanation on how AFL++ works check out:
[https://blog.ritsec.club/posts/afl-under-hood/](https://blog.ritsec.club/posts/afl-under-hood/)
## Video Tutorials
* [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA)

View File

@ -166,7 +166,7 @@ static void afl_print_env(void) {
if (fd < 0) {
FWARNF("Failed to open /proc/self/cmdline, errno: (%d)", errno);
FWARNF("Failed to open /proc/self/environ, errno: (%d)", errno);
return;
}
@ -174,7 +174,7 @@ static void afl_print_env(void) {
ssize_t bytes_read = read(fd, buffer, PROC_MAX - 1);
if (bytes_read < 0) {
FFATAL("Failed to read /proc/self/cmdline, errno: (%d)", errno);
FFATAL("Failed to read /proc/self/environ, errno: (%d)", errno);
}
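Review bot: the message fix is correct, but the two hunks handle failures on the same file inconsistently: a failed `open` of /proc/self/environ only emits `FWARNF` and returns, while a failed `read` is `FFATAL` and aborts the target. Since `afl_print_env` is a diagnostic dump, the read failure should probably also warn and return (closing the fd first), or both should be fatal; pick one.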

View File

@ -653,7 +653,7 @@ void ranges_init(void) {
/*
* After step 4 we have the total ranges to be instrumented, we now subtract
* that either from the original ranges of the modules or from the whole
* memory if AFL_INST_NO_DYNAMIC_LOAD to configure the stalker.
* memory if AFL_FRIDA_INST_NO_DYNAMIC_LOAD to configure the stalker.
*/
if (ranges_inst_dynamic_load) {

View File

@ -1082,6 +1082,7 @@ u32 mutation_strategy_exploration_binary[MUT_STRATEGY_ARRAY_SIZE] = {
MUT_CLONE_COPY,
MUT_CLONE_COPY,
MUT_CLONE_COPY,
MUT_CLONE_COPY,
MUT_CLONE_FIXED,
MUT_CLONE_FIXED,
MUT_CLONE_FIXED,
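Review bot: adding a fifth `MUT_CLONE_COPY` entry changes the relative weight of that strategy in `mutation_strategy_exploration_binary`, and the array is declared with a fixed size `MUT_STRATEGY_ARRAY_SIZE`. Unless another entry was removed in a part of the initializer not shown here, it now has one element too many (a compile error), or, if the declared size is larger than the initializer, the trailing zero-initialized slots would silently select strategy 0. Please confirm the element count still equals MUT_STRATEGY_ARRAY_SIZE.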
@ -2456,14 +2457,14 @@ inline u32 afl_mutate(afl_state_t *afl, u8 *buf, u32 len, u32 steps,
}
char buf[20];
snprintf(buf, sizeof(buf), "%" PRId64, val);
char numbuf[32];
snprintf(numbuf, sizeof(buf), "%" PRId64, val);
u32 old_len = off2 - off;
u32 new_len = strlen(buf);
u32 new_len = strlen(numbuf);
if (old_len == new_len) {
memcpy(buf + off, buf, new_len);
memcpy(buf + off, numbuf, new_len);
} else {
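Review bot: `snprintf(numbuf, sizeof(buf), "%" PRId64, val);` still passes `sizeof(buf)`. After the rename, `buf` refers to the `u8 *buf` parameter of `afl_mutate`, so the size argument is the size of a pointer (8 bytes on 64-bit) and any value longer than seven characters, including every negative or large int64, is truncated. It must be `sizeof(numbuf)`, as the MUT_INSERTASCIINUM hunk below already does. The rename itself is the real fix here: the old local `char buf[20]` shadowed the input buffer, so `memcpy(buf + off, buf, new_len)` wrote past a 20-byte stack array instead of into the test case.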
@ -2473,7 +2474,7 @@ inline u32 afl_mutate(afl_state_t *afl, u8 *buf, u32 len, u32 steps,
/* Inserted part */
memcpy(tmp_buf + off, buf, new_len);
memcpy(tmp_buf + off, numbuf, new_len);
/* Tail */
memcpy(tmp_buf + off + new_len, buf + off2, len - off2);
@ -2490,12 +2491,13 @@ inline u32 afl_mutate(afl_state_t *afl, u8 *buf, u32 len, u32 steps,
case MUT_INSERTASCIINUM: {
u32 len = 1 + rand_below(afl, 8);
u32 ins_len = 1 + rand_below(afl, 8);
u32 pos = rand_below(afl, len);
/* Insert ascii number. */
if (unlikely(len < pos + len)) {
if (unlikely(len < pos + ins_len)) {
// no retry if we have a small input
if (unlikely(len < 8)) {
break;
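Review bot: renaming the local to `ins_len` fixes a shadowing bug: the previous `u32 len = 1 + rand_below(afl, 8);` hid the `len` parameter, so `rand_below(afl, len)` picked `pos` within 1..8 rather than within the input, and `len < pos + len` compared the wrong quantities. With the corrected `len < pos + ins_len`, a write of `ins_len` bytes at `buf + pos` stays inside the buffer, and the `if (unlikely(len < 8)) break;` fallback now tests the real input length as intended.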
@ -2509,9 +2511,22 @@ inline u32 afl_mutate(afl_state_t *afl, u8 *buf, u32 len, u32 steps,
}
u64 val = rand_next(afl);
char buf[20];
snprintf(buf, sizeof(buf), "%llu", val);
memcpy(buf + pos, buf, len);
char numbuf[32];
snprintf(numbuf, sizeof(numbuf), "%llu", val);
size_t val_len = strlen(numbuf), off;
if (ins_len > val_len) {
ins_len = val_len;
off = 0;
} else {
off = val_len - ins_len;
}
memcpy(buf + pos, numbuf + off, ins_len);
break;
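Review bot: `snprintf(numbuf, sizeof(numbuf), "%llu", val);` formats a `u64` with `%llu`; on LP64 Linux u64 is typically `unsigned long`, which trips -Wformat, so use `"%" PRIu64` as the earlier hunk does with PRId64. Also, despite the name MUT_INSERTASCIINUM and the `/* Insert ascii number. */` comment, `memcpy(buf + pos, numbuf + off, ins_len);` overwrites `ins_len` bytes in place and `len` is unchanged, so this is an overwrite mutation rather than an insertion; either rename and re-comment it or grow the buffer the way the other branch does with `tmp_buf`. Minor: `size_t val_len = strlen(numbuf), off;` declares two variables with different roles in one statement; split them.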

View File

@ -26,7 +26,7 @@
/* Version string: */
// c = release, a = volatile github dev, e = experimental branch
#define VERSION "++4.09a"
#define VERSION "++4.10a"
/******************************************************
* *

View File

@ -172,6 +172,7 @@ static char *afl_environment_variables[] = {
"AFL_LLVM_LTO_DONTWRITEID",
"AFL_LLVM_LTO_SKIPINIT"
"AFL_LLVM_LTO_STARTID",
"AFL_FUZZER_LOOPCOUNT",
"AFL_NO_ARITH",
"AFL_NO_AUTODICT",
"AFL_NO_BUILTIN",
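Review bot: the unchanged line directly above the insertion, `"AFL_LLVM_LTO_SKIPINIT"`, has no trailing comma, so adjacent string literal concatenation merges it with the next entry into the single string `"AFL_LLVM_LTO_SKIPINITAFL_LLVM_LTO_STARTID"`. Neither AFL_LLVM_LTO_SKIPINIT nor AFL_LLVM_LTO_STARTID is therefore present in `afl_environment_variables`, and any check for unknown or misspelled AFL_ variables built on this array will not recognise them. Add the comma. Also, if this list is meant to be alphabetical, `AFL_FUZZER_LOOPCOUNT` belongs with the other AFL_F entries rather than between AFL_LLVM_LTO_* and AFL_NO_ARITH.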

View File

@ -692,33 +692,37 @@ bool ModuleSanitizerCoverageLTO::instrumentModule(
* prototype */
FunctionType *FT = Callee->getFunctionType();
isStrcmp &= FT->getNumParams() == 2 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext());
isStrcasecmp &= FT->getNumParams() == 2 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext());
isStrcmp &=
FT->getNumParams() == 2 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0);
isStrcasecmp &=
FT->getNumParams() == 2 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0);
isMemcmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0)->isPointerTy() &&
FT->getParamType(1)->isPointerTy() &&
FT->getParamType(2)->isIntegerTy();
isStrncmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext()) &&
FT->getParamType(2)->isIntegerTy();
isStrncasecmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext()) &&
FT->getParamType(2)->isIntegerTy();
isStrncmp &=
FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0) &&
FT->getParamType(2)->isIntegerTy();
isStrncasecmp &=
FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0) &&
FT->getParamType(2)->isIntegerTy();
isStdString &= FT->getNumParams() >= 2 &&
FT->getParamType(0)->isPointerTy() &&
FT->getParamType(1)->isPointerTy();
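Review bot: replacing `IntegerType::getInt8PtrTy(M.getContext())` with `IntegerType::getInt8Ty(M.getContext())->getPointerTo(0)` restores the build on LLVM 18, where getInt8PtrTy is gone, but `Type::getPointerTo` has since been deprecated upstream as well; `PointerType::get(M.getContext(), 0)` names the same opaque pointer type and is the forward-compatible spelling. It would also help to state in a comment that with opaque pointers these comparisons only establish "pointer in address space 0", so `FT->getParamType(0) == FT->getParamType(1)` no longer distinguishes `char *` from other pointer arguments and the name-based matching is what really selects strcmp-like callees. This block is duplicated verbatim in the dict2file, cmplog-routines and compare-transform passes in this same commit; a shared helper would avoid fixing it four times at the next LLVM bump.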
@ -1241,7 +1245,11 @@ void ModuleSanitizerCoverageLTO::instrumentFunction(
if (F.empty()) return;
if (F.getName().find(".module_ctor") != std::string::npos)
return; // Should not instrument sanitizer init functions.
#if LLVM_VERSION_MAJOR >= 18
if (F.getName().starts_with("__sanitizer_"))
#else
if (F.getName().startswith("__sanitizer_"))
#endif
return; // Don't instrument __sanitizer_* callbacks.
// Don't touch available_externally functions, their actual body is elsewhere.
if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return;
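Review bot: the `#if LLVM_VERSION_MAJOR >= 18` switch between `starts_with` and `startswith` is correct, but the identical five-line block appears again in the second sanitizer-coverage pass in this commit; a small compatibility macro in a shared header that expands to `starts_with` on 18+ and `startswith` otherwise would keep the version logic in one place.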
@ -1493,7 +1501,7 @@ GlobalVariable *ModuleSanitizerCoverageLTO::CreateFunctionLocalArrayInSection(
Array->setComdat(Comdat);
#endif
Array->setSection(getSectionName(Section));
Array->setAlignment(Align(DL->getTypeStoreSize(Ty).getFixedSize()));
Array->setAlignment(Align(DL->getTypeStoreSize(Ty).getFixedValue()));
GlobalsToAppendToUsed.push_back(Array);
GlobalsToAppendToCompilerUsed.push_back(Array);
MDNode *MD = MDNode::get(F.getContext(), ValueAsMetadata::get(&F));
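Review bot: `DL->getTypeStoreSize(Ty).getFixedValue()` replaces `getFixedSize()` without a version guard; `TypeSize::getFixedValue` only exists in recent LLVM releases, so if the LTO pass is still expected to build against the older LLVM versions AFL++ supports this needs an `#if LLVM_VERSION_MAJOR` guard like the `starts_with` change above, or the minimum LLVM version for LTO mode should be raised in the docs.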

View File

@ -572,7 +572,11 @@ void ModuleSanitizerCoverageAFL::instrumentFunction(
if (!isInInstrumentList(&F, FMNAME)) return;
if (F.getName().find(".module_ctor") != std::string::npos)
return; // Should not instrument sanitizer init functions.
#if LLVM_VERSION_MAJOR >= 18
if (F.getName().starts_with("__sanitizer_"))
#else
if (F.getName().startswith("__sanitizer_"))
#endif
return; // Don't instrument __sanitizer_* callbacks.
// Don't touch available_externally functions, their actual body is elewhere.
if (F.getLinkage() == GlobalValue::AvailableExternallyLinkage) return;
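Review bot: typo in the unchanged context line `their actual body is elewhere.` (`elsewhere`; the same comment in the LTO pass above spells it correctly). The `#if LLVM_VERSION_MAJOR >= 18` block is the same one as in the LTO pass and is a candidate for the shared macro suggested there.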

View File

@ -97,11 +97,15 @@ bool isIgnoreFunction(const llvm::Function *F) {
static constexpr const char *ignoreSubstringList[] = {
"__asan", "__msan", "__ubsan", "__lsan", "__san", "__sanitize",
"__cxx", "DebugCounter", "DwarfDebug", "DebugLoc"
"__asan", "__msan", "__ubsan", "__lsan", "__san",
"__sanitize", "DebugCounter", "DwarfDebug", "DebugLoc"
};
// This check is very sensitive, we must be sure to not include patterns
// that are part of user-written C++ functions like the ones including
// std::string as parameter (see #1927) as the mangled type is inserted in the
// mangled name of the user-written function
for (auto const &ignoreListFunc : ignoreSubstringList) {
// hexcoder: F->getName().contains() not avaiilable in llvm 3.8.0
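Review bot: dropping `"__cxx"` from `ignoreSubstringList` means functions whose mangled names contain it are instrumented again, which includes compiler-generated symbols such as `__cxx_global_var_init` (dynamic initialization of globals, run before main) as well as the user-written functions with `std::string` parameters that the comment below describes. The changelog entry says this may break a few targets; stating the concrete symptom to look for would make bug reports actionable. Also a typo in the unchanged comment line: `avaiilable`.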

View File

@ -433,32 +433,35 @@ bool AFLdict2filePass::runOnModule(Module &M) {
isStrstr &=
FT->getNumParams() == 2 &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0);
isStrcmp &=
FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0);
isStrcasecmp &=
FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0);
isMemcmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0)->isPointerTy() &&
FT->getParamType(1)->isPointerTy() &&
FT->getParamType(2)->isIntegerTy();
isStrncmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext()) &&
FT->getParamType(2)->isIntegerTy();
isStrncasecmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext()) &&
FT->getParamType(2)->isIntegerTy();
isStrncmp &=
FT->getNumParams() == 3 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0) &&
FT->getParamType(2)->isIntegerTy();
isStrncasecmp &=
FT->getNumParams() == 3 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0) &&
FT->getParamType(2)->isIntegerTy();
isStdString &= FT->getNumParams() >= 2 &&
FT->getParamType(0)->isPointerTy() &&
FT->getParamType(1)->isPointerTy();
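Review bot: same replacement as in the LTO pass; the note there about `PointerType::get(M.getContext(), 0)` and a shared helper applies here too. One difference worth keeping in mind when the helper is written: `isStrstr` in this file intentionally has no `isIntegerTy(32)` return-type check, since strstr returns a pointer, so the helper needs a variant without that condition.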

View File

@ -385,7 +385,8 @@ bool CmpLogRoutines::hookRtns(Module &M) {
isStrcmp &=
FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0);
bool isStrncmp = (!FuncName.compare("strncmp") ||
!FuncName.compare("xmlStrncmp") ||
@ -398,12 +399,12 @@ bool CmpLogRoutines::hookRtns(Module &M) {
!FuncName.compare("g_ascii_strncasecmp") ||
!FuncName.compare("Curl_strncasecompare") ||
!FuncName.compare("g_strncasecmp"));
isStrncmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext()) &&
FT->getParamType(2)->isIntegerTy();
isStrncmp &=
FT->getNumParams() == 3 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0) &&
FT->getParamType(2)->isIntegerTy();
bool isGccStdStringStdString =
Callee->getName().find("__is_charIT_EE7__value") !=

View File

@ -271,28 +271,30 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
isStrcmp &=
FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0);
isStrcasecmp &=
FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext());
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0);
isMemcmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0)->isPointerTy() &&
FT->getParamType(1)->isPointerTy() &&
FT->getParamType(2)->isIntegerTy();
isStrncmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext()) &&
FT->getParamType(2)->isIntegerTy();
isStrncasecmp &= FT->getNumParams() == 3 &&
FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8PtrTy(M.getContext()) &&
FT->getParamType(2)->isIntegerTy();
isStrncmp &=
FT->getNumParams() == 3 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0) &&
FT->getParamType(2)->isIntegerTy();
isStrncasecmp &=
FT->getNumParams() == 3 && FT->getReturnType()->isIntegerTy(32) &&
FT->getParamType(0) == FT->getParamType(1) &&
FT->getParamType(0) ==
IntegerType::getInt8Ty(M.getContext())->getPointerTo(0) &&
FT->getParamType(2)->isIntegerTy();
if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp &&
!isStrncasecmp && !isIntMemcpy)

View File

@ -2313,7 +2313,7 @@ int main(int argc, char **argv, char **envp) {
"0x10000\n"
" AFL_LLVM_DOCUMENT_IDS: write all edge IDs and the corresponding "
"functions\n"
" into this file\n"
" into this file (LTO mode)\n"
" AFL_LLVM_LTO_DONTWRITEID: don't write the highest ID used to a "
"global var\n"
" AFL_LLVM_LTO_STARTID: from which ID to start counting from for "

View File

@ -459,6 +459,17 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (unlikely(fault == FSRV_RUN_TMOUT && afl->afl_env.afl_ignore_timeouts)) {
if (likely(afl->schedule >= FAST && afl->schedule <= RARE)) {
classify_counts(&afl->fsrv);
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
// Saturated increment
if (likely(afl->n_fuzz[cksum % N_FUZZ_SIZE] < 0xFFFFFFFF))
afl->n_fuzz[cksum % N_FUZZ_SIZE]++;
}
return 0;
}
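Review bot: the range test `afl->schedule >= FAST && afl->schedule <= RARE` relies on the enum order of the power schedules and deserves a comment saying so, otherwise a reordered enum silently disables this block. Also confirm that `hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST)` computed here after `classify_counts` is exactly how `n_fuzz` is indexed on the normal non-timeout path; if the two differ, a path that times out only sometimes gets counted in two different buckets and the frequency estimate the fast schedules use is skewed rather than fixed.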

View File

@ -89,9 +89,8 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->w_end = 0.3;
afl->g_max = 5000;
afl->period_pilot_tmp = 5000.0;
afl->schedule = FAST; /* Power schedule (default: FAST) */
afl->schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/
afl->havoc_max_mult = HAVOC_MAX_MULT;
afl->clear_screen = 1; /* Window resized? */
afl->havoc_div = 1; /* Cycle count divisor for havoc */
afl->stage_name = "init"; /* Name of the current fuzz stage */
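Review bot: the comment `/* Power schedule (default: EXPLORE)*/` is missing the space before `*/` that the surrounding column-aligned comments have. Beyond style, the `-p` usage text points readers to docs/FAQ.md for schedule details; make sure that page does not still describe fast as the default.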

View File

@ -138,7 +138,7 @@ static void usage(u8 *argv0, int more_help) {
"to\n"
" exploit mode, and back on new coverage (default: %u)\n"
" -p schedule - power schedules compute a seed's performance score:\n"
" fast(default), explore, exploit, seek, rare, mmopt, "
" explore(default), fast, exploit, seek, rare, mmopt, "
"coe, lin\n"
" quad -- see docs/FAQ.md for more information\n"
" -f file - location read by the fuzzed program (default: stdin "

View File

@ -292,6 +292,7 @@ __attribute__((weak)) int main(int argc, char **argv) {
"afl-fuzz will run N iterations before re-spawning the process "
"(default: "
"INT_MAX)\n"
"You can also use AFL_FUZZER_LOOPCOUNT to set N\n"
"For stdin input processing, pass '-' as single command line option.\n"
"For file input processing, pass '@@' as single command line option.\n"
"To use with afl-cmin or afl-cmin.bash pass '-' as single command line "
@ -379,6 +380,12 @@ __attribute__((weak)) int LLVMFuzzerRunDriver(
}
if (getenv("AFL_FUZZER_LOOPCOUNT")) {
N = atoi(getenv("AFL_FUZZER_LOOPCOUNT"));
}
assert(N > 0);
__afl_manual_init();
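Review bot: `N = atoi(getenv("AFL_FUZZER_LOOPCOUNT"));` accepts any string: a value like `abc` or `0` becomes 0 and then trips `assert(N > 0)`, which aborts with an assertion message rather than a usable error, and in a build compiled with NDEBUG the assert disappears and N stays 0. Parse with strtol, check the end pointer and range, and fail with a clear message naming the variable. Note also that the variable is read after the command-line N has been parsed, so it silently overrides an explicit argument; the usage line added above should say which one takes precedence.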