ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 02:58:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix conflicts

Browse Source
This commit is contained in:
Andrea Fioraldi
2020-06-03 11:41:30 +02:00
parent f1192b2d16 fc164e4709
commit 2d8c3d2934
13 changed files with 89 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
examples/aflpp_driver/aflpp_qemu_driver.c
View File

@ -17,8 +17,8 @@ void afl_qemu_driver_stdin_input(void) {
}
int main(int argc, char **argv) {
if (LLVMFuzzerInitialize)
LLVMFuzzerInitialize(&argc, &argv);
if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv);
// Do any other expensive one-time initialization here.
if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) {
@ -33,4 +33,6 @@ int main(int argc, char **argv) {
}
return 0;
}

1
examples/aflpp_driver/aflpp_qemu_driver_hook.c
View File

@ -19,3 +19,4 @@ int afl_persistent_hook_init(void) {
return 1;
}

7
examples/qemu_persistent_hook/read_into_rdi.c
View File

@ -44,8 +44,7 @@ void afl_persistent_hook(uint64_t *regs, uint64_t guest_base,
printf("placing input into %p\n", regs[R_EDI]);
if (input_len > 1024)
input_len = 1024;
if (input_len > 1024) input_len = 1024;
memcpy(g2h(regs[R_EDI]), input_buf, input_len);
regs[R_ESI] = input_len;
@ -53,7 +52,9 @@ void afl_persistent_hook(uint64_t *regs, uint64_t guest_base,
int afl_persistent_hook_init(void) {
// 1 for shared memory input (faster), 0 for normal input (you have to use read(), input_buf will be NULL)
// 1 for shared memory input (faster), 0 for normal input (you have to use
// read(), input_buf will be NULL)
return 1;
}

3
qemu_mode/patches/afl-qemu-common.h
View File

@ -63,8 +63,7 @@
#define INC_AFL_AREA(loc) afl_area_ptr[loc]++
#endif
typedef void (*afl_persistent_hook_fn)(uint64_t *regs,
uint64_t guest_base,
typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base,
uint8_t *input_buf,
uint32_t input_buf_len);

11
qemu_mode/patches/afl-qemu-cpu-inl.h
View File

@ -163,7 +163,8 @@ static void afl_map_shm_fuzz(void) {
} else {
fprintf(stderr, "[AFL] ERROR: variable for fuzzing shared memory is not set\n");
fprintf(stderr,
"[AFL] ERROR: variable for fuzzing shared memory is not set\n");
exit(1);
}
@ -283,8 +284,8 @@ void afl_setup(void) {
}
int (*afl_persistent_hook_init_ptr)(void) = dlsym(plib,
"afl_persistent_hook_init");
int (*afl_persistent_hook_init_ptr)(void) =
dlsym(plib, "afl_persistent_hook_init");
if (afl_persistent_hook_init_ptr)
sharedmem_fuzzing = afl_persistent_hook_init_ptr();
@ -359,7 +360,8 @@ void afl_forkserver(CPUState *cpu) {
afl_map_shm_fuzz();
else {
fprintf(stderr, "[AFL] ERROR: afl-fuzz is old and does not support"
fprintf(stderr,
"[AFL] ERROR: afl-fuzz is old and does not support"
" shmem input");
exit(1);
@ -459,7 +461,6 @@ void afl_forkserver(CPUState *cpu) {
}
/* A simplified persistent mode handler, used as explained in
* llvm_mode/README.md. */

6
src/afl-common.c
View File

@ -253,7 +253,8 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
"binaries that are\n"
" instrumented at compile time with afl-gcc. It is also possible to "
"use it as a\n"
" traditional non-instrumented fuzzer by specifying '-n' in the command "
" traditional non-instrumented fuzzer by specifying '-n' in the "
"command "
"line.\n");
FATAL("Failed to locate 'afl-qemu-trace'.");
@ -353,7 +354,8 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
"binaries that are\n"
" instrumented at compile time with afl-gcc. It is also possible to "
"use it as a\n"
" traditional non-instrumented fuzzer by specifying '-n' in the command "
" traditional non-instrumented fuzzer by specifying '-n' in the "
"command "
"line.\n",
ncp);

4
src/afl-forkserver.c
View File

@ -524,7 +524,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
} else {
FATAL("Target requested sharedmem fuzzing, but we failed to enable it.");
FATAL(
"Target requested sharedmem fuzzing, but we failed to enable "
"it.");
}

9
src/afl-fuzz-init.c
View File

@ -1859,7 +1859,11 @@ void fix_up_sync(afl_state_t *afl) {
u8 *x = afl->sync_id;
if (afl->non_instrumented_mode) { FATAL("-S / -M and -n are mutually exclusive"); }
if (afl->non_instrumented_mode) {
FATAL("-S / -M and -n are mutually exclusive");
}
while (*x) {
@ -2126,7 +2130,8 @@ void check_binary(afl_state_t *afl, u8 *fname) {
#endif /* ^!__APPLE__ */
if (!afl->fsrv.qemu_mode && !afl->unicorn_mode && !afl->non_instrumented_mode &&
if (!afl->fsrv.qemu_mode && !afl->unicorn_mode &&
!afl->non_instrumented_mode &&
!memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) {
SAYF("\n" cLRD "[-] " cRST

15
src/afl-fuzz-one.c
View File

@ -512,7 +512,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
* TRIMMING *
************/
if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done && !afl->disable_trim) {
if (!afl->non_instrumented_mode && !afl->queue_cur->trim_done &&
!afl->disable_trim) {
u8 res = trim_case(afl, afl->queue_cur, in_buf);
@ -579,8 +580,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
/* Skip deterministic fuzzing if exec path checksum puts this out of scope
for this main instance. */
if (afl->main_node_max &&
(afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) {
if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) !=
afl->main_node_id - 1) {
goto custom_mutator_stage;
@ -2732,8 +2733,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
/* Skip deterministic fuzzing if exec path checksum puts this out of scope
for this main instance. */
if (afl->main_node_max &&
(afl->queue_cur->exec_cksum % afl->main_node_max) != afl->main_node_id - 1) {
if (afl->main_node_max && (afl->queue_cur->exec_cksum % afl->main_node_max) !=
afl->main_node_id - 1) {
goto havoc_stage;
@ -2975,8 +2976,8 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
u32 cksum;
/* If in non-instrumented mode or if the file is very short, just flag everything
without wasting time on checksums. */
/* If in non-instrumented mode or if the file is very short, just flag
everything without wasting time on checksums. */
if (!afl->non_instrumented_mode && len >= EFF_MIN_LEN) {

7
src/afl-fuzz-run.c
View File

@ -562,10 +562,11 @@ void sync_fuzzers(afl_state_t *afl) {
closedir(sd);
// If we are a secondary and no main was found to sync then become the main
if (unlikely(synced == 0) && likely(entries) && likely(afl->is_secondary_node)) {
if (unlikely(synced == 0) && likely(entries) &&
likely(afl->is_secondary_node)) {
// there is a small race condition here that another secondary runs at the same
// time. If so, the first temporary main node running again will demote
// there is a small race condition here that another secondary runs at the
// same time. If so, the first temporary main node running again will demote
// themselves so this is not an issue
u8 path[PATH_MAX];

9
src/afl-fuzz-stats.c
View File

@ -126,8 +126,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
t_bytes, afl->var_byte_count, afl->use_banner,
afl->unicorn_mode ? "unicorn" : "", afl->fsrv.qemu_mode ? "qemu " : "",
afl->non_instrumented_mode ? " non_instrumented " : "",
afl->no_forkserver ? "no_fsrv " : "",
afl->crash_mode ? "crash " : "",
afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "",
afl->persistent_mode ? "persistent " : "",
afl->shmem_testcase_mode ? "shmem_testcase " : "",
afl->deferred_mode ? "deferred " : "",
@ -526,7 +525,8 @@ void show_stats(afl_state_t *afl) {
t_byte_ratio);
SAYF(" map density : %s%-21s" bSTG bV "\n",
t_byte_ratio > 70 ? cLRD
t_byte_ratio > 70
? cLRD
: ((t_bytes < 200 && !afl->non_instrumented_mode) ? cPIN : cRST),
tmp);
@ -1022,7 +1022,8 @@ void show_init_stats(afl_state_t *afl) {
}
/* In non-instrumented mode, re-running every timing out test case with a generous time
/* In non-instrumented mode, re-running every timing out test case with a
generous time
limit is very expensive, so let's select a more conservative default. */
if (afl->non_instrumented_mode && !(afl->afl_env.afl_hang_tmout)) {

19
src/afl-fuzz.c
View File

@ -379,9 +379,11 @@ int main(int argc, char **argv_orig, char **envp) {
*c = 0;
if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) != 2 ||
if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) !=
2 ||
!afl->main_node_id || !afl->main_node_max ||
afl->main_node_id > afl->main_node_max || afl->main_node_max > 1000000) {
afl->main_node_id > afl->main_node_max ||
afl->main_node_max > 1000000) {
FATAL("Bogus main node ID passed to -M");
@ -533,7 +535,12 @@ int main(int argc, char **argv_orig, char **envp) {
case 'n': /* dumb mode */
if (afl->non_instrumented_mode) { FATAL("Multiple -n options not supported"); }
if (afl->non_instrumented_mode) {
FATAL("Multiple -n options not supported");
}
if (afl->afl_env.afl_dumb_forksrv) {
afl->non_instrumented_mode = 2;
@ -793,10 +800,12 @@ int main(int argc, char **argv_orig, char **envp) {
OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL");
OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL");
if (afl->sync_id && afl->is_main_node && afl->afl_env.afl_custom_mutator_only) {
if (afl->sync_id && afl->is_main_node &&
afl->afl_env.afl_custom_mutator_only) {
WARNF(
"Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options will "
"Using -M main node with the AFL_CUSTOM_MUTATOR_ONLY mutator options "
"will "
"result in no deterministic mutations being done!");
}

19
src/afl-sharedmem.c
View File

@ -96,7 +96,8 @@ void afl_shm_deinit(sharedmem_t *shm) {
Returns a pointer to shm->map for ease of use.
*/
u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrumented_mode) {
u8 *afl_shm_init(sharedmem_t *shm, size_t map_size,
unsigned char non_instrumented_mode) {
shm->map_size = map_size;
@ -137,10 +138,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrument
}
/* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode,
we don't want them to detect instrumentation, since we won't be sending
fork server commands. This should be replaced with better auto-detection
later on, perhaps? */
/* If somebody is asking us to fuzz instrumented binaries in non-instrumented
mode, we don't want them to detect instrumentation, since we won't be
sending fork server commands. This should be replaced with better
auto-detection later on, perhaps? */
if (!non_instrumented_mode) setenv(SHM_ENV_VAR, shm->g_shm_file_path, 1);
@ -164,10 +165,10 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char non_instrument
shm_str = alloc_printf("%d", shm->shm_id);
/* If somebody is asking us to fuzz instrumented binaries in non-instrumented mode,
we don't want them to detect instrumentation, since we won't be sending
fork server commands. This should be replaced with better auto-detection
later on, perhaps? */
/* If somebody is asking us to fuzz instrumented binaries in non-instrumented
mode, we don't want them to detect instrumentation, since we won't be
sending fork server commands. This should be replaced with better
auto-detection later on, perhaps? */
if (!non_instrumented_mode) { setenv(SHM_ENV_VAR, shm_str, 1); }