ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-16 20:08:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix shmem persistent mode

Browse Source
This commit is contained in:
van Hauser
2020-06-04 02:37:05 +02:00
parent e11922e5cc
commit 35ddec7aeb
5 changed files with 15 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
examples/persistent_demo/persistent_demo_new.c
View File

@ -45,7 +45,7 @@ int main(int argc, char **argv) {
__AFL_INIT(); __AFL_INIT();
buf = __AFL_FUZZ_TESTCASE_BUF; buf = __AFL_FUZZ_TESTCASE_BUF;
while (__AFL_LOOP(1000)) { while (__AFL_LOOP(1000)) { // increase if you have good stability
len = __AFL_FUZZ_TESTCASE_LEN; len = __AFL_FUZZ_TESTCASE_LEN;

4
examples/persistent_demo/test-instr.c
View File

@ -25,7 +25,7 @@ int main(int argc, char **argv) {
__AFL_INIT(); __AFL_INIT();
unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;
while (__AFL_LOOP(2147483647)) { while (__AFL_LOOP(2147483647)) { // MAX_INT if you have 100% stability
unsigned int len = __AFL_FUZZ_TESTCASE_LEN; unsigned int len = __AFL_FUZZ_TESTCASE_LEN;
@ -50,6 +50,8 @@ int main(int argc, char **argv) {
counter++; counter++;
#endif #endif
fprintf(stderr, "len: %u\n", len);
if (!len) continue; if (!len) continue;
if (buf[0] == '0') if (buf[0] == '0')

4
llvm_mode/afl-clang-fast.c
View File

@ -495,14 +495,14 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
"-D__AFL_FUZZ_INIT()=" "-D__AFL_FUZZ_INIT()="
"int __afl_sharedmem_fuzzing = 1;" "int __afl_sharedmem_fuzzing = 1;"
"extern unsigned int __afl_fuzz_len;" "extern unsigned int *__afl_fuzz_len;"
"extern unsigned char *__afl_fuzz_ptr;" "extern unsigned char *__afl_fuzz_ptr;"
"unsigned char *__afl_fuzz_alt_ptr;"; "unsigned char *__afl_fuzz_alt_ptr;";
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
"-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : " "-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : "
"(__afl_fuzz_alt_ptr = malloc(1 * 1024 * 1024)))"; "(__afl_fuzz_alt_ptr = malloc(1 * 1024 * 1024)))";
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =
"-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? __afl_fuzz_len : read(0, " "-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : read(0, "
"__afl_fuzz_alt_ptr, 1 * 1024 * 1024))"; "__afl_fuzz_alt_ptr, 1 * 1024 * 1024))";
cc_params[cc_par_cnt++] = cc_params[cc_par_cnt++] =

17
llvm_mode/afl-llvm-rt.o.c
View File

@ -77,9 +77,8 @@ u8 __afl_area_initial[MAP_SIZE];
u8 * __afl_area_ptr = __afl_area_initial; u8 * __afl_area_ptr = __afl_area_initial;
u8 * __afl_dictionary; u8 * __afl_dictionary;
u8 * __afl_fuzz_ptr; u8 * __afl_fuzz_ptr;
u32 __afl_fuzz_len;
u32 __afl_fuzz_len_dummy; u32 __afl_fuzz_len_dummy;
u32 *__afl_fuzz_len_shmem = &__afl_fuzz_len_dummy; u32 *__afl_fuzz_len = &__afl_fuzz_len_dummy;
u32 __afl_final_loc; u32 __afl_final_loc;
u32 __afl_map_size = MAP_SIZE; u32 __afl_map_size = MAP_SIZE;
@ -138,19 +137,19 @@ static void __afl_map_shm_fuzz() {
} }
__afl_fuzz_len_shmem = __afl_fuzz_len =
(u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0); (u32 *)mmap(0, MAX_FILE, PROT_READ, MAP_SHARED, shm_fd, 0);
#else #else
u32 shm_id = atoi(id_str); u32 shm_id = atoi(id_str);
__afl_fuzz_len_shmem = (u32 *)shmat(shm_id, NULL, 0); __afl_fuzz_len = (u32 *)shmat(shm_id, NULL, 0);
#endif #endif
/* Whooooops. */ /* Whooooops. */
if (__afl_fuzz_len_shmem == (void *)-1) { if (__afl_fuzz_len == (void *)-1) {
fprintf(stderr, "Error: could not access fuzzing shared memory\n"); fprintf(stderr, "Error: could not access fuzzing shared memory\n");
exit(1); exit(1);
@ -167,7 +166,7 @@ static void __afl_map_shm_fuzz() {
} }
__afl_fuzz_ptr = (u8 *)(__afl_fuzz_len_shmem + sizeof(int)); __afl_fuzz_ptr = (u8 *)(__afl_fuzz_len + sizeof(int));
} }
@ -457,7 +456,7 @@ static void __afl_start_snapshots(void) {
s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (fd_doc >= 0) { if (fd_doc >= 0) {
if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { if (write(fd_doc, __afl_fuzz_ptr, *__afl_fuzz_len) != *__afl_fuzz_len) {
fprintf(stderr, "write of mutation file failed: %s\n", fn); fprintf(stderr, "write of mutation file failed: %s\n", fn);
unlink(fn); unlink(fn);
@ -657,7 +656,7 @@ static void __afl_start_forkserver(void) {
s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); s32 fd_doc = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (fd_doc >= 0) { if (fd_doc >= 0) {
if (write(fd_doc, __afl_fuzz_ptr, __afl_fuzz_len) != __afl_fuzz_len) { if (write(fd_doc, __afl_fuzz_ptr, *__afl_fuzz_len) != *__afl_fuzz_len) {
fprintf(stderr, "write of mutation file failed: %s\n", fn); fprintf(stderr, "write of mutation file failed: %s\n", fn);
unlink(fn); unlink(fn);
@ -770,8 +769,6 @@ int __afl_persistent_loop(unsigned int max_cnt) {
raise(SIGSTOP); raise(SIGSTOP);
__afl_fuzz_len = *__afl_fuzz_len_shmem;
__afl_area_ptr[0] = 1; __afl_area_ptr[0] = 1;
memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T)); memset(__afl_prev_loc, 0, NGRAM_SIZE_MAX * sizeof(PREV_LOC_T));

3
src/afl-forkserver.c
View File

@ -831,8 +831,9 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
if (fsrv->shmem_fuzz) { if (fsrv->shmem_fuzz) {
memcpy(fsrv->shmem_fuzz, buf, len);
*fsrv->shmem_fuzz_len = len; *fsrv->shmem_fuzz_len = len;
memcpy(fsrv->shmem_fuzz, buf, len);
// fprintf(stderr, "test case len: %u\n", *fsrv->shmem_fuzz_len);
} else { } else {