ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-15 03:18:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

small improvements to Marcel's patch, fix laf-intel + redqueen crashes

Browse Source
This commit is contained in:
van Hauser
2020-09-29 15:02:57 +02:00
parent fe08482c1b
commit 383cd487a2
12 changed files with 104 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/Changelog.md
View File

@ -14,6 +14,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- all compilers combined to afl-cc which emulates the previous ones - all compilers combined to afl-cc which emulates the previous ones
- afl-llvm/gcc-rt.o merged into afl-compiler-rt.o - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
- afl-fuzz - afl-fuzz
- Marcel Boehme submitted a patch that improves all AFFast schedules :)
- reading testcases from -i now descends into subdirectories - reading testcases from -i now descends into subdirectories
- allow up to 4 -x command line options - allow up to 4 -x command line options
- loaded extras now have a duplicate protection - loaded extras now have a duplicate protection

5
include/afl-fuzz.h
View File

@ -151,7 +151,8 @@ struct queue_entry {
is_ascii; /* Is the input just ascii text? */ is_ascii; /* Is the input just ascii text? */
u32 bitmap_size, /* Number of bits set in bitmap */ u32 bitmap_size, /* Number of bits set in bitmap */
fuzz_level; /* Number of fuzzing iterations */ fuzz_level, /* Number of fuzzing iterations */
n_fuzz_entry; /* offset in n_fuzz */
u64 exec_us, /* Execution time (us) */ u64 exec_us, /* Execution time (us) */
handicap, /* Number of queue cycles behind */ handicap, /* Number of queue cycles behind */
@ -491,7 +492,7 @@ typedef struct afl_state {
u8 *var_bytes; /* Bytes that appear to be variable */ u8 *var_bytes; /* Bytes that appear to be variable */
#define n_fuzz_size (1 << 21) #define N_FUZZ_SIZE (1 << 21)
u32 *n_fuzz; u32 *n_fuzz;
volatile u8 stop_soon, /* Ctrl-C pressed? */ volatile u8 stop_soon, /* Ctrl-C pressed? */

14
instrumentation/afl-llvm-dict2file.so.cc
View File

@ -381,8 +381,9 @@ bool AFLdict2filePass::runOnModule(Module &M) {
if (debug) if (debug)
fprintf(stderr, "F:%s %p(%s)->\"%s\"(%s) %p(%s)->\"%s\"(%s)\n", fprintf(stderr, "F:%s %p(%s)->\"%s\"(%s) %p(%s)->\"%s\"(%s)\n",
FuncName.c_str(), (void*)Str1P, Str1P->getName().str().c_str(), FuncName.c_str(), (void *)Str1P,
Str1.c_str(), HasStr1 == true ? "true" : "false", (void*)Str2P, Str1P->getName().str().c_str(), Str1.c_str(),
HasStr1 == true ? "true" : "false", (void *)Str2P,
Str2P->getName().str().c_str(), Str2.c_str(), Str2P->getName().str().c_str(), Str2.c_str(),
HasStr2 == true ? "true" : "false"); HasStr2 == true ? "true" : "false");
@ -436,7 +437,8 @@ bool AFLdict2filePass::runOnModule(Module &M) {
valueMap[Str1P] = new std::string(Str2); valueMap[Str1P] = new std::string(Str2);
if (debug) if (debug)
fprintf(stderr, "Saved: %s for %p\n", Str2.c_str(), (void*)Str1P); fprintf(stderr, "Saved: %s for %p\n", Str2.c_str(),
(void *)Str1P);
continue; continue;
} }
@ -455,7 +457,8 @@ bool AFLdict2filePass::runOnModule(Module &M) {
Str2 = *strng; Str2 = *strng;
HasStr2 = true; HasStr2 = true;
if (debug) if (debug)
fprintf(stderr, "Filled2: %s for %p\n", strng->c_str(), (void*)Str2P); fprintf(stderr, "Filled2: %s for %p\n", strng->c_str(),
(void *)Str2P);
} }
@ -497,7 +500,8 @@ bool AFLdict2filePass::runOnModule(Module &M) {
Str1 = *strng; Str1 = *strng;
HasStr1 = true; HasStr1 = true;
if (debug) if (debug)
fprintf(stderr, "Filled1: %s for %p\n", strng->c_str(), (void*)Str1P); fprintf(stderr, "Filled1: %s for %p\n", strng->c_str(),
(void *)Str1P);
} }

6
instrumentation/cmplog-instructions-pass.cc
View File

@ -210,7 +210,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
} }
if (!icomps.size()) return false; if (!icomps.size()) return false;
if (!be_quiet) errs() << "Hooking " << icomps.size() << " cmp instructions\n"; // if (!be_quiet) errs() << "Hooking " << icomps.size() << " cmp
// instructions\n";
for (auto &selectcmpInst : icomps) { for (auto &selectcmpInst : icomps) {
@ -259,8 +260,7 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
bool CmpLogInstructions::runOnModule(Module &M) { bool CmpLogInstructions::runOnModule(Module &M) {
if (getenv("AFL_QUIET") == NULL) if (getenv("AFL_QUIET") == NULL)
llvm::errs() printf("Running cmplog-instructions-pass by andreafioraldi@gmail.com\n");
<< "Running cmplog-instructions-pass by andreafioraldi@gmail.com\n";
else else
be_quiet = 1; be_quiet = 1;
hookInstrs(M); hookInstrs(M);

5
instrumentation/cmplog-routines-pass.cc
View File

@ -149,9 +149,11 @@ bool CmpLogRoutines::hookRtns(Module &M) {
} }
if (!calls.size()) return false; if (!calls.size()) return false;
/*
if (!be_quiet) if (!be_quiet)
errs() << "Hooking " << calls.size() errs() << "Hooking " << calls.size()
<< " calls with pointers as arguments\n"; << " calls with pointers as arguments\n";
*/
for (auto &callInst : calls) { for (auto &callInst : calls) {
@ -179,8 +181,7 @@ bool CmpLogRoutines::hookRtns(Module &M) {
bool CmpLogRoutines::runOnModule(Module &M) { bool CmpLogRoutines::runOnModule(Module &M) {
if (getenv("AFL_QUIET") == NULL) if (getenv("AFL_QUIET") == NULL)
llvm::errs() printf("Running cmplog-routines-pass by andreafioraldi@gmail.com\n");
<< "Running cmplog-routines-pass by andreafioraldi@gmail.com\n";
else else
be_quiet = 1; be_quiet = 1;
hookRtns(M); hookRtns(M);

16
instrumentation/compare-transform-pass.so.cc
View File

@ -339,8 +339,9 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
if (!calls.size()) return false; if (!calls.size()) return false;
if (!be_quiet) if (!be_quiet)
errs() << "Replacing " << calls.size() printf(
<< " calls to strcmp/memcmp/strncmp/strcasecmp/strncasecmp\n"; "Replacing %lu calls to strcmp/memcmp/strncmp/strcasecmp/strncasecmp\n",
calls.size());
for (auto &callInst : calls) { for (auto &callInst : calls) {
@ -426,11 +427,14 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
else else
unrollLen = constStrLen; unrollLen = constStrLen;
/*
if (!be_quiet) if (!be_quiet)
errs() << callInst->getCalledFunction()->getName() << ": unroll len " errs() << callInst->getCalledFunction()->getName() << ": unroll len "
<< unrollLen << unrollLen
<< ((isSizedcmp && !isConstSized) ? ", variable n" : "") << ": " << ((isSizedcmp && !isConstSized) ? ", variable n" : "") << ":
"
<< ConstStr << "\n"; << ConstStr << "\n";
*/
/* split before the call instruction */ /* split before the call instruction */
BasicBlock *bb = callInst->getParent(); BasicBlock *bb = callInst->getParent();
@ -556,10 +560,12 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
bool CompareTransform::runOnModule(Module &M) { bool CompareTransform::runOnModule(Module &M) {
if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL) if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL)
llvm::errs() << "Running compare-transform-pass by laf.intel@gmail.com, " printf(
"extended by heiko@hexco.de\n"; "Running compare-transform-pass by laf.intel@gmail.com, extended by "
"heiko@hexco.de\n");
else else
be_quiet = 1; be_quiet = 1;
transformCmps(M, true, true, true, true, true); transformCmps(M, true, true, true, true, true);
verifyModule(M); verifyModule(M);

27
instrumentation/split-compares-pass.so.cc
View File

@ -1262,8 +1262,9 @@ bool SplitComparesTransform::runOnModule(Module &M) {
if ((isatty(2) && getenv("AFL_QUIET") == NULL) || if ((isatty(2) && getenv("AFL_QUIET") == NULL) ||
getenv("AFL_DEBUG") != NULL) { getenv("AFL_DEBUG") != NULL) {
errs() << "Split-compare-pass by laf.intel@gmail.com, extended by " printf(
"heiko@hexco.de\n"; "Split-compare-pass by laf.intel@gmail.com, extended by "
"heiko@hexco.de\n");
} else { } else {
@ -1275,6 +1276,7 @@ bool SplitComparesTransform::runOnModule(Module &M) {
count = splitFPCompares(M); count = splitFPCompares(M);
/*
if (!be_quiet) { if (!be_quiet) {
errs() << "Split-floatingpoint-compare-pass: " << count errs() << "Split-floatingpoint-compare-pass: " << count
@ -1282,6 +1284,7 @@ bool SplitComparesTransform::runOnModule(Module &M) {
} }
*/
simplifyFPCompares(M); simplifyFPCompares(M);
} }
@ -1294,10 +1297,12 @@ bool SplitComparesTransform::runOnModule(Module &M) {
case 64: case 64:
count = splitIntCompares(M, bitw); count = splitIntCompares(M, bitw);
/*
if (!be_quiet) if (!be_quiet)
errs() << "Split-integer-compare-pass " << bitw << "bit: " << count errs() << "Split-integer-compare-pass " << bitw << "bit: " <<
count
<< " split\n"; << " split\n";
*/
bitw >>= 1; bitw >>= 1;
#if LLVM_VERSION_MAJOR > 3 || \ #if LLVM_VERSION_MAJOR > 3 || \
(LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 7) (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 7)
@ -1305,10 +1310,12 @@ bool SplitComparesTransform::runOnModule(Module &M) {
#endif #endif
case 32: case 32:
count = splitIntCompares(M, bitw); count = splitIntCompares(M, bitw);
/*
if (!be_quiet) if (!be_quiet)
errs() << "Split-integer-compare-pass " << bitw << "bit: " << count errs() << "Split-integer-compare-pass " << bitw << "bit: " <<
count
<< " split\n"; << " split\n";
*/
bitw >>= 1; bitw >>= 1;
#if LLVM_VERSION_MAJOR > 3 || \ #if LLVM_VERSION_MAJOR > 3 || \
(LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 7) (LLVM_VERSION_MAJOR == 3 && LLVM_VERSION_MINOR > 7)
@ -1316,15 +1323,17 @@ bool SplitComparesTransform::runOnModule(Module &M) {
#endif #endif
case 16: case 16:
count = splitIntCompares(M, bitw); count = splitIntCompares(M, bitw);
/*
if (!be_quiet) if (!be_quiet)
errs() << "Split-integer-compare-pass " << bitw << "bit: " << count errs() << "Split-integer-compare-pass " << bitw << "bit: " <<
count
<< " split\n"; << " split\n";
*/
bitw >>= 1; bitw >>= 1;
break; break;
default: default:
if (!be_quiet) errs() << "NOT Running split-compare-pass \n"; // if (!be_quiet) errs() << "NOT Running split-compare-pass \n";
return false; return false;
break; break;

9
instrumentation/split-switches-pass.so.cc
View File

@ -327,10 +327,11 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
} }
if (!switches.size()) return false; if (!switches.size()) return false;
/*
if (!be_quiet) if (!be_quiet)
errs() << "Rewriting " << switches.size() << " switch statements " errs() << "Rewriting " << switches.size() << " switch statements "
<< "\n"; << "\n";
*/
for (auto &SI : switches) { for (auto &SI : switches) {
BasicBlock *CurBlock = SI->getParent(); BasicBlock *CurBlock = SI->getParent();
@ -341,15 +342,17 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
BasicBlock *Default = SI->getDefaultDest(); BasicBlock *Default = SI->getDefaultDest();
unsigned bitw = Val->getType()->getIntegerBitWidth(); unsigned bitw = Val->getType()->getIntegerBitWidth();
/*
if (!be_quiet) if (!be_quiet)
errs() << "switch: " << SI->getNumCases() << " cases " << bitw errs() << "switch: " << SI->getNumCases() << " cases " << bitw
<< " bit\n"; << " bit\n";
*/
/* If there is only the default destination or the condition checks 8 bit or /* If there is only the default destination or the condition checks 8 bit or
* less, don't bother with the code below. */ * less, don't bother with the code below. */
if (!SI->getNumCases() || bitw <= 8) { if (!SI->getNumCases() || bitw <= 8) {
if (!be_quiet) errs() << "skip trivial switch..\n"; // if (!be_quiet) errs() << "skip trivial switch..\n";
continue; continue;
} }
@ -415,7 +418,7 @@ bool SplitSwitchesTransform::splitSwitches(Module &M) {
bool SplitSwitchesTransform::runOnModule(Module &M) { bool SplitSwitchesTransform::runOnModule(Module &M) {
if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL) if ((isatty(2) && getenv("AFL_QUIET") == NULL) || getenv("AFL_DEBUG") != NULL)
llvm::errs() << "Running split-switches-pass by laf.intel@gmail.com\n"; printf("Running split-switches-pass by laf.intel@gmail.com\n");
else else
be_quiet = 1; be_quiet = 1;
splitSwitches(M); splitSwitches(M);

13
src/afl-fuzz-bitmap.c
View File

@ -556,8 +556,8 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
/* Saturated increment */ /* Saturated increment */
if (afl->n_fuzz[cksum % n_fuzz_size] < 0xFFFFFFFF) if (afl->n_fuzz[cksum % N_FUZZ_SIZE] < 0xFFFFFFFF)
afl->n_fuzz[cksum % n_fuzz_size]++; afl->n_fuzz[cksum % N_FUZZ_SIZE]++;
} }
@ -597,10 +597,15 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (cksum) if (cksum)
afl->queue_top->exec_cksum = cksum; afl->queue_top->exec_cksum = cksum;
else else
afl->queue_top->exec_cksum = cksum = afl->queue_top->exec_cksum =
hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
afl->n_fuzz[cksum % n_fuzz_size] = 1; if (afl->schedule >= FAST && afl->schedule <= RARE) {
afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE;
afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1;
}
/* Try to calibrate inline; this also calls update_bitmap_score() when /* Try to calibrate inline; this also calls update_bitmap_score() when
successful. */ successful. */

4
src/afl-fuzz-init.c
View File

@ -732,8 +732,8 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) { if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE;
afl->n_fuzz[cksum % n_fuzz_size] = 1; afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1;
} }

24
src/afl-fuzz-queue.c
View File

@ -310,7 +310,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
if (unlikely(afl->schedule >= FAST && afl->schedule < RARE)) if (unlikely(afl->schedule >= FAST && afl->schedule < RARE))
fuzz_p2 = 0; // Skip the fuzz_p2 comparison fuzz_p2 = 0; // Skip the fuzz_p2 comparison
else if (unlikely(afl->schedule == RARE)) else if (unlikely(afl->schedule == RARE))
fuzz_p2 = next_pow2(afl->n_fuzz[q->exec_cksum % n_fuzz_size]); fuzz_p2 = next_pow2(afl->n_fuzz[q->n_fuzz_entry]);
else else
fuzz_p2 = q->fuzz_level; fuzz_p2 = q->fuzz_level;
@ -336,7 +336,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u64 top_rated_fav_factor; u64 top_rated_fav_factor;
u64 top_rated_fuzz_p2; u64 top_rated_fuzz_p2;
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE))
top_rated_fuzz_p2 = next_pow2(afl->n_fuzz[afl->top_rated[i]->exec_cksum % n_fuzz_size]); top_rated_fuzz_p2 =
next_pow2(afl->n_fuzz[afl->top_rated[i]->n_fuzz_entry]);
else else
top_rated_fuzz_p2 = afl->top_rated[i]->fuzz_level; top_rated_fuzz_p2 = afl->top_rated[i]->fuzz_level;
@ -611,7 +612,6 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
double factor = 1.0; double factor = 1.0;
long double fuzz_mu; long double fuzz_mu;
switch (afl->schedule) { switch (afl->schedule) {
case EXPLORE: case EXPLORE:
@ -634,7 +634,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
struct queue_entry *queue_it = afl->queue; struct queue_entry *queue_it = afl->queue;
while (queue_it) { while (queue_it) {
fuzz_mu += log2(afl->n_fuzz[q->exec_cksum % n_fuzz_size]); fuzz_mu += log2(afl->n_fuzz[q->n_fuzz_entry]);
n_paths++; n_paths++;
queue_it = queue_it->next; queue_it = queue_it->next;
@ -645,7 +645,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
fuzz_mu = fuzz_mu / n_paths; fuzz_mu = fuzz_mu / n_paths;
if (log2(afl->n_fuzz[q->exec_cksum % n_fuzz_size]) > fuzz_mu) { if (log2(afl->n_fuzz[q->n_fuzz_entry]) > fuzz_mu) {
/* Never skip favourites */ /* Never skip favourites */
if (!q->favored) factor = 0; if (!q->favored) factor = 0;
@ -660,7 +660,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
// Don't modify unfuzzed seeds // Don't modify unfuzzed seeds
if (q->fuzz_level == 0) break; if (q->fuzz_level == 0) break;
switch ((u32)log2(afl->n_fuzz[q->exec_cksum % n_fuzz_size])) { switch ((u32)log2(afl->n_fuzz[q->n_fuzz_entry])) {
case 0 ... 1: case 0 ... 1:
factor = 4; factor = 4;
@ -691,17 +691,17 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
} }
if (q->favored) if (q->favored) factor *= 1.15;
factor *= 1.15;
break; break;
case LIN: case LIN:
factor = q->fuzz_level / (afl->n_fuzz[q->exec_cksum % n_fuzz_size] + 1); factor = q->fuzz_level / (afl->n_fuzz[q->n_fuzz_entry] + 1);
break; break;
case QUAD: case QUAD:
factor = q->fuzz_level * q->fuzz_level / (afl->n_fuzz[q->exec_cksum % n_fuzz_size] + 1); factor =
q->fuzz_level * q->fuzz_level / (afl->n_fuzz[q->n_fuzz_entry] + 1);
break; break;
case MMOPT: case MMOPT:
@ -726,8 +726,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
perf_score += (q->tc_ref * 10); perf_score += (q->tc_ref * 10);
// the more often fuzz result paths are equal to this queue entry, // the more often fuzz result paths are equal to this queue entry,
// reduce its value // reduce its value
perf_score *= perf_score *= (1 - (double)((double)afl->n_fuzz[q->n_fuzz_entry] /
(1 - (double)((double)afl->n_fuzz[q->exec_cksum % n_fuzz_size] / (double)afl->fsrv.total_execs)); (double)afl->fsrv.total_execs));
break; break;

2
src/afl-fuzz.c
View File

@ -939,7 +939,7 @@ int main(int argc, char **argv_orig, char **envp) {
/* Dynamically allocate memory for AFLFast schedules */ /* Dynamically allocate memory for AFLFast schedules */
if (afl->schedule >= FAST && afl->schedule <= RARE) { if (afl->schedule >= FAST && afl->schedule <= RARE) {
afl->n_fuzz = ck_alloc(n_fuzz_size * sizeof(u32)); afl->n_fuzz = ck_alloc(N_FUZZ_SIZE * sizeof(u32));
} }