fix lto cmplog stability issue

2025-06-10 09:11:34 +00:00 · 2021-10-15 11:25:02 +02:00 · 2021-10-15 11:25:02 +02:00 · 3deca3b09b
commit 3deca3b09b
parent 17c59de1c2
5 changed files with 32 additions and 5 deletions
--- a/custom_mutators/grammar_mutator/grammar_mutator
+++ b/custom_mutators/grammar_mutator/grammar_mutator
@ -1 +1 @@
-Subproject commit eedf07ddb0fb1f437f5e76b77cfd4064cf6a5d63
+Subproject commit b79d51a8daccbd7a693f9b6765c81ead14f28e26
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -16,6 +16,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
    - fix a regression introduced in 3.10 that resulted in less
      coverage being detected. thanks to Collin May for reporting!
    - fix -n dumb mode (nobody should use this)
+    - fix stability issue with LTO and cmplog
  - afl-showmap, afl-tmin and afl-analyze now honor persistent mode
    for more speed. thanks to dloffre-snl for reporting!
  - Prevent accidently killing non-afl/fuzz services when aborting
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@ -1 +1 @@
-Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
+Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -291,8 +291,6 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
                  u32 handicap, u8 from_queue) {

-  if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
-
  u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0,
     first_run = (q->exec_cksum == 0);
  u64 start_us, stop_us, diff_us;
@ -300,6 +298,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
  u32 use_tmout = afl->fsrv.exec_tmout;
  u8 *old_sn = afl->stage_name;

+  if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
+
  /* Be a bit more generous about timeouts when resuming sessions, or when
     trying to calibrate already-added finds. This helps avoid trouble due
     to intermittent latency. */
@ -343,6 +343,32 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,

  }

+  /* we need a dummy run if this is LTO + cmplog */
+  if (unlikely(afl->shm.cmplog_mode)) {
+
+    write_to_testcase(afl, use_mem, q->len);
+
+    fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
+
+    /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
+       we want to bail out quickly. */
+
+    if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; }
+
+    if (!afl->non_instrumented_mode && !afl->stage_cur &&
+        !count_bytes(afl, afl->fsrv.trace_bits)) {
+
+      fault = FSRV_RUN_NOINST;
+      goto abort_calibration;
+
+    }
+
+#ifdef INTROSPECTION
+    if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;
+#endif
+
+  }
+
  if (q->exec_cksum) {

    memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@ -1 +1 @@
-Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
+Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11