fix lto cmplog stability issue

2025-06-13 10:38:07 +00:00 · 2021-10-15 11:25:02 +02:00
parent 17c59de1c2
commit 3deca3b09b
5 changed files with 32 additions and 5 deletions
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -291,8 +291,6 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
 u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
                  u32 handicap, u8 from_queue) {

-  if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
-
  u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0,
     first_run = (q->exec_cksum == 0);
  u64 start_us, stop_us, diff_us;
@ -300,6 +298,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
  u32 use_tmout = afl->fsrv.exec_tmout;
  u8 *old_sn = afl->stage_name;

+  if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
+
  /* Be a bit more generous about timeouts when resuming sessions, or when
     trying to calibrate already-added finds. This helps avoid trouble due
     to intermittent latency. */
@ -343,6 +343,32 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,

  }

+  /* we need a dummy run if this is LTO + cmplog */
+  if (unlikely(afl->shm.cmplog_mode)) {
+
+    write_to_testcase(afl, use_mem, q->len);
+
+    fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
+
+    /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
+       we want to bail out quickly. */
+
+    if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; }
+
+    if (!afl->non_instrumented_mode && !afl->stage_cur &&
+        !count_bytes(afl, afl->fsrv.trace_bits)) {
+
+      fault = FSRV_RUN_NOINST;
+      goto abort_calibration;
+
+    }
+
+#ifdef INTROSPECTION
+    if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;
+#endif
+
+  }
+
  if (q->exec_cksum) {

    memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);