ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-09 08:41:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1499 from AFLplusplus/dev

Browse Source 
push to stable
This commit is contained in:
van Hauser 2022-08-25 15:56:36 +02:00 committed by GitHub
commit 413e68ab6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 387 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
GNUmakefile
View File

@ -309,6 +309,17 @@ endif
.PHONY: all .PHONY: all
all: test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_build all_done all: test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_build all_done
-$(MAKE) -C utils/aflpp_driver -$(MAKE) -C utils/aflpp_driver
@echo
@echo
@echo Build Summary:
@test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
@test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
@test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be build, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it"
ifneq "$(SYS)" "Darwin"
@test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
endif
@echo
.PHONY: llvm .PHONY: llvm
llvm: llvm:
@ -674,6 +685,31 @@ endif
-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
endif endif
endif endif
@echo
@echo
@echo Build Summary:
@test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
ifneq "$(SYS)" "Darwin"
ifeq "$(ARCH)" "aarch64"
ifndef NO_CORESIGHT
@test -e afl-cs-proxy && echo "[+] coresight_mode successfully built" || echo "[-] coresight_mode could not be built, it is optional and experimental, see coresight_mode/README.md for what is needed"
endif
endif
ifeq "$(SYS)" "Linux"
ifndef NO_NYX
@test -e libnyx.so && echo "[+] nyx_mode successfully built" || echo "[-] nyx_mode could not be built, it is optional, see nyx_mode/README.md for what is needed"
endif
endif
@test -e afl-qemu-trace && echo "[+] qemu_mode successfully built" || echo "[-] qemu_mode could not be built, see docs/INSTALL.md for what is needed"
ifeq "$(ARCH)" "aarch64"
ifndef NO_UNICORN_ARM64
@test -e unicorn_mode/unicornafl/build_python/libunicornafl.so && echo "[+] unicorn_mode successfully built" || echo "[-] unicorn_mode could not be built, it is optional, see unicorn_mode/README.md for what is needed"
endif
else
@test -e unicorn_mode/unicornafl/build_python/libunicornafl.so && echo "[+] unicorn_mode successfully built" || echo "[-] unicorn_mode could not be built, it is optional, see unicorn_mode/README.md for what is needed"
endif
endif
@echo
.PHONY: source-only .PHONY: source-only
source-only: all source-only: all
@ -689,6 +725,22 @@ ifndef NO_NYX
-cd nyx_mode && ./build_nyx_support.sh -cd nyx_mode && ./build_nyx_support.sh
endif endif
endif endif
@echo
@echo
@echo Build Summary:
@test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
@test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
@test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be build, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it"
ifneq "$(SYS)" "Darwin"
test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
endif
ifeq "$(SYS)" "Linux"
ifndef NO_NYX
@test -e libnyx.so && echo "[+] nyx_mode successfully built" || echo "[-] nyx_mode could not be built, it is optional, see nyx_mode/README.md for what is needed"
endif
endif
@echo
%.8: % %.8: %
@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@ @echo .TH $* 8 $(BUILD_DATE) "afl++" > $@

2
README.md
View File

@ -4,7 +4,7 @@
Release version: [4.02c](https://github.com/AFLplusplus/AFLplusplus/releases) Release version: [4.02c](https://github.com/AFLplusplus/AFLplusplus/releases)
GitHub version: 4.02c GitHub version: 4.03a
Repository: Repository:
[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)

1
TODO.md
View File

@ -2,7 +2,6 @@
## Should ## Should
- makefiles should show provide a build summary success/failure
- better documentation for custom mutators - better documentation for custom mutators
- better autodetection of shifting runtime timeout values - better autodetection of shifting runtime timeout values
- Update afl->pending_not_fuzzed for MOpt - Update afl->pending_not_fuzzed for MOpt

18
afl-cmin
View File

@ -291,6 +291,16 @@ BEGIN {
target_bin = tnew target_bin = tnew
} }
if (0 == system ( "grep -aq AFL_DUMP_MAP_SIZE " target_bin )) {
echo "[!] Trying to obtain the map size of the target ..."
get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin
get_map_size | getline mapsize
if (mapsize && mapsize > 65535 && mapsize < 100000000) {
AFL_MAP_SIZE = "AFL_MAP_SIZE="mapsize" "
print "[+] Setting "AFL_MAP_SIZE
}
}
if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !frida_mode && !unicorn_mode) { if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !frida_mode && !unicorn_mode) {
if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) { if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) {
print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr" print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr"
@ -399,10 +409,10 @@ BEGIN {
print "[*] Testing the target binary..." print "[*] Testing the target binary..."
if (!stdin_file) { if (!stdin_file) {
system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"") system(AFL_MAP_SIZE "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
} else { } else {
system("cp \""in_dir"/"first_file"\" "stdin_file) system("cp \""in_dir"/"first_file"\" "stdin_file)
system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null") system(AFL_MAP_SIZE "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
} }
first_count = 0 first_count = 0
@ -435,11 +445,11 @@ BEGIN {
if (!stdin_file) { if (!stdin_file) {
print " Processing "in_count" files (forkserver mode)..." print " Processing "in_count" files (forkserver mode)..."
# print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string # print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string
retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string) retval = system(AFL_MAP_SIZE AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
} else { } else {
print " Processing "in_count" files (forkserver mode)..." print " Processing "in_count" files (forkserver mode)..."
# print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null" # print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null"
retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null") retval = system(AFL_MAP_SIZE AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
} }
if (retval && !AFL_CMIN_CRASHES_ONLY) { if (retval && !AFL_CMIN_CRASHES_ONLY) {

9
afl-cmin.bash
View File

@ -215,6 +215,15 @@ if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
fi fi
grep -aq AFL_DUMP_MAP_SIZE "./$TARGET_BIN" && {
echo "[!] Trying to obtain the map size of the target ..."
MAPSIZE=`AFL_DUMP_MAP_SIZE=1 "./$TARGET_BIN" 2>/dev/null`
test -n "$MAPSIZE" && {
export AFL_MAP_SIZE=$MAPSIZE
echo "[+] Setting AFL_MAP_SIZE=$MAPSIZE"
}
}
if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$FRIDA_MODE" = "" -a "$UNICORN_MODE" = "" ]; then if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$FRIDA_MODE" = "" -a "$UNICORN_MODE" = "" ]; then
if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then

20
docs/Changelog.md
View File

@ -8,6 +8,25 @@
Want to stay in the loop on major new features? Join our mailing list by Want to stay in the loop on major new features? Join our mailing list by
sending a mail to <afl-users+subscribe@googlegroups.com>. sending a mail to <afl-users+subscribe@googlegroups.com>.
### Version ++4.03a (dev)
- Building now gives a build summary what succeeded and what not
- afl-fuzz:
- added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
of calibrating all initial seeds first. Good for large queues
and long execution times, especially in CIs.
- default calibration cycles set to 7 from 8, and only add 5 cycles
to variables queue items instead of 12.
- afl-cc:
- better handling of -fsanitize=..,...,.. lists
- fix gcc_mode cmplog
- obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
note that this will exit the target before main()
- qemu_mode:
- added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
worksbutnottested!
### Version ++4.02c (release) ### Version ++4.02c (release)
- afl-cc: - afl-cc:
- important fix for the default pcguard mode when LLVM IR vector - important fix for the default pcguard mode when LLVM IR vector
@ -22,7 +41,6 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- change post_process hook to allow returning NULL and 0 length to - change post_process hook to allow returning NULL and 0 length to
tell afl-fuzz to skip this mutated input tell afl-fuzz to skip this mutated input
### Version ++4.01c (release) ### Version ++4.01c (release)
- fixed */build_...sh scripts to work outside of git - fixed */build_...sh scripts to work outside of git
- new custom_mutator: libafl with token fuzzing :) - new custom_mutator: libafl with token fuzzing :)

15
docs/FAQ.md
View File

@ -255,3 +255,18 @@ If you find an interesting or important question missing, submit it via
Solution: `git pull ; make clean install` of AFL++. Solution: `git pull ; make clean install` of AFL++.
</p></details> </p></details>
<details>
<summary id="afl-map-size-warning">AFL++ map size warning.</summary><p>
When you run a large instrumented program stand-alone or via afl-showmap
you might see a warning like the following:
```
Warning: AFL++ tools might need to set AFL_MAP_SIZE to 223723 to be able to run this instrumented program if this crashes!
```
Depending how the target works it might also crash afterwards.
Solution: just do an `export AFL_MAP_SIZE=(the value in the warning)`.
</p></details>

4
docs/INSTALL.md
View File

@ -21,8 +21,8 @@ development state of AFL++.
If you want to build AFL++ yourself, you have many options. The easiest choice If you want to build AFL++ yourself, you have many options. The easiest choice
is to build and install everything: is to build and install everything:
NOTE: depending on your Debian/Ubuntu/Kali/... version release `-12` with NOTE: depending on your Debian/Ubuntu/Kali/... release, replace `-12` with
whatever llvm version is available! whatever llvm version is available. We recommend llvm 12, 13 or 14.
```shell ```shell
sudo apt-get update sudo apt-get update

3
docs/env_variables.md
View File

@ -462,6 +462,9 @@ checks or alter some of the more exotic semantics of the tool:
some basic stats. This behavior is also automatically triggered when the some basic stats. This behavior is also automatically triggered when the
output from afl-fuzz is redirected to a file or to a pipe. output from afl-fuzz is redirected to a file or to a pipe.
- Setting `AFL_NO_STARTUP_CALIBRATION` will skip the initial calibration
of all starting seeds, and start fuzzing at once.
- In QEMU mode (-Q) and FRIDA mode (-O), `AFL_PATH` will be searched for - In QEMU mode (-Q) and FRIDA mode (-O), `AFL_PATH` will be searched for
afl-qemu-trace and afl-frida-trace.so. afl-qemu-trace and afl-frida-trace.so.

7
docs/fuzzing_in_depth.md
View File

@ -626,6 +626,9 @@ from other fuzzers in the campaign first.
If you have a large corpus, a corpus from a previous run or are fuzzing in a CI, If you have a large corpus, a corpus from a previous run or are fuzzing in a CI,
then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`. then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`.
If the queue in the CI is huge and/or the execution time is slow then you can
also add `AFL_NO_STARTUP_CALIBRATION=1` to skip the initial queue calibration
phase and start fuzzing at once.
You can also use different fuzzers. If you are using AFL spinoffs or AFL You can also use different fuzzers. If you are using AFL spinoffs or AFL
conforming fuzzers, then just use the same -o directory and give it a unique conforming fuzzers, then just use the same -o directory and give it a unique
@ -902,6 +905,10 @@ complex file formats.
Some notes on continuous integration (CI) fuzzing - this fuzzing is different to Some notes on continuous integration (CI) fuzzing - this fuzzing is different to
normal fuzzing campaigns as these are much shorter runnings. normal fuzzing campaigns as these are much shorter runnings.
If the queue in the CI is huge and/or the execution time is slow then you can
also add `AFL_NO_STARTUP_CALIBRATION=1` to skip the initial queue calibration
phase and start fuzzing at once.
1. Always: 1. Always:
* LTO has a much longer compile time which is diametrical to short fuzzing - * LTO has a much longer compile time which is diametrical to short fuzzing -
hence use afl-clang-fast instead. hence use afl-clang-fast instead.

2
frida_mode/GNUmakefile
View File

@ -252,7 +252,7 @@ CFLAGS+=-I $(FRIDA_DIR)build/frida_thin-$(OS)-$(ARCH)/include/frida-1.0 \
-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \ -I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
ifeq "$(OS)" "android" ifeq "$(OS)" "android"
CFLAGS += -static-libstdc++ CFLAGS += -static-libstdc++
endif endif
else else
CFLAGS+=-I $(FRIDA_DIR)build/frida_thin-$(OS)-$(ARCH)/include/frida-1.0 \ CFLAGS+=-I $(FRIDA_DIR)build/frida_thin-$(OS)-$(ARCH)/include/frida-1.0 \

4
frida_mode/src/module.c
View File

@ -77,7 +77,9 @@ static int on_dlclose(void *handle) {
range = &g_array_index(ranges, gum_range_t, i); range = &g_array_index(ranges, gum_range_t, i);
base = range->range.base_address; base = range->range.base_address;
limit = base + range->range.size; limit = base + range->range.size;
FVERBOSE("Reserving range: 0x%016lx, 0x%016lX", base, limit); FVERBOSE("Reserving range: 0x%016" G_GINT64_MODIFIER
"x, 0x%016" G_GINT64_MODIFIER "X",
base, limit);
mem = gum_memory_allocate(GSIZE_TO_POINTER(base), range->range.size, mem = gum_memory_allocate(GSIZE_TO_POINTER(base), range->range.size,
page_size, GUM_PAGE_NO_ACCESS); page_size, GUM_PAGE_NO_ACCESS);
if (mem == NULL) { FATAL("Failed to allocate %p (%d)", mem, errno); } if (mem == NULL) { FATAL("Failed to allocate %p (%d)", mem, errno); }

74
frida_mode/test/png/GNUmakefile
View File

@ -2,10 +2,17 @@ PWD:=$(shell pwd)/
ROOT:=$(PWD)../../../ ROOT:=$(PWD)../../../
BUILD_DIR:=$(PWD)build/ BUILD_DIR:=$(PWD)build/
LIBZ_BUILD_DIR:=$(BUILD_DIR)libz/
LIBPNG_BUILD_DIR:=$(BUILD_DIR)libpng/ LIBPNG_BUILD_DIR:=$(BUILD_DIR)libpng/
HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/ HARNESS_BUILD_DIR:=$(BUILD_DIR)harness/
PNGTEST_BUILD_DIR:=$(BUILD_DIR)pngtest/ PNGTEST_BUILD_DIR:=$(BUILD_DIR)pngtest/
LIBZ_FILE:=$(LIBZ_BUILD_DIR)zlib-1.2.12.tar.gz
LIBZ_URL:=http://www.zlib.net/zlib-1.2.12.tar.gz
LIBZ_DIR:=$(LIBZ_BUILD_DIR)zlib-1.2.12/
LIBZ_PC:=$(ZLIB_DIR)zlib.pc
LIBZ_LIB:=$(LIBZ_DIR)libz.a
LIBPNG_FILE:=$(LIBPNG_BUILD_DIR)libpng-1.2.56.tar.gz LIBPNG_FILE:=$(LIBPNG_BUILD_DIR)libpng-1.2.56.tar.gz
LIBPNG_URL:=https://downloads.sourceforge.net/project/libpng/libpng12/older-releases/1.2.56/libpng-1.2.56.tar.gz LIBPNG_URL:=https://downloads.sourceforge.net/project/libpng/libpng12/older-releases/1.2.56/libpng-1.2.56.tar.gz
LIBPNG_DIR:=$(LIBPNG_BUILD_DIR)libpng-1.2.56/ LIBPNG_DIR:=$(LIBPNG_BUILD_DIR)libpng-1.2.56/
@ -32,11 +39,16 @@ FRIDA_OUT:=$(BUILD_DIR)frida-out
.PHONY: all clean qemu frida .PHONY: all clean qemu frida
ARCH?=""
all: $(TEST_BIN) all: $(TEST_BIN)
make -C $(ROOT)frida_mode/ make -C $(ROOT)frida_mode/
32: 32:
CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all CFLAGS="-m32" LDFLAGS="-m32" make $(TEST_BIN)
arm:
ARCH="arm" CC="arm-linux-gnueabihf-gcc" CXX="arm-linux-gnueabihf-g++" make $(TEST_BIN)
$(BUILD_DIR): $(BUILD_DIR):
mkdir -p $@ mkdir -p $@
@ -51,6 +63,8 @@ $(HARNESS_FILE): | $(HARNESS_BUILD_DIR)
$(HARNESS_OBJ): $(HARNESS_FILE) $(HARNESS_OBJ): $(HARNESS_FILE)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ -c $< $(CC) $(CFLAGS) $(LDFLAGS) -o $@ -c $<
harness: $(HARNESS_OBJ)
######### PNGTEST ######## ######### PNGTEST ########
$(PNGTEST_BUILD_DIR): | $(BUILD_DIR) $(PNGTEST_BUILD_DIR): | $(BUILD_DIR)
@ -62,6 +76,34 @@ $(PNGTEST_FILE): | $(PNGTEST_BUILD_DIR)
$(PNGTEST_OBJ): $(PNGTEST_FILE) | $(LIBPNG_DIR) $(PNGTEST_OBJ): $(PNGTEST_FILE) | $(LIBPNG_DIR)
$(CXX) $(CFLAGS) $(LDFLAGS) -std=c++11 -I $(LIBPNG_DIR) -o $@ -c $< $(CXX) $(CFLAGS) $(LDFLAGS) -std=c++11 -I $(LIBPNG_DIR) -o $@ -c $<
pngtest: $(PNGTEST_OBJ)
######### LIBZ ########
$(LIBZ_BUILD_DIR): | $(BUILD_DIR)
mkdir -p $@
$(LIBZ_FILE): | $(LIBZ_BUILD_DIR)
wget -O $@ $(LIBZ_URL)
$(LIBZ_DIR): $(LIBZ_FILE)
tar zxvf $(LIBZ_FILE) -C $(LIBZ_BUILD_DIR)
$(LIBZ_PC): | $(LIBZ_DIR)
cd $(LIBZ_DIR) && \
CFLAGS="$(CFLAGS) -fPIC" \
./configure \
--static \
--archs="$(ARCH)"
$(LIBZ_LIB): $(LIBZ_PC)
CFLAGS="$(CFLAGS) -fPIC" \
make \
-C $(LIBZ_DIR) \
-j
libz: $(LIBZ_LIB)
######### LIBPNG ######## ######### LIBPNG ########
$(LIBPNG_BUILD_DIR): | $(BUILD_DIR) $(LIBPNG_BUILD_DIR): | $(BUILD_DIR)
@ -73,11 +115,21 @@ $(LIBPNG_FILE): | $(LIBPNG_BUILD_DIR)
$(LIBPNG_DIR): $(LIBPNG_FILE) $(LIBPNG_DIR): $(LIBPNG_FILE)
tar zxvf $(LIBPNG_FILE) -C $(LIBPNG_BUILD_DIR) tar zxvf $(LIBPNG_FILE) -C $(LIBPNG_BUILD_DIR)
$(LIBPNG_MAKEFILE): | $(LIBPNG_DIR) $(LIBPNG_MAKEFILE): $(LIBZ_LIB) | $(LIBPNG_DIR)
cd $(LIBPNG_DIR) && ./configure cd $(LIBPNG_DIR) && \
CFLAGS="$(CFLAGS) -I$(LIBZ_DIR)" \
LDFLAGS="-L$(LIBZ_DIR)" \
./configure \
--host="$(ARCH)"
$(LIBPNG_LIB): $(LIBPNG_MAKEFILE) $(LIBPNG_LIB): $(LIBPNG_MAKEFILE)
make -C $(LIBPNG_DIR) CFLAGS="$(CFLAGS) -I$(LIBZ_DIR)" \
LDFLAGS="-L$(LIBZ_DIR)" \
make \
-C $(LIBPNG_DIR) \
-j
png: $(LIBPNG_LIB)
######### TEST ######## ######### TEST ########
@ -86,11 +138,21 @@ $(TEST_BIN): $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB)
$(CFLAGS) \ $(CFLAGS) \
$(LDFLAGS) \ $(LDFLAGS) \
-o $@ \ -o $@ \
$(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) \ $(HARNESS_OBJ) $(PNGTEST_OBJ) $(LIBPNG_LIB) $(LIBZ_LIB) \
-lz \
$(TEST_BIN_LDFLAGS) \ $(TEST_BIN_LDFLAGS) \
test_bin: $(TEST_BIN)
dowload: $(LIBZ_FILE) $(LIBPNG_FILE) $(HARNESS_FILE) $(PNGTEST_FILE)
clean: clean:
rm -rf $(LIBZ_DIR)
rm -rf $(LIBPNG_DIR)
rm -f $(HARNESS_OBJ)
rm -f $(PNGTEST_OBJ)
rm -f $(TEST_BIN)
clean_all:
rm -rf $(BUILD_DIR) rm -rf $(BUILD_DIR)
qemu: $(TEST_BIN) qemu: $(TEST_BIN)

24
frida_mode/test/unstable/GNUmakefile
View File

@ -4,7 +4,7 @@ BUILD_DIR:=$(PWD)build/
UNSTABLE_DATA_DIR:=$(BUILD_DIR)in/ UNSTABLE_DATA_DIR:=$(BUILD_DIR)in/
UNSTABLE_DATA_FILE:=$(UNSTABLE_DATA_DIR)in UNSTABLE_DATA_FILE:=$(UNSTABLE_DATA_DIR)in
UNSTABLE_BIN:=$(BUILD_DIR)unstable TEST_BIN:=$(BUILD_DIR)unstable
UNSTABLE_SRC:=$(PWD)unstable.c UNSTABLE_SRC:=$(PWD)unstable.c
QEMU_OUT:=$(BUILD_DIR)qemu-out QEMU_OUT:=$(BUILD_DIR)qemu-out
@ -42,7 +42,7 @@ endif
.PHONY: all 32 clean qemu frida .PHONY: all 32 clean qemu frida
all: $(UNSTABLE_BIN) all: $(TEST_BIN)
make -C $(ROOT)frida_mode/ make -C $(ROOT)frida_mode/
32: 32:
@ -57,14 +57,14 @@ $(UNSTABLE_DATA_DIR): | $(BUILD_DIR)
$(UNSTABLE_DATA_FILE): | $(UNSTABLE_DATA_DIR) $(UNSTABLE_DATA_FILE): | $(UNSTABLE_DATA_DIR)
echo -n "000" > $@ echo -n "000" > $@
$(UNSTABLE_BIN): $(UNSTABLE_SRC) | $(BUILD_DIR) $(TEST_BIN): $(UNSTABLE_SRC) | $(BUILD_DIR)
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
clean: clean:
rm -rf $(BUILD_DIR) rm -rf $(BUILD_DIR)
qemu: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE) qemu: $(TEST_BIN) $(UNSTABLE_DATA_FILE)
AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \ AFL_QEMU_PERSISTENT_ADDR=$(AFL_QEMU_PERSISTENT_ADDR) \
$(ROOT)afl-fuzz \ $(ROOT)afl-fuzz \
-D \ -D \
@ -72,9 +72,9 @@ qemu: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE)
-i $(UNSTABLE_DATA_DIR) \ -i $(UNSTABLE_DATA_DIR) \
-o $(QEMU_OUT) \ -o $(QEMU_OUT) \
-- \ -- \
$(UNSTABLE_BIN) @@ $(TEST_BIN) @@
frida: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE) frida: $(TEST_BIN) $(UNSTABLE_DATA_FILE)
AFL_DEBUG=1 \ AFL_DEBUG=1 \
AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
AFL_FRIDA_INST_TRACE_UNIQUE=1 \ AFL_FRIDA_INST_TRACE_UNIQUE=1 \
@ -85,9 +85,9 @@ frida: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE)
-i $(UNSTABLE_DATA_DIR) \ -i $(UNSTABLE_DATA_DIR) \
-o $(FRIDA_OUT) \ -o $(FRIDA_OUT) \
-- \ -- \
$(UNSTABLE_BIN) @@ $(TEST_BIN) @@
frida_coverage: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE) frida_coverage: $(TEST_BIN) $(UNSTABLE_DATA_FILE)
AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
AFL_FRIDA_OUTPUT_STDOUT=/tmp/stdout.txt \ AFL_FRIDA_OUTPUT_STDOUT=/tmp/stdout.txt \
AFL_FRIDA_OUTPUT_STDERR=/tmp/stderr.txt \ AFL_FRIDA_OUTPUT_STDERR=/tmp/stderr.txt \
@ -98,9 +98,9 @@ frida_coverage: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE)
-i $(UNSTABLE_DATA_DIR) \ -i $(UNSTABLE_DATA_DIR) \
-o $(FRIDA_OUT) \ -o $(FRIDA_OUT) \
-- \ -- \
$(UNSTABLE_BIN) @@ $(TEST_BIN) @@
frida_unstable: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE) frida_unstable: $(TEST_BIN) $(UNSTABLE_DATA_FILE)
AFL_DEBUG=1 \ AFL_DEBUG=1 \
AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \ AFL_FRIDA_PERSISTENT_ADDR=$(AFL_FRIDA_PERSISTENT_ADDR) \
AFL_FRIDA_OUTPUT_STDOUT=/tmp/stdout.txt \ AFL_FRIDA_OUTPUT_STDOUT=/tmp/stdout.txt \
@ -112,10 +112,10 @@ frida_unstable: $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE)
-i $(UNSTABLE_DATA_DIR) \ -i $(UNSTABLE_DATA_DIR) \
-o $(FRIDA_OUT) \ -o $(FRIDA_OUT) \
-- \ -- \
$(UNSTABLE_BIN) @@ $(TEST_BIN) @@
debug: debug:
gdb \ gdb \
--ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \ --ex 'set environment LD_PRELOAD=$(ROOT)afl-frida-trace.so' \
--ex 'set disassembly-flavor intel' \ --ex 'set disassembly-flavor intel' \
--args $(UNSTABLE_BIN) $(UNSTABLE_DATA_FILE) --args $(TEST_BIN) $(UNSTABLE_DATA_FILE)

3
include/afl-fuzz.h
View File

@ -386,7 +386,8 @@ typedef struct afl_env_vars {
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems, afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
afl_keep_timeouts, afl_pizza_mode, afl_no_crash_readme; afl_keep_timeouts, afl_pizza_mode, afl_no_crash_readme,
afl_no_startup_calibration;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,

7
include/config.h
View File

@ -26,7 +26,7 @@
/* Version string: */ /* Version string: */
// c = release, a = volatile github dev, e = experimental branch // c = release, a = volatile github dev, e = experimental branch
#define VERSION "++4.02c" #define VERSION "++4.03a"
/****************************************************** /******************************************************
* * * *
@ -153,8 +153,9 @@
/* Number of calibration cycles per every new test case (and for test /* Number of calibration cycles per every new test case (and for test
cases that show variable behavior): */ cases that show variable behavior): */
#define CAL_CYCLES 8U #define CAL_CYCLES_FAST 3U
#define CAL_CYCLES_LONG 20U #define CAL_CYCLES 7U
#define CAL_CYCLES_LONG 12U
/* Number of subsequent timeouts before abandoning an input file: */ /* Number of subsequent timeouts before abandoning an input file: */

2
include/envs.h
View File

@ -165,6 +165,7 @@ static char *afl_environment_variables[] = {
"AFL_NO_FORKSRV", "AFL_NO_FORKSRV",
"AFL_NO_UI", "AFL_NO_UI",
"AFL_NO_PYTHON", "AFL_NO_PYTHON",
"AFL_NO_STARTUP_CALIBRATION",
"AFL_UNTRACER_FILE", "AFL_UNTRACER_FILE",
"AFL_LLVM_USE_TRACE_PC", "AFL_LLVM_USE_TRACE_PC",
"AFL_MAP_SIZE", "AFL_MAP_SIZE",
@ -197,6 +198,7 @@ static char *afl_environment_variables[] = {
"AFL_QEMU_INST_RANGES", "AFL_QEMU_INST_RANGES",
"AFL_QEMU_EXCLUDE_RANGES", "AFL_QEMU_EXCLUDE_RANGES",
"AFL_QEMU_SNAPSHOT", "AFL_QEMU_SNAPSHOT",
"AFL_QEMU_TRACK_UNSTABLE",
"AFL_QUIET", "AFL_QUIET",
"AFL_RANDOM_ALLOC_CANARY", "AFL_RANDOM_ALLOC_CANARY",
"AFL_REAL_PATH", "AFL_REAL_PATH",

2
include/types.h
View File

@ -57,7 +57,7 @@ typedef uint128_t u128;
#define FS_OPT_SHDMEM_FUZZ 0x01000000 #define FS_OPT_SHDMEM_FUZZ 0x01000000
#define FS_OPT_NEWCMPLOG 0x02000000 #define FS_OPT_NEWCMPLOG 0x02000000
#define FS_OPT_OLD_AFLPP_WORKAROUND 0x0f000000 #define FS_OPT_OLD_AFLPP_WORKAROUND 0x0f000000
// FS_OPT_MAX_MAPSIZE is 8388608 = 0x800000 = 2^23 = 1 << 22 // FS_OPT_MAX_MAPSIZE is 8388608 = 0x800000 = 2^23 = 1 << 23
#define FS_OPT_MAX_MAPSIZE ((0x00fffffeU >> 1) + 1) #define FS_OPT_MAX_MAPSIZE ((0x00fffffeU >> 1) + 1)
#define FS_OPT_GET_MAPSIZE(x) (((x & 0x00fffffe) >> 1) + 1) #define FS_OPT_GET_MAPSIZE(x) (((x & 0x00fffffe) >> 1) + 1)
#define FS_OPT_SET_MAPSIZE(x) \ #define FS_OPT_SET_MAPSIZE(x) \

18
instrumentation/afl-compiler-rt.o.c
View File

@ -288,11 +288,18 @@ static void __afl_map_shm(void) {
__afl_map_size = ++__afl_final_loc; // as we count starting 0 __afl_map_size = ++__afl_final_loc; // as we count starting 0
if (getenv("AFL_DUMP_MAP_SIZE")) {
printf("%u\n", __afl_map_size);
exit(-1);
}
if (__afl_final_loc > MAP_SIZE) { if (__afl_final_loc > MAP_SIZE) {
char *ptr; char *ptr;
u32 val = 0; u32 val = 0;
if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) val = atoi(ptr); if ((ptr = getenv("AFL_MAP_SIZE")) != NULL) { val = atoi(ptr); }
if (val < __afl_final_loc) { if (val < __afl_final_loc) {
if (__afl_final_loc > FS_OPT_MAX_MAPSIZE) { if (__afl_final_loc > FS_OPT_MAX_MAPSIZE) {
@ -325,6 +332,15 @@ static void __afl_map_shm(void) {
} }
} else {
if (getenv("AFL_DUMP_MAP_SIZE")) {
printf("%u\n", MAP_SIZE);
exit(-1);
}
} }
if (!id_str && __afl_area_ptr_dummy == __afl_area_initial) { if (!id_str && __afl_area_ptr_dummy == __afl_area_initial) {

2
qemu_mode/QEMUAFL_VERSION
View File

@ -1 +1 @@
a120c3feb5 12682ea816

2
qemu_mode/qemuafl

@ -1 +1 @@
Subproject commit a120c3feb573d4cade292cdeb7c1f6b1ce109efe Subproject commit 12682ea8169604a6c0f9b2b36eaa53ff7dcc7fd2

120
src/afl-cc.c
View File

@ -51,7 +51,7 @@ static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 clang_mode; /* Invoked as afl-clang*? */ static u8 clang_mode; /* Invoked as afl-clang*? */
static u8 llvm_fullpath[PATH_MAX]; static u8 llvm_fullpath[PATH_MAX];
static u8 instrument_mode, instrument_opt_mode, ngram_size, ctx_k, lto_mode; static u8 instrument_mode, instrument_opt_mode, ngram_size, ctx_k, lto_mode;
static u8 compiler_mode, plusplus_mode, have_instr_env = 0; static u8 compiler_mode, plusplus_mode, have_instr_env = 0, need_aflpplib = 0;
static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto, have_instr_list = 0; static u8 have_gcc, have_llvm, have_gcc_plugin, have_lto, have_instr_list = 0;
static u8 *lto_flag = AFL_CLANG_FLTO, *argvnull; static u8 *lto_flag = AFL_CLANG_FLTO, *argvnull;
static u8 debug; static u8 debug;
@ -310,6 +310,71 @@ static u8 *find_object(u8 *obj, u8 *argv0) {
} }
void parse_fsanitize(char *string) {
char *p, *ptr = string + strlen("-fsanitize=");
char *new = malloc(strlen(string) + 1);
char *tmp = malloc(strlen(ptr));
u32 count = 0, len, ende = 0;
if (!new || !tmp) { FATAL("could not aquire memory"); }
strcpy(new, "-fsanitize=");
do {
p = strchr(ptr, ',');
if (!p) {
p = ptr + strlen(ptr) + 1;
ende = 1;
}
len = p - ptr;
if (len) {
strncpy(tmp, ptr, len);
tmp[len] = 0;
// fprintf(stderr, "Found: %s\n", tmp);
ptr += len + 1;
if (*tmp) {
u32 copy = 1;
if (!strcmp(tmp, "fuzzer")) {
need_aflpplib = 1;
copy = 0;
} else if (!strncmp(tmp, "fuzzer", 6)) {
copy = 0;
}
if (copy) {
if (count) { strcat(new, ","); }
strcat(new, tmp);
++count;
}
}
} else {
ptr++; /*fprintf(stderr, "NO!\n"); */
}
} while (!ende);
strcpy(string, new);
// fprintf(stderr, "string: %s\n", string);
// fprintf(stderr, "new: %s\n", new);
}
/* Copy argv to cc_params, making the necessary edits. */ /* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char **argv, char **envp) { static void edit_params(u32 argc, char **argv, char **envp) {
@ -433,13 +498,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("-fplugin=%s/afl-gcc-cmptrs-pass.so", obj_path); alloc_printf("-fplugin=%s/afl-gcc-cmptrs-pass.so", obj_path);
cc_params[cc_par_cnt++] = fplugin_arg; cc_params[cc_par_cnt++] = fplugin_arg;
} else {
fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
cc_params[cc_par_cnt++] = fplugin_arg;
} }
fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
cc_params[cc_par_cnt++] = fplugin_arg;
cc_params[cc_par_cnt++] = "-fno-if-conversion"; cc_params[cc_par_cnt++] = "-fno-if-conversion";
cc_params[cc_par_cnt++] = "-fno-if-conversion2"; cc_params[cc_par_cnt++] = "-fno-if-conversion2";
@ -759,6 +821,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} }
if (compiler_mode == GCC_PLUGIN && !strcmp(cur, "-pipe")) { continue; }
if (!strcmp(cur, "-z") || !strcmp(cur, "-Wl,-z")) { if (!strcmp(cur, "-z") || !strcmp(cur, "-Wl,-z")) {
u8 *param = *(argv + 1); u8 *param = *(argv + 1);
@ -779,20 +843,35 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} }
if ((!strncmp(cur, "-fsanitize=fuzzer-", strlen("-fsanitize=fuzzer-")) || if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list=")) {
!strncmp(cur, "-fsanitize-coverage", strlen("-fsanitize-coverage"))) &&
(strncmp(cur, "sanitize-coverage-allow", have_instr_list = 1;
strlen("sanitize-coverage-allow")) &&
strncmp(cur, "sanitize-coverage-deny", }
strlen("sanitize-coverage-deny")) &&
instrument_mode != INSTRUMENT_LLVMNATIVE)) { if (!strncmp(cur, "-fsanitize=", strlen("-fsanitize=")) &&
strchr(cur, ',')) {
parse_fsanitize(cur);
if (!cur || strlen(cur) <= strlen("-fsanitize=")) { continue; }
} else if ((!strncmp(cur, "-fsanitize=fuzzer-",
strlen("-fsanitize=fuzzer-")) ||
!strncmp(cur, "-fsanitize-coverage",
strlen("-fsanitize-coverage"))) &&
(strncmp(cur, "sanitize-coverage-allow",
strlen("sanitize-coverage-allow")) &&
strncmp(cur, "sanitize-coverage-deny",
strlen("sanitize-coverage-deny")) &&
instrument_mode != INSTRUMENT_LLVMNATIVE)) {
if (!be_quiet) { WARNF("Found '%s' - stripping!", cur); } if (!be_quiet) { WARNF("Found '%s' - stripping!", cur); }
continue; continue;
} }
if (!strcmp(cur, "-fsanitize=fuzzer")) { if (need_aflpplib || !strcmp(cur, "-fsanitize=fuzzer")) {
u8 *afllib = find_object("libAFLDriver.a", argv[0]); u8 *afllib = find_object("libAFLDriver.a", argv[0]);
@ -823,7 +902,15 @@ static void edit_params(u32 argc, char **argv, char **envp) {
} }
continue; if (need_aflpplib) {
need_aflpplib = 0;
} else {
continue;
}
} }
@ -831,9 +918,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32; if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
if (!strcmp(cur, "-m64")) bit_mode = 64; if (!strcmp(cur, "-m64")) bit_mode = 64;
if (!strncmp(cur, "-fsanitize-coverage-", 20) && strstr(cur, "list="))
have_instr_list = 1;
if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory")) if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
asan_set = 1; asan_set = 1;

10
src/afl-fuzz-queue.c
View File

@ -795,8 +795,14 @@ void cull_queue(afl_state_t *afl) {
u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
u32 avg_exec_us = afl->total_cal_us / afl->total_cal_cycles; u32 cal_cycles = afl->total_cal_cycles;
u32 avg_bitmap_size = afl->total_bitmap_size / afl->total_bitmap_entries; u32 bitmap_entries = afl->total_bitmap_entries;
if (unlikely(!cal_cycles)) { cal_cycles = 1; }
if (unlikely(!bitmap_entries)) { bitmap_entries = 1; }
u32 avg_exec_us = afl->total_cal_us / cal_cycles;
u32 avg_bitmap_size = afl->total_bitmap_size / bitmap_entries;
u32 perf_score = 100; u32 perf_score = 100;
/* Adjust score based on execution speed of this path, compared to the /* Adjust score based on execution speed of this path, compared to the

2
src/afl-fuzz-run.c
View File

@ -363,7 +363,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
++q->cal_failed; ++q->cal_failed;
afl->stage_name = "calibration"; afl->stage_name = "calibration";
afl->stage_max = afl->afl_env.afl_cal_fast ? 3 : CAL_CYCLES; afl->stage_max = afl->afl_env.afl_cal_fast ? CAL_CYCLES_FAST : CAL_CYCLES;
/* Make sure the forkserver is up before we do anything, and let's not /* Make sure the forkserver is up before we do anything, and let's not
count its spin-up time toward binary calibration. */ count its spin-up time toward binary calibration. */

13
src/afl-fuzz-state.c
View File

@ -265,6 +265,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_cmplog_only_new = afl->afl_env.afl_cmplog_only_new =
get_afl_env(afl_environment_variables[i]) ? 1 : 0; get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_NO_STARTUP_CALIBRATION",
afl_environment_variable_len)) {
afl->afl_env.afl_no_startup_calibration =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) { } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) {
afl->afl_env.afl_no_ui = afl->afl_env.afl_no_ui =
@ -597,11 +604,7 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
} }
if (afl->afl_env.afl_pizza_mode == 0) { if (afl->afl_env.afl_pizza_mode) {
afl->afl_env.afl_pizza_mode = 1;
} else {
afl->pizza_is_served = 1; afl->pizza_is_served = 1;

14
src/afl-fuzz.c
View File

@ -273,6 +273,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n" "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
"AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n"
"AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n" "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n"
"AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once\n"
"AFL_NO_UI: switch status screen off\n" "AFL_NO_UI: switch status screen off\n"
DYN_COLOR DYN_COLOR
@ -2150,7 +2151,16 @@ int main(int argc, char **argv_orig, char **envp) {
memset(afl->virgin_tmout, 255, map_size); memset(afl->virgin_tmout, 255, map_size);
memset(afl->virgin_crash, 255, map_size); memset(afl->virgin_crash, 255, map_size);
perform_dry_run(afl); if (likely(!afl->afl_env.afl_no_startup_calibration)) {
perform_dry_run(afl);
} else {
ACTF("skipping initial seed calibration due option override");
usleep(1000);
}
if (afl->q_testcase_max_cache_entries) { if (afl->q_testcase_max_cache_entries) {
@ -2550,7 +2560,7 @@ stop_fuzzing:
write_bitmap(afl); write_bitmap(afl);
save_auto(afl); save_auto(afl);
if (afl->afl_env.afl_pizza_mode) { if (afl->pizza_is_served) {
SAYF(CURSOR_SHOW cLRD "\n\n+++ Baking aborted %s +++\n" cRST, SAYF(CURSOR_SHOW cLRD "\n\n+++ Baking aborted %s +++\n" cRST,
afl->stop_soon == 2 ? "programmatically" : "by the chef"); afl->stop_soon == 2 ? "programmatically" : "by the chef");

7
src/afl-showmap.c
View File

@ -1240,7 +1240,12 @@ int main(int argc, char **argv_orig, char **envp) {
u32 save_be_quiet = be_quiet; u32 save_be_quiet = be_quiet;
be_quiet = !debug; be_quiet = !debug;
fsrv->map_size = 4194304; // dummy temporary value if (map_size > 4194304) {
fsrv->map_size = map_size;
}
else {
fsrv->map_size = 4194304; // dummy temporary value
}
u32 new_map_size = u32 new_map_size =
afl_fsrv_get_mapsize(fsrv, use_argv, &stop_soon, afl_fsrv_get_mapsize(fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") || (get_afl_env("AFL_DEBUG_CHILD") ||

18
utils/libtokencap/libtokencap.so.c
View File

@ -354,7 +354,7 @@ static void __tokencap_dump(const u8 *ptr, size_t len, u8 is_text) {
#undef strcmp #undef strcmp
int strcmp(const char *str1, const char *str2) { __attribute__((hot)) int strcmp(const char *str1, const char *str2) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1); if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
@ -378,7 +378,7 @@ int strcmp(const char *str1, const char *str2) {
#undef strncmp #undef strncmp
int strncmp(const char *str1, const char *str2, size_t len) { __attribute__((hot)) int strncmp(const char *str1, const char *str2, size_t len) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1); if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
@ -404,7 +404,7 @@ int strncmp(const char *str1, const char *str2, size_t len) {
#undef strcasecmp #undef strcasecmp
int strcasecmp(const char *str1, const char *str2) { __attribute__((hot)) int strcasecmp(const char *str1, const char *str2) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1); if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
@ -428,7 +428,7 @@ int strcasecmp(const char *str1, const char *str2) {
#undef strncasecmp #undef strncasecmp
int strncasecmp(const char *str1, const char *str2, size_t len) { __attribute__((hot)) int strncasecmp(const char *str1, const char *str2, size_t len) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1); if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
@ -454,7 +454,7 @@ int strncasecmp(const char *str1, const char *str2, size_t len) {
#undef memcmp #undef memcmp
int memcmp(const void *mem1, const void *mem2, size_t len) { __attribute__((hot)) int memcmp(const void *mem1, const void *mem2, size_t len) {
if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0); if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0); if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
@ -481,7 +481,7 @@ int memcmp(const void *mem1, const void *mem2, size_t len) {
#undef bcmp #undef bcmp
int bcmp(const void *mem1, const void *mem2, size_t len) { __attribute__((hot)) int bcmp(const void *mem1, const void *mem2, size_t len) {
if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0); if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0); if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
@ -508,7 +508,7 @@ int bcmp(const void *mem1, const void *mem2, size_t len) {
#undef strstr #undef strstr
char *strstr(const char *haystack, const char *needle) { __attribute__((hot)) char *strstr(const char *haystack, const char *needle) {
if (__tokencap_is_ro(haystack)) if (__tokencap_is_ro(haystack))
__tokencap_dump(haystack, strlen(haystack), 1); __tokencap_dump(haystack, strlen(haystack), 1);
@ -537,7 +537,7 @@ char *strstr(const char *haystack, const char *needle) {
#undef strcasestr #undef strcasestr
char *strcasestr(const char *haystack, const char *needle) { __attribute__((hot)) char *strcasestr(const char *haystack, const char *needle) {
if (__tokencap_is_ro(haystack)) if (__tokencap_is_ro(haystack))
__tokencap_dump(haystack, strlen(haystack), 1); __tokencap_dump(haystack, strlen(haystack), 1);
@ -566,7 +566,7 @@ char *strcasestr(const char *haystack, const char *needle) {
#undef memmem #undef memmem
void *memmem(const void *haystack, size_t haystack_len, const void *needle, __attribute__((hot)) void *memmem(const void *haystack, size_t haystack_len, const void *needle,
size_t needle_len) { size_t needle_len) {
if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1); if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1);