added afl_custom_mutator_only

TODO

@@ -4,8 +4,6 @@ Roadmap 2.54d:
 afl-fuzz:
  - enable python mutator for MOpt
  - enable custom mutator for MOpt
- - make custom mutator to call other mutators as well unless
-   AFL_CUSTOM_MUTATOR_ONLY=1 is set
  - add superion?
 
 remote feature

docs/ChangeLog

@@ -18,6 +18,8 @@ Version ++2.54d (dev):
 ----------------------
 
   - persistent mode for QEMU (see qemu_mode/README.md)
+  - custom mutator library is now a standard mutator, to exclusivly use it
+    add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
   - no more unlinking the input file, this way the input file can also be a
     FIFO or disk partition
   - reducing duplicate code in afl-fuzz

docs/custom_mutator.txt

@@ -18,8 +18,13 @@ environment variable. The library must export the afl_custom_mutator() function
 must be compiled as a shared object. For example:
      $CC -shared -Wall -O3 <lib-name>.c -o <lib-name>.so
 
-AFL will call the afl_custom_mutator() function every time it needs to mutate
+Note: unless AFL_CUSTOM_MUTATOR_ONLY is set, its state mutator like any others,
-a test case. For some cases, the format of the mutated data returned from
+so it will be used for some test cases, and other mutators for others.
+
+Only if AFL_CUSTOM_MUTATOR_ONLY is set the afl_custom_mutator() function will
+be called every time it needs to mutate test case!
+
+For some cases, the format of the mutated data returned from
 the custom mutator is not suitable to directly execute the target with this input.
 For example, when using libprotobuf-mutator, the data returned is in a protobuf
 format which corresponds to a given grammar. In order to execute the target,

docs/env_variables.txt

@@ -202,8 +202,9 @@ checks or alter some of the more exotic semantics of the tool:
     for more.
 
   - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with
-    afl_custom_mutator() export will run all mutations solely to this function.
+    afl_custom_mutator() export run additional mutations though this library.
-    see docs/custom_mutator.txt
+    If AFL_CUSTOM_MUTATOR_ONLY is also set, all mutations will solely be
+    performed with/from the libary. see docs/custom_mutator.txt
 
   - For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require to be compiled
     with -DUSE_PYTHON. Please see docs/python_mutators.txt

include/afl-fuzz.h

@@ -251,6 +251,7 @@ extern u64 mem_limit;                   /* Memory cap for child (MB)        */
 
 extern u8 cal_cycles,                   /* Calibration cycles defaults      */
     cal_cycles_long, debug,             /* Debug mode                       */
+    custom_only,                        /* Custom mutator only mode         */
     python_only;                        /* Python-only mode                 */
 
 extern u32 stats_update_freq;           /* Stats update frequency (execs)   */

src/afl-fuzz-globals.c

@@ -84,6 +84,7 @@ u64 mem_limit = MEM_LIMIT;              /* Memory cap for child (MB)        */
 
 u8 cal_cycles = CAL_CYCLES,             /* Calibration cycles defaults      */
     cal_cycles_long = CAL_CYCLES_LONG, debug,                 /* Debug mode */
+    custom_only,                        /* Custom mutator only mode         */
     python_only;                        /* Python-only mode                 */
 
 u32 stats_update_freq = 1;              /* Stats update frequency (execs)   */

src/afl-fuzz-one.c

@@ -516,7 +516,14 @@ u8 fuzz_one_original(char** argv) {
 
     stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
     stage_cycles[STAGE_CUSTOM_MUTATOR] += stage_max;
-    goto abandon_entry;
+
+    if (custom_only) {
+
+      /* Skip other stages */
+      ret_val = 0;
+      goto abandon_entry;
+
+    }
 
   }
 

src/afl-fuzz.c

@@ -622,6 +622,16 @@ int main(int argc, char** argv) {
 
   }
 
+  if (getenv("AFL_CUSTOM_MUTATOR_ONLY")) {
+
+    /* This ensures we don't proceed to havoc/splice */
+    custom_only = 1;
+
+    /* Ensure we also skip all deterministic steps */
+    skip_deterministic = 1;
+
+  }
+
   get_core_count();
 
 #ifdef HAVE_AFFINITY