added afl_custom_mutator_only

2025-06-14 02:58:08 +00:00 · 2019-09-16 16:17:16 +02:00
parent 46ac559003
commit 428b88a82a
8 changed files with 33 additions and 8 deletions
--- a/2
+++ b/2
@ -4,8 +4,6 @@ Roadmap 2.54d:
 afl-fuzz:
 - enable python mutator for MOpt
 - enable custom mutator for MOpt
- - make custom mutator to call other mutators as well unless
-   AFL_CUSTOM_MUTATOR_ONLY=1 is set
 - add superion?

 remote feature
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@ -18,6 +18,8 @@ Version ++2.54d (dev):
 ----------------------

  - persistent mode for QEMU (see qemu_mode/README.md)
+  - custom mutator library is now a standard mutator, to exclusivly use it
+    add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
  - no more unlinking the input file, this way the input file can also be a
    FIFO or disk partition
  - reducing duplicate code in afl-fuzz
--- a/docs/custom_mutator.txt
+++ b/docs/custom_mutator.txt
@ -18,8 +18,13 @@ environment variable. The library must export the afl_custom_mutator() function
 must be compiled as a shared object. For example:
     $CC -shared -Wall -O3 <lib-name>.c -o <lib-name>.so

-AFL will call the afl_custom_mutator() function every time it needs to mutate
-a test case. For some cases, the format of the mutated data returned from
+Note: unless AFL_CUSTOM_MUTATOR_ONLY is set, its state mutator like any others,
+so it will be used for some test cases, and other mutators for others.
+
+Only if AFL_CUSTOM_MUTATOR_ONLY is set the afl_custom_mutator() function will
+be called every time it needs to mutate test case!
+
+For some cases, the format of the mutated data returned from
 the custom mutator is not suitable to directly execute the target with this input.
 For example, when using libprotobuf-mutator, the data returned is in a protobuf
 format which corresponds to a given grammar. In order to execute the target,
--- a/docs/env_variables.txt
+++ b/docs/env_variables.txt
@ -202,8 +202,9 @@ checks or alter some of the more exotic semantics of the tool:
    for more.

  - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with
-    afl_custom_mutator() export will run all mutations solely to this function.
-    see docs/custom_mutator.txt
+    afl_custom_mutator() export run additional mutations though this library.
+    If AFL_CUSTOM_MUTATOR_ONLY is also set, all mutations will solely be
+    performed with/from the libary. see docs/custom_mutator.txt

  - For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require to be compiled
    with -DUSE_PYTHON. Please see docs/python_mutators.txt
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -251,6 +251,7 @@ extern u64 mem_limit;                   /* Memory cap for child (MB)        */

 extern u8 cal_cycles,                   /* Calibration cycles defaults      */
    cal_cycles_long, debug,             /* Debug mode                       */
+    custom_only,                        /* Custom mutator only mode         */
    python_only;                        /* Python-only mode                 */

 extern u32 stats_update_freq;           /* Stats update frequency (execs)   */
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@ -84,6 +84,7 @@ u64 mem_limit = MEM_LIMIT;              /* Memory cap for child (MB)        */

 u8 cal_cycles = CAL_CYCLES,             /* Calibration cycles defaults      */
    cal_cycles_long = CAL_CYCLES_LONG, debug,                 /* Debug mode */
+    custom_only,                        /* Custom mutator only mode         */
    python_only;                        /* Python-only mode                 */

 u32 stats_update_freq = 1;              /* Stats update frequency (execs)   */
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@ -516,10 +516,17 @@ u8 fuzz_one_original(char** argv) {

    stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
    stage_cycles[STAGE_CUSTOM_MUTATOR] += stage_max;
+
+    if (custom_only) {
+
+      /* Skip other stages */
+      ret_val = 0;
      goto abandon_entry;

    }

+  }
+
  /* Skip right away if -d is given, if it has not been chosen sufficiently
     often to warrant the expensive deterministic stage (fuzz_level), or
     if it has gone through deterministic testing in earlier, resumed runs
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -622,6 +622,16 @@ int main(int argc, char** argv) {

  }

+  if (getenv("AFL_CUSTOM_MUTATOR_ONLY")) {
+
+    /* This ensures we don't proceed to havoc/splice */
+    custom_only = 1;
+
+    /* Ensure we also skip all deterministic steps */
+    skip_deterministic = 1;
+
+  }
+
  get_core_count();

 #ifdef HAVE_AFFINITY