vanhauser-thc
2021-10-17 20:31:02 +02:00
parent bf0fbc24ad
commit 462149de64
2 changed files with 53 additions and 52 deletions


@ -1944,15 +1944,8 @@ void __cmplog_rtn_hook_n(u8 *ptr1, u8 *ptr2, u32 len) {
void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) { void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) {
/* /*
u32 i;
if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return; if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
fprintf(stderr, "rtn_strn len=%u arg0=", len); fprintf(stderr, "rtn_strn len=%u arg0=%s arg1=%s\n", len, ptr1, ptr2);
for (i = 0; i < len; i++)
fprintf(stderr, "%02x", ptr1[i]);
fprintf(stderr, " arg1=");
for (i = 0; i < len; i++)
fprintf(stderr, "%02x", ptr2[i]);
fprintf(stderr, "\n");
*/ */
if (likely(!__afl_cmp_map)) return; if (likely(!__afl_cmp_map)) return;
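Review bot: The rewritten debug line in __cmplog_rtn_hook_strn prints ptr1 and ptr2 with `%s`, which reads until a NUL regardless of `len`, while the guard just above only validates 32 bytes of each pointer; for a strn hook the operands need not be NUL-terminated within `len`, so if this block is ever re-enabled it can read past what was checked. Bounding the print with the length the hook already has, `fprintf(stderr, "rtn_strn len=%u arg0=%.*s arg1=%.*s\n", len, (int)len, ptr1, (int)len, ptr2);`, keeps the output inside the range the hook is about, and the `(int)` casts also avoid the `-Wformat` complaint about passing a `u8 *` to `%s` only if the pointers are cast to `char *` as well. The same `%s` after a 32-byte `area_is_valid` check appears in the __cmplog_rtn_hook_str hunk below, which has no length to bound with, so a comment there such as `/* assumes both operands are NUL-terminated */` would be worth adding. Both blocks sit inside `/* */` so the change is inert today; both function bodies continue outside their hunks.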
@ -2005,15 +1998,8 @@ void __cmplog_rtn_hook_strn(u8 *ptr1, u8 *ptr2, u32 len) {
void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) { void __cmplog_rtn_hook_str(u8 *ptr1, u8 *ptr2) {
/* /*
u32 i;
if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return; if (area_is_valid(ptr1, 32) <= 0 || area_is_valid(ptr2, 32) <= 0) return;
fprintf(stderr, "rtn_str arg0="); fprintf(stderr, "rtn_str arg0=%s arg1=%s\n", ptr1, ptr2);
for (i = 0; i < len; i++)
fprintf(stderr, "%02x", ptr1[i]);
fprintf(stderr, " arg1=");
for (i = 0; i < len; i++)
fprintf(stderr, "%02x", ptr2[i]);
fprintf(stderr, "\n");
*/ */
if (likely(!__afl_cmp_map)) return; if (likely(!__afl_cmp_map)) return;


@ -1455,25 +1455,25 @@ static u8 cmp_extend_encodingN(afl_state_t *afl, struct cmp_header *h,
#ifdef _DEBUG #ifdef _DEBUG
fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ", fprintf(stderr, "TestUN: %u>=%u (len=%u idx=%u attr=%u off=%lu) (%u) ",
its_len, shape, len, idx, attr, off, do_reverse); its_len, hshape, len, idx, attr, off, do_reverse);
u32 i; u32 i;
u8 *o_r = (u8 *)&changed_val; u8 *o_r = (u8 *)&changed_val;
for (i = 0; i < shape; i++) for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", ptr[i]); fprintf(stderr, "%02x", ptr[i]);
fprintf(stderr, "=="); fprintf(stderr, "==");
for (i = 0; i < shape; i++) for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", p[off + i]); fprintf(stderr, "%02x", p[off + i]);
fprintf(stderr, " "); fprintf(stderr, " ");
for (i = 0; i < shape; i++) for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", o_ptr[i]); fprintf(stderr, "%02x", o_ptr[i]);
fprintf(stderr, "=="); fprintf(stderr, "==");
for (i = 0; i < shape; i++) for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", o_p[off + i]); fprintf(stderr, "%02x", o_p[off + i]);
fprintf(stderr, " <= "); fprintf(stderr, " <= ");
for (i = 0; i < shape; i++) for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", r[off + i]); fprintf(stderr, "%02x", r[off + i]);
fprintf(stderr, "<-"); fprintf(stderr, "<-");
for (i = 0; i < shape; i++) for (i = 0; i < hshape; i++)
fprintf(stderr, "%02x", o_r[off + i]); fprintf(stderr, "%02x", o_r[off + i]);
fprintf(stderr, "\n"); fprintf(stderr, "\n");
#endif #endif
@ -1850,39 +1850,46 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
is_n, hshape); is_n, hshape);
#endif #endif
u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2); // we only learn 16 bit +
if (o->v0 != orig_o->v0) { same0 = 8; } if (hshape > 1) {
if (o->v1 != orig_o->v1) { same1 = 8; }
u8 same0 = 0, same1 = 0, result = 1 + 2 + (found_one << 2);
if (o->v0 != orig_o->v0) { same0 = 8; }
if (o->v1 != orig_o->v1) { same1 = 8; }
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
if (unlikely(is_n)) { if (unlikely(is_n)) {
if (DICT_ADD_STRATEGY >= same0 + result) { if (DICT_ADD_STRATEGY >= same0 + result) {
try_to_add_to_dictN(afl, s128_v0, hshape); try_to_add_to_dictN(afl, s128_v0, hshape);
} }
if (DICT_ADD_STRATEGY >= same1 + result) { if (DICT_ADD_STRATEGY >= same1 + result) {
try_to_add_to_dictN(afl, s128_v1, hshape); try_to_add_to_dictN(afl, s128_v1, hshape);
} }
} else } else
#endif #endif
{ {
if (DICT_ADD_STRATEGY >= same0 + result) { if (DICT_ADD_STRATEGY >= same0 + result) {
try_to_add_to_dict(afl, o->v0, hshape); // fprintf(stderr, "add v0 0x%llx\n", o->v0);
try_to_add_to_dict(afl, o->v0, hshape);
} }
if (DICT_ADD_STRATEGY >= same1 + result) { if (DICT_ADD_STRATEGY >= same1 + result) {
try_to_add_to_dict(afl, o->v1, hshape); // fprintf(stderr, "add v1 0x%llx\n", o->v1);
try_to_add_to_dict(afl, o->v1, hshape);
}
} }
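Review bot: The restored `// fprintf(stderr, "add v0 0x%llx\n", o->v0);` and `// fprintf(stderr, "add v1 0x%llx\n", o->v1);` lines in the else branch add commented-out debug code, while the `#endif` at the top of this same hunk shows the file already gates its tracing behind `#ifdef _DEBUG`; either wrap them in `#ifdef _DEBUG ... #endif` like the rest of the file or leave them out. The same pattern is added in the two later hunks of this file (`// fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0);` and `// fprintf(stderr, "INS %u\n", k);`). The new comment `// we only learn 16 bit +` would read better as `// only learn from compares of 2+ bytes (hshape > 1)`, since hshape appears to be the operand width in bytes (it bounds the per-byte hex loops in the cmp_extend_encodingN hunk above). The body of cmp_fuzz continues beyond both ends of this hunk and the closing brace of the new `if (hshape > 1) {` is not visible here, so its extent should be checked against the full diff.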
@ -2428,18 +2435,22 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
} }
/* /*
struct cmp_header *hh = &afl->orig_cmp_map->headers[key]; struct cmp_header *hh = &afl->orig_cmp_map->headers[key];
fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, h->id,
h->id, hshape, h->attribute); hshape, h->attribute);
for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]); for (j = 0; j < 8; j++)
fprintf(stderr, " v1="); fprintf(stderr, "%02x", o->v0[j]);
for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]); fprintf(stderr, " v1=");
fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", for (j = 0; j < 8; j++)
hh->hits, hh->id, hshape, hh->attribute); fprintf(stderr, "%02x", o->v1[j]);
for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]); fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=", hh->hits,
fprintf(stderr, " o1="); hh->id, hshape, hh->attribute);
for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]); for (j = 0; j < 8; j++)
fprintf(stderr, "\n"); fprintf(stderr, "%02x", orig_o->v0[j]);
fprintf(stderr, " o1=");
for (j = 0; j < 8; j++)
fprintf(stderr, "%02x", orig_o->v1[j]);
fprintf(stderr, "\n");
*/ */
t = taint; t = taint;
@ -2547,12 +2558,14 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
if (DICT_ADD_STRATEGY >= same0 + result) { if (DICT_ADD_STRATEGY >= same0 + result) {
// fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0);
maybe_add_auto(afl, o->v0, l0); maybe_add_auto(afl, o->v0, l0);
} }
if (DICT_ADD_STRATEGY >= same1 + result) { if (DICT_ADD_STRATEGY >= same1 + result) {
// fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1);
maybe_add_auto(afl, o->v1, l1); maybe_add_auto(afl, o->v1, l1);
} }
@ -2727,11 +2740,13 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) { if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) {
// fprintf(stderr, "INS %u\n", k);
afl->stage_max += afl->stage_max +=
MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_H); MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_H);
} else { } else {
// fprintf(stderr, "RTN %u\n", k);
afl->stage_max += afl->stage_max +=
MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_RTN_H); MIN((u32)(afl->shm.cmp_map->headers[k].hits), (u32)CMP_MAP_RTN_H);