fix update_bitmap_score when no current trace is present

This commit is contained in:
vanhauser-thc
2025-04-09 14:21:42 +02:00
parent 891b7f48f0
commit 4ff2673895
8 changed files with 65 additions and 61 deletions


@ -11,6 +11,7 @@
- memory leak fixes by @kcwu - thanks! - memory leak fixes by @kcwu - thanks!
- some more nits and small memory saves thanks to @kcwu - some more nits and small memory saves thanks to @kcwu
- remove deprecated files from queue/.state - remove deprecated files from queue/.state
- fix bitmap update function if no current trace is present
- frida_mode: - frida_mode:
- fixes for new MacOS + M4 hardware - fixes for new MacOS + M4 hardware


@ -1186,7 +1186,7 @@ void deinit_py(void *);
void mark_as_det_done(afl_state_t *, struct queue_entry *); void mark_as_det_done(afl_state_t *, struct queue_entry *);
void add_to_queue(afl_state_t *, u8 *, u32, u8); void add_to_queue(afl_state_t *, u8 *, u32, u8);
void destroy_queue(afl_state_t *); void destroy_queue(afl_state_t *);
void update_bitmap_score(afl_state_t *, struct queue_entry *); void update_bitmap_score(afl_state_t *, struct queue_entry *, bool);
void cull_queue(afl_state_t *); void cull_queue(afl_state_t *);
u32 calculate_score(afl_state_t *, struct queue_entry *); u32 calculate_score(afl_state_t *, struct queue_entry *);
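Review bot: The new third parameter of `update_bitmap_score` is declared as a bare `bool` with no name, so a caller reading the header cannot tell whether `true` means "a trace is present" or "skip the trace"; the neighbouring prototypes also omit names, but a flag parameter is exactly the case where a name pays off. I would declare it as `void update_bitmap_score(afl_state_t *, struct queue_entry *, bool have_trace);` and add a one-line comment above it: `/* have_trace: afl->fsrv.trace_bits currently holds the trace for q */`. This is also the first use of `bool` visible in the hunk; confirm `<stdbool.h>` (or an equivalent) is already in scope for this header.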


@ -490,8 +490,7 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
u8 fn[PATH_MAX]; u8 fn[PATH_MAX];
u8 *queue_fn = ""; u8 *queue_fn = "";
u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0, u8 new_bits = 0, keeping = 0, res, is_timeout = 0, need_hash = 1;
need_hash = 1;
s32 fd; s32 fd;
u64 cksum = 0; u64 cksum = 0;
u32 cksum_simplified = 0, cksum_unique = 0; u32 cksum_simplified = 0, cksum_unique = 0;
@ -508,7 +507,6 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) { if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
classify_counts(&afl->fsrv); classify_counts(&afl->fsrv);
classified = 1;
need_hash = 0; need_hash = 0;
cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
@ -632,7 +630,6 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
afl->san_case_status |= NON_COV_INCREASE_BUG; afl->san_case_status |= NON_COV_INCREASE_BUG;
fault = san_fault; fault = san_fault;
classified = new_bits;
goto may_save_fault; goto may_save_fault;
} }
@ -640,7 +637,6 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
} }
fault = san_fault; fault = san_fault;
classified = new_bits;
save_to_queue: save_to_queue:
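Review bot: The removal of the `classified` local and its three stores is unrelated to the bitmap-score fix named in the title and changelog, and nothing in the hunks explains it. Since the declaration itself goes away, any surviving read below `save_to_queue:` would fail to compile, so this is presumably dead-store cleanup and behaviour-neutral, but it deserves a mention in the commit message so the next reader does not look for a functional reason. save_if_interesting's body starts and ends outside these hunks.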


@ -636,7 +636,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf,
q->len = out_len; q->len = out_len;
memcpy(afl->fsrv.trace_bits, afl->clean_trace_custom, afl->fsrv.map_size); memcpy(afl->fsrv.trace_bits, afl->clean_trace_custom, afl->fsrv.map_size);
update_bitmap_score(afl, q); update_bitmap_score(afl, q, true);
} }


@ -794,7 +794,8 @@ void destroy_queue(afl_state_t *afl) {
previous contender, or if the contender has a more favorable speed x size previous contender, or if the contender has a more favorable speed x size
factor. */ factor. */
void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { void update_bitmap_score(afl_state_t *afl, struct queue_entry *q,
bool have_trace) {
u32 i; u32 i;
u64 fav_factor; u64 fav_factor;
@ -824,6 +825,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
} }
if (have_trace) {
/* For every byte set in afl->fsrv.trace_bits[], see if there is a previous /* For every byte set in afl->fsrv.trace_bits[], see if there is a previous
winner, and how it compares to us. */ winner, and how it compares to us. */
for (i = 0; i < afl->fsrv.map_size; ++i) { for (i = 0; i < afl->fsrv.map_size; ++i) {
@ -867,7 +870,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
if (likely(fav_factor > top_rated_fav_factor)) { continue; } if (likely(fav_factor > top_rated_fav_factor)) { continue; }
/* Looks like we're going to win. Decrease ref count for the /* Looks like we're going to win. Decrease ref count for the
previous winner, discard its afl->fsrv.trace_bits[] if necessary. */ previous winner, discard its afl->fsrv.trace_bits[] if necessary.
*/
if (!--afl->top_rated[i]->tc_ref) { if (!--afl->top_rated[i]->tc_ref) {
@ -899,6 +903,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
} }
}
/* The second part of the mechanism discussed above is a routine that /* The second part of the mechanism discussed above is a routine that
goes over afl->top_rated[] entries, and then sequentially grabs winners for goes over afl->top_rated[] entries, and then sequentially grabs winners for
previously-unseen bytes (temp_v) and marks them as favored, at least previously-unseen bytes (temp_v) and marks them as favored, at least
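Review bot: The header comment ending at `factor. */` is not extended to describe the new `have_trace` parameter, although the guard it introduces changes the function's contract: the whole walk over `afl->fsrv.trace_bits[]` and every `afl->top_rated[]` update now sit inside `if (have_trace) {`. I would append to that comment: `have_trace must be true only when afl->fsrv.trace_bits holds the trace of q; when false the top_rated[] walk is skipped and the function performs no favoring.` The statements between the `fav_factor` declaration and the guard are cut by the hunk; if they only compute locals consumed inside the guarded loop, an early `if (!have_trace) { return; }` at the top would make the no-trace path obvious and avoid the dead work. The comment reflow at `discard its afl->fsrv.trace_bits[] if necessary.` is whitespace-only.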


@ -652,7 +652,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
afl->total_bitmap_size += q->bitmap_size; afl->total_bitmap_size += q->bitmap_size;
++afl->total_bitmap_entries; ++afl->total_bitmap_entries;
update_bitmap_score(afl, q); update_bitmap_score(afl, q, true);
/* If this case didn't result in new output from the instrumentation, tell /* If this case didn't result in new output from the instrumentation, tell
parent. This is a non-critical problem, but something to warn the user parent. This is a non-critical problem, but something to warn the user
@ -1161,7 +1161,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
queue_testcase_retake_mem(afl, q, in_buf, q->len, orig_len); queue_testcase_retake_mem(afl, q, in_buf, q->len, orig_len);
memcpy(afl->fsrv.trace_bits, afl->clean_trace, afl->fsrv.map_size); memcpy(afl->fsrv.trace_bits, afl->clean_trace, afl->fsrv.map_size);
update_bitmap_score(afl, q); update_bitmap_score(afl, q, true);
} }


@ -2857,7 +2857,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl->total_bitmap_size += q->bitmap_size; afl->total_bitmap_size += q->bitmap_size;
++afl->total_bitmap_entries; ++afl->total_bitmap_entries;
update_bitmap_score(afl, q); update_bitmap_score(afl, q, false);
if (q->was_fuzzed) { --afl->pending_not_fuzzed; } if (q->was_fuzzed) { --afl->pending_not_fuzzed; }
@ -3231,7 +3231,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (likely(!afl->queue_buf[i]->disabled)) { if (likely(!afl->queue_buf[i]->disabled)) {
update_bitmap_score(afl, afl->queue_buf[i]); update_bitmap_score(afl, afl->queue_buf[i], false);
} }
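Review bot: With `false` passed from the loop over `afl->queue_buf[i]`, update_bitmap_score no longer touches `top_rated[]` for any of those entries, so if this loop existed to rebuild the favored set after the queue was populated it now contributes nothing toward that, and entries only become favored once calibrate_case or trim_case run with a real trace. That is the right outcome if the trace in `afl->fsrv.trace_bits` was stale at this point, which the commit title implies, but the loop then deserves a comment stating what it still does, e.g. `/* no trace available here: only refreshes per-entry scoring state, top_rated[] is rebuilt on calibration */`, or removal if nothing remains. The same applies to the first call site in this file. main() continues outside both hunks.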


@ -159,10 +159,11 @@ void show_stats(afl_state_t *afl) {
} }
void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { void update_bitmap_score(afl_state_t *afl, struct queue_entry *q, bool x) {
(void)afl; (void)afl;
(void)q; (void)q;
(void)x;
} }
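Review bot: The stub names the new parameter `x`, which tells a reader nothing and diverges from the real definition; `void update_bitmap_score(afl_state_t *afl, struct queue_entry *q, bool have_trace) {` with `(void)have_trace;` keeps the two signatures greppable against each other. As with the header, confirm `<stdbool.h>` is reachable from this file, since `bool` is now used in a translation unit that previously had no need for it.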