ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-16 03:48:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix cmplog screen update crash

Browse Source
This commit is contained in:
vanhauser-thc
2021-06-11 10:44:06 +02:00
parent a7340a1ac6
commit 63504f7b7e
3 changed files with 63 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/Changelog.md
View File

@ -9,9 +9,9 @@ Want to stay in the loop on major new features? Join our mailing list by
sending a mail to <afl-users+subscribe@googlegroups.com>. sending a mail to <afl-users+subscribe@googlegroups.com>.
### Version ++3.14a (release) ### Version ++3.14a (release)
- Fix for llvm 13
- afl-fuzz: - afl-fuzz:
- fix -F when a '/' was part of the parameter - fix -F when a '/' was part of the parameter
- fixed a crash for cmplog for very slow inputs
- removed implied -D determinstic from -M main - removed implied -D determinstic from -M main
- if the target becomes unavailable check out out/default/error.txt for - if the target becomes unavailable check out out/default/error.txt for
an indicator why an indicator why
@ -21,6 +21,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- We do support llvm versions from 3.8 again - We do support llvm versions from 3.8 again
- afl_analyze - afl_analyze
- fix timeout handling and support forkserver - fix timeout handling and support forkserver
- Fix for llvm 13
- ensure afl-compiler-rt is built for gcc_module - ensure afl-compiler-rt is built for gcc_module
- afl-analyze now uses the forkserver for increased performance - afl-analyze now uses the forkserver for increased performance

2
src/afl-common.c
View File

@ -751,6 +751,8 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) {
} }
/* Get unix time in milliseconds */
u64 get_cur_time(void) { u64 get_cur_time(void) {
struct timeval tv; struct timeval tv;

91
src/afl-fuzz-redqueen.c
View File

@ -252,7 +252,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
u64 start_time = get_cur_time(); u64 start_time = get_cur_time();
#endif #endif
u32 screen_update = 1000000 / afl->queue_cur->exec_us; u32 screen_update;
u64 orig_hit_cnt, new_hit_cnt, exec_cksum; u64 orig_hit_cnt, new_hit_cnt, exec_cksum;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
@ -261,6 +261,24 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
afl->stage_max = (len << 1); afl->stage_max = (len << 1);
afl->stage_cur = 0; afl->stage_cur = 0;
if (likely(afl->queue_cur->exec_us)) {
if (likely((100000 / 2) >= afl->queue_cur->exec_us)) {
screen_update = 100000 / afl->queue_cur->exec_us;
} else {
screen_update = 1;
}
} else {
screen_update = 100000;
}
// in colorization we do not classify counts, hence we have to calculate // in colorization we do not classify counts, hence we have to calculate
// the original checksum. // the original checksum.
if (unlikely(get_exec_checksum(afl, buf, len, &exec_cksum))) { if (unlikely(get_exec_checksum(afl, buf, len, &exec_cksum))) {
@ -905,17 +923,16 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
// test for arithmetic, eg. "if ((user_val - 0x1111) == 0x1234) ..." // test for arithmetic, eg. "if ((user_val - 0x1111) == 0x1234) ..."
s64 diff = pattern - b_val; s64 diff = pattern - b_val;
s64 o_diff = o_pattern - o_b_val; s64 o_diff = o_pattern - o_b_val;
/* /* fprintf(stderr, "DIFF1 idx=%03u shape=%02u %llx-%llx=%lx\n", idx,
fprintf(stderr, "DIFF1 idx=%03u shape=%02u %llx-%llx=%lx\n", idx, h->shape + 1, o_pattern, o_b_val, o_diff);
h->shape + 1, o_pattern, o_b_val, o_diff); fprintf(stderr, "DIFF1 %016llx %llx-%llx=%lx\n", repl, pattern,
fprintf(stderr, "DIFF1 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff); */
b_val, diff);*/
if (diff == o_diff && diff) { if (diff == o_diff && diff) {
// this could be an arithmetic transformation // this could be an arithmetic transformation
u64 new_repl = (u64)((s64)repl - diff); u64 new_repl = (u64)((s64)repl - diff);
// fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl); // fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl);
if (unlikely(cmp_extend_encoding( if (unlikely(cmp_extend_encoding(
afl, h, pattern, new_repl, o_pattern, repl, IS_TRANSFORM, idx, afl, h, pattern, new_repl, o_pattern, repl, IS_TRANSFORM, idx,
@ -935,15 +952,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
diff = pattern ^ b_val; diff = pattern ^ b_val;
s64 o_diff = o_pattern ^ o_b_val; s64 o_diff = o_pattern ^ o_b_val;
/* fprintf(stderr, "DIFF2 idx=%03u shape=%02u %llx-%llx=%lx\n", /* fprintf(stderr, "DIFF2 idx=%03u shape=%02u %llx-%llx=%lx\n",
idx, h->shape + 1, o_pattern, o_b_val, o_diff); fprintf(stderr, idx, h->shape + 1, o_pattern, o_b_val, o_diff);
"DIFF2 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);*/ fprintf(stderr,
"DIFF2 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);
*/
if (diff == o_diff && diff) { if (diff == o_diff && diff) {
// this could be a XOR transformation // this could be a XOR transformation
u64 new_repl = (u64)((s64)repl ^ diff); u64 new_repl = (u64)((s64)repl ^ diff);
// fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl); // fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl);
if (unlikely(cmp_extend_encoding( if (unlikely(cmp_extend_encoding(
afl, h, pattern, new_repl, o_pattern, repl, IS_TRANSFORM, idx, afl, h, pattern, new_repl, o_pattern, repl, IS_TRANSFORM, idx,
@ -982,15 +1001,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
} }
/* fprintf(stderr, "DIFF3 idx=%03u shape=%02u %llx-%llx=%lx\n", /* fprintf(stderr, "DIFF3 idx=%03u shape=%02u %llx-%llx=%lx\n",
idx, h->shape + 1, o_pattern, o_b_val, o_diff); fprintf(stderr, idx, h->shape + 1, o_pattern, o_b_val, o_diff);
"DIFF3 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);*/ fprintf(stderr,
"DIFF3 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);
*/
if (o_diff && diff) { if (o_diff && diff) {
// this could be a lower to upper // this could be a lower to upper
u64 new_repl = (repl & (0x5f5f5f5f5f5f5f5f & mask)); u64 new_repl = (repl & (0x5f5f5f5f5f5f5f5f & mask));
// fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl); // fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl);
if (unlikely(cmp_extend_encoding( if (unlikely(cmp_extend_encoding(
afl, h, pattern, new_repl, o_pattern, repl, IS_TRANSFORM, idx, afl, h, pattern, new_repl, o_pattern, repl, IS_TRANSFORM, idx,
@ -1029,15 +1050,17 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
} }
/* fprintf(stderr, "DIFF4 idx=%03u shape=%02u %llx-%llx=%lx\n", /* fprintf(stderr, "DIFF4 idx=%03u shape=%02u %llx-%llx=%lx\n",
idx, h->shape + 1, o_pattern, o_b_val, o_diff); fprintf(stderr, idx, h->shape + 1, o_pattern, o_b_val, o_diff);
"DIFF4 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);*/ fprintf(stderr,
"DIFF4 %016llx %llx-%llx=%lx\n", repl, pattern, b_val, diff);
*/
if (o_diff && diff) { if (o_diff && diff) {
// this could be a lower to upper // this could be a lower to upper
u64 new_repl = (repl | (0x2020202020202020 & mask)); u64 new_repl = (repl | (0x2020202020202020 & mask));
// fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl); // fprintf(stderr, "SAME DIFF %llx->%llx\n", repl, new_repl);
if (unlikely(cmp_extend_encoding( if (unlikely(cmp_extend_encoding(
afl, h, pattern, new_repl, o_pattern, repl, IS_TRANSFORM, idx, afl, h, pattern, new_repl, o_pattern, repl, IS_TRANSFORM, idx,
@ -1383,7 +1406,8 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
} }
//#endif /* CMPLOG_SOLVE_ARITHMETIC //#endif /*
// CMPLOG_SOLVE_ARITHMETIC
return 0; return 0;
@ -2152,7 +2176,8 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
memcpy(buf + idx, tmp, i + 1); memcpy(buf + idx, tmp, i + 1);
if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
// fprintf(stderr, "RTN ATTEMPT tohex %u result %u\n", tohex, *status); // fprintf(stderr, "RTN ATTEMPT tohex %u result %u\n", tohex,
// *status);
} }
@ -2235,7 +2260,8 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
for (j = 0; j <= i; j++) for (j = 0; j <= i; j++)
buf[idx + j] = repl[j] - arith_val[j]; buf[idx + j] = repl[j] - arith_val[j];
if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; } if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
// fprintf(stderr, "RTN ATTEMPT arith %u result %u\n", arith, *status); // fprintf(stderr, "RTN ATTEMPT arith %u result %u\n", arith,
// *status);
} }
@ -2328,16 +2354,17 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
/* /*
struct cmp_header *hh = &afl->orig_cmp_map->headers[key]; struct cmp_header *hh = &afl->orig_cmp_map->headers[key];
fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits, h->id, fprintf(stderr, "RTN N hits=%u id=%u shape=%u attr=%u v0=", h->hits,
h->shape, h->attribute); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", h->id, h->shape, h->attribute);
o->v0[j]); fprintf(stderr, " v1="); for (j = 0; j < 8; j++) fprintf(stderr, for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v0[j]);
"%02x", o->v1[j]); fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u fprintf(stderr, " v1=");
o0=", hh->hits, hh->id, hh->shape, hh->attribute); for (j = 0; j < 8; j++) for (j = 0; j < 8; j++) fprintf(stderr, "%02x", o->v1[j]);
fprintf(stderr, "%02x", orig_o->v0[j]); fprintf(stderr, "\nRTN O hits=%u id=%u shape=%u attr=%u o0=",
fprintf(stderr, " o1="); hh->hits, hh->id, hh->shape, hh->attribute);
for (j = 0; j < 8; j++) for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v0[j]);
fprintf(stderr, "%02x", orig_o->v1[j]); fprintf(stderr, " o1=");
fprintf(stderr, "\n"); for (j = 0; j < 8; j++) fprintf(stderr, "%02x", orig_o->v1[j]);
fprintf(stderr, "\n");
*/ */
t = taint; t = taint;