ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-18 04:38:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

add cmplog compatability check

Browse Source
This commit is contained in:
vanhauser-thc
2021-10-31 12:29:45 +01:00
parent e2ca7a6397
commit 639d108512
4 changed files with 22 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/types.h
View File

@ -46,6 +46,7 @@ typedef uint128_t u128;
#define FS_ERROR_SHM_OPEN 4 #define FS_ERROR_SHM_OPEN 4
#define FS_ERROR_SHMAT 8 #define FS_ERROR_SHMAT 8
#define FS_ERROR_MMAP 16 #define FS_ERROR_MMAP 16
#define FS_ERROR_OLD_CMPLOG 32
/* Reporting options */ /* Reporting options */
#define FS_OPT_ENABLED 0x80000001 #define FS_OPT_ENABLED 0x80000001
@ -53,6 +54,7 @@ typedef uint128_t u128;
#define FS_OPT_SNAPSHOT 0x20000000 #define FS_OPT_SNAPSHOT 0x20000000
#define FS_OPT_AUTODICT 0x10000000 #define FS_OPT_AUTODICT 0x10000000
#define FS_OPT_SHDMEM_FUZZ 0x01000000 #define FS_OPT_SHDMEM_FUZZ 0x01000000
#define FS_OPT_NEWCMPLOG 0x02000000
#define FS_OPT_OLD_AFLPP_WORKAROUND 0x0f000000 #define FS_OPT_OLD_AFLPP_WORKAROUND 0x0f000000
// FS_OPT_MAX_MAPSIZE is 8388608 = 0x800000 = 2^23 = 1 << 22 // FS_OPT_MAX_MAPSIZE is 8388608 = 0x800000 = 2^23 = 1 << 22
#define FS_OPT_MAX_MAPSIZE ((0x00fffffeU >> 1) + 1) #define FS_OPT_MAX_MAPSIZE ((0x00fffffeU >> 1) + 1)

9
instrumentation/afl-compiler-rt.o.c
View File

@ -679,7 +679,7 @@ static void __afl_start_snapshots(void) {
/* Phone home and tell the parent that we're OK. If parent isn't there, /* Phone home and tell the parent that we're OK. If parent isn't there,
assume we're not running in forkserver mode and just execute program. */ assume we're not running in forkserver mode and just execute program. */
status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT); status |= (FS_OPT_ENABLED | FS_OPT_SNAPSHOT | FS_OPT_NEWCMPLOG);
if (__afl_sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ; if (__afl_sharedmem_fuzzing != 0) status |= FS_OPT_SHDMEM_FUZZ;
if (__afl_map_size <= FS_OPT_MAX_MAPSIZE) if (__afl_map_size <= FS_OPT_MAX_MAPSIZE)
status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE); status |= (FS_OPT_SET_MAPSIZE(__afl_map_size) | FS_OPT_MAPSIZE);
@ -945,7 +945,12 @@ static void __afl_start_forkserver(void) {
} }
if (__afl_sharedmem_fuzzing != 0) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; } if (__afl_sharedmem_fuzzing != 0) { status_for_fsrv |= FS_OPT_SHDMEM_FUZZ; }
if (status_for_fsrv) { status_for_fsrv |= (FS_OPT_ENABLED); } if (status_for_fsrv) {
status_for_fsrv |= (FS_OPT_ENABLED | FS_OPT_NEWCMPLOG);
}
memcpy(tmp, &status_for_fsrv, 4); memcpy(tmp, &status_for_fsrv, 4);
/* Phone home and tell the parent that we're OK. If parent isn't there, /* Phone home and tell the parent that we're OK. If parent isn't there,

11
src/afl-forkserver.c
View File

@ -342,6 +342,11 @@ static void report_error_and_exit(int error) {
"the fuzzing target reports that the mmap() call to the shared " "the fuzzing target reports that the mmap() call to the shared "
"memory failed."); "memory failed.");
break; break;
case FS_ERROR_OLD_CMPLOG:
FATAL(
"the -c cmplog target was instrumented with an too old afl++ "
"version, you need to recompile it.");
break;
default: default:
FATAL("unknown error code %d from fuzzing target!", error); FATAL("unknown error code %d from fuzzing target!", error);
@ -651,6 +656,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if ((status & FS_OPT_OLD_AFLPP_WORKAROUND) == FS_OPT_OLD_AFLPP_WORKAROUND) if ((status & FS_OPT_OLD_AFLPP_WORKAROUND) == FS_OPT_OLD_AFLPP_WORKAROUND)
status = (status & 0xf0ffffff); status = (status & 0xf0ffffff);
if ((status & FS_OPT_NEWCMPLOG) == 0 && fsrv->cmplog_binary) {
report_error_and_exit(FS_ERROR_OLD_CMPLOG);
}
if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) { if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) {
fsrv->snapshot = 1; fsrv->snapshot = 1;

140
src/afl-fuzz-redqueen.c
View File

@ -28,8 +28,6 @@
#include "afl-fuzz.h" #include "afl-fuzz.h"
#include "cmplog.h" #include "cmplog.h"
#define VARIANT 6
//#define _DEBUG //#define _DEBUG
//#define CMPLOG_INTROSPECTION //#define CMPLOG_INTROSPECTION
@ -1855,7 +1853,6 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
// we only learn 16 bit + // we only learn 16 bit +
if (hshape > 1) { if (hshape > 1) {
#if VARIANT == 6
if (!found_one || afl->queue_cur->is_ascii) { if (!found_one || afl->queue_cur->is_ascii) {
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
@ -1890,75 +1887,6 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
} }
#else
u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0,
result = 1 + (found_one << 2);
if (o->v0 != orig_o->v0) { same0 = 8; }
if (o->v1 != orig_o->v1) { same1 = 8; }
if (o->v0 != o->v1) { same2 = 8; }
if (orig_o->v0 != orig_o->v1) { same3 = 8; }
if (check_if_text_buf((u8 *)&o->v0, hshape) < hshape) same0 += 2;
if (check_if_text_buf((u8 *)&o->v1, hshape) < hshape) same1 += 2;
if (!same2 && !same3) {
#ifdef WORD_SIZE_64
if (unlikely(is_n)) {
if (
#if VARIANT == 1
!(!same0 && same1) &&
#endif
DICT_ADD_STRATEGY >= same0 + result) {
try_to_add_to_dictN(afl, s128_v0, hshape);
}
if (
#if VARIANT == 1
!(same0 && !same1) &&
#endif
DICT_ADD_STRATEGY >= same1 + result) {
try_to_add_to_dictN(afl, s128_v1, hshape);
}
} else
#endif
{
if (
#if VARIANT == 1
!(!same0 && same1) &&
#endif
DICT_ADD_STRATEGY >= same0 + result) {
// fprintf(stderr, "add v0 0x%llx\n", o->v0);
try_to_add_to_dict(afl, o->v0, hshape);
}
if (
#if VARIANT == 1
!(same0 && !same1) &&
#endif
DICT_ADD_STRATEGY >= same1 + result) {
// fprintf(stderr, "add v1 0x%llx\n", o->v1);
try_to_add_to_dict(afl, o->v1, hshape);
}
}
}
#endif
} }
cmp_fuzz_next_iter: cmp_fuzz_next_iter:
@ -2606,7 +2534,6 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
// if (unlikely(!afl->pass_stats[key].total)) { // if (unlikely(!afl->pass_stats[key].total)) {
#if VARIANT == 6
if ((!found_one && (lvl & LVL1)) || afl->queue_cur->is_ascii) { if ((!found_one && (lvl & LVL1)) || afl->queue_cur->is_ascii) {
// if (unlikely(!afl->pass_stats[key].total)) { // if (unlikely(!afl->pass_stats[key].total)) {
@ -2643,73 +2570,6 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
} }
#else
if (lvl & LVL1) {
u8 is_txt = 0, l0 = o->v0_len, ol0 = orig_o->v0_len, l1 = o->v1_len,
ol1 = orig_o->v1_len;
if (l0 >= 0x80 || ol0 >= 0x80) {
is_txt = 1;
l0 -= 0x80;
l1 -= 0x80;
ol0 -= 0x80;
ol1 -= 0x80;
}
if (l0 == 0 || l1 == 0 || ol0 == 0 || ol1 == 0 || l0 > 31 || l1 > 31 ||
ol0 > 31 || ol1 > 31) {
l0 = l1 = ol0 = ol1 = hshape;
}
u8 same0 = 0, same1 = 0, same2 = 0, same3 = 0,
result = 1 + (found_one << 2);
if (l0 != ol0 || memcmp(o->v0, orig_o->v0, l0) != 0) { same0 = 8; }
if (l1 != ol1 || memcmp(o->v1, orig_o->v1, l1) != 0) { same1 = 8; }
if (l0 != l1 || memcmp(o->v0, o->v1, l0) != 0) { same2 = 8; }
if (ol0 != ol1 || memcmp(orig_o->v0, orig_o->v1, l0) != 0) { same3 = 8; }
if (!is_txt && check_if_text_buf((u8 *)&o->v0, l0) < l0) { same0 += 2; }
if (!is_txt && check_if_text_buf((u8 *)&o->v1, l1) < l1) { same1 += 2; }
if (
#if VARIANT < 3
!(same0 && !same1) &&
#endif
#if VARIANT == 4
(!same2 && same3)
#else
(DICT_ADD_STRATEGY >= same0 + result)
#endif
) {
// fprintf(stderr, "add v0 [%u]\"%s\"\n", l0, o->v0);
maybe_add_auto(afl, o->v0, l0);
}
if (
#if VARIANT < 3
!(!same0 && same1) &&
#endif
#if VARIANT == 4
(same2 && !same3)
#else
(DICT_ADD_STRATEGY >= same1 + result)
#endif
) {
// fprintf(stderr, "add v1 [%u]\"%s\"\n", l1, o->v1);
maybe_add_auto(afl, o->v1, l1);
}
}
#endif
rtn_fuzz_next_iter: rtn_fuzz_next_iter:
afl->stage_cur++; afl->stage_cur++;