ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-09 08:41:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

enhanced radamsa integration

Browse Source
This commit is contained in:
van Hauser 2019-10-24 16:53:30 +02:00
parent 4183bc35b2
commit 6e5143681c
4 changed files with 95 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/afl-fuzz.h
View File

@ -159,7 +159,8 @@ enum {
/* 15 */ STAGE_HAVOC, /* 15 */ STAGE_HAVOC,
/* 16 */ STAGE_SPLICE, /* 16 */ STAGE_SPLICE,
/* 17 */ STAGE_PYTHON, /* 17 */ STAGE_PYTHON,
/* 18 */ STAGE_CUSTOM_MUTATOR /* 18 */ STAGE_RADAMSA,
/* 19 */ STAGE_CUSTOM_MUTATOR
}; };

142
src/afl-fuzz-one.c
View File

@ -483,6 +483,9 @@ u8 fuzz_one_original(char** argv) {
if (perf_score == 0) goto abandon_entry; if (perf_score == 0) goto abandon_entry;
if (use_radamsa > 1)
goto radamsa_stage;
if (custom_mutator) { if (custom_mutator) {
stage_short = "custom"; stage_short = "custom";
@ -540,22 +543,30 @@ u8 fuzz_one_original(char** argv) {
perf_score < (queue_cur->depth * 30 <= havoc_max_mult * 100 perf_score < (queue_cur->depth * 30 <= havoc_max_mult * 100
? queue_cur->depth * 30 ? queue_cur->depth * 30
: havoc_max_mult * 100)) || : havoc_max_mult * 100)) ||
queue_cur->passed_det) queue_cur->passed_det) {
if (use_radamsa > 1)
goto radamsa_stage;
else
#ifdef USE_PYTHON #ifdef USE_PYTHON
goto python_stage; goto python_stage;
#else #else
goto havoc_stage; goto havoc_stage;
#endif #endif
}
/* Skip deterministic fuzzing if exec path checksum puts this out of scope /* Skip deterministic fuzzing if exec path checksum puts this out of scope
for this master instance. */ for this master instance. */
if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) {
if (use_radamsa > 1)
goto radamsa_stage;
else
#ifdef USE_PYTHON #ifdef USE_PYTHON
goto python_stage; goto python_stage;
#else #else
goto havoc_stage; goto havoc_stage;
#endif #endif
}
doing_det = 1; doing_det = 1;
@ -1731,61 +1742,11 @@ havoc_stage:
for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
if (use_radamsa && UR(RADAMSA_CHANCE) == 0) {
u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL);
u8* new_buf = ck_alloc_nozero(max_len);
u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed());
if (new_len) {
temp_len = new_len;
ck_free(out_buf);
out_buf = new_buf;
} else {
ck_free(new_buf);
}
goto havoc_run_point;
}
u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2));
stage_cur_val = use_stacking; stage_cur_val = use_stacking;
for (i = 0; i < use_stacking; ++i) { for (i = 0; i < use_stacking; ++i) {
/*if (use_radamsa && UR(RADAMSA_CHANCE) == 0) {
// Ramdsa stage stacked with the AFL havoc mutations.
// This is very slow, I maintain the commendted code for future or
// particular uses.
u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL);
u8* new_buf = ck_alloc_nozero(max_len);
u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed());
if (new_len) {
temp_len = new_len;
ck_free(out_buf);
out_buf = new_buf;
} else {
ck_free(new_buf);
}
continue;
}*/
switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {
@ -2161,8 +2122,6 @@ havoc_stage:
} }
havoc_run_point:
if (common_fuzz_stuff(argv, out_buf, temp_len)) goto abandon_entry; if (common_fuzz_stuff(argv, out_buf, temp_len)) goto abandon_entry;
/* out_buf might have been mangled a bit, so let's restore it to its /* out_buf might have been mangled a bit, so let's restore it to its
@ -2307,10 +2266,13 @@ retry_splicing:
out_buf = ck_alloc_nozero(len); out_buf = ck_alloc_nozero(len);
memcpy(out_buf, in_buf, len); memcpy(out_buf, in_buf, len);
if (use_radamsa > 1)
goto radamsa_stage;
else
#ifdef USE_PYTHON #ifdef USE_PYTHON
goto python_stage; goto python_stage;
#else #else
goto havoc_stage; goto havoc_stage;
#endif #endif
} }
@ -2318,7 +2280,67 @@ retry_splicing:
#endif /* !IGNORE_FINDS */ #endif /* !IGNORE_FINDS */
ret_val = 0; ret_val = 0;
goto radamsa_stage;
radamsa_stage:
if (!use_radamsa)
goto abandon_entry;
stage_name = "radamsa";
stage_short = "radamsa";
stage_max = (HAVOC_CYCLES * perf_score / havoc_div / 100) << use_radamsa;
if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN;
orig_hit_cnt = queued_paths + unique_crashes;
/* Read the additional testcase into a new buffer. */
u8 *save_buf = ck_alloc_nozero(len);
memcpy(save_buf, out_buf, len);
u32 max_len = len + choose_block_len(HAVOC_BLK_XL);
u8* new_buf = ck_alloc_nozero(max_len);
u8 *tmp_buf;
for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
u32 new_len = radamsa_mutate(save_buf, len, new_buf, max_len, get_rand_seed());
if (new_len) {
temp_len = new_len;
tmp_buf = new_buf;
} else {
tmp_buf = save_buf; // nope but I dont care
temp_len = len;
}
if (common_fuzz_stuff(argv, tmp_buf, temp_len)) {
ck_free(save_buf);
ck_free(new_buf);
goto abandon_entry;
}
}
ck_free(save_buf);
ck_free(new_buf);
new_hit_cnt = queued_paths + unique_crashes;
stage_finds[STAGE_RADAMSA] += new_hit_cnt - orig_hit_cnt;
stage_cycles[STAGE_RADAMSA] += stage_max;
ret_val = 0;
goto abandon_entry;
/* we are through with this queue entry - for this iteration */
abandon_entry: abandon_entry:
splicing_with = -1; splicing_with = -1;

5
src/afl-fuzz-stats.c
View File

@ -576,10 +576,11 @@ void show_stats(void) {
" imported : " cRST "%-10s" bSTG bV "\n", " imported : " cRST "%-10s" bSTG bV "\n",
tmp, sync_id ? DI(queued_imported) : (u8*)"n/a"); tmp, sync_id ? DI(queued_imported) : (u8*)"n/a");
sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]), sprintf(tmp, "%s/%s, %s/%s, %s/%s, %s/%s, %s/%s", DI(stage_finds[STAGE_HAVOC]),
DI(stage_cycles[STAGE_HAVOC]), DI(stage_finds[STAGE_SPLICE]), DI(stage_cycles[STAGE_HAVOC]), DI(stage_finds[STAGE_SPLICE]),
DI(stage_cycles[STAGE_SPLICE]), DI(stage_finds[STAGE_PYTHON]), DI(stage_cycles[STAGE_SPLICE]), DI(stage_finds[STAGE_PYTHON]),
DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]), DI(stage_cycles[STAGE_PYTHON]), DI(stage_finds[STAGE_RADAMSA]),
DI(stage_cycles[STAGE_RADAMSA]), DI(stage_finds[STAGE_CUSTOM_MUTATOR]),
DI(stage_cycles[STAGE_CUSTOM_MUTATOR])); DI(stage_cycles[STAGE_CUSTOM_MUTATOR]));
SAYF(bV bSTOP "havoc/custom : " cRST "%-36s " bSTG bV bSTOP, tmp); SAYF(bV bSTOP "havoc/custom : " cRST "%-36s " bSTG bV bSTOP, tmp);

11
src/afl-fuzz.c
View File

@ -55,7 +55,10 @@ static void usage(u8* argv0) {
" -m megs - memory limit for child process (%d MB)\n" " -m megs - memory limit for child process (%d MB)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n" " -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n" " -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine mode)\n" " -W - use qemu-based instrumentation with Wine (Wine mode)\n\n"
"Mutator settings:\n"
" -R[R] - add Radamsa as mutator, add another -R to exclusivly run it\n"
" -L minutes - use MOpt(imize) mode and set the limit time for " " -L minutes - use MOpt(imize) mode and set the limit time for "
"entering the\n" "entering the\n"
" pacemaker mode (minutes of no new paths, 0 = " " pacemaker mode (minutes of no new paths, 0 = "
@ -514,8 +517,10 @@ int main(int argc, char** argv) {
case 'R': case 'R':
if (use_radamsa) FATAL("Multiple -R options not supported"); if (use_radamsa)
use_radamsa = 1; use_radamsa = 2;
else
use_radamsa = 1;
break; break;