ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 19:08:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

code format

Browse Source
This commit is contained in:
Dominik Maier
2020-10-06 15:38:36 +02:00
parent a4b60ca5b6
commit 74dc227c44
5 changed files with 48 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
include/afl-fuzz.h
View File

@ -669,7 +669,8 @@ typedef struct afl_state {
/* How many queue entries currently have cached testcases */ /* How many queue entries currently have cached testcases */
u32 q_testcase_cache_count; u32 q_testcase_cache_count;
/* Refs to each queue entry with cached testcase (for eviction, if cache_count is too large) */ /* Refs to each queue entry with cached testcase (for eviction, if cache_count
* is too large) */
struct queue_entry *q_testcase_cache[TESTCASE_CACHE_SIZE]; struct queue_entry *q_testcase_cache[TESTCASE_CACHE_SIZE];
} afl_state_t; } afl_state_t;

3
include/config.h
View File

@ -300,7 +300,8 @@ Decrease if RAM usage is high. */
#define TESTCASE_CACHE_SIZE 2048 #define TESTCASE_CACHE_SIZE 2048
#if TESTCASE_CACHE_SIZE < 4 #if TESTCASE_CACHE_SIZE < 4
#error "Dangerously low cache size: Set TESTCASE_CACHE_SIZE to 4 or more in config.h! #error \
"Dangerously low cache size: Set TESTCASE_CACHE_SIZE to 4 or more in config.h!
#endif #endif
/* Maximum line length passed from GCC to 'as' and used for parsing /* Maximum line length passed from GCC to 'as' and used for parsing

22
src/afl-fuzz-one.c
View File

@ -1710,8 +1710,10 @@ custom_mutator_stage:
target_len, max_seed_size); target_len, max_seed_size);
if (new_buf) { if (new_buf) {
queue_testcase_release(afl, target); queue_testcase_release(afl, target);
new_buf = NULL; new_buf = NULL;
} }
if (unlikely(!mutated_buf)) { if (unlikely(!mutated_buf)) {
@ -2302,7 +2304,9 @@ havoc_stage:
u32 tid; u32 tid;
do { do {
tid = rand_below(afl, afl->queued_paths); tid = rand_below(afl, afl->queued_paths);
} while (tid == afl->current_entry); } while (tid == afl->current_entry);
struct queue_entry *target = afl->queue_buf[tid]; struct queue_entry *target = afl->queue_buf[tid];
@ -2310,12 +2314,13 @@ havoc_stage:
/* Make sure that the target has a reasonable length. */ /* Make sure that the target has a reasonable length. */
while (target && (target->len < 2 || target == afl->queue_cur)) { while (target && (target->len < 2 || target == afl->queue_cur)) {
target = target->next; target = target->next;
} }
if (!target) { break; } if (!target) { break; }
u32 new_len = target->len; u32 new_len = target->len;
/* Get the testcase contents for splicing. */ /* Get the testcase contents for splicing. */
@ -2323,16 +2328,21 @@ havoc_stage:
u8 overwrite = 0; u8 overwrite = 0;
if (temp_len >= 2 && rand_below(afl, 2)) { if (temp_len >= 2 && rand_below(afl, 2)) {
overwrite = 1; overwrite = 1;
}
else if (temp_len + HAVOC_BLK_XL >= MAX_FILE) { } else if (temp_len + HAVOC_BLK_XL >= MAX_FILE) {
if (temp_len >= 2) { if (temp_len >= 2) {
overwrite = 1; overwrite = 1;
} else { } else {
queue_testcase_release(afl, target); queue_testcase_release(afl, target);
new_buf = NULL; new_buf = NULL;
break; break;
} }
} }
@ -2497,7 +2507,8 @@ retry_splicing:
the last differing byte. Bail out if the difference is just a single the last differing byte. Bail out if the difference is just a single
byte or so. */ byte or so. */
locate_diffs(in_buf, splice_buf, MIN(len, (s64)target->len), &f_diff, &l_diff); locate_diffs(in_buf, splice_buf, MIN(len, (s64)target->len), &f_diff,
&l_diff);
if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { goto retry_splicing; } if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { goto retry_splicing; }
@ -4503,7 +4514,8 @@ pacemaker_fuzzing:
len = target->len; len = target->len;
memcpy(new_buf, in_buf, split_at); memcpy(new_buf, in_buf, split_at);
memcpy(new_buf + split_at, splicing_buf + split_at, target->len - split_at); memcpy(new_buf + split_at, splicing_buf + split_at,
target->len - split_at);
afl_swap_bufs(AFL_BUF_PARAM(in), AFL_BUF_PARAM(in_scratch)); afl_swap_bufs(AFL_BUF_PARAM(in), AFL_BUF_PARAM(in_scratch));
in_buf = new_buf; in_buf = new_buf;
out_buf = afl_realloc(AFL_BUF_PARAM(out), len); out_buf = afl_realloc(AFL_BUF_PARAM(out), len);

28
src/afl-fuzz-queue.c
View File

@ -770,19 +770,28 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
/* Tell afl that this testcase may be evicted from the cache */ /* Tell afl that this testcase may be evicted from the cache */
inline void queue_testcase_release(afl_state_t *afl, struct queue_entry *q) { inline void queue_testcase_release(afl_state_t *afl, struct queue_entry *q) {
(void)afl; (void)afl;
q->testcase_refs--; q->testcase_refs--;
if (unlikely(q->testcase_refs < 0)) { FATAL("Testcase refcount smaller than 0"); } if (unlikely(q->testcase_refs < 0)) {
FATAL("Testcase refcount smaller than 0");
}
} }
/* Returns the testcase buf from the file behind this queue entry. /* Returns the testcase buf from the file behind this queue entry.
Increases the refcount. */ Increases the refcount. */
u8 *queue_testcase_take(afl_state_t *afl, struct queue_entry *q) { u8 *queue_testcase_take(afl_state_t *afl, struct queue_entry *q) {
if (!q->testcase_buf) { if (!q->testcase_buf) {
u32 tid = 0; u32 tid = 0;
/* Buf not cached, let's do that now */ /* Buf not cached, let's do that now */
if (likely(afl->q_testcase_cache_count == TESTCASE_CACHE_SIZE)) { if (likely(afl->q_testcase_cache_count == TESTCASE_CACHE_SIZE)) {
/* Cache full. We neet to evict one to map one. /* Cache full. We neet to evict one to map one.
Get a random one which is not in use */ Get a random one which is not in use */
do { do {
@ -797,19 +806,17 @@ u8 *queue_testcase_take(afl_state_t *afl, struct queue_entry *q) {
old_cached->testcase_buf = NULL; old_cached->testcase_buf = NULL;
} else { } else {
tid = afl->q_testcase_cache_count; tid = afl->q_testcase_cache_count;
afl->q_testcase_cache_count++; afl->q_testcase_cache_count++;
} }
/* Map the test case into memory. */ /* Map the test case into memory. */
int fd = open(q->fname, O_RDONLY); int fd = open(q->fname, O_RDONLY);
if (unlikely(fd < 0)) { if (unlikely(fd < 0)) { PFATAL("Unable to open '%s'", q->fname); }
PFATAL("Unable to open '%s'", q->fname);
}
u32 len = q->len; u32 len = q->len;
@ -827,8 +834,15 @@ u8 *queue_testcase_take(afl_state_t *afl, struct queue_entry *q) {
afl->q_testcase_cache[tid] = q; afl->q_testcase_cache[tid] = q;
} }
q->testcase_refs++; q->testcase_refs++;
if (!q->testcase_buf) { FATAL("Testcase buf is NULL, this should never happen"); } if (!q->testcase_buf) {
FATAL("Testcase buf is NULL, this should never happen");
}
return q->testcase_buf; return q->testcase_buf;
} }

2
src/afl-fuzz.c
View File

@ -1153,7 +1153,9 @@ int main(int argc, char **argv_orig, char **envp) {
if (extras_dir_cnt) { if (extras_dir_cnt) {
for (i = 0; i < extras_dir_cnt; i++) { for (i = 0; i < extras_dir_cnt; i++) {
load_extras(afl, extras_dir[i]); load_extras(afl, extras_dir[i]);
} }
dedup_extras(afl); dedup_extras(afl);