ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

remove radamsa, add radamsa custom mutator

Browse Source
This commit is contained in:
van Hauser
2020-06-25 16:51:29 +02:00
parent 4a3305c007
commit 8178f4dfdd
23 changed files with 62480 additions and 31205 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
GNUmakefile
View File

@ -282,8 +282,8 @@ help:
@echo "HELP --- the following make targets exist:" @echo "HELP --- the following make targets exist:"
@echo "==========================================" @echo "=========================================="
@echo "all: just the main afl++ binaries" @echo "all: just the main afl++ binaries"
@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa" @echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap"
@echo "source-only: everything for source code fuzzing: llvm_mode, gcc_plugin, libdislocator, libtokencap, radamsa" @echo "source-only: everything for source code fuzzing: llvm_mode, gcc_plugin, libdislocator, libtokencap"
@echo "distrib: everything (for both binary-only and source code fuzzing)" @echo "distrib: everything (for both binary-only and source code fuzzing)"
@echo "man: creates simple man pages from the help option of the programs" @echo "man: creates simple man pages from the help option of the programs"
@echo "install: installs everything you have compiled with the build option above" @echo "install: installs everything you have compiled with the build option above"
@ -376,12 +376,6 @@ src/afl-forkserver.o : $(COMM_HDR) src/afl-forkserver.c include/forkserver.h
src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-sharedmem.c -o src/afl-sharedmem.o $(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
radamsa: src/third_party/libradamsa/libradamsa.so
cp src/third_party/libradamsa/libradamsa.so .
src/third_party/libradamsa/libradamsa.so: src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
$(MAKE) -C src/third_party/libradamsa/ CFLAGS="$(CFLAGS)"
afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86 afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS)
@ -462,6 +456,8 @@ code-format:
./.custom-format.py -i gcc_plugin/*.c ./.custom-format.py -i gcc_plugin/*.c
#./.custom-format.py -i gcc_plugin/*.h #./.custom-format.py -i gcc_plugin/*.h
./.custom-format.py -i gcc_plugin/*.cc ./.custom-format.py -i gcc_plugin/*.cc
./.custom-format.py -i custom_mutators/*/*.c
./.custom-format.py -i custom_mutators/*/*.h
./.custom-format.py -i examples/*/*.c ./.custom-format.py -i examples/*/*.c
./.custom-format.py -i examples/*/*.h ./.custom-format.py -i examples/*/*.h
./.custom-format.py -i test/*.c ./.custom-format.py -i test/*.c
@ -514,7 +510,6 @@ clean:
$(MAKE) -C examples/argv_fuzzing clean $(MAKE) -C examples/argv_fuzzing clean
$(MAKE) -C qemu_mode/unsigaction clean $(MAKE) -C qemu_mode/unsigaction clean
$(MAKE) -C qemu_mode/libcompcov clean $(MAKE) -C qemu_mode/libcompcov clean
$(MAKE) -C src/third_party/libradamsa/ clean
rm -rf qemu_mode/qemu-3.1.1 rm -rf qemu_mode/qemu-3.1.1
ifeq "$(IN_REPO)" "1" ifeq "$(IN_REPO)" "1"
test -d unicorn_mode/unicornafl && $(MAKE) -C unicorn_mode/unicornafl clean || true test -d unicorn_mode/unicornafl && $(MAKE) -C unicorn_mode/unicornafl clean || true
@ -528,7 +523,7 @@ deepclean: clean
rm -rf unicorn_mode/unicornafl rm -rf unicorn_mode/unicornafl
git reset --hard >/dev/null 2>&1 || true git reset --hard >/dev/null 2>&1 || true
distrib: all radamsa distrib: all
-$(MAKE) -C llvm_mode -$(MAKE) -C llvm_mode
-$(MAKE) -C gcc_plugin -$(MAKE) -C gcc_plugin
$(MAKE) -C libdislocator $(MAKE) -C libdislocator
@ -539,7 +534,7 @@ distrib: all radamsa
-cd qemu_mode && sh ./build_qemu_support.sh -cd qemu_mode && sh ./build_qemu_support.sh
cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
binary-only: all radamsa binary-only: all
$(MAKE) -C libdislocator $(MAKE) -C libdislocator
$(MAKE) -C libtokencap $(MAKE) -C libtokencap
$(MAKE) -C examples/afl_network_proxy $(MAKE) -C examples/afl_network_proxy
@ -548,7 +543,7 @@ binary-only: all radamsa
-cd qemu_mode && sh ./build_qemu_support.sh -cd qemu_mode && sh ./build_qemu_support.sh
cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
source-only: all radamsa source-only: all
-$(MAKE) -C llvm_mode -$(MAKE) -C llvm_mode
-$(MAKE) -C gcc_plugin -$(MAKE) -C gcc_plugin
$(MAKE) -C libdislocator $(MAKE) -C libdislocator
@ -587,7 +582,6 @@ install: all $(MANPAGES)
if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
if [ -f libradamsa.so ]; then set -e; install -m 755 libradamsa.so $${DESTDIR}$(HELPER_PATH); fi
if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C examples/socket_fuzzing install; fi if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C examples/socket_fuzzing install; fi
if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C examples/argv_fuzzing install; fi if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C examples/argv_fuzzing install; fi

6
README.md
View File

@ -54,7 +54,7 @@
* Win32 PE binary-only fuzzing with QEMU and Wine * Win32 PE binary-only fuzzing with QEMU and Wine
* Radamsa mutator (enable with `-R` to add or `-RR` to run it exclusively). * Radamsa mutator (as a custom mutator).
* QBDI mode to fuzz android native libraries via QBDI framework * QBDI mode to fuzz android native libraries via QBDI framework
@ -167,8 +167,8 @@ is what you should choose.
These build targets exist: These build targets exist:
* all: just the main afl++ binaries * all: just the main afl++ binaries
* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa * binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap
* source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap, radamsa * source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap
* distrib: everything (for both binary-only and source code fuzzing) * distrib: everything (for both binary-only and source code fuzzing)
* man: creates simple man pages from the help option of the programs * man: creates simple man pages from the help option of the programs
* install: installs everything you have compiled with the build options above * install: installs everything you have compiled with the build options above

12
custom_mutators/README.md Normal file
View File

@ -0,0 +1,12 @@
# production ready custom mutators
This directory holds ready to use custom mutators.
Just type "make" in the individual subdirectories.
Use with e.g.
`AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/radamsa/radamsa-mutator.so afl-fuzz ....`
and add `AFL_CUSTOM_MUTATOR_ONLY=1` if you only want to use the custom mutator.
Multiple custom mutators can be used by seperating their paths with `:` in the environment variable.

14
src/third_party/libradamsa/GNUmakefile → custom_mutators/radamsa/GNUmakefile
View File

@ -1,15 +1,15 @@
CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
all: libradamsa.so all: radamsa-mutator.so
# These can be overriden: # These can be overriden:
CFLAGS ?= -march=native $(CFLAGS_FLTO) CFLAGS ?= $(CFLAGS_FLTO)
# These are required: (otherwise radamsa gets very very slooooow) # These are required: (otherwise radamsa gets very very slooooow)
CFLAGS += -O3 -funroll-loops CFLAGS += -O3 -funroll-loops
libradamsa.so: libradamsa.a #libradamsa.so: libradamsa.a
$(CC) $(CFLAGS) -shared libradamsa.a -o libradamsa.so # $(CC) $(CFLAGS) -shared libradamsa.a -o libradamsa.so
libradamsa.a: libradamsa.c radamsa.h libradamsa.a: libradamsa.c radamsa.h
@echo " ***************************************************************" @echo " ***************************************************************"
@ -17,10 +17,14 @@ libradamsa.a: libradamsa.c radamsa.h
@echo " ***************************************************************" @echo " ***************************************************************"
$(CC) -fPIC $(CFLAGS) -I $(CUR_DIR) -o libradamsa.a -c libradamsa.c $(CC) -fPIC $(CFLAGS) -I $(CUR_DIR) -o libradamsa.a -c libradamsa.c
radamsa-mutator.so: radamsa-mutator.c libradamsa.a
$(CC) $(CFLAGS) -g -I. -I../../include -shared -fPIC -c radamsa-mutator.c
$(CC) $(CFLAGS) -shared -fPIC -o radamsa-mutator.so radamsa-mutator.o libradamsa.a
test: libradamsa.a libradamsa-test.c test: libradamsa.a libradamsa-test.c
$(CC) $(CFLAGS) -I $(CUR_DIR) -o libradamsa-test libradamsa-test.c libradamsa.a $(CC) $(CFLAGS) -I $(CUR_DIR) -o libradamsa-test libradamsa-test.c libradamsa.a
./libradamsa-test libradamsa-test.c | grep "library test passed" ./libradamsa-test libradamsa-test.c | grep "library test passed"
rm /tmp/libradamsa-*.fuzz rm /tmp/libradamsa-*.fuzz
clean: clean:
rm -f libradamsa.a libradamsa.so libradamsa-test rm -f radamsa-mutator.so libradamsa.a libradamsa-test *.o *~ core

0
src/third_party/libradamsa/LICENSE → custom_mutators/radamsa/LICENSE
View File

2
src/third_party/libradamsa/README.md → custom_mutators/radamsa/README.md
View File

@ -1,4 +1,4 @@
# libradamsa # custum mutator: libradamsa
Pretranslated radamsa library. This code belongs to the radamsa author. Pretranslated radamsa library. This code belongs to the radamsa author.

342
custom_mutators/radamsa/custom_mutator_helpers.h Normal file
View File

@ -0,0 +1,342 @@
#ifndef CUSTOM_MUTATOR_HELPERS
#define CUSTOM_MUTATOR_HELPERS
#include "config.h"
#include "types.h"
#include <stdlib.h>
#define INITIAL_GROWTH_SIZE (64)
#define RAND_BELOW(limit) (rand() % (limit))
/* Use in a struct: creates a name_buf and a name_size variable. */
#define BUF_VAR(type, name) \
type * name##_buf; \
size_t name##_size;
/* this filles in `&structptr->something_buf, &structptr->something_size`. */
#define BUF_PARAMS(struct, name) \
(void **)&struct->name##_buf, &struct->name##_size
typedef struct {
} afl_t;
static void surgical_havoc_mutate(u8 *out_buf, s32 begin, s32 end) {
static s8 interesting_8[] = {INTERESTING_8};
static s16 interesting_16[] = {INTERESTING_8, INTERESTING_16};
static s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32};
switch (RAND_BELOW(12)) {
case 0: {
/* Flip a single bit somewhere. Spooky! */
s32 bit_idx = ((RAND_BELOW(end - begin) + begin) << 3) + RAND_BELOW(8);
out_buf[bit_idx >> 3] ^= 128 >> (bit_idx & 7);
break;
}
case 1: {
/* Set byte to interesting value. */
u8 val = interesting_8[RAND_BELOW(sizeof(interesting_8))];
out_buf[(RAND_BELOW(end - begin) + begin)] = val;
break;
}
case 2: {
/* Set word to interesting value, randomly choosing endian. */
if (end - begin < 2) break;
s32 byte_idx = (RAND_BELOW(end - begin) + begin);
if (byte_idx >= end - 1) break;
switch (RAND_BELOW(2)) {
case 0:
*(u16 *)(out_buf + byte_idx) =
interesting_16[RAND_BELOW(sizeof(interesting_16) >> 1)];
break;
case 1:
*(u16 *)(out_buf + byte_idx) =
SWAP16(interesting_16[RAND_BELOW(sizeof(interesting_16) >> 1)]);
break;
}
break;
}
case 3: {
/* Set dword to interesting value, randomly choosing endian. */
if (end - begin < 4) break;
s32 byte_idx = (RAND_BELOW(end - begin) + begin);
if (byte_idx >= end - 3) break;
switch (RAND_BELOW(2)) {
case 0:
*(u32 *)(out_buf + byte_idx) =
interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)];
break;
case 1:
*(u32 *)(out_buf + byte_idx) =
SWAP32(interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)]);
break;
}
break;
}
case 4: {
/* Set qword to interesting value, randomly choosing endian. */
if (end - begin < 8) break;
s32 byte_idx = (RAND_BELOW(end - begin) + begin);
if (byte_idx >= end - 7) break;
switch (RAND_BELOW(2)) {
case 0:
*(u64 *)(out_buf + byte_idx) =
(s64)interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)];
break;
case 1:
*(u64 *)(out_buf + byte_idx) = SWAP64(
(s64)interesting_32[RAND_BELOW(sizeof(interesting_32) >> 2)]);
break;
}
break;
}
case 5: {
/* Randomly subtract from byte. */
out_buf[(RAND_BELOW(end - begin) + begin)] -= 1 + RAND_BELOW(ARITH_MAX);
break;
}
case 6: {
/* Randomly add to byte. */
out_buf[(RAND_BELOW(end - begin) + begin)] += 1 + RAND_BELOW(ARITH_MAX);
break;
}
case 7: {
/* Randomly subtract from word, random endian. */
if (end - begin < 2) break;
s32 byte_idx = (RAND_BELOW(end - begin) + begin);
if (byte_idx >= end - 1) break;
if (RAND_BELOW(2)) {
*(u16 *)(out_buf + byte_idx) -= 1 + RAND_BELOW(ARITH_MAX);
} else {
u16 num = 1 + RAND_BELOW(ARITH_MAX);
*(u16 *)(out_buf + byte_idx) =
SWAP16(SWAP16(*(u16 *)(out_buf + byte_idx)) - num);
}
break;
}
case 8: {
/* Randomly add to word, random endian. */
if (end - begin < 2) break;
s32 byte_idx = (RAND_BELOW(end - begin) + begin);
if (byte_idx >= end - 1) break;
if (RAND_BELOW(2)) {
*(u16 *)(out_buf + byte_idx) += 1 + RAND_BELOW(ARITH_MAX);
} else {
u16 num = 1 + RAND_BELOW(ARITH_MAX);
*(u16 *)(out_buf + byte_idx) =
SWAP16(SWAP16(*(u16 *)(out_buf + byte_idx)) + num);
}
break;
}
case 9: {
/* Randomly subtract from dword, random endian. */
if (end - begin < 4) break;
s32 byte_idx = (RAND_BELOW(end - begin) + begin);
if (byte_idx >= end - 3) break;
if (RAND_BELOW(2)) {
*(u32 *)(out_buf + byte_idx) -= 1 + RAND_BELOW(ARITH_MAX);
} else {
u32 num = 1 + RAND_BELOW(ARITH_MAX);
*(u32 *)(out_buf + byte_idx) =
SWAP32(SWAP32(*(u32 *)(out_buf + byte_idx)) - num);
}
break;
}
case 10: {
/* Randomly add to dword, random endian. */
if (end - begin < 4) break;
s32 byte_idx = (RAND_BELOW(end - begin) + begin);
if (byte_idx >= end - 3) break;
if (RAND_BELOW(2)) {
*(u32 *)(out_buf + byte_idx) += 1 + RAND_BELOW(ARITH_MAX);
} else {
u32 num = 1 + RAND_BELOW(ARITH_MAX);
*(u32 *)(out_buf + byte_idx) =
SWAP32(SWAP32(*(u32 *)(out_buf + byte_idx)) + num);
}
break;
}
case 11: {
/* Just set a random byte to a random value. Because,
why not. We use XOR with 1-255 to eliminate the
possibility of a no-op. */
out_buf[(RAND_BELOW(end - begin) + begin)] ^= 1 + RAND_BELOW(255);
break;
}
}
}
/* This function calculates the next power of 2 greater or equal its argument.
@return The rounded up power of 2 (if no overflow) or 0 on overflow.
*/
static inline size_t next_pow2(size_t in) {
if (in == 0 || in > (size_t)-1)
return 0; /* avoid undefined behaviour under-/overflow */
size_t out = in - 1;
out |= out >> 1;
out |= out >> 2;
out |= out >> 4;
out |= out >> 8;
out |= out >> 16;
return out + 1;
}
/* This function makes sure *size is > size_needed after call.
It will realloc *buf otherwise.
*size will grow exponentially as per:
https://blog.mozilla.org/nnethercote/2014/11/04/please-grow-your-buffers-exponentially/
Will return NULL and free *buf if size_needed is <1 or realloc failed.
@return For convenience, this function returns *buf.
*/
static inline void *maybe_grow(void **buf, size_t *size, size_t size_needed) {
/* No need to realloc */
if (likely(size_needed && *size >= size_needed)) return *buf;
/* No initial size was set */
if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE;
/* grow exponentially */
size_t next_size = next_pow2(size_needed);
/* handle overflow */
if (!next_size) { next_size = size_needed; }
/* alloc */
*buf = realloc(*buf, next_size);
*size = *buf ? next_size : 0;
return *buf;
}
/* Swaps buf1 ptr and buf2 ptr, as well as their sizes */
static inline void swap_bufs(void **buf1, size_t *size1, void **buf2,
size_t *size2) {
void * scratch_buf = *buf1;
size_t scratch_size = *size1;
*buf1 = *buf2;
*size1 = *size2;
*buf2 = scratch_buf;
*size2 = scratch_size;
}
#undef INITIAL_GROWTH_SIZE
#endif

81
custom_mutators/radamsa/libradamsa-test.c Normal file
View File

@ -0,0 +1,81 @@
#include <radamsa.h>
#include <stdio.h>
#include <inttypes.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
size_t filesize(char *filename) {
struct stat st;
stat(filename, &st);
return st.st_size;
}
#define BUFSIZE 1024 * 1024
void fail(char *why) {
printf("fail: %s\n", why);
exit(1);
}
void write_output(char *data, size_t len, int num) {
char path[32];
int fd;
int wrote;
sprintf(path, "/tmp/libradamsa-%d.fuzz", num);
fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
printf("Opened %s -> %d\n", path, fd);
if (fd < 0) { fail("failed to open output file"); }
wrote = write(fd, data, len);
printf("wrote %d of %zu bytes\n", wrote, len);
if (wrote != len) { fail("failed to write all of output at once"); }
close(fd);
printf("Wrote %zu bytes to %s\n", len, path);
}
int main(int nargs, char **argv) {
char * spath = argv[1];
int fd = open(spath, O_RDONLY, 0);
size_t len;
char * input;
char * output;
int seed = 0;
if (fd < 0) { fail("cannot open input file"); }
len = filesize(spath);
input = malloc(len);
output = malloc(BUFSIZE);
if (!input || !output) { fail("failed to allocate buffers\n"); }
radamsa_init();
if (len != read(fd, input, len)) {
fail("failed to read the entire sample at once");
}
while (seed++ < 100) {
size_t n;
n = radamsa((uint8_t *)input, len, (uint8_t *)output, BUFSIZE, seed);
write_output(output, n, seed);
printf("Fuzzed %zu -> %zu bytes\n", len, n);
}
printf("library test passed\n");
free(output);
free(input);
return 0;
}

61880
custom_mutators/radamsa/libradamsa.c Normal file
View File

File diff suppressed because it is too large Load Diff

70
custom_mutators/radamsa/radamsa-mutator.c Normal file
View File

@ -0,0 +1,70 @@
// This simple example just creates random buffer <= 100 filled with 'A'
// needs -I /path/to/AFLplusplus/include
//#include "custom_mutator_helpers.h"
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "radamsa.h"
#include "custom_mutator_helpers.h"
typedef struct my_mutator {
afl_t *afl;
u8 *mutator_buf;
unsigned int seed;
} my_mutator_t;
my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
srand(seed);
my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
if (!data) {
perror("afl_custom_init alloc");
return NULL;
}
if ((data->mutator_buf = malloc(MAX_FILE)) == NULL) {
perror("mutator_buf alloc");
return NULL;
}
data->afl = afl;
data->seed = seed;
radamsa_init();
return data;
}
size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
u8 **out_buf, uint8_t *add_buf, size_t add_buf_size,
size_t max_size) {
*out_buf = data->mutator_buf;
return radamsa(buf, buf_size, data->mutator_buf, max_size, data->seed++);
}
/**
* Deinitialize everything
*
* @param data The data ptr from afl_custom_init
*/
void afl_custom_deinit(my_mutator_t *data) {
free(data->mutator_buf);
free(data);
}

10
custom_mutators/radamsa/radamsa.h Normal file
View File

@ -0,0 +1,10 @@
#include <inttypes.h>
#include <stddef.h>
void radamsa_init(void);
size_t radamsa(uint8_t *ptr, size_t len, uint8_t *target, size_t max,
unsigned int seed);
size_t radamsa_inplace(uint8_t *ptr, size_t len, size_t max, unsigned int seed);

4
docs/Changelog.md
View File

@ -47,7 +47,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- Unicornafl - Unicornafl
- Added powerPC support from unicorn/next - Added powerPC support from unicorn/next
- rust bindings! - rust bindings!
- Allow running in /tmp (only unsafe with umask 0) - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
compiled by default anymore.
- allow running in /tmp (only unsafe with umask 0)
- persistent mode shared memory testcase handover (instead of via - persistent mode shared memory testcase handover (instead of via
files/stdin) - 10-100% performance increase files/stdin) - 10-100% performance increase
- General support for 64 bit PowerPC, RiscV, Sparc etc. - General support for 64 bit PowerPC, RiscV, Sparc etc.

9
docs/README.radamsa.md
View File

@ -1,9 +0,0 @@
# libradamsa
Pretranslated radamsa library. This code belongs to the radamsa author.
> Original repository: https://gitlab.com/akihe/radamsa
> Source commit: 7b2cc2d0
> The code here is adapted for AFL++ with minor changes respect the original version

12
include/afl-fuzz.h
View File

@ -188,10 +188,11 @@ enum {
/* 15 */ STAGE_HAVOC, /* 15 */ STAGE_HAVOC,
/* 16 */ STAGE_SPLICE, /* 16 */ STAGE_SPLICE,
/* 17 */ STAGE_PYTHON, /* 17 */ STAGE_PYTHON,
/* 18 */ STAGE_RADAMSA, /* 18 */ STAGE_CUSTOM_MUTATOR,
/* 19 */ STAGE_CUSTOM_MUTATOR, /* 19 */ STAGE_COLORIZATION,
/* 20 */ STAGE_COLORIZATION, /* 20 */ STAGE_ITS,
/* 21 */ STAGE_ITS,
STAGE_NUM_MAX
}; };
@ -427,9 +428,6 @@ typedef struct afl_state {
u8 schedule; /* Power schedule (default: EXPLORE)*/ u8 schedule; /* Power schedule (default: EXPLORE)*/
u8 havoc_max_mult; u8 havoc_max_mult;
u8 use_radamsa;
size_t (*radamsa_mutate_ptr)(u8 *, size_t, u8 *, size_t, u32);
u8 skip_deterministic, /* Skip deterministic stages? */ u8 skip_deterministic, /* Skip deterministic stages? */
use_splicing, /* Recombine input files? */ use_splicing, /* Recombine input files? */
non_instrumented_mode, /* Run in non-instrumented mode? */ non_instrumented_mode, /* Run in non-instrumented mode? */

4
src/afl-fuzz-mutators.c
View File

@ -44,7 +44,7 @@ void setup_custom_mutators(afl_state_t *afl) {
FATAL( FATAL(
"MOpt and custom mutator are mutually exclusive. We accept pull " "MOpt and custom mutator are mutually exclusive. We accept pull "
"requests that integrates MOpt with the optional mutators " "requests that integrates MOpt with the optional mutators "
"(custom/radamsa/redqueen/...)."); "(custom/redqueen/...).");
u8 *fn_token = (u8 *)strsep((char **)&fn, ";:,"); u8 *fn_token = (u8 *)strsep((char **)&fn, ";:,");
@ -89,7 +89,7 @@ void setup_custom_mutators(afl_state_t *afl) {
FATAL( FATAL(
"MOpt and Python mutator are mutually exclusive. We accept pull " "MOpt and Python mutator are mutually exclusive. We accept pull "
"requests that integrates MOpt with the optional mutators " "requests that integrates MOpt with the optional mutators "
"(custom/radamsa/redqueen/...)."); "(custom/redqueen/...).");
} }

62
src/afl-fuzz-one.c
View File

@ -554,8 +554,6 @@ u8 fuzz_one_original(afl_state_t *afl) {
if (unlikely(perf_score == 0)) { goto abandon_entry; } if (unlikely(perf_score == 0)) { goto abandon_entry; }
if (unlikely(afl->use_radamsa > 1)) { goto radamsa_stage; }
if (afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized) { if (afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized) {
if (input_to_state_stage(afl, in_buf, out_buf, len, if (input_to_state_stage(afl, in_buf, out_buf, len,
@ -1685,6 +1683,7 @@ custom_mutator_stage:
retry_external_pick: retry_external_pick:
/* Pick a random other queue entry for passing to external API */ /* Pick a random other queue entry for passing to external API */
do { do {
tid = rand_below(afl, afl->queued_paths); tid = rand_below(afl, afl->queued_paths);
@ -1709,7 +1708,7 @@ custom_mutator_stage:
/* Make sure that the target has a reasonable length. */ /* Make sure that the target has a reasonable length. */
while (target && (target->len < 2 || target == afl->queue_cur) && while (target && (target->len < 2 || target == afl->queue_cur) &&
afl->queued_paths > 1) { afl->queued_paths > 3) {
target = target->next; target = target->next;
++afl->splicing_with; ++afl->splicing_with;
@ -2426,63 +2425,6 @@ retry_splicing:
#endif /* !IGNORE_FINDS */ #endif /* !IGNORE_FINDS */
ret_val = 0; ret_val = 0;
goto radamsa_stage;
radamsa_stage:
if (likely(!afl->use_radamsa || !afl->radamsa_mutate_ptr)) {
goto abandon_entry;
}
afl->stage_name = "radamsa";
afl->stage_short = "radamsa";
afl->stage_max = (HAVOC_CYCLES * perf_score / afl->havoc_div / 100)
<< afl->use_radamsa;
if (afl->stage_max < HAVOC_MIN) { afl->stage_max = HAVOC_MIN; }
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
/* Read the additional testcase.
We'll reuse in_scratch, as it is free at this point.
*/
u8 *save_buf = ck_maybe_grow(BUF_PARAMS(in_scratch), len);
memcpy(save_buf, out_buf, len);
u32 max_len = len + choose_block_len(afl, HAVOC_BLK_XL);
u8 *new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), max_len);
u8 *tmp_buf;
for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
u32 new_len = afl->radamsa_mutate_ptr(save_buf, len, new_buf, max_len,
rand_get_seed(afl));
if (new_len) {
temp_len = new_len;
tmp_buf = new_buf;
} else {
tmp_buf = save_buf; // nope but I dont care
temp_len = len;
}
if (common_fuzz_stuff(afl, tmp_buf, temp_len)) { goto abandon_entry; }
}
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
afl->stage_finds[STAGE_RADAMSA] += new_hit_cnt - orig_hit_cnt;
afl->stage_cycles[STAGE_RADAMSA] += afl->stage_max;
ret_val = 0;
goto abandon_entry;
/* we are through with this queue entry - for this iteration */ /* we are through with this queue entry - for this iteration */
abandon_entry: abandon_entry:

25
src/afl-fuzz-stats.c
View File

@ -746,15 +746,13 @@ void show_stats(afl_state_t *afl) {
afl->sync_id ? u_stringify_int(IB(0), afl->queued_imported) afl->sync_id ? u_stringify_int(IB(0), afl->queued_imported)
: (u8 *)"n/a"); : (u8 *)"n/a");
sprintf(tmp, "%s/%s, %s/%s, %s/%s", sprintf(tmp, "%s/%s, %s/%s",
u_stringify_int(IB(0), afl->stage_finds[STAGE_HAVOC]), u_stringify_int(IB(0), afl->stage_finds[STAGE_HAVOC]),
u_stringify_int(IB(2), afl->stage_cycles[STAGE_HAVOC]), u_stringify_int(IB(2), afl->stage_cycles[STAGE_HAVOC]),
u_stringify_int(IB(3), afl->stage_finds[STAGE_SPLICE]), u_stringify_int(IB(3), afl->stage_finds[STAGE_SPLICE]),
u_stringify_int(IB(4), afl->stage_cycles[STAGE_SPLICE]), u_stringify_int(IB(4), afl->stage_cycles[STAGE_SPLICE]));
u_stringify_int(IB(5), afl->stage_finds[STAGE_RADAMSA]),
u_stringify_int(IB(6), afl->stage_cycles[STAGE_RADAMSA]));
SAYF(bV bSTOP " havoc/rad : " cRST "%-36s " bSTG bV bSTOP, tmp); SAYF(bV bSTOP "havoc/splice : " cRST "%-36s " bSTG bV bSTOP, tmp);
if (t_bytes) { if (t_bytes) {
@ -835,18 +833,19 @@ void show_stats(afl_state_t *afl) {
} }
if (afl->custom_mutators_count) { // if (afl->custom_mutators_count) {
sprintf(tmp, "%s/%s", //
u_stringify_int(IB(0), afl->stage_finds[STAGE_CUSTOM_MUTATOR]), // sprintf(tmp, "%s/%s",
u_stringify_int(IB(1), afl->stage_cycles[STAGE_CUSTOM_MUTATOR])); // u_stringify_int(IB(0), afl->stage_finds[STAGE_CUSTOM_MUTATOR]),
SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bV RESET_G1, tmp); // u_stringify_int(IB(1), afl->stage_cycles[STAGE_CUSTOM_MUTATOR]));
// SAYF(bV bSTOP " custom mut. : " cRST "%-36s " bSTG bV RESET_G1, tmp);
} else { //
//} else {
SAYF(bV bSTOP " trim : " cRST "%-36s " bSTG bV RESET_G1, tmp); SAYF(bV bSTOP " trim : " cRST "%-36s " bSTG bV RESET_G1, tmp);
} //}
/* Provide some CPU utilization stats. */ /* Provide some CPU utilization stats. */

112
src/afl-fuzz.c
View File

@ -46,63 +46,6 @@ static void at_exit() {
} }
static u8 *get_libradamsa_path(u8 *own_loc) {
u8 *tmp, *cp, *rsl, *own_copy;
tmp = getenv("AFL_PATH");
if (tmp) {
cp = alloc_printf("%s/libradamsa.so", tmp);
if (access(cp, X_OK)) { FATAL("Unable to find '%s'", cp); }
return cp;
}
own_copy = ck_strdup(own_loc);
rsl = strrchr(own_copy, '/');
if (rsl) {
*rsl = 0;
cp = alloc_printf("%s/libradamsa.so", own_copy);
ck_free(own_copy);
if (!access(cp, X_OK)) { return cp; }
} else {
ck_free(own_copy);
}
if (!access(AFL_PATH "/libradamsa.so", X_OK)) {
return ck_strdup(AFL_PATH "/libradamsa.so");
}
if (!access(BIN_PATH "/libradamsa.so", X_OK)) {
return ck_strdup(BIN_PATH "/libradamsa.so");
}
SAYF(
"\n" cLRD "[-] " cRST
"Oops, unable to find the 'libradamsa.so' binary. The binary must be "
"built\n"
" separately using 'make radamsa'. If you already have the binary "
"installed,\n you may need to specify AFL_PATH in the environment.\n");
FATAL("Failed to locate 'libradamsa.so'.");
}
/* Display usage hints. */ /* Display usage hints. */
static void usage(afl_state_t *afl, u8 *argv0, int more_help) { static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
@ -130,8 +73,6 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
"mode)\n\n" "mode)\n\n"
"Mutator settings:\n" "Mutator settings:\n"
" -R[R] - add Radamsa as mutator, add another -R to exclusivly "
"run it\n"
" -L minutes - use MOpt(imize) mode and set the time limit for " " -L minutes - use MOpt(imize) mode and set the time limit for "
"entering the\n" "entering the\n"
" pacemaker mode (minutes of no new paths). 0 = " " pacemaker mode (minutes of no new paths). 0 = "
@ -794,15 +735,9 @@ int main(int argc, char **argv_orig, char **envp) {
case 'R': case 'R':
if (afl->use_radamsa) { FATAL(
"Radamsa is now a custom mutator, please use that "
afl->use_radamsa = 2; "(custom_mutators/radamsa/).");
} else {
afl->use_radamsa = 1;
}
break; break;
@ -845,47 +780,6 @@ int main(int argc, char **argv_orig, char **envp) {
} }
if (afl->use_radamsa) {
if (afl->limit_time_sig > 0) {
FATAL(
"MOpt and Radamsa are mutually exclusive unless you specify -L -1. "
"We accept pull requests that integrates MOpt with the optional "
"mutators (custom/radamsa/redqueen/...).");
}
if (afl->limit_time_sig && afl->use_radamsa > 1) {
FATAL("Radamsa in radamsa-only mode can not run together with -L");
}
OKF("Using Radamsa add-on");
u8 * libradamsa_path = get_libradamsa_path(argv[0]);
void *handle = dlopen(libradamsa_path, RTLD_NOW);
ck_free(libradamsa_path);
if (!handle) { FATAL("Failed to dlopen() libradamsa"); }
void (*radamsa_init_ptr)(void) = dlsym(handle, "radamsa_init");
afl->radamsa_mutate_ptr = dlsym(handle, "radamsa");
if (!radamsa_init_ptr || !afl->radamsa_mutate_ptr) {
FATAL("Failed to dlsym() libradamsa");
}
/* radamsa_init installs some signal handlers, call it before
setup_signal_handlers so that AFL++ can then replace those signal
handlers */
radamsa_init_ptr();
}
#if defined(__SANITIZE_ADDRESS__) #if defined(__SANITIZE_ADDRESS__)
if (afl->fsrv.mem_limit) { if (afl->fsrv.mem_limit) {

3
src/third_party/libradamsa/.gitignore vendored
View File

@ -1,3 +0,0 @@
*.a
*.o
libradamsa-test

75
src/third_party/libradamsa/libradamsa-test.c vendored
View File

@ -1,75 +0,0 @@
#include <radamsa.h>
#include <stdio.h>
#include <inttypes.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
size_t filesize(char* filename) {
struct stat st;
stat(filename, &st);
return st.st_size;
}
#define BUFSIZE 1024*1024
void fail(char *why) {
printf("fail: %s\n", why);
exit(1);
}
void write_output(char *data, size_t len, int num) {
char path[32];
int fd;
int wrote;
sprintf(path, "/tmp/libradamsa-%d.fuzz", num);
fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
printf("Opened %s -> %d\n", path, fd);
if (fd < 0) {
fail("failed to open output file");
}
wrote = write(fd, data, len);
printf("wrote %d of %zu bytes\n", wrote, len);
if (wrote != len) {
fail("failed to write all of output at once");
}
close(fd);
printf("Wrote %zu bytes to %s\n", len, path);
}
int main(int nargs, char **argv) {
char *spath = argv[1];
int fd = open(spath, O_RDONLY, 0);
size_t len;
char *input;
char *output;
int seed = 0;
if (fd < 0) {
fail("cannot open input file");
}
len = filesize(spath);
input = malloc(len);
output = malloc(BUFSIZE);
if (!input || !output) {
fail("failed to allocate buffers\n");
}
radamsa_init();
if (len != read(fd, input, len)) {
fail("failed to read the entire sample at once");
}
while(seed++ < 100) {
size_t n;
n = radamsa((uint8_t *) input, len, (uint8_t *) output, BUFSIZE, seed);
write_output(output, n, seed);
printf("Fuzzed %zu -> %zu bytes\n", len, n);
}
printf("library test passed\n");
free(output);
free(input);
return 0;
}

30853
src/third_party/libradamsa/libradamsa.c vendored
View File

File diff suppressed because it is too large Load Diff

13
src/third_party/libradamsa/radamsa.h vendored
View File

@ -1,13 +0,0 @@
#include <inttypes.h>
#include <stddef.h>
void radamsa_init(void);
size_t radamsa(uint8_t *ptr, size_t len,
uint8_t *target, size_t max,
unsigned int seed);
size_t radamsa_inplace(uint8_t *ptr,
size_t len,
size_t max,
unsigned int seed);

74
test/test.sh
View File

@ -637,43 +637,43 @@ test -e ../libdislocator.so && {
INCOMPLETE=1 INCOMPLETE=1
} }
rm -f test-compcov rm -f test-compcov
test -e ../libradamsa.so && { #test -e ../libradamsa.so && {
# on FreeBSD need to set AFL_CC # # on FreeBSD need to set AFL_CC
test `uname -s` = 'FreeBSD' && { # test `uname -s` = 'FreeBSD' && {
if type clang >/dev/null; then # if type clang >/dev/null; then
export AFL_CC=`command -v clang` # export AFL_CC=`command -v clang`
else # else
export AFL_CC=`$LLVM_CONFIG --bindir`/clang # export AFL_CC=`$LLVM_CONFIG --bindir`/clang
fi # fi
} # }
test -e test-instr.plain || ../afl-clang-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1 # test -e test-instr.plain || ../afl-clang-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1
test -e test-instr.plain || ../afl-gcc-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1 # test -e test-instr.plain || ../afl-gcc-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1
test -e test-instr.plain || ../${AFL_GCC} -o test-instr.plain ../test-instr.c > /dev/null 2>&1 # test -e test-instr.plain || ../${AFL_GCC} -o test-instr.plain ../test-instr.c > /dev/null 2>&1
test -e test-instr.plain && { # test -e test-instr.plain && {
mkdir -p in # mkdir -p in
printf 1 > in/in # printf 1 > in/in
$ECHO "$GREY[*] running afl-fuzz with radamsa, this will take approx 10 seconds" # $ECHO "$GREY[*] running afl-fuzz with radamsa, this will take approx 10 seconds"
{ # {
../afl-fuzz -RR -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain # ../afl-fuzz -RR -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain
} >>errors 2>&1 # } >>errors 2>&1
test -n "$( ls out/queue/id:000001* 2>/dev/null )" && { # test -n "$( ls out/queue/id:000001* 2>/dev/null )" && {
$ECHO "$GREEN[+] libradamsa performs good - and very slow - mutations" # $ECHO "$GREEN[+] libradamsa performs good - and very slow - mutations"
} || { # } || {
echo CUT------------------------------------------------------------------CUT # echo CUT------------------------------------------------------------------CUT
cat errors # cat errors
echo CUT------------------------------------------------------------------CUT # echo CUT------------------------------------------------------------------CUT
$ECHO "$RED[!] libradamsa failed" # $ECHO "$RED[!] libradamsa failed"
CODE=1 # CODE=1
} # }
rm -rf in out errors test-instr.plain # rm -rf in out errors test-instr.plain
} || { # } || {
$ECHO "$YELLOW[-] compilation of test target failed, cannot test libradamsa" # $ECHO "$YELLOW[-] compilation of test target failed, cannot test libradamsa"
INCOMPLETE=1 # INCOMPLETE=1
} # }
} || { #} || {
$ECHO "$YELLOW[-] libradamsa is not compiled, cannot test" # $ECHO "$YELLOW[-] libradamsa is not compiled, cannot test"
INCOMPLETE=1 # INCOMPLETE=1
} #}
test -z "$AFL_CC" && { test -z "$AFL_CC" && {
if type gcc >/dev/null; then if type gcc >/dev/null; then