AFL_EXITPOINT support

docs/Changelog.md

@@ -24,6 +24,7 @@
     - Make AFL_DUMP_MAP_SIZE work even if the target has sanitizer issues
   - qemuafl:
     - Better MIPS persistent mode support
+    - `AFL_EXITPOINT` support added
   - afl-cmin:
     - New afl-cmin.py which is much faster, will be executed by default via
       afl-cmin if it executes successfully (thanks to @kcwu!)

docs/fuzzing_binary-only_targets.md

@@ -16,7 +16,8 @@ FRIDA mode and QEMU mode in persistent mode are the fastest - if persistent mode
 is possible and the stability is high enough.
 
 Otherwise, try Zafl, RetroWrite, Dyninst, and if these fail, too, then try
-standard FRIDA/QEMU mode with `AFL_ENTRYPOINT` to where you need it.
+standard FRIDA/QEMU mode with `AFL_ENTRYPOINT` + `AFL_EXITPOINT` to where you
+need it.
 
 If your target is non-linux, then use unicorn_mode.
 

include/envs.h

@@ -34,18 +34,19 @@ static char *afl_environment_variables[] = {
     "AFL_DISABLE_TRIM", "AFL_NO_TRIM", "AFL_DISABLE_LLVM_INSTRUMENTATION",
     "AFL_DONT_OPTIMIZE", "AFL_DRIVER_STDERR_DUPLICATE_FILENAME",
     "AFL_DUMB_FORKSRV", "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT",
-    "AFL_EXIT_WHEN_DONE", "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES",
+    "AFL_EXITPOINT", "AFL_EXIT_WHEN_DONE", "AFL_EXIT_ON_TIME",
-    "AFL_FAST_CAL", "AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS",
+    "AFL_EXIT_ON_SEED_ISSUES", "AFL_FAST_CAL", "AFL_FINAL_SYNC", "AFL_FORCE_UI",
-    "AFL_FRIDA_DRIVER_NO_HOOK", "AFL_FRIDA_EXCLUDE_RANGES",
+    "AFL_FRIDA_DEBUG_MAPS", "AFL_FRIDA_DRIVER_NO_HOOK",
-    "AFL_FRIDA_INST_CACHE_SIZE", "AFL_FRIDA_INST_COVERAGE_ABSOLUTE",
+    "AFL_FRIDA_EXCLUDE_RANGES", "AFL_FRIDA_INST_CACHE_SIZE",
-    "AFL_FRIDA_INST_COVERAGE_FILE", "AFL_FRIDA_INST_DEBUG_FILE",
+    "AFL_FRIDA_INST_COVERAGE_ABSOLUTE", "AFL_FRIDA_INST_COVERAGE_FILE",
-    "AFL_FRIDA_INST_INSN", "AFL_FRIDA_INST_JIT", "AFL_FRIDA_INST_NO_CACHE",
+    "AFL_FRIDA_INST_DEBUG_FILE", "AFL_FRIDA_INST_INSN", "AFL_FRIDA_INST_JIT",
-    "AFL_FRIDA_INST_NO_DYNAMIC_LOAD", "AFL_FRIDA_INST_NO_OPTIMIZE",
+    "AFL_FRIDA_INST_NO_CACHE", "AFL_FRIDA_INST_NO_DYNAMIC_LOAD",
-    "AFL_FRIDA_INST_NO_PREFETCH", "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH",
+    "AFL_FRIDA_INST_NO_OPTIMIZE", "AFL_FRIDA_INST_NO_PREFETCH",
-    "AFL_FRIDA_INST_NO_SUPPRESS", "AFL_FRIDA_INST_RANGES",
+    "AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH", "AFL_FRIDA_INST_NO_SUPPRESS",
-    "AFL_FRIDA_INST_REGS_FILE", "AFL_FRIDA_INST_SEED", "AFL_FRIDA_INST_TRACE",
+    "AFL_FRIDA_INST_RANGES", "AFL_FRIDA_INST_REGS_FILE", "AFL_FRIDA_INST_SEED",
-    "AFL_FRIDA_INST_TRACE_UNIQUE", "AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE",
+    "AFL_FRIDA_INST_TRACE", "AFL_FRIDA_INST_TRACE_UNIQUE",
-    "AFL_FRIDA_JS_SCRIPT", "AFL_FRIDA_OUTPUT_STDOUT", "AFL_FRIDA_OUTPUT_STDERR",
+    "AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE", "AFL_FRIDA_JS_SCRIPT",
+    "AFL_FRIDA_OUTPUT_STDOUT", "AFL_FRIDA_OUTPUT_STDERR",
     "AFL_FRIDA_PERSISTENT_ADDR", "AFL_FRIDA_PERSISTENT_CNT",
     "AFL_FRIDA_PERSISTENT_DEBUG", "AFL_FRIDA_PERSISTENT_HOOK",
     "AFL_FRIDA_PERSISTENT_RET", "AFL_FRIDA_STALKER_ADJACENT_BLOCKS",

qemu_mode/QEMUAFL_VERSION

@@ -1 +1 @@
-c43dd6e036
+0d45c0b84a

qemu_mode/README.md

@@ -68,6 +68,11 @@ which can be a huge speed improvement.
 
 For an example, see [README.deferred_initialization_example.md](README.deferred_initialization_example.md).
 
+Note that there is also `AFL_EXITPOINT` which you can set to an address that
+will trigger a termination of the qemu forked instance when the block that
+contains this address is reached. Read again: when the block where the address
+is is reached!
+
 ## 4) Persistent mode
 
 AFL++'s QEMU mode now supports also persistent mode for x86, x86_64, arm, and