ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-12 10:08:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

update honggfuzz custom mutator. make update is all it takes to stay current :)

Browse Source
This commit is contained in:
van Hauser
2020-08-04 23:33:35 +02:00
parent c8354d7516
commit 8ed6207b5c
4 changed files with 261 additions and 337 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
custom_mutators/honggfuzz/Makefile
View File

@ -7,6 +7,8 @@ honggfuzz.so: honggfuzz.c input.h mangle.c ../../src/afl-performance.c
$(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz.so honggfuzz.c mangle.c ../../src/afl-performance.c
update:
@# seriously? --unlink is a dud option? sigh ...
rm -f mangle.c mangle.h honggfuzz.h
wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.c
wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.h
wget --unlink https://github.com/google/honggfuzz/raw/master/honggfuzz.h

87
custom_mutators/honggfuzz/honggfuzz.h
View File

@ -39,10 +39,9 @@
#include "libhfcommon/util.h"
#define PROG_NAME "honggfuzz"
#define PROG_VERSION "2.2"
#define PROG_VERSION "2.3"
/* Name of the template which will be replaced with the proper name of the file
*/
/* Name of the template which will be replaced with the proper name of the file */
#define _HF_FILE_PLACEHOLDER "___FILE___"
/* Default name of the report created with some architectures */
@ -63,8 +62,7 @@
/* Number of crash verifier iterations before tag crash as stable */
#define _HF_VERIFIER_ITER 5
/* Size (in bytes) for report data to be stored in stack before written to file
*/
/* Size (in bytes) for report data to be stored in stack before written to file */
#define _HF_REPORT_SIZE 32768
/* Perf bitmap size */
@ -105,30 +103,24 @@ static const uint8_t HFReadyTag = 'R';
/* Maximum number of active fuzzing threads */
#define _HF_THREAD_MAX 1024U
/* Persistent-binary signature - if found within file, it means it's a
* persistent mode binary */
/* Persistent-binary signature - if found within file, it means it's a persistent mode binary */
#define _HF_PERSISTENT_SIG "\x01_LIBHFUZZ_PERSISTENT_BINARY_SIGNATURE_\x02\xFF"
/* HF NetDriver signature - if found within file, it means it's a
* NetDriver-based binary */
/* HF NetDriver signature - if found within file, it means it's a NetDriver-based binary */
#define _HF_NETDRIVER_SIG "\x01_LIBHFUZZ_NETDRIVER_BINARY_SIGNATURE_\x02\xFF"
/* printf() nonmonetary separator. According to MacOSX's man it's supported
* there as well */
/* printf() nonmonetary separator. According to MacOSX's man it's supported there as well */
#define _HF_NONMON_SEP "'"
typedef enum {
_HF_DYNFILE_NONE = 0x0,
_HF_DYNFILE_INSTR_COUNT = 0x1,
_HF_DYNFILE_BRANCH_COUNT = 0x2,
_HF_DYNFILE_BTS_EDGE = 0x10,
_HF_DYNFILE_IPT_BLOCK = 0x20,
_HF_DYNFILE_SOFT = 0x40,
} dynFileMethod_t;
typedef struct {
uint64_t cpuInstrCnt;
uint64_t cpuBranchCnt;
uint64_t bbCnt;
@ -136,29 +128,23 @@ typedef struct {
uint64_t softCntPc;
uint64_t softCntEdge;
uint64_t softCntCmp;
} hwcnt_t;
typedef enum {
_HF_STATE_UNSET = 0,
_HF_STATE_STATIC,
_HF_STATE_DYNAMIC_DRY_RUN,
_HF_STATE_DYNAMIC_MAIN,
_HF_STATE_DYNAMIC_MINIMIZE,
} fuzzState_t;
typedef enum {
HF_MAYBE = -1,
HF_NO = 0,
HF_YES = 1,
} tristate_t;
struct _dynfile_t {
size_t size;
uint64_t cov[4];
size_t idx;
@ -169,21 +155,17 @@ struct _dynfile_t {
uint32_t refs;
uint8_t* data;
TAILQ_ENTRY(_dynfile_t) pointers;
};
typedef struct _dynfile_t dynfile_t;
struct strings_t {
size_t len;
TAILQ_ENTRY(strings_t) pointers;
char s[];
};
typedef struct {
uint8_t pcGuardMap[_HF_PC_GUARD_MAX];
uint8_t bbMapPc[_HF_PERF_BITMAP_SIZE_16M];
uint32_t bbMapCmp[_HF_PERF_BITMAP_SIZE_16M];
@ -194,36 +176,26 @@ typedef struct {
uint64_t pidTotalPC[_HF_THREAD_MAX];
uint64_t pidTotalEdge[_HF_THREAD_MAX];
uint64_t pidTotalCmp[_HF_THREAD_MAX];
} feedback_t;
typedef struct {
uint32_t cnt;
struct {
uint8_t val[32];
uint32_t len;
} valArr[1024 * 16];
} cmpfeedback_t;
typedef struct {
struct {
size_t threadsMax;
size_t threadsFinished;
uint32_t threadsActiveCnt;
pthread_t mainThread;
pid_t mainPid;
pthread_t threads[_HF_THREAD_MAX];
} threads;
struct {
const char* inputDir;
const char* outputDir;
DIR* inputDirPtr;
@ -242,11 +214,8 @@ typedef struct {
dynfile_t* dynfileq2Current;
TAILQ_HEAD(dyns_t, _dynfile_t) dynfileq;
bool exportFeedback;
} io;
struct {
int argc;
const char* const* cmdline;
bool nullifyStdio;
@ -265,47 +234,32 @@ typedef struct {
char* env_ptrs[128];
char env_vals[128][4096];
sigset_t waitSigSet;
} exe;
struct {
time_t timeStart;
time_t runEndTime;
time_t tmOut;
time_t lastCovUpdate;
int64_t timeOfLongestUnitUSecs;
bool tmoutVTALRM;
} timing;
struct {
struct {
uint8_t val[256];
size_t len;
} dictionary[1024];
size_t dictionaryCnt;
const char* dictionaryFile;
size_t mutationsMax;
unsigned mutationsPerRun;
size_t maxInputSz;
} mutate;
struct {
bool useScreen;
char cmdline_txt[65];
int64_t lastDisplayUSecs;
} display;
struct {
bool useVerifier;
bool exitUponCrash;
const char* reportFile;
@ -313,18 +267,12 @@ typedef struct {
bool only_printable;
bool minimize;
bool switchingToFDM;
} cfg;
struct {
bool enable;
bool del_report;
} sanitizer;
struct {
fuzzState_t state;
feedback_t* covFeedbackMap;
int covFeedbackFd;
@ -338,42 +286,31 @@ typedef struct {
uint64_t maxCov[4];
dynFileMethod_t dynFileMethod;
hwcnt_t hwCnts;
} feedback;
struct {
size_t mutationsCnt;
size_t crashesCnt;
size_t uniqueCrashesCnt;
size_t verifiedCrashesCnt;
size_t blCrashesCnt;
size_t timeoutedCnt;
} cnts;
struct {
bool enabled;
int serverSocket;
int clientSocket;
} socketFuzzer;
struct {
pthread_rwlock_t dynfileq;
pthread_mutex_t feedback;
pthread_mutex_t report;
pthread_mutex_t state;
pthread_mutex_t input;
pthread_mutex_t timing;
} mutex;
/* For the Linux code */
struct {
int exeFd;
uint64_t dynamicCutOffAddr;
bool disableRandomization;
@ -388,12 +325,9 @@ typedef struct {
tristate_t useNetNs;
bool kernelOnly;
bool useClone;
} arch_linux;
/* For the NetBSD code */
struct {
void* ignoreAddr;
const char* symsBlFile;
char** symsBl;
@ -401,22 +335,17 @@ typedef struct {
const char* symsWlFile;
char** symsWl;
size_t symsWlCnt;
} arch_netbsd;
} honggfuzz_t;
typedef enum {
_HF_RS_UNKNOWN = 0,
_HF_RS_WAITING_FOR_INITIAL_READY = 1,
_HF_RS_WAITING_FOR_READY = 2,
_HF_RS_SEND_DATA = 3,
} runState_t;
typedef struct {
honggfuzz_t* global;
pid_t pid;
int64_t timeStartedUSecs;
@ -444,17 +373,13 @@ typedef struct {
hwcnt_t hwCnts;
struct {
/* For Linux code */
uint8_t* perfMmapBuf;
uint8_t* perfMmapAux;
int cpuInstrFd;
int cpuBranchFd;
int cpuIptBtsFd;
} arch_linux;
} run_t;
#endif

34
custom_mutators/honggfuzz/mangle.c
View File

@ -51,7 +51,7 @@ static inline size_t mangle_LenLeft(run_t *run, size_t off) {
}
/* Get a random value between <1:max> with x^2 distribution */
/* Get a random value <1:max>, but prefer smaller ones - up to 4KiB */
static inline size_t mangle_getLen(size_t max) {
if (max > _HF_INPUT_MAX_SIZE) {
@ -64,27 +64,25 @@ static inline size_t mangle_getLen(size_t max) {
if (max == 0) { LOG_F("max == 0"); }
if (max == 1) { return 1; }
const uint64_t max2 = (uint64_t)max * max;
const uint64_t max3 = (uint64_t)max * max * max;
const uint64_t rnd = util_rndGet(1, max2 - 1);
/* Give 50% chance the the uniform distribution */
switch (util_rndGet(0, 9)) {
uint64_t ret = rnd * rnd;
ret /= max3;
ret += 1;
if (ret < 1) {
LOG_F("ret (%" PRIu64 ") < 1, max:%zu, rnd:%" PRIu64, ret, max, rnd);
case 0:
return (size_t)util_rndGet(1, HF_MIN(16, max));
case 1:
return (size_t)util_rndGet(1, HF_MIN(64, max));
case 2:
return (size_t)util_rndGet(1, HF_MIN(256, max));
case 3:
return (size_t)util_rndGet(1, HF_MIN(1024, max));
case 4:
return (size_t)util_rndGet(1, HF_MIN(4096, max));
default:
break;
}
if (ret > max) {
LOG_F("ret (%" PRIu64 ") > max (%zu), rnd:%" PRIu64, ret, max, rnd);
}
return (size_t)ret;
return (size_t)util_rndGet(1, max);
}

1
custom_mutators/honggfuzz/mangle.h
View File

@ -29,4 +29,3 @@
extern void mangle_mangleContent(run_t* run, int speed_factor);
#endif