cmplog config.h -> -l option

This commit is contained in:
vanhauser-thc
2021-02-21 17:53:09 +01:00
parent b957218a3a
commit 974aab6cf6
5 changed files with 85 additions and 62 deletions


@ -649,6 +649,7 @@ typedef struct afl_state {
u32 cmplog_max_filesize;
u32 cmplog_lvl;
u32 colorize_success;
u8 cmplog_enable_arith, cmplog_enable_transform;
struct afl_pass_stat *pass_stats;
struct cmp_map * orig_cmp_map;
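Review bot: The two new flags on the added line `u8 cmplog_enable_arith, cmplog_enable_transform;` carry no comment, yet they replace the `CMPLOG_SOLVE_ARITHMETIC` / `CMPLOG_SOLVE_TRANSFORM` compile-time switches this commit drops from config.h, and the effective default moves from both solvers on (both defines were set) to both off unless `-l A` / `-l T` is given. I would say so on the field: `/* set by -l A / -l T; replace the former CMPLOG_SOLVE_ARITHMETIC / CMPLOG_SOLVE_TRANSFORM defines, default off */`. Nothing in this section shows where the flags are initialised, so the off default presumably relies on the afl_state allocation being zeroed — worth confirming. The afl_state struct begins and ends outside the hunk.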


@ -42,13 +42,8 @@
*
*/
/* Enable arithmetic compare solving for both branches */
#define CMPLOG_SOLVE_ARITHMETIC
/* Enable transform following (XOR/ADD/SUB manipulations, hex en/decoding) */
#define CMPLOG_SOLVE_TRANSFORM
/* if TRANSFORM is enabled, this additionally enables base64 en/decoding */
/* if TRANSFORM is enabled with '-l T', this additionally enables base64
encoding/decoding */
// #define CMPLOG_SOLVE_TRANSFORM_BASE64
/* If a redqueen pass finds more than one solution, try to combine them? */
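Review bot: The rewritten comment above `// #define CMPLOG_SOLVE_TRANSFORM_BASE64` reads as if `-l T` alone switches base64 on, but the define stays a compile-time toggle and the base64 code in afl-fuzz-redqueen.c is still wrapped in `#ifdef CMPLOG_SOLVE_TRANSFORM_BASE64` inside the runtime `cmplog_enable_transform` branch, so both are required. I would state that explicitly: `/* only if this define is uncommented (rebuild needed) AND the run uses -l T: additionally enables base64 encoding/decoding */`. The CMPLOG section of this header may continue outside the hunk.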


@ -30,7 +30,6 @@
//#define _DEBUG
//#define CMPLOG_INTROSPECTION
#define CMPLOG_COMBINE
// CMP attribute enum
enum {
@ -523,7 +522,7 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
}
#ifdef CMPLOG_SOLVE_TRANSFORM
//#ifdef CMPLOG_SOLVE_TRANSFORM
static int strntoll(const char *str, size_t sz, char **end, int base,
long long *out) {
@ -723,7 +722,7 @@ static void to_base64(u8 *src, u8 *dst, u32 dst_len) {
#endif
#endif
//#endif
static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u64 pattern, u64 repl, u64 o_pattern,
@ -748,9 +747,9 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
// o_pattern, pattern, repl, changed_val, idx, taint_len,
// h->shape + 1, attr);
#ifdef CMPLOG_SOLVE_TRANSFORM
//#ifdef CMPLOG_SOLVE_TRANSFORM
// reverse atoi()/strnu?toll() is expensive, so we only to it in lvl 3
if (lvl & LVL3) {
if (afl->cmplog_enable_transform && (lvl & LVL3)) {
u8 * endptr;
u8 use_num = 0, use_unum = 0;
@ -1060,7 +1059,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
#endif
//#endif
// we only allow this for ascii2integer (above) so leave if this is the case
if (unlikely(pattern == o_pattern)) { return 0; }
@ -1215,8 +1214,12 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
// 16 = modified float, 32 = modified integer (modified = wont match
// in original buffer)
#ifdef CMPLOG_SOLVE_ARITHMETIC
if (lvl < LVL3 || attr == IS_TRANSFORM) { return 0; }
//#ifdef CMPLOG_SOLVE_ARITHMETIC
if (!afl->cmplog_enable_arith || lvl < LVL3 || attr == IS_TRANSFORM) {
return 0;
}
if (!(attr & (IS_GREATER | IS_LESSER)) || SHAPE_BYTES(h->shape) < 4) {
@ -1380,7 +1383,7 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
}
#endif /* CMPLOG_SOLVE_ARITHMETIC */
//#endif /* CMPLOG_SOLVE_ARITHMETIC
return 0;
@ -1857,9 +1860,9 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
#ifndef CMPLOG_COMBINE
(void)(cbuf);
#endif
#ifndef CMPLOG_SOLVE_TRANSFORM
(void)(changed_val);
#endif
//#ifndef CMPLOG_SOLVE_TRANSFORM
// (void)(changed_val);
//#endif
u8 save[40];
u32 saved_idx = idx, pre, from = 0, to = 0, i, j;
@ -1939,11 +1942,11 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
}
#ifdef CMPLOG_SOLVE_TRANSFORM
//#ifdef CMPLOG_SOLVE_TRANSFORM
if (*status == 1) return 0;
if (lvl & LVL3) {
if (afl->cmplog_enable_transform && (lvl & LVL3)) {
u32 toupper = 0, tolower = 0, xor = 0, arith = 0, tohex = 0, fromhex = 0;
#ifdef CMPLOG_SOLVE_TRANSFORM_BASE64
@ -2273,7 +2276,7 @@ static u8 rtn_extend_encoding(afl_state_t *afl, u8 *pattern, u8 *repl,
}
#endif
//#endif
return 0;
@ -2606,9 +2609,9 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
} else if ((lvl & LVL1)
#ifdef CMPLOG_SOLVE_TRANSFORM
|| (lvl & LVL3)
#endif
//#ifdef CMPLOG_SOLVE_TRANSFORM
|| ((lvl & LVL3) && afl->cmplog_enable_transform)
//#endif
) {
if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, cbuf, len, lvl, taint))) {
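Review bot: The `#ifdef CMPLOG_SOLVE_TRANSFORM` / `#ifdef CMPLOG_SOLVE_ARITHMETIC` guards are not removed but left as commented-out `//#ifdef` / `//#endif` lines in every hunk of this file (around `strntoll` and `to_base64`, both `cmp_extend_encoding` hunks, both `rtn_extend_encoding` hunks and `input_to_state_stage`), including a `//#endif /* CMPLOG_SOLVE_ARITHMETIC` whose closing `*/` was lost; now that the runtime flags carry the decision these lines are dead text and should be deleted rather than kept. The explanatory comment next to the new `if (afl->cmplog_enable_transform && (lvl & LVL3))` check still reads `// reverse atoi()/strnu?toll() is expensive, so we only to it in lvl 3`, which no longer states the full condition and has a typo; I would change it to `// reverse atoi()/strnu?toll() is expensive, so we only do it at lvl 3 with -l T`. cmp_extend_encoding, rtn_extend_encoding and input_to_state_stage all start and end outside these hunks.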


@ -103,7 +103,8 @@ static void usage(u8 *argv0, int more_help) {
" quad -- see docs/power_schedules.md\n"
" -f file - location read by the fuzzed program (default: stdin "
"or @@)\n"
" -t msec - timeout for each run (auto-scaled, 50-... ms, default %u ms)\n"
" -t msec - timeout for each run (auto-scaled, 50-... ms, default "
"%u ms)\n"
" add a '+' to skip over seeds running longer.\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit "
"[default])\n"
@ -123,10 +124,10 @@ static void usage(u8 *argv0, int more_help) {
" -c program - enable CmpLog by specifying a binary compiled for "
"it.\n"
" if using QEMU, just use -c 0.\n"
" -l cmplog_level - set the complexity/intensivity of CmpLog.\n"
" Values: 1 (basic), 2 (larger files) and 3 "
"(transform)\n\n"
" -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n"
" 1=small files (default), 2=larger files, 3=all "
"files,\n"
" A=arithmetic solving, T=tranformational solving.\n\n"
"Fuzzing behavior settings:\n"
" -Z - sequential queue selection instead of weighted "
"random\n"
@ -813,13 +814,36 @@ int main(int argc, char **argv_orig, char **envp) {
case 'l': {
if (optarg) { afl->cmplog_lvl = atoi(optarg); }
if (afl->cmplog_lvl < 1 || afl->cmplog_lvl > CMPLOG_LVL_MAX) {
if (!optarg) { FATAL("missing parameter for 'l'"); }
char *c = optarg;
while (*c) {
FATAL(
"Bad complog level value, accepted values are 1 (default), 2 and "
"%u.",
CMPLOG_LVL_MAX);
switch (*c) {
case '0':
case '1':
afl->cmplog_lvl = 1;
break;
case '2':
afl->cmplog_lvl = 2;
break;
case '3':
afl->cmplog_lvl = 3;
break;
case 'a':
case 'A':
afl->cmplog_enable_arith = 1;
break;
case 't':
case 'T':
afl->cmplog_enable_transform = 1;
break;
default:
FATAL("Unknown option value '%c' in -l %s", *c, optarg);
}
++c;
}