making AFL_MAP_SIZE obsolete

This commit is contained in:
van Hauser
2021-02-01 12:01:23 +01:00
parent 522eacce71
commit 981ffb27a8
15 changed files with 211 additions and 51 deletions


@ -682,11 +682,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if ((status & FS_OPT_AUTODICT) == FS_OPT_AUTODICT) {
if (ignore_autodict) {
if (!be_quiet) { WARNF("Ignoring offered AUTODICT feature."); }
} else {
if (!ignore_autodict) {
if (fsrv->add_extra_func == NULL || fsrv->afl_ptr == NULL) {
@ -969,7 +965,9 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
}
static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
/* Stop the forkserver and child */
void afl_fsrv_kill(afl_forkserver_t *fsrv) {
if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); }
if (fsrv->fsrv_pid > 0) {
@ -979,13 +977,28 @@ static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
}
close(fsrv->fsrv_ctl_fd);
close(fsrv->fsrv_st_fd);
fsrv->fsrv_pid = -1;
fsrv->child_pid = -1;
}
/* Get the map size from the target forkserver */
u32 afl_fsrv_get_mapsize(afl_forkserver_t *fsrv, char **argv,
volatile u8 *stop_soon_p, u8 debug_child_output) {
afl_fsrv_start(fsrv, argv, stop_soon_p, debug_child_output);
return fsrv->map_size;
}
/* Delete the current testcase and write the buf to the testcase file */
void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
if (fsrv->shmem_fuzz) {
if (likely(fsrv->use_shmem_fuzz && fsrv->shmem_fuzz)) {
if (unlikely(len > MAX_FILE)) len = MAX_FILE;
@ -1042,6 +1055,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
}
// fprintf(stderr, "WRITE %d %u\n", fd, len);
ck_write(fd, buf, len, fsrv->out_file);
if (fsrv->use_stdin) {
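Review bot: `afl_fsrv_kill`, now exported and called right before a forkserver restart in the other files of this commit, resets `fsrv_pid`/`child_pid` to -1 but leaves `fsrv_ctl_fd`/`fsrv_st_fd` holding the descriptors it just closed, and the two `close()` calls appear to sit outside the `fsrv_pid > 0` guard, so a second kill on an already-stopped forkserver would close a stale and possibly reused descriptor. Add `fsrv->fsrv_ctl_fd = -1; fsrv->fsrv_st_fd = -1;` after the two `close()` calls, or guard them the same way the `kill()` calls are guarded. `afl_fsrv_get_mapsize` also needs a comment stating its contract, since the callers depend on it: it starts the forkserver and leaves it running, and it returns `fsrv->map_size` as-is, which the callers' 4194304 placeholder suggests means "unchanged when the target reports no size" — e.g. `/* Starts the forkserver (left running) and returns fsrv->map_size, i.e. the target-reported size, or the value held on entry if the target reported none. */`. The `afl_fsrv_kill` body begins outside the second hunk.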


@ -766,13 +766,16 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
}
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
/*
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE;
afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1;
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size,
HASH_CONST); afl->queue_top->n_fuzz_entry = cksum % N_FUZZ_SIZE;
afl->n_fuzz[afl->queue_top->n_fuzz_entry] = 1;
}
}
*/
}
@ -2490,6 +2493,7 @@ void setup_testcase_shmem(afl_state_t *afl) {
// we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
u8 *map = afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(u32), 1);
afl->shm_fuzz->shmemfuzz_mode = 1;
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
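Review bot: The FAST..RARE `n_fuzz` seeding in `read_testcases` is disabled by commenting it out rather than removed, and nothing records why or whether the seeding now happens somewhere else; presumably it cannot run here any more because `afl->fsrv.map_size` is not final until the target has reported it, but that is inferred from the rest of the commit, not stated. Either delete the block or replace it with a short comment such as `/* n_fuzz seeding cannot happen here: map_size is not final until the forkserver has reported it */` that points at wherever the seeding now lives, if it does. Dead code kept in a comment invites being revived later with a stale `map_size`. `read_testcases` begins outside the hunk.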


@ -342,7 +342,6 @@ int main(int argc, char **argv_orig, char **envp) {
afl->debug = debug;
afl_fsrv_init(&afl->fsrv);
if (debug) { afl->fsrv.debug = true; }
read_afl_environment(afl, envp);
if (afl->shm.map_size) { afl->fsrv.map_size = afl->shm.map_size; }
exit_1 = !!afl->afl_env.afl_bench_just_one;
@ -702,7 +701,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->in_bitmap) { FATAL("Multiple -B options not supported"); }
afl->in_bitmap = optarg;
read_bitmap(afl->in_bitmap, afl->virgin_bits, afl->fsrv.map_size);
break;
case 'C': /* crash mode */
@ -1369,13 +1367,6 @@ int main(int argc, char **argv_orig, char **envp) {
set_scheduler_mode(SCHEDULER_MODE_LOW_LATENCY);
#endif
afl->fsrv.trace_bits =
afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode);
if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); }
memset(afl->virgin_tmout, 255, afl->fsrv.map_size);
memset(afl->virgin_crash, 255, afl->fsrv.map_size);
init_count_class16();
if (afl->is_main_node && check_main_node_exists(afl) == 1) {
@ -1542,6 +1533,70 @@ int main(int argc, char **argv_orig, char **envp) {
}
afl->argv = use_argv;
afl->fsrv.trace_bits =
afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode);
if (!afl->non_instrumented_mode) {
afl->fsrv.map_size = 4194304; // dummy temporary value
u32 new_map_size = afl_fsrv_get_mapsize(
&afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child);
if (new_map_size && new_map_size != 4194304) {
// only reinitialize when it makes sense
if (map_size != new_map_size) {
// if (map_size < new_map_size ||
// (new_map_size > map_size && new_map_size - map_size >
// MAP_SIZE)) {
OKF("Re-initializing maps to %u bytes", new_map_size);
afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size);
afl->virgin_tmout = ck_realloc(afl->virgin_tmout, map_size);
afl->virgin_crash = ck_realloc(afl->virgin_crash, map_size);
afl->var_bytes = ck_realloc(afl->var_bytes, map_size);
afl->top_rated = ck_realloc(afl->top_rated, map_size * sizeof(void *));
afl->clean_trace = ck_realloc(afl->clean_trace, map_size);
afl->clean_trace_custom = ck_realloc(afl->clean_trace_custom, map_size);
afl->first_trace = ck_realloc(afl->first_trace, map_size);
afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, map_size);
afl_shm_deinit(&afl->shm);
afl_fsrv_kill(&afl->fsrv);
afl->fsrv.map_size = new_map_size;
afl->fsrv.trace_bits = afl_shm_init(&afl->shm, afl->fsrv.map_size,
afl->non_instrumented_mode);
setenv("AFL_NO_AUTODICT", "1", 1); // loaded already
afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
afl->afl_env.afl_debug_child);
}
map_size = new_map_size;
}
afl->fsrv.map_size = map_size;
}
// after we have the correct bitmap size we can read the bitmap -B option
// and set the virgin maps
if (!afl->in_bitmap) {
memset(afl->virgin_bits, 255, afl->fsrv.map_size);
} else {
read_bitmap(afl->in_bitmap, afl->virgin_bits, afl->fsrv.map_size);
}
memset(afl->virgin_tmout, 255, afl->fsrv.map_size);
memset(afl->virgin_crash, 255, afl->fsrv.map_size);
if (afl->cmplog_binary) {
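Review bot: The nine `ck_realloc` calls in the re-initialisation block size the buffers with the old `map_size` instead of `new_map_size`, so when the target reports a larger map the `memset(afl->virgin_bits, 255, afl->fsrv.map_size)` and the two memsets after it, which use the new size set at `afl->fsrv.map_size = new_map_size`, write past the end of each buffer; when it reports a smaller one the buffers are merely oversized. Each call should use the new size, e.g. `afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size);` and `afl->top_rated = ck_realloc(afl->top_rated, new_map_size * sizeof(void *));`, and likewise for the other seven. Alternatively move the reallocs after the `map_size = new_map_size;` assignment that follows the block, which is the order the `Re-initializing maps to %u bytes` message already implies. `main` continues outside the hunk.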


@ -66,9 +66,17 @@ static list_t shm_list = {.element_prealloc_count = 0};
void afl_shm_deinit(sharedmem_t *shm) {
if (shm == NULL) return;
if (shm == NULL) { return; }
list_remove(&shm_list, shm);
if (shm->shmemfuzz_mode) {
unsetenv(SHM_FUZZ_ENV_VAR);
} else {
unsetenv(SHM_ENV_VAR);
}
#ifdef USEMMAP
if (shm->map != NULL) {
@ -94,6 +102,8 @@ void afl_shm_deinit(sharedmem_t *shm) {
if (shm->cmplog_mode) {
unsetenv(CMPLOG_SHM_ENV_VAR);
if (shm->cmp_map != NULL) {
munmap(shm->cmp_map, shm->map_size);
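Review bot: `afl_shm_deinit` now picks which environment variable to clear from `shm->shmemfuzz_mode`, but every caller in this commit sets that flag only after `afl_shm_init` returns (the added `shmemfuzz_mode = 1;` lines in afl-fuzz-init.c, afl-showmap.c and afl-tmin.c), so a caller that forgets it would silently `unsetenv(SHM_ENV_VAR)`, the coverage map's variable, while tearing down a testcase-sharing segment. Document the dependency at the top of the function, e.g. `/* shmemfuzz_mode must be set by the caller right after afl_shm_init(); it selects whether SHM_FUZZ_ENV_VAR or SHM_ENV_VAR is cleared here. */`, or better let `afl_shm_init` take and store the mode so init and deinit cannot disagree. The function continues past the second hunk.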


@ -86,7 +86,8 @@ static u8 quiet_mode, /* Hide non-essential messages? */
remove_shm = 1, /* remove shmem? */
collect_coverage, /* collect coverage */
have_coverage, /* have coverage? */
no_classify; /* do not classify counts */
no_classify, /* do not classify counts */
debug; /* debug mode */
static volatile u8 stop_soon, /* Ctrl-C pressed? */
child_crashed; /* Child crashed? */
@ -743,6 +744,7 @@ int main(int argc, char **argv_orig, char **envp) {
char **argv = argv_cpy_dup(argc, argv_orig);
afl_forkserver_t fsrv_var = {0};
if (getenv("AFL_DEBUG")) { debug = 1; }
fsrv = &fsrv_var;
afl_fsrv_init(fsrv);
map_size = get_map_size();
@ -991,14 +993,16 @@ int main(int argc, char **argv_orig, char **envp) {
// if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); }
setenv("AFL_NO_AUTODICT", "1", 1);
/* initialize cmplog_mode */
shm.cmplog_mode = 0;
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
setup_signal_handlers();
set_up_environment(fsrv);
fsrv->target_path = find_binary(argv[optind]);
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
if (!quiet_mode) {
@ -1051,6 +1055,7 @@ int main(int argc, char **argv_orig, char **envp) {
/* initialize cmplog_mode */
shm_fuzz->cmplog_mode = 0;
u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
shm_fuzz->shmemfuzz_mode = 1;
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
#ifdef USEMMAP
setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@ -1063,6 +1068,38 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv->shmem_fuzz_len = (u32 *)map;
fsrv->shmem_fuzz = map + sizeof(u32);
u32 save_be_quiet = be_quiet;
be_quiet = debug;
fsrv->map_size = 4194304; // dummy temporary value
u32 new_map_size = afl_fsrv_get_mapsize(
fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT"))
? 1
: 0);
be_quiet = save_be_quiet;
if (new_map_size) {
// only reinitialize when it makes sense
if (map_size < new_map_size ||
(new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) {
if (!be_quiet)
ACTF("Aquired new map size for target: %u bytes\n", new_map_size);
afl_shm_deinit(&shm);
afl_fsrv_kill(fsrv);
fsrv->map_size = new_map_size;
fsrv->trace_bits = afl_shm_init(&shm, new_map_size, 0);
}
map_size = new_map_size;
}
fsrv->map_size = map_size;
if (in_dir) {
DIR * dir_in, *dir_out = NULL;
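Review bot: `be_quiet = debug;` before the probing `afl_fsrv_get_mapsize` call reads inverted: it silences the forkserver's start-up output exactly when `AFL_DEBUG` is set and shows it otherwise, the opposite of what the save/restore around it and the new `debug` flag suggest; `be_quiet = !debug;` looks like the intent, though only the author can confirm. In the same block the second half of the re-init condition, `(new_map_size > map_size && new_map_size - map_size > MAP_SIZE)`, is implied by the first half `map_size < new_map_size` and can be dropped, and the user-facing message has a typo, `Aquired` → `Acquired` (the same message appears in afl-tmin.c). Unlike afl-fuzz.c and afl-tmin.c this block does not call `afl_fsrv_start` again after `afl_fsrv_kill(fsrv)`; if the later code path is expected to start the forkserver itself, a one-line comment saying so would save the next reader the check. `main` continues outside the hunk.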


@ -79,7 +79,8 @@ static u8 crash_mode, /* Crash-centric mode? */
edges_only, /* Ignore hit counts? */
exact_mode, /* Require path match for crashes? */
remove_out_file, /* remove out_file on exit? */
remove_shm = 1; /* remove shmem on exit? */
remove_shm = 1, /* remove shmem on exit? */
debug; /* debug mode */
static volatile u8 stop_soon; /* Ctrl-C pressed? */
@ -878,6 +879,7 @@ int main(int argc, char **argv_orig, char **envp) {
char **argv = argv_cpy_dup(argc, argv_orig);
afl_forkserver_t fsrv_var = {0};
if (getenv("AFL_DEBUG")) { debug = 1; }
fsrv = &fsrv_var;
afl_fsrv_init(fsrv);
map_size = get_map_size();
@ -1074,6 +1076,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (optind == argc || !in_file || !output_file) { usage(argv[0]); }
check_environment_vars(envp);
setenv("AFL_NO_AUTODICT", "1", 1);
if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) {
@ -1102,7 +1105,6 @@ int main(int argc, char **argv_orig, char **envp) {
/* initialize cmplog_mode */
shm.cmplog_mode = 0;
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
atexit(at_exit_handler);
setup_signal_handlers();
@ -1110,6 +1112,7 @@ int main(int argc, char **argv_orig, char **envp) {
set_up_environment(fsrv);
fsrv->target_path = find_binary(argv[optind]);
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
detect_file_args(argv + optind, out_file, &fsrv->use_stdin);
if (fsrv->qemu_mode) {
@ -1181,6 +1184,7 @@ int main(int argc, char **argv_orig, char **envp) {
/* initialize cmplog_mode */
shm_fuzz->cmplog_mode = 0;
u8 *map = afl_shm_init(shm_fuzz, MAX_FILE + sizeof(u32), 1);
shm_fuzz->shmemfuzz_mode = 1;
if (!map) { FATAL("BUG: Zero return from afl_shm_init."); }
#ifdef USEMMAP
setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1);
@ -1195,12 +1199,39 @@ int main(int argc, char **argv_orig, char **envp) {
read_initial_file();
afl_fsrv_start(
fsrv->map_size = 4194304; // dummy temporary value
u32 new_map_size = afl_fsrv_get_mapsize(
fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") || get_afl_env("AFL_DEBUG_CHILD_OUTPUT"))
? 1
: 0);
if (new_map_size) {
if (map_size < new_map_size ||
(new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) {
if (!be_quiet)
ACTF("Aquired new map size for target: %u bytes\n", new_map_size);
afl_shm_deinit(&shm);
afl_fsrv_kill(fsrv);
fsrv->map_size = new_map_size;
fsrv->trace_bits = afl_shm_init(&shm, new_map_size, 0);
afl_fsrv_start(fsrv, use_argv, &stop_soon,
(get_afl_env("AFL_DEBUG_CHILD") ||
get_afl_env("AFL_DEBUG_CHILD_OUTPUT"))
? 1
: 0);
}
map_size = new_map_size;
}
fsrv->map_size = map_size;
if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz)
shm_fuzz = deinit_shmem(fsrv, shm_fuzz);