ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

clang-tidy readability-braces (#323)

Browse Source
This commit is contained in:
Dominik Maier
2020-04-19 16:42:40 +02:00
parent 22cdad2d20
commit 9bb0733eb5
35 changed files with 2925 additions and 1281 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.clang-format
View File

@ -10,7 +10,7 @@ AlignOperands: true
AlignTrailingComments: true
AllowAllParametersOfDeclarationOnNextLine: true
AllowShortBlocksOnASingleLine: true
AllowShortCaseLabelsOnASingleLine: true
AllowShortCaseLabelsOnASingleLine: false
AllowShortFunctionsOnASingleLine: false
AllowShortIfStatementsOnASingleLine: true
AllowShortLoopsOnASingleLine: false

3
examples/qemu_persistent_hook/test.c
View File

@ -16,7 +16,8 @@ int target_func(unsigned char *buf, int size) {
}
break;
default: break;
default:
break;
}

8
include/afl-fuzz.h
View File

@ -956,7 +956,7 @@ static inline u32 rand_below(afl_state_t *afl, u32 limit) {
static inline u32 get_rand_seed(afl_state_t *afl) {
if (unlikely(afl->fixed_seed)) return (u32)afl->init_seed;
if (unlikely(afl->fixed_seed)) { return (u32)afl->init_seed; }
return afl->rand_seed[0];
}
@ -967,8 +967,12 @@ static inline u32 get_rand_seed(afl_state_t *afl) {
static inline u64 next_p2(u64 val) {
u64 ret = 1;
while (val > ret)
while (val > ret) {
ret <<= 1;
}
return ret;
}

28
include/alloc-inl.h
View File

@ -87,7 +87,7 @@ static inline void *DFL_ck_alloc_nozero(u32 size) {
void *ret;
if (!size) return NULL;
if (!size) { return NULL; }
ALLOC_CHECK_SIZE(size);
ret = malloc(size);
@ -103,7 +103,7 @@ static inline void *DFL_ck_alloc(u32 size) {
void *mem;
if (!size) return NULL;
if (!size) { return NULL; }
mem = DFL_ck_alloc_nozero(size);
return memset(mem, 0, size);
@ -115,7 +115,7 @@ static inline void *DFL_ck_alloc(u32 size) {
static inline void DFL_ck_free(void *mem) {
if (!mem) return;
if (!mem) { return; }
free(mem);
@ -165,7 +165,7 @@ static inline u8 *DFL_ck_strdup(u8 *str) {
u8 *ret;
u32 size;
if (!str) return NULL;
if (!str) { return NULL; }
size = strlen((char *)str) + 1;
@ -184,7 +184,7 @@ static inline void *DFL_ck_memdup(void *mem, u32 size) {
void *ret;
if (!mem || !size) return NULL;
if (!mem || !size) { return NULL; }
ALLOC_CHECK_SIZE(size);
ret = malloc(size);
@ -201,7 +201,7 @@ static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) {
u8 *ret;
if (!mem || !size) return NULL;
if (!mem || !size) { return NULL; }
ALLOC_CHECK_SIZE(size);
ret = malloc(size + 1);
@ -772,8 +772,12 @@ static inline void TRK_ck_free(void *ptr, const char *file, const char *func,
*/
static inline size_t next_pow2(size_t in) {
if (in == 0 || in > (size_t)-1)
if (in == 0 || in > (size_t)-1) {
return 0; /* avoid undefined behaviour under-/overflow */
}
size_t out = in - 1;
out |= out >> 1;
out |= out >> 2;
@ -794,10 +798,10 @@ static inline size_t next_pow2(size_t in) {
static inline void *maybe_grow(void **buf, size_t *size, size_t size_needed) {
/* No need to realloc */
if (likely(size_needed && *size >= size_needed)) return *buf;
if (likely(size_needed && *size >= size_needed)) { return *buf; }
/* No initial size was set */
if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE;
if (size_needed < INITIAL_GROWTH_SIZE) { size_needed = INITIAL_GROWTH_SIZE; }
/* grow exponentially */
size_t next_size = next_pow2(size_needed);
@ -824,13 +828,13 @@ static inline void *ck_maybe_grow(void **buf, size_t *size,
size_t size_needed) {
/* Oops. found a bug? */
if (unlikely(size_needed < 1)) FATAL("cannot grow to non-positive size");
if (unlikely(size_needed < 1)) { FATAL("cannot grow to non-positive size"); }
/* No need to realloc */
if (likely(*size >= size_needed)) return *buf;
if (likely(*size >= size_needed)) { return *buf; }
/* No initial size was set */
if (size_needed < INITIAL_GROWTH_SIZE) size_needed = INITIAL_GROWTH_SIZE;
if (size_needed < INITIAL_GROWTH_SIZE) { size_needed = INITIAL_GROWTH_SIZE; }
/* grow exponentially */
size_t next_size = next_pow2(size_needed);

2
include/android-ashmem.h
View File

@ -109,3 +109,5 @@ static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
#endif
#endif

1
include/forkserver.h
View File

@ -30,6 +30,7 @@
#include <stdio.h>
#include <stdbool.h>
#include "types.h"
#include "types.h"
typedef struct afl_forkserver {

2
include/list.h
View File

@ -83,7 +83,7 @@ static inline void list_append(list_t *list, void *el) {
element_t *el_box = NULL;
PRE_ALLOC(el_box, list->element_prealloc_buf, LIST_PREALLOC_SIZE,
list->element_prealloc_count);
if (!el_box) FATAL("failed to allocate list element");
if (!el_box) { FATAL("failed to allocate list element"); }
el_box->data = el;
el_box->next = head;
el_box->prev = head->prev;

3
libtokencap/libtokencap.so.c
View File

@ -274,7 +274,8 @@ static void __tokencap_dump(const u8 *ptr, size_t len, u8 is_text) {
pos += 4;
break;
default: buf[pos++] = ptr[i];
default:
buf[pos++] = ptr[i];
}

19
llvm_mode/cmplog-instructions-pass.cc
View File

@ -360,11 +360,20 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
switch (max_size) {
case 8: IRB.CreateCall(cmplogHookIns1, args, "tmp"); break;
case 16: IRB.CreateCall(cmplogHookIns2, args, "tmp"); break;
case 32: IRB.CreateCall(cmplogHookIns4, args, "tmp"); break;
case 64: IRB.CreateCall(cmplogHookIns8, args, "tmp"); break;
default: break;
case 8:
IRB.CreateCall(cmplogHookIns1, args, "tmp");
break;
case 16:
IRB.CreateCall(cmplogHookIns2, args, "tmp");
break;
case 32:
IRB.CreateCall(cmplogHookIns4, args, "tmp");
break;
case 64:
IRB.CreateCall(cmplogHookIns8, args, "tmp");
break;
default:
break;
}

41
llvm_mode/split-compares-pass.so.cc
View File

@ -318,10 +318,18 @@ bool SplitComparesTransform::simplifyCompares(Module &M) {
CmpInst::Predicate new_pred;
switch (pred) {
case CmpInst::ICMP_UGE: new_pred = CmpInst::ICMP_UGT; break;
case CmpInst::ICMP_SGE: new_pred = CmpInst::ICMP_SGT; break;
case CmpInst::ICMP_ULE: new_pred = CmpInst::ICMP_ULT; break;
case CmpInst::ICMP_SLE: new_pred = CmpInst::ICMP_SLT; break;
case CmpInst::ICMP_UGE:
new_pred = CmpInst::ICMP_UGT;
break;
case CmpInst::ICMP_SGE:
new_pred = CmpInst::ICMP_SGT;
break;
case CmpInst::ICMP_ULE:
new_pred = CmpInst::ICMP_ULT;
break;
case CmpInst::ICMP_SLE:
new_pred = CmpInst::ICMP_SLT;
break;
default: // keep the compiler happy
continue;
@ -384,10 +392,18 @@ bool SplitComparesTransform::simplifyCompares(Module &M) {
CmpInst::Predicate new_pred;
switch (pred) {
case CmpInst::FCMP_UGE: new_pred = CmpInst::FCMP_UGT; break;
case CmpInst::FCMP_OGE: new_pred = CmpInst::FCMP_OGT; break;
case CmpInst::FCMP_ULE: new_pred = CmpInst::FCMP_ULT; break;
case CmpInst::FCMP_OLE: new_pred = CmpInst::FCMP_OLT; break;
case CmpInst::FCMP_UGE:
new_pred = CmpInst::FCMP_UGT;
break;
case CmpInst::FCMP_OGE:
new_pred = CmpInst::FCMP_OGT;
break;
case CmpInst::FCMP_ULE:
new_pred = CmpInst::FCMP_ULT;
break;
case CmpInst::FCMP_OLE:
new_pred = CmpInst::FCMP_OLT;
break;
default: // keep the compiler happy
continue;
@ -855,7 +871,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_exponent_result =
BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0);
break;
default: continue;
default:
continue;
}
@ -958,7 +975,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
icmp_fraction_result =
BinaryOperator::Create(Instruction::Xor, icmp_fraction, t_s0);
break;
default: continue;
default:
continue;
}
@ -1004,7 +1022,8 @@ size_t SplitComparesTransform::splitFPCompares(Module &M) {
PN->addIncoming(icmp_exponent_result, signequal_bb);
PN->addIncoming(icmp_fraction_result, middle_bb);
break;
default: continue;
default:
continue;
}

4
qbdi_mode/demo-so.c
View File

@ -29,7 +29,9 @@ int target_func(char *buf, int size) {
}
break;
default: puts("default action"); break;
default:
puts("default action");
break;
}

6
qemu_mode/libcompcov/compcovtest.cc
View File

@ -51,9 +51,11 @@ int main() {
switch (z) {
case 0xBEEF: break;
case 0xBEEF:
break;
default: return 4;
default:
return 4;
}

34
qemu_mode/patches/afl-qemu-cpu-translate-inl.h
View File

@ -55,11 +55,20 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
switch (ot & MO_SIZE) {
case MO_64: gen_helper_afl_cmplog_64(cur_loc_v, arg1, arg2); break;
case MO_32: gen_helper_afl_cmplog_32(cur_loc_v, arg1, arg2); break;
case MO_16: gen_helper_afl_cmplog_16(cur_loc_v, arg1, arg2); break;
case MO_8: gen_helper_afl_cmplog_8(cur_loc_v, arg1, arg2); break;
default: break;
case MO_64:
gen_helper_afl_cmplog_64(cur_loc_v, arg1, arg2);
break;
case MO_32:
gen_helper_afl_cmplog_32(cur_loc_v, arg1, arg2);
break;
case MO_16:
gen_helper_afl_cmplog_16(cur_loc_v, arg1, arg2);
break;
case MO_8:
gen_helper_afl_cmplog_8(cur_loc_v, arg1, arg2);
break;
default:
break;
}
@ -78,10 +87,17 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv arg1, TCGv arg2,
switch (ot & MO_SIZE) {
case MO_64: gen_helper_afl_compcov_64(cur_loc_v, arg1, arg2); break;
case MO_32: gen_helper_afl_compcov_32(cur_loc_v, arg1, arg2); break;
case MO_16: gen_helper_afl_compcov_16(cur_loc_v, arg1, arg2); break;
default: break;
case MO_64:
gen_helper_afl_compcov_64(cur_loc_v, arg1, arg2);
break;
case MO_32:
gen_helper_afl_compcov_32(cur_loc_v, arg1, arg2);
break;
case MO_16:
gen_helper_afl_compcov_16(cur_loc_v, arg1, arg2);
break;
default:
break;
}

282
src/afl-analyze.c
View File

@ -122,7 +122,7 @@ static void classify_counts(u8 *mem) {
while (i--) {
if (*mem) *mem = 1;
if (*mem) { *mem = 1; }
mem++;
}
@ -147,8 +147,11 @@ static inline u8 anything_set(void) {
u32 *ptr = (u32 *)trace_bits;
u32 i = (map_size >> 2);
while (i--)
if (*(ptr++)) return 1;
while (i--) {
if (*(ptr++)) { return 1; }
}
return 0;
@ -169,13 +172,16 @@ static void read_initial_file(void) {
struct stat st;
s32 fd = open(in_file, O_RDONLY);
if (fd < 0) PFATAL("Unable to open '%s'", in_file);
if (fd < 0) { PFATAL("Unable to open '%s'", in_file); }
if (fstat(fd, &st) || !st.st_size) FATAL("Zero-sized input file.");
if (fstat(fd, &st) || !st.st_size) { FATAL("Zero-sized input file."); }
if (st.st_size >= TMIN_MAX_FILE) {
if (st.st_size >= TMIN_MAX_FILE)
FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024);
}
in_len = st.st_size;
in_data = ck_alloc_nozero(in_len);
@ -197,7 +203,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
if (ret < 0) PFATAL("Unable to create '%s'", path);
if (ret < 0) { PFATAL("Unable to create '%s'", path); }
ck_write(ret, mem, len, path);
@ -225,7 +231,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) {
child_pid = fork();
if (child_pid < 0) PFATAL("fork() failed");
if (child_pid < 0) { PFATAL("fork() failed"); }
if (!child_pid) {
@ -278,7 +284,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) {
setitimer(ITIMER_REAL, &it, NULL);
if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed");
if (waitpid(child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); }
child_pid = 0;
it.it_value.tv_sec = 0;
@ -290,9 +296,12 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) {
/* Clean up bitmap, analyze exit condition, etc. */
if (*(u32 *)trace_bits == EXEC_FAIL_SIG)
if (*(u32 *)trace_bits == EXEC_FAIL_SIG) {
FATAL("Unable to execute '%s'", argv[0]);
}
classify_counts(trace_bits);
total_execs++;
@ -325,7 +334,7 @@ static u32 analyze_run_target(char **argv, u8 *mem, u32 len, u8 first_run) {
}
if (first_run) orig_cksum = cksum;
if (first_run) { orig_cksum = cksum; }
return cksum;
@ -340,9 +349,12 @@ static void show_char(u8 val) {
switch (val) {
case 0 ... 32:
case 127 ... 255: SAYF("#%02x", val); break;
case 127 ... 255:
SAYF("#%02x", val);
break;
default: SAYF(" %c ", val);
default:
SAYF(" %c ", val);
}
@ -387,7 +399,12 @@ static void dump_hex(u8 *buf, u32 len, u8 *b_data) {
while (i + rlen < len && (b_data[i] >> 7) == (b_data[i + rlen] >> 7)) {
if (rtype < (b_data[i + rlen] & 0x0f)) rtype = b_data[i + rlen] & 0x0f;
if (rtype < (b_data[i + rlen] & 0x0f)) {
rtype = b_data[i + rlen] & 0x0f;
}
rlen++;
}
@ -454,9 +471,11 @@ static void dump_hex(u8 *buf, u32 len, u8 *b_data) {
case 1:
case 3:
case 5 ... MAX_AUTO_EXTRA - 1: break;
case 5 ... MAX_AUTO_EXTRA - 1:
break;
default: rtype = RESP_SUSPECT;
default:
rtype = RESP_SUSPECT;
}
@ -472,36 +491,60 @@ static void dump_hex(u8 *buf, u32 len, u8 *b_data) {
if (!((i + off) % 16)) {
if (off) SAYF(cRST cLCY ">");
if (off) { SAYF(cRST cLCY ">"); }
if (use_hex_offsets) {
if (use_hex_offsets)
SAYF(cRST cGRA "%s[%06x] " cRST, (i + off) ? "\n" : "", i + off);
else
} else {
SAYF(cRST cGRA "%s[%06u] " cRST, (i + off) ? "\n" : "", i + off);
}
}
switch (rtype) {
case RESP_NONE: SAYF(cLGR bgGRA); break;
case RESP_MINOR: SAYF(cBRI bgGRA); break;
case RESP_VARIABLE: SAYF(cBLK bgCYA); break;
case RESP_FIXED: SAYF(cBLK bgMGN); break;
case RESP_LEN: SAYF(cBLK bgLGN); break;
case RESP_CKSUM: SAYF(cBLK bgYEL); break;
case RESP_SUSPECT: SAYF(cBLK bgLRD); break;
case RESP_NONE:
SAYF(cLGR bgGRA);
break;
case RESP_MINOR:
SAYF(cBRI bgGRA);
break;
case RESP_VARIABLE:
SAYF(cBLK bgCYA);
break;
case RESP_FIXED:
SAYF(cBLK bgMGN);
break;
case RESP_LEN:
SAYF(cBLK bgLGN);
break;
case RESP_CKSUM:
SAYF(cBLK bgYEL);
break;
case RESP_SUSPECT:
SAYF(cBLK bgLRD);
break;
}
show_char(in_data[i + off]);
if (off != rlen - 1 && (i + off + 1) % 16)
if (off != rlen - 1 && (i + off + 1) % 16) {
SAYF(" ");
else
} else {
SAYF(cRST " ");
}
}
#else
if (use_hex_offsets)
@ -511,13 +554,27 @@ static void dump_hex(u8 *buf, u32 len, u8 *b_data) {
switch (rtype) {
case RESP_NONE: SAYF("no-op block\n"); break;
case RESP_MINOR: SAYF("superficial content\n"); break;
case RESP_VARIABLE: SAYF("critical stream\n"); break;
case RESP_FIXED: SAYF("\"magic value\" section\n"); break;
case RESP_LEN: SAYF("suspected length field\n"); break;
case RESP_CKSUM: SAYF("suspected cksum or magic int\n"); break;
case RESP_SUSPECT: SAYF("suspected checksummed block\n"); break;
case RESP_NONE:
SAYF("no-op block\n");
break;
case RESP_MINOR:
SAYF("superficial content\n");
break;
case RESP_VARIABLE:
SAYF("critical stream\n");
break;
case RESP_FIXED:
SAYF("\"magic value\" section\n");
break;
case RESP_LEN:
SAYF("suspected length field\n");
break;
case RESP_CKSUM:
SAYF("suspected cksum or magic int\n");
break;
case RESP_SUSPECT:
SAYF("suspected checksummed block\n");
break;
}
@ -594,16 +651,21 @@ static void analyze(char **argv) {
b_data[i] = RESP_FIXED;
} else
} else {
b_data[i] = RESP_VARIABLE;
}
/* When all checksums change, flip most significant bit of b_data. */
if (prev_xff != xor_ff && prev_x01 != xor_01 && prev_s10 != sub_10 &&
prev_a10 != add_10)
prev_a10 != add_10) {
seq_byte ^= 0x80;
}
b_data[i] |= seq_byte;
prev_xff = xor_ff;
@ -620,10 +682,13 @@ static void analyze(char **argv) {
OKF("Analysis complete. Interesting bits: %0.02f%% of the input file.",
100.0 - ((double)boring_len * 100) / in_len);
if (exec_hangs)
if (exec_hangs) {
WARNF(cLRD "Encountered %u timeouts - results may be skewed." cRST,
exec_hangs);
}
ck_free(b_data);
}
@ -634,7 +699,7 @@ static void handle_stop_sig(int sig) {
stop_soon = 1;
if (child_pid > 0) kill(child_pid, SIGKILL);
if (child_pid > 0) { kill(child_pid, SIGKILL); }
}
@ -645,7 +710,7 @@ static void set_up_environment(void) {
u8 *x;
dev_null_fd = open("/dev/null", O_RDWR);
if (dev_null_fd < 0) PFATAL("Unable to open /dev/null");
if (dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); }
if (!prog_in) {
@ -654,7 +719,7 @@ static void set_up_environment(void) {
if (access(use_dir, R_OK | W_OK | X_OK)) {
use_dir = get_afl_env("TMPDIR");
if (!use_dir) use_dir = "/tmp";
if (!use_dir) { use_dir = "/tmp"; }
}
@ -668,27 +733,39 @@ static void set_up_environment(void) {
if (x) {
if (!strstr(x, "abort_on_error=1"))
if (!strstr(x, "abort_on_error=1")) {
FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
if (!strstr(x, "symbolize=0"))
}
if (!strstr(x, "symbolize=0")) {
FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!");
}
}
x = get_afl_env("MSAN_OPTIONS");
if (x) {
if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR)))
if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) {
FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY(
MSAN_ERROR) " - please fix!");
if (!strstr(x, "symbolize=0"))
}
if (!strstr(x, "symbolize=0")) {
FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!");
}
}
setenv("ASAN_OPTIONS",
"abort_on_error=1:"
"detect_leaks=0:"
@ -713,20 +790,28 @@ static void set_up_environment(void) {
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
if (afl_preload[i] == ',')
if (afl_preload[i] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
if (qemu_preload)
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
else
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
ck_free(buf);
@ -820,26 +905,26 @@ int main(int argc, char **argv, char **envp) {
SAYF(cCYA "afl-analyze" VERSION cRST " by Michal Zalewski\n");
while ((opt = getopt(argc, argv, "+i:f:m:t:eQUWh")) > 0)
while ((opt = getopt(argc, argv, "+i:f:m:t:eQUWh")) > 0) {
switch (opt) {
case 'i':
if (in_file) FATAL("Multiple -i options not supported");
if (in_file) { FATAL("Multiple -i options not supported"); }
in_file = optarg;
break;
case 'f':
if (prog_in) FATAL("Multiple -f options not supported");
if (prog_in) { FATAL("Multiple -f options not supported"); }
use_stdin = 0;
prog_in = optarg;
break;
case 'e':
if (edges_only) FATAL("Multiple -e options not supported");
if (edges_only) { FATAL("Multiple -e options not supported"); }
edges_only = 1;
break;
@ -847,7 +932,7 @@ int main(int argc, char **argv, char **envp) {
u8 suffix = 'M';
if (mem_limit_given) FATAL("Multiple -m options not supported");
if (mem_limit_given) { FATAL("Multiple -m options not supported"); }
mem_limit_given = 1;
if (!optarg) { FATAL("Wrong usage of -m"); }
@ -860,66 +945,83 @@ int main(int argc, char **argv, char **envp) {
}
if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 ||
optarg[0] == '-')
optarg[0] == '-') {
FATAL("Bad syntax used for -m");
switch (suffix) {
case 'T': mem_limit *= 1024 * 1024; break;
case 'G': mem_limit *= 1024; break;
case 'k': mem_limit /= 1024; break;
case 'M': break;
default: FATAL("Unsupported suffix or bad syntax for -m");
}
if (mem_limit < 5) FATAL("Dangerously low value of -m");
switch (suffix) {
case 'T':
mem_limit *= 1024 * 1024;
break;
case 'G':
mem_limit *= 1024;
break;
case 'k':
mem_limit /= 1024;
break;
case 'M':
break;
default:
FATAL("Unsupported suffix or bad syntax for -m");
}
if (mem_limit < 5) { FATAL("Dangerously low value of -m"); }
if (sizeof(rlim_t) == 4 && mem_limit > 2000) {
if (sizeof(rlim_t) == 4 && mem_limit > 2000)
FATAL("Value of -m out of range on 32-bit systems");
}
}
break;
case 't':
if (timeout_given) FATAL("Multiple -t options not supported");
if (timeout_given) { FATAL("Multiple -t options not supported"); }
timeout_given = 1;
if (!optarg) FATAL("Wrong usage of -t");
if (!optarg) { FATAL("Wrong usage of -t"); }
exec_tmout = atoi(optarg);
if (exec_tmout < 10 || optarg[0] == '-')
if (exec_tmout < 10 || optarg[0] == '-') {
FATAL("Dangerously low value of -t");
}
break;
case 'Q':
if (qemu_mode) FATAL("Multiple -Q options not supported");
if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU;
if (qemu_mode) { FATAL("Multiple -Q options not supported"); }
if (!mem_limit_given) { mem_limit = MEM_LIMIT_QEMU; }
qemu_mode = 1;
break;
case 'U':
if (unicorn_mode) FATAL("Multiple -U options not supported");
if (!mem_limit_given) mem_limit = MEM_LIMIT_UNICORN;
if (unicorn_mode) { FATAL("Multiple -U options not supported"); }
if (!mem_limit_given) { mem_limit = MEM_LIMIT_UNICORN; }
unicorn_mode = 1;
break;
case 'W': /* Wine+QEMU mode */
if (use_wine) FATAL("Multiple -W options not supported");
if (use_wine) { FATAL("Multiple -W options not supported"); }
qemu_mode = 1;
use_wine = 1;
if (!mem_limit_given) mem_limit = 0;
if (!mem_limit_given) { mem_limit = 0; }
break;
@ -928,11 +1030,14 @@ int main(int argc, char **argv, char **envp) {
return -1;
break;
default: usage(argv[0]);
default:
usage(argv[0]);
}
if (optind == argc || !in_file) usage(argv[0]);
}
if (optind == argc || !in_file) { usage(argv[0]); }
map_size = get_map_size();
@ -952,17 +1057,24 @@ int main(int argc, char **argv, char **envp) {
if (qemu_mode) {
if (use_wine)
if (use_wine) {
use_argv =
get_wine_argv(argv[0], &target_path, argc - optind, argv + optind);
else
} else {
use_argv =
get_qemu_argv(argv[0], &target_path, argc - optind, argv + optind);
} else
}
} else {
use_argv = argv + optind;
}
SAYF("\n");
read_initial_file();
@ -972,17 +1084,23 @@ int main(int argc, char **argv, char **envp) {
analyze_run_target(use_argv, in_data, in_len, 1);
if (child_timed_out)
if (child_timed_out) {
FATAL("Target binary times out (adjusting -t may help).");
if (get_afl_env("AFL_SKIP_BIN_CHECK") == NULL && !anything_set())
}
if (get_afl_env("AFL_SKIP_BIN_CHECK") == NULL && !anything_set()) {
FATAL("No instrumentation detected.");
}
analyze(use_argv);
OKF("We're done here. Have a nice day!\n");
if (target_path) ck_free(target_path);
if (target_path) { ck_free(target_path); }
afl_shm_deinit(&shm);

110
src/afl-as.c
View File

@ -126,9 +126,9 @@ static void edit_params(int argc, char **argv) {
is not set. We need to check these non-standard variables to properly
handle the pass_thru logic later on. */
if (!tmp_dir) tmp_dir = getenv("TEMP");
if (!tmp_dir) tmp_dir = getenv("TMP");
if (!tmp_dir) tmp_dir = "/tmp";
if (!tmp_dir) { tmp_dir = getenv("TEMP"); }
if (!tmp_dir) { tmp_dir = getenv("TMP"); }
if (!tmp_dir) { tmp_dir = "/tmp"; }
as_params = ck_alloc((argc + 32) * sizeof(u8 *));
@ -138,11 +138,16 @@ static void edit_params(int argc, char **argv) {
for (i = 1; i < argc - 1; i++) {
if (!strcmp(argv[i], "--64"))
if (!strcmp(argv[i], "--64")) {
use_64bit = 1;
else if (!strcmp(argv[i], "--32"))
} else if (!strcmp(argv[i], "--32")) {
use_64bit = 0;
}
#ifdef __APPLE__
/* The Apple case is a bit different... */
@ -195,11 +200,16 @@ static void edit_params(int argc, char **argv) {
}
if (input_file[1])
if (input_file[1]) {
FATAL("Incorrect use (not called through afl-gcc?)");
else
} else {
input_file = NULL;
}
} else {
/* Check if this looks like a standard invocation as a part of an attempt
@ -210,13 +220,18 @@ static void edit_params(int argc, char **argv) {
if (strncmp(input_file, tmp_dir, strlen(tmp_dir)) &&
strncmp(input_file, "/var/tmp/", 9) &&
strncmp(input_file, "/tmp/", 5) &&
getenv("AFL_AS_FORCE_INSTRUMENT") == NULL)
getenv("AFL_AS_FORCE_INSTRUMENT") == NULL) {
pass_thru = 1;
else if (getenv("AFL_AS_FORCE_INSTRUMENT"))
} else if (getenv("AFL_AS_FORCE_INSTRUMENT")) {
unsetenv("AFL_AS_FORCE_INSTRUMENT");
}
}
modified_file =
alloc_printf("%s/.afl-%u-%u.s", tmp_dir, getpid(), (u32)time(NULL));
@ -251,19 +266,21 @@ static void add_instrumentation(void) {
if (input_file) {
inf = fopen(input_file, "r");
if (!inf) PFATAL("Unable to read '%s'", input_file);
if (!inf) { PFATAL("Unable to read '%s'", input_file); }
} else
} else {
inf = stdin;
}
outfd = open(modified_file, O_WRONLY | O_EXCL | O_CREAT, 0600);
if (outfd < 0) PFATAL("Unable to write to '%s'", modified_file);
if (outfd < 0) { PFATAL("Unable to write to '%s'", modified_file); }
outf = fdopen(outfd, "w");
if (!outf) PFATAL("fdopen() failed");
if (!outf) { PFATAL("fdopen() failed"); }
while (fgets(line, MAX_LINE, inf)) {
@ -287,7 +304,7 @@ static void add_instrumentation(void) {
fputs(line, outf);
if (pass_thru) continue;
if (pass_thru) { continue; }
/* All right, this is where the actual fun begins. For one, we only want to
instrument the .text section. So, let's keep track of that in processed
@ -300,9 +317,12 @@ static void add_instrumentation(void) {
around them, so we use that as a signal. */
if (!clang_mode && instr_ok && !strncmp(line + 2, "p2align ", 8) &&
isdigit(line[10]) && line[11] == '\n')
isdigit(line[10]) && line[11] == '\n') {
skip_next_label = 1;
}
if (!strncmp(line + 2, "text\n", 5) ||
!strncmp(line + 2, "section\t.text", 13) ||
!strncmp(line + 2, "section\t__TEXT,__text", 21) ||
@ -330,23 +350,23 @@ static void add_instrumentation(void) {
if (strstr(line, ".code")) {
if (strstr(line, ".code32")) skip_csect = use_64bit;
if (strstr(line, ".code64")) skip_csect = !use_64bit;
if (strstr(line, ".code32")) { skip_csect = use_64bit; }
if (strstr(line, ".code64")) { skip_csect = !use_64bit; }
}
/* Detect syntax changes, as could happen with hand-written assembly.
Skip Intel blocks, resume instrumentation when back to AT&T. */
if (strstr(line, ".intel_syntax")) skip_intel = 1;
if (strstr(line, ".att_syntax")) skip_intel = 0;
if (strstr(line, ".intel_syntax")) { skip_intel = 1; }
if (strstr(line, ".att_syntax")) { skip_intel = 0; }
/* Detect and skip ad-hoc __asm__ blocks, likewise skipping them. */
if (line[0] == '#' || line[1] == '#') {
if (strstr(line, "#APP")) skip_app = 1;
if (strstr(line, "#NO_APP")) skip_app = 0;
if (strstr(line, "#APP")) { skip_app = 1; }
if (strstr(line, "#NO_APP")) { skip_app = 0; }
}
@ -375,9 +395,12 @@ static void add_instrumentation(void) {
*/
if (skip_intel || skip_app || skip_csect || !instr_ok || line[0] == '#' ||
line[0] == ' ')
line[0] == ' ') {
continue;
}
/* Conditional branch instruction (jnz, etc). We append the instrumentation
right after the branch (to instrument the not-taken path) and at the
branch destination label (handled later on). */
@ -449,13 +472,18 @@ static void add_instrumentation(void) {
.Lfunc_begin0-style exception handling calculations (a problem on
MacOS X). */
if (!skip_next_label)
if (!skip_next_label) {
instrument_next = 1;
else
} else {
skip_next_label = 0;
}
}
} else {
/* Function label (always instrumented, deferred mode). */
@ -468,17 +496,19 @@ static void add_instrumentation(void) {
}
if (ins_lines) fputs(use_64bit ? main_payload_64 : main_payload_32, outf);
if (ins_lines) { fputs(use_64bit ? main_payload_64 : main_payload_32, outf); }
if (input_file) fclose(inf);
if (input_file) { fclose(inf); }
fclose(outf);
if (!be_quiet) {
if (!ins_lines)
if (!ins_lines) {
WARNF("No instrumentation targets found%s.",
pass_thru ? " (pass-thru mode)" : "");
else {
} else {
char modeline[100];
snprintf(modeline, sizeof(modeline), "%s%s%s%s",
@ -514,10 +544,12 @@ int main(int argc, char **argv) {
SAYF(cCYA "afl-as" VERSION cRST " by Michal Zalewski\n");
} else
} else {
be_quiet = 1;
}
if (argc < 2 || (argc == 2 && strcmp(argv[1], "-h") == 0)) {
fprintf(
@ -565,14 +597,20 @@ int main(int argc, char **argv) {
if (inst_ratio_str) {
if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || inst_ratio > 100)
if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || inst_ratio > 100) {
FATAL("Bad value of AFL_INST_RATIO (must be between 0 and 100)");
}
if (getenv(AS_LOOP_ENV_VAR))
}
if (getenv(AS_LOOP_ENV_VAR)) {
FATAL("Endless loop when calling 'as' (remove '.' from your PATH)");
}
setenv(AS_LOOP_ENV_VAR, "1", 1);
/* When compiling with ASAN, we don't have a particularly elegant way to skip
@ -582,11 +620,11 @@ int main(int argc, char **argv) {
if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) {
sanitizer = 1;
if (!getenv("AFL_INST_RATIO")) inst_ratio /= 3;
if (!getenv("AFL_INST_RATIO")) { inst_ratio /= 3; }
}
if (!just_version) add_instrumentation();
if (!just_version) { add_instrumentation(); }
if (!(pid = fork())) {
@ -595,11 +633,11 @@ int main(int argc, char **argv) {
}
if (pid < 0) PFATAL("fork() failed");
if (pid < 0) { PFATAL("fork() failed"); }
if (waitpid(pid, &status, 0) <= 0) PFATAL("waitpid() failed");
if (waitpid(pid, &status, 0) <= 0) { PFATAL("waitpid() failed"); }
if (!getenv("AFL_KEEP_ASSEMBLY")) unlink(modified_file);
if (!getenv("AFL_KEEP_ASSEMBLY")) { unlink(modified_file); }
exit(WEXITSTATUS(status));

55
src/afl-common.c
View File

@ -101,7 +101,7 @@ void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) {
if (aa_loc) {
if (!prog_in) FATAL("@@ syntax is not supported by this tool.");
if (!prog_in) { FATAL("@@ syntax is not supported by this tool."); }
*use_stdin = 0;
@ -198,7 +198,7 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
cp = alloc_printf("%s/afl-qemu-trace", tmp);
if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp);
if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
*target_path_p = new_argv[0] = cp;
return new_argv;
@ -230,7 +230,7 @@ char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
if (cp) ck_free(cp);
if (cp) { ck_free(cp); }
*target_path_p = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace");
return new_argv;
@ -277,13 +277,13 @@ char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
cp = alloc_printf("%s/afl-qemu-trace", tmp);
if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp);
if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
ck_free(cp);
cp = alloc_printf("%s/afl-wine-trace", tmp);
if (access(cp, X_OK)) FATAL("Unable to find '%s'", tmp);
if (access(cp, X_OK)) { FATAL("Unable to find '%s'", tmp); }
*target_path_p = new_argv[0] = cp;
return new_argv;
@ -416,15 +416,22 @@ u8 *find_binary(u8 *fname) {
ck_free(cur_elem);
if (!stat(target_path, &st) && S_ISREG(st.st_mode) &&
(st.st_mode & 0111) && st.st_size >= 4)
(st.st_mode & 0111) && st.st_size >= 4) {
break;
}
ck_free(target_path);
target_path = NULL;
}
if (!target_path) FATAL("Program '%s' not found or not executable", fname);
if (!target_path) {
FATAL("Program '%s' not found or not executable", fname);
}
}
@ -434,7 +441,7 @@ u8 *find_binary(u8 *fname) {
void check_environment_vars(char **envp) {
if (be_quiet) return;
if (be_quiet) { return; }
int index = 0, found = 0;
char *env, *val;
@ -448,24 +455,30 @@ void check_environment_vars(char **envp) {
} else if (strncmp(env, "AFL_", 4) == 0) {
int i = 0, match = 0;
while (match == 0 && afl_environment_variables[i] != NULL)
while (match == 0 && afl_environment_variables[i] != NULL) {
if (strncmp(env, afl_environment_variables[i],
strlen(afl_environment_variables[i])) == 0 &&
env[strlen(afl_environment_variables[i])] == '=') {
match = 1;
if ((val = getenv(afl_environment_variables[i])) && !*val)
if ((val = getenv(afl_environment_variables[i])) && !*val) {
WARNF(
"AFL environment variable %s defined but is empty, this can "
"lead to unexpected consequences",
afl_environment_variables[i]);
}
} else {
i++;
}
}
if (match == 0) {
WARNF("Mistyped AFL environment variable: %s", env);
@ -477,7 +490,7 @@ void check_environment_vars(char **envp) {
}
if (found) sleep(2);
if (found) { sleep(2); }
}
@ -485,10 +498,16 @@ char *get_afl_env(char *env) {
char *val;
if ((val = getenv(env)) != NULL)
if (!be_quiet)
if ((val = getenv(env)) != NULL) {
if (!be_quiet) {
OKF("Loaded environment variable %s with value %s", env, val);
}
}
return val;
}
@ -499,7 +518,7 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) {
s32 fd = open(fname, O_RDONLY);
if (fd < 0) PFATAL("Unable to open '%s'", fname);
if (fd < 0) { PFATAL("Unable to open '%s'", fname); }
ck_read(fd, map, len, fname);
@ -906,9 +925,13 @@ u32 get_map_size() {
if ((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE"))) {
map_size = atoi(ptr);
if (map_size < 8 || map_size > (1 << 29))
if (map_size < 8 || map_size > (1 << 29)) {
FATAL("illegal AFL_MAP_SIZE %u, must be between 2^3 and 2^30", map_size);
if (map_size % 8) map_size = (((map_size >> 3) + 1) << 3);
}
if (map_size % 8) { map_size = (((map_size >> 3) + 1) << 3); }
}

120
src/afl-forkserver.c
View File

@ -128,12 +128,16 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) {
unsigned char tmp[4] = {0, 0, 0, 0};
pid_t child_pid = -1;
if (!be_quiet) ACTF("Using Fauxserver:");
if (!be_quiet) { ACTF("Using Fauxserver:"); }
/* Phone home and tell the parent that we're OK. If parent isn't there,
assume we're not running in forkserver mode and just execute program. */
if (write(FORKSRV_FD + 1, tmp, 4) != 4) abort(); // TODO: Abort?
if (write(FORKSRV_FD + 1, tmp, 4) != 4) {
abort(); // TODO: Abort?
}
void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL);
@ -144,13 +148,13 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) {
/* Wait for parent by reading from the pipe. Exit if read fails. */
if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(0);
if (read(FORKSRV_FD, &was_killed, 4) != 4) { exit(0); }
/* Create a clone of our process. */
child_pid = fork();
if (child_pid < 0) PFATAL("Fork failed");
if (child_pid < 0) { PFATAL("Fork failed"); }
/* In child process: close fds, resume execution. */
@ -177,7 +181,7 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) {
/* In parent process: write PID to AFL. */
if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(0);
if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) { exit(0); }
/* after child exited, get and relay exit status to parent through waitpid.
*/
@ -191,7 +195,7 @@ static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) {
/* Relay wait status to AFL pipe, then loop back. */
if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(0);
if (write(FORKSRV_FD + 1, &status, 4) != 4) { exit(0); }
}
@ -212,25 +216,28 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
int status;
s32 rlen;
if (!be_quiet) ACTF("Spinning up the fork server...");
if (!be_quiet) { ACTF("Spinning up the fork server..."); }
if (fsrv->use_fauxsrv) {
/* TODO: Come up with sone nice way to initalize this all */
if (fsrv->init_child_func != fsrv_exec_child)
if (fsrv->init_child_func != fsrv_exec_child) {
FATAL("Different forkserver not compatible with fauxserver");
}
fsrv->init_child_func = afl_fauxsrv_execv;
}
if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed");
if (pipe(st_pipe) || pipe(ctl_pipe)) { PFATAL("pipe() failed"); }
fsrv->last_run_timed_out = 0;
fsrv->fsrv_pid = fork();
if (fsrv->fsrv_pid < 0) PFATAL("fork() failed");
if (fsrv->fsrv_pid < 0) { PFATAL("fork() failed"); }
if (!fsrv->fsrv_pid) {
@ -295,8 +302,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
/* Set up control and status pipes, close the unneeded original fds. */
if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed");
if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed");
if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) { PFATAL("dup2() failed"); }
if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) { PFATAL("dup2() failed"); }
close(ctl_pipe[0]);
close(ctl_pipe[1]);
@ -308,12 +315,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
#ifndef HAVE_ARC4RANDOM
close(fsrv->dev_urandom_fd);
#endif
if (fsrv->plot_file != NULL) fclose(fsrv->plot_file);
if (fsrv->plot_file != NULL) { fclose(fsrv->plot_file); }
/* This should improve performance a bit, since it stops the linker from
doing extra work post-fork(). */
if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0);
if (!getenv("LD_BIND_LAZY")) { setenv("LD_BIND_NOW", "1", 0); }
/* Set sane defaults for ASAN if nothing else specified. */
@ -391,17 +398,20 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if (rlen == 4) {
if (!be_quiet) OKF("All right - fork server is up.");
if (!be_quiet) { OKF("All right - fork server is up."); }
if ((status & FS_OPT_ENABLED) == FS_OPT_ENABLED) {
if (!be_quiet && getenv("AFL_DEBUG"))
if (!be_quiet && getenv("AFL_DEBUG")) {
ACTF("Extended forkserver functions received (%08x).", status);
}
if ((status & FS_OPT_SNAPSHOT) == FS_OPT_SNAPSHOT) {
fsrv->snapshot = 1;
if (!be_quiet) ACTF("Using SNAPSHOT feature.");
if (!be_quiet) { ACTF("Using SNAPSHOT feature."); }
}
@ -409,7 +419,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
u32 tmp_map_size = FS_OPT_GET_MAPSIZE(status);
if (!fsrv->map_size) fsrv->map_size = MAP_SIZE;
if (!fsrv->map_size) { fsrv->map_size = MAP_SIZE; }
if (unlikely(tmp_map_size % 8)) {
@ -419,13 +429,17 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
}
if (!be_quiet) ACTF("Target map size: %u", tmp_map_size);
if (tmp_map_size > fsrv->map_size)
if (!be_quiet) { ACTF("Target map size: %u", tmp_map_size); }
if (tmp_map_size > fsrv->map_size) {
FATAL(
"Target's coverage map size of %u is larger than the one this "
"afl++ is set with (%u) (change MAP_SIZE_POW2 in config.h and "
"recompile or set AFL_MAP_SIZE)\n",
tmp_map_size, fsrv->map_size);
}
fsrv->map_size = tmp_map_size;
}
@ -436,27 +450,44 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
// this is not afl-fuzz - we deny and return
status = (0xffffffff ^ (FS_OPT_ENABLED | FS_OPT_AUTODICT));
if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4)
if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) {
FATAL("Writing to forkserver failed.");
}
return;
}
if (!be_quiet) ACTF("Using AUTODICT feature.");
if (!be_quiet) { ACTF("Using AUTODICT feature."); }
status = (FS_OPT_ENABLED | FS_OPT_AUTODICT);
if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4)
if (write(fsrv->fsrv_ctl_fd, &status, 4) != 4) {
FATAL("Writing to forkserver failed.");
if (read(fsrv->fsrv_st_fd, &status, 4) != 4)
}
if (read(fsrv->fsrv_st_fd, &status, 4) != 4) {
FATAL("Reading from forkserver failed.");
if (status < 2 || (u32)status > 0xffffff)
}
if (status < 2 || (u32)status > 0xffffff) {
FATAL("Dictionary has an illegal size: %d", status);
}
u32 len = status, offset = 0, count = 0;
u8 *dict = ck_alloc(len);
if (dict == NULL)
if (dict == NULL) {
FATAL("Could not allocate %u bytes of autodictionary memory", len);
}
while (len != 0) {
rlen = read(fsrv->fsrv_st_fd, dict + offset, len);
@ -486,7 +517,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
}
if (!be_quiet) ACTF("Loaded %u autodictionary entries", count);
if (!be_quiet) { ACTF("Loaded %u autodictionary entries", count); }
ck_free(dict);
}
@ -497,10 +528,13 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
}
if (fsrv->last_run_timed_out)
if (fsrv->last_run_timed_out) {
FATAL("Timeout while initializing fork server (adjusting -t may help)");
if (waitpid(fsrv->fsrv_pid, &status, 0) <= 0) PFATAL("waitpid() failed");
}
if (waitpid(fsrv->fsrv_pid, &status, 0) <= 0) { PFATAL("waitpid() failed"); }
if (WIFSIGNALED(status)) {
@ -580,9 +614,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
}
if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) {
FATAL("Unable to execute target application ('%s')", argv[0]);
}
if (fsrv->mem_limit && fsrv->mem_limit < 500 && fsrv->uses_asan) {
SAYF("\n" cLRD "[-] " cRST
@ -651,7 +688,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
static void afl_fsrv_kill(afl_forkserver_t *fsrv) {
if (fsrv->child_pid > 0) kill(fsrv->child_pid, SIGKILL);
if (fsrv->child_pid > 0) { kill(fsrv->child_pid, SIGKILL); }
if (fsrv->fsrv_pid > 0) {
kill(fsrv->fsrv_pid, SIGKILL);
@ -680,7 +717,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
}
if (fd < 0) PFATAL("Unable to create '%s'", fsrv->out_file);
if (fd < 0) { PFATAL("Unable to create '%s'", fsrv->out_file); }
} else {
@ -692,7 +729,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
if (!fsrv->out_file) {
if (ftruncate(fd, len)) PFATAL("ftruncate() failed");
if (ftruncate(fd, len)) { PFATAL("ftruncate() failed"); }
lseek(fd, 0, SEEK_SET);
} else {
@ -727,7 +764,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
if ((res = write(fsrv->fsrv_ctl_fd, &fsrv->last_run_timed_out, 4)) != 4) {
if (*stop_soon_p) return 0;
if (*stop_soon_p) { return 0; }
RPFATAL(res, "Unable to request new process from fork server (OOM?)");
}
@ -736,12 +773,12 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
if ((res = read(fsrv->fsrv_st_fd, &fsrv->child_pid, 4)) != 4) {
if (*stop_soon_p) return 0;
if (*stop_soon_p) { return 0; }
RPFATAL(res, "Unable to request new process from fork server (OOM?)");
}
if (fsrv->child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)");
if (fsrv->child_pid <= 0) { FATAL("Fork server is misbehaving (OOM?)"); }
exec_ms = read_timed(fsrv->fsrv_st_fd, &status, 4, timeout, stop_soon_p);
@ -752,13 +789,13 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
kill(fsrv->child_pid, SIGKILL);
fsrv->last_run_timed_out = 1;
if (read(fsrv->fsrv_st_fd, &status, 4) < 4) exec_ms = 0;
if (read(fsrv->fsrv_st_fd, &status, 4) < 4) { exec_ms = 0; }
}
if (!exec_ms) {
if (*stop_soon_p) return 0;
if (*stop_soon_p) { return 0; }
SAYF("\n" cLRD "[-] " cRST
"Unable to communicate with fork server. Some possible reasons:\n\n"
" - You've run out of memory. Use -m to increase the the memory "
@ -784,7 +821,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
}
if (!WIFSTOPPED(status)) fsrv->child_pid = 0;
if (!WIFSTOPPED(status)) { fsrv->child_pid = 0; }
fsrv->total_execs++;
@ -800,9 +837,12 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
fsrv->last_kill_signal = WTERMSIG(status);
if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL)
if (fsrv->last_run_timed_out && fsrv->last_kill_signal == SIGKILL) {
return FSRV_RUN_TMOUT;
}
return FSRV_RUN_CRASH;
}

109
src/afl-fuzz-bitmap.c
View File

@ -35,13 +35,13 @@ void write_bitmap(afl_state_t *afl) {
u8 fname[PATH_MAX];
s32 fd;
if (!afl->bitmap_changed) return;
if (!afl->bitmap_changed) { return; }
afl->bitmap_changed = 0;
snprintf(fname, PATH_MAX, "%s/fuzz_bitmap", afl->out_dir);
fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (fd < 0) PFATAL("Unable to open '%s'", fname);
if (fd < 0) { PFATAL("Unable to open '%s'", fname); }
ck_write(fd, afl->virgin_bits, afl->fsrv.map_size, fname);
@ -102,11 +102,16 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
(cur[1] && vir[1] == 0xff) || (cur[2] && vir[2] == 0xff) ||
(cur[3] && vir[3] == 0xff) || (cur[4] && vir[4] == 0xff) ||
(cur[5] && vir[5] == 0xff) || (cur[6] && vir[6] == 0xff) ||
(cur[7] && vir[7] == 0xff))
(cur[7] && vir[7] == 0xff)) {
ret = 2;
else
} else {
ret = 1;
}
#else
if (*virgin == 0xffffffff || (cur[0] && vir[0] == 0xff) ||
@ -129,9 +134,12 @@ u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
}
if (unlikely(ret) && likely(virgin_map == afl->virgin_bits))
if (unlikely(ret) && likely(virgin_map == afl->virgin_bits)) {
afl->bitmap_changed = 1;
}
return ret;
}
@ -183,11 +191,11 @@ u32 count_bytes(afl_state_t *afl, u8 *mem) {
u32 v = *(ptr++);
if (!v) continue;
if (v & 0x000000ff) ++ret;
if (v & 0x0000ff00) ++ret;
if (v & 0x00ff0000) ++ret;
if (v & 0xff000000) ++ret;
if (!v) { continue; }
if (v & 0x000000ff) { ++ret; }
if (v & 0x0000ff00) { ++ret; }
if (v & 0x00ff0000) { ++ret; }
if (v & 0xff000000) { ++ret; }
}
@ -211,11 +219,11 @@ u32 count_non_255_bytes(afl_state_t *afl, u8 *mem) {
/* This is called on the virgin bitmap, so optimize for the most likely
case. */
if (v == 0xffffffff) continue;
if ((v & 0x000000ff) != 0x000000ff) ++ret;
if ((v & 0x0000ff00) != 0x0000ff00) ++ret;
if ((v & 0x00ff0000) != 0x00ff0000) ++ret;
if ((v & 0xff000000) != 0xff000000) ++ret;
if (v == 0xffffffff) { continue; }
if ((v & 0x000000ff) != 0x000000ff) { ++ret; }
if ((v & 0x0000ff00) != 0x0000ff00) { ++ret; }
if ((v & 0x00ff0000) != 0x00ff0000) { ++ret; }
if ((v & 0xff000000) != 0xff000000) { ++ret; }
}
@ -257,10 +265,12 @@ void simplify_trace(afl_state_t *afl, u64 *mem) {
mem8[6] = simplify_lookup[mem8[6]];
mem8[7] = simplify_lookup[mem8[7]];
} else
} else {
*mem = 0x0101010101010101ULL;
}
++mem;
}
@ -322,11 +332,17 @@ void init_count_class16(void) {
u32 b1, b2;
for (b1 = 0; b1 < 256; b1++)
for (b2 = 0; b2 < 256; b2++)
for (b1 = 0; b1 < 256; b1++) {
for (b2 = 0; b2 < 256; b2++) {
count_class_lookup16[(b1 << 8) + b2] =
(count_class_lookup8[b1] << 8) | count_class_lookup8[b2];
}
}
}
#ifdef WORD_SIZE_64
@ -397,7 +413,7 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) {
while (i < afl->fsrv.map_size) {
if (*(src++)) dst[i >> 3] |= 1 << (i & 7);
if (*(src++)) { dst[i >> 3] |= 1 << (i & 7); }
++i;
}
@ -423,27 +439,35 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) {
sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - afl->start_time);
if (afl->splicing_with >= 0)
if (afl->splicing_with >= 0) {
sprintf(ret + strlen(ret), "+%06d", afl->splicing_with);
}
sprintf(ret + strlen(ret), ",op:%s", afl->stage_short);
if (afl->stage_cur_byte >= 0) {
sprintf(ret + strlen(ret), ",pos:%d", afl->stage_cur_byte);
if (afl->stage_val_type != STAGE_VAL_NONE)
if (afl->stage_val_type != STAGE_VAL_NONE) {
sprintf(ret + strlen(ret), ",val:%s%+d",
(afl->stage_val_type == STAGE_VAL_BE) ? "be:" : "",
afl->stage_cur_val);
} else
}
} else {
sprintf(ret + strlen(ret), ",rep:%d", afl->stage_cur_val);
}
if (hnb == 2) strcat(ret, ",+cov");
}
if (hnb == 2) { strcat(ret, ",+cov"); }
return ret;
@ -467,7 +491,7 @@ static void write_crash_readme(afl_state_t *afl) {
/* Do not die on errors here - that would be impolite. */
if (unlikely(fd < 0)) return;
if (unlikely(fd < 0)) { return; }
f = fdopen(fd, "w");
@ -512,7 +536,7 @@ static void write_crash_readme(afl_state_t *afl) {
u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (unlikely(len == 0)) return 0;
if (unlikely(len == 0)) { return 0; }
u8 *queue_fn = "";
u8 hnb = '\0';
@ -545,7 +569,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (!(hnb = has_new_bits(afl, afl->virgin_bits))) {
if (unlikely(afl->crash_mode)) ++afl->total_crashes;
if (unlikely(afl->crash_mode)) { ++afl->total_crashes; }
return 0;
}
@ -578,11 +602,14 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
res = calibrate_case(afl, afl->queue_top, mem, afl->queue_cycle - 1, 0);
if (unlikely(res == FSRV_RUN_ERROR))
if (unlikely(res == FSRV_RUN_ERROR)) {
FATAL("Unable to execute target application");
}
fd = open(queue_fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", queue_fn);
if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", queue_fn); }
ck_write(fd, mem, len, queue_fn);
close(fd);
@ -601,7 +628,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
++afl->total_tmouts;
if (afl->unique_hangs >= KEEP_UNIQUE_HANG) return keeping;
if (afl->unique_hangs >= KEEP_UNIQUE_HANG) { return keeping; }
if (likely(!afl->dumb_mode)) {
@ -611,7 +638,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
simplify_trace(afl, (u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */
if (!has_new_bits(afl, afl->virgin_tmout)) return keeping;
if (!has_new_bits(afl, afl->virgin_tmout)) { return keeping; }
}
@ -631,9 +658,13 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
timeout actually uncovers a crash. Make sure we don't discard it if
so. */
if (!afl->stop_soon && new_fault == FSRV_RUN_CRASH) goto keep_as_crash;
if (!afl->stop_soon && new_fault == FSRV_RUN_CRASH) {
if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) return keeping;
goto keep_as_crash;
}
if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; }
}
@ -665,7 +696,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
++afl->total_crashes;
if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) return keeping;
if (afl->unique_crashes >= KEEP_UNIQUE_CRASH) { return keeping; }
if (likely(!afl->dumb_mode)) {
@ -675,11 +706,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
simplify_trace(afl, (u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */
if (!has_new_bits(afl, afl->virgin_crash)) return keeping;
if (!has_new_bits(afl, afl->virgin_crash)) { return keeping; }
}
if (unlikely(!afl->unique_crashes)) write_crash_readme(afl);
if (unlikely(!afl->unique_crashes)) { write_crash_readme(afl); }
#ifndef SIMPLE_FILES
@ -715,9 +746,11 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
break;
case FSRV_RUN_ERROR: FATAL("Unable to execute target application");
case FSRV_RUN_ERROR:
FATAL("Unable to execute target application");
default: return keeping;
default:
return keeping;
}
@ -725,7 +758,7 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
test case, too. */
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (unlikely(fd < 0)) PFATAL("Unable to create '%s'", fn);
if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", fn); }
ck_write(fd, mem, len, fn);
close(fd);

13
src/afl-fuzz-cmplog.c
View File

@ -37,9 +37,12 @@ void cmplog_exec_child(afl_forkserver_t *fsrv, char **argv) {
setenv("___AFL_EINS_ZWEI_POLIZEI___", "1", 1);
if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary)
if (!fsrv->qemu_mode && argv[0] != fsrv->cmplog_binary) {
argv[0] = fsrv->cmplog_binary;
}
execv(argv[0], argv);
}
@ -54,7 +57,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
size_t post_len =
afl->post_handler(afl->post_data, out_buf, len, &post_buf);
if (!post_buf || !post_len) return 0;
if (!post_buf || !post_len) { return 0; }
out_buf = post_buf;
len = post_len;
@ -64,7 +67,7 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
fault = fuzz_run_target(afl, &afl->cmplog_fsrv, afl->fsrv.exec_tmout);
if (afl->stop_soon) return 1;
if (afl->stop_soon) { return 1; }
if (fault == FSRV_RUN_TMOUT) {
@ -75,10 +78,12 @@ u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
}
} else
} else {
afl->subseq_tmouts = 0;
}
/* Users can hit us with SIGUSR1 to request the current input
to be abandoned. */

180
src/afl-fuzz-extras.c
View File

@ -59,7 +59,7 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
f = fopen(fname, "r");
if (!f) PFATAL("Unable to open '%s'", fname);
if (!f) { PFATAL("Unable to open '%s'", fname); }
while ((lptr = fgets(buf, MAX_LINE, f))) {
@ -70,57 +70,79 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
/* Trim on left and right. */
while (isspace(*lptr))
while (isspace(*lptr)) {
++lptr;
}
rptr = lptr + strlen(lptr) - 1;
while (rptr >= lptr && isspace(*rptr))
while (rptr >= lptr && isspace(*rptr)) {
--rptr;
}
++rptr;
*rptr = 0;
/* Skip empty lines and comments. */
if (!*lptr || *lptr == '#') continue;
if (!*lptr || *lptr == '#') { continue; }
/* All other lines must end with '"', which we can consume. */
--rptr;
if (rptr < lptr || *rptr != '"')
if (rptr < lptr || *rptr != '"') {
FATAL("Malformed name=\"value\" pair in line %u.", cur_line);
}
*rptr = 0;
/* Skip alphanumerics and dashes (label). */
while (isalnum(*lptr) || *lptr == '_')
while (isalnum(*lptr) || *lptr == '_') {
++lptr;
}
/* If @number follows, parse that. */
if (*lptr == '@') {
++lptr;
if (atoi(lptr) > dict_level) continue;
while (isdigit(*lptr))
if (atoi(lptr) > dict_level) { continue; }
while (isdigit(*lptr)) {
++lptr;
}
}
/* Skip whitespace and = signs. */
while (isspace(*lptr) || *lptr == '=')
while (isspace(*lptr) || *lptr == '=') {
++lptr;
}
/* Consume opening '"'. */
if (*lptr != '"')
if (*lptr != '"') {
FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line);
}
++lptr;
if (!*lptr) FATAL("Empty keyword in line %u.", cur_line);
if (!*lptr) { FATAL("Empty keyword in line %u.", cur_line); }
/* Okay, let's allocate memory and copy data between "...", handling
\xNN escaping, \\, and \". */
@ -130,7 +152,7 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
wptr = afl->extras[afl->extras_cnt].data = ck_alloc(rptr - lptr);
if (!wptr) PFATAL("no mem for data");
if (!wptr) { PFATAL("no mem for data"); }
while (*lptr) {
@ -154,9 +176,12 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
}
if (*lptr != 'x' || !isxdigit(lptr[1]) || !isxdigit(lptr[2]))
if (*lptr != 'x' || !isxdigit(lptr[1]) || !isxdigit(lptr[2])) {
FATAL("Invalid escaping (not \\xNN) in line %u.", cur_line);
}
*(wptr++) = ((strchr(hexdigits, tolower(lptr[1])) - hexdigits) << 4) |
(strchr(hexdigits, tolower(lptr[2])) - hexdigits);
@ -165,7 +190,9 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
break;
default: *(wptr++) = *(lptr++); ++klen;
default:
*(wptr++) = *(lptr++);
++klen;
}
@ -173,14 +200,17 @@ void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
afl->extras[afl->extras_cnt].len = klen;
if (afl->extras[afl->extras_cnt].len > MAX_DICT_FILE)
if (afl->extras[afl->extras_cnt].len > MAX_DICT_FILE) {
FATAL(
"Keyword too big in line %u (%s, limit is %s)", cur_line,
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), klen),
stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), MAX_DICT_FILE));
if (*min_len > klen) *min_len = klen;
if (*max_len < klen) *max_len = klen;
}
if (*min_len > klen) { *min_len = klen; }
if (*max_len < klen) { *max_len = klen; }
++afl->extras_cnt;
@ -227,7 +257,7 @@ void load_extras(afl_state_t *afl, u8 *dir) {
}
if (x) FATAL("Dictionary levels not supported for directories.");
if (x) { FATAL("Dictionary levels not supported for directories."); }
while ((de = readdir(d))) {
@ -235,7 +265,11 @@ void load_extras(afl_state_t *afl, u8 *dir) {
u8 * fn = alloc_printf("%s/%s", dir, de->d_name);
s32 fd;
if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn);
if (lstat(fn, &st) || access(fn, R_OK)) {
PFATAL("Unable to access '%s'", fn);
}
/* This also takes care of . and .. */
if (!S_ISREG(st.st_mode) || !st.st_size) {
@ -245,14 +279,17 @@ void load_extras(afl_state_t *afl, u8 *dir) {
}
if (st.st_size > MAX_DICT_FILE)
if (st.st_size > MAX_DICT_FILE) {
FATAL(
"Extra '%s' is too big (%s, limit is %s)", fn,
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), st.st_size),
stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), MAX_DICT_FILE));
if (min_len > st.st_size) min_len = st.st_size;
if (max_len < st.st_size) max_len = st.st_size;
}
if (min_len > st.st_size) { min_len = st.st_size; }
if (max_len < st.st_size) { max_len = st.st_size; }
afl->extras = ck_realloc_block(
afl->extras, (afl->extras_cnt + 1) * sizeof(struct extra_data));
@ -262,7 +299,7 @@ void load_extras(afl_state_t *afl, u8 *dir) {
fd = open(fn, O_RDONLY);
if (fd < 0) PFATAL("Unable to open '%s'", fn);
if (fd < 0) { PFATAL("Unable to open '%s'", fn); }
ck_read(fd, afl->extras[afl->extras_cnt].data, st.st_size, fn);
@ -277,7 +314,7 @@ void load_extras(afl_state_t *afl, u8 *dir) {
check_and_sort:
if (!afl->extras_cnt) FATAL("No usable files in '%s'", dir);
if (!afl->extras_cnt) { FATAL("No usable files in '%s'", dir); }
qsort(afl->extras, afl->extras_cnt, sizeof(struct extra_data),
compare_extras_len);
@ -286,22 +323,32 @@ check_and_sort:
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), min_len),
stringify_mem_size(val_bufs[1], sizeof(val_bufs[1]), max_len));
if (max_len > 32)
if (max_len > 32) {
WARNF("Some tokens are relatively large (%s) - consider trimming.",
stringify_mem_size(val_bufs[0], sizeof(val_bufs[0]), max_len));
if (afl->extras_cnt > MAX_DET_EXTRAS)
}
if (afl->extras_cnt > MAX_DET_EXTRAS) {
WARNF("More than %d tokens - will use them probabilistically.",
MAX_DET_EXTRAS);
}
}
/* Helper function for maybe_add_auto(afl, ) */
static inline u8 memcmp_nocase(u8 *m1, u8 *m2, u32 len) {
while (len--)
if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1;
while (len--) {
if (tolower(*(m1++)) ^ tolower(*(m2++))) { return 1; }
}
return 0;
}
@ -318,14 +365,17 @@ void maybe_add_auto(void *afl_tmp, u8 *mem, u32 len) {
/* Allow users to specify that they don't want auto dictionaries. */
if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return;
if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) { return; }
/* Skip runs of identical bytes. */
for (i = 1; i < len; ++i)
if (mem[0] ^ mem[i]) break;
for (i = 1; i < len; ++i) {
if (i == len) return;
if (mem[0] ^ mem[i]) { break; }
}
if (i == len) { return; }
/* Reject builtin interesting values. */
@ -333,33 +383,51 @@ void maybe_add_auto(void *afl_tmp, u8 *mem, u32 len) {
i = sizeof(interesting_16) >> 1;
while (i--)
while (i--) {
if (*((u16 *)mem) == interesting_16[i] ||
*((u16 *)mem) == SWAP16(interesting_16[i]))
*((u16 *)mem) == SWAP16(interesting_16[i])) {
return;
}
}
}
if (len == 4) {
i = sizeof(interesting_32) >> 2;
while (i--)
while (i--) {
if (*((u32 *)mem) == interesting_32[i] ||
*((u32 *)mem) == SWAP32(interesting_32[i]))
*((u32 *)mem) == SWAP32(interesting_32[i])) {
return;
}
}
}
/* Reject anything that matches existing extras. Do a case-insensitive
match. We optimize by exploiting the fact that extras[] are sorted
by size. */
for (i = 0; i < afl->extras_cnt; ++i)
if (afl->extras[i].len >= len) break;
for (i = 0; i < afl->extras_cnt; ++i) {
for (; i < afl->extras_cnt && afl->extras[i].len == len; ++i)
if (!memcmp_nocase(afl->extras[i].data, mem, len)) return;
if (afl->extras[i].len >= len) { break; }
}
for (; i < afl->extras_cnt && afl->extras[i].len == len; ++i) {
if (!memcmp_nocase(afl->extras[i].data, mem, len)) { return; }
}
/* Last but not least, check afl->a_extras[] for matches. There are no
guarantees of a particular sort order. */
@ -423,7 +491,7 @@ void save_auto(afl_state_t *afl) {
u32 i;
if (!afl->auto_changed) return;
if (!afl->auto_changed) { return; }
afl->auto_changed = 0;
for (i = 0; i < MIN(USE_AUTO_EXTRAS, afl->a_extras_cnt); ++i) {
@ -434,7 +502,7 @@ void save_auto(afl_state_t *afl) {
fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", fn);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
ck_write(fd, afl->a_extras[i].data, afl->a_extras[i].len, fn);
@ -461,7 +529,7 @@ void load_auto(afl_state_t *afl) {
if (fd < 0) {
if (errno != ENOENT) PFATAL("Unable to open '%s'", fn);
if (errno != ENOENT) { PFATAL("Unable to open '%s'", fn); }
ck_free(fn);
break;
@ -472,21 +540,29 @@ void load_auto(afl_state_t *afl) {
len = read(fd, tmp, MAX_AUTO_EXTRA + 1);
if (len < 0) PFATAL("Unable to read from '%s'", fn);
if (len < 0) { PFATAL("Unable to read from '%s'", fn); }
if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA) {
if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA)
maybe_add_auto((u8 *)afl, tmp, len);
}
close(fd);
ck_free(fn);
}
if (i)
if (i) {
OKF("Loaded %u auto-discovered dictionary tokens.", i);
else
} else {
OKF("No auto-generated dictionary tokens to reuse.");
}
}
/* Destroy extras. */
@ -495,14 +571,20 @@ void destroy_extras(afl_state_t *afl) {
u32 i;
for (i = 0; i < afl->extras_cnt; ++i)
for (i = 0; i < afl->extras_cnt; ++i) {
ck_free(afl->extras[i].data);
}
ck_free(afl->extras);
for (i = 0; i < afl->a_extras_cnt; ++i)
for (i = 0; i < afl->a_extras_cnt; ++i) {
ck_free(afl->a_extras[i].data);
}
ck_free(afl->a_extras);
}

442
src/afl-fuzz-init.c
View File

File diff suppressed because it is too large Load Diff

119
src/afl-fuzz-mutators.c
View File

@ -35,12 +35,15 @@ void setup_custom_mutator(afl_state_t *afl) {
if (fn) {
if (afl->limit_time_sig)
if (afl->limit_time_sig) {
FATAL(
"MOpt and custom mutator are mutually exclusive. We accept pull "
"requests that integrates MOpt with the optional mutators "
"(custom/radamsa/redquenn/...).");
}
load_custom_mutator(afl, fn);
return;
@ -53,12 +56,15 @@ void setup_custom_mutator(afl_state_t *afl) {
if (module_name) {
if (afl->limit_time_sig)
if (afl->limit_time_sig) {
FATAL(
"MOpt and Python mutator are mutually exclusive. We accept pull "
"requests that integrates MOpt with the optional mutators "
"(custom/radamsa/redqueen/...).");
}
load_custom_mutator_py(afl, module_name);
}
@ -76,7 +82,7 @@ void destroy_custom_mutator(afl_state_t *afl) {
afl->mutator->afl_custom_deinit(afl->mutator->data);
if (afl->mutator->dh) dlclose(afl->mutator->dh);
if (afl->mutator->dh) { dlclose(afl->mutator->dh); }
if (afl->mutator->pre_save_buf) {
@ -104,20 +110,26 @@ void load_custom_mutator(afl_state_t *afl, const char *fn) {
ACTF("Loading custom mutator library from '%s'...", fn);
dh = dlopen(fn, RTLD_NOW);
if (!dh) FATAL("%s", dlerror());
if (!dh) { FATAL("%s", dlerror()); }
afl->mutator->dh = dh;
/* Mutator */
/* "afl_custom_init", required */
afl->mutator->afl_custom_init = dlsym(dh, "afl_custom_init");
if (!afl->mutator->afl_custom_init)
if (!afl->mutator->afl_custom_init) {
FATAL("Symbol 'afl_custom_init' not found.");
}
/* "afl_custom_deinit", required */
afl->mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit");
if (!afl->mutator->afl_custom_deinit)
if (!afl->mutator->afl_custom_deinit) {
FATAL("Symbol 'afl_custom_deinit' not found.");
}
/* "afl_custom_fuzz" or "afl_custom_mutator", required */
afl->mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_fuzz");
if (!afl->mutator->afl_custom_fuzz) {
@ -126,32 +138,47 @@ void load_custom_mutator(afl_state_t *afl, const char *fn) {
WARNF("Symbol 'afl_custom_fuzz' not found. Try 'afl_custom_mutator'.");
afl->mutator->afl_custom_fuzz = dlsym(dh, "afl_custom_mutator");
if (!afl->mutator->afl_custom_fuzz)
if (!afl->mutator->afl_custom_fuzz) {
FATAL("Symbol 'afl_custom_mutator' not found.");
}
}
/* "afl_custom_pre_save", optional */
afl->mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save");
if (!afl->mutator->afl_custom_pre_save)
if (!afl->mutator->afl_custom_pre_save) {
WARNF("Symbol 'afl_custom_pre_save' not found.");
}
u8 notrim = 0;
/* "afl_custom_init_trim", optional */
afl->mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim");
if (!afl->mutator->afl_custom_init_trim)
if (!afl->mutator->afl_custom_init_trim) {
WARNF("Symbol 'afl_custom_init_trim' not found.");
}
/* "afl_custom_trim", optional */
afl->mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim");
if (!afl->mutator->afl_custom_trim)
if (!afl->mutator->afl_custom_trim) {
WARNF("Symbol 'afl_custom_trim' not found.");
}
/* "afl_custom_post_trim", optional */
afl->mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim");
if (!afl->mutator->afl_custom_post_trim)
if (!afl->mutator->afl_custom_post_trim) {
WARNF("Symbol 'afl_custom_post_trim' not found.");
}
if (notrim) {
afl->mutator->afl_custom_init_trim = NULL;
@ -166,33 +193,48 @@ void load_custom_mutator(afl_state_t *afl, const char *fn) {
/* "afl_custom_havoc_mutation", optional */
afl->mutator->afl_custom_havoc_mutation =
dlsym(dh, "afl_custom_havoc_mutation");
if (!afl->mutator->afl_custom_havoc_mutation)
if (!afl->mutator->afl_custom_havoc_mutation) {
WARNF("Symbol 'afl_custom_havoc_mutation' not found.");
}
/* "afl_custom_havoc_mutation", optional */
afl->mutator->afl_custom_havoc_mutation_probability =
dlsym(dh, "afl_custom_havoc_mutation_probability");
if (!afl->mutator->afl_custom_havoc_mutation_probability)
if (!afl->mutator->afl_custom_havoc_mutation_probability) {
WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found.");
}
/* "afl_custom_queue_get", optional */
afl->mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get");
if (!afl->mutator->afl_custom_queue_get)
if (!afl->mutator->afl_custom_queue_get) {
WARNF("Symbol 'afl_custom_queue_get' not found.");
}
/* "afl_custom_queue_new_entry", optional */
afl->mutator->afl_custom_queue_new_entry =
dlsym(dh, "afl_custom_queue_new_entry");
if (!afl->mutator->afl_custom_queue_new_entry)
if (!afl->mutator->afl_custom_queue_new_entry) {
WARNF("Symbol 'afl_custom_queue_new_entry' not found");
}
OKF("Custom mutator '%s' installed successfully.", fn);
/* Initialize the custom mutator */
if (afl->mutator->afl_custom_init)
if (afl->mutator->afl_custom_init) {
afl->mutator->data =
afl->mutator->afl_custom_init(afl, rand_below(afl, 0xFFFFFFFF));
}
}
u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
@ -210,12 +252,19 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
afl->stage_cur = 0;
afl->stage_max =
afl->mutator->afl_custom_init_trim(afl->mutator->data, in_buf, q->len);
if (unlikely(afl->stage_max) < 0)
if (unlikely(afl->stage_max) < 0) {
FATAL("custom_init_trim error ret: %d", afl->stage_max);
if (afl->not_on_tty && afl->debug)
}
if (afl->not_on_tty && afl->debug) {
SAYF("[Custom Trimming] START: Max %d iterations, %u bytes", afl->stage_max,
q->len);
}
while (afl->stage_cur < afl->stage_max) {
u8 *retbuf = NULL;
@ -227,13 +276,18 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
size_t retlen = afl->mutator->afl_custom_trim(afl->mutator->data, &retbuf);
if (unlikely(!retbuf))
if (unlikely(!retbuf)) {
FATAL("custom_trim failed (ret %zd)", retlen);
else if (unlikely(retlen > orig_len))
} else if (unlikely(retlen > orig_len)) {
FATAL(
"Trimmed data returned by custom mutator is larger than original "
"data");
}
write_to_testcase(afl, retbuf, retlen);
fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
@ -263,32 +317,45 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
afl->stage_cur =
afl->mutator->afl_custom_post_trim(afl->mutator->data, 1);
if (afl->not_on_tty && afl->debug)
if (afl->not_on_tty && afl->debug) {
SAYF("[Custom Trimming] SUCCESS: %d/%d iterations (now at %u bytes)",
afl->stage_cur, afl->stage_max, q->len);
}
} else {
/* Tell the custom mutator that the trimming was unsuccessful */
afl->stage_cur =
afl->mutator->afl_custom_post_trim(afl->mutator->data, 0);
if (unlikely(afl->stage_cur < 0))
if (unlikely(afl->stage_cur < 0)) {
FATAL("Error ret in custom_post_trim: %d", afl->stage_cur);
if (afl->not_on_tty && afl->debug)
}
if (afl->not_on_tty && afl->debug) {
SAYF("[Custom Trimming] FAILURE: %d/%d iterations", afl->stage_cur,
afl->stage_max);
}
}
/* Since this can be slow, update the screen every now and then. */
if (!(trim_exec++ % afl->stats_update_freq)) show_stats(afl);
if (!(trim_exec++ % afl->stats_update_freq)) { show_stats(afl); }
}
if (afl->not_on_tty && afl->debug)
if (afl->not_on_tty && afl->debug) {
SAYF("[Custom Trimming] DONE: %u bytes -> %u bytes", orig_len, q->len);
}
/* If we have made changes to in_buf, we also need to update the on-disk
version of the test case. */
@ -300,7 +367,7 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", q->fname);
if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
ck_write(fd, in_buf, q->len, q->fname);
close(fd);

683
src/afl-fuzz-one.c
View File

File diff suppressed because it is too large Load Diff

66
src/afl-fuzz-python.c
View File

@ -111,10 +111,10 @@ static size_t fuzz_py(void *py_mutator, u8 *buf, size_t buf_size, u8 **out_buf,
static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) {
if (!module_name) return NULL;
if (!module_name) { return NULL; }
py_mutator_t *py = calloc(1, sizeof(py_mutator_t));
if (!py) PFATAL("Could not allocate memory for python mutator!");
if (!py) { PFATAL("Could not allocate memory for python mutator!"); }
Py_Initialize();
@ -160,12 +160,12 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) {
if (py_idx == PY_FUNC_PRE_SAVE) {
// Implenting the pre_save API is optional for now
if (PyErr_Occurred()) PyErr_Print();
if (PyErr_Occurred()) { PyErr_Print(); }
} else if (py_idx >= PY_FUNC_INIT_TRIM && py_idx <= PY_FUNC_TRIM) {
// Implementing the trim API is optional for now
if (PyErr_Occurred()) PyErr_Print();
if (PyErr_Occurred()) { PyErr_Print(); }
py_notrim = 1;
} else if ((py_idx >= PY_FUNC_HAVOC_MUTATION) &&
@ -173,11 +173,11 @@ static py_mutator_t *init_py_module(afl_state_t *afl, u8 *module_name) {
(py_idx <= PY_FUNC_QUEUE_NEW_ENTRY)) {
// Implenting the havoc and queue API is optional for now
if (PyErr_Occurred()) PyErr_Print();
if (PyErr_Occurred()) { PyErr_Print(); }
} else {
if (PyErr_Occurred()) PyErr_Print();
if (PyErr_Occurred()) { PyErr_Print(); }
fprintf(stderr,
"Cannot find/call function with index %d in external "
"Python module.\n",
@ -222,9 +222,12 @@ void finalize_py_module(void *py_mutator) {
deinit_py(py_mutator);
u32 i;
for (i = 0; i < PY_FUNC_COUNT; ++i)
for (i = 0; i < PY_FUNC_COUNT; ++i) {
Py_XDECREF(py->py_functions[i]);
}
Py_DECREF(py->py_module);
}
@ -308,38 +311,67 @@ void load_custom_mutator_py(afl_state_t *afl, char *module_name) {
PyObject **py_functions = py_mutator->py_functions;
if (py_functions[PY_FUNC_INIT]) afl->mutator->afl_custom_init = unsupported;
if (py_functions[PY_FUNC_INIT]) {
if (py_functions[PY_FUNC_DEINIT]) afl->mutator->afl_custom_deinit = deinit_py;
afl->mutator->afl_custom_init = unsupported;
}
if (py_functions[PY_FUNC_DEINIT]) {
afl->mutator->afl_custom_deinit = deinit_py;
}
/* "afl_custom_fuzz" should not be NULL, but the interface of Python mutator
is quite different from the custom mutator. */
afl->mutator->afl_custom_fuzz = fuzz_py;
if (py_functions[PY_FUNC_PRE_SAVE])
if (py_functions[PY_FUNC_PRE_SAVE]) {
afl->mutator->afl_custom_pre_save = pre_save_py;
if (py_functions[PY_FUNC_INIT_TRIM])
}
if (py_functions[PY_FUNC_INIT_TRIM]) {
afl->mutator->afl_custom_init_trim = init_trim_py;
if (py_functions[PY_FUNC_POST_TRIM])
}
if (py_functions[PY_FUNC_POST_TRIM]) {
afl->mutator->afl_custom_post_trim = post_trim_py;
if (py_functions[PY_FUNC_TRIM]) afl->mutator->afl_custom_trim = trim_py;
}
if (py_functions[PY_FUNC_TRIM]) { afl->mutator->afl_custom_trim = trim_py; }
if (py_functions[PY_FUNC_HAVOC_MUTATION]) {
if (py_functions[PY_FUNC_HAVOC_MUTATION])
afl->mutator->afl_custom_havoc_mutation = havoc_mutation_py;
if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY])
}
if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY]) {
afl->mutator->afl_custom_havoc_mutation_probability =
havoc_mutation_probability_py;
if (py_functions[PY_FUNC_QUEUE_GET])
}
if (py_functions[PY_FUNC_QUEUE_GET]) {
afl->mutator->afl_custom_queue_get = queue_get_py;
if (py_functions[PY_FUNC_QUEUE_NEW_ENTRY])
}
if (py_functions[PY_FUNC_QUEUE_NEW_ENTRY]) {
afl->mutator->afl_custom_queue_new_entry = queue_new_entry_py;
}
OKF("Python mutator '%s' installed successfully.", module_name);
/* Initialize the custom mutator */

207
src/afl-fuzz-queue.c
View File

@ -38,7 +38,7 @@ void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) {
strrchr(q->fname, '/') + 1);
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", fn);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
close(fd);
q->passed_det = 1;
@ -61,7 +61,7 @@ void mark_as_variable(afl_state_t *afl, struct queue_entry *q) {
if (symlink(ldest, fn)) {
s32 fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", fn);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
close(fd);
}
@ -77,7 +77,7 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
u8 fn[PATH_MAX];
if (state == q->fs_redundant) return;
if (state == q->fs_redundant) { return; }
q->fs_redundant = state;
@ -89,12 +89,12 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
s32 fd;
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", fn);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
close(fd);
} else {
if (unlink(fn)) PFATAL("Unable to remove '%s'", fn);
if (unlink(fn)) { PFATAL("Unable to remove '%s'", fn); }
}
@ -113,17 +113,19 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
q->n_fuzz = 1;
q->trace_mini = NULL;
if (q->depth > afl->max_depth) afl->max_depth = q->depth;
if (q->depth > afl->max_depth) { afl->max_depth = q->depth; }
if (afl->queue_top) {
afl->queue_top->next = q;
afl->queue_top = q;
} else
} else {
afl->q_prev100 = afl->queue = afl->queue_top = q;
}
++afl->queued_paths;
++afl->pending_not_fuzzed;
@ -143,7 +145,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
u8 *fname_orig = NULL;
/* At the initialization stage, queue_cur is NULL */
if (afl->queue_cur) fname_orig = afl->queue_cur->fname;
if (afl->queue_cur) { fname_orig = afl->queue_cur->fname; }
afl->mutator->afl_custom_queue_new_entry(afl->mutator->data, fname,
fname_orig);
@ -188,14 +190,19 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u64 fuzz_p2 = next_pow2(q->n_fuzz);
if (afl->schedule == MMOPT || afl->schedule == RARE ||
unlikely(afl->fixed_seed))
unlikely(afl->fixed_seed)) {
fav_factor = q->len << 2;
else
} else {
fav_factor = q->exec_us * q->len;
}
/* For every byte set in afl->fsrv.trace_bits[], see if there is a previous
winner, and how it compares to us. */
for (i = 0; i < afl->fsrv.map_size; ++i)
for (i = 0; i < afl->fsrv.map_size; ++i) {
if (afl->fsrv.trace_bits[i]) {
@ -206,29 +213,43 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz);
if (afl->schedule == MMOPT || afl->schedule == RARE ||
unlikely(afl->fixed_seed))
unlikely(afl->fixed_seed)) {
top_rated_fav_factor = afl->top_rated[i]->len << 2;
else
} else {
top_rated_fav_factor =
afl->top_rated[i]->exec_us * afl->top_rated[i]->len;
if (fuzz_p2 > top_rated_fuzz_p2)
}
if (fuzz_p2 > top_rated_fuzz_p2) {
continue;
else if (fuzz_p2 == top_rated_fuzz_p2)
if (fav_factor > top_rated_fav_factor) continue;
} else if (fuzz_p2 == top_rated_fuzz_p2) {
if (fav_factor > top_rated_fav_factor) { continue; }
}
if (afl->schedule == MMOPT || afl->schedule == RARE ||
unlikely(afl->fixed_seed)) {
if (fav_factor > afl->top_rated[i]->len << 2) continue;
if (fav_factor > afl->top_rated[i]->len << 2) { continue; }
} else {
if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len)
if (fav_factor >
afl->top_rated[i]->exec_us * afl->top_rated[i]->len) {
continue;
}
}
/* Looks like we're going to win. Decrease ref count for the
previous winner, discard its afl->fsrv.trace_bits[] if necessary. */
@ -258,6 +279,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
}
}
}
/* The second part of the mechanism discussed above is a routine that
@ -273,7 +296,7 @@ void cull_queue(afl_state_t *afl) {
u32 i;
u8 * temp_v = afl->map_tmp_buf;
if (afl->dumb_mode || !afl->score_changed) return;
if (afl->dumb_mode || !afl->score_changed) { return; }
afl->score_changed = 0;
@ -294,25 +317,38 @@ void cull_queue(afl_state_t *afl) {
/* Let's see if anything in the bitmap isn't captured in temp_v.
If yes, and if it has a afl->top_rated[] contender, let's use it. */
for (i = 0; i < afl->fsrv.map_size; ++i)
for (i = 0; i < afl->fsrv.map_size; ++i) {
if (afl->top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) {
u32 j = len;
/* Remove all bits belonging to the current entry from temp_v. */
while (j--)
if (afl->top_rated[i]->trace_mini[j])
while (j--) {
if (afl->top_rated[i]->trace_mini[j]) {
temp_v[j] &= ~afl->top_rated[i]->trace_mini[j];
}
}
afl->top_rated[i]->favored = 1;
++afl->queued_favored;
if (afl->top_rated[i]->fuzz_level == 0 || !afl->top_rated[i]->was_fuzzed)
if (afl->top_rated[i]->fuzz_level == 0 ||
!afl->top_rated[i]->was_fuzzed) {
++afl->pending_favored;
}
}
}
q = afl->queue;
while (q) {
@ -347,39 +383,67 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
if (afl->schedule != MMOPT && afl->schedule != RARE &&
likely(!afl->fixed_seed)) {
if (q->exec_us * 0.1 > avg_exec_us)
if (q->exec_us * 0.1 > avg_exec_us) {
perf_score = 10;
else if (q->exec_us * 0.25 > avg_exec_us)
} else if (q->exec_us * 0.25 > avg_exec_us) {
perf_score = 25;
else if (q->exec_us * 0.5 > avg_exec_us)
} else if (q->exec_us * 0.5 > avg_exec_us) {
perf_score = 50;
else if (q->exec_us * 0.75 > avg_exec_us)
} else if (q->exec_us * 0.75 > avg_exec_us) {
perf_score = 75;
else if (q->exec_us * 4 < avg_exec_us)
} else if (q->exec_us * 4 < avg_exec_us) {
perf_score = 300;
else if (q->exec_us * 3 < avg_exec_us)
} else if (q->exec_us * 3 < avg_exec_us) {
perf_score = 200;
else if (q->exec_us * 2 < avg_exec_us)
} else if (q->exec_us * 2 < avg_exec_us) {
perf_score = 150;
}
}
/* Adjust score based on bitmap size. The working theory is that better
coverage translates to better targets. Multiplier from 0.25x to 3x. */
if (q->bitmap_size * 0.3 > avg_bitmap_size)
if (q->bitmap_size * 0.3 > avg_bitmap_size) {
perf_score *= 3;
else if (q->bitmap_size * 0.5 > avg_bitmap_size)
} else if (q->bitmap_size * 0.5 > avg_bitmap_size) {
perf_score *= 2;
else if (q->bitmap_size * 0.75 > avg_bitmap_size)
} else if (q->bitmap_size * 0.75 > avg_bitmap_size) {
perf_score *= 1.5;
else if (q->bitmap_size * 3 < avg_bitmap_size)
} else if (q->bitmap_size * 3 < avg_bitmap_size) {
perf_score *= 0.25;
else if (q->bitmap_size * 2 < avg_bitmap_size)
} else if (q->bitmap_size * 2 < avg_bitmap_size) {
perf_score *= 0.5;
else if (q->bitmap_size * 1.5 < avg_bitmap_size)
} else if (q->bitmap_size * 1.5 < avg_bitmap_size) {
perf_score *= 0.75;
}
/* Adjust score based on handicap. Handicap is proportional to how late
in the game we learned about this path. Latecomers are allowed to run
for a bit longer until they catch up with the rest. */
@ -402,11 +466,19 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
switch (q->depth) {
case 0 ... 3: break;
case 4 ... 7: perf_score *= 2; break;
case 8 ... 13: perf_score *= 3; break;
case 14 ... 25: perf_score *= 4; break;
default: perf_score *= 5;
case 0 ... 3:
break;
case 4 ... 7:
perf_score *= 2;
break;
case 8 ... 13:
perf_score *= 3;
break;
case 14 ... 25:
perf_score *= 4;
break;
default:
perf_score *= 5;
}
@ -418,9 +490,12 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
switch (afl->schedule) {
case EXPLORE: break;
case EXPLORE:
break;
case EXPLOIT: factor = MAX_FACTOR; break;
case EXPLOIT:
factor = MAX_FACTOR;
break;
case COE:
fuzz_total = 0;
@ -435,16 +510,21 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
}
if (unlikely(!n_paths)) FATAL("Queue state corrupt");
if (unlikely(!n_paths)) { FATAL("Queue state corrupt"); }
fuzz_mu = fuzz_total / n_paths;
if (fuzz <= fuzz_mu) {
if (q->fuzz_level < 16)
if (q->fuzz_level < 16) {
factor = ((u32)(1 << q->fuzz_level));
else
} else {
factor = MAX_FACTOR;
}
} else {
factor = 0;
@ -454,13 +534,21 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
break;
case FAST:
if (q->fuzz_level < 16)
if (q->fuzz_level < 16) {
factor = ((u32)(1 << q->fuzz_level)) / (fuzz == 0 ? 1 : fuzz);
else
} else {
factor = MAX_FACTOR / (fuzz == 0 ? 1 : next_pow2(fuzz));
}
break;
case LIN: factor = q->fuzz_level / (fuzz == 0 ? 1 : fuzz); break;
case LIN:
factor = q->fuzz_level / (fuzz == 0 ? 1 : fuzz);
break;
case QUAD:
factor = q->fuzz_level * q->fuzz_level / (fuzz == 0 ? 1 : fuzz);
@ -477,7 +565,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
(afl->max_depth - q->depth)) / 5));
*/
// put focus on the last 5 entries
if (afl->max_depth - q->depth < 5) perf_score *= 2;
if (afl->max_depth - q->depth < 5) { perf_score *= 2; }
break;
@ -493,26 +581,35 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
break;
default: PFATAL("Unknown Power Schedule");
default:
PFATAL("Unknown Power Schedule");
}
if (factor > MAX_FACTOR) factor = MAX_FACTOR;
if (factor > MAX_FACTOR) { factor = MAX_FACTOR; }
perf_score *= factor / POWER_BETA;
// MOpt mode
if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3)
if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3) {
perf_score *= 2;
else if (perf_score < 1)
} else if (perf_score < 1) {
// Add a lower bound to AFLFast's energy assignment strategies
perf_score = 1;
}
/* Make sure that we don't go over limit. */
if (perf_score > afl->havoc_max_mult * 100)
if (perf_score > afl->havoc_max_mult * 100) {
perf_score = afl->havoc_max_mult * 100;
}
return perf_score;
}

259
src/afl-fuzz-redqueen.c
View File

@ -73,20 +73,25 @@ static struct range *pop_biggest_range(struct range **ranges) {
if (rmax) {
if (prev_rmax)
if (prev_rmax) {
prev_rmax->next = rmax->next;
else
} else {
*ranges = rmax->next;
}
}
return rmax;
}
static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) {
if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1;
if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; }
*cksum = hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
return 0;
@ -96,9 +101,12 @@ static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) {
static void rand_replace(afl_state_t *afl, u8 *buf, u32 len) {
u32 i;
for (i = 0; i < len; ++i)
for (i = 0; i < len; ++i) {
buf[i] = rand_below(afl, 256);
}
}
static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
@ -131,9 +139,12 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
u32 cksum;
u64 start_us = get_cur_time_us();
if (unlikely(get_exec_checksum(afl, buf, len, &cksum)))
if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) {
goto checksum_fail;
}
u64 stop_us = get_cur_time_us();
/* Discard if the mutations change the paths or if it is too decremental
@ -159,7 +170,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
}
if (afl->stage_cur < afl->stage_max) afl->queue_cur->fully_colorized = 1;
if (afl->stage_cur < afl->stage_max) { afl->queue_cur->fully_colorized = 1; }
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
afl->stage_finds[STAGE_COLORIZATION] += new_hit_cnt - orig_hit_cnt;
@ -192,7 +203,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
}
if (fd < 0) PFATAL("Unable to create '%s'", afl->queue_cur->fname);
if (fd < 0) { PFATAL("Unable to create '%s'", afl->queue_cur->fname); }
ck_write(fd, buf, len, afl->queue_cur->fname);
afl->queue_cur->len = len; // no-op, just to be 100% safe
@ -204,7 +215,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
return 0;
checksum_fail:
if (rng) ck_free(rng);
if (rng) { ck_free(rng); }
ck_free(backup);
while (ranges) {
@ -230,15 +241,20 @@ static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1;
if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; }
new_hit_cnt = afl->queued_paths + afl->unique_crashes;
if (unlikely(new_hit_cnt != orig_hit_cnt))
if (unlikely(new_hit_cnt != orig_hit_cnt)) {
*status = 1;
else
} else {
*status = 2;
}
return 0;
}
@ -265,66 +281,84 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
if (its_len >= 8 && *buf_64 == pattern && *o_buf_64 == o_pattern) {
*buf_64 = repl;
if (unlikely(its_fuzz(afl, buf, len, status))) return 1;
if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
*buf_64 = pattern;
}
// reverse encoding
if (do_reverse)
if (do_reverse) {
if (unlikely(cmp_extend_encoding(afl, h, SWAP64(pattern), SWAP64(repl),
SWAP64(o_pattern), idx, orig_buf, buf,
len, 0, status)))
len, 0, status))) {
return 1;
}
}
}
if (SHAPE_BYTES(h->shape) == 4 || *status == 2) {
if (its_len >= 4 && *buf_32 == (u32)pattern &&
*o_buf_32 == (u32)o_pattern) {
*buf_32 = (u32)repl;
if (unlikely(its_fuzz(afl, buf, len, status))) return 1;
if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
*buf_32 = pattern;
}
// reverse encoding
if (do_reverse)
if (do_reverse) {
if (unlikely(cmp_extend_encoding(afl, h, SWAP32(pattern), SWAP32(repl),
SWAP32(o_pattern), idx, orig_buf, buf,
len, 0, status)))
len, 0, status))) {
return 1;
}
}
}
if (SHAPE_BYTES(h->shape) == 2 || *status == 2) {
if (its_len >= 2 && *buf_16 == (u16)pattern &&
*o_buf_16 == (u16)o_pattern) {
*buf_16 = (u16)repl;
if (unlikely(its_fuzz(afl, buf, len, status))) return 1;
if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
*buf_16 = (u16)pattern;
}
// reverse encoding
if (do_reverse)
if (do_reverse) {
if (unlikely(cmp_extend_encoding(afl, h, SWAP16(pattern), SWAP16(repl),
SWAP16(o_pattern), idx, orig_buf, buf,
len, 0, status)))
len, 0, status))) {
return 1;
}
}
}
if (SHAPE_BYTES(h->shape) == 1 || *status == 2) {
if (its_len >= 1 && *buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) {
*buf_8 = (u8)repl;
if (unlikely(its_fuzz(afl, buf, len, status))) return 1;
if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
*buf_8 = (u8)pattern;
}
@ -343,14 +377,21 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) {
u8 cons_ff = 0, cons_0 = 0;
for (k = 0; k < shape; ++k) {
if (b[k] == 0)
if (b[k] == 0) {
++cons_0;
else if (b[k] == 0xff)
} else if (b[k] == 0xff) {
++cons_0;
else
} else {
cons_0 = cons_ff = 0;
if (cons_0 > 1 || cons_ff > 1) return;
}
if (cons_0 > 1 || cons_ff > 1) { return; }
}
@ -359,7 +400,8 @@ static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) {
u64 rev;
switch (shape) {
case 1: break;
case 1:
break;
case 2:
rev = SWAP16((u16)v);
maybe_add_auto((u8 *)afl, (u8 *)&rev, shape);
@ -383,7 +425,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
u32 i, j, idx;
u32 loggeds = h->hits;
if (h->hits > CMP_MAP_H) loggeds = CMP_MAP_H;
if (h->hits > CMP_MAP_H) { loggeds = CMP_MAP_H; }
u8 status = 0;
// opt not in the paper
@ -410,12 +452,12 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
} else {
if (s_v0 != o->v0) s_v0_fixed = 0;
if (s_v1 != o->v1) s_v1_fixed = 0;
if (s_v0 + 1 != o->v0) s_v0_inc = 0;
if (s_v1 + 1 != o->v1) s_v1_inc = 0;
if (s_v0 - 1 != o->v0) s_v0_dec = 0;
if (s_v1 - 1 != o->v1) s_v1_dec = 0;
if (s_v0 != o->v0) { s_v0_fixed = 0; }
if (s_v1 != o->v1) { s_v1_fixed = 0; }
if (s_v0 + 1 != o->v0) { s_v0_inc = 0; }
if (s_v1 + 1 != o->v1) { s_v1_inc = 0; }
if (s_v0 - 1 != o->v0) { s_v0_dec = 0; }
if (s_v1 - 1 != o->v1) { s_v1_dec = 0; }
s_v0 = o->v0;
s_v1 = o->v1;
@ -424,32 +466,56 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
struct cmp_operands *orig_o = &afl->orig_cmp_map->log[key][i];
// opt not in the paper
for (j = 0; j < i; ++j)
for (j = 0; j < i; ++j) {
if (afl->shm.cmp_map->log[key][j].v0 == o->v0 &&
afl->shm.cmp_map->log[key][i].v1 == o->v1)
afl->shm.cmp_map->log[key][i].v1 == o->v1) {
goto cmp_fuzz_next_iter;
}
}
for (idx = 0; idx < len && fails < 8; ++idx) {
if (unlikely(cmp_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx,
orig_buf, buf, len, 1, &status)))
return 1;
if (status == 2)
++fails;
else if (status == 1)
break;
orig_buf, buf, len, 1, &status))) {
if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx,
orig_buf, buf, len, 1, &status)))
return 1;
if (status == 2)
}
if (status == 2) {
++fails;
else if (status == 1)
} else if (status == 1) {
break;
}
if (status == 1) found_one = 1;
if (unlikely(cmp_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx,
orig_buf, buf, len, 1, &status))) {
return 1;
}
if (status == 2) {
++fails;
} else if (status == 1) {
break;
}
}
if (status == 1) { found_one = 1; }
// If failed, add to dictionary
if (fails == 8) {
@ -481,7 +547,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
}
if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++;
if (afl->pass_stats[key].total < 0xff) { afl->pass_stats[key].total++; }
return 0;
@ -502,11 +568,14 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h,
for (i = 0; i < its_len; ++i) {
if (pattern[idx + i] != buf[idx + i] ||
o_pattern[idx + i] != orig_buf[idx + i] || *status == 1)
o_pattern[idx + i] != orig_buf[idx + i] || *status == 1) {
break;
}
buf[idx + i] = repl[idx + i];
if (unlikely(its_fuzz(afl, buf, len, status))) return 1;
if (unlikely(its_fuzz(afl, buf, len, status))) { return 1; }
}
@ -521,7 +590,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
u32 i, j, idx;
u32 loggeds = h->hits;
if (h->hits > CMP_MAP_RTN_H) loggeds = CMP_MAP_RTN_H;
if (h->hits > CMP_MAP_RTN_H) { loggeds = CMP_MAP_RTN_H; }
u8 status = 0;
// opt not in the paper
@ -539,32 +608,56 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
&((struct cmpfn_operands *)afl->orig_cmp_map->log[key])[i];
// opt not in the paper
for (j = 0; j < i; ++j)
for (j = 0; j < i; ++j) {
if (!memcmp(&((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[j], o,
sizeof(struct cmpfn_operands)))
sizeof(struct cmpfn_operands))) {
goto rtn_fuzz_next_iter;
}
}
for (idx = 0; idx < len && fails < 8; ++idx) {
if (unlikely(rtn_extend_encoding(afl, h, o->v0, o->v1, orig_o->v0, idx,
orig_buf, buf, len, &status)))
return 1;
if (status == 2)
++fails;
else if (status == 1)
break;
orig_buf, buf, len, &status))) {
if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx,
orig_buf, buf, len, &status)))
return 1;
if (status == 2)
}
if (status == 2) {
++fails;
else if (status == 1)
} else if (status == 1) {
break;
}
if (status == 1) found_one = 1;
if (unlikely(rtn_extend_encoding(afl, h, o->v1, o->v0, orig_o->v1, idx,
orig_buf, buf, len, &status))) {
return 1;
}
if (status == 2) {
++fails;
} else if (status == 1) {
break;
}
}
if (status == 1) { found_one = 1; }
// If failed, add to dictionary
if (fails == 8) {
@ -589,7 +682,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
}
if (afl->pass_stats[key].total < 0xff) afl->pass_stats[key].total++;
if (afl->pass_stats[key].total < 0xff) { afl->pass_stats[key].total++; }
return 0;
@ -602,25 +695,31 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
u32 exec_cksum) {
u8 r = 1;
if (afl->orig_cmp_map == NULL)
if (afl->orig_cmp_map == NULL) {
afl->orig_cmp_map = ck_alloc_nozero(sizeof(struct cmp_map));
if (afl->pass_stats == NULL)
}
if (afl->pass_stats == NULL) {
afl->pass_stats = ck_alloc(sizeof(struct afl_pass_stat) * CMP_MAP_W);
}
// do it manually, forkserver clear only afl->fsrv.trace_bits
memset(afl->shm.cmp_map->headers, 0, sizeof(afl->shm.cmp_map->headers));
if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1;
if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) { return 1; }
memcpy(afl->orig_cmp_map, afl->shm.cmp_map, sizeof(struct cmp_map));
if (unlikely(colorization(afl, buf, len, exec_cksum))) return 1;
if (unlikely(colorization(afl, buf, len, exec_cksum))) { return 1; }
// do it manually, forkserver clear only afl->fsrv.trace_bits
memset(afl->shm.cmp_map->headers, 0, sizeof(afl->shm.cmp_map->headers));
if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) return 1;
if (unlikely(common_fuzz_cmplog_stuff(afl, buf, len))) { return 1; }
u64 orig_hit_cnt, new_hit_cnt;
u64 orig_execs = afl->fsrv.total_execs;
@ -634,33 +733,41 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
u32 k;
for (k = 0; k < CMP_MAP_W; ++k) {
if (!afl->shm.cmp_map->headers[k].hits) continue;
if (!afl->shm.cmp_map->headers[k].hits) { continue; }
if (afl->pass_stats[k].total &&
(rand_below(afl, afl->pass_stats[k].total) >=
afl->pass_stats[k].faileds ||
afl->pass_stats[k].total == 0xff))
afl->pass_stats[k].total == 0xff)) {
afl->shm.cmp_map->headers[k].hits = 0; // blacklist this cmp
if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS)
}
if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) {
afl->stage_max += MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_H);
else
} else {
afl->stage_max +=
MIN((u32)afl->shm.cmp_map->headers[k].hits, CMP_MAP_RTN_H);
}
}
for (k = 0; k < CMP_MAP_W; ++k) {
if (!afl->shm.cmp_map->headers[k].hits) continue;
if (!afl->shm.cmp_map->headers[k].hits) { continue; }
if (afl->shm.cmp_map->headers[k].type == CMP_TYPE_INS) {
if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) goto exit_its;
if (unlikely(cmp_fuzz(afl, k, orig_buf, buf, len))) { goto exit_its; }
} else {
if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) goto exit_its;
if (unlikely(rtn_fuzz(afl, k, orig_buf, buf, len))) { goto exit_its; }
}

118
src/afl-fuzz-run.c
View File

@ -72,9 +72,12 @@ void write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
size_t new_size = afl->mutator->afl_custom_pre_save(afl->mutator->data, mem,
len, &new_buf);
if (unlikely(!new_buf))
if (unlikely(!new_buf)) {
FATAL("Custom_pre_save failed (ret: %lu)", (long unsigned)new_size);
}
/* everything as planned. use the new data. */
afl_fsrv_write_to_testcase(&afl->fsrv, new_buf, new_size);
@ -108,27 +111,34 @@ static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
}
if (fd < 0) PFATAL("Unable to create '%s'", afl->fsrv.out_file);
if (fd < 0) { PFATAL("Unable to create '%s'", afl->fsrv.out_file); }
} else
} else {
lseek(fd, 0, SEEK_SET);
if (skip_at) ck_write(fd, mem, skip_at, afl->fsrv.out_file);
}
if (skip_at) { ck_write(fd, mem, skip_at, afl->fsrv.out_file); }
u8 *memu8 = mem;
if (tail_len)
if (tail_len) {
ck_write(fd, memu8 + skip_at + skip_len, tail_len, afl->fsrv.out_file);
}
if (!afl->fsrv.out_file) {
if (ftruncate(fd, len - skip_len)) PFATAL("ftruncate() failed");
if (ftruncate(fd, len - skip_len)) { PFATAL("ftruncate() failed"); }
lseek(fd, 0, SEEK_SET);
} else
} else {
close(fd);
}
}
/* Calibrate a new test case. This is done when processing the input directory
@ -151,10 +161,13 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
trying to calibrate already-added finds. This helps avoid trouble due
to intermittent latency. */
if (!from_queue || afl->resuming_fuzz)
if (!from_queue || afl->resuming_fuzz) {
use_tmout = MAX(afl->fsrv.exec_tmout + CAL_TMOUT_ADD,
afl->fsrv.exec_tmout * CAL_TMOUT_PERC / 100);
}
++q->cal_failed;
afl->stage_name = "calibration";
@ -177,18 +190,24 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
}
if (q->exec_cksum)
if (q->exec_cksum) {
memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
}
start_us = get_cur_time_us();
for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
u32 cksum;
if (!first_run && !(afl->stage_cur % afl->stats_update_freq))
if (!first_run && !(afl->stage_cur % afl->stats_update_freq)) {
show_stats(afl);
}
write_to_testcase(afl, use_mem, q->len);
fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
@ -196,7 +215,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
/* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
we want to bail out quickly. */
if (afl->stop_soon || fault != afl->crash_mode) goto abort_calibration;
if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; }
if (!afl->dumb_mode && !afl->stage_cur &&
!count_bytes(afl, afl->fsrv.trace_bits)) {
@ -211,7 +230,7 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
if (q->exec_cksum != cksum) {
u8 hnb = has_new_bits(afl, afl->virgin_bits);
if (hnb > new_bits) new_bits = hnb;
if (hnb > new_bits) { new_bits = hnb; }
if (q->exec_cksum) {
@ -220,11 +239,14 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
for (i = 0; i < afl->fsrv.map_size; ++i) {
if (unlikely(!afl->var_bytes[i]) &&
unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i]))
unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i])) {
afl->var_bytes[i] = 1;
}
}
var_detected = 1;
afl->stage_max = CAL_CYCLES_LONG;
@ -261,9 +283,12 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
parent. This is a non-critical problem, but something to warn the user
about. */
if (!afl->dumb_mode && first_run && !fault && !new_bits)
if (!afl->dumb_mode && first_run && !fault && !new_bits) {
fault = FSRV_RUN_NOBITS;
}
abort_calibration:
if (new_bits == 2 && !q->has_new_cov) {
@ -292,7 +317,7 @@ abort_calibration:
afl->stage_cur = old_sc;
afl->stage_max = old_sm;
if (!first_run) show_stats(afl);
if (!first_run) { show_stats(afl); }
return fault;
@ -307,7 +332,7 @@ void sync_fuzzers(afl_state_t *afl) {
u32 sync_cnt = 0;
sd = opendir(afl->sync_dir);
if (!sd) PFATAL("Unable to open '%s'", afl->sync_dir);
if (!sd) { PFATAL("Unable to open '%s'", afl->sync_dir); }
afl->stage_max = afl->stage_cur = 0;
afl->cur_depth = 0;
@ -326,9 +351,12 @@ void sync_fuzzers(afl_state_t *afl) {
/* Skip dot files and our own output directory. */
if (sd_ent->d_name[0] == '.' || !strcmp(afl->sync_id, sd_ent->d_name))
if (sd_ent->d_name[0] == '.' || !strcmp(afl->sync_id, sd_ent->d_name)) {
continue;
}
/* Skip anything that doesn't have a queue/ subdirectory. */
qd_path = alloc_printf("%s/%s/queue", afl->sync_dir, sd_ent->d_name);
@ -347,9 +375,13 @@ void sync_fuzzers(afl_state_t *afl) {
id_fd = open(qd_synced_path, O_RDWR | O_CREAT, 0600);
if (id_fd < 0) PFATAL("Unable to create '%s'", qd_synced_path);
if (id_fd < 0) { PFATAL("Unable to create '%s'", qd_synced_path); }
if (read(id_fd, &min_accept, sizeof(u32)) > 0) lseek(id_fd, 0, SEEK_SET);
if (read(id_fd, &min_accept, sizeof(u32)) > 0) {
lseek(id_fd, 0, SEEK_SET);
}
next_min_accept = min_accept;
@ -372,14 +404,20 @@ void sync_fuzzers(afl_state_t *afl) {
if (qd_ent->d_name[0] == '.' ||
sscanf(qd_ent->d_name, CASE_PREFIX "%06u", &afl->syncing_case) != 1 ||
afl->syncing_case < min_accept)
afl->syncing_case < min_accept) {
continue;
}
/* OK, sounds like a new one. Let's give it a try. */
if (afl->syncing_case >= next_min_accept)
if (afl->syncing_case >= next_min_accept) {
next_min_accept = afl->syncing_case + 1;
}
path = alloc_printf("%s/%s", qd_path, qd_ent->d_name);
/* Allow this to fail in case the other fuzzer is resuming or so... */
@ -393,7 +431,7 @@ void sync_fuzzers(afl_state_t *afl) {
}
if (fstat(fd, &st)) PFATAL("fstat() failed");
if (fstat(fd, &st)) { PFATAL("fstat() failed"); }
/* Ignore zero-sized or oversized files. */
@ -402,7 +440,7 @@ void sync_fuzzers(afl_state_t *afl) {
u8 fault;
u8 *mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path);
if (mem == MAP_FAILED) { PFATAL("Unable to mmap '%s'", path); }
/* See what happens. We rely on save_if_interesting() to catch major
errors and save the test case. */
@ -411,7 +449,7 @@ void sync_fuzzers(afl_state_t *afl) {
fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
if (afl->stop_soon) goto close_sync;
if (afl->stop_soon) { goto close_sync; }
afl->syncing_party = sd_ent->d_name;
afl->queued_imported +=
@ -420,7 +458,7 @@ void sync_fuzzers(afl_state_t *afl) {
munmap(mem, st.st_size);
if (!(afl->stage_cur++ % afl->stats_update_freq)) show_stats(afl);
if (!(afl->stage_cur++ % afl->stats_update_freq)) { show_stats(afl); }
}
@ -450,9 +488,12 @@ void sync_fuzzers(afl_state_t *afl) {
u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
/* Custom mutator trimmer */
if (afl->mutator && afl->mutator->afl_custom_trim)
if (afl->mutator && afl->mutator->afl_custom_trim) {
return trim_case_custom(afl, q, in_buf);
}
u8 needs_write = 0, fault = 0;
u32 trim_exec = 0;
u32 remove_len;
@ -464,7 +505,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
detected, it will still work to some extent, so we don't check for
this. */
if (q->len < 5) return 0;
if (q->len < 5) { return 0; }
afl->stage_name = afl->stage_name_buf;
afl->bytes_trim_in += q->len;
@ -499,7 +540,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
++afl->trim_execs;
if (afl->stop_soon || fault == FSRV_RUN_ERROR) goto abort_trimming;
if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; }
/* Note that we don't keep track of crashes or hangs here; maybe TODO?
*/
@ -531,13 +572,15 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
}
} else
} else {
remove_pos += remove_len;
}
/* Since this can be slow, update the screen every now and then. */
if (!(trim_exec++ % afl->stats_update_freq)) show_stats(afl);
if (!(trim_exec++ % afl->stats_update_freq)) { show_stats(afl); }
++afl->stage_cur;
}
@ -564,7 +607,7 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
}
if (fd < 0) PFATAL("Unable to create '%s'", q->fname);
if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
ck_write(fd, in_buf, q->len, q->fname);
close(fd);
@ -595,7 +638,7 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
size_t post_len =
afl->post_handler(afl->post_data, out_buf, len, &post_buf);
if (!post_buf || !post_len) return 0;
if (!post_buf || !post_len) { return 0; }
out_buf = post_buf;
len = post_len;
@ -605,7 +648,7 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
if (afl->stop_soon) return 1;
if (afl->stop_soon) { return 1; }
if (fault == FSRV_RUN_TMOUT) {
@ -616,10 +659,12 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
}
} else
} else {
afl->subseq_tmouts = 0;
}
/* Users can hit us with SIGUSR1 to request the current input
to be abandoned. */
@ -636,9 +681,12 @@ u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
afl->queued_discovered += save_if_interesting(afl, out_buf, len, fault);
if (!(afl->stage_cur % afl->stats_update_freq) ||
afl->stage_cur + 1 == afl->stage_max)
afl->stage_cur + 1 == afl->stage_max) {
show_stats(afl);
}
return 0;
}

30
src/afl-fuzz-state.c
View File

@ -81,7 +81,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
and out_size are NULL/0 by default. */
memset(afl, 0, sizeof(afl_state_t));
if (!map_size) afl->shm.map_size = MAP_SIZE;
if (!map_size) { afl->shm.map_size = MAP_SIZE; }
afl->w_init = 0.9;
afl->w_end = 0.3;
@ -344,12 +344,14 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
}
} else
} else {
i++;
}
}
if (match == 0) {
WARNF("Mistyped AFL environment variable: %s", env);
@ -361,7 +363,7 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
}
if (found) sleep(2);
if (found) { sleep(2); }
}
@ -369,18 +371,18 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
void afl_state_deinit(afl_state_t *afl) {
if (afl->post_deinit) afl->post_deinit(afl->post_data);
if (afl->in_place_resume) ck_free(afl->in_dir);
if (afl->sync_id) ck_free(afl->out_dir);
if (afl->pass_stats) ck_free(afl->pass_stats);
if (afl->orig_cmp_map) ck_free(afl->orig_cmp_map);
if (afl->post_deinit) { afl->post_deinit(afl->post_data); }
if (afl->in_place_resume) { ck_free(afl->in_dir); }
if (afl->sync_id) { ck_free(afl->out_dir); }
if (afl->pass_stats) { ck_free(afl->pass_stats); }
if (afl->orig_cmp_map) { ck_free(afl->orig_cmp_map); }
if (afl->out_buf) free(afl->out_buf);
if (afl->out_scratch_buf) free(afl->out_scratch_buf);
if (afl->eff_buf) free(afl->eff_buf);
if (afl->in_buf) free(afl->in_buf);
if (afl->in_scratch_buf) free(afl->in_scratch_buf);
if (afl->ex_buf) free(afl->ex_buf);
if (afl->out_buf) { free(afl->out_buf); }
if (afl->out_scratch_buf) { free(afl->out_scratch_buf); }
if (afl->eff_buf) { free(afl->eff_buf); }
if (afl->in_buf) { free(afl->in_buf); }
if (afl->in_scratch_buf) { free(afl->in_scratch_buf); }
if (afl->ex_buf) { free(afl->ex_buf); }
ck_free(afl->virgin_bits);
ck_free(afl->virgin_tmout);

204
src/afl-fuzz-stats.c
View File

@ -43,11 +43,11 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", fn);
if (fd < 0) { PFATAL("Unable to create '%s'", fn); }
f = fdopen(fd, "w");
if (!f) PFATAL("fdopen() failed");
if (!f) { PFATAL("fdopen() failed"); }
/* Keep last values in case we're called from another context
where exec/sec stats and such are not readily available. */
@ -65,7 +65,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
}
if (getrusage(RUSAGE_CHILDREN, &rus)) rus.ru_maxrss = 0;
if (getrusage(RUSAGE_CHILDREN, &rus)) { rus.ru_maxrss = 0; }
fprintf(
f,
@ -153,9 +153,12 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) {
afl->plot_prev_uc == afl->unique_crashes &&
afl->plot_prev_uh == afl->unique_hangs &&
afl->plot_prev_md == afl->max_depth) ||
unlikely(!afl->queue_cycle))
unlikely(!afl->queue_cycle)) {
return;
}
afl->plot_prev_qp = afl->queued_paths;
afl->plot_prev_pf = afl->pending_favored;
afl->plot_prev_pnf = afl->pending_not_fuzzed;
@ -190,10 +193,10 @@ static void check_term_size(afl_state_t *afl) {
afl->term_too_small = 0;
if (ioctl(1, TIOCGWINSZ, &ws)) return;
if (ioctl(1, TIOCGWINSZ, &ws)) { return; }
if (ws.ws_row == 0 || ws.ws_col == 0) return;
if (ws.ws_row < 24 || ws.ws_col < 79) afl->term_too_small = 1;
if (ws.ws_row == 0 || ws.ws_col == 0) { return; }
if (ws.ws_row < 24 || ws.ws_col < 79) { afl->term_too_small = 1; }
}
@ -241,12 +244,15 @@ void show_stats(afl_state_t *afl) {
/* If not enough time has passed since last UI update, bail out. */
if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ &&
!afl->force_ui_update)
!afl->force_ui_update) {
return;
}
/* Check if we're past the 10 minute mark. */
if (cur_ms - afl->start_time > 10 * 60 * 1000) afl->run_over10m = 1;
if (cur_ms - afl->start_time > 10 * 60 * 1000) { afl->run_over10m = 1; }
/* Calculate smoothed exec speed stats. */
@ -263,9 +269,13 @@ void show_stats(afl_state_t *afl) {
/* If there is a dramatic (5x+) jump in speed, reset the indicator
more quickly. */
if (cur_avg * 5 < afl->stats_avg_exec || cur_avg / 5 > afl->stats_avg_exec)
if (cur_avg * 5 < afl->stats_avg_exec ||
cur_avg / 5 > afl->stats_avg_exec) {
afl->stats_avg_exec = cur_avg;
}
afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) +
cur_avg * (1.0 / AVG_SMOOTHING);
@ -277,18 +287,23 @@ void show_stats(afl_state_t *afl) {
/* Tell the callers when to contact us (as measured in execs). */
afl->stats_update_freq = afl->stats_avg_exec / (UI_TARGET_HZ * 10);
if (!afl->stats_update_freq) afl->stats_update_freq = 1;
if (!afl->stats_update_freq) { afl->stats_update_freq = 1; }
/* Do some bitmap stats. */
t_bytes = count_non_255_bytes(afl, afl->virgin_bits);
t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.map_size;
if (likely(t_bytes) && unlikely(afl->var_byte_count))
if (likely(t_bytes) && unlikely(afl->var_byte_count)) {
stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes);
else
} else {
stab_ratio = 100;
}
/* Roughly every minute, update fuzzer stats and save auto tokens. */
if (cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000) {
@ -312,19 +327,25 @@ void show_stats(afl_state_t *afl) {
/* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */
if (!afl->dumb_mode && afl->cycles_wo_finds > 100 &&
!afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done)
!afl->pending_not_fuzzed && afl->afl_env.afl_exit_when_done) {
afl->stop_soon = 2;
if (afl->total_crashes && afl->afl_env.afl_bench_until_crash)
}
if (afl->total_crashes && afl->afl_env.afl_bench_until_crash) {
afl->stop_soon = 2;
}
/* If we're not on TTY, bail out. */
if (afl->not_on_tty) return;
if (afl->not_on_tty) { return; }
/* If we haven't started doing things, bail out. */
if (!afl->queue_cur) return;
if (!afl->queue_cur) { return; }
/* Compute some mildly useful bitmap stats. */
@ -402,26 +423,35 @@ void show_stats(afl_state_t *afl) {
u64 min_wo_finds = (cur_ms - afl->last_path_time) / 1000 / 60;
/* First queue cycle: don't stop now! */
if (afl->queue_cycle == 1 || min_wo_finds < 15)
if (afl->queue_cycle == 1 || min_wo_finds < 15) {
strcpy(tmp, cMGN);
else
} else
/* Subsequent cycles, but we're still making finds. */
if (afl->cycles_wo_finds < 25 || min_wo_finds < 30)
if (afl->cycles_wo_finds < 25 || min_wo_finds < 30) {
strcpy(tmp, cYEL);
else
} else
/* No finds for a long time and no test cases to try. */
if (afl->cycles_wo_finds > 100 && !afl->pending_not_fuzzed &&
min_wo_finds > 120)
min_wo_finds > 120) {
strcpy(tmp, cLGN);
/* Default: cautiously OK to stop? */
else
} else {
strcpy(tmp, cLBL);
}
}
u_stringify_time_diff(time_tmp, cur_ms, afl->start_time);
SAYF(bV bSTOP " run time : " cRST "%-33s " bSTG bV bSTOP
" cycles done : %s%-5s " bSTG bV "\n",
@ -439,18 +469,20 @@ void show_stats(afl_state_t *afl) {
} else {
if (afl->dumb_mode)
if (afl->dumb_mode) {
SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST
" (non-instrumented mode) ");
else
} else {
SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD
"(odd, check syntax!) ");
}
}
SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n",
u_stringify_int(IB(0), afl->queued_paths));
@ -605,7 +637,8 @@ void show_stats(afl_state_t *afl) {
" levels : " cRST "%-10s" bSTG bV "\n",
tmp, u_stringify_int(IB(0), afl->max_depth));
if (!afl->skip_deterministic)
if (!afl->skip_deterministic) {
sprintf(tmp, "%s/%s, %s/%s, %s/%s",
u_stringify_int(IB(0), afl->stage_finds[STAGE_FLIP8]),
u_stringify_int(IB(1), afl->stage_cycles[STAGE_FLIP8]),
@ -614,11 +647,14 @@ void show_stats(afl_state_t *afl) {
u_stringify_int(IB(4), afl->stage_finds[STAGE_FLIP32]),
u_stringify_int(IB(5), afl->stage_cycles[STAGE_FLIP32]));
}
SAYF(bV bSTOP " byte flips : " cRST "%-36s " bSTG bV bSTOP
" pending : " cRST "%-10s" bSTG bV "\n",
tmp, u_stringify_int(IB(0), afl->pending_not_fuzzed));
if (!afl->skip_deterministic)
if (!afl->skip_deterministic) {
sprintf(tmp, "%s/%s, %s/%s, %s/%s",
u_stringify_int(IB(0), afl->stage_finds[STAGE_ARITH8]),
u_stringify_int(IB(1), afl->stage_cycles[STAGE_ARITH8]),
@ -627,11 +663,14 @@ void show_stats(afl_state_t *afl) {
u_stringify_int(IB(4), afl->stage_finds[STAGE_ARITH32]),
u_stringify_int(IB(5), afl->stage_cycles[STAGE_ARITH32]));
}
SAYF(bV bSTOP " arithmetics : " cRST "%-36s " bSTG bV bSTOP
" pend fav : " cRST "%-10s" bSTG bV "\n",
tmp, u_stringify_int(IB(0), afl->pending_favored));
if (!afl->skip_deterministic)
if (!afl->skip_deterministic) {
sprintf(tmp, "%s/%s, %s/%s, %s/%s",
u_stringify_int(IB(0), afl->stage_finds[STAGE_INTEREST8]),
u_stringify_int(IB(1), afl->stage_cycles[STAGE_INTEREST8]),
@ -640,11 +679,14 @@ void show_stats(afl_state_t *afl) {
u_stringify_int(IB(4), afl->stage_finds[STAGE_INTEREST32]),
u_stringify_int(IB(5), afl->stage_cycles[STAGE_INTEREST32]));
}
SAYF(bV bSTOP " known ints : " cRST "%-36s " bSTG bV bSTOP
" own finds : " cRST "%-10s" bSTG bV "\n",
tmp, u_stringify_int(IB(0), afl->queued_discovered));
if (!afl->skip_deterministic)
if (!afl->skip_deterministic) {
sprintf(tmp, "%s/%s, %s/%s, %s/%s",
u_stringify_int(IB(0), afl->stage_finds[STAGE_EXTRAS_UO]),
u_stringify_int(IB(1), afl->stage_cycles[STAGE_EXTRAS_UO]),
@ -653,6 +695,8 @@ void show_stats(afl_state_t *afl) {
u_stringify_int(IB(4), afl->stage_finds[STAGE_EXTRAS_AO]),
u_stringify_int(IB(5), afl->stage_cycles[STAGE_EXTRAS_AO]));
}
SAYF(bV bSTOP " dictionary : " cRST "%-36s " bSTG bV bSTOP
" imported : " cRST "%-10s" bSTG bV "\n",
tmp,
@ -669,11 +713,16 @@ void show_stats(afl_state_t *afl) {
SAYF(bV bSTOP " havoc/rad : " cRST "%-36s " bSTG bV bSTOP, tmp);
if (t_bytes)
if (t_bytes) {
sprintf(tmp, "%0.02f%%", stab_ratio);
else
} else {
strcpy(tmp, "n/a");
}
SAYF(" stability : %s%-10s" bSTG bV "\n",
(stab_ratio < 85 && afl->var_byte_count > 40)
? cLRD
@ -769,14 +818,17 @@ void show_stats(afl_state_t *afl) {
/* If we could still run one or more processes, use green. */
if (afl->cpu_core_count > 1 && cur_runnable + 1 <= afl->cpu_core_count)
if (afl->cpu_core_count > 1 && cur_runnable + 1 <= afl->cpu_core_count) {
cpu_color = cLGN;
}
/* If we're clearly oversubscribed, use red. */
if (!afl->no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD;
if (!afl->no_cpu_meter_red && cur_utilization >= 150) { cpu_color = cLRD; }
if (afl->fsrv.snapshot) spacing = snap;
if (afl->fsrv.snapshot) { spacing = snap; }
#ifdef HAVE_AFFINITY
@ -799,10 +851,12 @@ void show_stats(afl_state_t *afl) {
#endif /* ^HAVE_AFFINITY */
} else
} else {
SAYF("\r");
}
/* Last line */
SAYF(SET_G1 "\n" bSTG bLB bH30 bH20 bH2 bRB bSTOP cRST RESET_G1);
@ -829,17 +883,21 @@ void show_init_stats(afl_state_t *afl) {
u8 val_bufs[4][STRINGIFY_VAL_SIZE_MAX];
#define IB(i) val_bufs[(i)], sizeof(val_bufs[(i)])
if (afl->total_cal_cycles) avg_us = afl->total_cal_us / afl->total_cal_cycles;
if (afl->total_cal_cycles) {
avg_us = afl->total_cal_us / afl->total_cal_cycles;
}
while (q) {
if (!min_us || q->exec_us < min_us) min_us = q->exec_us;
if (q->exec_us > max_us) max_us = q->exec_us;
if (!min_us || q->exec_us < min_us) { min_us = q->exec_us; }
if (q->exec_us > max_us) { max_us = q->exec_us; }
if (!min_bits || q->bitmap_size < min_bits) min_bits = q->bitmap_size;
if (q->bitmap_size > max_bits) max_bits = q->bitmap_size;
if (!min_bits || q->bitmap_size < min_bits) { min_bits = q->bitmap_size; }
if (q->bitmap_size > max_bits) { max_bits = q->bitmap_size; }
if (q->len > max_len) max_len = q->len;
if (q->len > max_len) { max_len = q->len; }
q = q->next;
@ -847,40 +905,63 @@ void show_init_stats(afl_state_t *afl) {
SAYF("\n");
if (avg_us > ((afl->fsrv.qemu_mode || afl->unicorn_mode) ? 50000 : 10000))
if (avg_us > ((afl->fsrv.qemu_mode || afl->unicorn_mode) ? 50000 : 10000)) {
WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.md.",
doc_path);
}
/* Let's keep things moving with slow binaries. */
if (avg_us > 50000)
if (avg_us > 50000) {
afl->havoc_div = 10; /* 0-19 execs/sec */
else if (avg_us > 20000)
} else if (avg_us > 20000) {
afl->havoc_div = 5; /* 20-49 execs/sec */
else if (avg_us > 10000)
} else if (avg_us > 10000) {
afl->havoc_div = 2; /* 50-100 execs/sec */
}
if (!afl->resuming_fuzz) {
if (max_len > 50 * 1024)
if (max_len > 50 * 1024) {
WARNF(cLRD "Some test cases are huge (%s) - see %s/perf_tips.md!",
stringify_mem_size(IB(0), max_len), doc_path);
else if (max_len > 10 * 1024)
} else if (max_len > 10 * 1024) {
WARNF("Some test cases are big (%s) - see %s/perf_tips.md.",
stringify_mem_size(IB(0), max_len), doc_path);
if (afl->useless_at_start && !afl->in_bitmap)
}
if (afl->useless_at_start && !afl->in_bitmap) {
WARNF(cLRD "Some test cases look useless. Consider using a smaller set.");
if (afl->queued_paths > 100)
}
if (afl->queued_paths > 100) {
WARNF(cLRD
"You probably have far too many input files! Consider trimming "
"down.");
else if (afl->queued_paths > 20)
} else if (afl->queued_paths > 20) {
WARNF("You have lots of input files; try starting small.");
}
}
OKF("Here are some useful stats:\n\n"
cGRA " Test case count : " cRST
@ -903,20 +984,30 @@ void show_init_stats(afl_state_t *afl) {
random scheduler jitter is less likely to have any impact, and because
our patience is wearing thin =) */
if (avg_us > 50000)
if (avg_us > 50000) {
afl->fsrv.exec_tmout = avg_us * 2 / 1000;
else if (avg_us > 10000)
} else if (avg_us > 10000) {
afl->fsrv.exec_tmout = avg_us * 3 / 1000;
else
} else {
afl->fsrv.exec_tmout = avg_us * 5 / 1000;
}
afl->fsrv.exec_tmout = MAX(afl->fsrv.exec_tmout, max_us / 1000);
afl->fsrv.exec_tmout =
(afl->fsrv.exec_tmout + EXEC_TM_ROUND) / EXEC_TM_ROUND * EXEC_TM_ROUND;
if (afl->fsrv.exec_tmout > EXEC_TIMEOUT)
if (afl->fsrv.exec_tmout > EXEC_TIMEOUT) {
afl->fsrv.exec_tmout = EXEC_TIMEOUT;
}
ACTF("No -t option specified, so I'll use exec timeout of %u ms.",
afl->fsrv.exec_tmout);
@ -932,9 +1023,12 @@ void show_init_stats(afl_state_t *afl) {
/* In dumb mode, re-running every timing out test case with a generous time
limit is very expensive, so let's select a more conservative default. */
if (afl->dumb_mode && !(afl->afl_env.afl_hang_tmout))
if (afl->dumb_mode && !(afl->afl_env.afl_hang_tmout)) {
afl->hang_tmout = MIN(EXEC_TIMEOUT, afl->fsrv.exec_tmout * 2 + 100);
}
OKF("All set and ready to roll!");
#undef IB

435
src/afl-fuzz.c
View File

@ -37,7 +37,7 @@ static u8 *get_libradamsa_path(u8 *own_loc) {
cp = alloc_printf("%s/libradamsa.so", tmp);
if (access(cp, X_OK)) FATAL("Unable to find '%s'", cp);
if (access(cp, X_OK)) { FATAL("Unable to find '%s'", cp); }
return cp;
@ -53,12 +53,14 @@ static u8 *get_libradamsa_path(u8 *own_loc) {
cp = alloc_printf("%s/libradamsa.so", own_copy);
ck_free(own_copy);
if (!access(cp, X_OK)) return cp;
if (!access(cp, X_OK)) { return cp; }
} else
} else {
ck_free(own_copy);
}
if (!access(AFL_PATH "/libradamsa.so", X_OK)) {
return ck_strdup(AFL_PATH "/libradamsa.so");
@ -148,7 +150,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
"case\n\n",
argv0, EXEC_TIMEOUT, MEM_LIMIT);
if (more_help > 1)
if (more_help > 1) {
SAYF(
"Environment variables used:\n"
"LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n"
@ -193,11 +196,15 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
//"AFL_DEFER_FORKSRV: not supported anymore -> no effect, just a warning\n"
"\n"
);
else
} else {
SAYF(
"To view also the supported environment variables of afl-fuzz please "
"use \"-hh\".\n\n");
}
#ifdef USE_PYTHON
SAYF("Compiled with %s module support, see docs/custom_mutator.md\n",
(char *)PYTHON_VERSION);
@ -216,13 +223,13 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
static int stricmp(char const *a, char const *b) {
if (!a || !b) FATAL("Null reference");
if (!a || !b) { FATAL("Null reference"); }
for (;; ++a, ++b) {
int d;
d = tolower(*a) - tolower(*b);
if (d != 0 || !*a) return d;
if (d != 0 || !*a) { return d; }
}
@ -247,14 +254,14 @@ int main(int argc, char **argv_orig, char **envp) {
afl_state_t *afl = calloc(1, sizeof(afl_state_t));
if (!afl) { FATAL("Could not create afl state"); }
if (get_afl_env("AFL_DEBUG")) afl->debug = 1;
if (get_afl_env("AFL_DEBUG")) { afl->debug = 1; }
map_size = get_map_size();
afl_state_init(afl, map_size);
afl_fsrv_init(&afl->fsrv);
read_afl_environment(afl, envp);
if (afl->shm.map_size) afl->fsrv.map_size = afl->shm.map_size;
if (afl->shm.map_size) { afl->fsrv.map_size = afl->shm.map_size; }
exit_1 = !!afl->afl_env.afl_bench_just_one;
SAYF(cCYA "afl-fuzz" VERSION cRST
@ -266,11 +273,14 @@ int main(int argc, char **argv_orig, char **envp) {
afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
while ((opt = getopt(argc, argv,
"+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) > 0)
"+c:i:I:o:f:m:t:T:dnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:")) >
0) {
switch (opt) {
case 'I': afl->infoexec = optarg; break;
case 'I':
afl->infoexec = optarg;
break;
case 'c': {
@ -334,7 +344,7 @@ int main(int argc, char **argv_orig, char **envp) {
case 'e':
if (afl->file_extension) FATAL("Multiple -e options not supported");
if (afl->file_extension) { FATAL("Multiple -e options not supported"); }
afl->file_extension = optarg;
@ -342,16 +352,16 @@ int main(int argc, char **argv_orig, char **envp) {
case 'i': /* input dir */
if (afl->in_dir) FATAL("Multiple -i options not supported");
if (afl->in_dir) { FATAL("Multiple -i options not supported"); }
afl->in_dir = optarg;
if (!strcmp(afl->in_dir, "-")) afl->in_place_resume = 1;
if (!strcmp(afl->in_dir, "-")) { afl->in_place_resume = 1; }
break;
case 'o': /* output dir */
if (afl->out_dir) FATAL("Multiple -o options not supported");
if (afl->out_dir) { FATAL("Multiple -o options not supported"); }
afl->out_dir = optarg;
break;
@ -359,7 +369,7 @@ int main(int argc, char **argv_orig, char **envp) {
u8 *c;
if (afl->sync_id) FATAL("Multiple -S or -M options not supported");
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
afl->sync_id = ck_strdup(optarg);
if ((c = strchr(afl->sync_id, ':'))) {
@ -368,11 +378,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (sscanf(c + 1, "%u/%u", &afl->master_id, &afl->master_max) != 2 ||
!afl->master_id || !afl->master_max ||
afl->master_id > afl->master_max || afl->master_max > 1000000)
afl->master_id > afl->master_max || afl->master_max > 1000000) {
FATAL("Bogus master ID passed to -M");
}
}
afl->force_deterministic = 1;
}
@ -381,20 +394,20 @@ int main(int argc, char **argv_orig, char **envp) {
case 'S':
if (afl->sync_id) FATAL("Multiple -S or -M options not supported");
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
afl->sync_id = ck_strdup(optarg);
break;
case 'f': /* target file */
if (afl->fsrv.out_file) FATAL("Multiple -f options not supported");
if (afl->fsrv.out_file) { FATAL("Multiple -f options not supported"); }
afl->fsrv.out_file = ck_strdup(optarg);
afl->fsrv.use_stdin = 0;
break;
case 'x': /* dictionary */
if (extras_dir) FATAL("Multiple -x options not supported");
if (extras_dir) { FATAL("Multiple -x options not supported"); }
extras_dir = optarg;
break;
@ -402,19 +415,27 @@ int main(int argc, char **argv_orig, char **envp) {
u8 suffix = 0;
if (afl->timeout_given) FATAL("Multiple -t options not supported");
if (afl->timeout_given) { FATAL("Multiple -t options not supported"); }
if (sscanf(optarg, "%u%c", &afl->fsrv.exec_tmout, &suffix) < 1 ||
optarg[0] == '-')
optarg[0] == '-') {
FATAL("Bad syntax used for -t");
if (afl->fsrv.exec_tmout < 5) FATAL("Dangerously low value of -t");
}
if (afl->fsrv.exec_tmout < 5) { FATAL("Dangerously low value of -t"); }
if (suffix == '+') {
if (suffix == '+')
afl->timeout_given = 2;
else
} else {
afl->timeout_given = 1;
}
break;
}
@ -423,10 +444,10 @@ int main(int argc, char **argv_orig, char **envp) {
u8 suffix = 'M';
if (mem_limit_given) FATAL("Multiple -m options not supported");
if (mem_limit_given) { FATAL("Multiple -m options not supported"); }
mem_limit_given = 1;
if (!optarg) FATAL("Wrong usage of -m");
if (!optarg) { FATAL("Wrong usage of -m"); }
if (!strcmp(optarg, "none")) {
@ -436,32 +457,51 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (sscanf(optarg, "%llu%c", &afl->fsrv.mem_limit, &suffix) < 1 ||
optarg[0] == '-')
optarg[0] == '-') {
FATAL("Bad syntax used for -m");
switch (suffix) {
case 'T': afl->fsrv.mem_limit *= 1024 * 1024; break;
case 'G': afl->fsrv.mem_limit *= 1024; break;
case 'k': afl->fsrv.mem_limit /= 1024; break;
case 'M': break;
default: FATAL("Unsupported suffix or bad syntax for -m");
}
if (afl->fsrv.mem_limit < 5) FATAL("Dangerously low value of -m");
switch (suffix) {
case 'T':
afl->fsrv.mem_limit *= 1024 * 1024;
break;
case 'G':
afl->fsrv.mem_limit *= 1024;
break;
case 'k':
afl->fsrv.mem_limit /= 1024;
break;
case 'M':
break;
default:
FATAL("Unsupported suffix or bad syntax for -m");
}
if (afl->fsrv.mem_limit < 5) { FATAL("Dangerously low value of -m"); }
if (sizeof(rlim_t) == 4 && afl->fsrv.mem_limit > 2000) {
if (sizeof(rlim_t) == 4 && afl->fsrv.mem_limit > 2000)
FATAL("Value of -m out of range on 32-bit systems");
}
}
break;
case 'd': /* skip deterministic */
if (afl->skip_deterministic) FATAL("Multiple -d options not supported");
if (afl->skip_deterministic) {
FATAL("Multiple -d options not supported");
}
afl->skip_deterministic = 1;
afl->use_splicing = 1;
break;
@ -479,7 +519,7 @@ int main(int argc, char **argv_orig, char **envp) {
I only used this once or twice to get variants of a particular
file, so I'm not making this an official setting. */
if (afl->in_bitmap) FATAL("Multiple -B options not supported");
if (afl->in_bitmap) { FATAL("Multiple -B options not supported"); }
afl->in_bitmap = optarg;
read_bitmap(afl->in_bitmap, afl->virgin_bits, afl->fsrv.map_size);
@ -487,85 +527,99 @@ int main(int argc, char **argv_orig, char **envp) {
case 'C': /* crash mode */
if (afl->crash_mode) FATAL("Multiple -C options not supported");
if (afl->crash_mode) { FATAL("Multiple -C options not supported"); }
afl->crash_mode = FSRV_RUN_CRASH;
break;
case 'n': /* dumb mode */
if (afl->dumb_mode) FATAL("Multiple -n options not supported");
if (afl->afl_env.afl_dumb_forksrv)
if (afl->dumb_mode) { FATAL("Multiple -n options not supported"); }
if (afl->afl_env.afl_dumb_forksrv) {
afl->dumb_mode = 2;
else
} else {
afl->dumb_mode = 1;
}
break;
case 'T': /* banner */
if (afl->use_banner) FATAL("Multiple -T options not supported");
if (afl->use_banner) { FATAL("Multiple -T options not supported"); }
afl->use_banner = optarg;
break;
case 'Q': /* QEMU mode */
if (afl->fsrv.qemu_mode) FATAL("Multiple -Q options not supported");
if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); }
afl->fsrv.qemu_mode = 1;
if (!mem_limit_given) afl->fsrv.mem_limit = MEM_LIMIT_QEMU;
if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; }
break;
case 'N': /* Unicorn mode */
if (afl->no_unlink) FATAL("Multiple -N options not supported");
if (afl->no_unlink) { FATAL("Multiple -N options not supported"); }
afl->no_unlink = 1;
break;
case 'U': /* Unicorn mode */
if (afl->unicorn_mode) FATAL("Multiple -U options not supported");
if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); }
afl->unicorn_mode = 1;
if (!mem_limit_given) afl->fsrv.mem_limit = MEM_LIMIT_UNICORN;
if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; }
break;
case 'W': /* Wine+QEMU mode */
if (afl->use_wine) FATAL("Multiple -W options not supported");
if (afl->use_wine) { FATAL("Multiple -W options not supported"); }
afl->fsrv.qemu_mode = 1;
afl->use_wine = 1;
if (!mem_limit_given) afl->fsrv.mem_limit = 0;
if (!mem_limit_given) { afl->fsrv.mem_limit = 0; }
break;
case 'V': {
afl->most_time_key = 1;
if (sscanf(optarg, "%llu", &afl->most_time) < 1 || optarg[0] == '-')
if (sscanf(optarg, "%llu", &afl->most_time) < 1 || optarg[0] == '-') {
FATAL("Bad syntax used for -V");
}
} break;
case 'E': {
afl->most_execs_key = 1;
if (sscanf(optarg, "%llu", &afl->most_execs) < 1 || optarg[0] == '-')
if (sscanf(optarg, "%llu", &afl->most_execs) < 1 || optarg[0] == '-') {
FATAL("Bad syntax used for -E");
}
} break;
case 'L': { /* MOpt mode */
if (afl->limit_time_sig) FATAL("Multiple -L options not supported");
if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); }
afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT;
if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1)
if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) {
FATAL("Bad syntax used for -L");
}
if (afl->limit_time_puppet == -1) {
afl->limit_time_sig = -1;
@ -583,19 +637,23 @@ int main(int argc, char **argv_orig, char **envp) {
u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000;
if (limit_time_puppet2 < afl->limit_time_puppet)
if (limit_time_puppet2 < afl->limit_time_puppet) {
FATAL("limit_time overflow");
}
afl->limit_time_puppet = limit_time_puppet2;
SAYF("limit_time_puppet %d\n", afl->limit_time_puppet);
afl->swarm_now = 0;
if (afl->limit_time_puppet == 0) afl->key_puppet = 1;
if (afl->limit_time_puppet == 0) { afl->key_puppet = 1; }
int i;
int tmp_swarm = 0;
if (afl->g_now > afl->g_max) afl->g_now = 0;
if (afl->g_now > afl->g_max) { afl->g_now = 0; }
afl->w_now = (afl->w_init - afl->w_end) * (afl->g_max - afl->g_now) /
(afl->g_max) +
afl->w_end;
@ -643,11 +701,16 @@ int main(int argc, char **argv_orig, char **envp) {
afl->x_now[tmp_swarm][i] += afl->v_now[tmp_swarm][i];
if (afl->x_now[tmp_swarm][i] > v_max)
if (afl->x_now[tmp_swarm][i] > v_max) {
afl->x_now[tmp_swarm][i] = v_max;
else if (afl->x_now[tmp_swarm][i] < v_min)
} else if (afl->x_now[tmp_swarm][i] < v_min) {
afl->x_now[tmp_swarm][i] = v_min;
}
x_temp += afl->x_now[tmp_swarm][i];
}
@ -655,21 +718,29 @@ int main(int argc, char **argv_orig, char **envp) {
for (i = 0; i < operator_num; ++i) {
afl->x_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i] / x_temp;
if (likely(i != 0))
if (likely(i != 0)) {
afl->probability_now[tmp_swarm][i] =
afl->probability_now[tmp_swarm][i - 1] +
afl->x_now[tmp_swarm][i];
else
} else {
afl->probability_now[tmp_swarm][i] = afl->x_now[tmp_swarm][i];
}
}
if (afl->probability_now[tmp_swarm][operator_num - 1] < 0.99 ||
afl->probability_now[tmp_swarm][operator_num - 1] > 1.01)
afl->probability_now[tmp_swarm][operator_num - 1] > 1.01) {
FATAL("ERROR probability");
}
}
for (i = 0; i < operator_num; ++i) {
afl->core_operator_finds_puppet[i] = 0;
@ -682,25 +753,37 @@ int main(int argc, char **argv_orig, char **envp) {
} break;
case 'h': show_help++; break; // not needed
case 'h':
show_help++;
break; // not needed
case 'R':
if (afl->use_radamsa)
if (afl->use_radamsa) {
afl->use_radamsa = 2;
else
} else {
afl->use_radamsa = 1;
}
break;
default:
if (!show_help) show_help = 1;
if (!show_help) { show_help = 1; }
}
if (optind == argc || !afl->in_dir || !afl->out_dir || show_help)
}
if (optind == argc || !afl->in_dir || !afl->out_dir || show_help) {
usage(afl, argv[0], show_help);
}
OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" "
"Eißfeldt, Andrea Fioraldi and Dominik Maier");
OKF("afl++ is open source, get it at "
@ -711,40 +794,57 @@ int main(int argc, char **argv_orig, char **envp) {
OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL");
if (afl->sync_id && afl->force_deterministic &&
afl->afl_env.afl_custom_mutator_only)
afl->afl_env.afl_custom_mutator_only) {
WARNF(
"Using -M master with the AFL_CUSTOM_MUTATOR_ONLY mutator options will "
"result in no deterministic mutations being done!");
if (afl->fixed_seed) OKF("Running with fixed seed: %u", (u32)afl->init_seed);
}
if (afl->fixed_seed) {
OKF("Running with fixed seed: %u", (u32)afl->init_seed);
}
srandom((u32)afl->init_seed);
srand((u32)afl->init_seed); // in case it is a different implementation
if (afl->use_radamsa) {
if (afl->limit_time_sig > 0)
if (afl->limit_time_sig > 0) {
FATAL(
"MOpt and Radamsa are mutually exclusive unless you specify -L -1. "
"We accept pull requests that integrates MOpt with the optional "
"mutators (custom/radamsa/redqueen/...).");
if (afl->limit_time_sig && afl->use_radamsa > 1)
}
if (afl->limit_time_sig && afl->use_radamsa > 1) {
FATAL("Radamsa in radamsa-only mode can not run together with -L");
}
OKF("Using Radamsa add-on");
u8 * libradamsa_path = get_libradamsa_path(argv[0]);
void *handle = dlopen(libradamsa_path, RTLD_NOW);
ck_free(libradamsa_path);
if (!handle) FATAL("Failed to dlopen() libradamsa");
if (!handle) { FATAL("Failed to dlopen() libradamsa"); }
void (*radamsa_init_ptr)(void) = dlsym(handle, "radamsa_init");
afl->radamsa_mutate_ptr = dlsym(handle, "radamsa");
if (!radamsa_init_ptr || !afl->radamsa_mutate_ptr)
if (!radamsa_init_ptr || !afl->radamsa_mutate_ptr) {
FATAL("Failed to dlsym() libradamsa");
}
/* randamsa_init installs some signal hadlers, call it before
setup_signal_handlers so that AFL++ can then replace those signal
handlers */
@ -767,80 +867,113 @@ int main(int argc, char **argv_orig, char **envp) {
afl->power_name = power_names[afl->schedule];
if (afl->sync_id) fix_up_sync(afl);
if (afl->sync_id) { fix_up_sync(afl); }
if (!strcmp(afl->in_dir, afl->out_dir)) {
if (!strcmp(afl->in_dir, afl->out_dir))
FATAL("Input and output directories can't be the same");
if (afl->dumb_mode) {
if (afl->crash_mode) FATAL("-C and -n are mutually exclusive");
if (afl->fsrv.qemu_mode) FATAL("-Q and -n are mutually exclusive");
if (afl->unicorn_mode) FATAL("-U and -n are mutually exclusive");
}
if (get_afl_env("AFL_DISABLE_TRIM")) afl->disable_trim = 1;
if (afl->dumb_mode) {
if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); }
if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); }
if (afl->unicorn_mode) { FATAL("-U and -n are mutually exclusive"); }
}
if (get_afl_env("AFL_DISABLE_TRIM")) { afl->disable_trim = 1; }
if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI")) {
if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI"))
FATAL("AFL_NO_UI and AFL_FORCE_UI are mutually exclusive");
if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode)
}
if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) {
WARNF(cLRD
"Target binary called without a prefixed path, make sure you are "
"fuzzing the right binary: " cRST "%s",
argv[optind]);
}
ACTF("Getting to work...");
switch (afl->schedule) {
case FAST: OKF("Using exponential power schedule (FAST)"); break;
case COE: OKF("Using cut-off exponential power schedule (COE)"); break;
case FAST:
OKF("Using exponential power schedule (FAST)");
break;
case COE:
OKF("Using cut-off exponential power schedule (COE)");
break;
case EXPLOIT:
OKF("Using exploitation-based constant power schedule (EXPLOIT)");
break;
case LIN: OKF("Using linear power schedule (LIN)"); break;
case QUAD: OKF("Using quadratic power schedule (QUAD)"); break;
case MMOPT: OKF("Using modified MOpt power schedule (MMOPT)"); break;
case RARE: OKF("Using rare edge focus power schedule (RARE)"); break;
case LIN:
OKF("Using linear power schedule (LIN)");
break;
case QUAD:
OKF("Using quadratic power schedule (QUAD)");
break;
case MMOPT:
OKF("Using modified MOpt power schedule (MMOPT)");
break;
case RARE:
OKF("Using rare edge focus power schedule (RARE)");
break;
case EXPLORE:
OKF("Using exploration-based constant power schedule (EXPLORE, default)");
break;
default: FATAL("Unknown power schedule"); break;
default:
FATAL("Unknown power schedule");
break;
}
if (get_afl_env("AFL_NO_FORKSRV")) afl->no_forkserver = 1;
if (get_afl_env("AFL_NO_CPU_RED")) afl->no_cpu_meter_red = 1;
if (get_afl_env("AFL_NO_ARITH")) afl->no_arith = 1;
if (get_afl_env("AFL_SHUFFLE_QUEUE")) afl->shuffle_queue = 1;
if (get_afl_env("AFL_FAST_CAL")) afl->fast_cal = 1;
if (get_afl_env("AFL_NO_FORKSRV")) { afl->no_forkserver = 1; }
if (get_afl_env("AFL_NO_CPU_RED")) { afl->no_cpu_meter_red = 1; }
if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; }
if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; }
if (get_afl_env("AFL_FAST_CAL")) { afl->fast_cal = 1; }
if (afl->afl_env.afl_autoresume) {
afl->autoresume = 1;
if (afl->in_place_resume) SAYF("AFL_AUTORESUME has no effect for '-i -'");
if (afl->in_place_resume) {
SAYF("AFL_AUTORESUME has no effect for '-i -'");
}
}
if (afl->afl_env.afl_hang_tmout) {
afl->hang_tmout = atoi(afl->afl_env.afl_hang_tmout);
if (!afl->hang_tmout) FATAL("Invalid value of AFL_HANG_TMOUT");
if (!afl->hang_tmout) { FATAL("Invalid value of AFL_HANG_TMOUT"); }
}
if (afl->dumb_mode == 2 && afl->no_forkserver)
if (afl->dumb_mode == 2 && afl->no_forkserver) {
FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive");
}
afl->fsrv.use_fauxsrv = afl->dumb_mode == 1 || afl->no_forkserver;
if (getenv("LD_PRELOAD"))
if (getenv("LD_PRELOAD")) {
WARNF(
"LD_PRELOAD is set, are you sure that is what to you want to do "
"instead of using AFL_PRELOAD?");
}
if (afl->afl_env.afl_preload) {
if (afl->fsrv.qemu_mode) {
@ -852,20 +985,28 @@ int main(int argc, char **argv_orig, char **envp) {
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
if (afl_preload[i] == ',')
if (afl_preload[i] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
if (qemu_preload)
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
else
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
ck_free(buf);
@ -879,15 +1020,18 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (getenv("AFL_LD_PRELOAD"))
if (getenv("AFL_LD_PRELOAD")) {
FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD");
}
save_cmdline(afl, argc, argv);
fix_up_banner(afl, argv[optind]);
check_if_tty(afl);
if (afl->afl_env.afl_force_ui) afl->not_on_tty = 0;
if (afl->afl_env.afl_force_ui) { afl->not_on_tty = 0; }
if (afl->afl_env.afl_cal_fast) {
@ -921,7 +1065,7 @@ int main(int argc, char **argv_orig, char **envp) {
setup_post(afl);
if (!afl->in_bitmap) memset(afl->virgin_bits, 255, afl->fsrv.map_size);
if (!afl->in_bitmap) { memset(afl->virgin_bits, 255, afl->fsrv.map_size); }
memset(afl->virgin_tmout, 255, afl->fsrv.map_size);
memset(afl->virgin_crash, 255, afl->fsrv.map_size);
@ -938,9 +1082,9 @@ int main(int argc, char **argv_orig, char **envp) {
pivot_inputs(afl);
if (extras_dir) load_extras(afl, extras_dir);
if (extras_dir) { load_extras(afl, extras_dir); }
if (!afl->timeout_given) find_timeout(afl);
if (!afl->timeout_given) { find_timeout(afl); }
if ((afl->tmp_dir = afl->afl_env.afl_tmpdir) != NULL &&
!afl->in_place_resume) {
@ -959,16 +1103,21 @@ int main(int argc, char **argv_orig, char **envp) {
}
/* there is still a race condition here, but well ... */
if (access(tmpfile, F_OK) != -1)
if (access(tmpfile, F_OK) != -1) {
FATAL(
"AFL_TMPDIR already has an existing temporary input file: %s - if "
"this is not from another instance, then just remove the file.",
tmpfile);
} else
}
} else {
afl->tmp_dir = afl->out_dir;
}
/* If we don't have a file name chosen yet, use a safe default. */
if (!afl->fsrv.out_file) {
@ -1005,13 +1154,17 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (!afl->fsrv.out_file) setup_stdio_file(afl);
if (!afl->fsrv.out_file) { setup_stdio_file(afl); }
if (afl->cmplog_binary) {
if (afl->unicorn_mode)
if (afl->unicorn_mode) {
FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry");
if (!afl->fsrv.qemu_mode) check_binary(afl, afl->cmplog_binary);
}
if (!afl->fsrv.qemu_mode) { check_binary(afl, afl->cmplog_binary); }
}
@ -1021,13 +1174,18 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->fsrv.qemu_mode) {
if (afl->use_wine)
if (afl->use_wine) {
use_argv = get_wine_argv(argv[0], &afl->fsrv.target_path, argc - optind,
argv + optind);
else
} else {
use_argv = get_qemu_argv(argv[0], &afl->fsrv.target_path, argc - optind,
argv + optind);
}
} else {
use_argv = argv + optind;
@ -1062,7 +1220,7 @@ int main(int argc, char **argv_orig, char **envp) {
maybe_update_plot_file(afl, 0, 0);
save_auto(afl);
if (afl->stop_soon) goto stop_fuzzing;
if (afl->stop_soon) { goto stop_fuzzing; }
/* Woop woop woop */
@ -1070,7 +1228,7 @@ int main(int argc, char **argv_orig, char **envp) {
sleep(4);
afl->start_time += 4000;
if (afl->stop_soon) goto stop_fuzzing;
if (afl->stop_soon) { goto stop_fuzzing; }
}
@ -1112,34 +1270,44 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->queued_paths == prev_queued) {
if (afl->use_splicing)
if (afl->use_splicing) {
++afl->cycles_wo_finds;
else
} else {
afl->use_splicing = 1;
} else
}
} else {
afl->cycles_wo_finds = 0;
}
prev_queued = afl->queued_paths;
if (afl->sync_id && afl->queue_cycle == 1 &&
afl->afl_env.afl_import_first)
afl->afl_env.afl_import_first) {
sync_fuzzers(afl);
}
}
skipped_fuzz = fuzz_one(afl);
if (!skipped_fuzz && !afl->stop_soon && afl->sync_id) {
if (!(sync_interval_cnt++ % SYNC_INTERVAL)) sync_fuzzers(afl);
if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); }
}
if (!afl->stop_soon && exit_1) afl->stop_soon = 2;
if (!afl->stop_soon && exit_1) { afl->stop_soon = 2; }
if (afl->stop_soon) break;
if (afl->stop_soon) { break; }
afl->queue_cur = afl->queue_cur->next;
++afl->current_entry;
@ -1159,11 +1327,18 @@ stop_fuzzing:
SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST,
afl->stop_soon == 2 ? "programmatically" : "by user");
if (afl->most_time_key == 2)
if (afl->most_time_key == 2) {
SAYF(cYEL "[!] " cRST "Time limit was reached\n");
if (afl->most_execs_key == 2)
}
if (afl->most_execs_key == 2) {
SAYF(cYEL "[!] " cRST "Execution limit was reached\n");
}
/* Running for more than 30 minutes but still doing first cycle? */
if (afl->queue_cycle == 1 &&
@ -1182,7 +1357,7 @@ stop_fuzzing:
destroy_custom_mutator(afl);
afl_shm_deinit(&afl->shm);
afl_fsrv_deinit(&afl->fsrv);
if (afl->orig_cmdline) ck_free(afl->orig_cmdline);
if (afl->orig_cmdline) { ck_free(afl->orig_cmdline); }
ck_free(afl->fsrv.target_path);
ck_free(afl->fsrv.out_file);
ck_free(afl->sync_id);

59
src/afl-gcc.c
View File

@ -128,11 +128,16 @@ static void edit_params(u32 argc, char **argv) {
cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
name = strrchr(argv[0], '/');
if (!name)
if (!name) {
name = argv[0];
else
} else {
++name;
}
if (!strncmp(name, "afl-clang", 9)) {
clang_mode = 1;
@ -211,7 +216,7 @@ static void edit_params(u32 argc, char **argv) {
if (!strncmp(cur, "-B", 2)) {
if (!be_quiet) WARNF("-B is already set, overriding");
if (!be_quiet) { WARNF("-B is already set, overriding"); }
if (!cur[2] && argc > 1) {
@ -224,18 +229,22 @@ static void edit_params(u32 argc, char **argv) {
}
if (!strcmp(cur, "-integrated-as")) continue;
if (!strcmp(cur, "-integrated-as")) { continue; }
if (!strcmp(cur, "-pipe")) continue;
if (!strcmp(cur, "-pipe")) { continue; }
#if defined(__FreeBSD__) && defined(WORD_SIZE_64)
if (!strcmp(cur, "-m32")) m32_set = 1;
#endif
if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
if (!strcmp(cur, "-fsanitize=address") ||
!strcmp(cur, "-fsanitize=memory")) {
asan_set = 1;
if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
}
if (strstr(cur, "FORTIFY_SOURCE")) { fortify_set = 1; }
cc_params[cc_par_cnt++] = cur;
@ -244,13 +253,13 @@ static void edit_params(u32 argc, char **argv) {
cc_params[cc_par_cnt++] = "-B";
cc_params[cc_par_cnt++] = as_path;
if (clang_mode) cc_params[cc_par_cnt++] = "-no-integrated-as";
if (clang_mode) { cc_params[cc_par_cnt++] = "-no-integrated-as"; }
if (getenv("AFL_HARDEN")) {
cc_params[cc_par_cnt++] = "-fstack-protector-all";
if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
if (!fortify_set) { cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; }
}
@ -262,21 +271,35 @@ static void edit_params(u32 argc, char **argv) {
} else if (getenv("AFL_USE_ASAN")) {
if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive");
if (getenv("AFL_USE_MSAN")) {
FATAL("ASAN and MSAN are mutually exclusive");
}
if (getenv("AFL_HARDEN")) {
if (getenv("AFL_HARDEN"))
FATAL("ASAN and AFL_HARDEN are mutually exclusive");
}
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=address";
} else if (getenv("AFL_USE_MSAN")) {
if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive");
if (getenv("AFL_USE_ASAN")) {
FATAL("ASAN and MSAN are mutually exclusive");
}
if (getenv("AFL_HARDEN")) {
if (getenv("AFL_HARDEN"))
FATAL("MSAN and AFL_HARDEN are mutually exclusive");
}
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=memory";
@ -386,10 +409,12 @@ int main(int argc, char **argv) {
"afl-gcc is deprecated, llvm_mode is much faster and has more "
"options\n");
} else
} else {
be_quiet = 1;
}
if (argc < 2) {
SAYF(
@ -416,7 +441,11 @@ int main(int argc, char **argv) {
((ptr = getenv("AFL_MAP_SIZE")) || (ptr = getenv("AFL_MAPSIZE")))) {
u32 map_size = atoi(ptr);
if (map_size != MAP_SIZE) FATAL("AFL_MAP_SIZE is not supported by afl-gcc");
if (map_size != MAP_SIZE) {
FATAL("AFL_MAP_SIZE is not supported by afl-gcc");
}
}

20
src/afl-gotcpu.c
View File

@ -102,8 +102,12 @@ repeat_loop:
v1 = CTEST_BUSY_CYCLES;
while (v1--)
while (v1--) {
v2++;
}
sched_yield();
en_t = get_cur_time_us();
@ -154,7 +158,7 @@ int main(int argc, char **argv) {
s32 fr = fork();
if (fr < 0) PFATAL("fork failed");
if (fr < 0) { PFATAL("fork failed"); }
if (!fr) {
@ -192,8 +196,12 @@ int main(int argc, char **argv) {
#endif
#if defined(__linux__)
if (sched_setaffinity(0, sizeof(c), &c))
if (sched_setaffinity(0, sizeof(c), &c)) {
PFATAL("sched_setaffinity failed for cpu %d", i);
}
#endif
util_perc = measure_preemption(CTEST_CORE_TRG_MS);
@ -221,10 +229,10 @@ int main(int argc, char **argv) {
for (i = 0; i < cpu_cnt; i++) {
int ret;
if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed");
if (waitpid(-1, &ret, 0) < 0) { PFATAL("waitpid failed"); }
if (WEXITSTATUS(ret) == 0) idle_cpus++;
if (WEXITSTATUS(ret) <= 1) maybe_cpus++;
if (WEXITSTATUS(ret) == 0) { idle_cpus++; }
if (WEXITSTATUS(ret) <= 1) { maybe_cpus++; }
}

18
src/afl-sharedmem.c
View File

@ -86,7 +86,7 @@ void afl_shm_deinit(sharedmem_t *shm) {
#else
shmctl(shm->shm_id, IPC_RMID, NULL);
if (shm->cmplog_mode) shmctl(shm->cmplog_shm_id, IPC_RMID, NULL);
if (shm->cmplog_mode) { shmctl(shm->cmplog_shm_id, IPC_RMID, NULL); }
#endif
shm->map = NULL;
@ -152,14 +152,14 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | 0600);
if (shm->shm_id < 0) PFATAL("shmget() failed");
if (shm->shm_id < 0) { PFATAL("shmget() failed"); }
if (shm->cmplog_mode) {
shm->cmplog_shm_id = shmget(IPC_PRIVATE, sizeof(struct cmp_map),
IPC_CREAT | IPC_EXCL | 0600);
if (shm->cmplog_shm_id < 0) PFATAL("shmget() failed");
if (shm->cmplog_shm_id < 0) { PFATAL("shmget() failed"); }
}
@ -170,7 +170,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
fork server commands. This should be replaced with better auto-detection
later on, perhaps? */
if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1);
if (!dumb_mode) { setenv(SHM_ENV_VAR, shm_str, 1); }
ck_free(shm_str);
@ -178,7 +178,7 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
shm_str = alloc_printf("%d", shm->cmplog_shm_id);
if (!dumb_mode) setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1);
if (!dumb_mode) { setenv(CMPLOG_SHM_ENV_VAR, shm_str, 1); }
ck_free(shm_str);
@ -186,13 +186,17 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, unsigned char dumb_mode) {
shm->map = shmat(shm->shm_id, NULL, 0);
if (shm->map == (void *)-1 || !shm->map) PFATAL("shmat() failed");
if (shm->map == (void *)-1 || !shm->map) { PFATAL("shmat() failed"); }
if (shm->cmplog_mode) {
shm->cmp_map = shmat(shm->cmplog_shm_id, NULL, 0);
if (shm->cmp_map == (void *)-1 || !shm->cmp_map) PFATAL("shmat() failed");
if (shm->cmp_map == (void *)-1 || !shm->cmp_map) {
PFATAL("shmat() failed");
}
}

258
src/afl-showmap.c
View File

@ -121,7 +121,7 @@ static void classify_counts(afl_forkserver_t *fsrv) {
while (i--) {
if (*mem) *mem = 1;
if (*mem) { *mem = 1; }
mem++;
}
@ -143,7 +143,7 @@ static void classify_counts(afl_forkserver_t *fsrv) {
static void at_exit_handler(void) {
if (stdin_file) unlink(stdin_file);
if (stdin_file) { unlink(stdin_file); }
}
@ -161,25 +161,28 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
fd = open(outfile, O_WRONLY);
if (fd < 0) PFATAL("Unable to open '%s'", out_file);
if (fd < 0) { PFATAL("Unable to open '%s'", out_file); }
} else if (!strcmp(outfile, "-")) {
fd = dup(1);
if (fd < 0) PFATAL("Unable to open stdout");
if (fd < 0) { PFATAL("Unable to open stdout"); }
} else {
unlink(outfile); /* Ignore errors */
fd = open(outfile, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", outfile);
if (fd < 0) { PFATAL("Unable to create '%s'", outfile); }
}
if (binary_mode) {
for (i = 0; i < map_size; i++)
if (fsrv->trace_bits[i]) ret++;
for (i = 0; i < map_size; i++) {
if (fsrv->trace_bits[i]) { ret++; }
}
ck_write(fd, fsrv->trace_bits, map_size, outfile);
close(fd);
@ -188,29 +191,31 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
FILE *f = fdopen(fd, "w");
if (!f) PFATAL("fdopen() failed");
if (!f) { PFATAL("fdopen() failed"); }
for (i = 0; i < map_size; i++) {
if (!fsrv->trace_bits[i]) continue;
if (!fsrv->trace_bits[i]) { continue; }
ret++;
total += fsrv->trace_bits[i];
if (highest < fsrv->trace_bits[i]) highest = fsrv->trace_bits[i];
if (highest < fsrv->trace_bits[i]) { highest = fsrv->trace_bits[i]; }
if (cmin_mode) {
if (fsrv->last_run_timed_out) break;
if (!caa && child_crashed != cco) break;
if (fsrv->last_run_timed_out) { break; }
if (!caa && child_crashed != cco) { break; }
fprintf(f, "%u%u\n", fsrv->trace_bits[i], i);
} else
} else {
fprintf(f, "%06u:%u\n", i, fsrv->trace_bits[i]);
}
}
fclose(f);
}
@ -251,11 +256,14 @@ static u32 read_file(u8 *in_file) {
struct stat st;
s32 fd = open(in_file, O_RDONLY);
if (fd < 0) WARNF("Unable to open '%s'", in_file);
if (fd < 0) { WARNF("Unable to open '%s'", in_file); }
if (fstat(fd, &st) || !st.st_size) {
if (fstat(fd, &st) || !st.st_size)
WARNF("Zero-sized input file '%s'.", in_file);
}
in_len = st.st_size;
in_data = ck_alloc_nozero(in_len);
@ -276,13 +284,13 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
static struct itimerval it;
int status = 0;
if (!quiet_mode) SAYF("-- Program output begins --\n" cRST);
if (!quiet_mode) { SAYF("-- Program output begins --\n" cRST); }
MEM_BARRIER();
fsrv->child_pid = fork();
if (fsrv->child_pid < 0) PFATAL("fork() failed");
if (fsrv->child_pid < 0) { PFATAL("fork() failed"); }
if (!fsrv->child_pid) {
@ -319,14 +327,19 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
}
if (!keep_cores)
if (!keep_cores) {
r.rlim_max = r.rlim_cur = 0;
else
} else {
r.rlim_max = r.rlim_cur = RLIM_INFINITY;
}
setrlimit(RLIMIT_CORE, &r); /* Ignore errors */
if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0);
if (!getenv("LD_BIND_LAZY")) { setenv("LD_BIND_NOW", "1", 0); }
setsid();
@ -349,7 +362,7 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
setitimer(ITIMER_REAL, &it, NULL);
if (waitpid(fsrv->child_pid, &status, 0) <= 0) FATAL("waitpid() failed");
if (waitpid(fsrv->child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); }
fsrv->child_pid = 0;
it.it_value.tv_sec = 0;
@ -360,28 +373,41 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
/* Clean up bitmap, analyze exit condition, etc. */
if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) {
FATAL("Unable to execute '%s'", argv[0]);
}
classify_counts(fsrv);
if (!quiet_mode) SAYF(cRST "-- Program output ends --\n");
if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); }
if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(status)) {
if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(status))
child_crashed = 1;
}
if (!quiet_mode) {
if (fsrv->last_run_timed_out)
if (fsrv->last_run_timed_out) {
SAYF(cLRD "\n+++ Program timed off +++\n" cRST);
else if (stop_soon)
} else if (stop_soon) {
SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST);
else if (child_crashed)
} else if (child_crashed) {
SAYF(cLRD "\n+++ Program killed by signal %u +++\n" cRST,
WTERMSIG(status));
}
}
}
/* Handle Ctrl-C and the like. */
@ -421,20 +447,28 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
if (afl_preload[i] == ',')
if (afl_preload[i] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
if (qemu_preload)
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
else
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
ck_free(buf);
@ -549,20 +583,20 @@ int main(int argc, char **argv_orig, char **envp) {
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
if (getenv("AFL_QUIET") != NULL) be_quiet = 1;
if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; }
while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0)
while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqZQUWbcrh")) > 0) {
switch (opt) {
case 'i':
if (in_dir) FATAL("Multiple -i options not supported");
if (in_dir) { FATAL("Multiple -i options not supported"); }
in_dir = optarg;
break;
case 'o':
if (out_file) FATAL("Multiple -o options not supported");
if (out_file) { FATAL("Multiple -o options not supported"); }
out_file = optarg;
break;
@ -570,10 +604,10 @@ int main(int argc, char **argv_orig, char **envp) {
u8 suffix = 'M';
if (mem_limit_given) FATAL("Multiple -m options not supported");
if (mem_limit_given) { FATAL("Multiple -m options not supported"); }
mem_limit_given = 1;
if (!optarg) FATAL("Wrong usage of -m");
if (!optarg) { FATAL("Wrong usage of -m"); }
if (!strcmp(optarg, "none")) {
@ -583,27 +617,41 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 ||
optarg[0] == '-')
optarg[0] == '-') {
FATAL("Bad syntax used for -m");
switch (suffix) {
case 'T': fsrv->mem_limit *= 1024 * 1024; break;
case 'G': fsrv->mem_limit *= 1024; break;
case 'k': fsrv->mem_limit /= 1024; break;
case 'M': break;
default: FATAL("Unsupported suffix or bad syntax for -m");
}
if (fsrv->mem_limit < 5) FATAL("Dangerously low value of -m");
switch (suffix) {
case 'T':
fsrv->mem_limit *= 1024 * 1024;
break;
case 'G':
fsrv->mem_limit *= 1024;
break;
case 'k':
fsrv->mem_limit /= 1024;
break;
case 'M':
break;
default:
FATAL("Unsupported suffix or bad syntax for -m");
}
if (fsrv->mem_limit < 5) { FATAL("Dangerously low value of -m"); }
if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000) {
if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000)
FATAL("Value of -m out of range on 32-bit systems");
}
}
break;
case 'f': // only in here to avoid a compiler warning for use_stdin
@ -615,32 +663,35 @@ int main(int argc, char **argv_orig, char **envp) {
case 't':
if (timeout_given) FATAL("Multiple -t options not supported");
if (timeout_given) { FATAL("Multiple -t options not supported"); }
timeout_given = 1;
if (!optarg) FATAL("Wrong usage of -t");
if (!optarg) { FATAL("Wrong usage of -t"); }
if (strcmp(optarg, "none")) {
fsrv->exec_tmout = atoi(optarg);
if (fsrv->exec_tmout < 20 || optarg[0] == '-')
if (fsrv->exec_tmout < 20 || optarg[0] == '-') {
FATAL("Dangerously low value of -t");
}
}
break;
case 'e':
if (edges_only) FATAL("Multiple -e options not supported");
if (raw_instr_output) FATAL("-e and -r are mutually exclusive");
if (edges_only) { FATAL("Multiple -e options not supported"); }
if (raw_instr_output) { FATAL("-e and -r are mutually exclusive"); }
edges_only = 1;
break;
case 'q':
if (quiet_mode) FATAL("Multiple -q options not supported");
if (quiet_mode) { FATAL("Multiple -q options not supported"); }
quiet_mode = 1;
break;
@ -660,27 +711,27 @@ int main(int argc, char **argv_orig, char **envp) {
case 'Q':
if (fsrv->qemu_mode) FATAL("Multiple -Q options not supported");
if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_QEMU;
if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); }
if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; }
fsrv->qemu_mode = 1;
break;
case 'U':
if (unicorn_mode) FATAL("Multiple -U options not supported");
if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_UNICORN;
if (unicorn_mode) { FATAL("Multiple -U options not supported"); }
if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; }
unicorn_mode = 1;
break;
case 'W': /* Wine+QEMU mode */
if (use_wine) FATAL("Multiple -W options not supported");
if (use_wine) { FATAL("Multiple -W options not supported"); }
fsrv->qemu_mode = 1;
use_wine = 1;
if (!mem_limit_given) fsrv->mem_limit = 0;
if (!mem_limit_given) { fsrv->mem_limit = 0; }
break;
@ -694,14 +745,14 @@ int main(int argc, char **argv_orig, char **envp) {
case 'c':
if (keep_cores) FATAL("Multiple -c options not supported");
if (keep_cores) { FATAL("Multiple -c options not supported"); }
keep_cores = 1;
break;
case 'r':
if (raw_instr_output) FATAL("Multiple -r options not supported");
if (edges_only) FATAL("-e and -r are mutually exclusive");
if (raw_instr_output) { FATAL("Multiple -r options not supported"); }
if (edges_only) { FATAL("-e and -r are mutually exclusive"); }
raw_instr_output = 1;
break;
@ -710,11 +761,14 @@ int main(int argc, char **argv_orig, char **envp) {
return -1;
break;
default: usage(argv[0]);
default:
usage(argv[0]);
}
if (optind == argc || !out_file) usage(argv[0]);
}
if (optind == argc || !out_file) { usage(argv[0]); }
check_environment_vars(envp);
@ -735,7 +789,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (in_dir) {
if (at_file) PFATAL("Options -A and -i are mutually exclusive");
if (at_file) { PFATAL("Options -A and -i are mutually exclusive"); }
detect_file_args(argv + optind, "", &fsrv->use_stdin);
} else {
@ -744,22 +798,32 @@ int main(int argc, char **argv_orig, char **envp) {
}
for (i = optind; i < argc; i++)
if (strcmp(argv[i], "@@") == 0) arg_offset = i;
for (i = optind; i < argc; i++) {
if (strcmp(argv[i], "@@") == 0) { arg_offset = i; }
}
if (fsrv->qemu_mode) {
if (use_wine)
if (use_wine) {
use_argv = get_wine_argv(argv[0], &fsrv->target_path, argc - optind,
argv + optind);
else
} else {
use_argv = get_qemu_argv(argv[0], &fsrv->target_path, argc - optind,
argv + optind);
} else
}
} else {
use_argv = argv + optind;
}
if (in_dir) {
DIR * dir_in, *dir_out;
@ -771,20 +835,30 @@ int main(int argc, char **argv_orig, char **envp) {
#endif
fsrv->dev_null_fd = open("/dev/null", O_RDWR);
if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null");
if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); }
if (!(dir_in = opendir(in_dir))) PFATAL("cannot open directory %s", in_dir);
if (!(dir_in = opendir(in_dir))) {
PFATAL("cannot open directory %s", in_dir);
}
if (!(dir_out = opendir(out_file))) {
if (mkdir(out_file, 0700)) {
if (!(dir_out = opendir(out_file)))
if (mkdir(out_file, 0700))
PFATAL("cannot create output directory %s", out_file);
}
}
u8 *use_dir = ".";
if (access(use_dir, R_OK | W_OK | X_OK)) {
use_dir = get_afl_env("TMPDIR");
if (!use_dir) use_dir = "/tmp";
if (!use_dir) { use_dir = "/tmp"; }
}
@ -792,7 +866,7 @@ int main(int argc, char **argv_orig, char **envp) {
unlink(stdin_file);
atexit(at_exit_handler);
fsrv->out_fd = open(stdin_file, O_RDWR | O_CREAT | O_EXCL, 0600);
if (fsrv->out_fd < 0) PFATAL("Unable to create '%s'", out_file);
if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); }
if (arg_offset && argv[arg_offset] != stdin_file) {
@ -805,8 +879,12 @@ int main(int argc, char **argv_orig, char **envp) {
int i = optind;
SAYF(cMGN "[D]" cRST " %s:", fsrv->target_path);
while (argv[i] != NULL)
while (argv[i] != NULL) {
SAYF(" \"%s\"", argv[i++]);
}
SAYF("\n");
SAYF(cMGN "[D]" cRST " %d - %d = %d, %s\n", arg_offset, optind,
arg_offset - optind, infile);
@ -818,11 +896,19 @@ int main(int argc, char **argv_orig, char **envp) {
while (done == 0 && (dir_ent = readdir(dir_in))) {
if (dir_ent->d_name[0] == '.')
if (dir_ent->d_name[0] == '.') {
continue; // skip anything that starts with '.'
}
#if defined(DT_REG) /* Posix and Solaris do not know d_type and DT_REG */
if (dir_ent->d_type != DT_REG) continue; // only regular files
if (dir_ent->d_type != DT_REG) {
continue; // only regular files
}
#endif
snprintf(infile, sizeof(infile), "%s/%s", in_dir, dir_ent->d_name);
@ -843,10 +929,10 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (!quiet_mode) OKF("Processed %llu input files.", fsrv->total_execs);
if (!quiet_mode) { OKF("Processed %llu input files.", fsrv->total_execs); }
closedir(dir_in);
if (dir_out) closedir(dir_out);
if (dir_out) { closedir(dir_out); }
} else {
@ -857,7 +943,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (!quiet_mode) {
if (!tcnt) FATAL("No instrumentation detected" cRST);
if (!tcnt) { FATAL("No instrumentation detected" cRST); }
OKF("Captured %u tuples (highest value %u, total values %u) in '%s'." cRST,
tcnt, highest, total, out_file);
@ -875,13 +961,13 @@ int main(int argc, char **argv_orig, char **envp) {
u32 ret = child_crashed * 2 + fsrv->last_run_timed_out;
if (fsrv->target_path) ck_free(fsrv->target_path);
if (fsrv->target_path) { ck_free(fsrv->target_path); }
afl_fsrv_deinit(fsrv);
if (stdin_file) ck_free(stdin_file);
if (stdin_file) { ck_free(stdin_file); }
argv_cpy_free(argv);
if (fsrv->qemu_mode) free(use_argv[2]);
if (fsrv->qemu_mode) { free(use_argv[2]); }
exit(ret);

266
src/afl-tmin.c
View File

@ -108,7 +108,7 @@ static void apply_mask(u32 *mem, u32 *mask) {
u32 i = (map_size >> 2);
if (!mask) return;
if (!mask) { return; }
while (i--) {
@ -129,7 +129,7 @@ static void classify_counts(afl_forkserver_t *fsrv) {
while (i--) {
if (*mem) *mem = 1;
if (*mem) { *mem = 1; }
mem++;
}
@ -154,8 +154,11 @@ static inline u8 anything_set(afl_forkserver_t *fsrv) {
u32 *ptr = (u32 *)fsrv->trace_bits;
u32 i = (map_size >> 2);
while (i--)
if (*(ptr++)) return 1;
while (i--) {
if (*(ptr++)) { return 1; }
}
return 0;
@ -174,13 +177,16 @@ static void read_initial_file(void) {
struct stat st;
s32 fd = open(in_file, O_RDONLY);
if (fd < 0) PFATAL("Unable to open '%s'", in_file);
if (fd < 0) { PFATAL("Unable to open '%s'", in_file); }
if (fstat(fd, &st) || !st.st_size) FATAL("Zero-sized input file.");
if (fstat(fd, &st) || !st.st_size) { FATAL("Zero-sized input file."); }
if (st.st_size >= TMIN_MAX_FILE) {
if (st.st_size >= TMIN_MAX_FILE)
FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024);
}
in_len = st.st_size;
in_data = ck_alloc_nozero(in_len);
@ -202,7 +208,7 @@ static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
if (ret < 0) PFATAL("Unable to create '%s'", path);
if (ret < 0) { PFATAL("Unable to create '%s'", path); }
ck_write(ret, mem, len, path);
@ -223,7 +229,7 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
fsrv_run_result_t ret =
afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon);
if (ret == FSRV_RUN_ERROR) FATAL("Couldn't run child");
if (ret == FSRV_RUN_ERROR) { FATAL("Couldn't run child"); }
if (stop_soon) {
@ -239,9 +245,14 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
switch (ret) {
case FSRV_RUN_TMOUT: return 1;
case FSRV_RUN_CRASH: missed_crashes++; return 0;
default: missed_hangs++; return 0;
case FSRV_RUN_TMOUT:
return 1;
case FSRV_RUN_CRASH:
missed_crashes++;
return 0;
default:
missed_hangs++;
return 0;
}
@ -261,11 +272,11 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
if (ret == FSRV_RUN_CRASH) {
if (first_run) crash_mode = 1;
if (first_run) { crash_mode = 1; }
if (crash_mode) {
if (!exact_mode) return 1;
if (!exact_mode) { return 1; }
} else {
@ -287,13 +298,13 @@ static u8 tmin_run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
}
if (ret == FSRV_RUN_NOINST) FATAL("Binary not instrumented?");
if (ret == FSRV_RUN_NOINST) { FATAL("Binary not instrumented?"); }
u32 cksum = hash32(fsrv->trace_bits, fsrv->map_size, HASH_CONST);
if (first_run) orig_cksum = cksum;
if (first_run) { orig_cksum = cksum; }
if (orig_cksum == cksum) return 1;
if (orig_cksum == cksum) { return 1; }
missed_paths++;
return 0;
@ -320,7 +331,7 @@ static void minimize(afl_forkserver_t *fsrv, char **argv) {
set_len = next_pow2(in_len / TMIN_SET_STEPS);
set_pos = 0;
if (set_len < TMIN_SET_MIN_SIZE) set_len = TMIN_SET_MIN_SIZE;
if (set_len < TMIN_SET_MIN_SIZE) { set_len = TMIN_SET_MIN_SIZE; }
ACTF(cBRI "Stage #0: " cRST "One-time block normalization...");
@ -328,8 +339,11 @@ static void minimize(afl_forkserver_t *fsrv, char **argv) {
u32 use_len = MIN(set_len, in_len - set_pos);
for (i = 0; i < use_len; i++)
if (in_data[set_pos + i] != '0') break;
for (i = 0; i < use_len; i++) {
if (in_data[set_pos + i] != '0') { break; }
}
if (i != use_len) {
@ -374,7 +388,7 @@ next_pass:
next_del_blksize:
if (!del_len) del_len = 1;
if (!del_len) { del_len = 1; }
del_pos = 0;
prev_del = 1;
@ -387,7 +401,7 @@ next_del_blksize:
s32 tail_len;
tail_len = in_len - del_pos - del_len;
if (tail_len < 0) tail_len = 0;
if (tail_len < 0) { tail_len = 0; }
/* If we have processed at least one full block (initially, prev_del == 1),
and we did so without deleting the previous one, and we aren't at the
@ -420,12 +434,14 @@ next_del_blksize:
changed_any = 1;
} else
} else {
del_pos += del_len;
}
}
if (del_len > 1 && in_len >= 1) {
del_len /= 2;
@ -435,11 +451,14 @@ next_del_blksize:
OKF("Block removal complete, %u bytes deleted.", stage_o_len - in_len);
if (!in_len && changed_any)
if (!in_len && changed_any) {
WARNF(cLRD
"Down to zero bytes - check the command line and mem limit!" cRST);
if (cur_pass > 1 && !changed_any) goto finalize_all;
}
if (cur_pass > 1 && !changed_any) { goto finalize_all; }
/*************************
* ALPHABET MINIMIZATION *
@ -453,7 +472,7 @@ next_del_blksize:
for (i = 0; i < in_len; i++) {
if (!alpha_map[in_data[i]]) alpha_size++;
if (!alpha_map[in_data[i]]) { alpha_size++; }
alpha_map[in_data[i]]++;
}
@ -466,12 +485,15 @@ next_del_blksize:
u32 r;
u8 res;
if (i == '0' || !alpha_map[i]) continue;
if (i == '0' || !alpha_map[i]) { continue; }
memcpy(tmp_buf, in_data, in_len);
for (r = 0; r < in_len; r++)
if (tmp_buf[r] == i) tmp_buf[r] = '0';
for (r = 0; r < in_len; r++) {
if (tmp_buf[r] == i) { tmp_buf[r] = '0'; }
}
res = tmin_run_target(fsrv, argv, tmp_buf, in_len, 0);
@ -506,7 +528,7 @@ next_del_blksize:
u8 res, orig = tmp_buf[i];
if (orig == '0') continue;
if (orig == '0') { continue; }
tmp_buf[i] = '0';
res = tmin_run_target(fsrv, argv, tmp_buf, in_len, 0);
@ -517,22 +539,24 @@ next_del_blksize:
alpha_del2++;
changed_any = 1;
} else
} else {
tmp_buf[i] = orig;
}
}
alpha_d_total += alpha_del2;
OKF("Character minimization done, %u byte%s replaced.", alpha_del2,
alpha_del2 == 1 ? "" : "s");
if (changed_any) goto next_pass;
if (changed_any) { goto next_pass; }
finalize_all:
if (tmp_buf) ck_free(tmp_buf);
if (tmp_buf) { ck_free(tmp_buf); }
if (hang_mode) {
@ -558,9 +582,12 @@ finalize_all:
missed_hangs ? cLRD : "", missed_hangs);
if (fsrv->total_execs > 50 && missed_hangs * 10 > fsrv->total_execs &&
!hang_mode)
!hang_mode) {
WARNF(cLRD "Frequent timeouts - results may be skewed." cRST);
}
}
/* Handle Ctrl-C and the like. */
@ -579,7 +606,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
u8 *x;
fsrv->dev_null_fd = open("/dev/null", O_RDWR);
if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null");
if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); }
if (!out_file) {
@ -588,7 +615,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
if (access(use_dir, R_OK | W_OK | X_OK)) {
use_dir = get_afl_env("TMPDIR");
if (!use_dir) use_dir = "/tmp";
if (!use_dir) { use_dir = "/tmp"; }
}
@ -600,7 +627,7 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
fsrv->out_fd = open(out_file, O_RDWR | O_CREAT | O_EXCL, 0600);
if (fsrv->out_fd < 0) PFATAL("Unable to create '%s'", out_file);
if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); }
/* Set sane defaults... */
@ -608,27 +635,39 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
if (x) {
if (!strstr(x, "abort_on_error=1"))
if (!strstr(x, "abort_on_error=1")) {
FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!");
if (!strstr(x, "symbolize=0"))
}
if (!strstr(x, "symbolize=0")) {
FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!");
}
}
x = get_afl_env("MSAN_OPTIONS");
if (x) {
if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR)))
if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) {
FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY(
MSAN_ERROR) " - please fix!");
if (!strstr(x, "symbolize=0"))
}
if (!strstr(x, "symbolize=0")) {
FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!");
}
}
setenv("ASAN_OPTIONS",
"abort_on_error=1:"
"detect_leaks=0:"
@ -653,20 +692,28 @@ static void set_up_environment(afl_forkserver_t *fsrv) {
s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) {
if (afl_preload[i] == ',')
if (afl_preload[i] == ',') {
PFATAL(
"Comma (',') is not allowed in AFL_PRELOAD when -Q is "
"specified!");
}
if (qemu_preload)
}
if (qemu_preload) {
buf = alloc_printf("%s,LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
qemu_preload, afl_preload, afl_preload);
else
} else {
buf = alloc_printf("LD_PRELOAD=%s,DYLD_INSERT_LIBRARIES=%s",
afl_preload, afl_preload);
}
setenv("QEMU_SET_ENV", buf, 1);
ck_free(buf);
@ -772,40 +819,44 @@ int main(int argc, char **argv_orig, char **envp) {
SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n");
while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWHh")) > 0)
while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeQUWHh")) > 0) {
switch (opt) {
case 'i':
if (in_file) FATAL("Multiple -i options not supported");
if (in_file) { FATAL("Multiple -i options not supported"); }
in_file = optarg;
break;
case 'o':
if (output_file) FATAL("Multiple -o options not supported");
if (output_file) { FATAL("Multiple -o options not supported"); }
output_file = optarg;
break;
case 'f':
if (out_file) FATAL("Multiple -f options not supported");
if (out_file) { FATAL("Multiple -f options not supported"); }
fsrv->use_stdin = 0;
out_file = optarg;
break;
case 'e':
if (edges_only) FATAL("Multiple -e options not supported");
if (hang_mode)
if (edges_only) { FATAL("Multiple -e options not supported"); }
if (hang_mode) {
FATAL("Edges only and hang mode are mutually exclusive.");
}
edges_only = 1;
break;
case 'x':
if (exit_crash) FATAL("Multiple -x options not supported");
if (exit_crash) { FATAL("Multiple -x options not supported"); }
exit_crash = 1;
break;
@ -813,10 +864,10 @@ int main(int argc, char **argv_orig, char **envp) {
u8 suffix = 'M';
if (mem_limit_given) FATAL("Multiple -m options not supported");
if (mem_limit_given) { FATAL("Multiple -m options not supported"); }
mem_limit_given = 1;
if (!optarg) FATAL("Wrong usage of -m");
if (!optarg) { FATAL("Wrong usage of -m"); }
if (!strcmp(optarg, "none")) {
@ -826,66 +877,83 @@ int main(int argc, char **argv_orig, char **envp) {
}
if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 ||
optarg[0] == '-')
optarg[0] == '-') {
FATAL("Bad syntax used for -m");
switch (suffix) {
case 'T': fsrv->mem_limit *= 1024 * 1024; break;
case 'G': fsrv->mem_limit *= 1024; break;
case 'k': fsrv->mem_limit /= 1024; break;
case 'M': break;
default: FATAL("Unsupported suffix or bad syntax for -m");
}
if (fsrv->mem_limit < 5) FATAL("Dangerously low value of -m");
switch (suffix) {
case 'T':
fsrv->mem_limit *= 1024 * 1024;
break;
case 'G':
fsrv->mem_limit *= 1024;
break;
case 'k':
fsrv->mem_limit /= 1024;
break;
case 'M':
break;
default:
FATAL("Unsupported suffix or bad syntax for -m");
}
if (fsrv->mem_limit < 5) { FATAL("Dangerously low value of -m"); }
if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000) {
if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000)
FATAL("Value of -m out of range on 32-bit systems");
}
}
break;
case 't':
if (timeout_given) FATAL("Multiple -t options not supported");
if (timeout_given) { FATAL("Multiple -t options not supported"); }
timeout_given = 1;
if (!optarg) FATAL("Wrong usage of -t");
if (!optarg) { FATAL("Wrong usage of -t"); }
fsrv->exec_tmout = atoi(optarg);
if (fsrv->exec_tmout < 10 || optarg[0] == '-')
if (fsrv->exec_tmout < 10 || optarg[0] == '-') {
FATAL("Dangerously low value of -t");
}
break;
case 'Q':
if (fsrv->qemu_mode) FATAL("Multiple -Q options not supported");
if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_QEMU;
if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); }
if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; }
fsrv->qemu_mode = 1;
break;
case 'U':
if (unicorn_mode) FATAL("Multiple -Q options not supported");
if (!mem_limit_given) fsrv->mem_limit = MEM_LIMIT_UNICORN;
if (unicorn_mode) { FATAL("Multiple -Q options not supported"); }
if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; }
unicorn_mode = 1;
break;
case 'W': /* Wine+QEMU mode */
if (use_wine) FATAL("Multiple -W options not supported");
if (use_wine) { FATAL("Multiple -W options not supported"); }
fsrv->qemu_mode = 1;
use_wine = 1;
if (!mem_limit_given) fsrv->mem_limit = 0;
if (!mem_limit_given) { fsrv->mem_limit = 0; }
break;
@ -893,9 +961,13 @@ int main(int argc, char **argv_orig, char **envp) {
/* Minimizes a testcase to the minimum that still times out */
if (hang_mode) FATAL("Multipe -H options not supported");
if (edges_only)
if (hang_mode) { FATAL("Multipe -H options not supported"); }
if (edges_only) {
FATAL("Edges only and hang mode are mutually exclusive.");
}
hang_mode = 1;
break;
@ -914,7 +986,7 @@ int main(int argc, char **argv_orig, char **envp) {
The option may be extended and made more official if it proves
to be useful. */
if (mask_bitmap) FATAL("Multiple -B options not supported");
if (mask_bitmap) { FATAL("Multiple -B options not supported"); }
mask_bitmap = ck_alloc(map_size);
read_bitmap(optarg, mask_bitmap, map_size);
break;
@ -924,11 +996,14 @@ int main(int argc, char **argv_orig, char **envp) {
return -1;
break;
default: usage(argv[0]);
default:
usage(argv[0]);
}
if (optind == argc || !in_file || !output_file) usage(argv[0]);
}
if (optind == argc || !in_file || !output_file) { usage(argv[0]); }
check_environment_vars(envp);
@ -945,17 +1020,24 @@ int main(int argc, char **argv_orig, char **envp) {
if (fsrv->qemu_mode) {
if (use_wine)
if (use_wine) {
use_argv = get_wine_argv(argv[0], &fsrv->target_path, argc - optind,
argv + optind);
else
} else {
use_argv = get_qemu_argv(argv[0], &fsrv->target_path, argc - optind,
argv + optind);
} else
}
} else {
use_argv = argv + optind;
}
exact_mode = !!get_afl_env("AFL_TMIN_EXACT");
if (hang_mode && exact_mode) {
@ -977,17 +1059,23 @@ int main(int argc, char **argv_orig, char **envp) {
tmin_run_target(fsrv, use_argv, in_data, in_len, 1);
if (hang_mode && !fsrv->last_run_timed_out)
if (hang_mode && !fsrv->last_run_timed_out) {
FATAL(
"Target binary did not time out but hang minimization mode "
"(-H) was set (-t %u).",
fsrv->exec_tmout);
if (fsrv->last_run_timed_out && !hang_mode)
}
if (fsrv->last_run_timed_out && !hang_mode) {
FATAL(
"Target binary times out (adjusting -t may help). Use -H to minimize a "
"hang.");
}
if (hang_mode) {
OKF("Program hangs as expected, minimizing in " cCYA "hang" cRST " mode.");
@ -997,7 +1085,7 @@ int main(int argc, char **argv_orig, char **envp) {
OKF("Program terminates normally, minimizing in " cCYA "instrumented" cRST
" mode.");
if (!anything_set(fsrv)) FATAL("No instrumentation detected.");
if (!anything_set(fsrv)) { FATAL("No instrumentation detected."); }
} else {
@ -1012,7 +1100,7 @@ int main(int argc, char **argv_orig, char **envp) {
ACTF("Writing output to '%s'...", output_file);
unlink(out_file);
if (out_file) ck_free(out_file);
if (out_file) { ck_free(out_file); }
out_file = NULL;
close(write_to_file(output_file, in_data, in_len));
@ -1021,9 +1109,9 @@ int main(int argc, char **argv_orig, char **envp) {
afl_shm_deinit(&shm);
afl_fsrv_deinit(fsrv);
if (fsrv->target_path) ck_free(fsrv->target_path);
if (mask_bitmap) ck_free(mask_bitmap);
if (in_data) ck_free(in_data);
if (fsrv->target_path) { ck_free(fsrv->target_path); }
if (mask_bitmap) { ck_free(mask_bitmap); }
if (in_data) { ck_free(in_data); }
argv_cpy_free(argv);