ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 02:58:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

added AFL_CMPLOG_ONLY_NEW feature

Browse Source
This commit is contained in:
van Hauser
2021-01-30 15:39:47 +01:00
parent 3b3565269d
commit 9d08f0d098
14 changed files with 163 additions and 142 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/Changelog.md
View File

@ -20,6 +20,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
transformations (e.g. toupper, tolower, to/from hex, xor, transformations (e.g. toupper, tolower, to/from hex, xor,
arithmetics, etc.). this is costly hence new command line option arithmetics, etc.). this is costly hence new command line option
-l that sets the intensity (values 1 to 3). recommended is 1 or 2. -l that sets the intensity (values 1 to 3). recommended is 1 or 2.
- added `AFL_CMPLOG_ONLY_NEW` to not use cmplog on initial testcases from
`-i` or resumes (as these have most likely already been done)
- fix crash for very, very fast targets+systems (thanks to mhlakhani - fix crash for very, very fast targets+systems (thanks to mhlakhani
for reporting) for reporting)
- if determinstic mode is active (-D, or -M without -d) then we sync - if determinstic mode is active (-D, or -M without -d) then we sync

5
docs/env_variables.md
View File

@ -287,6 +287,11 @@ checks or alter some of the more exotic semantics of the tool:
the target. This must be equal or larger than the size the target was the target. This must be equal or larger than the size the target was
compiled with. compiled with.
- `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for
newly found testcases and not for testcases that are loaded on startup
(`-i in`). This is an important feature to set when resuming a fuzzing
session.
- `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE` - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE`
in config.h. Recommended values are 50-250MB - or more if your fuzzing in config.h. Recommended values are 50-250MB - or more if your fuzzing
finds a huge amount of paths for large inputs. finds a huge amount of paths for large inputs.

2
include/afl-fuzz.h
View File

@ -384,7 +384,7 @@ typedef struct afl_env_vars {
afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui, afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui,
afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
afl_cycle_schedules, afl_expand_havoc, afl_statsd; afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new;
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload,

2
include/common.h
View File

@ -47,7 +47,7 @@ void argv_cpy_free(char **argv);
char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv); char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv);
char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv); char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv);
char * get_afl_env(char *env); char * get_afl_env(char *env);
u8 *get_libqasan_path(u8 *own_loc); u8 * get_libqasan_path(u8 *own_loc);
extern u8 be_quiet; extern u8 be_quiet;
extern u8 *doc_path; /* path to documentation dir */ extern u8 *doc_path; /* path to documentation dir */

1
include/envs.h
View File

@ -28,6 +28,7 @@ static char *afl_environment_variables[] = {
"AFL_CC", "AFL_CC",
"AFL_CMIN_ALLOW_ANY", "AFL_CMIN_ALLOW_ANY",
"AFL_CMIN_CRASHES_ONLY", "AFL_CMIN_CRASHES_ONLY",
"AFL_CMPLOG_ONLY_NEW",
"AFL_CODE_END", "AFL_CODE_END",
"AFL_CODE_START", "AFL_CODE_START",
"AFL_COMPCOV_BINNAME", "AFL_COMPCOV_BINNAME",

22
src/afl-analyze.c
View File

@ -1079,28 +1079,28 @@ int main(int argc, char **argv_orig, char **envp) {
if (optind == argc || !in_file) { usage(argv[0]); } if (optind == argc || !in_file) { usage(argv[0]); }
if (qemu_mode && getenv("AFL_USE_QASAN")) { if (qemu_mode && getenv("AFL_USE_QASAN")) {
u8* preload = getenv("AFL_PRELOAD"); u8 *preload = getenv("AFL_PRELOAD");
u8* libqasan = get_libqasan_path(argv_orig[0]); u8 *libqasan = get_libqasan_path(argv_orig[0]);
if (!preload) { if (!preload) {
setenv("AFL_PRELOAD", libqasan, 0); setenv("AFL_PRELOAD", libqasan, 0);
} else { } else {
u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2); u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
strcpy(result, libqasan); strcpy(result, libqasan);
strcat(result, " "); strcat(result, " ");
strcat(result, preload); strcat(result, preload);
setenv("AFL_PRELOAD", result, 1); setenv("AFL_PRELOAD", result, 1);
ck_free(result); ck_free(result);
} }
ck_free(libqasan); ck_free(libqasan);
} }
map_size = get_map_size(); map_size = get_map_size();

6
src/afl-common.c
View File

@ -364,11 +364,7 @@ u8 *get_libqasan_path(u8 *own_loc) {
cp = alloc_printf("%s/libqasan.so", own_copy); cp = alloc_printf("%s/libqasan.so", own_copy);
ck_free(own_copy); ck_free(own_copy);
if (!access(cp, X_OK)) { if (!access(cp, X_OK)) { return cp; }
return cp;
}
} else { } else {

3
src/afl-fuzz-init.c
View File

@ -25,6 +25,7 @@
#include "afl-fuzz.h" #include "afl-fuzz.h"
#include <limits.h> #include <limits.h>
#include "cmplog.h"
#ifdef HAVE_AFFINITY #ifdef HAVE_AFFINITY
@ -833,6 +834,8 @@ void perform_dry_run(afl_state_t *afl) {
} }
if (afl->afl_env.afl_cmplog_only_new) { q->colorized = CMPLOG_LVL_MAX; }
u8 *fn = strrchr(q->fname, '/') + 1; u8 *fn = strrchr(q->fname, '/') + 1;
ACTF("Attempting dry run with '%s'...", fn); ACTF("Attempting dry run with '%s'...", fn);

5
src/afl-fuzz-one.c
View File

@ -26,6 +26,7 @@
#include "afl-fuzz.h" #include "afl-fuzz.h"
#include <string.h> #include <string.h>
#include <limits.h> #include <limits.h>
#include "cmplog.h"
/* MOpt */ /* MOpt */
@ -553,7 +554,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
if (unlikely(len < 4)) { if (unlikely(len < 4)) {
afl->queue_cur->colorized = 0xff; afl->queue_cur->colorized = CMPLOG_LVL_MAX;
} else { } else {
@ -2981,7 +2982,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (unlikely(len < 4)) { if (unlikely(len < 4)) {
afl->queue_cur->colorized = 0xff; afl->queue_cur->colorized = CMPLOG_LVL_MAX;
} else { } else {

167
src/afl-fuzz-redqueen.c
View File

@ -1118,7 +1118,11 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
#ifdef ARITHMETIC_LESSER_GREATER #ifdef ARITHMETIC_LESSER_GREATER
if (lvl < LVL3 || attr == IS_TRANSFORM) { return 0; } if (lvl < LVL3 || attr == IS_TRANSFORM) { return 0; }
if (!(attr & (IS_GREATER | IS_LESSER)) || SHAPE_BYTES(h->shape) < 4) { return 0; } if (!(attr & (IS_GREATER | IS_LESSER)) || SHAPE_BYTES(h->shape) < 4) {
return 0;
}
// transform >= to < and <= to > // transform >= to < and <= to >
if ((attr & IS_EQUAL) && (attr & (IS_GREATER | IS_LESSER))) { if ((attr & IS_EQUAL) && (attr & (IS_GREATER | IS_LESSER))) {
@ -1138,110 +1142,110 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
// lesser/greater FP comparison // lesser/greater FP comparison
if (attr >= IS_FP && attr < IS_FP_MOD) { if (attr >= IS_FP && attr < IS_FP_MOD) {
u64 repl_new; u64 repl_new;
if (attr & IS_GREATER) { if (attr & IS_GREATER) {
if (SHAPE_BYTES(h->shape) == 4 && its_len >= 4) { if (SHAPE_BYTES(h->shape) == 4 && its_len >= 4) {
float *f = (float *)&repl; float *f = (float *)&repl;
float g = *f; float g = *f;
g += 1.0; g += 1.0;
u32 *r = (u32 *)&g; u32 *r = (u32 *)&g;
repl_new = (u32)*r; repl_new = (u32)*r;
} else if (SHAPE_BYTES(h->shape) == 8 && its_len >= 8) { } else if (SHAPE_BYTES(h->shape) == 8 && its_len >= 8) {
double *f = (double *)&repl; double *f = (double *)&repl;
double g = *f; double g = *f;
g += 1.0; g += 1.0;
u64 *r = (u64 *)&g; u64 *r = (u64 *)&g;
repl_new = *r; repl_new = *r;
} else {
return 0;
}
changed_val = repl_new;
if (unlikely(cmp_extend_encoding(
afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx,
taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) {
return 1;
}
} else { } else {
if (SHAPE_BYTES(h->shape) == 4) { return 0;
float *f = (float *)&repl;
float g = *f;
g -= 1.0;
u32 *r = (u32 *)&g;
repl_new = (u32)*r;
} else if (SHAPE_BYTES(h->shape) == 8) {
double *f = (double *)&repl;
double g = *f;
g -= 1.0;
u64 *r = (u64 *)&g;
repl_new = *r;
} else {
return 0;
}
changed_val = repl_new;
if (unlikely(cmp_extend_encoding(
afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx,
taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) {
return 1;
}
} }
// transform double to float, llvm likes to do that internally ... changed_val = repl_new;
if (SHAPE_BYTES(h->shape) == 8 && its_len >= 4) {
if (unlikely(cmp_extend_encoding(
afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx,
taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) {
return 1;
}
} else {
if (SHAPE_BYTES(h->shape) == 4) {
float *f = (float *)&repl;
float g = *f;
g -= 1.0;
u32 *r = (u32 *)&g;
repl_new = (u32)*r;
} else if (SHAPE_BYTES(h->shape) == 8) {
double *f = (double *)&repl; double *f = (double *)&repl;
float g = (float)*f; double g = *f;
repl_new = 0; g -= 1.0;
#if (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__) u64 *r = (u64 *)&g;
memcpy((char *)&repl_new, (char *)&g, 4); repl_new = *r;
#else
memcpy(((char *)&repl_new) + 4, (char *)&g, 4);
#endif
changed_val = repl_new;
h->shape = 3; // modify shape
// fprintf(stderr, "DOUBLE2FLOAT %llx\n", repl_new); } else {
if (unlikely(cmp_extend_encoding( return 0;
afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx,
taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) {
h->shape = 7; // recover shape }
return 1;
} changed_val = repl_new;
h->shape = 7; // recover shape if (unlikely(cmp_extend_encoding(
afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx,
taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) {
return 1;
} }
} }
// transform double to float, llvm likes to do that internally ...
if (SHAPE_BYTES(h->shape) == 8 && its_len >= 4) {
double *f = (double *)&repl;
float g = (float)*f;
repl_new = 0;
#if (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
memcpy((char *)&repl_new, (char *)&g, 4);
#else
memcpy(((char *)&repl_new) + 4, (char *)&g, 4);
#endif
changed_val = repl_new;
h->shape = 3; // modify shape
// fprintf(stderr, "DOUBLE2FLOAT %llx\n", repl_new);
if (unlikely(cmp_extend_encoding(
afl, h, pattern, repl_new, o_pattern, changed_val, 16, idx,
taint_len, orig_buf, buf, cbuf, len, 1, lvl, status))) {
h->shape = 7; // recover shape
return 1;
}
h->shape = 7; // recover shape
}
}
else if (attr < IS_FP) { else if (attr < IS_FP) {
// lesser/greater integer comparison // lesser/greater integer comparison
@ -1707,6 +1711,7 @@ static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
try_to_add_to_dictN(afl, s128_v1, SHAPE_BYTES(h->shape)); try_to_add_to_dictN(afl, s128_v1, SHAPE_BYTES(h->shape));
} else } else
#endif #endif
{ {

7
src/afl-fuzz-state.c
View File

@ -236,6 +236,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_custom_mutator_only = afl->afl_env.afl_custom_mutator_only =
get_afl_env(afl_environment_variables[i]) ? 1 : 0; get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_CMPLOG_ONLY_NEW",
afl_environment_variable_len)) {
afl->afl_env.afl_cmplog_only_new =
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
} else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) { } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) {
afl->afl_env.afl_no_ui = afl->afl_env.afl_no_ui =

35
src/afl-fuzz.c
View File

@ -181,6 +181,7 @@ static void usage(u8 *argv0, int more_help) {
"AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists\n" "AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists\n"
"AFL_BENCH_JUST_ONE: run the target just once\n" "AFL_BENCH_JUST_ONE: run the target just once\n"
"AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n" "AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n"
"AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases (good for resumes!)\n"
"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n"
"AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs\n" "AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs\n"
"AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n" "AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n"
@ -326,8 +327,9 @@ int main(int argc, char **argv_orig, char **envp) {
"compile time)"); "compile time)");
} }
#endif #endif
char **argv = argv_cpy_dup(argc, argv_orig); char **argv = argv_cpy_dup(argc, argv_orig);
afl_state_t *afl = calloc(1, sizeof(afl_state_t)); afl_state_t *afl = calloc(1, sizeof(afl_state_t));
@ -356,8 +358,7 @@ int main(int argc, char **argv_orig, char **envp) {
while ((opt = getopt( while ((opt = getopt(
argc, argv, argc, argv,
"+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:RQs:S:t:T:UV:Wx:Z")) > "+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:RQs:S:t:T:UV:Wx:Z")) > 0) {
0) {
switch (opt) { switch (opt) {
@ -984,31 +985,31 @@ int main(int argc, char **argv_orig, char **envp) {
usage(argv[0], show_help); usage(argv[0], show_help);
} }
if (afl->fsrv.qemu_mode && getenv("AFL_USE_QASAN")) { if (afl->fsrv.qemu_mode && getenv("AFL_USE_QASAN")) {
u8* preload = getenv("AFL_PRELOAD"); u8 *preload = getenv("AFL_PRELOAD");
u8* libqasan = get_libqasan_path(argv_orig[0]); u8 *libqasan = get_libqasan_path(argv_orig[0]);
if (!preload) { if (!preload) {
setenv("AFL_PRELOAD", libqasan, 0); setenv("AFL_PRELOAD", libqasan, 0);
} else { } else {
u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2); u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
strcpy(result, libqasan); strcpy(result, libqasan);
strcat(result, " "); strcat(result, " ");
strcat(result, preload); strcat(result, preload);
setenv("AFL_PRELOAD", result, 1); setenv("AFL_PRELOAD", result, 1);
ck_free(result); ck_free(result);
} }
afl->afl_env.afl_preload = (u8 *)getenv("AFL_PRELOAD"); afl->afl_env.afl_preload = (u8 *)getenv("AFL_PRELOAD");
ck_free(libqasan); ck_free(libqasan);
} }
if (afl->fsrv.mem_limit && afl->shm.cmplog_mode) afl->fsrv.mem_limit += 260; if (afl->fsrv.mem_limit && afl->shm.cmplog_mode) afl->fsrv.mem_limit += 260;
@ -1270,7 +1271,7 @@ int main(int argc, char **argv_orig, char **envp) {
"instead of using AFL_PRELOAD?"); "instead of using AFL_PRELOAD?");
} }
if (afl->afl_env.afl_preload) { if (afl->afl_env.afl_preload) {
if (afl->fsrv.qemu_mode) { if (afl->fsrv.qemu_mode) {
@ -1322,7 +1323,7 @@ int main(int argc, char **argv_orig, char **envp) {
FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD"); FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD");
} }
save_cmdline(afl, argc, argv); save_cmdline(afl, argc, argv);
fix_up_banner(afl, argv[optind]); fix_up_banner(afl, argv[optind]);

24
src/afl-showmap.c
View File

@ -942,30 +942,30 @@ int main(int argc, char **argv_orig, char **envp) {
} }
if (optind == argc || !out_file) { usage(argv[0]); } if (optind == argc || !out_file) { usage(argv[0]); }
if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) { if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) {
u8* preload = getenv("AFL_PRELOAD"); u8 *preload = getenv("AFL_PRELOAD");
u8* libqasan = get_libqasan_path(argv_orig[0]); u8 *libqasan = get_libqasan_path(argv_orig[0]);
if (!preload) { if (!preload) {
setenv("AFL_PRELOAD", libqasan, 0); setenv("AFL_PRELOAD", libqasan, 0);
} else { } else {
u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2); u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
strcpy(result, libqasan); strcpy(result, libqasan);
strcat(result, " "); strcat(result, " ");
strcat(result, preload); strcat(result, preload);
setenv("AFL_PRELOAD", result, 1); setenv("AFL_PRELOAD", result, 1);
ck_free(result); ck_free(result);
} }
ck_free(libqasan); ck_free(libqasan);
} }
if (in_dir) { if (in_dir) {

24
src/afl-tmin.c
View File

@ -1074,30 +1074,30 @@ int main(int argc, char **argv_orig, char **envp) {
if (optind == argc || !in_file || !output_file) { usage(argv[0]); } if (optind == argc || !in_file || !output_file) { usage(argv[0]); }
check_environment_vars(envp); check_environment_vars(envp);
if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) { if (fsrv->qemu_mode && getenv("AFL_USE_QASAN")) {
u8* preload = getenv("AFL_PRELOAD"); u8 *preload = getenv("AFL_PRELOAD");
u8* libqasan = get_libqasan_path(argv_orig[0]); u8 *libqasan = get_libqasan_path(argv_orig[0]);
if (!preload) { if (!preload) {
setenv("AFL_PRELOAD", libqasan, 0); setenv("AFL_PRELOAD", libqasan, 0);
} else { } else {
u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2); u8 *result = ck_alloc(strlen(libqasan) + strlen(preload) + 2);
strcpy(result, libqasan); strcpy(result, libqasan);
strcat(result, " "); strcat(result, " ");
strcat(result, preload); strcat(result, preload);
setenv("AFL_PRELOAD", result, 1); setenv("AFL_PRELOAD", result, 1);
ck_free(result); ck_free(result);
} }
ck_free(libqasan); ck_free(libqasan);
} }
/* initialize cmplog_mode */ /* initialize cmplog_mode */