ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-10 17:21:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

merge cmplog

Browse Source
This commit is contained in:
van Hauser 2021-01-15 16:56:40 +01:00
parent fba8790e32
commit a0e884cf8b
13 changed files with 2092 additions and 429 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
include/afl-fuzz.h
View File

@ -145,12 +145,22 @@ extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
extern s32
interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
struct tainted {
u32 pos;
u32 len;
struct tainted *next;
struct tainted *prev;
};
struct queue_entry {
u8 *fname; /* File name for the test case */
u32 len; /* Input length */
u8 cal_failed; /* Calibration failed? */
u8 colorized, /* Do not run redqueen stage again */
cal_failed; /* Calibration failed? */
bool trim_done, /* Trimmed? */
was_fuzzed, /* historical, but needed for MOpt */
passed_det, /* Deterministic stages passed? */
@ -158,7 +168,6 @@ struct queue_entry {
var_behavior, /* Variable behavior? */
favored, /* Currently favored? */
fs_redundant, /* Marked as redundant in the fs? */
fully_colorized, /* Do not run redqueen stage again */
is_ascii, /* Is the input just ascii text? */
disabled; /* Is disabled from fuzz selection */
@ -183,7 +192,11 @@ struct queue_entry {
u8 *testcase_buf; /* The testcase buffer, if loaded. */
struct queue_entry *next; /* Next element, if any */
u8 * cmplog_colorinput; /* the result buf of colorization */
struct tainted *taint; /* Taint information from CmpLog */
struct queue_entry *mother, /* queue entry this based on */
*next; /* Next element, if any */
};
@ -636,6 +649,8 @@ typedef struct afl_state {
/* cmplog forkserver ids */
s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
u32 cmplog_prev_timed_out;
u32 cmplog_max_filesize;
u32 cmplog_lvl;
struct afl_pass_stat *pass_stats;
struct cmp_map * orig_cmp_map;

17
include/cmplog.h
View File

@ -30,8 +30,10 @@
#include "config.h"
#define CMPLOG_LVL_MAX 3
#define CMP_MAP_W 65536
#define CMP_MAP_H 256
#define CMP_MAP_H 32
#define CMP_MAP_RTN_H (CMP_MAP_H / 4)
#define SHAPE_BYTES(x) (x + 1)
@ -41,13 +43,12 @@
struct cmp_header {
unsigned hits : 20;
unsigned cnt : 20;
unsigned id : 16;
unsigned shape : 5; // from 0 to 31
unsigned hits : 24;
unsigned id : 24;
unsigned shape : 5;
unsigned type : 1;
unsigned attribute : 4;
unsigned reserved : 6;
} __attribute__((packed));
@ -55,6 +56,8 @@ struct cmp_operands {
u64 v0;
u64 v1;
u64 v0_128;
u64 v1_128;
};

24
include/debug.h
View File

@ -295,8 +295,8 @@ static inline const char *colorfilter(const char *x) {
\
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] PROGRAM ABORT : " cRST x); \
SAYF(cLRD "\n Location : " cRST "%s(), %s:%d\n\n", __func__, \
__FILE__, __LINE__); \
SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \
__FILE__, (u32)__LINE__); \
exit(1); \
\
} while (0)
@ -308,8 +308,8 @@ static inline const char *colorfilter(const char *x) {
\
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] PROGRAM ABORT : " cRST x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n\n", __func__, \
__FILE__, __LINE__); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \
__FILE__, (u32)__LINE__); \
abort(); \
\
} while (0)
@ -322,8 +322,8 @@ static inline const char *colorfilter(const char *x) {
fflush(stdout); \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \
"\n[-] SYSTEM ERROR : " cRST x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n", __func__, \
__FILE__, __LINE__); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \
__FILE__, (u32)__LINE__); \
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
exit(1); \
\
@ -344,12 +344,12 @@ static inline const char *colorfilter(const char *x) {
/* Show a prefixed debug output. */
#define DEBUGF(x...) \
do { \
\
SAYF(cMGN "[D] " cBRI "DEBUG: " cRST x); \
SAYF(cRST ""); \
\
#define DEBUGF(x...) \
do { \
\
fprintf(stderr, cMGN "[D] " cBRI "DEBUG: " cRST x); \
fprintf(stderr, cRST ""); \
\
} while (0)
/* Error-checking versions of read() and write() that call RPFATAL() as

43
include/types.h
View File

@ -26,9 +26,11 @@
#include <stdint.h>
#include <stdlib.h>
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
typedef unsigned __int128 uint128_t;
typedef uint128_t u128;
/* Extended forkserver option values */
@ -57,10 +59,12 @@ typedef uint32_t u32;
typedef unsigned long long u64;
typedef int8_t s8;
typedef int16_t s16;
typedef int32_t s32;
typedef int64_t s64;
typedef int8_t s8;
typedef int16_t s16;
typedef int32_t s32;
typedef int64_t s64;
typedef __int128 int128_t;
typedef int128_t s128;
#ifndef MIN
#define MIN(a, b) \
@ -114,6 +118,31 @@ typedef int64_t s64;
\
})
// It is impossible to define 128 bit constants, so ...
#define SWAPN(_x, _l) \
({ \
\
u128 _res = (_x), _ret; \
char *d = (char *)&_ret, *s = (char *)&_res; \
int i; \
for (i = 0; i < 16; i++) \
d[15 - i] = s[i]; \
u32 sr = 128U - ((_l) << 3U); \
(_ret >>= sr); \
(u128) _ret; \
\
})
#define SWAPNN(_x, _y, _l) \
({ \
\
char *d = (char *)(_x), *s = (char *)(_y); \
u32 i, l = (_l)-1; \
for (i = 0; i <= l; i++) \
d[l - i] = s[i]; \
\
})
#ifdef AFL_LLVM_PASS
#if defined(__linux__) || !defined(__ANDROID__)
#define AFL_SR(s) (srandom(s))

89
instrumentation/afl-compiler-rt.o.c
View File

@ -161,7 +161,7 @@ void send_forkserver_error(int error) {
u32 status;
if (!error || error > 0xffff) return;
status = (FS_OPT_ERROR | FS_OPT_SET_ERROR(error));
if (write(FORKSRV_FD + 1, (char *)&status, 4) != 4) return;
if (write(FORKSRV_FD + 1, (char *)&status, 4) != 4) { return; }
}
@ -544,11 +544,11 @@ static void __afl_start_snapshots(void) {
if (__afl_dictionary_len && __afl_dictionary) status |= FS_OPT_AUTODICT;
memcpy(tmp, &status, 4);
if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
if (write(FORKSRV_FD + 1, tmp, 4) != 4) { return; }
if (__afl_sharedmem_fuzzing || (__afl_dictionary_len && __afl_dictionary)) {
if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1);
if (read(FORKSRV_FD, &was_killed, 4) != 4) { _exit(1); }
if (getenv("AFL_DEBUG")) {
@ -1207,7 +1207,9 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
///// CmpLog instrumentation
void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) {
void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) {
// fprintf(stderr, "hook1 arg0=%02x arg1=%02x attr=%u\n", arg1, arg2, attr);
if (unlikely(!__afl_cmp_map)) return;
@ -1216,6 +1218,7 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) {
k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
__afl_cmp_map->headers[k].attribute = attr;
u32 hits = __afl_cmp_map->headers[k].hits;
__afl_cmp_map->headers[k].hits = hits + 1;
@ -1230,7 +1233,7 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) {
}
void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) {
void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr) {
if (unlikely(!__afl_cmp_map)) return;
@ -1239,6 +1242,7 @@ void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) {
k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
__afl_cmp_map->headers[k].attribute = attr;
u32 hits = __afl_cmp_map->headers[k].hits;
__afl_cmp_map->headers[k].hits = hits + 1;
@ -1251,7 +1255,9 @@ void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) {
}
void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2) {
void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr) {
// fprintf(stderr, "hook4 arg0=%x arg1=%x attr=%u\n", arg1, arg2, attr);
if (unlikely(!__afl_cmp_map)) return;
@ -1260,6 +1266,7 @@ void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2) {
k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
__afl_cmp_map->headers[k].attribute = attr;
u32 hits = __afl_cmp_map->headers[k].hits;
__afl_cmp_map->headers[k].hits = hits + 1;
@ -1272,7 +1279,9 @@ void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2) {
}
void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) {
void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2, uint8_t attr) {
// fprintf(stderr, "hook8 arg0=%lx arg1=%lx attr=%u\n", arg1, arg2, attr);
if (unlikely(!__afl_cmp_map)) return;
@ -1281,6 +1290,7 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) {
k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
__afl_cmp_map->headers[k].attribute = attr;
u32 hits = __afl_cmp_map->headers[k].hits;
__afl_cmp_map->headers[k].hits = hits + 1;
@ -1293,16 +1303,77 @@ void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2) {
}
// support for u24 to u120 via llvm _ExitInt(). size is in bytes minus 1
void __cmplog_ins_hookN(uint128_t arg1, uint128_t arg2, uint8_t attr,
uint8_t size) {
// fprintf(stderr, "hookN arg0=%llx:%llx arg1=%llx:%llx bytes=%u attr=%u\n",
// (u64)(arg1 >> 64), (u64)arg1, (u64)(arg2 >> 64), (u64)arg2, size + 1,
// attr);
if (unlikely(!__afl_cmp_map)) return;
uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
__afl_cmp_map->headers[k].attribute = attr;
u32 hits = __afl_cmp_map->headers[k].hits;
__afl_cmp_map->headers[k].hits = hits + 1;
__afl_cmp_map->headers[k].shape = size;
hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = (u64)arg1;
__afl_cmp_map->log[k][hits].v1 = (u64)arg2;
if (size > 7) {
__afl_cmp_map->log[k][hits].v0_128 = (u64)(arg1 >> 64);
__afl_cmp_map->log[k][hits].v1_128 = (u64)(arg2 >> 64);
}
}
void __cmplog_ins_hook16(uint128_t arg1, uint128_t arg2, uint8_t attr) {
if (unlikely(!__afl_cmp_map)) return;
uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8);
k &= CMP_MAP_W - 1;
__afl_cmp_map->headers[k].type = CMP_TYPE_INS;
__afl_cmp_map->headers[k].attribute = attr;
u32 hits = __afl_cmp_map->headers[k].hits;
__afl_cmp_map->headers[k].hits = hits + 1;
__afl_cmp_map->headers[k].shape = 15;
hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = (u64)arg1;
__afl_cmp_map->log[k][hits].v1 = (u64)arg2;
__afl_cmp_map->log[k][hits].v0_128 = (u64)(arg1 >> 64);
__afl_cmp_map->log[k][hits].v1_128 = (u64)(arg2 >> 64);
}
#if defined(__APPLE__)
#pragma weak __sanitizer_cov_trace_const_cmp1 = __cmplog_ins_hook1
#pragma weak __sanitizer_cov_trace_const_cmp2 = __cmplog_ins_hook2
#pragma weak __sanitizer_cov_trace_const_cmp4 = __cmplog_ins_hook4
#pragma weak __sanitizer_cov_trace_const_cmp8 = __cmplog_ins_hook8
#pragma weak __sanitizer_cov_trace_const_cmp16 = __cmplog_ins_hook16
#pragma weak __sanitizer_cov_trace_cmp1 = __cmplog_ins_hook1
#pragma weak __sanitizer_cov_trace_cmp2 = __cmplog_ins_hook2
#pragma weak __sanitizer_cov_trace_cmp4 = __cmplog_ins_hook4
#pragma weak __sanitizer_cov_trace_cmp8 = __cmplog_ins_hook8
#pragma weak __sanitizer_cov_trace_cmp16 = __cmplog_ins_hook16
#else
void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2)
__attribute__((alias("__cmplog_ins_hook1")));
@ -1312,6 +1383,8 @@ void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2)
__attribute__((alias("__cmplog_ins_hook4")));
void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2)
__attribute__((alias("__cmplog_ins_hook8")));
void __sanitizer_cov_trace_const_cmp16(uint128_t arg1, uint128_t arg2)
__attribute__((alias("__cmplog_ins_hook16")));
void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2)
__attribute__((alias("__cmplog_ins_hook1")));
@ -1321,6 +1394,8 @@ void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2)
__attribute__((alias("__cmplog_ins_hook4")));
void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2)
__attribute__((alias("__cmplog_ins_hook8")));
void __sanitizer_cov_trace_cmp16(uint128_t arg1, uint128_t arg2)
__attribute__((alias("__cmplog_ins_hook16")));
#endif /* defined(__APPLE__) */
void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {

582
instrumentation/cmplog-instructions-pass.cc
View File

@ -85,9 +85,25 @@ class CmpLogInstructions : public ModulePass {
char CmpLogInstructions::ID = 0;
template <class Iterator>
Iterator Unique(Iterator first, Iterator last) {
while (first != last) {
Iterator next(first);
last = std::remove(++next, last, *first);
first = next;
}
return last;
}
bool CmpLogInstructions::hookInstrs(Module &M) {
std::vector<Instruction *> icomps;
std::vector<SwitchInst *> switches;
LLVMContext & C = M.getContext();
Type * VoidTy = Type::getVoidTy(C);
@ -95,13 +111,15 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
IntegerType *Int16Ty = IntegerType::getInt16Ty(C);
IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
IntegerType *Int64Ty = IntegerType::getInt64Ty(C);
IntegerType *Int128Ty = IntegerType::getInt128Ty(C);
#if LLVM_VERSION_MAJOR < 9
Constant *
#else
FunctionCallee
#endif
c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty
c1 = M.getOrInsertFunction("__cmplog_ins_hook1", VoidTy, Int8Ty, Int8Ty,
Int8Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
@ -118,7 +136,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#else
FunctionCallee
#endif
c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty
c2 = M.getOrInsertFunction("__cmplog_ins_hook2", VoidTy, Int16Ty, Int16Ty,
Int8Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
@ -135,7 +154,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#else
FunctionCallee
#endif
c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty
c4 = M.getOrInsertFunction("__cmplog_ins_hook4", VoidTy, Int32Ty, Int32Ty,
Int8Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
@ -152,7 +172,8 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
#else
FunctionCallee
#endif
c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty
c8 = M.getOrInsertFunction("__cmplog_ins_hook8", VoidTy, Int64Ty, Int64Ty,
Int8Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
@ -164,6 +185,42 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
FunctionCallee cmplogHookIns8 = c8;
#endif
#if LLVM_VERSION_MAJOR < 9
Constant *
#else
FunctionCallee
#endif
c16 = M.getOrInsertFunction("__cmplog_ins_hook16", VoidTy, Int128Ty,
Int128Ty, Int8Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
#endif
);
#if LLVM_VERSION_MAJOR < 9
Function *cmplogHookIns16 = cast<Function>(c16);
#else
FunctionCallee cmplogHookIns16 = c16;
#endif
#if LLVM_VERSION_MAJOR < 9
Constant *
#else
FunctionCallee
#endif
cN = M.getOrInsertFunction("__cmplog_ins_hookN", VoidTy, Int128Ty,
Int128Ty, Int8Ty, Int8Ty
#if LLVM_VERSION_MAJOR < 5
,
NULL
#endif
);
#if LLVM_VERSION_MAJOR < 9
Function *cmplogHookInsN = cast<Function>(cN);
#else
FunctionCallee cmplogHookInsN = cN;
#endif
/* iterate over all functions, bbs and instruction and add suitable calls */
for (auto &F : M) {
@ -174,33 +231,208 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
for (auto &IN : BB) {
CmpInst *selectcmpInst = nullptr;
if ((selectcmpInst = dyn_cast<CmpInst>(&IN))) {
if (selectcmpInst->getPredicate() == CmpInst::ICMP_EQ ||
selectcmpInst->getPredicate() == CmpInst::ICMP_NE ||
selectcmpInst->getPredicate() == CmpInst::ICMP_UGT ||
selectcmpInst->getPredicate() == CmpInst::ICMP_SGT ||
selectcmpInst->getPredicate() == CmpInst::ICMP_ULT ||
selectcmpInst->getPredicate() == CmpInst::ICMP_SLT ||
selectcmpInst->getPredicate() == CmpInst::ICMP_UGE ||
selectcmpInst->getPredicate() == CmpInst::ICMP_SGE ||
selectcmpInst->getPredicate() == CmpInst::ICMP_ULE ||
selectcmpInst->getPredicate() == CmpInst::ICMP_SLE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OGE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UGE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OLE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_ULE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OGT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UGT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OLT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_ULT ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UEQ ||
selectcmpInst->getPredicate() == CmpInst::FCMP_OEQ ||
selectcmpInst->getPredicate() == CmpInst::FCMP_UNE ||
selectcmpInst->getPredicate() == CmpInst::FCMP_ONE) {
icomps.push_back(selectcmpInst);
icomps.push_back(selectcmpInst);
}
SwitchInst *switchInst = nullptr;
if ((switchInst = dyn_cast<SwitchInst>(BB.getTerminator()))) {
if (switchInst->getNumCases() > 1) { switches.push_back(switchInst); }
}
}
}
}
// unique the collected switches
switches.erase(Unique(switches.begin(), switches.end()), switches.end());
// Instrument switch values for cmplog
if (switches.size()) {
if (!be_quiet)
errs() << "Hooking " << switches.size() << " switch instructions\n";
for (auto &SI : switches) {
Value * Val = SI->getCondition();
unsigned int max_size = Val->getType()->getIntegerBitWidth(), cast_size;
unsigned char do_cast = 0;
if (!SI->getNumCases() || max_size <= 8) {
// if (!be_quiet) errs() << "skip trivial switch..\n";
continue;
}
IRBuilder<> IRB(SI->getParent());
IRB.SetInsertPoint(SI);
if (max_size % 8) {
max_size = (((max_size / 8) + 1) * 8);
do_cast = 1;
}
if (max_size > 128) {
if (!be_quiet) {
fprintf(stderr,
"Cannot handle this switch bit size: %u (truncating)\n",
max_size);
}
max_size = 128;
do_cast = 1;
}
// do we need to cast?
switch (max_size) {
case 8:
case 16:
case 32:
case 64:
case 128:
cast_size = max_size;
break;
default:
cast_size = 128;
do_cast = 1;
}
Value *CompareTo = Val;
if (do_cast) {
ConstantInt *cint = dyn_cast<ConstantInt>(Val);
if (cint) {
uint64_t val = cint->getZExtValue();
// fprintf(stderr, "ConstantInt: %lu\n", val);
switch (cast_size) {
case 8:
CompareTo = ConstantInt::get(Int8Ty, val);
break;
case 16:
CompareTo = ConstantInt::get(Int16Ty, val);
break;
case 32:
CompareTo = ConstantInt::get(Int32Ty, val);
break;
case 64:
CompareTo = ConstantInt::get(Int64Ty, val);
break;
case 128:
CompareTo = ConstantInt::get(Int128Ty, val);
break;
}
} else {
CompareTo = IRB.CreateBitCast(Val, IntegerType::get(C, cast_size));
}
}
for (SwitchInst::CaseIt i = SI->case_begin(), e = SI->case_end(); i != e;
++i) {
#if LLVM_VERSION_MAJOR < 5
ConstantInt *cint = i.getCaseValue();
#else
ConstantInt *cint = i->getCaseValue();
#endif
if (cint) {
std::vector<Value *> args;
args.push_back(CompareTo);
Value *new_param = cint;
if (do_cast) {
uint64_t val = cint->getZExtValue();
// fprintf(stderr, "ConstantInt: %lu\n", val);
switch (cast_size) {
case 8:
new_param = ConstantInt::get(Int8Ty, val);
break;
case 16:
new_param = ConstantInt::get(Int16Ty, val);
break;
case 32:
new_param = ConstantInt::get(Int32Ty, val);
break;
case 64:
new_param = ConstantInt::get(Int64Ty, val);
break;
case 128:
new_param = ConstantInt::get(Int128Ty, val);
break;
}
}
if (new_param) {
args.push_back(new_param);
ConstantInt *attribute = ConstantInt::get(Int8Ty, 1);
args.push_back(attribute);
if (cast_size != max_size) {
ConstantInt *bitsize =
ConstantInt::get(Int8Ty, (max_size / 8) - 1);
args.push_back(bitsize);
}
switch (cast_size) {
case 8:
IRB.CreateCall(cmplogHookIns1, args);
break;
case 16:
IRB.CreateCall(cmplogHookIns2, args);
break;
case 32:
IRB.CreateCall(cmplogHookIns4, args);
break;
case 64:
IRB.CreateCall(cmplogHookIns8, args);
break;
case 128:
if (max_size == 128) {
IRB.CreateCall(cmplogHookIns16, args);
} else {
IRB.CreateCall(cmplogHookInsN, args);
}
break;
}
}
@ -212,101 +444,279 @@ bool CmpLogInstructions::hookInstrs(Module &M) {
}
if (!icomps.size()) return false;
// if (!be_quiet) errs() << "Hooking " << icomps.size() << " cmp
// instructions\n";
if (icomps.size()) {
for (auto &selectcmpInst : icomps) {
// if (!be_quiet) errs() << "Hooking " << icomps.size() <<
// " cmp instructions\n";
IRBuilder<> IRB(selectcmpInst->getParent());
IRB.SetInsertPoint(selectcmpInst);
for (auto &selectcmpInst : icomps) {
auto op0 = selectcmpInst->getOperand(0);
auto op1 = selectcmpInst->getOperand(1);
IRBuilder<> IRB(selectcmpInst->getParent());
IRB.SetInsertPoint(selectcmpInst);
IntegerType * intTyOp0 = NULL;
IntegerType * intTyOp1 = NULL;
unsigned max_size = 0;
std::vector<Value *> args;
Value *op0 = selectcmpInst->getOperand(0);
Value *op1 = selectcmpInst->getOperand(1);
if (selectcmpInst->getOpcode() == Instruction::FCmp) {
IntegerType * intTyOp0 = NULL;
IntegerType * intTyOp1 = NULL;
unsigned max_size = 0, cast_size = 0;
unsigned char attr = 0, do_cast = 0;
std::vector<Value *> args;
auto ty0 = op0->getType();
if (ty0->isHalfTy()
CmpInst *cmpInst = dyn_cast<CmpInst>(selectcmpInst);
if (!cmpInst) { continue; }
switch (cmpInst->getPredicate()) {
case CmpInst::ICMP_NE:
case CmpInst::FCMP_UNE:
case CmpInst::FCMP_ONE:
break;
case CmpInst::ICMP_EQ:
case CmpInst::FCMP_UEQ:
case CmpInst::FCMP_OEQ:
attr += 1;
break;
case CmpInst::ICMP_UGT:
case CmpInst::ICMP_SGT:
case CmpInst::FCMP_OGT:
case CmpInst::FCMP_UGT:
attr += 2;
break;
case CmpInst::ICMP_UGE:
case CmpInst::ICMP_SGE:
case CmpInst::FCMP_OGE:
case CmpInst::FCMP_UGE:
attr += 3;
break;
case CmpInst::ICMP_ULT:
case CmpInst::ICMP_SLT:
case CmpInst::FCMP_OLT:
case CmpInst::FCMP_ULT:
attr += 4;
break;
case CmpInst::ICMP_ULE:
case CmpInst::ICMP_SLE:
case CmpInst::FCMP_OLE:
case CmpInst::FCMP_ULE:
attr += 5;
break;
default:
break;
}
if (selectcmpInst->getOpcode() == Instruction::FCmp) {
auto ty0 = op0->getType();
if (ty0->isHalfTy()
#if LLVM_VERSION_MAJOR >= 11
|| ty0->isBFloatTy()
|| ty0->isBFloatTy()
#endif
)
max_size = 16;
else if (ty0->isFloatTy())
max_size = 32;
else if (ty0->isDoubleTy())
max_size = 64;
)
max_size = 16;
else if (ty0->isFloatTy())
max_size = 32;
else if (ty0->isDoubleTy())
max_size = 64;
else if (ty0->isX86_FP80Ty())
max_size = 80;
else if (ty0->isFP128Ty() || ty0->isPPC_FP128Ty())
max_size = 128;
if (max_size) {
attr += 8;
do_cast = 1;
Value *V0 = IRB.CreateBitCast(op0, IntegerType::get(C, max_size));
intTyOp0 = dyn_cast<IntegerType>(V0->getType());
Value *V1 = IRB.CreateBitCast(op1, IntegerType::get(C, max_size));
intTyOp1 = dyn_cast<IntegerType>(V1->getType());
} else {
intTyOp0 = dyn_cast<IntegerType>(op0->getType());
intTyOp1 = dyn_cast<IntegerType>(op1->getType());
if (intTyOp0 && intTyOp1) {
max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth()
? intTyOp0->getBitWidth()
: intTyOp1->getBitWidth();
args.push_back(V0);
args.push_back(V1);
} else {
max_size = 0;
}
}
} else {
if (!max_size) { continue; }
intTyOp0 = dyn_cast<IntegerType>(op0->getType());
intTyOp1 = dyn_cast<IntegerType>(op1->getType());
// _ExtInt() with non-8th values
if (max_size % 8) {
if (intTyOp0 && intTyOp1) {
max_size = (((max_size / 8) + 1) * 8);
do_cast = 1;
}
if (max_size > 128) {
if (!be_quiet) {
fprintf(stderr,
"Cannot handle this compare bit size: %u (truncating)\n",
max_size);
}
max_size = 128;
do_cast = 1;
}
// do we need to cast?
switch (max_size) {
case 8:
case 16:
case 32:
case 64:
case 128:
cast_size = max_size;
break;
default:
cast_size = 128;
do_cast = 1;
}
if (do_cast) {
// F*cking LLVM optimized out any kind of bitcasts of ConstantInt values
// creating illegal calls. WTF. So we have to work around this.
ConstantInt *cint = dyn_cast<ConstantInt>(op0);
if (cint) {
uint64_t val = cint->getZExtValue();
// fprintf(stderr, "ConstantInt: %lu\n", val);
ConstantInt *new_param = NULL;
switch (cast_size) {
case 8:
new_param = ConstantInt::get(Int8Ty, val);
break;
case 16:
new_param = ConstantInt::get(Int16Ty, val);
break;
case 32:
new_param = ConstantInt::get(Int32Ty, val);
break;
case 64:
new_param = ConstantInt::get(Int64Ty, val);
break;
case 128:
new_param = ConstantInt::get(Int128Ty, val);
break;
}
if (!new_param) { continue; }
args.push_back(new_param);
} else {
Value *V0 = IRB.CreateBitCast(op0, IntegerType::get(C, cast_size));
args.push_back(V0);
}
cint = dyn_cast<ConstantInt>(op1);
if (cint) {
uint64_t val = cint->getZExtValue();
ConstantInt *new_param = NULL;
switch (cast_size) {
case 8:
new_param = ConstantInt::get(Int8Ty, val);
break;
case 16:
new_param = ConstantInt::get(Int16Ty, val);
break;
case 32:
new_param = ConstantInt::get(Int32Ty, val);
break;
case 64:
new_param = ConstantInt::get(Int64Ty, val);
break;
case 128:
new_param = ConstantInt::get(Int128Ty, val);
break;
}
if (!new_param) { continue; }
args.push_back(new_param);
} else {
Value *V1 = IRB.CreateBitCast(op1, IntegerType::get(C, cast_size));
args.push_back(V1);
}
} else {
max_size = intTyOp0->getBitWidth() > intTyOp1->getBitWidth()
? intTyOp0->getBitWidth()
: intTyOp1->getBitWidth();
args.push_back(op0);
args.push_back(op1);
}
}
ConstantInt *attribute = ConstantInt::get(Int8Ty, attr);
args.push_back(attribute);
if (max_size < 8 || max_size > 64 || !intTyOp0 || !intTyOp1) continue;
if (cast_size != max_size) {
switch (max_size) {
ConstantInt *bitsize = ConstantInt::get(Int8Ty, (max_size / 8) - 1);
args.push_back(bitsize);
case 8:
IRB.CreateCall(cmplogHookIns1, args);
break;
case 16:
IRB.CreateCall(cmplogHookIns2, args);
break;
case 32:
IRB.CreateCall(cmplogHookIns4, args);
break;
case 64:
IRB.CreateCall(cmplogHookIns8, args);
break;
default:
break;
}
// fprintf(stderr, "_ExtInt(%u) castTo %u with attr %u didcast %u\n",
// max_size, cast_size, attr, do_cast);
switch (cast_size) {
case 8:
IRB.CreateCall(cmplogHookIns1, args);
break;
case 16:
IRB.CreateCall(cmplogHookIns2, args);
break;
case 32:
IRB.CreateCall(cmplogHookIns4, args);
break;
case 64:
IRB.CreateCall(cmplogHookIns8, args);
break;
case 128:
if (max_size == 128) {
IRB.CreateCall(cmplogHookIns16, args);
} else {
IRB.CreateCall(cmplogHookInsN, args);
}
break;
}
}
}
return true;
if (switches.size() || icomps.size())
return true;
else
return false;
}

55
src/afl-cc.c
View File

@ -528,10 +528,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/cmplog-routines-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/split-switches-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/cmplog-instructions-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/split-switches-pass.so", obj_path);
} else {
@ -541,6 +541,12 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-routines-pass.so", obj_path);
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-instructions-pass.so", obj_path);
// reuse split switches from laf
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
@ -548,12 +554,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] =
alloc_printf("%s/split-switches-pass.so", obj_path);
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-instructions-pass.so", obj_path);
}
cc_params[cc_par_cnt++] = "-fno-inline";
@ -792,10 +792,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
}
#if defined(USEMMAP)
#if !defined(__HAIKU__)
#if defined(USEMMAP) && !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt";
#endif
#endif
cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1";
@ -858,6 +856,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] =
"-D__AFL_COVERAGE_DISCARD()=__afl_coverage_discard()";
cc_params[cc_par_cnt++] = "-D__AFL_COVERAGE_ABORT()=__afl_coverage_abort()";
cc_params[cc_par_cnt++] =
"-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : "
"__afl_fuzz_alt_ptr)";
@ -967,10 +966,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
#endif
#if defined(USEMMAP)
#if !defined(__HAIKU__)
#if defined(USEMMAP) && !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt";
#endif
#endif
}
@ -1278,7 +1275,6 @@ int main(int argc, char **argv, char **envp) {
}
// this is a hidden option
if (strncasecmp(ptr2, "llvmnative", strlen("llvmnative")) == 0 ||
strncasecmp(ptr2, "llvm-native", strlen("llvm-native")) == 0) {
@ -1349,29 +1345,28 @@ int main(int argc, char **argv, char **envp) {
if (strncasecmp(ptr2, "ngram", strlen("ngram")) == 0) {
ptr2 += strlen("ngram");
while (*ptr2 && (*ptr2 < '0' || *ptr2 > '9'))
ptr2++;
u8 *ptr3 = ptr2 + strlen("ngram");
while (*ptr3 && (*ptr3 < '0' || *ptr3 > '9'))
ptr3++;
if (!*ptr2) {
if (!*ptr3) {
if ((ptr2 = getenv("AFL_LLVM_NGRAM_SIZE")) == NULL)
if ((ptr3 = getenv("AFL_LLVM_NGRAM_SIZE")) == NULL)
FATAL(
"you must set the NGRAM size with (e.g. for value 2) "
"AFL_LLVM_INSTRUMENT=ngram-2");
}
ngram_size = atoi(ptr2);
ngram_size = atoi(ptr3);
if (ngram_size < 2 || ngram_size > NGRAM_SIZE_MAX)
FATAL(
"NGRAM instrumentation option must be between 2 and "
"NGRAM_SIZE_MAX "
"(%u)",
"NGRAM_SIZE_MAX (%u)",
NGRAM_SIZE_MAX);
instrument_opt_mode |= (INSTRUMENT_OPT_NGRAM);
ptr2 = alloc_printf("%u", ngram_size);
setenv("AFL_LLVM_NGRAM_SIZE", ptr2, 1);
u8 *ptr4 = alloc_printf("%u", ngram_size);
setenv("AFL_LLVM_NGRAM_SIZE", ptr4, 1);
}
@ -1507,6 +1502,7 @@ int main(int argc, char **argv, char **envp) {
"((instrumentation/README.ngram.md)\n"
" INSTRIM: Dominator tree (for LLVM <= 6.0) "
"(instrumentation/README.instrim.md)\n\n");
#undef NATIVE_MSG
SAYF(
@ -1641,16 +1637,15 @@ int main(int argc, char **argv, char **envp) {
if (have_lto)
SAYF("afl-cc LTO with ld=%s %s\n", AFL_REAL_LD, AFL_CLANG_FLTO);
if (have_llvm)
SAYF("afl-cc LLVM version %d using binary path \"%s\".\n", LLVM_MAJOR,
SAYF("afl-cc LLVM version %d using the binary path \"%s\".\n", LLVM_MAJOR,
LLVM_BINDIR);
#endif
#if defined(USEMMAP)
#ifdef USEMMAP
#if !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt";
SAYF("Compiled with shm_open support (adds -lrt when linking).\n");
#else
SAYF("Compiled with shm_open support.\n");
#else
SAYF("Compiled with shm_open support (adds -lrt when linking).\n");
#endif
#else
SAYF("Compiled with shmat support.\n");

38
src/afl-fuzz-init.c
View File

@ -729,6 +729,30 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
add_to_queue(afl, fn2, st.st_size >= MAX_FILE ? MAX_FILE : st.st_size,
passed_det);
if (unlikely(afl->shm.cmplog_mode)) {
if (afl->cmplog_lvl == 1) {
if (!afl->cmplog_max_filesize ||
afl->cmplog_max_filesize < st.st_size) {
afl->cmplog_max_filesize = st.st_size;
}
} else if (afl->cmplog_lvl == 2) {
if (!afl->cmplog_max_filesize ||
afl->cmplog_max_filesize > st.st_size) {
afl->cmplog_max_filesize = st.st_size;
}
}
}
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
@ -756,6 +780,20 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
}
if (unlikely(afl->shm.cmplog_mode)) {
if (afl->cmplog_max_filesize < 1024) {
afl->cmplog_max_filesize = 1024;
} else {
afl->cmplog_max_filesize = (((afl->cmplog_max_filesize >> 10) + 1) << 10);
}
}
afl->last_path_time = 0;
afl->queued_at_start = afl->queued_paths;

81
src/afl-fuzz-one.c
View File

@ -165,7 +165,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) {
/* See if one-byte adjustments to any byte could produce this result. */
for (i = 0; i < blen; ++i) {
for (i = 0; (u8)i < blen; ++i) {
u8 a = old_val >> (8 * i), b = new_val >> (8 * i);
@ -193,7 +193,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) {
diffs = 0;
for (i = 0; i < blen / 2; ++i) {
for (i = 0; (u8)i < blen / 2; ++i) {
u16 a = old_val >> (16 * i), b = new_val >> (16 * i);
@ -290,7 +290,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) {
/* See if two-byte insertions over old_val could give us new_val. */
for (i = 0; (s32)i < blen - 1; ++i) {
for (i = 0; (u8)i < blen - 1; ++i) {
for (j = 0; j < sizeof(interesting_16) / 2; ++j) {
@ -545,14 +545,31 @@ u8 fuzz_one_original(afl_state_t *afl) {
else
orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
if (unlikely(perf_score == 0)) { goto abandon_entry; }
if (unlikely(perf_score <= 0)) { goto abandon_entry; }
if (unlikely(afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized)) {
if (unlikely(afl->shm.cmplog_mode &&
afl->queue_cur->colorized < afl->cmplog_lvl &&
(u32)len <= afl->cmplog_max_filesize)) {
if (input_to_state_stage(afl, in_buf, out_buf, len,
afl->queue_cur->exec_cksum)) {
if (unlikely(len < 4)) {
goto abandon_entry;
afl->queue_cur->colorized = 0xff;
} else {
if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
!(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 15000) {
if (input_to_state_stage(afl, in_buf, out_buf, len,
afl->queue_cur->exec_cksum)) {
goto abandon_entry;
}
}
}
@ -2796,7 +2813,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
}
s32 len, temp_len;
u32 len, temp_len;
u32 i;
u32 j;
u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0;
@ -2952,14 +2969,31 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
else
orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
if (unlikely(perf_score == 0)) { goto abandon_entry; }
if (unlikely(perf_score <= 0)) { goto abandon_entry; }
if (unlikely(afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized)) {
if (unlikely(afl->shm.cmplog_mode &&
afl->queue_cur->colorized < afl->cmplog_lvl &&
(u32)len <= afl->cmplog_max_filesize)) {
if (input_to_state_stage(afl, in_buf, out_buf, len,
afl->queue_cur->exec_cksum)) {
if (unlikely(len < 4)) {
goto abandon_entry;
afl->queue_cur->colorized = 0xff;
} else {
if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
!(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 15000) {
if (input_to_state_stage(afl, in_buf, out_buf, len,
afl->queue_cur->exec_cksum)) {
goto abandon_entry;
}
}
}
@ -3315,7 +3349,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) {
for (i = 0; i < len - 1; ++i) {
/* Let's consult the effector map... */
@ -3357,7 +3391,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) {
for (i = 0; i < len - 3; ++i) {
/* Let's consult the effector map... */
if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
@ -3489,7 +3523,7 @@ skip_bitflip:
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) {
for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16 *)(out_buf + i);
@ -3615,7 +3649,7 @@ skip_bitflip:
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) {
for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32 *)(out_buf + i);
@ -3805,7 +3839,7 @@ skip_arith:
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) {
for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16 *)(out_buf + i);
@ -3891,7 +3925,7 @@ skip_arith:
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) {
for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32 *)(out_buf + i);
@ -4120,7 +4154,7 @@ skip_user_extras:
/* See the comment in the earlier code; extras are sorted by size. */
if ((s32)(afl->a_extras[j].len) > (s32)(len - i) ||
if ((afl->a_extras[j].len) > (len - i) ||
!memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) ||
!memchr(eff_map + EFF_APOS(i), 1,
EFF_SPAN_ALEN(i, afl->a_extras[j].len))) {
@ -4837,7 +4871,7 @@ pacemaker_fuzzing:
u32 copy_from, copy_to, copy_len;
copy_len = choose_block_len(afl, new_len - 1);
if ((s32)copy_len > temp_len) copy_len = temp_len;
if (copy_len > temp_len) copy_len = temp_len;
copy_from = rand_below(afl, new_len - copy_len + 1);
copy_to = rand_below(afl, temp_len - copy_len + 1);
@ -5033,8 +5067,7 @@ pacemaker_fuzzing:
the last differing byte. Bail out if the difference is just a single
byte or so. */
locate_diffs(in_buf, new_buf, MIN(len, (s32)target->len), &f_diff,
&l_diff);
locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff);
if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) {

1
src/afl-fuzz-queue.c
View File

@ -433,6 +433,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
q->passed_det = passed_det;
q->trace_mini = NULL;
q->testcase_buf = NULL;
q->mother = afl->queue_cur;
#ifdef INTROSPECTION
q->bitsmap_size = afl->bitsmap_size;

1509
src/afl-fuzz-redqueen.c
View File

File diff suppressed because it is too large Load Diff

1
src/afl-fuzz-state.c
View File

@ -102,6 +102,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->stats_update_freq = 1;
afl->stats_avg_exec = 0;
afl->skip_deterministic = 1;
afl->cmplog_lvl = 1;
#ifndef NO_SPLICING
afl->use_splicing = 1;
#endif

60
src/afl-fuzz.c
View File

@ -77,13 +77,8 @@ static void at_exit() {
}
int kill_signal = SIGKILL;
/* AFL_KILL_SIGNAL should already be a valid int at this point */
if (getenv("AFL_KILL_SIGNAL")) {
kill_signal = atoi(getenv("AFL_KILL_SIGNAL"));
}
if ((ptr = getenv("AFL_KILL_SIGNAL"))) { kill_signal = atoi(ptr); }
if (pid1 > 0) { kill(pid1, kill_signal); }
if (pid2 > 0) { kill(pid2, kill_signal); }
@ -103,13 +98,14 @@ static void usage(u8 *argv0, int more_help) {
"Execution control settings:\n"
" -p schedule - power schedules compute a seed's performance score:\n"
" <fast(default), rare, exploit, seek, mmopt, coe, "
"explore,\n"
" lin, quad> -- see docs/power_schedules.md\n"
" fast(default), explore, exploit, seek, rare, mmopt, "
"coe, lin\n"
" quad -- see docs/power_schedules.md\n"
" -f file - location read by the fuzzed program (default: stdin "
"or @@)\n"
" -t msec - timeout for each run (auto-scaled, 50-%u ms)\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit)\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit "
"[default])\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
@ -125,7 +121,9 @@ static void usage(u8 *argv0, int more_help) {
" See docs/README.MOpt.md\n"
" -c program - enable CmpLog by specifying a binary compiled for "
"it.\n"
" if using QEMU, just use -c 0.\n\n"
" if using QEMU, just use -c 0.\n"
" -l cmplog_level - set the complexity/intensivity of CmpLog.\n"
" Values: 1 (default), 2 (intensive) and 3 (heavy)\n\n"
"Fuzzing behavior settings:\n"
" -Z - sequential queue selection instead of weighted "
@ -337,7 +335,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (get_afl_env("AFL_DEBUG")) { debug = afl->debug = 1; }
// map_size = get_map_size();
afl_state_init(afl, map_size);
afl->debug = debug;
afl_fsrv_init(&afl->fsrv);
@ -358,7 +355,8 @@ int main(int argc, char **argv_orig, char **envp) {
while ((opt = getopt(
argc, argv,
"+b:c:i:I:o:f:F:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:Z")) > 0) {
"+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:P:RQs:S:t:T:UV:Wx:Z")) >
0) {
switch (opt) {
@ -787,6 +785,26 @@ int main(int argc, char **argv_orig, char **envp) {
} break;
case 'l': {
afl->cmplog_lvl = atoi(optarg);
if (afl->cmplog_lvl < 1 || afl->cmplog_lvl > CMPLOG_LVL_MAX) {
FATAL(
"Bad complog level value, accepted values are 1 (default), 2 and "
"%u.",
CMPLOG_LVL_MAX);
}
if (afl->cmplog_lvl == CMPLOG_LVL_MAX) {
afl->cmplog_max_filesize = MAX_FILE;
}
} break;
case 'L': { /* MOpt mode */
if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); }
@ -1635,6 +1653,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->use_splicing) {
++afl->cycles_wo_finds;
if (unlikely(afl->shm.cmplog_mode &&
afl->cmplog_max_filesize < MAX_FILE)) {
afl->cmplog_max_filesize <<= 4;
}
switch (afl->expand_havoc) {
case 0:
@ -1652,6 +1678,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
afl->expand_havoc = 2;
if (afl->cmplog_lvl < 2) afl->cmplog_lvl = 2;
break;
case 2:
// if (!have_p) afl->schedule = EXPLOIT;
@ -1665,11 +1692,14 @@ int main(int argc, char **argv_orig, char **envp) {
afl->expand_havoc = 4;
break;
case 4:
// if not in sync mode, enable deterministic mode?
// if (!afl->sync_id) afl->skip_deterministic = 0;
afl->expand_havoc = 5;
if (afl->cmplog_lvl < 3) afl->cmplog_lvl = 3;
break;
case 5:
// if not in sync mode, enable deterministic mode?
if (!afl->sync_id) afl->skip_deterministic = 0;
afl->expand_havoc = 6;
case 6:
// nothing else currently
break;