ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

merge cmplog

Browse Source
This commit is contained in:
van Hauser
2021-01-15 16:56:40 +01:00
parent fba8790e32
commit a0e884cf8b
13 changed files with 2092 additions and 429 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
src/afl-cc.c
View File

@ -528,10 +528,10 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/cmplog-routines-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/split-switches-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/cmplog-instructions-pass.so", obj_path);
cc_params[cc_par_cnt++] = alloc_printf(
"-Wl,-mllvm=-load=%s/split-switches-pass.so", obj_path);
} else {
@ -541,6 +541,12 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-routines-pass.so", obj_path);
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-instructions-pass.so", obj_path);
// reuse split switches from laf
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
@ -548,12 +554,6 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] =
alloc_printf("%s/split-switches-pass.so", obj_path);
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] =
alloc_printf("%s/cmplog-instructions-pass.so", obj_path);
}
cc_params[cc_par_cnt++] = "-fno-inline";
@ -792,10 +792,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
}
#if defined(USEMMAP)
#if !defined(__HAIKU__)
#if defined(USEMMAP) && !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt";
#endif
#endif
cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1";
@ -858,6 +856,7 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] =
"-D__AFL_COVERAGE_DISCARD()=__afl_coverage_discard()";
cc_params[cc_par_cnt++] = "-D__AFL_COVERAGE_ABORT()=__afl_coverage_abort()";
cc_params[cc_par_cnt++] =
"-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : "
"__afl_fuzz_alt_ptr)";
@ -967,10 +966,8 @@ static void edit_params(u32 argc, char **argv, char **envp) {
alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path);
#endif
#if defined(USEMMAP)
#if !defined(__HAIKU__)
#if defined(USEMMAP) && !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt";
#endif
#endif
}
@ -1278,7 +1275,6 @@ int main(int argc, char **argv, char **envp) {
}
// this is a hidden option
if (strncasecmp(ptr2, "llvmnative", strlen("llvmnative")) == 0 ||
strncasecmp(ptr2, "llvm-native", strlen("llvm-native")) == 0) {
@ -1349,29 +1345,28 @@ int main(int argc, char **argv, char **envp) {
if (strncasecmp(ptr2, "ngram", strlen("ngram")) == 0) {
ptr2 += strlen("ngram");
while (*ptr2 && (*ptr2 < '0' || *ptr2 > '9'))
ptr2++;
u8 *ptr3 = ptr2 + strlen("ngram");
while (*ptr3 && (*ptr3 < '0' || *ptr3 > '9'))
ptr3++;
if (!*ptr2) {
if (!*ptr3) {
if ((ptr2 = getenv("AFL_LLVM_NGRAM_SIZE")) == NULL)
if ((ptr3 = getenv("AFL_LLVM_NGRAM_SIZE")) == NULL)
FATAL(
"you must set the NGRAM size with (e.g. for value 2) "
"AFL_LLVM_INSTRUMENT=ngram-2");
}
ngram_size = atoi(ptr2);
ngram_size = atoi(ptr3);
if (ngram_size < 2 || ngram_size > NGRAM_SIZE_MAX)
FATAL(
"NGRAM instrumentation option must be between 2 and "
"NGRAM_SIZE_MAX "
"(%u)",
"NGRAM_SIZE_MAX (%u)",
NGRAM_SIZE_MAX);
instrument_opt_mode |= (INSTRUMENT_OPT_NGRAM);
ptr2 = alloc_printf("%u", ngram_size);
setenv("AFL_LLVM_NGRAM_SIZE", ptr2, 1);
u8 *ptr4 = alloc_printf("%u", ngram_size);
setenv("AFL_LLVM_NGRAM_SIZE", ptr4, 1);
}
@ -1507,6 +1502,7 @@ int main(int argc, char **argv, char **envp) {
"((instrumentation/README.ngram.md)\n"
" INSTRIM: Dominator tree (for LLVM <= 6.0) "
"(instrumentation/README.instrim.md)\n\n");
#undef NATIVE_MSG
SAYF(
@ -1641,16 +1637,15 @@ int main(int argc, char **argv, char **envp) {
if (have_lto)
SAYF("afl-cc LTO with ld=%s %s\n", AFL_REAL_LD, AFL_CLANG_FLTO);
if (have_llvm)
SAYF("afl-cc LLVM version %d using binary path \"%s\".\n", LLVM_MAJOR,
SAYF("afl-cc LLVM version %d using the binary path \"%s\".\n", LLVM_MAJOR,
LLVM_BINDIR);
#endif
#if defined(USEMMAP)
#ifdef USEMMAP
#if !defined(__HAIKU__)
cc_params[cc_par_cnt++] = "-lrt";
SAYF("Compiled with shm_open support (adds -lrt when linking).\n");
#else
SAYF("Compiled with shm_open support.\n");
#else
SAYF("Compiled with shm_open support (adds -lrt when linking).\n");
#endif
#else
SAYF("Compiled with shmat support.\n");

38
src/afl-fuzz-init.c
View File

@ -729,6 +729,30 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
add_to_queue(afl, fn2, st.st_size >= MAX_FILE ? MAX_FILE : st.st_size,
passed_det);
if (unlikely(afl->shm.cmplog_mode)) {
if (afl->cmplog_lvl == 1) {
if (!afl->cmplog_max_filesize ||
afl->cmplog_max_filesize < st.st_size) {
afl->cmplog_max_filesize = st.st_size;
}
} else if (afl->cmplog_lvl == 2) {
if (!afl->cmplog_max_filesize ||
afl->cmplog_max_filesize > st.st_size) {
afl->cmplog_max_filesize = st.st_size;
}
}
}
if (unlikely(afl->schedule >= FAST && afl->schedule <= RARE)) {
u64 cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
@ -756,6 +780,20 @@ void read_testcases(afl_state_t *afl, u8 *directory) {
}
if (unlikely(afl->shm.cmplog_mode)) {
if (afl->cmplog_max_filesize < 1024) {
afl->cmplog_max_filesize = 1024;
} else {
afl->cmplog_max_filesize = (((afl->cmplog_max_filesize >> 10) + 1) << 10);
}
}
afl->last_path_time = 0;
afl->queued_at_start = afl->queued_paths;

81
src/afl-fuzz-one.c
View File

@ -165,7 +165,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) {
/* See if one-byte adjustments to any byte could produce this result. */
for (i = 0; i < blen; ++i) {
for (i = 0; (u8)i < blen; ++i) {
u8 a = old_val >> (8 * i), b = new_val >> (8 * i);
@ -193,7 +193,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) {
diffs = 0;
for (i = 0; i < blen / 2; ++i) {
for (i = 0; (u8)i < blen / 2; ++i) {
u16 a = old_val >> (16 * i), b = new_val >> (16 * i);
@ -290,7 +290,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) {
/* See if two-byte insertions over old_val could give us new_val. */
for (i = 0; (s32)i < blen - 1; ++i) {
for (i = 0; (u8)i < blen - 1; ++i) {
for (j = 0; j < sizeof(interesting_16) / 2; ++j) {
@ -545,14 +545,31 @@ u8 fuzz_one_original(afl_state_t *afl) {
else
orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
if (unlikely(perf_score == 0)) { goto abandon_entry; }
if (unlikely(perf_score <= 0)) { goto abandon_entry; }
if (unlikely(afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized)) {
if (unlikely(afl->shm.cmplog_mode &&
afl->queue_cur->colorized < afl->cmplog_lvl &&
(u32)len <= afl->cmplog_max_filesize)) {
if (input_to_state_stage(afl, in_buf, out_buf, len,
afl->queue_cur->exec_cksum)) {
if (unlikely(len < 4)) {
goto abandon_entry;
afl->queue_cur->colorized = 0xff;
} else {
if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
!(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 15000) {
if (input_to_state_stage(afl, in_buf, out_buf, len,
afl->queue_cur->exec_cksum)) {
goto abandon_entry;
}
}
}
@ -2796,7 +2813,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
}
s32 len, temp_len;
u32 len, temp_len;
u32 i;
u32 j;
u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0;
@ -2952,14 +2969,31 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
else
orig_perf = perf_score = calculate_score(afl, afl->queue_cur);
if (unlikely(perf_score == 0)) { goto abandon_entry; }
if (unlikely(perf_score <= 0)) { goto abandon_entry; }
if (unlikely(afl->shm.cmplog_mode && !afl->queue_cur->fully_colorized)) {
if (unlikely(afl->shm.cmplog_mode &&
afl->queue_cur->colorized < afl->cmplog_lvl &&
(u32)len <= afl->cmplog_max_filesize)) {
if (input_to_state_stage(afl, in_buf, out_buf, len,
afl->queue_cur->exec_cksum)) {
if (unlikely(len < 4)) {
goto abandon_entry;
afl->queue_cur->colorized = 0xff;
} else {
if (afl->cmplog_lvl == 3 ||
(afl->cmplog_lvl == 2 && afl->queue_cur->tc_ref) ||
!(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 15000) {
if (input_to_state_stage(afl, in_buf, out_buf, len,
afl->queue_cur->exec_cksum)) {
goto abandon_entry;
}
}
}
@ -3315,7 +3349,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) {
for (i = 0; i < len - 1; ++i) {
/* Let's consult the effector map... */
@ -3357,7 +3391,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) {
for (i = 0; i < len - 3; ++i) {
/* Let's consult the effector map... */
if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] &&
@ -3489,7 +3523,7 @@ skip_bitflip:
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) {
for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16 *)(out_buf + i);
@ -3615,7 +3649,7 @@ skip_bitflip:
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) {
for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32 *)(out_buf + i);
@ -3805,7 +3839,7 @@ skip_arith:
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 1; ++i) {
for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16 *)(out_buf + i);
@ -3891,7 +3925,7 @@ skip_arith:
orig_hit_cnt = new_hit_cnt;
for (i = 0; (s32)i < len - 3; ++i) {
for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32 *)(out_buf + i);
@ -4120,7 +4154,7 @@ skip_user_extras:
/* See the comment in the earlier code; extras are sorted by size. */
if ((s32)(afl->a_extras[j].len) > (s32)(len - i) ||
if ((afl->a_extras[j].len) > (len - i) ||
!memcmp(afl->a_extras[j].data, out_buf + i, afl->a_extras[j].len) ||
!memchr(eff_map + EFF_APOS(i), 1,
EFF_SPAN_ALEN(i, afl->a_extras[j].len))) {
@ -4837,7 +4871,7 @@ pacemaker_fuzzing:
u32 copy_from, copy_to, copy_len;
copy_len = choose_block_len(afl, new_len - 1);
if ((s32)copy_len > temp_len) copy_len = temp_len;
if (copy_len > temp_len) copy_len = temp_len;
copy_from = rand_below(afl, new_len - copy_len + 1);
copy_to = rand_below(afl, temp_len - copy_len + 1);
@ -5033,8 +5067,7 @@ pacemaker_fuzzing:
the last differing byte. Bail out if the difference is just a single
byte or so. */
locate_diffs(in_buf, new_buf, MIN(len, (s32)target->len), &f_diff,
&l_diff);
locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff);
if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) {

1
src/afl-fuzz-queue.c
View File

@ -433,6 +433,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
q->passed_det = passed_det;
q->trace_mini = NULL;
q->testcase_buf = NULL;
q->mother = afl->queue_cur;
#ifdef INTROSPECTION
q->bitsmap_size = afl->bitsmap_size;

1509
src/afl-fuzz-redqueen.c
View File

File diff suppressed because it is too large Load Diff

1
src/afl-fuzz-state.c
View File

@ -102,6 +102,7 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->stats_update_freq = 1;
afl->stats_avg_exec = 0;
afl->skip_deterministic = 1;
afl->cmplog_lvl = 1;
#ifndef NO_SPLICING
afl->use_splicing = 1;
#endif

60
src/afl-fuzz.c
View File

@ -77,13 +77,8 @@ static void at_exit() {
}
int kill_signal = SIGKILL;
/* AFL_KILL_SIGNAL should already be a valid int at this point */
if (getenv("AFL_KILL_SIGNAL")) {
kill_signal = atoi(getenv("AFL_KILL_SIGNAL"));
}
if ((ptr = getenv("AFL_KILL_SIGNAL"))) { kill_signal = atoi(ptr); }
if (pid1 > 0) { kill(pid1, kill_signal); }
if (pid2 > 0) { kill(pid2, kill_signal); }
@ -103,13 +98,14 @@ static void usage(u8 *argv0, int more_help) {
"Execution control settings:\n"
" -p schedule - power schedules compute a seed's performance score:\n"
" <fast(default), rare, exploit, seek, mmopt, coe, "
"explore,\n"
" lin, quad> -- see docs/power_schedules.md\n"
" fast(default), explore, exploit, seek, rare, mmopt, "
"coe, lin\n"
" quad -- see docs/power_schedules.md\n"
" -f file - location read by the fuzzed program (default: stdin "
"or @@)\n"
" -t msec - timeout for each run (auto-scaled, 50-%u ms)\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit)\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit "
"[default])\n"
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
@ -125,7 +121,9 @@ static void usage(u8 *argv0, int more_help) {
" See docs/README.MOpt.md\n"
" -c program - enable CmpLog by specifying a binary compiled for "
"it.\n"
" if using QEMU, just use -c 0.\n\n"
" if using QEMU, just use -c 0.\n"
" -l cmplog_level - set the complexity/intensivity of CmpLog.\n"
" Values: 1 (default), 2 (intensive) and 3 (heavy)\n\n"
"Fuzzing behavior settings:\n"
" -Z - sequential queue selection instead of weighted "
@ -337,7 +335,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (get_afl_env("AFL_DEBUG")) { debug = afl->debug = 1; }
// map_size = get_map_size();
afl_state_init(afl, map_size);
afl->debug = debug;
afl_fsrv_init(&afl->fsrv);
@ -358,7 +355,8 @@ int main(int argc, char **argv_orig, char **envp) {
while ((opt = getopt(
argc, argv,
"+b:c:i:I:o:f:F:m:t:T:dDnCB:S:M:x:QNUWe:p:s:V:E:L:hRP:Z")) > 0) {
"+b:B:c:CdDe:E:hi:I:f:F:l:L:m:M:nNo:p:P:RQs:S:t:T:UV:Wx:Z")) >
0) {
switch (opt) {
@ -787,6 +785,26 @@ int main(int argc, char **argv_orig, char **envp) {
} break;
case 'l': {
afl->cmplog_lvl = atoi(optarg);
if (afl->cmplog_lvl < 1 || afl->cmplog_lvl > CMPLOG_LVL_MAX) {
FATAL(
"Bad complog level value, accepted values are 1 (default), 2 and "
"%u.",
CMPLOG_LVL_MAX);
}
if (afl->cmplog_lvl == CMPLOG_LVL_MAX) {
afl->cmplog_max_filesize = MAX_FILE;
}
} break;
case 'L': { /* MOpt mode */
if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); }
@ -1635,6 +1653,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->use_splicing) {
++afl->cycles_wo_finds;
if (unlikely(afl->shm.cmplog_mode &&
afl->cmplog_max_filesize < MAX_FILE)) {
afl->cmplog_max_filesize <<= 4;
}
switch (afl->expand_havoc) {
case 0:
@ -1652,6 +1678,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
afl->expand_havoc = 2;
if (afl->cmplog_lvl < 2) afl->cmplog_lvl = 2;
break;
case 2:
// if (!have_p) afl->schedule = EXPLOIT;
@ -1665,11 +1692,14 @@ int main(int argc, char **argv_orig, char **envp) {
afl->expand_havoc = 4;
break;
case 4:
// if not in sync mode, enable deterministic mode?
// if (!afl->sync_id) afl->skip_deterministic = 0;
afl->expand_havoc = 5;
if (afl->cmplog_lvl < 3) afl->cmplog_lvl = 3;
break;
case 5:
// if not in sync mode, enable deterministic mode?
if (!afl->sync_id) afl->skip_deterministic = 0;
afl->expand_havoc = 6;
case 6:
// nothing else currently
break;