code format

This commit is contained in:
Andrea Fioraldi
2020-02-07 20:44:36 +01:00
parent 420b1aa859
commit aa2cb66ea2
8 changed files with 149 additions and 132 deletions


@ -6,6 +6,7 @@
#define h2g(x) ((uint64_t)(x)-guest_base) #define h2g(x) ((uint64_t)(x)-guest_base)
enum { enum {
R_EAX = 0, R_EAX = 0,
R_ECX = 1, R_ECX = 1,
R_EDX = 2, R_EDX = 2,
@ -31,6 +32,7 @@ enum {
R_CH = 5, R_CH = 5,
R_DH = 6, R_DH = 6,
R_BH = 7, R_BH = 7,
}; };
void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) { void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) {
@ -40,3 +42,4 @@ void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) {
printf("readed %ld bytes\n", r); printf("readed %ld bytes\n", r);
} }
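Review bot: The diagnostic in afl_persistent_hook, `printf("readed %ld bytes\n", r);`, has a typo in a user-visible string — the past tense of read is "read" — so it should be `printf("read %ld bytes\n", r);`. The declaration of `r` sits outside the hunk; if it holds the result of read(2) (a `ssize_t`) the exact specifier is `%zd`, since `%ld` only matches on LP64 targets and trips -Wformat elsewhere. The hook is invoked from the persistent loop (see the tcg call site in this commit), so this line prints on every iteration; if that is intended as debug output, a one-line comment saying so would help. The rest of afl_persistent_hook's body is outside the hunk.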


@ -6,16 +6,15 @@ int target_func(char *buf, int size) {
switch (buf[0]) { switch (buf[0]) {
case 1: case 1:
if (buf[1] == '\x44') { if (buf[1] == '\x44') { puts("a"); }
puts("a");
}
break; break;
case 0xff: case 0xff:
if (buf[2] == '\xff') { if (buf[2] == '\xff') {
if (buf[1] == '\x44') {
puts("b"); if (buf[1] == '\x44') { puts("b"); }
}
} }
break; break;
default: break; default: break;
@ -32,3 +31,4 @@ int main() {
target_func(data, 1024); target_func(data, 1024);
} }
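Review bot: On the new side of target_func, `case 0xff:` in the switch on `buf[0]` can never match where `char` is signed (x86 GCC/Clang): a 0xff byte in `buf[0]` promotes to int -1 while the label is 255, so the whole `puts("b")` path is dead. The sibling comparison already uses the char-literal form (`buf[2] == '\xff'`), so the label should be written the same way, `case '\xff':`, or the switch operand cast to `(unsigned char)` with the other comparisons adjusted to match. The function also never looks at its `size` parameter while indexing `buf[0]`..`buf[2]`; a guard such as `if (size < 3) return 0;` keeps the harness in bounds for short inputs (main passes 1024 here, but the return value convention is not visible in the hunk — confirm 0 is the right value). target_func's return and main's head are outside the hunk.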


@ -250,7 +250,9 @@ static void afl_setup(void) {
#ifdef AFL_QEMU_STATIC_BUILD #ifdef AFL_QEMU_STATIC_BUILD
fprintf(stderr, "[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when afl-qemu-trace is static\n"); fprintf(stderr,
"[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when "
"afl-qemu-trace is static\n");
exit(1); exit(1);
#else #else
@ -259,14 +261,22 @@ static void afl_setup(void) {
void *plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW); void *plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW);
if (!plib) { if (!plib) {
fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n", getenv("AFL_QEMU_PERSISTENT_HOOK"));
fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n",
getenv("AFL_QEMU_PERSISTENT_HOOK"));
exit(1); exit(1);
} }
afl_persistent_hook_ptr = dlsym(plib, "afl_persistent_hook"); afl_persistent_hook_ptr = dlsym(plib, "afl_persistent_hook");
if (!afl_persistent_hook_ptr) { if (!afl_persistent_hook_ptr) {
fprintf(stderr, "[AFL] ERROR: failed to find the function \"afl_persistent_hook\" in %s\n", getenv("AFL_QEMU_PERSISTENT_HOOK"));
fprintf(stderr,
"[AFL] ERROR: failed to find the function "
"\"afl_persistent_hook\" in %s\n",
getenv("AFL_QEMU_PERSISTENT_HOOK"));
exit(1); exit(1);
} }
#endif #endif
@ -402,9 +412,12 @@ static void afl_forkserver(CPUState *cpu) {
if (WIFSTOPPED(status)) if (WIFSTOPPED(status))
child_stopped = 1; child_stopped = 1;
else if (unlikely(first_run && is_persistent)) { else if (unlikely(first_run && is_persistent)) {
fprintf(stderr, "[AFL] ERROR: no persistent iteration executed\n"); fprintf(stderr, "[AFL] ERROR: no persistent iteration executed\n");
exit(12); // Persistent is wrong exit(12); // Persistent is wrong
} }
first_run = 0; first_run = 0;
if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7); if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);
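Review bot: `dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW)` in afl_setup resolves a bare filename (one without a `/`) through the dynamic loader's search path rather than the current directory, so a user who passes `hook.so` either hits the "invalid AFL_QEMU_PERSISTENT_HOOK" error with no hint why, or silently loads a same-named library found elsewhere on LD_LIBRARY_PATH. Worth a comment above the call, `/* no '/' in the name means dlopen searches the loader path, not cwd: use ./hook.so or an absolute path */`, and both failure messages should include `dlerror()` so the cause is visible, e.g. `fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s: %s\n", getenv("AFL_QEMU_PERSISTENT_HOOK"), dlerror());`. The `getenv` is repeated in each message; caching it once in a local would also avoid a NULL `%s` if the variable were ever unset between calls. afl_setup's head and the check that the variable is set are outside the hunk.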


@ -153,14 +153,12 @@ static void afl_cmplog_64(target_ulong cur_loc, target_ulong arg1,
} }
static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2, static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
TCGMemOp ot, int is_imm) { TCGMemOp ot, int is_imm) {
void *func; void *func;
if (cur_loc > afl_end_code || cur_loc < afl_start_code) if (cur_loc > afl_end_code || cur_loc < afl_start_code) return;
return;
if (__afl_cmp_map) { if (__afl_cmp_map) {
@ -254,7 +252,6 @@ static void log_x86_sp_content(void) {
}*/ }*/
static void callback_to_persistent_hook(void) { static void callback_to_persistent_hook(void) {
afl_persistent_hook_ptr(persistent_saved_gpr, guest_base); afl_persistent_hook_ptr(persistent_saved_gpr, guest_base);
@ -288,8 +285,7 @@ static void i386_restore_state_for_persistent(TCGv* cpu_regs) {
tcg_gen_afl_call0(&afl_persistent_loop); tcg_gen_afl_call0(&afl_persistent_loop);
if (afl_persistent_hook_ptr) if (afl_persistent_hook_ptr) tcg_gen_afl_call0(callback_to_persistent_hook);
tcg_gen_afl_call0(callback_to_persistent_hook);
// restore GRP registers // restore GRP registers
for (i = 0; i < CPU_NB_REGS; ++i) { for (i = 0; i < CPU_NB_REGS; ++i) {


@ -122,8 +122,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
while ((rng = pop_biggest_range(&ranges)) != NULL && stage_cur) { while ((rng = pop_biggest_range(&ranges)) != NULL && stage_cur) {
u32 s = rng->end - rng->start; u32 s = rng->end - rng->start;
if (s == 0) if (s == 0) goto empty_range;
goto empty_range;
memcpy(backup, buf + rng->start, s); memcpy(backup, buf + rng->start, s);
rand_replace(buf + rng->start, s); rand_replace(buf + rng->start, s);
@ -137,7 +136,9 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end); ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end);
memcpy(buf + rng->start, backup, s); memcpy(buf + rng->start, backup, s);
} else needs_write = 1; } else
needs_write = 1;
empty_range: empty_range:
ck_free(rng); ck_free(rng);
@ -310,12 +311,14 @@ void try_to_add_to_dict(u64 v, u8 shape) {
u8 cons_ff = 0, cons_0 = 0; u8 cons_ff = 0, cons_0 = 0;
for (k = 0; k < shape; ++k) { for (k = 0; k < shape; ++k) {
if (b[k] == 0) ++cons_0; if (b[k] == 0)
else if (b[k] == 0xff) ++cons_0; ++cons_0;
else cons_0 = cons_ff = 0; else if (b[k] == 0xff)
++cons_0;
else
cons_0 = cons_ff = 0;
if (cons_0 > 1 || cons_ff > 1) if (cons_0 > 1 || cons_ff > 1) return;
return;
} }
@ -323,6 +326,7 @@ void try_to_add_to_dict(u64 v, u8 shape) {
u64 rev; u64 rev;
switch (shape) { switch (shape) {
case 1: break; case 1: break;
case 2: case 2:
rev = SWAP16((u16)v); rev = SWAP16((u16)v);
@ -336,6 +340,7 @@ void try_to_add_to_dict(u64 v, u8 shape) {
rev = SWAP64(v); rev = SWAP64(v);
maybe_add_auto((u8*)&rev, shape); maybe_add_auto((u8*)&rev, shape);
break; break;
} }
} }
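Review bot: In try_to_add_to_dict the `0xff` branch of the byte loop increments the wrong counter — `else if (b[k] == 0xff) ++cons_0;` — so `cons_ff` is never raised above zero, the `cons_ff > 1` early return is dead, and runs of 0xff bytes are counted as zero runs instead (a 00 byte followed by an ff byte already trips the threshold). The formatting pass carried this across unchanged; the line should be `++cons_ff;`. A short comment on the loop, `/* skip values made of two or more consecutive 0x00 or 0xff bytes: they are padding, not useful tokens */`, would state the intent the check is enforcing. The function's head is outside the hunk.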