code format

examples/qemu_persistent_hook/read_into_rdi.c

@@ -2,35 +2,37 @@
 #include <stdio.h>
 #include <unistd.h>
 
-#define g2h(x) ((void *)((unsigned long)(x) + guest_base))
+#define g2h(x) ((void*)((unsigned long)(x) + guest_base))
-#define h2g(x) ((uint64_t)(x) - guest_base)
+#define h2g(x) ((uint64_t)(x)-guest_base)
 
 enum {
-    R_EAX = 0,
-    R_ECX = 1,
-    R_EDX = 2,
-    R_EBX = 3,
-    R_ESP = 4,
-    R_EBP = 5,
-    R_ESI = 6,
-    R_EDI = 7,
-    R_R8 = 8,
-    R_R9 = 9,
-    R_R10 = 10,
-    R_R11 = 11,
-    R_R12 = 12,
-    R_R13 = 13,
-    R_R14 = 14,
-    R_R15 = 15,
 
-    R_AL = 0,
+  R_EAX = 0,
-    R_CL = 1,
+  R_ECX = 1,
-    R_DL = 2,
+  R_EDX = 2,
-    R_BL = 3,
+  R_EBX = 3,
-    R_AH = 4,
+  R_ESP = 4,
-    R_CH = 5,
+  R_EBP = 5,
-    R_DH = 6,
+  R_ESI = 6,
-    R_BH = 7,
+  R_EDI = 7,
+  R_R8 = 8,
+  R_R9 = 9,
+  R_R10 = 10,
+  R_R11 = 11,
+  R_R12 = 12,
+  R_R13 = 13,
+  R_R14 = 14,
+  R_R15 = 15,
+
+  R_AL = 0,
+  R_CL = 1,
+  R_DL = 2,
+  R_BL = 3,
+  R_AH = 4,
+  R_CH = 5,
+  R_DH = 6,
+  R_BH = 7,
+
 };
 
 void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) {
@@ -40,3 +42,4 @@ void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) {
   printf("readed %ld bytes\n", r);
 
 }
+

examples/qemu_persistent_hook/test.c

@@ -6,16 +6,15 @@ int target_func(char *buf, int size) {
   switch (buf[0]) {
 
     case 1:
-      if (buf[1] == '\x44') {
+      if (buf[1] == '\x44') { puts("a"); }
-        puts("a");
-      }
       break;
     case 0xff:
       if (buf[2] == '\xff') {
-        if (buf[1] == '\x44') {
+
-          puts("b");
+        if (buf[1] == '\x44') { puts("b"); }
-        }
+
       }
+
       break;
     default: break;
 
@@ -32,3 +31,4 @@ int main() {
   target_func(data, 1024);
 
 }
+

qemu_mode/patches/afl-qemu-common.h

@@ -59,7 +59,7 @@
 #define INC_AFL_AREA(loc) afl_area_ptr[loc]++
 #endif
 
-typedef void (*afl_persistent_hook_fn)(uint64_t* regs, uint64_t guest_base);
+typedef void (*afl_persistent_hook_fn)(uint64_t *regs, uint64_t guest_base);
 
 /* Declared in afl-qemu-cpu-inl.h */
 
@@ -81,7 +81,7 @@ extern afl_persistent_hook_fn afl_persistent_hook_ptr;
 
 extern __thread abi_ulong afl_prev_loc;
 
-extern struct cmp_map* __afl_cmp_map;
+extern struct cmp_map *__afl_cmp_map;
 extern __thread u32    __afl_cmp_counter;
 
 void afl_debug_dump_saved_regs();

qemu_mode/patches/afl-qemu-cpu-inl.h

@@ -82,7 +82,7 @@ u8 afl_compcov_level;
 
 __thread abi_ulong afl_prev_loc;
 
-struct cmp_map* __afl_cmp_map;
+struct cmp_map *__afl_cmp_map;
 __thread u32    __afl_cmp_counter;
 
 /* Set in the child process in forkserver mode: */
@@ -188,7 +188,7 @@ static void afl_setup(void) {
 
   }
 
-  if (getenv("___AFL_EINS_ZWEI_POLIZEI___")) { // CmpLog forkserver
+  if (getenv("___AFL_EINS_ZWEI_POLIZEI___")) {  // CmpLog forkserver
 
     id_str = getenv(CMPLOG_SHM_ENV_VAR);
 
@@ -198,7 +198,7 @@ static void afl_setup(void) {
 
       __afl_cmp_map = shmat(shm_id, NULL, 0);
 
-      if (__afl_cmp_map == (void*)-1) exit(1);
+      if (__afl_cmp_map == (void *)-1) exit(1);
 
     }
 
@@ -250,23 +250,33 @@ static void afl_setup(void) {
 
 #ifdef AFL_QEMU_STATIC_BUILD
 
-    fprintf(stderr, "[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when afl-qemu-trace is static\n");
+    fprintf(stderr,
+            "[AFL] ERROR: you cannot use AFL_QEMU_PERSISTENT_HOOK when "
+            "afl-qemu-trace is static\n");
     exit(1);
 
 #else
 
     persistent_save_gpr = 1;
 
-    void* plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW);
+    void *plib = dlopen(getenv("AFL_QEMU_PERSISTENT_HOOK"), RTLD_NOW);
     if (!plib) {
-      fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n", getenv("AFL_QEMU_PERSISTENT_HOOK"));
+
+      fprintf(stderr, "[AFL] ERROR: invalid AFL_QEMU_PERSISTENT_HOOK=%s\n",
+              getenv("AFL_QEMU_PERSISTENT_HOOK"));
       exit(1);
+
     }
 
     afl_persistent_hook_ptr = dlsym(plib, "afl_persistent_hook");
     if (!afl_persistent_hook_ptr) {
-      fprintf(stderr, "[AFL] ERROR: failed to find the function \"afl_persistent_hook\" in %s\n", getenv("AFL_QEMU_PERSISTENT_HOOK"));
+
+      fprintf(stderr,
+              "[AFL] ERROR: failed to find the function "
+              "\"afl_persistent_hook\" in %s\n",
+              getenv("AFL_QEMU_PERSISTENT_HOOK"));
       exit(1);
+
     }
 
 #endif
@@ -402,9 +412,12 @@ static void afl_forkserver(CPUState *cpu) {
     if (WIFSTOPPED(status))
       child_stopped = 1;
     else if (unlikely(first_run && is_persistent)) {
+
       fprintf(stderr, "[AFL] ERROR: no persistent iteration executed\n");
       exit(12);  // Persistent is wrong
+
     }
+
     first_run = 0;
 
     if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);

qemu_mode/patches/afl-qemu-cpu-translate-inl.h

@@ -153,14 +153,12 @@ static void afl_cmplog_64(target_ulong cur_loc, target_ulong arg1,
 
 }
 
-
 static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,
                             TCGMemOp ot, int is_imm) {
 
   void *func;
 
-  if (cur_loc > afl_end_code || cur_loc < afl_start_code)
+  if (cur_loc > afl_end_code || cur_loc < afl_start_code) return;
-    return;
 
   if (__afl_cmp_map) {
 
@@ -254,14 +252,13 @@ static void log_x86_sp_content(void) {
 
 }*/
 
-
 static void callback_to_persistent_hook(void) {
 
   afl_persistent_hook_ptr(persistent_saved_gpr, guest_base);
 
 }
 
-static void i386_restore_state_for_persistent(TCGv* cpu_regs) {
+static void i386_restore_state_for_persistent(TCGv *cpu_regs) {
 
   if (persistent_save_gpr) {
 
@@ -288,8 +285,7 @@ static void i386_restore_state_for_persistent(TCGv* cpu_regs) {
 
     tcg_gen_afl_call0(&afl_persistent_loop);
 
-    if (afl_persistent_hook_ptr)
+    if (afl_persistent_hook_ptr) tcg_gen_afl_call0(callback_to_persistent_hook);
-      tcg_gen_afl_call0(callback_to_persistent_hook);
 
     // restore GRP registers
     for (i = 0; i < CPU_NB_REGS; ++i) {

src/afl-fuzz-redqueen.c

@@ -122,8 +122,7 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
   while ((rng = pop_biggest_range(&ranges)) != NULL && stage_cur) {
 
     u32 s = rng->end - rng->start;
-    if (s == 0)
+    if (s == 0) goto empty_range;
-      goto empty_range;
 
     memcpy(backup, buf + rng->start, s);
     rand_replace(buf + rng->start, s);
@@ -137,9 +136,11 @@ u8 colorization(u8* buf, u32 len, u32 exec_cksum) {
       ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end);
       memcpy(buf + rng->start, backup, s);
 
-    } else needs_write = 1;
+    } else
 
-empty_range:
+      needs_write = 1;
+
+  empty_range:
     ck_free(rng);
     --stage_cur;
 
@@ -169,7 +170,7 @@ empty_range:
 
     } else {
 
-      unlink(queue_cur->fname);                                    /* ignore errors */
+      unlink(queue_cur->fname);                            /* ignore errors */
       fd = open(queue_cur->fname, O_WRONLY | O_CREAT | O_EXCL, 0600);
 
     }
@@ -177,7 +178,7 @@ empty_range:
     if (fd < 0) PFATAL("Unable to create '%s'", queue_cur->fname);
 
     ck_write(fd, buf, len, queue_cur->fname);
-    queue_cur->len = len; // no-op, just to be 100% safe
+    queue_cur->len = len;  // no-op, just to be 100% safe
 
     close(fd);
 
@@ -307,15 +308,17 @@ void try_to_add_to_dict(u64 v, u8 shape) {
   u8* b = (u8*)&v;
 
   u32 k;
-  u8 cons_ff = 0, cons_0 = 0;
+  u8  cons_ff = 0, cons_0 = 0;
   for (k = 0; k < shape; ++k) {
 
-    if (b[k] == 0) ++cons_0;
+    if (b[k] == 0)
-    else if (b[k] == 0xff) ++cons_0;
+      ++cons_0;
-    else cons_0 = cons_ff = 0;
+    else if (b[k] == 0xff)
+      ++cons_0;
+    else
+      cons_0 = cons_ff = 0;
 
-    if (cons_0 > 1 || cons_ff > 1)
+    if (cons_0 > 1 || cons_ff > 1) return;
-      return;
 
   }
 
@@ -323,6 +326,7 @@ void try_to_add_to_dict(u64 v, u8 shape) {
 
   u64 rev;
   switch (shape) {
+
     case 1: break;
     case 2:
       rev = SWAP16((u16)v);
@@ -336,6 +340,7 @@ void try_to_add_to_dict(u64 v, u8 shape) {
       rev = SWAP64(v);
       maybe_add_auto((u8*)&rev, shape);
       break;
+
   }
 
 }

src/afl-fuzz-stats.c

@@ -334,9 +334,9 @@ void show_stats(void) {
 
   /* Lord, forgive me this. */
 
-  SAYF(SET_G1 bSTG bLT bH bSTOP                         cCYA
+  SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
        " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
-       " overall results " bSTG bH2 bH2                 bRT "\n");
+       " overall results " bSTG bH2 bH2 bRT "\n");
 
   if (dumb_mode) {
 
@@ -413,9 +413,9 @@ void show_stats(void) {
                 "   uniq hangs : " cRST "%-6s" bSTG         bV "\n",
        DTD(cur_ms, last_hang_time), tmp);
 
-  SAYF(bVR bH bSTOP                                          cCYA
+  SAYF(bVR bH bSTOP            cCYA
        " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA
-       " map coverage " bSTG bH bHT bH20 bH2                 bVL "\n");
+       " map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
 
   /* This gets funny because we want to print several variable-length variables
      together, but then cram them into a fixed-width field - so we need to
@@ -443,9 +443,9 @@ void show_stats(void) {
 
   SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp);
 
-  SAYF(bVR bH bSTOP                                         cCYA
+  SAYF(bVR bH bSTOP            cCYA
        " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
-       " findings in depth " bSTG bH10 bH5 bH2 bH2          bVL "\n");
+       " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
 
   sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored),
           ((double)queued_favored) * 100 / queued_paths);
@@ -514,7 +514,7 @@ void show_stats(void) {
 
   /* Aaaalmost there... hold on! */
 
-  SAYF(bVR bH cCYA                                                     bSTOP
+  SAYF(bVR bH cCYA                      bSTOP
        " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
        " path geometry " bSTG bH5 bH2 bVL "\n");