ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-15 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1821 from junwha0511/crashing-seeds-as-new-crash

Browse Source 
Implement an option for treating crashing seeds as new crash
This commit is contained in:
van Hauser
2023-08-09 14:39:25 +00:00
committed by GitHub
parent 7f3b0a9503 fcdfe9e990
commit b4bd33961c
6 changed files with 102 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/env_variables.md
View File

@ -365,6 +365,9 @@ checks or alter some of the more exotic semantics of the tool:
- `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which
does not allow crashes or timeout seeds in the initial -i corpus. does not allow crashes or timeout seeds in the initial -i corpus.
- `AFL_CRASHING_SEEDS_AS_NEW_CRASH` will treat crashing seeds as new crash. these
crashes will be written to crashes folder as op:dry_run, and orig:<seed_file_name>.
- `AFL_EXIT_ON_TIME` causes afl-fuzz to terminate if no new paths were found - `AFL_EXIT_ON_TIME` causes afl-fuzz to terminate if no new paths were found
within a specified period of time (in seconds). May be convenient for some within a specified period of time (in seconds). May be convenient for some
types of automated jobs. types of automated jobs.

3
include/afl-fuzz.h
View File

@ -1,3 +1,4 @@
/* /*
american fuzzy lop++ - fuzzer header american fuzzy lop++ - fuzzer header
------------------------------------ ------------------------------------
@ -408,7 +409,7 @@ typedef struct afl_env_vars {
*afl_max_det_extras, *afl_statsd_host, *afl_statsd_port, *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
*afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size, *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
*afl_testcache_entries, *afl_child_kill_signal, *afl_fsrv_kill_signal, *afl_testcache_entries, *afl_child_kill_signal, *afl_fsrv_kill_signal,
*afl_target_env, *afl_persistent_record, *afl_exit_on_time; *afl_target_env, *afl_persistent_record, *afl_exit_on_time, *afl_crashing_seeds_as_new_crash;
s32 afl_pizza_mode; s32 afl_pizza_mode;

1
include/envs.h
View File

@ -35,6 +35,7 @@ static char *afl_environment_variables[] = {
"AFL_COMPCOV_BINNAME", "AFL_COMPCOV_BINNAME",
"AFL_COMPCOV_LEVEL", "AFL_COMPCOV_LEVEL",
"AFL_CRASH_EXITCODE", "AFL_CRASH_EXITCODE",
"AFL_CRASHING_SEEDS_AS_NEW_CRASH",
"AFL_CUSTOM_MUTATOR_LIBRARY", "AFL_CUSTOM_MUTATOR_LIBRARY",
"AFL_CUSTOM_MUTATOR_ONLY", "AFL_CUSTOM_MUTATOR_ONLY",
"AFL_CUSTOM_INFO_PROGRAM", "AFL_CUSTOM_INFO_PROGRAM",

111
src/afl-fuzz-init.c
View File

@ -1057,9 +1057,18 @@ void perform_dry_run(afl_state_t *afl) {
fn, (int)(s8)afl->fsrv.crash_exitcode); fn, (int)(s8)afl->fsrv.crash_exitcode);
} else { } else {
if (afl->afl_env.afl_crashing_seeds_as_new_crash) {
WARNF(
"Test case '%s' results in a crash, "
"as AFL_CRASHING_SEEDS_AS_NEW_CRASH is set, "
"saving as a new crash", fn);
} else {
WARNF("Test case '%s' results in a crash, skipping", fn); WARNF("Test case '%s' results in a crash, skipping", fn);
}
} }
if (afl->afl_env.afl_exit_on_seed_issues) { if (afl->afl_env.afl_exit_on_seed_issues) {
@ -1078,38 +1087,94 @@ void perform_dry_run(afl_state_t *afl) {
} }
q->disabled = 1; /* Crashing seeds will be regarded as new crashes on startup */
q->perf_score = 0; if (afl->afl_env.afl_crashing_seeds_as_new_crash) {
++afl->total_crashes;
u32 i = 0; if (likely(!afl->non_instrumented_mode)) {
while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
afl->queue_buf[i]->disabled)) {
++i; classify_counts(&afl->fsrv);
simplify_trace(afl, afl->fsrv.trace_bits);
} if (!has_new_bits(afl, afl->virgin_crash)) { break; }
if (i < afl->queued_items && afl->queue_buf[i]) { }
afl->queue = afl->queue_buf[i];
if (unlikely(!afl->saved_crashes) &&
(afl->afl_env.afl_no_crash_readme != 1)) {
write_crash_readme(afl);
}
u8 crash_fn[PATH_MAX];
u8 *use_name = strstr(q->fname, ",orig:");
afl->stage_name = "dry_run";
afl->stage_short = "dry_run";
#ifndef SIMPLE_FILES
snprintf(crash_fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s%s", afl->out_dir,
afl->saved_crashes, afl->fsrv.last_kill_signal,
describe_op(afl, 0, NAME_MAX - strlen("id:000000,sig:00,") - strlen(use_name)), use_name);
#else
snprintf(crash_fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
afl->saved_crashes, afl->fsrv.last_kill_signal);
#endif
++afl->saved_crashes;
fd = open(crash_fn, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
if (unlikely(fd < 0)) { PFATAL("Unable to create '%s'", crash_fn); }
ck_write(fd, use_mem, read_len, crash_fn);
close(fd);
afl->last_crash_time = get_cur_time();
afl->last_crash_execs = afl->fsrv.total_execs;
} else { } else {
afl->queue = afl->queue_buf[0]; u32 i = 0;
while (unlikely(i < afl->queued_items && afl->queue_buf[i] &&
afl->queue_buf[i]->disabled)) {
++i;
}
if (i < afl->queued_items && afl->queue_buf[i]) {
afl->queue = afl->queue_buf[i];
} else {
afl->queue = afl->queue_buf[0];
}
afl->max_depth = 0;
for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
if (!afl->queue_buf[i]->disabled &&
afl->queue_buf[i]->depth > afl->max_depth)
afl->max_depth = afl->queue_buf[i]->depth;
}
} }
q->disabled = 1;
q->perf_score = 0;
afl->max_depth = 0; break;
for (i = 0; i < afl->queued_items && likely(afl->queue_buf[i]); i++) {
if (!afl->queue_buf[i]->disabled &&
afl->queue_buf[i]->depth > afl->max_depth)
afl->max_depth = afl->queue_buf[i]->depth;
}
break;
case FSRV_RUN_ERROR: case FSRV_RUN_ERROR:
FATAL("Unable to execute target application ('%s')", afl->argv[0]); FATAL("Unable to execute target application ('%s')", afl->argv[0]);

7
src/afl-fuzz-state.c
View File

@ -200,6 +200,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
afl->afl_env.afl_exit_on_time = afl->afl_env.afl_exit_on_time =
(u8 *)get_afl_env(afl_environment_variables[i]); (u8 *)get_afl_env(afl_environment_variables[i]);
} else if (!strncmp(env, "AFL_CRASHING_SEEDS_AS_NEW_CRASH",
afl_environment_variable_len)) {
afl->afl_env.afl_crashing_seeds_as_new_crash =
atoi((u8 *)get_afl_env(afl_environment_variables[i]));
} else if (!strncmp(env, "AFL_NO_AFFINITY", } else if (!strncmp(env, "AFL_NO_AFFINITY",
afl_environment_variable_len)) { afl_environment_variable_len)) {

2
src/afl-fuzz.c
View File

@ -1592,7 +1592,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; } if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; }
if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; } if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; }
if (get_afl_env("AFL_EXPAND_HAVOC_NOW")) { afl->expand_havoc = 1; } if (get_afl_env("AFL_EXPAND_HAVOC_NOW")) { afl->expand_havoc = 1; }
if (afl->afl_env.afl_autoresume) { if (afl->afl_env.afl_autoresume) {
afl->autoresume = 1; afl->autoresume = 1;