afl-fuzz mutation documentation feature

2025-06-14 11:08:06 +00:00 · 2019-09-22 13:21:15 +02:00
parent f097f780af
commit b4ca95a9fa
7 changed files with 55 additions and 0 deletions
--- a/7
+++ b/7
@ -92,6 +92,8 @@ help:
 	@echo "distrib: everything (for both binary-only and source code fuzzing)"
 	@echo "install: installs everything you have compiled with the build option above"
 	@echo "clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well"
+	@echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
+	@echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
 	@echo "help: shows these build options :-)"
 	@echo "=========================================="
 	@echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
@ -176,6 +178,11 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)


+# document all mutations and only do one run (use with only one input file!)
+document: include/afl-fuzz.h $(AFL_FUZZ_FILES) afl-common.o afl-sharedmem.o afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS afl-common.o afl-sharedmem.o afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
+
+
 code-format:
 	./.custom-format.py -i src/*.c
 	./.custom-format.py -i include/*.h
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@ -27,6 +27,8 @@ Version ++2.54d (dev):
  - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
  - added "make tests" which will perform checks to see that all functionality
    is working as expected. this is currently the starting point, its not complete :)
+  - added mutation documentation feature ("make document"), creates afl-fuzz-document
+    and saves all mutations of the first run on the first file into out/queue/mutations
  - libtokencap and libdislocator now compile to the afl_root directory and are
    installed to the .../lib/afl directory when present during make install
  - reducing duplicate code in afl-fuzz
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -682,5 +682,10 @@ static u64 get_cur_time_us(void) {

 }

+#ifdef _AFL_DOCUMENT_MUTATIONS
+  extern u8 do_document;
+  extern u32 document_counter;
+#endif
+
 #endif

--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@ -259,3 +259,7 @@ PyObject *py_functions[PY_FUNC_COUNT];

 #endif

+#ifdef _AFL_DOCUMENT_MUTATIONS
+  u8 do_document;
+  u32 document_counter;
+#endif
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@ -4231,6 +4231,7 @@ pacemaker_fuzzing:

 #define core_fuzzing(a) common_fuzzing((a), MOpt_globals_core)

+
 void pso_updating(void) {

  g_now += 1;
@ -4310,6 +4311,22 @@ void pso_updating(void) {
 u8 fuzz_one(char** argv) {

  int key_val_lv = 0;
+
+#ifdef _AFL_DOCUMENT_MUTATIONS
+  if (do_document == 0) {
+    char *fn = alloc_printf("%s/mutations", out_dir);
+    if (fn) {
+      do_document = mkdir(fn, 0700); // if it exists we do not care
+      do_document = 1;
+      ck_free(fn);
+    } else
+      PFATAL("malloc()");
+  } else {
+    do_document = 2;
+    stop_soon = 2;
+  }
+#endif
+
  if (limit_time_sig == 0) {

    key_val_lv = fuzz_one_original(argv);
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@ -251,6 +251,18 @@ void write_to_testcase(void* mem, u32 len) {

  s32 fd = out_fd;

+#ifdef _AFL_DOCUMENT_MUTATIONS
+  s32 doc_fd;
+  char *fn = alloc_printf("%s/mutations/%09u:%s", out_dir, document_counter++, describe_op(0));
+  if (fn != NULL) {
+    if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) {
+      if (write(doc_fd, mem, len) != len) PFATAL("write to mutation file failed: %s", fn);
+      close(doc_fd);
+    }
+    ck_free(fn);
+  }
+#endif
+
  if (out_file) {

    // unlink(out_file);                                     /* Ignore errors.
--- a/test/test.sh
+++ b/test/test.sh
@ -27,10 +27,18 @@ test -z "$ECHO" && { echo Error: echo command does not support -e option ; exit

 export AFL_EXIT_WHEN_DONE=1
 export AFL_SKIP_CPUFREQ=1
+unset AFL_QUIET
 unset AFL_DEBUG
 unset AFL_HARDEN
+unset AFL_USE_ASAN
+unset AFL_USE_MSAN
+unset AFL_CC
+unset AFL_PRELOAD
 unset AFL_LLVM_WHITELIST
 unset AFL_LLVM_INSTRIM
+unset AFL_LLVM_LAF_SPLIT_SWITCHES
+unset AFL_LLVM_LAF_TRANSFORM_COMPARES
+unset AFL_LLVM_LAF_SPLIT_COMPARES

 GREY="\\x1b[1;90m"
 BLUE="\\x1b[1;94m"