code format

Dominik Maier 2020-03-19 19:23:58 +01:00
parent 51a346bcbe
commit b6fa63abdf
13 changed files with 74 additions and 54 deletions


@ -109,7 +109,8 @@
#define CASE_PREFIX "id_" #define CASE_PREFIX "id_"
#endif /* ^!SIMPLE_FILES */ #endif /* ^!SIMPLE_FILES */
#define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state */ #define STAGE_BUF_SIZE (64) /* usable size of the stage name buf in afl_state \
*/
extern s8 interesting_8[INTERESTING_8_LEN]; extern s8 interesting_8[INTERESTING_8_LEN];
extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN]; extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
@ -542,7 +543,7 @@ typedef struct afl_state {
/* cmplog forkserver ids */ /* cmplog forkserver ids */
s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
u32 cmplog_prev_timed_out; u32 cmplog_prev_timed_out;
u8 describe_op_buf_256[256]; /* describe_op will use this to return a string u8 describe_op_buf_256[256]; /* describe_op will use this to return a string
up to 256 */ up to 256 */
@ -559,13 +560,13 @@ typedef struct afl_state {
#endif #endif
/* statis file */ /* statis file */
double last_bitmap_cvg, last_stability, last_eps; double last_bitmap_cvg, last_stability, last_eps;
/* plot file saves from last run */ /* plot file saves from last run */
u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md; u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md;
u64 plot_prev_qc, plot_prev_uc, plot_prev_uh; u64 plot_prev_qc, plot_prev_uc, plot_prev_uh;
u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs; u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs;
double stats_avg_exec; double stats_avg_exec;
u8 clean_trace[MAP_SIZE]; u8 clean_trace[MAP_SIZE];
@ -800,9 +801,9 @@ u8 has_new_bits(afl_state_t *, u8 *);
/* Misc */ /* Misc */
u8 *DI(u64); u8 * DI(u64);
u8 *DF(double); u8 * DF(double);
u8 *DMS(u64); u8 * DMS(u64);
void DTD(u8 *, size_t, u64, u64); void DTD(u8 *, size_t, u64, u64);
/* Extras */ /* Extras */
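Review bot: The pointer declarator spacing the formatter produced in the prototype block, `u8 * DI(u64);` / `u8 * DF(double);` / `u8 * DMS(u64);`, detaches the `*` from both the type and the name, which matches neither the `u8 *fn, *off;` form kept in the find_start_position section nor the rest of this header; the same output shows up as `void * ptr1 = g2h(stack[0]);` in the afl_cmplog_rtn section. This looks like the formatter deriving pointer alignment per file from mixed existing usage rather than a deliberate choice; pinning `PointerAlignment: Right` together with `DerivePointerAlignment: false` in the .clang-format would keep `u8 *DI(u64);` as it was. Separately, wrapping the trailing comment on the STAGE_BUF_SIZE line left a `\` continuation inside the comment with a bare `*/` on the next line; moving that comment onto the line above the `#define` avoids the fragile layout.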


@ -185,8 +185,8 @@ void HELPER(afl_cmplog_rtn)(CPUArchState *env) {
if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return; if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return;
// when this hook is executed, the retaddr is not on stack yet // when this hook is executed, the retaddr is not on stack yet
void *ptr1 = g2h(stack[0]); void * ptr1 = g2h(stack[0]);
void *ptr2 = g2h(stack[1]); void * ptr2 = g2h(stack[1]);
#else #else


@ -168,7 +168,7 @@ void afl_fsrv_init(afl_forkserver_t *fsrv) {
static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) { static void afl_fauxsrv_execv(afl_forkserver_t *fsrv, char **argv) {
unsigned char tmp[4] = {0}; unsigned char tmp[4] = {0};
pid_t child_pid = -1; pid_t child_pid = -1;
/* Phone home and tell the parent that we're OK. If parent isn't there, /* Phone home and tell the parent that we're OK. If parent isn't there,
assume we're not running in forkserver mode and just execute program. */ assume we're not running in forkserver mode and just execute program. */


@ -32,9 +32,9 @@
void init_cmplog_forkserver(afl_state_t *afl) { void init_cmplog_forkserver(afl_state_t *afl) {
struct timeval timeout; struct timeval timeout;
int st_pipe[2], ctl_pipe[2]; int st_pipe[2], ctl_pipe[2];
int status; int status;
s32 rlen; s32 rlen;
ACTF("Spinning up the cmplog fork server..."); ACTF("Spinning up the cmplog fork server...");
@ -373,9 +373,9 @@ void init_cmplog_forkserver(afl_state_t *afl) {
u8 run_cmplog_target(afl_state_t *afl, u32 timeout) { u8 run_cmplog_target(afl_state_t *afl, u32 timeout) {
struct timeval it; struct timeval it;
int status = 0; int status = 0;
int sret; int sret;
u64 exec_ms; u64 exec_ms;
u32 tb4; u32 tb4;
s32 res; s32 res;
@ -394,7 +394,8 @@ u8 run_cmplog_target(afl_state_t *afl, u32 timeout) {
/* Since we always have a forkserver (or a fauxserver) running, we can simply /* Since we always have a forkserver (or a fauxserver) running, we can simply
tell them to have at it and read back the pid from it.*/ tell them to have at it and read back the pid from it.*/
if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) != 4) { if ((res = write(afl->cmplog_fsrv_ctl_fd, &afl->cmplog_prev_timed_out, 4)) !=
4) {
if (afl->stop_soon) return 0; if (afl->stop_soon) return 0;
RPFATAL(res, RPFATAL(res,


@ -797,7 +797,7 @@ void pivot_inputs(afl_state_t *afl) {
u32 find_start_position(afl_state_t *afl) { u32 find_start_position(afl_state_t *afl) {
u8 tmp[4096] = {0}; /* Ought to be enough for anybody. */ u8 tmp[4096] = {0}; /* Ought to be enough for anybody. */
u8 *fn, *off; u8 *fn, *off;
s32 fd, i; s32 fd, i;
@ -834,7 +834,7 @@ u32 find_start_position(afl_state_t *afl) {
void find_timeout(afl_state_t *afl) { void find_timeout(afl_state_t *afl) {
u8 tmp[4096] = {0}; /* Ought to be enough for anybody. */ u8 tmp[4096] = {0}; /* Ought to be enough for anybody. */
u8 *fn, *off; u8 *fn, *off;
s32 fd, i; s32 fd, i;


@ -166,8 +166,8 @@ u8 *DMS(u64 val) {
void DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) { void DTD(u8 *buf, size_t len, u64 cur_ms, u64 event_ms) {
u64 delta; u64 delta;
s32 t_d, t_h, t_m, t_s; s32 t_d, t_h, t_m, t_s;
if (!event_ms) snprintf(buf, len, "none seen yet"); if (!event_ms) snprintf(buf, len, "none seen yet");


@ -196,7 +196,8 @@ u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
u32 trim_exec = 0; u32 trim_exec = 0;
u32 orig_len = q->len; u32 orig_len = q->len;
if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; if (afl->stage_name != afl->stage_name_buf)
afl->stage_name = afl->stage_name_buf;
afl->bytes_trim_in += q->len; afl->bytes_trim_in += q->len;
/* Initialize trimming in the custom mutator */ /* Initialize trimming in the custom mutator */
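Review bot: The reflowed `if (afl->stage_name != afl->stage_name_buf)` now carries its assignment `afl->stage_name = afl->stage_name_buf;` on a separate unbraced line, turning the former single-line guard into the two-line shape where a later inserted statement silently lands outside the condition. The same shape appears in the havoc_stage/pacemaker_fuzzing section, in the sync_fuzzers and trim_case hunks, and twice in show_stats (the `!afl->force_ui_update)` / `return;` bail-out and the `afl->stats_avg_exec = cur_avg;` speed-jump reset). Since the formatter will keep splitting these, bracing is the durable fix: `if (afl->stage_name != afl->stage_name_buf) {` / `afl->stage_name = afl->stage_name_buf;` / `}`. The enclosing trim_case_custom body starts and ends outside this hunk.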


@ -1680,7 +1680,8 @@ havoc_stage:
perf_score = orig_perf; perf_score = orig_perf;
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle); snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle);
if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; if (afl->stage_name != afl->stage_name_buf)
afl->stage_name = afl->stage_name_buf;
afl->stage_short = "splice"; afl->stage_short = "splice";
afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
@ -3573,9 +3574,10 @@ pacemaker_fuzzing:
perf_score = orig_perf; perf_score = orig_perf;
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, MOpt_globals.splice_stageformat, snprintf(afl->stage_name_buf, STAGE_BUF_SIZE,
splice_cycle); MOpt_globals.splice_stageformat, splice_cycle);
if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; if (afl->stage_name != afl->stage_name_buf)
afl->stage_name = afl->stage_name_buf;
afl->stage_short = MOpt_globals.splice_stagenameshort; afl->stage_short = MOpt_globals.splice_stagenameshort;
afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
@ -3623,7 +3625,8 @@ pacemaker_fuzzing:
} else { } else {
perf_score = orig_perf; perf_score = orig_perf;
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, MOpt_globals.splice_stageformat, splice_cycle); snprintf(afl->stage_name_buf, STAGE_BUF_SIZE,
MOpt_globals.splice_stageformat, splice_cycle);
afl->stage_name = afl->stage_name_buf; afl->stage_name = afl->stage_name_buf;
afl->stage_short = MOpt_globals.splice_stagenameshort; afl->stage_short = MOpt_globals.splice_stagenameshort;
afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100; afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;


@ -254,7 +254,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
void cull_queue(afl_state_t *afl) { void cull_queue(afl_state_t *afl) {
struct queue_entry *q; struct queue_entry *q;
u8 temp_v[MAP_SIZE >> 3]; u8 temp_v[MAP_SIZE >> 3];
u32 i; u32 i;
if (afl->dumb_mode || !afl->score_changed) return; if (afl->dumb_mode || !afl->score_changed) return;


@ -38,8 +38,8 @@ u8 run_target(afl_state_t *afl, u32 timeout) {
fd_set readfds; fd_set readfds;
struct timeval it; struct timeval it;
int status = 0; int status = 0;
u32 tb4; u32 tb4;
afl->fsrv.child_timed_out = 0; afl->fsrv.child_timed_out = 0;
@ -361,7 +361,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
for (i = 0; i < MAP_SIZE; ++i) { for (i = 0; i < MAP_SIZE; ++i) {
if (!afl->var_bytes[i] && afl->first_trace[i] != afl->fsrv.trace_bits[i]) { if (!afl->var_bytes[i] &&
afl->first_trace[i] != afl->fsrv.trace_bits[i]) {
afl->var_bytes[i] = 1; afl->var_bytes[i] = 1;
afl->stage_max = CAL_CYCLES_LONG; afl->stage_max = CAL_CYCLES_LONG;
@ -500,7 +501,8 @@ void sync_fuzzers(afl_state_t *afl) {
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "sync %u", ++sync_cnt); snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "sync %u", ++sync_cnt);
if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; if (afl->stage_name != afl->stage_name_buf)
afl->stage_name = afl->stage_name_buf;
afl->stage_cur = 0; afl->stage_cur = 0;
afl->stage_max = 0; afl->stage_max = 0;
@ -607,7 +609,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
if (q->len < 5) return 0; if (q->len < 5) return 0;
if (afl->stage_name != afl->stage_name_buf) afl->stage_name = afl->stage_name_buf; if (afl->stage_name != afl->stage_name_buf)
afl->stage_name = afl->stage_name_buf;
afl->bytes_trim_in += q->len; afl->bytes_trim_in += q->len;
/* Select initial chunk len, starting with large steps. */ /* Select initial chunk len, starting with large steps. */
@ -623,7 +626,8 @@ u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
u32 remove_pos = remove_len; u32 remove_pos = remove_len;
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", DI(remove_len), DI(remove_len)); snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "trim %s/%s", DI(remove_len),
DI(remove_len));
afl->stage_cur = 0; afl->stage_cur = 0;
afl->stage_max = q->len / remove_len; afl->stage_max = q->len / remove_len;


@ -192,20 +192,22 @@ static void check_term_size(afl_state_t *afl) {
void show_stats(afl_state_t *afl) { void show_stats(afl_state_t *afl) {
double t_byte_ratio, stab_ratio; double t_byte_ratio, stab_ratio;
u64 cur_ms; u64 cur_ms;
u32 t_bytes, t_bits; u32 t_bytes, t_bits;
u32 banner_len, banner_pad; u32 banner_len, banner_pad;
u8 tmp[256]; u8 tmp[256];
u8 time_tmp[64]; u8 time_tmp[64];
cur_ms = get_cur_time(); cur_ms = get_cur_time();
/* If not enough time has passed since last UI update, bail out. */ /* If not enough time has passed since last UI update, bail out. */
if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ && !afl->force_ui_update) return; if (cur_ms - afl->stats_last_ms < 1000 / UI_TARGET_HZ &&
!afl->force_ui_update)
return;
/* Check if we're past the 10 minute mark. */ /* Check if we're past the 10 minute mark. */
@ -215,18 +217,22 @@ void show_stats(afl_state_t *afl) {
if (!afl->stats_last_execs) { if (!afl->stats_last_execs) {
afl->stats_avg_exec = ((double)afl->total_execs) * 1000 / (cur_ms - afl->start_time); afl->stats_avg_exec =
((double)afl->total_execs) * 1000 / (cur_ms - afl->start_time);
} else { } else {
double cur_avg = ((double)(afl->total_execs - afl->stats_last_execs)) * 1000 / (cur_ms - afl->stats_last_ms); double cur_avg = ((double)(afl->total_execs - afl->stats_last_execs)) *
1000 / (cur_ms - afl->stats_last_ms);
/* If there is a dramatic (5x+) jump in speed, reset the indicator /* If there is a dramatic (5x+) jump in speed, reset the indicator
more quickly. */ more quickly. */
if (cur_avg * 5 < afl->stats_avg_exec || cur_avg / 5 > afl->stats_avg_exec) afl->stats_avg_exec = cur_avg; if (cur_avg * 5 < afl->stats_avg_exec || cur_avg / 5 > afl->stats_avg_exec)
afl->stats_avg_exec = cur_avg;
afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + cur_avg * (1.0 / AVG_SMOOTHING); afl->stats_avg_exec = afl->stats_avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) +
cur_avg * (1.0 / AVG_SMOOTHING);
} }
@ -348,9 +354,9 @@ void show_stats(afl_state_t *afl) {
/* Lord, forgive me this. */ /* Lord, forgive me this. */
SAYF(SET_G1 bSTG bLT bH bSTOP cCYA SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
" process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
" overall results " bSTG bH2 bH2 bRT "\n"); " overall results " bSTG bH2 bH2 bRT "\n");
if (afl->dumb_mode) { if (afl->dumb_mode) {
@ -383,7 +389,8 @@ void show_stats(afl_state_t *afl) {
DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->start_time); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->start_time);
SAYF(bV bSTOP " run time : " cRST "%-33s " bSTG bV bSTOP SAYF(bV bSTOP " run time : " cRST "%-33s " bSTG bV bSTOP
" cycles done : %s%-5s " bSTG bV "\n", time_tmp, tmp, DI(afl->queue_cycle - 1)); " cycles done : %s%-5s " bSTG bV "\n",
time_tmp, tmp, DI(afl->queue_cycle - 1));
/* We want to warn people about not seeing new paths after a full cycle, /* We want to warn people about not seeing new paths after a full cycle,
except when resuming fuzzing or running in non-instrumented mode. */ except when resuming fuzzing or running in non-instrumented mode. */
@ -420,18 +427,20 @@ void show_stats(afl_state_t *afl) {
DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_crash_time); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_crash_time);
SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP SAYF(bV bSTOP " last uniq crash : " cRST "%-33s " bSTG bV bSTOP
" uniq crashes : %s%-6s" bSTG bV "\n", time_tmp, afl->unique_crashes ? cLRD : cRST, tmp); " uniq crashes : %s%-6s" bSTG bV "\n",
time_tmp, afl->unique_crashes ? cLRD : cRST, tmp);
sprintf(tmp, "%s%s", DI(afl->unique_hangs), sprintf(tmp, "%s%s", DI(afl->unique_hangs),
(afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_hang_time); DTD(time_tmp, sizeof(time_tmp), cur_ms, afl->last_hang_time);
SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP SAYF(bV bSTOP " last uniq hang : " cRST "%-33s " bSTG bV bSTOP
" uniq hangs : " cRST "%-6s" bSTG bV "\n", time_tmp, tmp); " uniq hangs : " cRST "%-6s" bSTG bV "\n",
time_tmp, tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
" cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA
" map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); " map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
/* This gets funny because we want to print several variable-length variables /* This gets funny because we want to print several variable-length variables
together, but then cram them into a fixed-width field - so we need to together, but then cram them into a fixed-width field - so we need to
@ -460,9 +469,9 @@ void show_stats(afl_state_t *afl) {
SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
" stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
" findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored), sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths); ((double)afl->queued_favored) * 100 / afl->queued_paths);
@ -526,13 +535,14 @@ void show_stats(afl_state_t *afl) {
} }
sprintf(tmp, "%s (%s%s unique)", DI(afl->total_tmouts), sprintf(tmp, "%s (%s%s unique)", DI(afl->total_tmouts),
DI(afl->unique_tmouts), (afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); DI(afl->unique_tmouts),
(afl->unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-22s" bSTG bV "\n", tmp); SAYF(bSTG bV bSTOP " total tmouts : " cRST "%-22s" bSTG bV "\n", tmp);
/* Aaaalmost there... hold on! */ /* Aaaalmost there... hold on! */
SAYF(bVR bH cCYA bSTOP SAYF(bVR bH cCYA bSTOP
" fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
" path geometry " bSTG bH5 bH2 bVL "\n"); " path geometry " bSTG bH5 bH2 bVL "\n");


@ -264,7 +264,7 @@ static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem,
u32 len) { u32 len) {
struct itimerval it; struct itimerval it;
int status = 0; int status = 0;
memset(fsrv->trace_bits, 0, MAP_SIZE); memset(fsrv->trace_bits, 0, MAP_SIZE);
MEM_BARRIER(); MEM_BARRIER();


@ -399,7 +399,7 @@ static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
u8 first_run) { u8 first_run) {
struct itimerval it; struct itimerval it;
int status = 0; int status = 0;
u32 cksum; u32 cksum;