From dc0369eb10a92edd62ca2f0a473920ec36dfea53 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Thu, 2 Apr 2020 22:14:39 +0200 Subject: [PATCH 1/7] fix make install regarding MANPAGES target --- GNUmakefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index 1409b428..c03d635c 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -183,8 +183,6 @@ endif all: test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done man: $(MANPAGES) - -$(MAKE) -C llvm_mode - -$(MAKE) -C gcc_plugin tests: source-only @cd test ; ./test.sh From 97cae2df9975589eb05a543f92c6ba232242fd7b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 2 Apr 2020 23:33:55 +0200 Subject: [PATCH 2/7] no random timing for -s fixed_seed --- src/afl-fuzz-queue.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 61bf62f5..92cbab6f 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -186,7 +186,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u64 fav_factor; u64 fuzz_p2 = next_pow2(q->n_fuzz); - if (afl->schedule == MMOPT || afl->schedule == RARE) + if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)) fav_factor = q->len << 2; else fav_factor = q->exec_us * q->len; @@ -203,7 +203,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u64 top_rated_fav_factor; u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz); - if (afl->schedule == MMOPT || afl->schedule == RARE) + if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)) top_rated_fav_factor = afl->top_rated[i]->len << 2; else top_rated_fav_factor = 
@@ -214,8 +214,17 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { else if (fuzz_p2 == top_rated_fuzz_p2) if (fav_factor > top_rated_fav_factor) continue; - if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len) - continue; + if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)) { + + if (fav_factor > afl->top_rated[i]->len << 2) + continue; + + } else { + + if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len) + continue; + + } /* Looks like we're going to win. Decrease ref count for the previous winner, discard its afl->fsrv.trace_bits[] if necessary. */ @@ -330,7 +339,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { // Longer execution time means longer work on the input, the deeper in // coverage, the better the fuzzing, right? -mh - if (afl->schedule != MMOPT && afl->schedule != RARE) { + if (afl->schedule != MMOPT && afl->schedule != RARE && likely(!afl->fixed_seed)) { if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; From ffb4767fc1adf2383173e5655d4f1fcf7e0982b6 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Fri, 3 Apr 2020 09:39:09 +0200 Subject: [PATCH 3/7] custom mutator readme --- examples/custom_mutators/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/examples/custom_mutators/README.md b/examples/custom_mutators/README.md index 93f824cd..32acbd30 100644 --- a/examples/custom_mutators/README.md +++ b/examples/custom_mutators/README.md @@ -20,3 +20,9 @@ common.py - this can be used for common functions and helpers. wrapper_afl_min.py - mutation of XML documents, loads XmlMutatorMin.py XmlMutatorMin.py - module for XML mutation + +custom_mutator_helpers.h is an header that defines some helper routines +like surgical_havoc_mutate() that allow to perform a randomly chosen +mutation from a subset of the havoc mutations. +If you do so, you have to specify -I /path/to/AFLplusplus/include when +compiling. 
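Review bot: The eleven new lines recompute a value that appears to be already available as `top_rated_fav_factor`, assigned a few lines earlier under the identical `MMOPT || RARE || fixed_seed` condition and still in scope (the context line just above uses it), so the whole added block reduces to `if (fav_factor > top_rated_fav_factor) continue;`. Keeping two copies of the favor-factor rule invites them to drift apart the next time a schedule is added to the list. The same duplicated block is only reformatted in the later "code format, small improvements" commit (hunk `@@ -214,16 +216,16 @@`) and would shrink there in the same way. update_bitmap_score's body continues outside the hunk on both sides.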
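Review bot: The new `likely(!afl->fixed_seed)` term in calculate_score carries no explanation of why a fixed seed should switch off the execution-time weighting; the commit title ("no random timing for -s fixed_seed") suggests the intent is that exec_us is nondeterministic between runs and would make a seeded run non-reproducible, but a reader of the code cannot recover that. A comment above the condition would keep it in the file: `/* -s fixed_seed: exec_us varies from run to run, so leave it out of the score to keep runs reproducible */`. The same rationale applies to the two fav_factor changes in update_bitmap_score earlier in this patch. calculate_score continues outside the hunk.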
From 5340f2f2eba643d43311eba207e8185723dd2f06 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 3 Apr 2020 10:31:37 +0200 Subject: [PATCH 4/7] code format, small improvements --- docs/status_screen.md | 2 ++ src/afl-fuzz-bitmap.c | 18 ++++++++---------- src/afl-fuzz-queue.c | 19 +++++++++++-------- src/afl-fuzz-run.c | 9 +++------ src/afl-fuzz-stats.c | 8 ++++---- 5 files changed, 28 insertions(+), 28 deletions(-) diff --git a/docs/status_screen.md b/docs/status_screen.md index 8b3d5bda..a66558b9 100644 --- a/docs/status_screen.md +++ b/docs/status_screen.md @@ -400,6 +400,8 @@ directory. This includes: - `exec_timeout` - the -t command line value - `slowest_exec_ms` - real time of the slowest execution in ms - `peak_rss_mb` - max rss usage reached during fuzzing in MB + - `edges_found` - how many edges have been found + - `var_byte_count` - how many edges are non-deterministic - `afl_banner` - banner text (e.g. the target name) - `afl_version` - the version of afl used - `target_mode` - default, persistent, qemu, unicorn, dumb diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index 8ca286b2..63c3a2c2 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -177,8 +177,6 @@ u32 count_bits(u8 *mem) { } -#define FF(_b) (0xff << ((_b) << 3)) - /* Count the number of bytes set in the bitmap. Called fairly sporadically, mostly to update the status screen or calibrate and examine confirmed new paths. */ @@ -194,10 +192,10 @@ u32 count_bytes(u8 *mem) { u32 v = *(ptr++); if (!v) continue; - if (v & FF(0)) ++ret; - if (v & FF(1)) ++ret; - if (v & FF(2)) ++ret; - if (v & FF(3)) ++ret; + if (v & 0x000000ff) ++ret; + if (v & 0x0000ff00) ++ret; + if (v & 0x00ff0000) ++ret; + if (v & 0xff000000) ++ret; } 
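Review bot: Nothing in count_bytes records why the `FF()` macro was replaced by spelled-out masks, so a later cleanup may well reintroduce it; the macro's `0xff << 24` left-shifts an `int` into a value it cannot represent, which is undefined behaviour in C11 (6.5.7p4), whereas the literal `0xff000000` is simply an unsigned constant. A one-line comment above the four tests would preserve that: `/* masks written out: 0xff << 24 would overflow a signed int */`. The identical rewrite in count_non_255_bytes (hunk `@@ -222,10 +220,10 @@`) deserves the same comment. count_bytes continues outside the hunk on both sides.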
@@ -222,10 +220,10 @@ u32 count_non_255_bytes(u8 *mem) { case. */ if (v == 0xffffffff) continue; - if ((v & FF(0)) != FF(0)) ++ret; - if ((v & FF(1)) != FF(1)) ++ret; - if ((v & FF(2)) != FF(2)) ++ret; - if ((v & FF(3)) != FF(3)) ++ret; + if ((v & 0x000000ff) != 0x000000ff) ++ret; + if ((v & 0x0000ff00) != 0x0000ff00) ++ret; + if ((v & 0x00ff0000) != 0x00ff0000) ++ret; + if ((v & 0xff000000) != 0xff000000) ++ret; } diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 92cbab6f..6c687ae4 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -186,7 +186,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u64 fav_factor; u64 fuzz_p2 = next_pow2(q->n_fuzz); - if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)) + if (afl->schedule == MMOPT || afl->schedule == RARE || + unlikely(afl->fixed_seed)) fav_factor = q->len << 2; else fav_factor = q->exec_us * q->len; @@ -203,7 +204,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { u64 top_rated_fav_factor; u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz); - if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)) + if (afl->schedule == MMOPT || afl->schedule == RARE || + unlikely(afl->fixed_seed)) top_rated_fav_factor = afl->top_rated[i]->len << 2; else top_rated_fav_factor = 
@@ -214,16 +216,16 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) { else if (fuzz_p2 == top_rated_fuzz_p2) if (fav_factor > top_rated_fav_factor) continue; - if (afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)) { + if (afl->schedule == MMOPT || afl->schedule == RARE || + unlikely(afl->fixed_seed)) { - if (fav_factor > afl->top_rated[i]->len << 2) - continue; + if (fav_factor > afl->top_rated[i]->len << 2) continue; - } else { + } else { if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len) continue; - + } /* Looks like we're going to win. Decrease ref count for the @@ -339,7 +341,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { // Longer execution time means longer work on the input, the deeper in // coverage, the better the fuzzing, right? -mh - if (afl->schedule != MMOPT && afl->schedule != RARE && likely(!afl->fixed_seed)) { + if (afl->schedule != MMOPT && afl->schedule != RARE && + likely(!afl->fixed_seed)) { if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c index 5875eb68..47f6e9d9 100644 --- a/src/afl-fuzz-run.c +++ b/src/afl-fuzz-run.c @@ -354,17 +354,14 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem, for (i = 0; i < MAP_SIZE; ++i) { - if (!afl->var_bytes[i] && - afl->first_trace[i] != afl->fsrv.trace_bits[i]) { - + if (unlikely(!afl->var_bytes[i]) && + unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i])) afl->var_bytes[i] = 1; - afl->stage_max = CAL_CYCLES_LONG; - - } } var_detected = 1; + afl->stage_max = CAL_CYCLES_LONG; } else { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 77bbe023..d9f8c99c 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c 
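Review bot: `unlikely(!afl->var_bytes[i])` hints the wrong way: var_bytes entries are only set to 1 on a trace mismatch, so in a MAP_SIZE-wide scan `!afl->var_bytes[i]` is presumably the common case and only the mismatch test on the following line is rare; the first `unlikely()` should go, or the operands be reordered, e.g. `if (unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i]) && !afl->var_bytes[i])`. Moving `afl->stage_max = CAL_CYCLES_LONG;` out of the loop also changes behaviour slightly — it now runs whenever this branch is entered, even when every differing byte was already marked variable — which the commit message ("code format, small improvements") does not mention; if intended, a short comment at the new line such as `/* any trace difference extends calibration, not only newly found var bytes */` would make that explicit. The enclosing branch of calibrate_case starts and ends outside the hunk.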
@@ -98,8 +98,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, "exec_timeout : %u\n" "slowest_exec_ms : %u\n" "peak_rss_mb : %lu\n" + "edges_found : %u\n" "var_byte_count : %u\n" - "found_edges : %u\n" "afl_banner : %s\n" "afl_version : " VERSION "\n" @@ -122,7 +122,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability, #else (unsigned long int)(rus.ru_maxrss >> 10), #endif - afl->var_byte_count, t_bytes, afl->use_banner, + t_bytes, afl->var_byte_count, afl->use_banner, afl->unicorn_mode ? "unicorn" : "", afl->qemu_mode ? "qemu " : "", afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "", afl->crash_mode ? "crash " : "", @@ -260,8 +260,8 @@ void show_stats(afl_state_t *afl) { t_bytes = count_non_255_bytes(afl->virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; - if (t_bytes) - stab_ratio = 100 - (((double)afl->var_byte_count) * 100) / t_bytes; + if (likely(t_bytes) && unlikely(afl->var_byte_count)) + stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes); else stab_ratio = 100; From 3f2859ec1623b772bd5df39274946cfcc3c29e00 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 3 Apr 2020 10:43:52 +0200 Subject: [PATCH 5/7] unit tests cleaning --- GNUmakefile | 5 ++++- test/unittests/unit_list.c | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/GNUmakefile b/GNUmakefile index c03d635c..ff27e125 100644 --- a/GNUmakefile +++ b/GNUmakefile 
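Review bot: The added `"edges_found : %u\n"` line together with the removed `"found_edges : %u\n"` renames a key in the fuzzer_stats file, and any consumer that still looks for `found_edges` would silently stop finding the value. The docs hunk in status_screen.md lists the new name, but nothing records that the old one existed, so a changelog entry (or a transitional duplicate key for one release) would be worth adding. The reordered argument list in hunk `@@ -122,7 +122,7 @@` (`t_bytes, afl->var_byte_count`) matches the new format-string order, so the two hunks are consistent with each other. write_stats_file's format string starts and ends outside the hunk.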
@@ -337,7 +337,10 @@ unit_preallocable: test/unittests/unit_preallocable.o $(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka ./test/unittests/unit_preallocable -unit: unit_maybe_alloc unit_preallocable unit_list +unit_clean: + @rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o + +unit: unit_maybe_alloc unit_preallocable unit_list unit_clean code-format: ./.custom-format.py -i src/*.c diff --git a/test/unittests/unit_list.c b/test/unittests/unit_list.c index 03217112..11d3227c 100644 --- a/test/unittests/unit_list.c +++ b/test/unittests/unit_list.c @@ -90,7 +90,7 @@ static void test_long_list(void **state) { LIST_FOREACH(&testlist, u32, { result1 += *el; }); - printf("removing %d\n", vals[50]); + //printf("removing %d\n", vals[50]); list_remove(&testlist, &vals[50]); LIST_FOREACH(&testlist, u32, { From 6b5d5b11b0ecaeb018070f39174b1d001aa0cb4d Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 3 Apr 2020 14:00:29 +0200 Subject: [PATCH 6/7] update todo --- TODO.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/TODO.md b/TODO.md index 1a34fba4..569735fe 100644 --- a/TODO.md +++ b/TODO.md @@ -2,7 +2,15 @@ ## Roadmap 2.63 - - get "no global vars" working + - complete custom_mutator API changes and documentation + - fix stability calculation bug + - libradamsa as a custom module? + + +## Roadmap 2.64 + + - context sensitive branch coverage in llvm_mode + ## Further down the road From 064131887b73f59b1512ab898d5fb3f7d3b700c4 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Fri, 3 Apr 2020 14:17:31 +0200 Subject: [PATCH 7/7] update todo --- TODO.md | 1 + 1 file changed, 1 insertion(+) diff --git a/TODO.md b/TODO.md index 569735fe..91297332 100644 --- a/TODO.md +++ b/TODO.md 
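Review bot: `unit: unit_maybe_alloc unit_preallocable unit_list unit_clean` relies on prerequisite order to run the cleanup last, but make gives no such guarantee under `-j`, where `unit_clean` can remove `test/unittests/*.o` and the test binaries while the other three prerequisites are still being built or executed. Stating the dependency makes it safe: `unit_clean: unit_maybe_alloc unit_preallocable unit_list` on the rule that carries the `rm -f` recipe, and `unit: unit_clean` for the aggregate target. The test binaries are also removed after a successful run only, since a failing test stops make before `unit_clean` — worth a short comment on the rule if that is intended.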
@@ -10,6 +10,7 @@ ## Roadmap 2.64 - context sensitive branch coverage in llvm_mode + - random crc32 HASH_CONST per run? because with 65536 paths we have collisions ## Further down the road