This commit is contained in:
hexcoder- 2020-04-04 00:17:31 +02:00
commit b9851cdabe
9 changed files with 55 additions and 30 deletions


@ -183,8 +183,6 @@ endif
all: test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done all: test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done
man: $(MANPAGES) man: $(MANPAGES)
-$(MAKE) -C llvm_mode
-$(MAKE) -C gcc_plugin
tests: source-only tests: source-only
@cd test ; ./test.sh @cd test ; ./test.sh
@ -339,7 +337,10 @@ unit_preallocable: test/unittests/unit_preallocable.o
$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka $(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
./test/unittests/unit_preallocable ./test/unittests/unit_preallocable
unit: unit_maybe_alloc unit_preallocable unit_list unit_clean:
@rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o
unit: unit_maybe_alloc unit_preallocable unit_list unit_clean
code-format: code-format:
./.custom-format.py -i src/*.c ./.custom-format.py -i src/*.c
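Review bot: `unit: unit_maybe_alloc unit_preallocable unit_list unit_clean` relies on prerequisite order, which GNU make does not guarantee under `-j`, so `unit_clean` may remove the test binaries and objects before or while `unit_preallocable` is still building and running them. Make the ordering explicit by giving `unit_clean` the three test targets as prerequisites, `unit_clean: unit_maybe_alloc unit_preallocable unit_list`, or move the `rm -f` into the recipe of `unit` itself. If `unit_clean` is not listed in the file's `.PHONY` declaration (not visible in this hunk), add it, since a stray file named `unit_clean` would otherwise make the target look up to date and skip the cleanup.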

TODO.md

@ -2,7 +2,16 @@
## Roadmap 2.63 ## Roadmap 2.63
- get "no global vars" working - complete custom_mutator API changes and documentation
- fix stability calculation bug
- libradamsa as a custom module?
## Roadmap 2.64
- context sensitive branch coverage in llvm_mode
- random crc32 HASH_CONST per run? because with 65536 paths we have collisions
## Further down the road ## Further down the road


@ -400,6 +400,8 @@ directory. This includes:
- `exec_timeout` - the -t command line value - `exec_timeout` - the -t command line value
- `slowest_exec_ms` - real time of the slowest execution in ms - `slowest_exec_ms` - real time of the slowest execution in ms
- `peak_rss_mb` - max rss usage reached during fuzzing in MB - `peak_rss_mb` - max rss usage reached during fuzzing in MB
- `edges_found` - how many edges have been found
- `var_byte_count` - how many edges are non-deterministic
- `afl_banner` - banner text (e.g. the target name) - `afl_banner` - banner text (e.g. the target name)
- `afl_version` - the version of afl used - `afl_version` - the version of afl used
- `target_mode` - default, persistent, qemu, unicorn, dumb - `target_mode` - default, persistent, qemu, unicorn, dumb


@ -20,3 +20,9 @@ common.py - this can be used for common functions and helpers.
wrapper_afl_min.py - mutation of XML documents, loads XmlMutatorMin.py wrapper_afl_min.py - mutation of XML documents, loads XmlMutatorMin.py
XmlMutatorMin.py - module for XML mutation XmlMutatorMin.py - module for XML mutation
custom_mutator_helpers.h is an header that defines some helper routines
like surgical_havoc_mutate() that allow to perform a randomly chosen
mutation from a subset of the havoc mutations.
If you do so, you have to specify -I /path/to/AFLplusplus/include when
compiling.


@ -177,8 +177,6 @@ u32 count_bits(u8 *mem) {
} }
#define FF(_b) (0xff << ((_b) << 3))
/* Count the number of bytes set in the bitmap. Called fairly sporadically, /* Count the number of bytes set in the bitmap. Called fairly sporadically,
mostly to update the status screen or calibrate and examine confirmed mostly to update the status screen or calibrate and examine confirmed
new paths. */ new paths. */
@ -194,10 +192,10 @@ u32 count_bytes(u8 *mem) {
u32 v = *(ptr++); u32 v = *(ptr++);
if (!v) continue; if (!v) continue;
if (v & FF(0)) ++ret; if (v & 0x000000ff) ++ret;
if (v & FF(1)) ++ret; if (v & 0x0000ff00) ++ret;
if (v & FF(2)) ++ret; if (v & 0x00ff0000) ++ret;
if (v & FF(3)) ++ret; if (v & 0xff000000) ++ret;
} }
@ -222,10 +220,10 @@ u32 count_non_255_bytes(u8 *mem) {
case. */ case. */
if (v == 0xffffffff) continue; if (v == 0xffffffff) continue;
if ((v & FF(0)) != FF(0)) ++ret; if ((v & 0x000000ff) != 0x000000ff) ++ret;
if ((v & FF(1)) != FF(1)) ++ret; if ((v & 0x0000ff00) != 0x0000ff00) ++ret;
if ((v & FF(2)) != FF(2)) ++ret; if ((v & 0x00ff0000) != 0x00ff0000) ++ret;
if ((v & FF(3)) != FF(3)) ++ret; if ((v & 0xff000000) != 0xff000000) ++ret;
} }
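Review bot: The four per-byte tests in count_bytes and count_non_255_bytes now use bare hex masks with no name attached, so a reader has to work out that each mask selects one byte of the u32 word the loop reads. A one-line comment above the first test in each function would keep the intent the removed `FF()` macro carried, e.g. `/* test each of the four bytes packed in v separately */`. Both enclosing functions start outside the hunks shown.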


@ -186,7 +186,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u64 fav_factor; u64 fav_factor;
u64 fuzz_p2 = next_pow2(q->n_fuzz); u64 fuzz_p2 = next_pow2(q->n_fuzz);
if (afl->schedule == MMOPT || afl->schedule == RARE) if (afl->schedule == MMOPT || afl->schedule == RARE ||
unlikely(afl->fixed_seed))
fav_factor = q->len << 2; fav_factor = q->len << 2;
else else
fav_factor = q->exec_us * q->len; fav_factor = q->exec_us * q->len;
@ -203,7 +204,8 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u64 top_rated_fav_factor; u64 top_rated_fav_factor;
u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz); u64 top_rated_fuzz_p2 = next_pow2(afl->top_rated[i]->n_fuzz);
if (afl->schedule == MMOPT || afl->schedule == RARE) if (afl->schedule == MMOPT || afl->schedule == RARE ||
unlikely(afl->fixed_seed))
top_rated_fav_factor = afl->top_rated[i]->len << 2; top_rated_fav_factor = afl->top_rated[i]->len << 2;
else else
top_rated_fav_factor = top_rated_fav_factor =
@ -214,9 +216,18 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
else if (fuzz_p2 == top_rated_fuzz_p2) else if (fuzz_p2 == top_rated_fuzz_p2)
if (fav_factor > top_rated_fav_factor) continue; if (fav_factor > top_rated_fav_factor) continue;
if (afl->schedule == MMOPT || afl->schedule == RARE ||
unlikely(afl->fixed_seed)) {
if (fav_factor > afl->top_rated[i]->len << 2) continue;
} else {
if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len) if (fav_factor > afl->top_rated[i]->exec_us * afl->top_rated[i]->len)
continue; continue;
}
/* Looks like we're going to win. Decrease ref count for the /* Looks like we're going to win. Decrease ref count for the
previous winner, discard its afl->fsrv.trace_bits[] if necessary. */ previous winner, discard its afl->fsrv.trace_bits[] if necessary. */
@ -330,7 +341,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
// Longer execution time means longer work on the input, the deeper in // Longer execution time means longer work on the input, the deeper in
// coverage, the better the fuzzing, right? -mh // coverage, the better the fuzzing, right? -mh
if (afl->schedule != MMOPT && afl->schedule != RARE) { if (afl->schedule != MMOPT && afl->schedule != RARE &&
likely(!afl->fixed_seed)) {
if (q->exec_us * 0.1 > avg_exec_us) if (q->exec_us * 0.1 > avg_exec_us)
perf_score = 10; perf_score = 10;
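Review bot: The predicate `afl->schedule == MMOPT || afl->schedule == RARE || unlikely(afl->fixed_seed)` is now written out three times in update_bitmap_score and once more, negated, in calculate_score; a single helper such as `static inline u8 fav_by_len(const afl_state_t *afl)` (or a macro) would keep the four sites in sync when the next schedule or mode is added. At the new fixed_seed branch, `if (fav_factor > afl->top_rated[i]->len << 2) continue;` is correct only because `<<` binds tighter than `>`; writing `(afl->top_rated[i]->len << 2)` matches how `fav_factor = q->len << 2;` is computed above and saves the reader a precedence check. Both functions start and end outside the hunks shown.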


@ -354,17 +354,14 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
for (i = 0; i < MAP_SIZE; ++i) { for (i = 0; i < MAP_SIZE; ++i) {
if (!afl->var_bytes[i] && if (unlikely(!afl->var_bytes[i]) &&
afl->first_trace[i] != afl->fsrv.trace_bits[i]) { unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i]))
afl->var_bytes[i] = 1; afl->var_bytes[i] = 1;
afl->stage_max = CAL_CYCLES_LONG;
}
} }
var_detected = 1; var_detected = 1;
afl->stage_max = CAL_CYCLES_LONG;
} else { } else {
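Review bot: `unlikely(!afl->var_bytes[i])` on the new side appears to invert the branch hint: var_bytes[] is presumably sparse (only bytes already found to be variable are set), so `!afl->var_bytes[i]` holds for most of the MAP_SIZE iterations and marking it unlikely pessimises the common path; keep the hint on the trace comparison only, `if (!afl->var_bytes[i] && unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i]))`. Moving `afl->stage_max = CAL_CYCLES_LONG;` out of the loop also changes when it fires: it is now set on every checksum mismatch, including ones where each differing byte was already marked variable, where the old code left stage_max alone; if that is intended, a comment such as `/* any instability, new or already known, gets the long calibration */` would record it. calibrate_case begins and ends outside the hunk.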


@ -98,8 +98,8 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
"exec_timeout : %u\n" "exec_timeout : %u\n"
"slowest_exec_ms : %u\n" "slowest_exec_ms : %u\n"
"peak_rss_mb : %lu\n" "peak_rss_mb : %lu\n"
"edges_found : %u\n"
"var_byte_count : %u\n" "var_byte_count : %u\n"
"found_edges : %u\n"
"afl_banner : %s\n" "afl_banner : %s\n"
"afl_version : " VERSION "afl_version : " VERSION
"\n" "\n"
@ -122,7 +122,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
#else #else
(unsigned long int)(rus.ru_maxrss >> 10), (unsigned long int)(rus.ru_maxrss >> 10),
#endif #endif
afl->var_byte_count, t_bytes, afl->use_banner, t_bytes, afl->var_byte_count, afl->use_banner,
afl->unicorn_mode ? "unicorn" : "", afl->qemu_mode ? "qemu " : "", afl->unicorn_mode ? "unicorn" : "", afl->qemu_mode ? "qemu " : "",
afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "", afl->dumb_mode ? " dumb " : "", afl->no_forkserver ? "no_fsrv " : "",
afl->crash_mode ? "crash " : "", afl->crash_mode ? "crash " : "",
@ -260,8 +260,8 @@ void show_stats(afl_state_t *afl) {
t_bytes = count_non_255_bytes(afl->virgin_bits); t_bytes = count_non_255_bytes(afl->virgin_bits);
t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE;
if (t_bytes) if (likely(t_bytes) && unlikely(afl->var_byte_count))
stab_ratio = 100 - (((double)afl->var_byte_count) * 100) / t_bytes; stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes);
else else
stab_ratio = 100; stab_ratio = 100;
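Review bot: Renaming the fuzzer_stats key `found_edges` to `edges_found` (the new `"edges_found : %u\n"` line in write_stats_file, with the argument order swapped to match) changes an on-disk format that other tools may read; if anything outside this file parses `found_edges`, it will silently stop seeing the value, so the rename deserves a changelog entry or a release of emitting both keys. The new `unlikely(afl->var_byte_count)` guard in show_stats is safe because the else branch yields the same 100 the formula gives for a zero count, but a short comment such as `/* no variable bytes: fully stable */` would make that equivalence explicit. Both functions start outside the hunks shown.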


@ -90,7 +90,7 @@ static void test_long_list(void **state) {
LIST_FOREACH(&testlist, u32, { LIST_FOREACH(&testlist, u32, {
result1 += *el; result1 += *el;
}); });
printf("removing %d\n", vals[50]); //printf("removing %d\n", vals[50]);
list_remove(&testlist, &vals[50]); list_remove(&testlist, &vals[50]);
LIST_FOREACH(&testlist, u32, { LIST_FOREACH(&testlist, u32, {
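Review bot: The `//printf("removing %d\n", vals[50]);` left on the new side is commented-out code rather than a removed line; either delete it or keep it behind a debug flag, since dead lines in a test tend to accumulate and mislead. test_long_list starts and ends outside the hunk.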