Merge pull request #1383 from AFLplusplus/keep_tout
Keep timeouts option
commit
c208dcf9c5
@ -23,6 +23,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
|
|||||||
- add AFL_EARLY_FORKSERVER to install the forkserver as earliest as
|
- add AFL_EARLY_FORKSERVER to install the forkserver as earliest as
|
||||||
possible in the target (for afl-gcc-fast/afl-clang-fast/
|
possible in the target (for afl-gcc-fast/afl-clang-fast/
|
||||||
afl-clang-lto)
|
afl-clang-lto)
|
||||||
|
- "saved timeouts" was wrong information, timeouts are still thrown
|
||||||
|
away by default even if they have new coverage (hangs are always
|
||||||
|
kept), unless AFL_KEEP_TIMEOUTS are set
|
||||||
- document and auto-activate pizza mode on condition
|
- document and auto-activate pizza mode on condition
|
||||||
- afl-cc:
|
- afl-cc:
|
||||||
- converted all passed to use the new llvm pass manager for llvm 11+
|
- converted all passed to use the new llvm pass manager for llvm 11+
|
||||||
|
@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool:
|
|||||||
- Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
|
- Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
|
||||||
usually a bad idea!
|
usually a bad idea!
|
||||||
|
|
||||||
|
- Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach
|
||||||
|
new coverage
|
||||||
|
|
||||||
- `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which
|
- `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which
|
||||||
does not allow crashes or timeout seeds in the initial -i corpus.
|
does not allow crashes or timeout seeds in the initial -i corpus.
|
||||||
|
|
||||||
|
@ -911,16 +911,17 @@ normal fuzzing campaigns as these are much shorter runnings.
|
|||||||
* Keep the generated corpus, use afl-cmin and reuse it every time!
|
* Keep the generated corpus, use afl-cmin and reuse it every time!
|
||||||
|
|
||||||
2. Additionally randomize the AFL++ compilation options, e.g.:
|
2. Additionally randomize the AFL++ compilation options, e.g.:
|
||||||
* 40% for `AFL_LLVM_CMPLOG`
|
* 30% for `AFL_LLVM_CMPLOG`
|
||||||
* 10% for `AFL_LLVM_LAF_ALL`
|
* 5% for `AFL_LLVM_LAF_ALL`
|
||||||
|
|
||||||
3. Also randomize the afl-fuzz runtime options, e.g.:
|
3. Also randomize the afl-fuzz runtime options, e.g.:
|
||||||
* 65% for `AFL_DISABLE_TRIM`
|
* 65% for `AFL_DISABLE_TRIM`
|
||||||
|
* 50% for `AFL_KEEP_TIMEOUTS`
|
||||||
* 50% use a dictionary generated by `AFL_LLVM_DICT2FILE`
|
* 50% use a dictionary generated by `AFL_LLVM_DICT2FILE`
|
||||||
* 40% use MOpt (`-L 0`)
|
* 40% use MOpt (`-L 0`)
|
||||||
* 40% for `AFL_EXPAND_HAVOC_NOW`
|
* 40% for `AFL_EXPAND_HAVOC_NOW`
|
||||||
* 20% for old queue processing (`-Z`)
|
* 20% for old queue processing (`-Z`)
|
||||||
* for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3`
|
* for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT`
|
||||||
|
|
||||||
4. Do *not* run any `-M` modes, just running `-S` modes is better for CI
|
4. Do *not* run any `-M` modes, just running `-S` modes is better for CI
|
||||||
fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing
|
fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing
|
||||||
|
@ -385,7 +385,7 @@ typedef struct afl_env_vars {
|
|||||||
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
|
afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
|
||||||
afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
|
afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
|
||||||
afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
|
afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
|
||||||
afl_pizza_mode;
|
afl_keep_timeouts, afl_pizza_mode;
|
||||||
|
|
||||||
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
|
u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
|
||||||
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
|
*afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
|
||||||
|
@ -106,6 +106,7 @@ static char *afl_environment_variables[] = {
|
|||||||
"AFL_INPUT_LEN_MAX",
|
"AFL_INPUT_LEN_MAX",
|
||||||
"AFL_INST_LIBS",
|
"AFL_INST_LIBS",
|
||||||
"AFL_INST_RATIO",
|
"AFL_INST_RATIO",
|
||||||
|
"AFL_KEEP_TIMEOUTS",
|
||||||
"AFL_KILL_SIGNAL",
|
"AFL_KILL_SIGNAL",
|
||||||
"AFL_KEEP_TRACES",
|
"AFL_KEEP_TRACES",
|
||||||
"AFL_KEEP_ASSEMBLY",
|
"AFL_KEEP_ASSEMBLY",
|
||||||
|
@ -292,6 +292,15 @@ void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) {
|
|||||||
|
|
||||||
u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
|
u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
|
||||||
|
|
||||||
|
u8 is_timeout = 0;
|
||||||
|
|
||||||
|
if (new_bits & 0xf0) {
|
||||||
|
|
||||||
|
new_bits -= 0x80;
|
||||||
|
is_timeout = 1;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
size_t real_max_len =
|
size_t real_max_len =
|
||||||
MIN(max_description_len, sizeof(afl->describe_op_buf_256));
|
MIN(max_description_len, sizeof(afl->describe_op_buf_256));
|
||||||
u8 *ret = afl->describe_op_buf_256;
|
u8 *ret = afl->describe_op_buf_256;
|
||||||
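Review bot: The new timeout-flag decode at the top of describe_op tests one set of bits and clears another: `if (new_bits & 0xf0)` enters for any of bits 0x10–0x80, but the body only does `new_bits -= 0x80;`, so a value with e.g. 0x40 set would be treated as a timeout and decoded into a wrong level, and the subtraction silently relies on the caller (which passes `new_bits + is_timeout` with `is_timeout` being 0 or 0x80) never producing a low nibble above 0x0f. I would test and clear the same bit, `if (new_bits & 0x80) { new_bits &= 0x7f; is_timeout = 1; }`, and give the marker one named constant shared by describe_op and save_if_interesting instead of the bare 0x80 in both places. The parameter itself deserves a comment above the signature, e.g. `/* new_bits: coverage level (0-2); bit 0x80 set marks a kept timeout */`, since the u8 is now overloaded. describe_op's body continues past this hunk.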
@ -325,6 +334,7 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
|
|||||||
ret[len_current] = '\0';
|
ret[len_current] = '\0';
|
||||||
|
|
||||||
ssize_t size_left = real_max_len - len_current - strlen(",+cov") - 2;
|
ssize_t size_left = real_max_len - len_current - strlen(",+cov") - 2;
|
||||||
|
if (is_timeout) { size_left -= strlen(",+tout"); }
|
||||||
if (unlikely(size_left <= 0)) FATAL("filename got too long");
|
if (unlikely(size_left <= 0)) FATAL("filename got too long");
|
||||||
|
|
||||||
const char *custom_description =
|
const char *custom_description =
|
||||||
@ -370,6 +380,8 @@ u8 *describe_op(afl_state_t *afl, u8 new_bits, size_t max_description_len) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (is_timeout) { strcat(ret, ",+tout"); }
|
||||||
|
|
||||||
if (new_bits == 2) { strcat(ret, ",+cov"); }
|
if (new_bits == 2) { strcat(ret, ",+cov"); }
|
||||||
|
|
||||||
if (unlikely(strlen(ret) >= max_description_len))
|
if (unlikely(strlen(ret) >= max_description_len))
|
||||||
@ -447,7 +459,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
|
|||||||
|
|
||||||
u8 fn[PATH_MAX];
|
u8 fn[PATH_MAX];
|
||||||
u8 *queue_fn = "";
|
u8 *queue_fn = "";
|
||||||
u8 new_bits = 0, keeping = 0, res, classified = 0;
|
u8 new_bits = 0, keeping = 0, res, classified = 0, is_timeout = 0;
|
||||||
s32 fd;
|
s32 fd;
|
||||||
u64 cksum = 0;
|
u64 cksum = 0;
|
||||||
|
|
||||||
@ -481,11 +493,14 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
|
|||||||
|
|
||||||
classified = new_bits;
|
classified = new_bits;
|
||||||
|
|
||||||
|
save_to_queue:
|
||||||
|
|
||||||
#ifndef SIMPLE_FILES
|
#ifndef SIMPLE_FILES
|
||||||
|
|
||||||
queue_fn = alloc_printf(
|
queue_fn =
|
||||||
"%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items,
|
alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_items,
|
||||||
describe_op(afl, new_bits, NAME_MAX - strlen("id:000000,")));
|
describe_op(afl, new_bits + is_timeout,
|
||||||
|
NAME_MAX - strlen("id:000000,")));
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
@ -596,7 +611,7 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
++afl->saved_tmouts;
|
is_timeout = 0x80;
|
||||||
#ifdef INTROSPECTION
|
#ifdef INTROSPECTION
|
||||||
if (afl->custom_mutators_count && afl->current_custom_fuzz) {
|
if (afl->custom_mutators_count && afl->current_custom_fuzz) {
|
||||||
|
|
||||||
@ -647,7 +662,20 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) { return keeping; }
|
if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT) {
|
||||||
|
|
||||||
|
if (afl->afl_env.afl_keep_timeouts) {
|
||||||
|
|
||||||
|
++afl->saved_tmouts;
|
||||||
|
goto save_to_queue;
|
||||||
|
|
||||||
|
} else {
|
||||||
|
|
||||||
|
return keeping;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
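Review bot: With AFL_KEEP_TIMEOUTS set, the new branch under `if (afl->stop_soon || new_fault != FSRV_RUN_TMOUT)` also queues the input when `stop_soon` is set, i.e. when the longer-timeout re-run was interrupted and `new_fault` is not a meaningful verdict; before this change that case returned without saving. I would test the abort first, `if (afl->stop_soon) { return keeping; }`, and only then `if (new_fault != FSRV_RUN_TMOUT) { ... goto save_to_queue ... }`. Separately, `goto save_to_queue` jumps from the timeout handling into the block that contains the label (it sits right after `classified = new_bits;`), skipping whatever computes `new_bits`, so on this path `new_bits` is presumably still 0 — the entry is named `+tout` without `+cov` and any bookkeeping after the label that keys on `new_bits` (outside the hunk) should be checked; a one-line comment at the goto saying the "new coverage" that justified keeping it came from the timeout bitmap rather than virgin_bits would help the next reader. The enclosing save_if_interesting begins before the first hunk and the code after the label is not in view.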
@ -222,6 +222,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
|
|||||||
afl->afl_env.afl_hang_tmout =
|
afl->afl_env.afl_hang_tmout =
|
||||||
(u8 *)get_afl_env(afl_environment_variables[i]);
|
(u8 *)get_afl_env(afl_environment_variables[i]);
|
||||||
|
|
||||||
|
} else if (!strncmp(env, "AFL_KEEP_TIMEOUTS",
|
||||||
|
|
||||||
|
afl_environment_variable_len)) {
|
||||||
|
|
||||||
|
afl->afl_env.afl_keep_timeouts =
|
||||||
|
get_afl_env(afl_environment_variables[i]) ? 1 : 0;
|
||||||
|
|
||||||
} else if (!strncmp(env, "AFL_SKIP_BIN_CHECK",
|
} else if (!strncmp(env, "AFL_SKIP_BIN_CHECK",
|
||||||
|
|
||||||
afl_environment_variable_len)) {
|
afl_environment_variable_len)) {
|
||||||
|
@ -1 +1 @@
|
|||||||
Subproject commit a44fa94488d01aba60401ccf81f8bebcce685bf2
|
Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
|