make afl-cmin actually work with subdirectories

2025-06-08 16:21:32 +00:00 · 2021-06-16 13:03:42 +02:00 · 2021-06-16 13:03:42 +02:00 · c46f8c1f70
commit c46f8c1f70
parent a6c0b5f766
4 changed files with 54 additions and 42 deletions
--- a/42
+++ b/42
@ -296,13 +296,13 @@ BEGIN {
    exit 1
  }
-  if (0 == system( "test -d "in_dir"/default" )) {
+  #if (0 == system( "test -d "in_dir"/default" )) {
-    in_dir = in_dir "/default"
+  #  in_dir = in_dir "/default"
-  }
+  #}
-
+  #
-  if (0 == system( "test -d "in_dir"/queue" )) {
+  #if (0 == system( "test -d "in_dir"/queue" )) {
-    in_dir = in_dir "/queue"
+  #  in_dir = in_dir "/queue"
-  }
+  #}
  system("rm -rf "trace_dir" 2>/dev/null");
  system("rm "out_dir"/id[:_]* 2>/dev/null")
@ -355,30 +355,35 @@ BEGIN {
  } else {
    stat_format = "-f '%z %N'" # *BSD, MacOS
  }
-  cmdline = "(cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r)"
+  cmdline = "(cd "in_dir" && find . \\( ! -name \".*\" -a -type d \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r)"
  #cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format" 2>/dev/null) | sort -k1n -k2r"
  #cmdline = "(cd "in_dir" && stat "stat_format" *) | sort -k1n -k2r"
  #cmdline = "(cd "in_dir" && ls | xargs stat "stat_format" ) | sort -k1n -k2r"
  while (cmdline | getline) {
    sub(/^[0-9]+ (\.\/)?/,"",$0)
-    infilesSmallToBig[i++] = $0
+    infilesSmallToBigFull[i] = $0
    sub(/.*\//, "", $0)
    infilesSmallToBig[i] = $0
    infilesSmallToBigMap[infilesSmallToBig[i]] = infilesSmallToBigFull[i]
    infilesSmallToBigFullMap[infilesSmallToBigFull[i]] = infilesSmallToBig[i]
    i++
  }
  in_count = i
-  first_file = infilesSmallToBig[0]
+  first_file = infilesSmallToBigFull[0]
-  # Make sure that we're not dealing with a directory.
+  #if (0 == system("test -d ""\""in_dir"/"first_file"\"")) {
  #  print "[-] Error: The input directory is empty or contains subdirectories - please fix." > "/dev/stderr"
  #  exit 1
  #}
-  if (0 == system("test -d ""\""in_dir"/"first_file"\"")) {
+  system(">\""in_dir"/.afl-cmin.test\"")
-    print "[-] Error: The input directory is empty or contains subdirectories - please fix." > "/dev/stderr"
+  if (0 == system("ln \""in_dir"/.afl-cmin.test\" "trace_dir"/.link_test")) {
    exit 1
  }
  if (0 == system("ln \""in_dir"/"first_file"\" "trace_dir"/.link_test")) {
    cp_tool = "ln"
  } else {
    cp_tool = "cp"
  }
  system("rm -f \""in_dir"/.afl-cmin.test\"")
  if (!ENVIRON["AFL_SKIP_BIN_CHECK"]) {
    # Make sure that we can actually get anything out of afl-showmap before we
@ -511,7 +516,8 @@ BEGIN {
    # copy file unless already done
    if (! (fn in file_already_copied)) {
-      system(cp_tool" \""in_dir"/"fn"\" \""out_dir"/"fn"\"")
+      realfile = infilesSmallToBigMap[fn]
      system(cp_tool" \""in_dir"/"realfile"\" \""out_dir"/"fn"\"")
      file_already_copied[fn] = ""
      ++out_count
      #printf "tuple nr %d (%d cnt=%d) -> %s\n",tcnt,key,key_count[key],fn > trace_dir"/.log"
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -31,8 +31,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
  - afl_analyze:
    - fix timeout handling
    - add forkserver support for better performance
-  - afl-cmin, afl-cmin.bash and afl-showmap -i do now descend into
+  - afl-cmin and afl-showmap -i do now descend into subdirectories
-    subdirectories (like afl-fuzz does)
+    (like afl-fuzz does) - note that afl-cmin.bash does not!
  - ensure afl-compiler-rt is built for gcc_module
 ### Version ++3.13c (release)
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@ -1019,7 +1019,7 @@ static void __afl_start_forkserver(void) {
      if (read(FORKSRV_FD, &was_killed, 4) != 4) {
-        write_error("read from afl-fuzz");
+        //write_error("read from afl-fuzz");
        _exit(1);
      }
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@ -233,7 +233,11 @@ static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
  u8 cco = !!getenv("AFL_CMIN_CRASHES_ONLY"),
     caa = !!getenv("AFL_CMIN_ALLOW_ANY");
-  if (!outfile) { FATAL("Output filename not set (Bug in AFL++?)"); }
+  if (!outfile || !*outfile) {
    FATAL("Output filename not set (Bug in AFL++?)");
  }
  if (cmin_mode &&
      (fsrv->last_run_timed_out || (!caa && child_crashed != cco))) {
@ -753,7 +757,9 @@ u32 execute_testcases(u8 *dir) {
    }
-    // DO
+    if (!collect_coverage)
      snprintf(outfile, sizeof(outfile), "%s/%s", out_file, nl[i]->d_name);
    if (read_file(fn2)) {
      if (wait_for_gdb) {
@ -800,31 +806,31 @@ static void usage(u8 *argv0) {
      "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n"
      "Required parameters:\n"
-      "  -o file       - file to write the trace data to\n\n"
+      "  -o file    - file to write the trace data to\n\n"
      "Execution control settings:\n"
-      "  -t msec       - timeout for each run (none)\n"
+      "  -t msec    - timeout for each run (none)\n"
-      "  -m megs       - memory limit for child process (%u MB)\n"
+      "  -m megs    - memory limit for child process (%u MB)\n"
-      "  -O            - use binary-only instrumentation (FRIDA mode)\n"
+      "  -O         - use binary-only instrumentation (FRIDA mode)\n"
-      "  -Q            - use binary-only instrumentation (QEMU mode)\n"
+      "  -Q         - use binary-only instrumentation (QEMU mode)\n"
-      "  -U            - use Unicorn-based instrumentation (Unicorn mode)\n"
+      "  -U         - use Unicorn-based instrumentation (Unicorn mode)\n"
-      "  -W            - use qemu-based instrumentation with Wine (Wine mode)\n"
+      "  -W         - use qemu-based instrumentation with Wine (Wine mode)\n"
-      "                  (Not necessary, here for consistency with other afl-* "
+      "               (Not necessary, here for consistency with other afl-* "
      "tools)\n\n"
      "Other settings:\n"
-      "  -i dir        - process all files in this directory, must be combined "
+      "  -i dir     - process all files below this directory, must be combined "
      "with -o.\n"
-      "                  With -C, -o is a file, without -C it must be a "
+      "               With -C, -o is a file, without -C it must be a "
      "directory\n"
-      "                  and each bitmap will be written there individually.\n"
+      "               and each bitmap will be written there individually.\n"
-      "  -C            - collect coverage, writes all edges to -o and gives a "
+      "  -C         - collect coverage, writes all edges to -o and gives a "
      "summary\n"
-      "                  Must be combined with -i.\n"
+      "               Must be combined with -i.\n"
-      "  -q            - sink program's output and don't show messages\n"
+      "  -q         - sink program's output and don't show messages\n"
-      "  -e            - show edge coverage only, ignore hit counts\n"
+      "  -e         - show edge coverage only, ignore hit counts\n"
-      "  -r            - show real tuple values instead of AFL filter values\n"
+      "  -r         - show real tuple values instead of AFL filter values\n"
-      "  -s            - do not classify the map\n"
+      "  -s         - do not classify the map\n"
-      "  -c            - allow core dumps\n\n"
+      "  -c         - allow core dumps\n\n"
      "This tool displays raw tuple data captured by AFL instrumentation.\n"
      "For additional help, consult %s/README.md.\n\n"
@ -1259,7 +1265,7 @@ int main(int argc, char **argv_orig, char **envp) {
    } else {
-      if ((coverage_map = (u8 *)malloc(map_size)) == NULL)
+      if ((coverage_map = (u8 *)malloc(map_size + 64)) == NULL)
        FATAL("coult not grab memory");
      edges_only = false;
      raw_instr_output = true;