fixes and debug

This commit is contained in:
vanhauser-thc
2024-05-16 12:30:53 +02:00
parent bd4c9a5eab
commit c510ba6863
5 changed files with 46 additions and 19 deletions


@ -21,19 +21,20 @@ static char *afl_environment_variables[] = {
"AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CC_COMPILER", "AFL_BENCH_UNTIL_CRASH", "AFL_CAL_FAST", "AFL_CC", "AFL_CC_COMPILER",
"AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY", "AFL_CMPLOG_ONLY_NEW", "AFL_CMIN_ALLOW_ANY", "AFL_CMIN_CRASHES_ONLY", "AFL_CMPLOG_ONLY_NEW",
"AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME", "AFL_CODE_END", "AFL_CODE_START", "AFL_COMPCOV_BINNAME",
"AFL_DUMP_CYCLOMATIC_COMPLEXITY", "AFL_DUMP_VULNERABILITY_COMPLEXITY", "AFL_DUMP_QUEUE_ON_EXIT", "AFL_DUMP_CYCLOMATIC_COMPLEXITY",
"AFL_CMPLOG_MAX_LEN", "AFL_COMPCOV_LEVEL", "AFL_DUMP_VULNERABILITY_COMPLEXITY", "AFL_CMPLOG_MAX_LEN",
"AFL_CRASH_EXITCODE", "AFL_CRASHING_SEEDS_AS_NEW_CRASH", "AFL_COMPCOV_LEVEL", "AFL_CRASH_EXITCODE",
"AFL_CUSTOM_MUTATOR_LIBRARY", "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CRASHING_SEEDS_AS_NEW_CRASH", "AFL_CUSTOM_MUTATOR_LIBRARY",
"AFL_CUSTOM_INFO_PROGRAM", "AFL_CUSTOM_INFO_PROGRAM_ARGV", "AFL_CUSTOM_MUTATOR_ONLY", "AFL_CUSTOM_INFO_PROGRAM",
"AFL_CUSTOM_INFO_PROGRAM_INPUT", "AFL_CUSTOM_INFO_OUT", "AFL_CXX", "AFL_CUSTOM_INFO_PROGRAM_ARGV", "AFL_CUSTOM_INFO_PROGRAM_INPUT",
"AFL_CYCLE_SCHEDULES", "AFL_DEBUG", "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_CUSTOM_INFO_OUT", "AFL_CXX", "AFL_CYCLE_SCHEDULES", "AFL_DEBUG",
"AFL_DEBUG_UNICORN", "AFL_DISABLE_REDUNDANT", "AFL_NO_REDUNDANT", "AFL_DEBUG_CHILD", "AFL_DEBUG_GDB", "AFL_DEBUG_UNICORN",
"AFL_DISABLE_TRIM", "AFL_NO_TRIM", "AFL_DISABLE_LLVM_INSTRUMENTATION", "AFL_DISABLE_REDUNDANT", "AFL_NO_REDUNDANT", "AFL_DISABLE_TRIM",
"AFL_DONT_OPTIMIZE", "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_NO_TRIM", "AFL_DISABLE_LLVM_INSTRUMENTATION", "AFL_DONT_OPTIMIZE",
"AFL_DUMB_FORKSRV", "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_DRIVER_STDERR_DUPLICATE_FILENAME", "AFL_DUMB_FORKSRV",
"AFL_EXIT_WHEN_DONE", "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES", "AFL_EARLY_FORKSERVER", "AFL_ENTRYPOINT", "AFL_EXIT_WHEN_DONE",
"AFL_FAST_CAL", "AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS", "AFL_EXIT_ON_TIME", "AFL_EXIT_ON_SEED_ISSUES", "AFL_FAST_CAL",
"AFL_FINAL_SYNC", "AFL_FORCE_UI", "AFL_FRIDA_DEBUG_MAPS",
"AFL_FRIDA_DRIVER_NO_HOOK", "AFL_FRIDA_EXCLUDE_RANGES", "AFL_FRIDA_DRIVER_NO_HOOK", "AFL_FRIDA_EXCLUDE_RANGES",
"AFL_FRIDA_INST_CACHE_SIZE", "AFL_FRIDA_INST_COVERAGE_ABSOLUTE", "AFL_FRIDA_INST_CACHE_SIZE", "AFL_FRIDA_INST_COVERAGE_ABSOLUTE",
"AFL_FRIDA_INST_COVERAGE_FILE", "AFL_FRIDA_INST_DEBUG_FILE", "AFL_FRIDA_INST_COVERAGE_FILE", "AFL_FRIDA_INST_DEBUG_FILE",


@ -578,7 +578,8 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
void *nyx_config = fsrv->nyx_handlers->nyx_config_load(fsrv->target_path); void *nyx_config = fsrv->nyx_handlers->nyx_config_load(fsrv->target_path);
fsrv->nyx_handlers->nyx_config_set_workdir_path(nyx_config, workdir_path); fsrv->nyx_handlers->nyx_config_set_workdir_path(nyx_config, workdir_path);
fsrv->nyx_handlers->nyx_config_set_input_buffer_size(nyx_config, fsrv->max_length); fsrv->nyx_handlers->nyx_config_set_input_buffer_size(nyx_config,
fsrv->max_length);
fsrv->nyx_handlers->nyx_config_set_input_buffer_write_protection(nyx_config, fsrv->nyx_handlers->nyx_config_set_input_buffer_write_protection(nyx_config,
true); true);


@ -76,7 +76,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
if (likely(afl->schedule < RARE)) { weight *= (avg_exec_us / q->exec_us); } if (likely(afl->schedule < RARE)) { weight *= (avg_exec_us / q->exec_us); }
weight *= (log(q->bitmap_size) / avg_bitmap_size); weight *= (log(q->bitmap_size) / avg_bitmap_size);
weight *= (1 + (q->tc_ref / avg_top_size)); weight *= (1 + (q->tc_ref / avg_top_size));
if (avg_score != 0.0) { weight *= (log(q->score) / avg_score); } if (unlikely(avg_score != 0.0)) { weight *= (log(q->score) / avg_score); }
if (unlikely(weight < 0.1)) { weight = 0.1; } if (unlikely(weight < 0.1)) { weight = 0.1; }
if (unlikely(q->favored)) { weight *= 5; } if (unlikely(q->favored)) { weight *= 5; }
@ -92,7 +92,7 @@ double compute_weight(afl_state_t *afl, struct queue_entry *q,
void create_alias_table(afl_state_t *afl) { void create_alias_table(afl_state_t *afl) {
u32 n = afl->queued_items, i = 0, nSmall = 0, nLarge = n - 1, u32 n = afl->queued_items, i = 0, nSmall = 0, nLarge = n - 1,
explore = afl->fuzz_mode; exploit = afl->fuzz_mode;
double sum = 0; double sum = 0;
double *P = (double *)afl_realloc(AFL_BUF_PARAM(out), n * sizeof(double)); double *P = (double *)afl_realloc(AFL_BUF_PARAM(out), n * sizeof(double));
@ -133,7 +133,7 @@ void create_alias_table(afl_state_t *afl) {
avg_exec_us += q->exec_us; avg_exec_us += q->exec_us;
avg_bitmap_size += log(q->bitmap_size); avg_bitmap_size += log(q->bitmap_size);
avg_top_size += q->tc_ref; avg_top_size += q->tc_ref;
if (!explore) { avg_score += q->score; } if (exploit) { avg_score += q->score; }
++active; ++active;
} }
@ -144,7 +144,7 @@ void create_alias_table(afl_state_t *afl) {
avg_bitmap_size /= active; avg_bitmap_size /= active;
avg_top_size /= active; avg_top_size /= active;
if (!explore) { avg_score /= active; } if (exploit) { avg_score /= active; }
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
@ -603,6 +603,7 @@ void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
q->testcase_buf = NULL; q->testcase_buf = NULL;
q->mother = afl->queue_cur; q->mother = afl->queue_cur;
q->score = afl->current_score; q->score = afl->current_score;
if (unlikely(!q->score)) { q->score = 1; }
#ifdef INTROSPECTION #ifdef INTROSPECTION
q->bitsmap_size = afl->bitsmap_size; q->bitsmap_size = afl->bitsmap_size;
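Review bot: The score term in compute_weight divides `log(q->score)` by an `avg_score` that create_alias_table accumulates from the raw `q->score` values (`if (exploit) { avg_score += q->score; }`, then `avg_score /= active`), whereas the neighbouring bitmap term is log-scaled on both sides (`avg_bitmap_size += log(q->bitmap_size)` against `log(q->bitmap_size)`). Unless the asymmetry is deliberate, one side should change — either `avg_score += log(q->score);` in the accumulation or `weight *= (q->score / avg_score);` in compute_weight — since otherwise the term's magnitude depends on the scale of score in a way the other factors do not; the range of score is not visible here, so this is worth confirming rather than assumed. The new `if (unlikely(!q->score)) { q->score = 1; }` in add_to_queue does avoid log(0), but log(1) is 0, so an item entering with score 0 has its weight zeroed and then raised to the 0.1 floor by the following clamp; if that minimum ranking is intended, a comment such as `/* 0 would give log(0); 1 makes the score term 0 and the weight clamp to 0.1 */` at the guard would make it explicit. compute_weight, create_alias_table and add_to_queue all begin and end outside the hunks shown.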


@ -606,6 +606,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
} }
q->exec_us = diff_us / afl->stage_max; q->exec_us = diff_us / afl->stage_max;
if (unlikely(!q->exec_us)) { q->exec_us = 1; }
q->bitmap_size = count_bytes(afl, afl->fsrv.trace_bits); q->bitmap_size = count_bytes(afl, afl->fsrv.trace_bits);
q->handicap = handicap; q->handicap = handicap;
q->cal_failed = 0; q->cal_failed = 0;
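Review bot: The added `if (unlikely(!q->exec_us)) { q->exec_us = 1; }` carries no comment saying why a measured zero is rewritten, and the reason is not visible at this site — the value is a divisor elsewhere (compute_weight computes `avg_exec_us / q->exec_us`). Suggest annotating it with `/* exec_us is a divisor in compute_weight(); never leave it at 0 */` so the clamp is not "simplified" away later. Note that `diff_us / afl->stage_max` truncates, so any execution averaging below one unit of diff_us now reports 1 rather than 0; that is presumably acceptable for a weight, but it is a change in what calibration records. calibrate_case starts and ends outside this hunk.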


@ -1806,7 +1806,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver;
afl->fsrv.max_length = afl->max_length; afl->fsrv.max_length = afl->max_length;
#ifdef __linux__ #ifdef __linux__
if (!afl->fsrv.nyx_mode) { if (!afl->fsrv.nyx_mode) {
@ -3067,6 +3067,28 @@ stop_fuzzing:
} }
if (getenv("AFL_DUMP_QUEUE_ON_EXIT")) {
fprintf(stderr, "\nQUEUE DUMP:\n");
for (u32 k = 0; k < afl->queued_items; ++k) {
struct queue_entry *q = afl->queue_buf[k];
fprintf(
stderr,
"item=%u fname=%s len=%u exec_us=%llu has_new_cov=%u var_behavior=%u "
"favored=%u fs_redundant=%u disabled=%u bitmap_size=%u fuzz_level=%u "
"mother=%d perf_score=%.2f weight=%.2f score=%u\n",
k, q->fname, q->len, q->exec_us, q->has_new_cov, q->var_behavior,
q->favored, q->fs_redundant, q->disabled, q->bitmap_size,
q->fuzz_level, q->mother == NULL ? -1 : (int)q->mother->id,
q->perf_score, q->weight, q->score);
}
fprintf(stderr, "\n");
}
if (frida_afl_preload) { ck_free(frida_afl_preload); } if (frida_afl_preload) { ck_free(frida_afl_preload); }
fclose(afl->fsrv.plot_file); fclose(afl->fsrv.plot_file);
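Review bot: AFL_DUMP_QUEUE_ON_EXIT becomes a user-facing switch in this hunk and is registered in the afl_environment_variables list in the first file of the commit, but none of the five changed files is the environment-variable documentation, so the knob ships undocumented; a one-line entry describing the per-item stderr dump at exit (the fields printed at the `"item=%u fname=%s ..."` format) should accompany it. The lookup uses bare `getenv("AFL_DUMP_QUEUE_ON_EXIT")`; if the other AFL_* switches in this file go through the get_afl_env() helper (not visible in this hunk), use it here too for consistency. The dump reads `q->mother->id` for every item, which is safe only if a mother pointer never outlives its entry in queue_buf — worth confirming against how entries are freed before reaching `stop_fuzzing:`. The enclosing main() starts and ends outside the hunk.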