ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix colorization

Browse Source
This commit is contained in:
van Hauser
2021-01-17 15:18:20 +01:00
parent a0e884cf8b
commit c71ce79963
7 changed files with 65 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
GNUmakefile
View File

@ -428,8 +428,8 @@ src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86 afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm
afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86 afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)

4
include/afl-fuzz.h
View File

@ -1136,9 +1136,9 @@ void read_foreign_testcases(afl_state_t *, int);
u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len); u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len);
/* RedQueen */ /* RedQueen */
u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len);
u64 exec_cksum);
/* our RNG wrapper */
AFL_RAND_RETURN rand_next(afl_state_t *afl); AFL_RAND_RETURN rand_next(afl_state_t *afl);
/* probability between 0.0 and 1.0 */ /* probability between 0.0 and 1.0 */

3
instrumentation/afl-compiler-rt.o.c
View File

@ -1209,7 +1209,8 @@ void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) { void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr) {
// fprintf(stderr, "hook1 arg0=%02x arg1=%02x attr=%u\n", arg1, arg2, attr); // fprintf(stderr, "hook1 arg0=%02x arg1=%02x attr=%u\n",
// (u8) arg1, (u8) arg2, attr);
if (unlikely(!__afl_cmp_map)) return; if (unlikely(!__afl_cmp_map)) return;

6
src/afl-fuzz-one.c
View File

@ -562,8 +562,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
!(afl->fsrv.total_execs % afl->queued_paths) || !(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 15000) { get_cur_time() - afl->last_path_time > 15000) {
if (input_to_state_stage(afl, in_buf, out_buf, len, if (input_to_state_stage(afl, in_buf, out_buf, len)) {
afl->queue_cur->exec_cksum)) {
goto abandon_entry; goto abandon_entry;
@ -2986,8 +2985,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
!(afl->fsrv.total_execs % afl->queued_paths) || !(afl->fsrv.total_execs % afl->queued_paths) ||
get_cur_time() - afl->last_path_time > 15000) { get_cur_time() - afl->last_path_time > 15000) {
if (input_to_state_stage(afl, in_buf, out_buf, len, if (input_to_state_stage(afl, in_buf, out_buf, len)) {
afl->queue_cur->exec_cksum)) {
goto abandon_entry; goto abandon_entry;

42
src/afl-fuzz-redqueen.c
View File

@ -88,7 +88,7 @@ static struct range *pop_biggest_range(struct range **ranges) {
static void dump(char *txt, u8 *buf, u32 len) { static void dump(char *txt, u8 *buf, u32 len) {
u32 i; u32 i;
fprintf(stderr, "DUMP %s %llx ", txt, hash64(buf, len, 0)); fprintf(stderr, "DUMP %s %llx ", txt, hash64(buf, len, HASH_CONST));
for (i = 0; i < len; i++) for (i = 0; i < len; i++)
fprintf(stderr, "%02x", buf[i]); fprintf(stderr, "%02x", buf[i]);
fprintf(stderr, "\n"); fprintf(stderr, "\n");
@ -117,6 +117,7 @@ static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u64 *cksum) {
if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; } if (unlikely(common_fuzz_stuff(afl, buf, len))) { return 1; }
*cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST); *cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
return 0; return 0;
} }
@ -200,7 +201,7 @@ static void type_replace(afl_state_t *afl, u8 *buf, u32 len) {
} }
static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum, static u8 colorization(afl_state_t *afl, u8 *buf, u32 len,
struct tainted **taints) { struct tainted **taints) {
struct range * ranges = add_range(NULL, 0, len - 1), *rng; struct range * ranges = add_range(NULL, 0, len - 1), *rng;
@ -208,18 +209,31 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum,
u8 * backup = ck_alloc_nozero(len); u8 * backup = ck_alloc_nozero(len);
u8 * changed = ck_alloc_nozero(len); u8 * changed = ck_alloc_nozero(len);
u64 orig_hit_cnt, new_hit_cnt; u64 orig_hit_cnt, new_hit_cnt, exec_cksum;
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
afl->stage_name = "colorization"; afl->stage_name = "colorization";
afl->stage_short = "colorization"; afl->stage_short = "colorization";
afl->stage_max = (len << 1); afl->stage_max = (len << 1);
afl->stage_cur = 0; afl->stage_cur = 0;
// in colorization we do not classify counts, hence we have to calculate
// the original checksum!
if (unlikely(get_exec_checksum(afl, buf, len, &exec_cksum))) {
goto checksum_fail;
}
memcpy(backup, buf, len); memcpy(backup, buf, len);
memcpy(changed, buf, len); memcpy(changed, buf, len);
type_replace(afl, changed, len); type_replace(afl, changed, len);
#ifdef _DEBUG
dump("ORIG", buf, len);
dump("CHAN", changed, len);
#endif
while ((rng = pop_biggest_range(&ranges)) != NULL && while ((rng = pop_biggest_range(&ranges)) != NULL &&
afl->stage_cur < afl->stage_max) { afl->stage_cur < afl->stage_max) {
@ -227,7 +241,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u64 exec_cksum,
memcpy(buf + rng->start, changed + rng->start, s); memcpy(buf + rng->start, changed + rng->start, s);
u64 cksum; u64 cksum = 0;
u64 start_us = get_cur_time_us(); u64 start_us = get_cur_time_us();
if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) { if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) {
@ -704,8 +718,8 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
// if (its_len >= 1 && (attr <= 1 || attr >= 8)) // if (its_len >= 1 && (attr <= 1 || attr >= 8))
// fprintf(stderr, // fprintf(stderr,
// "TestU8: %u>=1 %x==%x %x==%x (idx=%u attr=%u) <= %x<-%x\n", // "TestU8: %u>=1 %x==%x %x==%x (idx=%u attr=%u) <= %x<-%x\n",
// its_len, *buf_8, pattern, *o_buf_8, o_pattern, idx, attr, // its_len, *buf_8, (u8)pattern, *o_buf_8, (u8)o_pattern, idx,
// repl, changed_val); // attr, (u8)repl, (u8)changed_val);
if (its_len >= 1 && if (its_len >= 1 &&
((*buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) || ((*buf_8 == (u8)pattern && *o_buf_8 == (u8)o_pattern) ||
@ -1659,8 +1673,7 @@ static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u8 *cbuf,
///// Input to State stage ///// Input to State stage
// afl->queue_cur->exec_cksum // afl->queue_cur->exec_cksum
u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len, u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len) {
u64 exec_cksum) {
u8 r = 1; u8 r = 1;
if (unlikely(!afl->orig_cmp_map)) { if (unlikely(!afl->orig_cmp_map)) {
@ -1686,7 +1699,7 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
if (!afl->queue_cur->taint || !afl->queue_cur->cmplog_colorinput) { if (!afl->queue_cur->taint || !afl->queue_cur->cmplog_colorinput) {
if (unlikely(colorization(afl, buf, len, exec_cksum, &taint))) { return 1; } if (unlikely(colorization(afl, buf, len, &taint))) { return 1; }
// no taint? still try, create a dummy to prevent again colorization // no taint? still try, create a dummy to prevent again colorization
if (!taint) { if (!taint) {
@ -1696,6 +1709,10 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
} }
#ifdef _DEBUG
dump("NEW ", buf, len);
#endif
} else { } else {
buf = afl->queue_cur->cmplog_colorinput; buf = afl->queue_cur->cmplog_colorinput;
@ -1705,11 +1722,6 @@ u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
} }
#ifdef _DEBUG
dump("ORIG", orig_buf, len);
dump("NEW ", buf, len);
#endif
struct tainted *t = taint; struct tainted *t = taint;
while (t) { while (t) {

2
src/afl-fuzz.c
View File

@ -1094,6 +1094,8 @@ int main(int argc, char **argv_orig, char **envp) {
} }
if (afl->shm.cmplog_mode) { OKF("CmpLog level: %u", afl->cmplog_lvl); }
/* Dynamically allocate memory for AFLFast schedules */ /* Dynamically allocate memory for AFLFast schedules */
if (afl->schedule >= FAST && afl->schedule <= RARE) { if (afl->schedule >= FAST && afl->schedule <= RARE) {

25
src/afl-showmap.c
View File

@ -42,6 +42,7 @@
#include "sharedmem.h" #include "sharedmem.h"
#include "forkserver.h" #include "forkserver.h"
#include "common.h" #include "common.h"
#include "hash.h"
#include <stdio.h> #include <stdio.h>
#include <unistd.h> #include <unistd.h>
@ -86,7 +87,8 @@ static u8 quiet_mode, /* Hide non-essential messages? */
binary_mode, /* Write output as a binary map */ binary_mode, /* Write output as a binary map */
keep_cores, /* Allow coredumps? */ keep_cores, /* Allow coredumps? */
remove_shm = 1, /* remove shmem? */ remove_shm = 1, /* remove shmem? */
collect_coverage; /* collect coverage */ collect_coverage, /* collect coverage */
no_classify; /* do not classify counts */
static volatile u8 stop_soon, /* Ctrl-C pressed? */ static volatile u8 stop_soon, /* Ctrl-C pressed? */
child_crashed; /* Child crashed? */ child_crashed; /* Child crashed? */
@ -317,7 +319,9 @@ static void showmap_run_target_forkserver(afl_forkserver_t *fsrv, u8 *mem,
} }
classify_counts(fsrv); if (fsrv->trace_bits[0] == 1) { fsrv->trace_bits[0] = 0; }
if (!no_classify) { classify_counts(fsrv); }
if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); } if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); }
@ -490,7 +494,9 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
} }
classify_counts(fsrv); if (fsrv->trace_bits[0] == 1) { fsrv->trace_bits[0] = 0; }
if (!no_classify) { classify_counts(fsrv); }
if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); } if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); }
@ -680,6 +686,7 @@ static void usage(u8 *argv0) {
" -q - sink program's output and don't show messages\n" " -q - sink program's output and don't show messages\n"
" -e - show edge coverage only, ignore hit counts\n" " -e - show edge coverage only, ignore hit counts\n"
" -r - show real tuple values instead of AFL filter values\n" " -r - show real tuple values instead of AFL filter values\n"
" -s - do not classify the map\n"
" -c - allow core dumps\n\n" " -c - allow core dumps\n\n"
"This tool displays raw tuple data captured by AFL instrumentation.\n" "This tool displays raw tuple data captured by AFL instrumentation.\n"
@ -729,10 +736,14 @@ int main(int argc, char **argv_orig, char **envp) {
if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; } if (getenv("AFL_QUIET") != NULL) { be_quiet = 1; }
while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZQUWbcrh")) > 0) { while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZQUWbcrsh")) > 0) {
switch (opt) { switch (opt) {
case 's':
no_classify = 1;
break;
case 'C': case 'C':
collect_coverage = 1; collect_coverage = 1;
quiet_mode = 1; quiet_mode = 1;
@ -1213,6 +1224,12 @@ int main(int argc, char **argv_orig, char **envp) {
showmap_run_target(fsrv, use_argv); showmap_run_target(fsrv, use_argv);
tcnt = write_results_to_file(fsrv, out_file); tcnt = write_results_to_file(fsrv, out_file);
if (!quiet_mode) {
OKF("Hash of coverage map: %llx",
hash64(fsrv->trace_bits, fsrv->map_size, HASH_CONST));
}
} }