ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 02:58:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

unified pointer placement

Browse Source
This commit is contained in:
Dominik Maier
2020-03-10 22:04:05 +01:00
parent 2832cb643d
commit cc1d6b33b1
46 changed files with 1040 additions and 1043 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.clang-format
View File

@ -52,7 +52,7 @@ ConstructorInitializerAllOnOneLineOrOnePerLine: true
ConstructorInitializerIndentWidth: 4 ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4 ContinuationIndentWidth: 4
Cpp11BracedListStyle: true Cpp11BracedListStyle: true
DerivePointerAlignment: true DerivePointerAlignment: false
DisableFormat: false DisableFormat: false
ExperimentalAutoDetectBinPacking: false ExperimentalAutoDetectBinPacking: false
FixNamespaceComments: true FixNamespaceComments: true

6
examples/argv_fuzzing/argv-fuzz-inl.h
View File

@ -55,12 +55,12 @@
#define MAX_CMDLINE_LEN 100000 #define MAX_CMDLINE_LEN 100000
#define MAX_CMDLINE_PAR 50000 #define MAX_CMDLINE_PAR 50000
static char** afl_init_argv(int* argc) { static char **afl_init_argv(int *argc) {
static char in_buf[MAX_CMDLINE_LEN]; static char in_buf[MAX_CMDLINE_LEN];
static char* ret[MAX_CMDLINE_PAR]; static char *ret[MAX_CMDLINE_PAR];
char* ptr = in_buf; char *ptr = in_buf;
int rc = 0; int rc = 0;
if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {} if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {}

2
examples/persistent_demo/persistent_demo.c
View File

@ -30,7 +30,7 @@
/* Main entry point. */ /* Main entry point. */
int main(int argc, char** argv) { int main(int argc, char **argv) {
ssize_t len; /* how much input did we read? */ ssize_t len; /* how much input did we read? */
char buf[100]; /* Example-only buffer, you'd replace it with other global or char buf[100]; /* Example-only buffer, you'd replace it with other global or

8
examples/post_library/post_library.so.c
View File

@ -76,11 +76,11 @@
/* The actual postprocessor routine called by afl-fuzz: */ /* The actual postprocessor routine called by afl-fuzz: */
const unsigned char* afl_postprocess(const unsigned char* in_buf, const unsigned char *afl_postprocess(const unsigned char *in_buf,
unsigned int* len) { unsigned int *len) {
static unsigned char* saved_buf; static unsigned char *saved_buf;
unsigned char* new_buf; unsigned char *new_buf;
/* Skip execution altogether for buffers shorter than 6 bytes (just to /* Skip execution altogether for buffers shorter than 6 bytes (just to
show how it's done). We can trust *len to be sane. */ show how it's done). We can trust *len to be sane. */

14
examples/post_library/post_library_png.so.c
View File

@ -35,13 +35,13 @@
#define UP4K(_i) ((((_i) >> 12) + 1) << 12) #define UP4K(_i) ((((_i) >> 12) + 1) << 12)
const unsigned char* afl_postprocess(const unsigned char* in_buf, const unsigned char *afl_postprocess(const unsigned char *in_buf,
unsigned int* len) { unsigned int * len) {
static unsigned char* saved_buf; static unsigned char *saved_buf;
static unsigned int saved_len; static unsigned int saved_len;
unsigned char* new_buf = (unsigned char*)in_buf; unsigned char *new_buf = (unsigned char *)in_buf;
unsigned int pos = 8; unsigned int pos = 8;
/* Don't do anything if there's not enough room for the PNG header /* Don't do anything if there's not enough room for the PNG header
@ -58,7 +58,7 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
/* Chunk length is the first big-endian dword in the chunk. */ /* Chunk length is the first big-endian dword in the chunk. */
chunk_len = ntohl(*(uint32_t*)(in_buf + pos)); chunk_len = ntohl(*(uint32_t *)(in_buf + pos));
/* Bail out if chunk size is too big or goes past EOF. */ /* Bail out if chunk size is too big or goes past EOF. */
@ -71,7 +71,7 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
/* The in-file checksum is the last dword past the chunk data. */ /* The in-file checksum is the last dword past the chunk data. */
file_cksum = *(uint32_t*)(in_buf + pos + 8 + chunk_len); file_cksum = *(uint32_t *)(in_buf + pos + 8 + chunk_len);
/* If the checksums do not match, we need to fix the file. */ /* If the checksums do not match, we need to fix the file. */
@ -98,7 +98,7 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
} }
*(uint32_t*)(new_buf + pos + 8 + chunk_len) = real_cksum; *(uint32_t *)(new_buf + pos + 8 + chunk_len) = real_cksum;
} }

4
examples/qemu_persistent_hook/read_into_rdi.c
View File

@ -2,7 +2,7 @@
#include <stdio.h> #include <stdio.h>
#include <unistd.h> #include <unistd.h>
#define g2h(x) ((void*)((unsigned long)(x) + guest_base)) #define g2h(x) ((void *)((unsigned long)(x) + guest_base))
#define h2g(x) ((uint64_t)(x)-guest_base) #define h2g(x) ((uint64_t)(x)-guest_base)
enum { enum {
@ -35,7 +35,7 @@ enum {
}; };
void afl_persistent_hook(uint64_t* regs, uint64_t guest_base) { void afl_persistent_hook(uint64_t *regs, uint64_t guest_base) {
// In this example the register RDI is pointing to the memory location // In this example the register RDI is pointing to the memory location
// of the target buffer, and the length of the input is in RAX. // of the target buffer, and the length of the input is in RAX.

32
gcc_plugin/afl-gcc-fast.c
View File

@ -37,17 +37,17 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
static u8* obj_path; /* Path to runtime libraries */ static u8 *obj_path; /* Path to runtime libraries */
static u8** cc_params; /* Parameters passed to the real CC */ static u8 **cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */
u8 use_stdin = 0; /* dummy */ u8 use_stdin = 0; /* dummy */
u8 be_quiet; u8 be_quiet;
/* Try to find the runtime libraries. If that fails, abort. */ /* Try to find the runtime libraries. If that fails, abort. */
static void find_obj(u8* argv0) { static void find_obj(u8 *argv0) {
u8* afl_path = getenv("AFL_PATH"); u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp; u8 *slash, *tmp;
if (afl_path) { if (afl_path) {
@ -70,7 +70,7 @@ static void find_obj(u8* argv0) {
if (slash) { if (slash) {
u8* dir; u8 *dir;
*slash = 0; *slash = 0;
dir = ck_strdup(argv0); dir = ck_strdup(argv0);
@ -106,12 +106,12 @@ static void find_obj(u8* argv0) {
/* Copy argv to cc_params, making the necessary edits. */ /* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) { static void edit_params(u32 argc, char **argv) {
u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1; u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1;
u8* name; u8 *name;
cc_params = ck_alloc((argc + 128) * sizeof(u8*)); cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
name = strrchr(argv[0], '/'); name = strrchr(argv[0], '/');
if (!name) if (!name)
@ -121,17 +121,17 @@ static void edit_params(u32 argc, char** argv) {
if (!strcmp(name, "afl-g++-fast")) { if (!strcmp(name, "afl-g++-fast")) {
u8* alt_cxx = getenv("AFL_CXX"); u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)AFL_GCC_CXX; cc_params[0] = alt_cxx ? alt_cxx : (u8 *)AFL_GCC_CXX;
} else { } else {
u8* alt_cc = getenv("AFL_CC"); u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)AFL_GCC_CC; cc_params[0] = alt_cc ? alt_cc : (u8 *)AFL_GCC_CC;
} }
char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path); char *fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
cc_params[cc_par_cnt++] = fplugin_arg; cc_params[cc_par_cnt++] = fplugin_arg;
/* Detect stray -v calls from ./configure scripts. */ /* Detect stray -v calls from ./configure scripts. */
@ -140,7 +140,7 @@ static void edit_params(u32 argc, char** argv) {
while (--argc) { while (--argc) {
u8* cur = *(++argv); u8 *cur = *(++argv);
#if defined(__x86_64__) #if defined(__x86_64__)
if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported"); if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported");
@ -297,7 +297,7 @@ static void edit_params(u32 argc, char** argv) {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv, char** envp) { int main(int argc, char **argv, char **envp) {
if (argc < 2 || strcmp(argv[1], "-h") == 0) { if (argc < 2 || strcmp(argv[1], "-h") == 0) {
@ -378,7 +378,7 @@ int main(int argc, char** argv, char** envp) {
} }
*/ */
execvp(cc_params[0], (char**)cc_params); execvp(cc_params[0], (char **)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);

2
gcc_plugin/afl-gcc-rt.o.c
View File

@ -86,7 +86,7 @@ static void __afl_map_shm(void) {
if (id_str) { if (id_str) {
#ifdef USEMMAP #ifdef USEMMAP
const char * shm_file_path = id_str; const char *shm_file_path = id_str;
int shm_fd = -1; int shm_fd = -1;
unsigned char *shm_base = NULL; unsigned char *shm_base = NULL;

6
include/afl-as.h
View File

@ -108,7 +108,7 @@
*/ */
static const u8* trampoline_fmt_32 = static const u8 *trampoline_fmt_32 =
"\n" "\n"
"/* --- AFL TRAMPOLINE (32-BIT) --- */\n" "/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
@ -131,7 +131,7 @@ static const u8* trampoline_fmt_32 =
"/* --- END --- */\n" "/* --- END --- */\n"
"\n"; "\n";
static const u8* trampoline_fmt_64 = static const u8 *trampoline_fmt_64 =
"\n" "\n"
"/* --- AFL TRAMPOLINE (64-BIT) --- */\n" "/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
@ -152,7 +152,7 @@ static const u8* trampoline_fmt_64 =
"/* --- END --- */\n" "/* --- END --- */\n"
"\n"; "\n";
static const u8* main_payload_32 = static const u8*main_payload_32 =
"\n" "\n"
"/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n" "/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n"

258
include/afl-fuzz.h
View File

@ -115,7 +115,7 @@ extern s32
struct queue_entry { struct queue_entry {
u8* fname; /* File name for the test case */ u8 *fname; /* File name for the test case */
u32 len; /* Input length */ u32 len; /* Input length */
u8 cal_failed, /* Calibration failed? */ u8 cal_failed, /* Calibration failed? */
@ -137,7 +137,7 @@ struct queue_entry {
n_fuzz, /* Number of fuzz, does not overflow */ n_fuzz, /* Number of fuzz, does not overflow */
depth; /* Path depth */ depth; /* Path depth */
u8* trace_mini; /* Trace bytes, if kept */ u8 *trace_mini; /* Trace bytes, if kept */
u32 tc_ref; /* Trace bytes ref count */ u32 tc_ref; /* Trace bytes ref count */
struct queue_entry *next, /* Next element, if any */ struct queue_entry *next, /* Next element, if any */
@ -147,7 +147,7 @@ struct queue_entry {
struct extra_data { struct extra_data {
u8* data; /* Dictionary token data */ u8 *data; /* Dictionary token data */
u32 len; /* Dictionary token length */ u32 len; /* Dictionary token length */
u32 hit_cnt; /* Use count in the corpus */ u32 hit_cnt; /* Use count in the corpus */
@ -234,7 +234,7 @@ enum {
}; };
extern u8* doc_path; /* gath to documentation dir */ extern u8 *doc_path; /* gath to documentation dir */
/* Python stuff */ /* Python stuff */
#ifdef USE_PYTHON #ifdef USE_PYTHON
@ -284,22 +284,22 @@ enum {
typedef struct MOpt_globals { typedef struct MOpt_globals {
u64* finds; u64 *finds;
u64* finds_v2; u64 *finds_v2;
u64* cycles; u64 *cycles;
u64* cycles_v2; u64 *cycles_v2;
u64* cycles_v3; u64 *cycles_v3;
u32 is_pilot_mode; u32 is_pilot_mode;
u64* pTime; u64 *pTime;
u64 period; u64 period;
char* havoc_stagename; char *havoc_stagename;
char* splice_stageformat; char *splice_stageformat;
char* havoc_stagenameshort; char *havoc_stagenameshort;
char* splice_stagenameshort; char *splice_stagenameshort;
} MOpt_globals_t; } MOpt_globals_t;
extern char* power_names[POWER_SCHEDULES_NUM]; extern char *power_names[POWER_SCHEDULES_NUM];
typedef struct afl_state { typedef struct afl_state {
@ -309,7 +309,7 @@ typedef struct afl_state {
afl_forkserver_t fsrv; afl_forkserver_t fsrv;
sharedmem_t shm; sharedmem_t shm;
char** argv; /* argv if needed */ char **argv; /* argv if needed */
/* MOpt: /* MOpt:
Lots of globals, but mostly for the status UI and other things where it Lots of globals, but mostly for the status UI and other things where it
@ -378,7 +378,7 @@ typedef struct afl_state {
u8 havoc_max_mult; u8 havoc_max_mult;
u8 use_radamsa; u8 use_radamsa;
size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32); size_t (*radamsa_mutate_ptr)(u8 *, size_t, u8 *, size_t, u32);
u8 skip_deterministic, /* Skip deterministic stages? */ u8 skip_deterministic, /* Skip deterministic stages? */
force_deterministic, /* Force deterministic stages? */ force_deterministic, /* Force deterministic stages? */
@ -503,23 +503,23 @@ typedef struct afl_state {
*queue_top, /* Top of the list */ *queue_top, /* Top of the list */
*q_prev100; /* Previous 100 marker */ *q_prev100; /* Previous 100 marker */
struct queue_entry* top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ struct queue_entry *top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */
struct extra_data* extras; /* Extra tokens to fuzz with */ struct extra_data *extras; /* Extra tokens to fuzz with */
u32 extras_cnt; /* Total number of tokens read */ u32 extras_cnt; /* Total number of tokens read */
struct extra_data* a_extras; /* Automatically selected extras */ struct extra_data *a_extras; /* Automatically selected extras */
u32 a_extras_cnt; /* Total number of tokens available */ u32 a_extras_cnt; /* Total number of tokens available */
u8* (*post_handler)(u8* buf, u32* len); u8 *(*post_handler)(u8 *buf, u32 *len);
/* CmpLog */ /* CmpLog */
char* cmplog_binary; char *cmplog_binary;
s32 cmplog_child_pid, cmplog_fsrv_pid; s32 cmplog_child_pid, cmplog_fsrv_pid;
/* Custom mutators */ /* Custom mutators */
struct custom_mutator* mutator; struct custom_mutator *mutator;
/* cmplog forkserver ids */ /* cmplog forkserver ids */
s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd; s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
@ -529,8 +529,8 @@ typedef struct afl_state {
#ifdef USE_PYTHON #ifdef USE_PYTHON
/* Python Mutators */ /* Python Mutators */
PyObject* py_module; PyObject *py_module;
PyObject* py_functions[PY_FUNC_COUNT]; PyObject *py_functions[PY_FUNC_COUNT];
#endif #endif
#ifdef _AFL_DOCUMENT_MUTATIONS #ifdef _AFL_DOCUMENT_MUTATIONS
@ -547,8 +547,8 @@ extern list_t afl_states;
struct custom_mutator { struct custom_mutator {
const char* name; const char *name;
void* dh; void *dh;
/* hooks for the custom mutator function */ /* hooks for the custom mutator function */
@ -559,7 +559,7 @@ struct custom_mutator {
* *
* @param seed Seed used for the mutation. * @param seed Seed used for the mutation.
*/ */
void (*afl_custom_init)(afl_state_t* afl, unsigned int seed); void (*afl_custom_init)(afl_state_t *afl, unsigned int seed);
/** /**
* Perform custom mutations on a given input * Perform custom mutations on a given input
@ -575,8 +575,8 @@ struct custom_mutator {
* not produce data larger than max_size. * not produce data larger than max_size.
* @return Size of the mutated output. * @return Size of the mutated output.
*/ */
size_t (*afl_custom_fuzz)(afl_state_t* afl, u8** buf, size_t buf_size, size_t (*afl_custom_fuzz)(afl_state_t *afl, u8 **buf, size_t buf_size,
u8* add_buf, size_t add_buf_size, size_t max_size); u8 *add_buf, size_t add_buf_size, size_t max_size);
/** /**
* A post-processing function to use right before AFL writes the test case to * A post-processing function to use right before AFL writes the test case to
@ -592,8 +592,8 @@ struct custom_mutator {
* will release the memory after saving the test case. * will release the memory after saving the test case.
* @return Size of the output buffer after processing * @return Size of the output buffer after processing
*/ */
size_t (*afl_custom_pre_save)(afl_state_t* afl, u8* buf, size_t buf_size, size_t (*afl_custom_pre_save)(afl_state_t *afl, u8 *buf, size_t buf_size,
u8** out_buf); u8 **out_buf);
/** /**
* This method is called at the start of each trimming operation and receives * This method is called at the start of each trimming operation and receives
@ -615,7 +615,7 @@ struct custom_mutator {
* @param buf_size Size of the test case * @param buf_size Size of the test case
* @return The amount of possible iteration steps to trim the input * @return The amount of possible iteration steps to trim the input
*/ */
u32 (*afl_custom_init_trim)(afl_state_t* afl, u8* buf, size_t buf_size); u32 (*afl_custom_init_trim)(afl_state_t *afl, u8 *buf, size_t buf_size);
/** /**
* This method is called for each trimming operation. It doesn't have any * This method is called for each trimming operation. It doesn't have any
@ -633,7 +633,7 @@ struct custom_mutator {
* the memory after saving the test case. * the memory after saving the test case.
* @param[out] out_buf_size Pointer to the size of the trimmed test case * @param[out] out_buf_size Pointer to the size of the trimmed test case
*/ */
void (*afl_custom_trim)(afl_state_t* afl, u8** out_buf, size_t* out_buf_size); void (*afl_custom_trim)(afl_state_t *afl, u8 **out_buf, size_t *out_buf_size);
/** /**
* This method is called after each trim operation to inform you if your * This method is called after each trim operation to inform you if your
@ -646,7 +646,7 @@ struct custom_mutator {
* @return The next trim iteration index (from 0 to the maximum amount of * @return The next trim iteration index (from 0 to the maximum amount of
* steps returned in init_trim) * steps returned in init_trim)
*/ */
u32 (*afl_custom_post_trim)(afl_state_t* afl, u8 success); u32 (*afl_custom_post_trim)(afl_state_t *afl, u8 success);
/** /**
* Perform a single custom mutation on a given input. * Perform a single custom mutation on a given input.
@ -661,7 +661,7 @@ struct custom_mutator {
* not produce data larger than max_size. * not produce data larger than max_size.
* @return Size of the mutated output. * @return Size of the mutated output.
*/ */
size_t (*afl_custom_havoc_mutation)(afl_state_t* afl, u8** buf, size_t (*afl_custom_havoc_mutation)(afl_state_t *afl, u8 **buf,
size_t buf_size, size_t max_size); size_t buf_size, size_t max_size);
/** /**
@ -672,7 +672,7 @@ struct custom_mutator {
* *
* @return The probability (0-100). * @return The probability (0-100).
*/ */
u8 (*afl_custom_havoc_mutation_probability)(afl_state_t* afl); u8 (*afl_custom_havoc_mutation_probability)(afl_state_t *afl);
/** /**
* Determine whether the fuzzer should fuzz the current queue entry or not. * Determine whether the fuzzer should fuzz the current queue entry or not.
@ -683,7 +683,7 @@ struct custom_mutator {
* @return Return True(1) if the fuzzer will fuzz the queue entry, and * @return Return True(1) if the fuzzer will fuzz the queue entry, and
* False(0) otherwise. * False(0) otherwise.
*/ */
u8 (*afl_custom_queue_get)(afl_state_t* afl, const u8* filename); u8 (*afl_custom_queue_get)(afl_state_t *afl, const u8 *filename);
/** /**
* Allow for additional analysis (e.g. calling a different tool that does a * Allow for additional analysis (e.g. calling a different tool that does a
@ -695,148 +695,148 @@ struct custom_mutator {
* @param filename_orig_queue File name of the original queue entry. This * @param filename_orig_queue File name of the original queue entry. This
* argument can be NULL while initializing the fuzzer * argument can be NULL while initializing the fuzzer
*/ */
void (*afl_custom_queue_new_entry)(afl_state_t* afl, void (*afl_custom_queue_new_entry)(afl_state_t *afl,
const u8* filename_new_queue, const u8 *filename_new_queue,
const u8* filename_orig_queue); const u8 *filename_orig_queue);
}; };
void afl_state_init(afl_state_t*); void afl_state_init(afl_state_t *);
void afl_state_deinit(afl_state_t*); void afl_state_deinit(afl_state_t *);
/**** Prototypes ****/ /**** Prototypes ****/
/* Custom mutators */ /* Custom mutators */
void setup_custom_mutator(afl_state_t*); void setup_custom_mutator(afl_state_t *);
void destroy_custom_mutator(afl_state_t*); void destroy_custom_mutator(afl_state_t *);
u8 trim_case_custom(afl_state_t*, struct queue_entry* q, u8* in_buf); u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf);
/* Python */ /* Python */
#ifdef USE_PYTHON #ifdef USE_PYTHON
int init_py_module(afl_state_t*, u8*); int init_py_module(afl_state_t *, u8 *);
void finalize_py_module(afl_state_t*); void finalize_py_module(afl_state_t *);
void init_py(afl_state_t*, unsigned int); void init_py(afl_state_t *, unsigned int);
size_t fuzz_py(afl_state_t*, u8**, size_t, u8*, size_t, size_t); size_t fuzz_py(afl_state_t *, u8 **, size_t, u8 *, size_t, size_t);
size_t pre_save_py(afl_state_t*, u8*, size_t, u8**); size_t pre_save_py(afl_state_t *, u8 *, size_t, u8 **);
u32 init_trim_py(afl_state_t*, u8*, size_t); u32 init_trim_py(afl_state_t *, u8 *, size_t);
u32 post_trim_py(afl_state_t*, u8); u32 post_trim_py(afl_state_t *, u8);
void trim_py(afl_state_t*, u8**, size_t*); void trim_py(afl_state_t *, u8 **, size_t *);
size_t havoc_mutation_py(afl_state_t*, u8**, size_t, size_t); size_t havoc_mutation_py(afl_state_t *, u8 **, size_t, size_t);
u8 havoc_mutation_probability_py(afl_state_t*); u8 havoc_mutation_probability_py(afl_state_t *);
u8 queue_get_py(afl_state_t*, const u8*); u8 queue_get_py(afl_state_t *, const u8 *);
void queue_new_entry_py(afl_state_t*, const u8*, const u8*); void queue_new_entry_py(afl_state_t *, const u8 *, const u8 *);
#endif #endif
/* Queue */ /* Queue */
void mark_as_det_done(afl_state_t*, struct queue_entry*); void mark_as_det_done(afl_state_t *, struct queue_entry *);
void mark_as_variable(afl_state_t*, struct queue_entry*); void mark_as_variable(afl_state_t *, struct queue_entry *);
void mark_as_redundant(afl_state_t*, struct queue_entry*, u8); void mark_as_redundant(afl_state_t *, struct queue_entry *, u8);
void add_to_queue(afl_state_t*, u8*, u32, u8); void add_to_queue(afl_state_t *, u8 *, u32, u8);
void destroy_queue(afl_state_t*); void destroy_queue(afl_state_t *);
void update_bitmap_score(afl_state_t*, struct queue_entry*); void update_bitmap_score(afl_state_t *, struct queue_entry *);
void cull_queue(afl_state_t*); void cull_queue(afl_state_t *);
u32 calculate_score(afl_state_t*, struct queue_entry*); u32 calculate_score(afl_state_t *, struct queue_entry *);
/* Bitmap */ /* Bitmap */
void read_bitmap(afl_state_t*, u8*); void read_bitmap(afl_state_t *, u8 *);
void write_bitmap(afl_state_t*); void write_bitmap(afl_state_t *);
u32 count_bits(u8*); u32 count_bits(u8 *);
u32 count_bytes(u8*); u32 count_bytes(u8 *);
u32 count_non_255_bytes(u8*); u32 count_non_255_bytes(u8 *);
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
void simplify_trace(u64*); void simplify_trace(u64 *);
void classify_counts(u64*); void classify_counts(u64 *);
#else #else
void simplify_trace(u32*); void simplify_trace(u32 *);
void classify_counts(u32*); void classify_counts(u32 *);
#endif #endif
void init_count_class16(void); void init_count_class16(void);
void minimize_bits(u8*, u8*); void minimize_bits(u8 *, u8 *);
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
u8* describe_op(afl_state_t*, u8); u8 *describe_op(afl_state_t *, u8);
#endif #endif
u8 save_if_interesting(afl_state_t*, void*, u32, u8); u8 save_if_interesting(afl_state_t *, void *, u32, u8);
u8 has_new_bits(afl_state_t*, u8*); u8 has_new_bits(afl_state_t *, u8 *);
/* Misc */ /* Misc */
u8* DI(u64); u8 *DI(u64);
u8* DF(double); u8 *DF(double);
u8* DMS(u64); u8 *DMS(u64);
u8* DTD(u64, u64); u8 *DTD(u64, u64);
/* Extras */ /* Extras */
void load_extras_file(afl_state_t*, u8*, u32*, u32*, u32); void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32);
void load_extras(afl_state_t*, u8*); void load_extras(afl_state_t *, u8 *);
void maybe_add_auto(afl_state_t*, u8*, u32); void maybe_add_auto(afl_state_t *, u8 *, u32);
void save_auto(afl_state_t*); void save_auto(afl_state_t *);
void load_auto(afl_state_t*); void load_auto(afl_state_t *);
void destroy_extras(afl_state_t*); void destroy_extras(afl_state_t *);
/* Stats */ /* Stats */
void write_stats_file(afl_state_t*, double, double, double); void write_stats_file(afl_state_t *, double, double, double);
void maybe_update_plot_file(afl_state_t*, double, double); void maybe_update_plot_file(afl_state_t *, double, double);
void show_stats(afl_state_t*); void show_stats(afl_state_t *);
void show_init_stats(afl_state_t*); void show_init_stats(afl_state_t *);
/* Run */ /* Run */
u8 run_target(afl_state_t*, u32); u8 run_target(afl_state_t *, u32);
void write_to_testcase(afl_state_t*, void*, u32); void write_to_testcase(afl_state_t *, void *, u32);
u8 calibrate_case(afl_state_t*, struct queue_entry*, u8*, u32, u8); u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8);
void sync_fuzzers(afl_state_t*); void sync_fuzzers(afl_state_t *);
u8 trim_case(afl_state_t*, struct queue_entry*, u8*); u8 trim_case(afl_state_t *, struct queue_entry *, u8 *);
u8 common_fuzz_stuff(afl_state_t*, u8*, u32); u8 common_fuzz_stuff(afl_state_t *, u8 *, u32);
/* Fuzz one */ /* Fuzz one */
u8 fuzz_one_original(afl_state_t*); u8 fuzz_one_original(afl_state_t *);
u8 pilot_fuzzing(afl_state_t*); u8 pilot_fuzzing(afl_state_t *);
u8 core_fuzzing(afl_state_t*); u8 core_fuzzing(afl_state_t *);
void pso_updating(afl_state_t*); void pso_updating(afl_state_t *);
u8 fuzz_one(afl_state_t*); u8 fuzz_one(afl_state_t *);
/* Init */ /* Init */
#ifdef HAVE_AFFINITY #ifdef HAVE_AFFINITY
void bind_to_free_cpu(afl_state_t*); void bind_to_free_cpu(afl_state_t *);
#endif #endif
void setup_post(afl_state_t*); void setup_post(afl_state_t *);
void read_testcases(afl_state_t*); void read_testcases(afl_state_t *);
void perform_dry_run(afl_state_t*); void perform_dry_run(afl_state_t *);
void pivot_inputs(afl_state_t*); void pivot_inputs(afl_state_t *);
u32 find_start_position(afl_state_t*); u32 find_start_position(afl_state_t *);
void find_timeout(afl_state_t*); void find_timeout(afl_state_t *);
double get_runnable_processes(void); double get_runnable_processes(void);
void nuke_resume_dir(afl_state_t*); void nuke_resume_dir(afl_state_t *);
void setup_dirs_fds(afl_state_t*); void setup_dirs_fds(afl_state_t *);
void setup_cmdline_file(afl_state_t*, char**); void setup_cmdline_file(afl_state_t *, char **);
void setup_stdio_file(afl_state_t*); void setup_stdio_file(afl_state_t *);
void check_crash_handling(void); void check_crash_handling(void);
void check_cpu_governor(afl_state_t*); void check_cpu_governor(afl_state_t *);
void get_core_count(afl_state_t*); void get_core_count(afl_state_t *);
void fix_up_sync(afl_state_t*); void fix_up_sync(afl_state_t *);
void check_asan_opts(void); void check_asan_opts(void);
void check_binary(afl_state_t*, u8*); void check_binary(afl_state_t *, u8 *);
void fix_up_banner(afl_state_t*, u8*); void fix_up_banner(afl_state_t *, u8 *);
void check_if_tty(afl_state_t*); void check_if_tty(afl_state_t *);
void setup_signal_handlers(void); void setup_signal_handlers(void);
void save_cmdline(afl_state_t*, u32, char**); void save_cmdline(afl_state_t *, u32, char **);
/* CmpLog */ /* CmpLog */
void init_cmplog_forkserver(afl_state_t* afl); void init_cmplog_forkserver(afl_state_t *afl);
u8 common_fuzz_cmplog_stuff(afl_state_t* afl, u8* out_buf, u32 len); u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len);
/* RedQueen */ /* RedQueen */
u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len, u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
u32 exec_cksum); u32 exec_cksum);
/**** Inline routines ****/ /**** Inline routines ****/
@ -844,7 +844,7 @@ u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len,
/* Generate a random number (from 0 to limit - 1). This may /* Generate a random number (from 0 to limit - 1). This may
have slight bias. */ have slight bias. */
static inline u32 UR(afl_state_t* afl, u32 limit) { static inline u32 UR(afl_state_t *afl, u32 limit) {
#ifdef HAVE_ARC4RANDOM #ifdef HAVE_ARC4RANDOM
if (afl->fixed_seed) { return random() % limit; } if (afl->fixed_seed) { return random() % limit; }
@ -867,7 +867,7 @@ static inline u32 UR(afl_state_t* afl, u32 limit) {
} }
static inline u32 get_rand_seed(afl_state_t* afl) { static inline u32 get_rand_seed(afl_state_t *afl) {
if (afl->fixed_seed) return (u32)afl->init_seed; if (afl->fixed_seed) return (u32)afl->init_seed;
return afl->rand_seed[0]; return afl->rand_seed[0];

130
include/alloc-inl.h
View File

@ -45,11 +45,11 @@
#define alloc_printf(_str...) \ #define alloc_printf(_str...) \
({ \ ({ \
\ \
u8* _tmp; \ u8 *_tmp; \
s32 _len = snprintf(NULL, 0, _str); \ s32 _len = snprintf(NULL, 0, _str); \
if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
_tmp = ck_alloc(_len + 1); \ _tmp = ck_alloc(_len + 1); \
snprintf((char*)_tmp, _len + 1, _str); \ snprintf((char *)_tmp, _len + 1, _str); \
_tmp; \ _tmp; \
\ \
}) })
@ -80,9 +80,9 @@
/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
requests. */ requests. */
static inline void* DFL_ck_alloc_nozero(u32 size) { static inline void *DFL_ck_alloc_nozero(u32 size) {
u8* ret; u8 *ret;
if (!size) return NULL; if (!size) return NULL;
@ -90,15 +90,15 @@ static inline void* DFL_ck_alloc_nozero(u32 size) {
ret = malloc(size); ret = malloc(size);
ALLOC_CHECK_RESULT(ret, size); ALLOC_CHECK_RESULT(ret, size);
return (void*)ret; return (void *)ret;
} }
/* Allocate a buffer, returning zeroed memory. */ /* Allocate a buffer, returning zeroed memory. */
static inline void* DFL_ck_alloc(u32 size) { static inline void *DFL_ck_alloc(u32 size) {
void* mem; void *mem;
if (!size) return NULL; if (!size) return NULL;
mem = DFL_ck_alloc_nozero(size); mem = DFL_ck_alloc_nozero(size);
@ -110,7 +110,7 @@ static inline void* DFL_ck_alloc(u32 size) {
/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD /* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
is set, the old memory will be also clobbered with 0xFF. */ is set, the old memory will be also clobbered with 0xFF. */
static inline void DFL_ck_free(void* mem) { static inline void DFL_ck_free(void *mem) {
if (!mem) return; if (!mem) return;
@ -122,9 +122,9 @@ static inline void DFL_ck_free(void* mem) {
With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
old memory is clobbered with 0xFF. */ old memory is clobbered with 0xFF. */
static inline void* DFL_ck_realloc(void* orig, u32 size) { static inline void *DFL_ck_realloc(void *orig, u32 size) {
u8* ret; u8 *ret;
if (!size) { if (!size) {
@ -142,14 +142,14 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
ALLOC_CHECK_RESULT(ret, size); ALLOC_CHECK_RESULT(ret, size);
return (void*)ret; return (void *)ret;
} }
/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up /* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
repeated small reallocs without complicating the user code). */ repeated small reallocs without complicating the user code). */
static inline void* DFL_ck_realloc_block(void* orig, u32 size) { static inline void *DFL_ck_realloc_block(void *orig, u32 size) {
return DFL_ck_realloc(orig, size); return DFL_ck_realloc(orig, size);
@ -157,14 +157,14 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */ /* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
static inline u8* DFL_ck_strdup(u8* str) { static inline u8 *DFL_ck_strdup(u8 *str) {
u8* ret; u8 *ret;
u32 size; u32 size;
if (!str) return NULL; if (!str) return NULL;
size = strlen((char*)str) + 1; size = strlen((char *)str) + 1;
ALLOC_CHECK_SIZE(size); ALLOC_CHECK_SIZE(size);
ret = malloc(size); ret = malloc(size);
@ -177,9 +177,9 @@ static inline u8* DFL_ck_strdup(u8* str) {
/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized /* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
or NULL inputs. */ or NULL inputs. */
static inline void* DFL_ck_memdup(void* mem, u32 size) { static inline void *DFL_ck_memdup(void *mem, u32 size) {
u8* ret; u8 *ret;
if (!mem || !size) return NULL; if (!mem || !size) return NULL;
@ -194,9 +194,9 @@ static inline void* DFL_ck_memdup(void* mem, u32 size) {
/* Create a buffer with a block of text, appending a NUL terminator at the end. /* Create a buffer with a block of text, appending a NUL terminator at the end.
Returns NULL for zero-sized or NULL inputs. */ Returns NULL for zero-sized or NULL inputs. */
static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) {
u8* ret; u8 *ret;
if (!mem || !size) return NULL; if (!mem || !size) return NULL;
@ -233,11 +233,11 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
#define alloc_printf(_str...) \ #define alloc_printf(_str...) \
({ \ ({ \
\ \
u8* _tmp; \ u8 *_tmp; \
s32 _len = snprintf(NULL, 0, _str); \ s32 _len = snprintf(NULL, 0, _str); \
if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
_tmp = ck_alloc(_len + 1); \ _tmp = ck_alloc(_len + 1); \
snprintf((char*)_tmp, _len + 1, _str); \ snprintf((char *)_tmp, _len + 1, _str); \
_tmp; \ _tmp; \
\ \
}) })
@ -269,9 +269,9 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
/* Positions of guard tokens in relation to the user-visible pointer. */ /* Positions of guard tokens in relation to the user-visible pointer. */
#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2]) #define ALLOC_C1(_ptr) (((u32 *)(_ptr))[-2])
#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) #define ALLOC_S(_ptr) (((u32 *)(_ptr))[-1])
#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)]) #define ALLOC_C2(_ptr) (((u8 *)(_ptr))[ALLOC_S(_ptr)])
#define ALLOC_OFF_HEAD 8 #define ALLOC_OFF_HEAD 8
#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) #define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1)
@ -314,9 +314,9 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized /* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
requests. */ requests. */
static inline void* DFL_ck_alloc_nozero(u32 size) { static inline void *DFL_ck_alloc_nozero(u32 size) {
void* ret; void *ret;
if (!size) return NULL; if (!size) return NULL;
@ -336,9 +336,9 @@ static inline void* DFL_ck_alloc_nozero(u32 size) {
/* Allocate a buffer, returning zeroed memory. */ /* Allocate a buffer, returning zeroed memory. */
static inline void* DFL_ck_alloc(u32 size) { static inline void *DFL_ck_alloc(u32 size) {
void* mem; void *mem;
if (!size) return NULL; if (!size) return NULL;
mem = DFL_ck_alloc_nozero(size); mem = DFL_ck_alloc_nozero(size);
@ -350,7 +350,7 @@ static inline void* DFL_ck_alloc(u32 size) {
/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD /* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
is set, the old memory will be also clobbered with 0xFF. */ is set, the old memory will be also clobbered with 0xFF. */
static inline void DFL_ck_free(void* mem) { static inline void DFL_ck_free(void *mem) {
if (!mem) return; if (!mem) return;
@ -373,9 +373,9 @@ static inline void DFL_ck_free(void* mem) {
With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
old memory is clobbered with 0xFF. */ old memory is clobbered with 0xFF. */
static inline void* DFL_ck_realloc(void* orig, u32 size) { static inline void *DFL_ck_realloc(void *orig, u32 size) {
void* ret; void *ret;
u32 old_size = 0; u32 old_size = 0;
if (!size) { if (!size) {
@ -443,7 +443,7 @@ static inline void* DFL_ck_realloc(void* orig, u32 size) {
/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up /* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
repeated small reallocs without complicating the user code). */ repeated small reallocs without complicating the user code). */
static inline void* DFL_ck_realloc_block(void* orig, u32 size) { static inline void *DFL_ck_realloc_block(void *orig, u32 size) {
#ifndef DEBUG_BUILD #ifndef DEBUG_BUILD
@ -465,14 +465,14 @@ static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */ /* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
static inline u8* DFL_ck_strdup(u8* str) { static inline u8 *DFL_ck_strdup(u8 *str) {
void* ret; void *ret;
u32 size; u32 size;
if (!str) return NULL; if (!str) return NULL;
size = strlen((char*)str) + 1; size = strlen((char *)str) + 1;
ALLOC_CHECK_SIZE(size); ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL); ret = malloc(size + ALLOC_OFF_TOTAL);
@ -491,9 +491,9 @@ static inline u8* DFL_ck_strdup(u8* str) {
/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized /* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
or NULL inputs. */ or NULL inputs. */
static inline void* DFL_ck_memdup(void* mem, u32 size) { static inline void *DFL_ck_memdup(void *mem, u32 size) {
void* ret; void *ret;
if (!mem || !size) return NULL; if (!mem || !size) return NULL;
@ -514,9 +514,9 @@ static inline void* DFL_ck_memdup(void* mem, u32 size) {
/* Create a buffer with a block of text, appending a NUL terminator at the end. /* Create a buffer with a block of text, appending a NUL terminator at the end.
Returns NULL for zero-sized or NULL inputs. */ Returns NULL for zero-sized or NULL inputs. */
static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { static inline u8 *DFL_ck_memdup_str(u8 *mem, u32 size) {
u8* ret; u8 *ret;
if (!mem || !size) return NULL; if (!mem || !size) return NULL;
@ -564,7 +564,7 @@ static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
struct TRK_obj { struct TRK_obj {
void* ptr; void *ptr;
char *file, *func; char *file, *func;
u32 line; u32 line;
@ -572,14 +572,14 @@ struct TRK_obj {
#ifdef AFL_MAIN #ifdef AFL_MAIN
struct TRK_obj* TRK[ALLOC_BUCKETS]; struct TRK_obj *TRK[ALLOC_BUCKETS];
u32 TRK_cnt[ALLOC_BUCKETS]; u32 TRK_cnt[ALLOC_BUCKETS];
#define alloc_report() TRK_report() #define alloc_report() TRK_report()
#else #else
extern struct TRK_obj* TRK[ALLOC_BUCKETS]; extern struct TRK_obj *TRK[ALLOC_BUCKETS];
extern u32 TRK_cnt[ALLOC_BUCKETS]; extern u32 TRK_cnt[ALLOC_BUCKETS];
#define alloc_report() #define alloc_report()
@ -592,7 +592,7 @@ extern u32 TRK_cnt[ALLOC_BUCKETS];
/* Add a new entry to the list of allocated objects. */ /* Add a new entry to the list of allocated objects. */
static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, static inline void TRK_alloc_buf(void *ptr, const char *file, const char *func,
u32 line) { u32 line) {
u32 i, bucket; u32 i, bucket;
@ -608,8 +608,8 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
if (!TRK[bucket][i].ptr) { if (!TRK[bucket][i].ptr) {
TRK[bucket][i].ptr = ptr; TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file; TRK[bucket][i].file = (char *)file;
TRK[bucket][i].func = (char*)func; TRK[bucket][i].func = (char *)func;
TRK[bucket][i].line = line; TRK[bucket][i].line = line;
return; return;
@ -621,8 +621,8 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
TRK[bucket], (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj)); TRK[bucket], (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
TRK[bucket][i].ptr = ptr; TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file; TRK[bucket][i].file = (char *)file;
TRK[bucket][i].func = (char*)func; TRK[bucket][i].func = (char *)func;
TRK[bucket][i].line = line; TRK[bucket][i].line = line;
TRK_cnt[bucket]++; TRK_cnt[bucket]++;
@ -631,7 +631,7 @@ static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
/* Remove entry from the list of allocated objects. */ /* Remove entry from the list of allocated objects. */
static inline void TRK_free_buf(void* ptr, const char* file, const char* func, static inline void TRK_free_buf(void *ptr, const char *file, const char *func,
u32 line) { u32 line) {
u32 i, bucket; u32 i, bucket;
@ -674,63 +674,63 @@ static inline void TRK_report(void) {
/* Simple wrappers for non-debugging functions: */ /* Simple wrappers for non-debugging functions: */
static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, static inline void *TRK_ck_alloc(u32 size, const char *file, const char *func,
u32 line) { u32 line) {
void* ret = DFL_ck_alloc(size); void *ret = DFL_ck_alloc(size);
TRK_alloc_buf(ret, file, func, line); TRK_alloc_buf(ret, file, func, line);
return ret; return ret;
} }
static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, static inline void *TRK_ck_realloc(void *orig, u32 size, const char *file,
const char* func, u32 line) { const char *func, u32 line) {
void* ret = DFL_ck_realloc(orig, size); void *ret = DFL_ck_realloc(orig, size);
TRK_free_buf(orig, file, func, line); TRK_free_buf(orig, file, func, line);
TRK_alloc_buf(ret, file, func, line); TRK_alloc_buf(ret, file, func, line);
return ret; return ret;
} }
static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file, static inline void *TRK_ck_realloc_block(void *orig, u32 size, const char *file,
const char* func, u32 line) { const char *func, u32 line) {
void* ret = DFL_ck_realloc_block(orig, size); void *ret = DFL_ck_realloc_block(orig, size);
TRK_free_buf(orig, file, func, line); TRK_free_buf(orig, file, func, line);
TRK_alloc_buf(ret, file, func, line); TRK_alloc_buf(ret, file, func, line);
return ret; return ret;
} }
static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, static inline void *TRK_ck_strdup(u8 *str, const char *file, const char *func,
u32 line) { u32 line) {
void* ret = DFL_ck_strdup(str); void *ret = DFL_ck_strdup(str);
TRK_alloc_buf(ret, file, func, line); TRK_alloc_buf(ret, file, func, line);
return ret; return ret;
} }
static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, static inline void *TRK_ck_memdup(void *mem, u32 size, const char *file,
const char* func, u32 line) { const char *func, u32 line) {
void* ret = DFL_ck_memdup(mem, size); void *ret = DFL_ck_memdup(mem, size);
TRK_alloc_buf(ret, file, func, line); TRK_alloc_buf(ret, file, func, line);
return ret; return ret;
} }
static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, static inline void *TRK_ck_memdup_str(void *mem, u32 size, const char *file,
const char* func, u32 line) { const char *func, u32 line) {
void* ret = DFL_ck_memdup_str(mem, size); void *ret = DFL_ck_memdup_str(mem, size);
TRK_alloc_buf(ret, file, func, line); TRK_alloc_buf(ret, file, func, line);
return ret; return ret;
} }
static inline void TRK_ck_free(void* ptr, const char* file, const char* func, static inline void TRK_ck_free(void *ptr, const char *file, const char *func,
u32 line) { u32 line) {
TRK_free_buf(ptr, file, func, line); TRK_free_buf(ptr, file, func, line);

14
include/common.h
View File

@ -31,15 +31,15 @@
#include "types.h" #include "types.h"
#include "stdbool.h" #include "stdbool.h"
void detect_file_args(char** argv, u8* prog_in, u8* use_stdin); void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin);
void check_environment_vars(char** env); void check_environment_vars(char **env);
char** argv_cpy_dup(int argc, char** argv); char **argv_cpy_dup(int argc, char **argv);
void argv_cpy_free(char** argv); void argv_cpy_free(char **argv);
char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv); char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv);
char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv); char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv);
char* get_afl_env(char* env); char * get_afl_env(char *env);
/* Get unix time in milliseconds */ /* Get unix time in milliseconds */

8
include/hash.h
View File

@ -34,9 +34,9 @@
#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) #define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) { static inline u32 hash32(const void *key, u32 len, u32 seed) {
const u64* data = (u64*)key; const u64 *data = (u64 *)key;
u64 h1 = seed ^ len; u64 h1 = seed ^ len;
len >>= 3; len >>= 3;
@ -69,9 +69,9 @@ static inline u32 hash32(const void* key, u32 len, u32 seed) {
#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) #define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) { static inline u32 hash32(const void *key, u32 len, u32 seed) {
const u32* data = (u32*)key; const u32 *data = (u32 *)key;
u32 h1 = seed ^ len; u32 h1 = seed ^ len;
len >>= 2; len >>= 2;

4
include/list.h
View File

@ -43,7 +43,7 @@ typedef struct list_element {
struct list_element *prev; struct list_element *prev;
struct list_element *next; struct list_element *next;
void * data; void *data;
} element_t; } element_t;
@ -100,7 +100,7 @@ static void list_append(list_t *list, void *el) {
#define LIST_FOREACH(list, type, block) \ #define LIST_FOREACH(list, type, block) \
do { \ do { \
\ \
list_t * li = (list); \ list_t *li = (list); \
element_t *head = get_head((li)); \ element_t *head = get_head((li)); \
element_t *el_box = (head)->next; \ element_t *el_box = (head)->next; \
if (!el_box) FATAL("foreach over uninitialized list"); \ if (!el_box) FATAL("foreach over uninitialized list"); \

54
libdislocator/libdislocator.so.c
View File

@ -56,7 +56,7 @@
\ \
srand(time(NULL)); \ srand(time(NULL)); \
u32 i; \ u32 i; \
u8* ptr = (u8*)p; \ u8 *ptr = (u8 *)p; \
for (i = 0; i < l; i++) \ for (i = 0; i < l; i++) \
ptr[i] = rand() % INT_MAX; \ ptr[i] = rand() % INT_MAX; \
\ \
@ -136,8 +136,8 @@ typedef struct {
#define TAIL_ALLOC_CANARY 0xAC #define TAIL_ALLOC_CANARY 0xAC
#define PTR_C(_p) (((u32*)(_p))[-1]) #define PTR_C(_p) (((u32 *)(_p))[-1])
#define PTR_L(_p) (((u32*)(_p))[-2]) #define PTR_L(_p) (((u32 *)(_p))[-2])
/* Configurable stuff (use AFL_LD_* to set): */ /* Configurable stuff (use AFL_LD_* to set): */
@ -161,9 +161,9 @@ static u32 alloc_canary;
so that it is right-aligned to that boundary. Since it always uses mmap(), so that it is right-aligned to that boundary. Since it always uses mmap(),
the returned memory will be zeroed. */ the returned memory will be zeroed. */
static void* __dislocator_alloc(size_t len) { static void *__dislocator_alloc(size_t len) {
u8* ret; u8 *ret;
size_t tlen; size_t tlen;
int flags, fd, sp; int flags, fd, sp;
@ -203,7 +203,7 @@ static void* __dislocator_alloc(size_t len) {
/* We will also store buffer length and a canary below the actual buffer, so /* We will also store buffer length and a canary below the actual buffer, so
let's add 8 bytes for that. */ let's add 8 bytes for that. */
ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); ret = (u8 *)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
#if defined(USEHUGEPAGE) #if defined(USEHUGEPAGE)
/* We try one more time with regular call */ /* We try one more time with regular call */
if (ret == MAP_FAILED) { if (ret == MAP_FAILED) {
@ -215,7 +215,7 @@ static void* __dislocator_alloc(size_t len) {
#elif defined(__FreeBSD__) #elif defined(__FreeBSD__)
flags &= -MAP_ALIGNED_SUPER; flags &= -MAP_ALIGNED_SUPER;
#endif #endif
ret = (u8*)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0); ret = (u8 *)mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
} }
@ -265,9 +265,9 @@ static void* __dislocator_alloc(size_t len) {
/* The "user-facing" wrapper for calloc(). This just checks for overflows and /* The "user-facing" wrapper for calloc(). This just checks for overflows and
displays debug messages if requested. */ displays debug messages if requested. */
void* calloc(size_t elem_len, size_t elem_cnt) { void *calloc(size_t elem_len, size_t elem_cnt) {
void* ret; void *ret;
size_t len = elem_len * elem_cnt; size_t len = elem_len * elem_cnt;
@ -304,9 +304,9 @@ void* calloc(size_t elem_len, size_t elem_cnt) {
memory (unlike calloc(), malloc() is not guaranteed to return zeroed memory (unlike calloc(), malloc() is not guaranteed to return zeroed
memory). */ memory). */
void* malloc(size_t len) { void *malloc(size_t len) {
void* ret; void *ret;
ret = __dislocator_alloc(len); ret = __dislocator_alloc(len);
@ -322,7 +322,7 @@ void* malloc(size_t len) {
If the region is already freed, the code will segfault during the attempt to If the region is already freed, the code will segfault during the attempt to
read the canary. Not very graceful, but works, right? */ read the canary. Not very graceful, but works, right? */
void free(void* ptr) { void free(void *ptr) {
u32 len; u32 len;
@ -338,7 +338,7 @@ void free(void* ptr) {
if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) { if (align_allocations && (len & (ALLOC_ALIGN_SIZE - 1))) {
u8* ptr_ = ptr; u8 *ptr_ = ptr;
size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE; size_t rlen = (len & ~(ALLOC_ALIGN_SIZE - 1)) + ALLOC_ALIGN_SIZE;
for (; len < rlen; ++len) for (; len < rlen; ++len)
if (ptr_[len] != TAIL_ALLOC_CANARY) if (ptr_[len] != TAIL_ALLOC_CANARY)
@ -361,9 +361,9 @@ void free(void* ptr) {
/* Realloc is pretty straightforward, too. We forcibly reallocate the buffer, /* Realloc is pretty straightforward, too. We forcibly reallocate the buffer,
move data, and then free (aka mprotect()) the original one. */ move data, and then free (aka mprotect()) the original one. */
void* realloc(void* ptr, size_t len) { void *realloc(void *ptr, size_t len) {
void* ret; void *ret;
ret = malloc(len); ret = malloc(len);
@ -387,10 +387,10 @@ void* realloc(void* ptr, size_t len) {
if the requested size fits within the alignment we do if the requested size fits within the alignment we do
a normal request */ a normal request */
int posix_memalign(void** ptr, size_t align, size_t len) { int posix_memalign(void **ptr, size_t align, size_t len) {
// if (*ptr == NULL) return EINVAL; // (andrea) Why? I comment it out for now // if (*ptr == NULL) return EINVAL; // (andrea) Why? I comment it out for now
if ((align % 2) || (align % sizeof(void*))) return EINVAL; if ((align % 2) || (align % sizeof(void *))) return EINVAL;
if (len == 0) { if (len == 0) {
*ptr = NULL; *ptr = NULL;
@ -413,9 +413,9 @@ int posix_memalign(void** ptr, size_t align, size_t len) {
/* just the non-posix fashion */ /* just the non-posix fashion */
void* memalign(size_t align, size_t len) { void *memalign(size_t align, size_t len) {
void* ret = NULL; void *ret = NULL;
if (posix_memalign(&ret, align, len)) { if (posix_memalign(&ret, align, len)) {
@ -429,9 +429,9 @@ void* memalign(size_t align, size_t len) {
/* sort of C11 alias of memalign only more severe, alignment-wise */ /* sort of C11 alias of memalign only more severe, alignment-wise */
void* aligned_alloc(size_t align, size_t len) { void *aligned_alloc(size_t align, size_t len) {
void* ret = NULL; void *ret = NULL;
if ((len % align)) return NULL; if ((len % align)) return NULL;
@ -447,11 +447,11 @@ void* aligned_alloc(size_t align, size_t len) {
/* specific BSD api mainly checking possible overflow for the size */ /* specific BSD api mainly checking possible overflow for the size */
void* reallocarray(void* ptr, size_t elem_len, size_t elem_cnt) { void *reallocarray(void *ptr, size_t elem_len, size_t elem_cnt) {
const size_t elem_lim = 1UL << (sizeof(size_t) * 4); const size_t elem_lim = 1UL << (sizeof(size_t) * 4);
const size_t elem_tot = elem_len * elem_cnt; const size_t elem_tot = elem_len * elem_cnt;
void* ret = NULL; void *ret = NULL;
if ((elem_len >= elem_lim || elem_cnt >= elem_lim) && elem_len > 0 && if ((elem_len >= elem_lim || elem_cnt >= elem_lim) && elem_len > 0 &&
elem_cnt > (SIZE_MAX / elem_len)) { elem_cnt > (SIZE_MAX / elem_len)) {
@ -470,19 +470,19 @@ void* reallocarray(void* ptr, size_t elem_len, size_t elem_cnt) {
__attribute__((constructor)) void __dislocator_init(void) { __attribute__((constructor)) void __dislocator_init(void) {
u8* tmp = (u8*)getenv("AFL_LD_LIMIT_MB"); u8 *tmp = (u8 *)getenv("AFL_LD_LIMIT_MB");
if (tmp) { if (tmp) {
u8* tok; u8 *tok;
s32 mmem = (s32)strtol((char*)tmp, (char**)&tok, 10); s32 mmem = (s32)strtol((char *)tmp, (char **)&tok, 10);
if (*tok != '\0' || errno == ERANGE) FATAL("Bad value for AFL_LD_LIMIT_MB"); if (*tok != '\0' || errno == ERANGE) FATAL("Bad value for AFL_LD_LIMIT_MB");
max_mem = mmem * 1024 * 1024; max_mem = mmem * 1024 * 1024;
} }
alloc_canary = ALLOC_CANARY; alloc_canary = ALLOC_CANARY;
tmp = (u8*)getenv("AFL_RANDOM_ALLOC_CANARY"); tmp = (u8 *)getenv("AFL_RANDOM_ALLOC_CANARY");
if (tmp) arc4random_buf(&alloc_canary, sizeof(alloc_canary)); if (tmp) arc4random_buf(&alloc_canary, sizeof(alloc_canary));

134
libtokencap/libtokencap.so.c
View File

@ -54,16 +54,16 @@
#ifdef RTLD_NEXT #ifdef RTLD_NEXT
/* The libc functions are a magnitude faster than our replacements. /* The libc functions are a magnitude faster than our replacements.
Use them when RTLD_NEXT is available. */ Use them when RTLD_NEXT is available. */
int (*__libc_strcmp)(const char* str1, const char* str2); int (*__libc_strcmp)(const char *str1, const char *str2);
int (*__libc_strncmp)(const char* str1, const char* str2, size_t len); int (*__libc_strncmp)(const char *str1, const char *str2, size_t len);
int (*__libc_strcasecmp)(const char* str1, const char* str2); int (*__libc_strcasecmp)(const char *str1, const char *str2);
int (*__libc_strncasecmp)(const char* str1, const char* str2, size_t len); int (*__libc_strncasecmp)(const char *str1, const char *str2, size_t len);
int (*__libc_memcmp)(const void* mem1, const void* mem2, size_t len); int (*__libc_memcmp)(const void *mem1, const void *mem2, size_t len);
int (*__libc_bcmp)(const void* mem1, const void* mem2, size_t len); int (*__libc_bcmp)(const void *mem1, const void *mem2, size_t len);
char* (*__libc_strstr)(const char* haystack, const char* needle); char *(*__libc_strstr)(const char *haystack, const char *needle);
char* (*__libc_strcasestr)(const char* haystack, const char* needle); char *(*__libc_strcasestr)(const char *haystack, const char *needle);
void* (*__libc_memmem)(const void* haystack, size_t haystack_len, void *(*__libc_memmem)(const void *haystack, size_t haystack_len,
const void* needle, size_t needle_len); const void *needle, size_t needle_len);
#endif #endif
/* Mapping data and such */ /* Mapping data and such */
@ -86,7 +86,7 @@ static void __tokencap_load_mappings(void) {
#if defined __linux__ #if defined __linux__
u8 buf[MAX_LINE]; u8 buf[MAX_LINE];
FILE* f = fopen("/proc/self/maps", "r"); FILE *f = fopen("/proc/self/maps", "r");
__tokencap_ro_loaded = 1; __tokencap_ro_loaded = 1;
@ -100,8 +100,8 @@ static void __tokencap_load_mappings(void) {
if (sscanf(buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue; if (sscanf(buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue;
if (wf == 'w' || rf != 'r') continue; if (wf == 'w' || rf != 'r') continue;
__tokencap_ro[__tokencap_ro_cnt].st = (void*)st; __tokencap_ro[__tokencap_ro_cnt].st = (void *)st;
__tokencap_ro[__tokencap_ro_cnt].en = (void*)en; __tokencap_ro[__tokencap_ro_cnt].en = (void *)en;
if (++__tokencap_ro_cnt == MAX_MAPPINGS) break; if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
@ -136,8 +136,8 @@ static void __tokencap_load_mappings(void) {
if ((region.protection & VM_PROT_READ) && if ((region.protection & VM_PROT_READ) &&
!(region.protection & VM_PROT_WRITE)) { !(region.protection & VM_PROT_WRITE)) {
__tokencap_ro[__tokencap_ro_cnt].st = (void*)base; __tokencap_ro[__tokencap_ro_cnt].st = (void *)base;
__tokencap_ro[__tokencap_ro_cnt].en = (void*)(base + size); __tokencap_ro[__tokencap_ro_cnt].en = (void *)(base + size);
if (++__tokencap_ro_cnt == MAX_MAPPINGS) break; if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
@ -160,7 +160,7 @@ static void __tokencap_load_mappings(void) {
int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid, int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid,
sizeof(struct kinfo_vmentry)}; sizeof(struct kinfo_vmentry)};
#endif #endif
char * buf, *low, *high; char *buf, *low, *high;
size_t miblen = sizeof(mib) / sizeof(mib[0]); size_t miblen = sizeof(mib) / sizeof(mib[0]);
size_t len; size_t len;
@ -189,7 +189,7 @@ static void __tokencap_load_mappings(void) {
while (low < high) { while (low < high) {
struct kinfo_vmentry* region = (struct kinfo_vmentry*)low; struct kinfo_vmentry *region = (struct kinfo_vmentry *)low;
#if defined __FreeBSD__ || defined __NetBSD__ #if defined __FreeBSD__ || defined __NetBSD__
@ -216,8 +216,8 @@ static void __tokencap_load_mappings(void) {
!(region->kve_protection & KVE_PROT_WRITE)) { !(region->kve_protection & KVE_PROT_WRITE)) {
#endif #endif
__tokencap_ro[__tokencap_ro_cnt].st = (void*)region->kve_start; __tokencap_ro[__tokencap_ro_cnt].st = (void *)region->kve_start;
__tokencap_ro[__tokencap_ro_cnt].en = (void*)region->kve_end; __tokencap_ro[__tokencap_ro_cnt].en = (void *)region->kve_end;
if (++__tokencap_ro_cnt == MAX_MAPPINGS) break; if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
@ -234,7 +234,7 @@ static void __tokencap_load_mappings(void) {
/* Check an address against the list of read-only mappings. */ /* Check an address against the list of read-only mappings. */
static u8 __tokencap_is_ro(const void* ptr) { static u8 __tokencap_is_ro(const void *ptr) {
u32 i; u32 i;
@ -250,7 +250,7 @@ static u8 __tokencap_is_ro(const void* ptr) {
/* Dump an interesting token to output file, quoting and escaping it /* Dump an interesting token to output file, quoting and escaping it
properly. */ properly. */
static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) { static void __tokencap_dump(const u8 *ptr, size_t len, u8 is_text) {
u8 buf[MAX_AUTO_EXTRA * 4 + 1]; u8 buf[MAX_AUTO_EXTRA * 4 + 1];
u32 i; u32 i;
@ -293,7 +293,7 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
#undef strcmp #undef strcmp
int strcmp(const char* str1, const char* str2) { int strcmp(const char *str1, const char *str2) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1); if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
@ -317,7 +317,7 @@ int strcmp(const char* str1, const char* str2) {
#undef strncmp #undef strncmp
int strncmp(const char* str1, const char* str2, size_t len) { int strncmp(const char *str1, const char *str2, size_t len) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1); if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
@ -343,7 +343,7 @@ int strncmp(const char* str1, const char* str2, size_t len) {
#undef strcasecmp #undef strcasecmp
int strcasecmp(const char* str1, const char* str2) { int strcasecmp(const char *str1, const char *str2) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1); if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
@ -367,7 +367,7 @@ int strcasecmp(const char* str1, const char* str2) {
#undef strncasecmp #undef strncasecmp
int strncasecmp(const char* str1, const char* str2, size_t len) { int strncasecmp(const char *str1, const char *str2, size_t len) {
if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1); if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1); if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
@ -393,7 +393,7 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
#undef memcmp #undef memcmp
int memcmp(const void* mem1, const void* mem2, size_t len) { int memcmp(const void *mem1, const void *mem2, size_t len) {
if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0); if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0); if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
@ -402,8 +402,8 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
if (__libc_memcmp) return __libc_memcmp(mem1, mem2, len); if (__libc_memcmp) return __libc_memcmp(mem1, mem2, len);
#endif #endif
const char* strmem1 = (const char*)mem1; const char *strmem1 = (const char *)mem1;
const char* strmem2 = (const char*)mem2; const char *strmem2 = (const char *)mem2;
while (len--) { while (len--) {
@ -420,7 +420,7 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
#undef bcmp #undef bcmp
int bcmp(const void* mem1, const void* mem2, size_t len) { int bcmp(const void *mem1, const void *mem2, size_t len) {
if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0); if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0); if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
@ -429,8 +429,8 @@ int bcmp(const void* mem1, const void* mem2, size_t len) {
if (__libc_bcmp) return __libc_bcmp(mem1, mem2, len); if (__libc_bcmp) return __libc_bcmp(mem1, mem2, len);
#endif #endif
const char* strmem1 = (const char*)mem1; const char *strmem1 = (const char *)mem1;
const char* strmem2 = (const char*)mem2; const char *strmem2 = (const char *)mem2;
while (len--) { while (len--) {
@ -447,7 +447,7 @@ int bcmp(const void* mem1, const void* mem2, size_t len) {
#undef strstr #undef strstr
char* strstr(const char* haystack, const char* needle) { char *strstr(const char *haystack, const char *needle) {
if (__tokencap_is_ro(haystack)) if (__tokencap_is_ro(haystack))
__tokencap_dump(haystack, strlen(haystack), 1); __tokencap_dump(haystack, strlen(haystack), 1);
@ -460,13 +460,13 @@ char* strstr(const char* haystack, const char* needle) {
do { do {
const char* n = needle; const char *n = needle;
const char* h = haystack; const char *h = haystack;
while (*n && *h && *n == *h) while (*n && *h && *n == *h)
n++, h++; n++, h++;
if (!*n) return (char*)haystack; if (!*n) return (char *)haystack;
} while (*(haystack++)); } while (*(haystack++));
@ -476,7 +476,7 @@ char* strstr(const char* haystack, const char* needle) {
#undef strcasestr #undef strcasestr
char* strcasestr(const char* haystack, const char* needle) { char *strcasestr(const char *haystack, const char *needle) {
if (__tokencap_is_ro(haystack)) if (__tokencap_is_ro(haystack))
__tokencap_dump(haystack, strlen(haystack), 1); __tokencap_dump(haystack, strlen(haystack), 1);
@ -489,13 +489,13 @@ char* strcasestr(const char* haystack, const char* needle) {
do { do {
const char* n = needle; const char *n = needle;
const char* h = haystack; const char *h = haystack;
while (*n && *h && tolower(*n) == tolower(*h)) while (*n && *h && tolower(*n) == tolower(*h))
n++, h++; n++, h++;
if (!*n) return (char*)haystack; if (!*n) return (char *)haystack;
} while (*(haystack++)); } while (*(haystack++));
@ -505,7 +505,7 @@ char* strcasestr(const char* haystack, const char* needle) {
#undef memmem #undef memmem
void* memmem(const void* haystack, size_t haystack_len, const void* needle, void *memmem(const void *haystack, size_t haystack_len, const void *needle,
size_t needle_len) { size_t needle_len) {
if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1); if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1);
@ -517,19 +517,19 @@ void* memmem(const void* haystack, size_t haystack_len, const void* needle,
return __libc_memmem(haystack, haystack_len, needle, needle_len); return __libc_memmem(haystack, haystack_len, needle, needle_len);
#endif #endif
const char* n = (const char*)needle; const char *n = (const char *)needle;
const char* h = (const char*)haystack; const char *h = (const char *)haystack;
if (haystack_len < needle_len) return 0; if (haystack_len < needle_len) return 0;
if (needle_len == 0) return (void*)haystack; if (needle_len == 0) return (void *)haystack;
if (needle_len == 1) return memchr(haystack, *n, haystack_len); if (needle_len == 1) return memchr(haystack, *n, haystack_len);
const char* end = h + (haystack_len - needle_len); const char *end = h + (haystack_len - needle_len);
do { do {
if (*h == *n) { if (*h == *n) {
if (memcmp(h, n, needle_len) == 0) return (void*)h; if (memcmp(h, n, needle_len) == 0) return (void *)h;
} }
@ -544,31 +544,31 @@ void* memmem(const void* haystack, size_t haystack_len, const void* needle,
/* /*
* Apache's httpd wrappers * Apache's httpd wrappers
*/ */
int ap_cstr_casecmp(const char* s1, const char* s2) { int ap_cstr_casecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2); return strcasecmp(s1, s2);
} }
int ap_cstr_casecmpn(const char* s1, const char* s2, size_t n) { int ap_cstr_casecmpn(const char *s1, const char *s2, size_t n) {
return strncasecmp(s1, s2, n); return strncasecmp(s1, s2, n);
} }
const char* ap_strcasestr(const char* s1, const char* s2) { const char *ap_strcasestr(const char *s1, const char *s2) {
return strcasestr(s1, s2); return strcasestr(s1, s2);
} }
int apr_cstr_casecmp(const char* s1, const char* s2) { int apr_cstr_casecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2); return strcasecmp(s1, s2);
} }
int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) { int apr_cstr_casecmpn(const char *s1, const char *s2, size_t n) {
return strncasecmp(s1, s2, n); return strncasecmp(s1, s2, n);
@ -577,31 +577,31 @@ int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
/* /*
* *SSL wrappers * *SSL wrappers
*/ */
int CRYPTO_memcmp(const void* m1, const void* m2, size_t len) { int CRYPTO_memcmp(const void *m1, const void *m2, size_t len) {
return memcmp(m1, m2, len); return memcmp(m1, m2, len);
} }
int OPENSSL_memcmp(const void* m1, const void* m2, size_t len) { int OPENSSL_memcmp(const void *m1, const void *m2, size_t len) {
return memcmp(m1, m2, len); return memcmp(m1, m2, len);
} }
int OPENSSL_strcasecmp(const char* s1, const char* s2) { int OPENSSL_strcasecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2); return strcasecmp(s1, s2);
} }
int OPENSSL_strncasecmp(const char* s1, const char* s2, size_t len) { int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t len) {
return strncasecmp(s1, s2, len); return strncasecmp(s1, s2, len);
} }
int32_t memcmpct(const void* s1, const void* s2, size_t len) { int32_t memcmpct(const void *s1, const void *s2, size_t len) {
return memcmp(s1, s2, len); return memcmp(s1, s2, len);
@ -610,7 +610,7 @@ int32_t memcmpct(const void* s1, const void* s2, size_t len) {
/* /*
* libXML wrappers * libXML wrappers
*/ */
int xmlStrncmp(const char* s1, const char* s2, int len) { int xmlStrncmp(const char *s1, const char *s2, int len) {
if (len <= 0) { return 0; } if (len <= 0) { return 0; }
if (s1 == s2) { return 0; } if (s1 == s2) { return 0; }
@ -620,7 +620,7 @@ int xmlStrncmp(const char* s1, const char* s2, int len) {
} }
int xmlStrcmp(const char* s1, const char* s2) { int xmlStrcmp(const char *s1, const char *s2) {
if (s1 == s2) { return 0; } if (s1 == s2) { return 0; }
if (s1 == NULL) { return -1; } if (s1 == NULL) { return -1; }
@ -629,7 +629,7 @@ int xmlStrcmp(const char* s1, const char* s2) {
} }
int xmlStrEqual(const char* s1, const char* s2) { int xmlStrEqual(const char *s1, const char *s2) {
if (s1 == s2) { return 1; } if (s1 == s2) { return 1; }
if (s1 == NULL) { return 0; } if (s1 == NULL) { return 0; }
@ -639,7 +639,7 @@ int xmlStrEqual(const char* s1, const char* s2) {
} }
int xmlStrcasecmp(const char* s1, const char* s2) { int xmlStrcasecmp(const char *s1, const char *s2) {
if (s1 == s2) { return 0; } if (s1 == s2) { return 0; }
if (s1 == NULL) { return -1; } if (s1 == NULL) { return -1; }
@ -648,7 +648,7 @@ int xmlStrcasecmp(const char* s1, const char* s2) {
} }
int xmlStrncasecmp(const char* s1, const char* s2, int len) { int xmlStrncasecmp(const char *s1, const char *s2, int len) {
if (len <= 0) { return 0; } if (len <= 0) { return 0; }
if (s1 == s2) { return 0; } if (s1 == s2) { return 0; }
@ -658,7 +658,7 @@ int xmlStrncasecmp(const char* s1, const char* s2, int len) {
} }
const char* xmlStrstr(const char* haystack, const char* needle) { const char *xmlStrstr(const char *haystack, const char *needle) {
if (haystack == NULL) { return NULL; } if (haystack == NULL) { return NULL; }
if (needle == NULL) { return NULL; } if (needle == NULL) { return NULL; }
@ -666,7 +666,7 @@ const char* xmlStrstr(const char* haystack, const char* needle) {
} }
const char* xmlStrcasestr(const char* haystack, const char* needle) { const char *xmlStrcasestr(const char *haystack, const char *needle) {
if (haystack == NULL) { return NULL; } if (haystack == NULL) { return NULL; }
if (needle == NULL) { return NULL; } if (needle == NULL) { return NULL; }
@ -677,13 +677,13 @@ const char* xmlStrcasestr(const char* haystack, const char* needle) {
/* /*
* Samba wrappers * Samba wrappers
*/ */
int memcmp_const_time(const void* s1, const void* s2, size_t n) { int memcmp_const_time(const void *s1, const void *s2, size_t n) {
return memcmp(s1, s2, n); return memcmp(s1, s2, n);
} }
bool strcsequal(const void* s1, const void* s2) { bool strcsequal(const void *s1, const void *s2) {
if (s1 == s2) { return true; } if (s1 == s2) { return true; }
if (!s1 || !s2) { return false; } if (!s1 || !s2) { return false; }
@ -693,13 +693,13 @@ bool strcsequal(const void* s1, const void* s2) {
/* bcmp/memcmp BSD flavors, similar to CRYPTO_memcmp */ /* bcmp/memcmp BSD flavors, similar to CRYPTO_memcmp */
int timingsafe_bcmp(const void* mem1, const void* mem2, size_t len) { int timingsafe_bcmp(const void *mem1, const void *mem2, size_t len) {
return bcmp(mem1, mem2, len); return bcmp(mem1, mem2, len);
} }
int timingsafe_memcmp(const void* mem1, const void* mem2, size_t len) { int timingsafe_memcmp(const void *mem1, const void *mem2, size_t len) {
return memcmp(mem1, mem2, len); return memcmp(mem1, mem2, len);
@ -709,7 +709,7 @@ int timingsafe_memcmp(const void* mem1, const void* mem2, size_t len) {
__attribute__((constructor)) void __tokencap_init(void) { __attribute__((constructor)) void __tokencap_init(void) {
u8* fn = getenv("AFL_TOKEN_FILE"); u8 *fn = getenv("AFL_TOKEN_FILE");
if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0655); if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0655);
if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO; if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO;
__tokencap_pid = getpid(); __tokencap_pid = getpid();

42
llvm_mode/afl-clang-fast.c
View File

@ -37,20 +37,20 @@
#include <limits.h> #include <limits.h>
#include <assert.h> #include <assert.h>
static u8* obj_path; /* Path to runtime libraries */ static u8 *obj_path; /* Path to runtime libraries */
static u8** cc_params; /* Parameters passed to the real CC */ static u8 **cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 llvm_fullpath[PATH_MAX]; static u8 llvm_fullpath[PATH_MAX];
static u8 lto_mode; static u8 lto_mode;
static u8* lto_flag = AFL_CLANG_FLTO; static u8 *lto_flag = AFL_CLANG_FLTO;
static u8* march_opt = CFLAGS_OPT; static u8 *march_opt = CFLAGS_OPT;
static u8 debug; static u8 debug;
static u8 cwd[4096]; static u8 cwd[4096];
static u8 cmplog_mode; static u8 cmplog_mode;
u8 use_stdin = 0; /* dummy */ u8 use_stdin = 0; /* dummy */
u8 be_quiet = 0; u8 be_quiet = 0;
u8* getthecwd() { u8 *getthecwd() {
static u8 fail[] = ""; static u8 fail[] = "";
if (getcwd(cwd, sizeof(cwd)) == NULL) return fail; if (getcwd(cwd, sizeof(cwd)) == NULL) return fail;
@ -60,9 +60,9 @@ u8* getthecwd() {
/* Try to find the runtime libraries. If that fails, abort. */ /* Try to find the runtime libraries. If that fails, abort. */
static void find_obj(u8* argv0) { static void find_obj(u8 *argv0) {
u8* afl_path = getenv("AFL_PATH"); u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp; u8 *slash, *tmp;
if (afl_path) { if (afl_path) {
@ -89,7 +89,7 @@ static void find_obj(u8* argv0) {
if (slash) { if (slash) {
u8* dir; u8 *dir;
*slash = 0; *slash = 0;
dir = ck_strdup(argv0); dir = ck_strdup(argv0);
@ -135,13 +135,13 @@ static void find_obj(u8* argv0) {
/* Copy argv to cc_params, making the necessary edits. */ /* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) { static void edit_params(u32 argc, char **argv) {
u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0; u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0;
u8 has_llvm_config = 0; u8 has_llvm_config = 0;
u8* name; u8 *name;
cc_params = ck_alloc((argc + 128) * sizeof(u8*)); cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
name = strrchr(argv[0], '/'); name = strrchr(argv[0], '/');
if (!name) if (!name)
@ -168,21 +168,21 @@ static void edit_params(u32 argc, char** argv) {
if (!strcmp(name, "afl-clang-fast++") || !strcmp(name, "afl-clang-lto++")) { if (!strcmp(name, "afl-clang-fast++") || !strcmp(name, "afl-clang-lto++")) {
u8* alt_cxx = getenv("AFL_CXX"); u8 *alt_cxx = getenv("AFL_CXX");
if (has_llvm_config) if (has_llvm_config)
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR); snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR);
else else
sprintf(llvm_fullpath, "clang++"); sprintf(llvm_fullpath, "clang++");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)llvm_fullpath; cc_params[0] = alt_cxx ? alt_cxx : (u8 *)llvm_fullpath;
} else { } else {
u8* alt_cc = getenv("AFL_CC"); u8 *alt_cc = getenv("AFL_CC");
if (has_llvm_config) if (has_llvm_config)
snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR); snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR);
else else
sprintf(llvm_fullpath, "clang"); sprintf(llvm_fullpath, "clang");
cc_params[0] = alt_cc ? alt_cc : (u8*)llvm_fullpath; cc_params[0] = alt_cc ? alt_cc : (u8 *)llvm_fullpath;
} }
@ -267,8 +267,8 @@ static void edit_params(u32 argc, char** argv) {
if (lto_mode) { if (lto_mode) {
char* old_path = getenv("PATH"); char *old_path = getenv("PATH");
char* new_path = alloc_printf("%s:%s", AFL_PATH, old_path); char *new_path = alloc_printf("%s:%s", AFL_PATH, old_path);
setenv("PATH", new_path, 1); setenv("PATH", new_path, 1);
setenv("AFL_LD", "1", 1); setenv("AFL_LD", "1", 1);
@ -322,7 +322,7 @@ static void edit_params(u32 argc, char** argv) {
while (--argc) { while (--argc) {
u8* cur = *(++argv); u8 *cur = *(++argv);
if (!strcmp(cur, "-m32")) bit_mode = 32; if (!strcmp(cur, "-m32")) bit_mode = 32;
if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32; if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
@ -521,10 +521,10 @@ static void edit_params(u32 argc, char** argv) {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv, char** envp) { int main(int argc, char **argv, char **envp) {
int i; int i;
char* callname = "afl-clang-fast"; char *callname = "afl-clang-fast";
if (getenv("AFL_DEBUG")) { if (getenv("AFL_DEBUG")) {
@ -671,7 +671,7 @@ int main(int argc, char** argv, char** envp) {
} }
execvp(cc_params[0], (char**)cc_params); execvp(cc_params[0], (char **)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);

68
llvm_mode/afl-ld.c
View File

@ -51,17 +51,17 @@ static u8 **ld_params, /* Parameters passed to the real 'ld' */
**opt_params, /* Parameters passed to 'opt' opt */ **opt_params, /* Parameters passed to 'opt' opt */
**inst_params; /* Parameters passed to 'opt' inst */ **inst_params; /* Parameters passed to 'opt' inst */
static u8* input_file; /* Originally specified input file */ static u8 *input_file; /* Originally specified input file */
static u8 *final_file, /* Instrumented file for the real 'ld' */ static u8 *final_file, /* Instrumented file for the real 'ld' */
*linked_file, /* file where we link all files */ *linked_file, /* file where we link all files */
*modified_file; /* file that was optimized before instr */ *modified_file; /* file that was optimized before instr */
static u8* afl_path = AFL_PATH; static u8 *afl_path = AFL_PATH;
static u8* real_ld = AFL_REAL_LD; static u8 *real_ld = AFL_REAL_LD;
static u8 cwd[4096]; static u8 cwd[4096];
static u8* tmp_dir; static u8 *tmp_dir;
static u8* ar_dir; static u8 *ar_dir;
static u8 ar_dir_cnt; static u8 ar_dir_cnt;
static u8* libdirs[254]; static u8 *libdirs[254];
static u8 libdir_cnt; static u8 libdir_cnt;
static u8 be_quiet, /* Quiet mode (no stderr output) */ static u8 be_quiet, /* Quiet mode (no stderr output) */
@ -76,10 +76,10 @@ static u32 ld_param_cnt = 1, /* Number of params to 'ld' */
inst_param_cnt = 1; /* Number of params to 'opt' instr */ inst_param_cnt = 1; /* Number of params to 'opt' instr */
/* This function wipes a directory - our AR unpack directory in this case */ /* This function wipes a directory - our AR unpack directory in this case */
static u8 wipe_directory(u8* path) { static u8 wipe_directory(u8 *path) {
DIR* d; DIR *d;
struct dirent* d_ent; struct dirent *d_ent;
d = opendir(path); d = opendir(path);
@ -89,7 +89,7 @@ static u8 wipe_directory(u8* path) {
if (strcmp(d_ent->d_name, ".") != 0 && strcmp(d_ent->d_name, "..") != 0) { if (strcmp(d_ent->d_name, ".") != 0 && strcmp(d_ent->d_name, "..") != 0) {
u8* fname = alloc_printf("%s/%s", path, d_ent->d_name); u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name);
if (unlink(fname)) PFATAL("Unable to delete '%s'", fname); if (unlink(fname)) PFATAL("Unable to delete '%s'", fname);
ck_free(fname); ck_free(fname);
@ -142,7 +142,7 @@ static void at_exit_handler(void) {
/* This function checks if the parameter is a) an existing file and b) /* This function checks if the parameter is a) an existing file and b)
if it is a BC or LL file, if both are true it returns 1 and 0 otherwise */ if it is a BC or LL file, if both are true it returns 1 and 0 otherwise */
int is_llvm_file(const char* file) { int is_llvm_file(const char *file) {
int fd; int fd;
u8 buf[5]; u8 buf[5];
@ -169,7 +169,7 @@ int is_llvm_file(const char* file) {
} }
/* Return the current working directory, not thread safe ;-) */ /* Return the current working directory, not thread safe ;-) */
u8* getthecwd() { u8 *getthecwd() {
static u8 fail[] = ""; static u8 fail[] = "";
if (getcwd(cwd, sizeof(cwd)) == NULL) return fail; if (getcwd(cwd, sizeof(cwd)) == NULL) return fail;
@ -178,7 +178,7 @@ u8* getthecwd() {
} }
/* Check if an ar extracted file is already in the parameter list */ /* Check if an ar extracted file is already in the parameter list */
int is_duplicate(u8** params, u32 ld_param_cnt, u8* ar_file) { int is_duplicate(u8 **params, u32 ld_param_cnt, u8 *ar_file) {
for (uint32_t i = 0; i < ld_param_cnt; i++) for (uint32_t i = 0; i < ld_param_cnt; i++)
if (params[i] != NULL) if (params[i] != NULL)
@ -191,7 +191,7 @@ int is_duplicate(u8** params, u32 ld_param_cnt, u8* ar_file) {
/* Examine and modify parameters to pass to 'ld', 'llvm-link' and 'llmv-ar'. /* Examine and modify parameters to pass to 'ld', 'llvm-link' and 'llmv-ar'.
Note that the file name is always the last parameter passed by GCC, Note that the file name is always the last parameter passed by GCC,
so we exploit this property to keep the code "simple". */ so we exploit this property to keep the code "simple". */
static void edit_params(int argc, char** argv) { static void edit_params(int argc, char **argv) {
u32 i, have_lto = 0, libdir_index; u32 i, have_lto = 0, libdir_index;
u8 libdir_file[4096]; u8 libdir_file[4096];
@ -212,12 +212,12 @@ static void edit_params(int argc, char** argv) {
final_file = final_file =
alloc_printf("%s/.afl-%u-%u-3.bc", tmp_dir, getpid(), (u32)time(NULL)); alloc_printf("%s/.afl-%u-%u-3.bc", tmp_dir, getpid(), (u32)time(NULL));
ld_params = ck_alloc(4096 * sizeof(u8*)); ld_params = ck_alloc(4096 * sizeof(u8 *));
link_params = ck_alloc(4096 * sizeof(u8*)); link_params = ck_alloc(4096 * sizeof(u8 *));
inst_params = ck_alloc(12 * sizeof(u8*)); inst_params = ck_alloc(12 * sizeof(u8 *));
opt_params = ck_alloc(12 * sizeof(u8*)); opt_params = ck_alloc(12 * sizeof(u8 *));
ld_params[0] = (u8*)real_ld; ld_params[0] = (u8 *)real_ld;
ld_params[ld_param_cnt++] = "--allow-multiple-definition"; ld_params[ld_param_cnt++] = "--allow-multiple-definition";
link_params[0] = alloc_printf("%s/%s", LLVM_BINDIR, "llvm-link"); link_params[0] = alloc_printf("%s/%s", LLVM_BINDIR, "llvm-link");
@ -328,13 +328,13 @@ static void edit_params(int argc, char** argv) {
// where the same "foo.o" was in both .a archives. llvm-link does not // where the same "foo.o" was in both .a archives. llvm-link does not
// like this so we have to work around that ... // like this so we have to work around that ...
u8 this_wd[4096], *this_ar; u8 this_wd[4096], *this_ar;
u8 ar_params_cnt = 4; u8 ar_params_cnt = 4;
u8* ar_params[ar_params_cnt]; u8 *ar_params[ar_params_cnt];
u8* file = argv[i]; u8 *file = argv[i];
s32 pid, status; s32 pid, status;
DIR* arx; DIR *arx;
struct dirent* dir_ent; struct dirent *dir_ent;
if (libdir_index < libdir_cnt) file = libdir_file; if (libdir_index < libdir_cnt) file = libdir_file;
@ -373,7 +373,7 @@ static void edit_params(int argc, char** argv) {
if (!(pid = fork())) { if (!(pid = fork())) {
execvp(ar_params[0], (char**)ar_params); execvp(ar_params[0], (char **)ar_params);
FATAL("Oops, failed to execute '%s'", ar_params[0]); FATAL("Oops, failed to execute '%s'", ar_params[0]);
} }
@ -389,7 +389,7 @@ static void edit_params(int argc, char** argv) {
while ((dir_ent = readdir(arx)) != NULL) { while ((dir_ent = readdir(arx)) != NULL) {
u8* ar_file = alloc_printf("%s/%s", ar_dir, dir_ent->d_name); u8 *ar_file = alloc_printf("%s/%s", ar_dir, dir_ent->d_name);
if (dir_ent->d_name[strlen(dir_ent->d_name) - 1] == 'o' && if (dir_ent->d_name[strlen(dir_ent->d_name) - 1] == 'o' &&
dir_ent->d_name[strlen(dir_ent->d_name) - 2] == '.') { dir_ent->d_name[strlen(dir_ent->d_name) - 2] == '.') {
@ -535,7 +535,7 @@ void clean_path() {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv) { int main(int argc, char **argv) {
s32 pid, i; s32 pid, i;
int status; int status;
@ -665,7 +665,7 @@ int main(int argc, char** argv) {
if (!(pid = fork())) { if (!(pid = fork())) {
execvp(link_params[0], (char**)link_params); execvp(link_params[0], (char **)link_params);
FATAL("Oops, failed to execute '%s'", link_params[0]); FATAL("Oops, failed to execute '%s'", link_params[0]);
} }
@ -707,7 +707,7 @@ int main(int argc, char** argv) {
if (!(pid = fork())) { if (!(pid = fork())) {
execvp(opt_params[0], (char**)opt_params); execvp(opt_params[0], (char **)opt_params);
FATAL("Oops, failed to execute '%s'", opt_params[0]); FATAL("Oops, failed to execute '%s'", opt_params[0]);
} }
@ -730,7 +730,7 @@ int main(int argc, char** argv) {
if (!(pid = fork())) { if (!(pid = fork())) {
execvp(inst_params[0], (char**)inst_params); execvp(inst_params[0], (char **)inst_params);
FATAL("Oops, failed to execute '%s'", inst_params[0]); FATAL("Oops, failed to execute '%s'", inst_params[0]);
} }
@ -761,8 +761,8 @@ int main(int argc, char** argv) {
unsetenv("AFL_LD"); unsetenv("AFL_LD");
if (strlen(real_ld) > 1) execvp(real_ld, (char**)ld_params); if (strlen(real_ld) > 1) execvp(real_ld, (char **)ld_params);
execvp("ld", (char**)ld_params); // fallback execvp("ld", (char **)ld_params); // fallback
FATAL("Oops, failed to execute 'ld' - check your PATH"); FATAL("Oops, failed to execute 'ld' - check your PATH");
} }

42
llvm_mode/afl-llvm-rt.o.c
View File

@ -59,7 +59,7 @@
run. It will end up as .comm, so it shouldn't be too wasteful. */ run. It will end up as .comm, so it shouldn't be too wasteful. */
u8 __afl_area_initial[MAP_SIZE]; u8 __afl_area_initial[MAP_SIZE];
u8* __afl_area_ptr = __afl_area_initial; u8 *__afl_area_ptr = __afl_area_initial;
#ifdef __ANDROID__ #ifdef __ANDROID__
u32 __afl_prev_loc; u32 __afl_prev_loc;
@ -69,7 +69,7 @@ __thread u32 __afl_prev_loc;
__thread u32 __afl_final_loc; __thread u32 __afl_final_loc;
#endif #endif
struct cmp_map* __afl_cmp_map; struct cmp_map *__afl_cmp_map;
__thread u32 __afl_cmp_counter; __thread u32 __afl_cmp_counter;
/* Running in persistent mode? */ /* Running in persistent mode? */
@ -80,7 +80,7 @@ static u8 is_persistent;
static void __afl_map_shm(void) { static void __afl_map_shm(void) {
u8* id_str = getenv(SHM_ENV_VAR); u8 *id_str = getenv(SHM_ENV_VAR);
/* If we're running under AFL, attach to the appropriate region, replacing the /* If we're running under AFL, attach to the appropriate region, replacing the
early-stage __afl_area_initial region that is needed to allow some really early-stage __afl_area_initial region that is needed to allow some really
@ -89,9 +89,9 @@ static void __afl_map_shm(void) {
if (id_str) { if (id_str) {
#ifdef USEMMAP #ifdef USEMMAP
const char* shm_file_path = id_str; const char *shm_file_path = id_str;
int shm_fd = -1; int shm_fd = -1;
unsigned char* shm_base = NULL; unsigned char *shm_base = NULL;
/* create the shared memory segment as if it was a file */ /* create the shared memory segment as if it was a file */
shm_fd = shm_open(shm_file_path, O_RDWR, 0600); shm_fd = shm_open(shm_file_path, O_RDWR, 0600);
@ -123,7 +123,7 @@ static void __afl_map_shm(void) {
/* Whooooops. */ /* Whooooops. */
if (__afl_area_ptr == (void*)-1) _exit(1); if (__afl_area_ptr == (void *)-1) _exit(1);
/* Write something into the bitmap so that even with low AFL_INST_RATIO, /* Write something into the bitmap so that even with low AFL_INST_RATIO,
our parent doesn't give up on us. */ our parent doesn't give up on us. */
@ -137,9 +137,9 @@ static void __afl_map_shm(void) {
if (id_str) { if (id_str) {
#ifdef USEMMAP #ifdef USEMMAP
const char* shm_file_path = id_str; const char *shm_file_path = id_str;
int shm_fd = -1; int shm_fd = -1;
unsigned char* shm_base = NULL; unsigned char *shm_base = NULL;
/* create the shared memory segment as if it was a file */ /* create the shared memory segment as if it was a file */
shm_fd = shm_open(shm_file_path, O_RDWR, 0600); shm_fd = shm_open(shm_file_path, O_RDWR, 0600);
@ -170,7 +170,7 @@ static void __afl_map_shm(void) {
__afl_cmp_map = shmat(shm_id, NULL, 0); __afl_cmp_map = shmat(shm_id, NULL, 0);
#endif #endif
if (__afl_cmp_map == (void*)-1) _exit(1); if (__afl_cmp_map == (void *)-1) _exit(1);
} }
@ -354,7 +354,7 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
The first function (__sanitizer_cov_trace_pc_guard) is called back on every The first function (__sanitizer_cov_trace_pc_guard) is called back on every
edge (as opposed to every basic block). */ edge (as opposed to every basic block). */
void __sanitizer_cov_trace_pc_guard(uint32_t* guard) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
__afl_area_ptr[*guard]++; __afl_area_ptr[*guard]++;
@ -364,10 +364,10 @@ void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
ID of 0 as a special value to indicate non-instrumented bits. That may ID of 0 as a special value to indicate non-instrumented bits. That may
still touch the bitmap, but in a fairly harmless way. */ still touch the bitmap, but in a fairly harmless way. */
void __sanitizer_cov_trace_pc_guard_init(uint32_t* start, uint32_t* stop) { void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
u32 inst_ratio = 100; u32 inst_ratio = 100;
u8* x; u8 *x;
if (start == stop || *start) return; if (start == stop || *start) return;
@ -504,7 +504,7 @@ void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2)
__attribute__((alias("__cmplog_ins_hook8"))); __attribute__((alias("__cmplog_ins_hook8")));
#endif /* defined(__APPLE__) */ #endif /* defined(__APPLE__) */
void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t* Cases) { void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
for (uint64_t i = 0; i < Cases[0]; i++) { for (uint64_t i = 0; i < Cases[0]; i++) {
@ -530,10 +530,10 @@ void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t* Cases) {
// POSIX shenanigan to see if an area is mapped. // POSIX shenanigan to see if an area is mapped.
// If it is mapped as X-only, we have a problem, so maybe we should add a check // If it is mapped as X-only, we have a problem, so maybe we should add a check
// to avoid to call it on .text addresses // to avoid to call it on .text addresses
static int area_is_mapped(void* ptr, size_t len) { static int area_is_mapped(void *ptr, size_t len) {
char* p = ptr; char *p = ptr;
char* page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1)); char *page = (char *)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1));
int r = msync(page, (p - page) + len, MS_ASYNC); int r = msync(page, (p - page) + len, MS_ASYNC);
if (r < 0) return errno != ENOMEM; if (r < 0) return errno != ENOMEM;
@ -541,7 +541,7 @@ static int area_is_mapped(void* ptr, size_t len) {
} }
void __cmplog_rtn_hook(void* ptr1, void* ptr2) { void __cmplog_rtn_hook(void *ptr1, void *ptr2) {
if (!__afl_cmp_map) return; if (!__afl_cmp_map) return;
@ -559,9 +559,9 @@ void __cmplog_rtn_hook(void* ptr1, void* ptr2) {
__afl_cmp_map->headers[k].shape = 31; __afl_cmp_map->headers[k].shape = 31;
hits &= CMP_MAP_RTN_H - 1; hits &= CMP_MAP_RTN_H - 1;
__builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0, __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0,
ptr1, 32); ptr1, 32);
__builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1, __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1,
ptr2, 32); ptr2, 32);
} }

92
qemu_mode/libcompcov/libcompcov.so.c
View File

@ -45,15 +45,15 @@
static void *__compcov_code_start, *__compcov_code_end; static void *__compcov_code_start, *__compcov_code_end;
static u8* __compcov_afl_map; static u8 *__compcov_afl_map;
static u32 __compcov_level; static u32 __compcov_level;
static int (*__libc_strcmp)(const char*, const char*); static int (*__libc_strcmp)(const char *, const char *);
static int (*__libc_strncmp)(const char*, const char*, size_t); static int (*__libc_strncmp)(const char *, const char *, size_t);
static int (*__libc_strcasecmp)(const char*, const char*); static int (*__libc_strcasecmp)(const char *, const char *);
static int (*__libc_strncasecmp)(const char*, const char*, size_t); static int (*__libc_strncasecmp)(const char *, const char *, size_t);
static int (*__libc_memcmp)(const void*, const void*, size_t); static int (*__libc_memcmp)(const void *, const void *, size_t);
static int debug_fd = -1; static int debug_fd = -1;
@ -65,7 +65,7 @@ static u32 __compcov_ro_cnt;
/* Check an address against the list of read-only mappings. */ /* Check an address against the list of read-only mappings. */
static u8 __compcov_is_ro(const void* ptr) { static u8 __compcov_is_ro(const void *ptr) {
u32 i; u32 i;
@ -76,7 +76,7 @@ static u8 __compcov_is_ro(const void* ptr) {
} }
static size_t __strlen2(const char* s1, const char* s2, size_t max_length) { static size_t __strlen2(const char *s1, const char *s2, size_t max_length) {
// from https://github.com/googleprojectzero/CompareCoverage // from https://github.com/googleprojectzero/CompareCoverage
@ -103,7 +103,7 @@ static void __compcov_load(void) {
} }
char* id_str = getenv(SHM_ENV_VAR); char *id_str = getenv(SHM_ENV_VAR);
int shm_id; int shm_id;
if (id_str) { if (id_str) {
@ -111,7 +111,7 @@ static void __compcov_load(void) {
shm_id = atoi(id_str); shm_id = atoi(id_str);
__compcov_afl_map = shmat(shm_id, NULL, 0); __compcov_afl_map = shmat(shm_id, NULL, 0);
if (__compcov_afl_map == (void*)-1) exit(1); if (__compcov_afl_map == (void *)-1) exit(1);
} else { } else {
@ -121,16 +121,16 @@ static void __compcov_load(void) {
if (getenv("AFL_INST_LIBS")) { if (getenv("AFL_INST_LIBS")) {
__compcov_code_start = (void*)0; __compcov_code_start = (void *)0;
__compcov_code_end = (void*)-1; __compcov_code_end = (void *)-1;
return; return;
} }
char* bin_name = getenv("AFL_COMPCOV_BINNAME"); char *bin_name = getenv("AFL_COMPCOV_BINNAME");
procmaps_iterator* maps = pmparser_parse(-1); procmaps_iterator *maps = pmparser_parse(-1);
procmaps_struct* maps_tmp = NULL; procmaps_struct *maps_tmp = NULL;
while ((maps_tmp = pmparser_next(maps)) != NULL) { while ((maps_tmp = pmparser_next(maps)) != NULL) {
@ -159,7 +159,7 @@ static void __compcov_load(void) {
} }
static void __compcov_trace(u64 cur_loc, const u8* v0, const u8* v1, size_t n) { static void __compcov_trace(u64 cur_loc, const u8 *v0, const u8 *v1, size_t n) {
size_t i; size_t i;
@ -167,8 +167,8 @@ static void __compcov_trace(u64 cur_loc, const u8* v0, const u8* v1, size_t n) {
char debugbuf[4096]; char debugbuf[4096];
snprintf(debugbuf, sizeof(debugbuf), "0x%llx %s %s %lu\n", cur_loc, snprintf(debugbuf, sizeof(debugbuf), "0x%llx %s %s %lu\n", cur_loc,
v0 == NULL ? "(null)" : (char*)v0, v0 == NULL ? "(null)" : (char *)v0,
v1 == NULL ? "(null)" : (char*)v1, n); v1 == NULL ? "(null)" : (char *)v1, n);
write(debug_fd, debugbuf, strlen(debugbuf)); write(debug_fd, debugbuf, strlen(debugbuf));
} }
@ -183,7 +183,7 @@ static void __compcov_trace(u64 cur_loc, const u8* v0, const u8* v1, size_t n) {
/* Check an address against the list of read-only mappings. */ /* Check an address against the list of read-only mappings. */
static u8 __compcov_is_in_bound(const void* ptr) { static u8 __compcov_is_in_bound(const void *ptr) {
return ptr >= __compcov_code_start && ptr < __compcov_code_end; return ptr >= __compcov_code_start && ptr < __compcov_code_end;
@ -194,9 +194,9 @@ static u8 __compcov_is_in_bound(const void* ptr) {
#undef strcmp #undef strcmp
int strcmp(const char* str1, const char* str2) { int strcmp(const char *str1, const char *str2) {
void* retaddr = __builtin_return_address(0); void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) && if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(str1) && !(__compcov_level < 2 && !__compcov_is_ro(str1) &&
@ -222,9 +222,9 @@ int strcmp(const char* str1, const char* str2) {
#undef strncmp #undef strncmp
int strncmp(const char* str1, const char* str2, size_t len) { int strncmp(const char *str1, const char *str2, size_t len) {
void* retaddr = __builtin_return_address(0); void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) && if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(str1) && !(__compcov_level < 2 && !__compcov_is_ro(str1) &&
@ -251,9 +251,9 @@ int strncmp(const char* str1, const char* str2, size_t len) {
#undef strcasecmp #undef strcasecmp
int strcasecmp(const char* str1, const char* str2) { int strcasecmp(const char *str1, const char *str2) {
void* retaddr = __builtin_return_address(0); void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) && if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(str1) && !(__compcov_level < 2 && !__compcov_is_ro(str1) &&
@ -281,9 +281,9 @@ int strcasecmp(const char* str1, const char* str2) {
#undef strncasecmp #undef strncasecmp
int strncasecmp(const char* str1, const char* str2, size_t len) { int strncasecmp(const char *str1, const char *str2, size_t len) {
void* retaddr = __builtin_return_address(0); void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) && if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(str1) && !(__compcov_level < 2 && !__compcov_is_ro(str1) &&
@ -312,9 +312,9 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
#undef memcmp #undef memcmp
int memcmp(const void* mem1, const void* mem2, size_t len) { int memcmp(const void *mem1, const void *mem2, size_t len) {
void* retaddr = __builtin_return_address(0); void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) && if (__compcov_is_in_bound(retaddr) &&
!(__compcov_level < 2 && !__compcov_is_ro(mem1) && !(__compcov_level < 2 && !__compcov_is_ro(mem1) &&
@ -345,25 +345,25 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
/* /*
* Apache's httpd wrappers * Apache's httpd wrappers
*/ */
int ap_cstr_casecmp(const char* s1, const char* s2) { int ap_cstr_casecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2); return strcasecmp(s1, s2);
} }
int ap_cstr_casecmpn(const char* s1, const char* s2, size_t n) { int ap_cstr_casecmpn(const char *s1, const char *s2, size_t n) {
return strncasecmp(s1, s2, n); return strncasecmp(s1, s2, n);
} }
int apr_cstr_casecmp(const char* s1, const char* s2) { int apr_cstr_casecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2); return strcasecmp(s1, s2);
} }
int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) { int apr_cstr_casecmpn(const char *s1, const char *s2, size_t n) {
return strncasecmp(s1, s2, n); return strncasecmp(s1, s2, n);
@ -372,31 +372,31 @@ int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
/* /*
* *SSL wrappers * *SSL wrappers
*/ */
int CRYPTO_memcmp(const void* m1, const void* m2, size_t len) { int CRYPTO_memcmp(const void *m1, const void *m2, size_t len) {
return memcmp(m1, m2, len); return memcmp(m1, m2, len);
} }
int OPENSSL_memcmp(const void* m1, const void* m2, size_t len) { int OPENSSL_memcmp(const void *m1, const void *m2, size_t len) {
return memcmp(m1, m2, len); return memcmp(m1, m2, len);
} }
int OPENSSL_strcasecmp(const char* s1, const char* s2) { int OPENSSL_strcasecmp(const char *s1, const char *s2) {
return strcasecmp(s1, s2); return strcasecmp(s1, s2);
} }
int OPENSSL_strncasecmp(const char* s1, const char* s2, size_t len) { int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t len) {
return strncasecmp(s1, s2, len); return strncasecmp(s1, s2, len);
} }
int32_t memcmpct(const void* s1, const void* s2, size_t len) { int32_t memcmpct(const void *s1, const void *s2, size_t len) {
return memcmp(s1, s2, len); return memcmp(s1, s2, len);
@ -405,7 +405,7 @@ int32_t memcmpct(const void* s1, const void* s2, size_t len) {
/* /*
* libXML wrappers * libXML wrappers
*/ */
int xmlStrncmp(const char* s1, const char* s2, int len) { int xmlStrncmp(const char *s1, const char *s2, int len) {
if (len <= 0) { return 0; } if (len <= 0) { return 0; }
if (s1 == s2) { return 0; } if (s1 == s2) { return 0; }
@ -415,7 +415,7 @@ int xmlStrncmp(const char* s1, const char* s2, int len) {
} }
int xmlStrcmp(const char* s1, const char* s2) { int xmlStrcmp(const char *s1, const char *s2) {
if (s1 == s2) { return 0; } if (s1 == s2) { return 0; }
if (s1 == NULL) { return -1; } if (s1 == NULL) { return -1; }
@ -424,7 +424,7 @@ int xmlStrcmp(const char* s1, const char* s2) {
} }
int xmlStrEqual(const char* s1, const char* s2) { int xmlStrEqual(const char *s1, const char *s2) {
if (s1 == s2) { return 1; } if (s1 == s2) { return 1; }
if (s1 == NULL) { return 0; } if (s1 == NULL) { return 0; }
@ -434,7 +434,7 @@ int xmlStrEqual(const char* s1, const char* s2) {
} }
int xmlStrcasecmp(const char* s1, const char* s2) { int xmlStrcasecmp(const char *s1, const char *s2) {
if (s1 == s2) { return 0; } if (s1 == s2) { return 0; }
if (s1 == NULL) { return -1; } if (s1 == NULL) { return -1; }
@ -443,7 +443,7 @@ int xmlStrcasecmp(const char* s1, const char* s2) {
} }
int xmlStrncasecmp(const char* s1, const char* s2, int len) { int xmlStrncasecmp(const char *s1, const char *s2, int len) {
if (len <= 0) { return 0; } if (len <= 0) { return 0; }
if (s1 == s2) { return 0; } if (s1 == s2) { return 0; }
@ -453,7 +453,7 @@ int xmlStrncasecmp(const char* s1, const char* s2, int len) {
} }
const char* xmlStrcasestr(const char* haystack, const char* needle) { const char *xmlStrcasestr(const char *haystack, const char *needle) {
if (haystack == NULL) { return NULL; } if (haystack == NULL) { return NULL; }
if (needle == NULL) { return NULL; } if (needle == NULL) { return NULL; }
@ -464,13 +464,13 @@ const char* xmlStrcasestr(const char* haystack, const char* needle) {
/* /*
* Samba wrappers * Samba wrappers
*/ */
int memcmp_const_time(const void* s1, const void* s2, size_t n) { int memcmp_const_time(const void *s1, const void *s2, size_t n) {
return memcmp(s1, s2, n); return memcmp(s1, s2, n);
} }
bool strcsequal(const void* s1, const void* s2) { bool strcsequal(const void *s1, const void *s2) {
if (s1 == s2) { return true; } if (s1 == s2) { return true; }
if (!s1 || !s2) { return false; } if (!s1 || !s2) { return false; }

60
qemu_mode/libcompcov/pmparser.h
View File

@ -32,8 +32,8 @@ implied warranty.
*/ */
typedef struct procmaps_struct { typedef struct procmaps_struct {
void* addr_start; //< start address of the area void *addr_start; //< start address of the area
void* addr_end; //< end address void *addr_end; //< end address
unsigned long length; //< size of the range unsigned long length; //< size of the range
char perm[5]; //< permissions rwxp char perm[5]; //< permissions rwxp
@ -48,7 +48,7 @@ typedef struct procmaps_struct {
char pathname[600]; //< the path of the file that backs the area char pathname[600]; //< the path of the file that backs the area
// chained list // chained list
struct procmaps_struct* next; //<handler of the chinaed list struct procmaps_struct *next; //<handler of the chinaed list
} procmaps_struct; } procmaps_struct;
@ -58,8 +58,8 @@ typedef struct procmaps_struct {
*/ */
typedef struct procmaps_iterator { typedef struct procmaps_iterator {
procmaps_struct* head; procmaps_struct *head;
procmaps_struct* current; procmaps_struct *current;
} procmaps_iterator; } procmaps_iterator;
@ -69,7 +69,7 @@ typedef struct procmaps_iterator {
* if pid<0 * if pid<0
* @return an iterator over all the nodes * @return an iterator over all the nodes
*/ */
procmaps_iterator* pmparser_parse(int pid); procmaps_iterator *pmparser_parse(int pid);
/** /**
* pmparser_next * pmparser_next
@ -77,28 +77,28 @@ procmaps_iterator* pmparser_parse(int pid);
* @param p_procmaps_it the iterator to move on step in the chained list * @param p_procmaps_it the iterator to move on step in the chained list
* @return a procmaps structure filled with information about this VM area * @return a procmaps structure filled with information about this VM area
*/ */
procmaps_struct* pmparser_next(procmaps_iterator* p_procmaps_it); procmaps_struct *pmparser_next(procmaps_iterator *p_procmaps_it);
/** /**
* pmparser_free * pmparser_free
* @description should be called at the end to free the resources * @description should be called at the end to free the resources
* @param p_procmaps_it the iterator structure returned by pmparser_parse * @param p_procmaps_it the iterator structure returned by pmparser_parse
*/ */
void pmparser_free(procmaps_iterator* p_procmaps_it); void pmparser_free(procmaps_iterator *p_procmaps_it);
/** /**
* _pmparser_split_line * _pmparser_split_line
* @description internal usage * @description internal usage
*/ */
void _pmparser_split_line(char* buf, char* addr1, char* addr2, char* perm, void _pmparser_split_line(char *buf, char *addr1, char *addr2, char *perm,
char* offset, char* device, char* inode, char *offset, char *device, char *inode,
char* pathname); char *pathname);
/** /**
* pmparser_print * pmparser_print
* @param map the head of the list * @param map the head of the list
* @order the order of the area to print, -1 to print everything * @order the order of the area to print, -1 to print everything
*/ */
void pmparser_print(procmaps_struct* map, int order); void pmparser_print(procmaps_struct *map, int order);
/** /**
* gobal variables * gobal variables
@ -106,9 +106,9 @@ void pmparser_print(procmaps_struct* map, int order);
// procmaps_struct* g_last_head=NULL; // procmaps_struct* g_last_head=NULL;
// procmaps_struct* g_current=NULL; // procmaps_struct* g_current=NULL;
procmaps_iterator* pmparser_parse(int pid) { procmaps_iterator *pmparser_parse(int pid) {
procmaps_iterator* maps_it = malloc(sizeof(procmaps_iterator)); procmaps_iterator *maps_it = malloc(sizeof(procmaps_iterator));
char maps_path[500]; char maps_path[500];
if (pid >= 0) { if (pid >= 0) {
@ -120,7 +120,7 @@ procmaps_iterator* pmparser_parse(int pid) {
} }
FILE* file = fopen(maps_path, "r"); FILE *file = fopen(maps_path, "r");
if (!file) { if (!file) {
fprintf(stderr, "pmparser : cannot open the memory maps, %s\n", fprintf(stderr, "pmparser : cannot open the memory maps, %s\n",
@ -132,24 +132,24 @@ procmaps_iterator* pmparser_parse(int pid) {
int ind = 0; int ind = 0;
char buf[PROCMAPS_LINE_MAX_LENGTH]; char buf[PROCMAPS_LINE_MAX_LENGTH];
// int c; // int c;
procmaps_struct* list_maps = NULL; procmaps_struct *list_maps = NULL;
procmaps_struct* tmp; procmaps_struct *tmp;
procmaps_struct* current_node = list_maps; procmaps_struct *current_node = list_maps;
char addr1[20], addr2[20], perm[8], offset[20], dev[10], inode[30], char addr1[20], addr2[20], perm[8], offset[20], dev[10], inode[30],
pathname[PATH_MAX]; pathname[PATH_MAX];
while (!feof(file)) { while (!feof(file)) {
fgets(buf, PROCMAPS_LINE_MAX_LENGTH, file); fgets(buf, PROCMAPS_LINE_MAX_LENGTH, file);
// allocate a node // allocate a node
tmp = (procmaps_struct*)malloc(sizeof(procmaps_struct)); tmp = (procmaps_struct *)malloc(sizeof(procmaps_struct));
// fill the node // fill the node
_pmparser_split_line(buf, addr1, addr2, perm, offset, dev, inode, pathname); _pmparser_split_line(buf, addr1, addr2, perm, offset, dev, inode, pathname);
// printf("#%s",buf); // printf("#%s",buf);
// printf("%s-%s %s %s %s // printf("%s-%s %s %s %s
// %s\t%s\n",addr1,addr2,perm,offset,dev,inode,pathname); addr_start & // %s\t%s\n",addr1,addr2,perm,offset,dev,inode,pathname); addr_start &
// addr_end unsigned long l_addr_start; // addr_end unsigned long l_addr_start;
sscanf(addr1, "%lx", (long unsigned*)&tmp->addr_start); sscanf(addr1, "%lx", (long unsigned *)&tmp->addr_start);
sscanf(addr2, "%lx", (long unsigned*)&tmp->addr_end); sscanf(addr2, "%lx", (long unsigned *)&tmp->addr_end);
// size // size
tmp->length = (unsigned long)(tmp->addr_end - tmp->addr_start); tmp->length = (unsigned long)(tmp->addr_end - tmp->addr_start);
// perm // perm
@ -194,10 +194,10 @@ procmaps_iterator* pmparser_parse(int pid) {
} }
procmaps_struct* pmparser_next(procmaps_iterator* p_procmaps_it) { procmaps_struct *pmparser_next(procmaps_iterator *p_procmaps_it) {
if (p_procmaps_it->current == NULL) return NULL; if (p_procmaps_it->current == NULL) return NULL;
procmaps_struct* p_current = p_procmaps_it->current; procmaps_struct *p_current = p_procmaps_it->current;
p_procmaps_it->current = p_procmaps_it->current->next; p_procmaps_it->current = p_procmaps_it->current->next;
return p_current; return p_current;
/* /*
@ -214,12 +214,12 @@ procmaps_struct* pmparser_next(procmaps_iterator* p_procmaps_it) {
} }
void pmparser_free(procmaps_iterator* p_procmaps_it) { void pmparser_free(procmaps_iterator *p_procmaps_it) {
procmaps_struct* maps_list = p_procmaps_it->head; procmaps_struct *maps_list = p_procmaps_it->head;
if (maps_list == NULL) return; if (maps_list == NULL) return;
procmaps_struct* act = maps_list; procmaps_struct *act = maps_list;
procmaps_struct* nxt = act->next; procmaps_struct *nxt = act->next;
while (act != NULL) { while (act != NULL) {
free(act); free(act);
@ -230,9 +230,9 @@ void pmparser_free(procmaps_iterator* p_procmaps_it) {
} }
void _pmparser_split_line(char* buf, char* addr1, char* addr2, char* perm, void _pmparser_split_line(char *buf, char *addr1, char *addr2, char *perm,
char* offset, char* device, char* inode, char *offset, char *device, char *inode,
char* pathname) { char *pathname) {
// //
int orig = 0; int orig = 0;

8
qemu_mode/patches/afl-qemu-floats.h
View File

@ -64,14 +64,14 @@ union afl_float64 {
// TODO figure out why float*_unpack_canonical does not work // TODO figure out why float*_unpack_canonical does not work
void afl_float_compcov_log_32(target_ulong cur_loc, float32 arg1, float32 arg2, void afl_float_compcov_log_32(target_ulong cur_loc, float32 arg1, float32 arg2,
void* status) { void *status) {
cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
cur_loc &= MAP_SIZE - 7; cur_loc &= MAP_SIZE - 7;
if (cur_loc >= afl_inst_rms) return; if (cur_loc >= afl_inst_rms) return;
// float_status* s = (float_status*)status; // float_status*s = (float_status*)status;
// FloatParts a = float32_unpack_canonical(arg1, s); // FloatParts a = float32_unpack_canonical(arg1, s);
// FloatParts b = float32_unpack_canonical(arg2, s); // FloatParts b = float32_unpack_canonical(arg2, s);
union afl_float32 a = {.f = arg1}; union afl_float32 a = {.f = arg1};
@ -96,14 +96,14 @@ void afl_float_compcov_log_32(target_ulong cur_loc, float32 arg1, float32 arg2,
} }
void afl_float_compcov_log_64(target_ulong cur_loc, float64 arg1, float64 arg2, void afl_float_compcov_log_64(target_ulong cur_loc, float64 arg1, float64 arg2,
void* status) { void *status) {
cur_loc = (cur_loc >> 4) ^ (cur_loc << 8); cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
cur_loc &= MAP_SIZE - 7; cur_loc &= MAP_SIZE - 7;
if (cur_loc >= afl_inst_rms) return; if (cur_loc >= afl_inst_rms) return;
// float_status* s = (float_status*)status; // float_status*s = (float_status*)status;
// FloatParts a = float64_unpack_canonical(arg1, s); // FloatParts a = float64_unpack_canonical(arg1, s);
// FloatParts b = float64_unpack_canonical(arg2, s); // FloatParts b = float64_unpack_canonical(arg2, s);
union afl_float64 a = {.f = arg1}; union afl_float64 a = {.f = arg1};

28
qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
View File

@ -34,7 +34,7 @@
#include "afl-qemu-common.h" #include "afl-qemu-common.h"
#include "tcg.h" #include "tcg.h"
void HELPER(afl_entry_routine)(CPUArchState* env) { void HELPER(afl_entry_routine)(CPUArchState *env) {
afl_forkserver(ENV_GET_CPU(env)); afl_forkserver(ENV_GET_CPU(env));
@ -160,10 +160,10 @@ void HELPER(afl_cmplog_64)(target_ulong cur_loc, target_ulong arg1,
#include <sys/mman.h> #include <sys/mman.h>
static int area_is_mapped(void* ptr, size_t len) { static int area_is_mapped(void *ptr, size_t len) {
char* p = ptr; char *p = ptr;
char* page = (char*)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1)); char *page = (char *)((uintptr_t)p & ~(sysconf(_SC_PAGE_SIZE) - 1));
int r = msync(page, (p - page) + len, MS_ASYNC); int r = msync(page, (p - page) + len, MS_ASYNC);
if (r < 0) return errno != ENOMEM; if (r < 0) return errno != ENOMEM;
@ -171,28 +171,28 @@ static int area_is_mapped(void* ptr, size_t len) {
} }
void HELPER(afl_cmplog_rtn)(CPUX86State* env) { void HELPER(afl_cmplog_rtn)(CPUX86State *env) {
#if defined(TARGET_X86_64) #if defined(TARGET_X86_64)
void* ptr1 = g2h(env->regs[R_EDI]); void *ptr1 = g2h(env->regs[R_EDI]);
void* ptr2 = g2h(env->regs[R_ESI]); void *ptr2 = g2h(env->regs[R_ESI]);
#elif defined(TARGET_I386) #elif defined(TARGET_I386)
target_ulong* stack = g2h(env->regs[R_ESP]); target_ulong *stack = g2h(env->regs[R_ESP]);
if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return; if (!area_is_mapped(stack, sizeof(target_ulong) * 2)) return;
// when this hook is executed, the retaddr is not on stack yet // when this hook is executed, the retaddr is not on stack yet
void* ptr1 = g2h(stack[0]); void *ptr1 = g2h(stack[0]);
void* ptr2 = g2h(stack[1]); void *ptr2 = g2h(stack[1]);
#else #else
// dumb code to make it compile // dumb code to make it compile
void* ptr1 = NULL; void *ptr1 = NULL;
void* ptr2 = NULL; void *ptr2 = NULL;
return; return;
#endif #endif
@ -211,9 +211,9 @@ void HELPER(afl_cmplog_rtn)(CPUX86State* env) {
__afl_cmp_map->headers[k].shape = 31; __afl_cmp_map->headers[k].shape = 31;
hits &= CMP_MAP_RTN_H - 1; hits &= CMP_MAP_RTN_H - 1;
__builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v0, __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v0,
ptr1, 32); ptr1, 32);
__builtin_memcpy(((struct cmpfn_operands*)__afl_cmp_map->log[k])[hits].v1, __builtin_memcpy(((struct cmpfn_operands *)__afl_cmp_map->log[k])[hits].v1,
ptr2, 32); ptr2, 32);
} }

50
src/afl-analyze.c
View File

@ -57,13 +57,13 @@
static s32 child_pid; /* PID of the tested program */ static s32 child_pid; /* PID of the tested program */
u8* trace_bits; /* SHM with instrumentation bitmap */ u8 *trace_bits; /* SHM with instrumentation bitmap */
static u8 *in_file, /* Analyzer input test case */ static u8 *in_file, /* Analyzer input test case */
*prog_in, /* Targeted program input file */ *prog_in, /* Targeted program input file */
*doc_path; /* Path to docs */ *doc_path; /* Path to docs */
static u8* in_data; /* Input data for analysis */ static u8 *in_data; /* Input data for analysis */
static u32 in_len, /* Input data length */ static u32 in_len, /* Input data length */
orig_cksum, /* Original checksum */ orig_cksum, /* Original checksum */
@ -84,7 +84,7 @@ static volatile u8 stop_soon, /* Ctrl-C pressed? */
static u8 qemu_mode; static u8 qemu_mode;
static u8* target_path; static u8 *target_path;
/* Constants used for describing byte behavior. */ /* Constants used for describing byte behavior. */
@ -114,7 +114,7 @@ static u8 count_class_lookup[256] = {
}; };
static void classify_counts(u8* mem) { static void classify_counts(u8 *mem) {
u32 i = MAP_SIZE; u32 i = MAP_SIZE;
@ -144,7 +144,7 @@ static void classify_counts(u8* mem) {
static inline u8 anything_set(void) { static inline u8 anything_set(void) {
u32* ptr = (u32*)trace_bits; u32 *ptr = (u32 *)trace_bits;
u32 i = (MAP_SIZE >> 2); u32 i = (MAP_SIZE >> 2);
while (i--) while (i--)
@ -189,7 +189,7 @@ static void read_initial_file(void) {
/* Write output file. */ /* Write output file. */
static s32 write_to_file(u8* path, u8* mem, u32 len) { static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
s32 ret; s32 ret;
@ -219,7 +219,7 @@ static void handle_timeout(int sig) {
/* Execute target application. Returns exec checksum, or 0 if program /* Execute target application. Returns exec checksum, or 0 if program
times out. */ times out. */
static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) { static u32 run_target(char **argv, u8 *mem, u32 len, u8 first_run) {
static struct itimerval it; static struct itimerval it;
int status = 0; int status = 0;
@ -243,7 +243,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
if (dup2(use_stdin ? prog_in_fd : dev_null_fd, 0) < 0 || if (dup2(use_stdin ? prog_in_fd : dev_null_fd, 0) < 0 ||
dup2(dev_null_fd, 1) < 0 || dup2(dev_null_fd, 2) < 0) { dup2(dev_null_fd, 1) < 0 || dup2(dev_null_fd, 2) < 0) {
*(u32*)trace_bits = EXEC_FAIL_SIG; *(u32 *)trace_bits = EXEC_FAIL_SIG;
PFATAL("dup2() failed"); PFATAL("dup2() failed");
} }
@ -272,7 +272,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
execv(target_path, argv); execv(target_path, argv);
*(u32*)trace_bits = EXEC_FAIL_SIG; *(u32 *)trace_bits = EXEC_FAIL_SIG;
exit(0); exit(0);
} }
@ -299,7 +299,7 @@ static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) {
/* Clean up bitmap, analyze exit condition, etc. */ /* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)trace_bits == EXEC_FAIL_SIG) if (*(u32 *)trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]); FATAL("Unable to execute '%s'", argv[0]);
classify_counts(trace_bits); classify_counts(trace_bits);
@ -378,7 +378,7 @@ static void show_legend(void) {
/* Interpret and report a pattern in the input file. */ /* Interpret and report a pattern in the input file. */
static void dump_hex(u8* buf, u32 len, u8* b_data) { static void dump_hex(u8 *buf, u32 len, u8 *b_data) {
u32 i; u32 i;
@ -409,7 +409,7 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) {
case 2: { case 2: {
u16 val = *(u16*)(in_data + i); u16 val = *(u16 *)(in_data + i);
/* Small integers may be length fields. */ /* Small integers may be length fields. */
@ -435,7 +435,7 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) {
case 4: { case 4: {
u32 val = *(u32*)(in_data + i); u32 val = *(u32 *)(in_data + i);
/* Small integers may be length fields. */ /* Small integers may be length fields. */
@ -544,12 +544,12 @@ static void dump_hex(u8* buf, u32 len, u8* b_data) {
/* Actually analyze! */ /* Actually analyze! */
static void analyze(char** argv) { static void analyze(char **argv) {
u32 i; u32 i;
u32 boring_len = 0, prev_xff = 0, prev_x01 = 0, prev_s10 = 0, prev_a10 = 0; u32 boring_len = 0, prev_xff = 0, prev_x01 = 0, prev_s10 = 0, prev_a10 = 0;
u8* b_data = ck_alloc(in_len + 1); u8 *b_data = ck_alloc(in_len + 1);
u8 seq_byte = 0; u8 seq_byte = 0;
b_data[in_len] = 0xff; /* Intentional terminator. */ b_data[in_len] = 0xff; /* Intentional terminator. */
@ -651,14 +651,14 @@ static void handle_stop_sig(int sig) {
static void set_up_environment(void) { static void set_up_environment(void) {
u8* x; u8 *x;
dev_null_fd = open("/dev/null", O_RDWR); dev_null_fd = open("/dev/null", O_RDWR);
if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); if (dev_null_fd < 0) PFATAL("Unable to open /dev/null");
if (!prog_in) { if (!prog_in) {
u8* use_dir = "."; u8 *use_dir = ".";
if (access(use_dir, R_OK | W_OK | X_OK)) { if (access(use_dir, R_OK | W_OK | X_OK)) {
@ -715,9 +715,9 @@ static void set_up_environment(void) {
if (qemu_mode) { if (qemu_mode) {
u8* qemu_preload = getenv("QEMU_SET_ENV"); u8 *qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD"); u8 *afl_preload = getenv("AFL_PRELOAD");
u8* buf; u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload); s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) { for (i = 0; i < afl_preload_size; ++i) {
@ -779,7 +779,7 @@ static void setup_signal_handlers(void) {
/* Display usage hints. */ /* Display usage hints. */
static void usage(u8* argv0) { static void usage(u8 *argv0) {
SAYF( SAYF(
"\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n"
@ -822,9 +822,9 @@ static void usage(u8* argv0) {
/* Find binary. */ /* Find binary. */
static void find_binary(u8* fname) { static void find_binary(u8 *fname) {
u8* env_path = 0; u8 *env_path = 0;
struct stat st; struct stat st;
if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
@ -877,11 +877,11 @@ static void find_binary(u8* fname) {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv, char** envp) { int main(int argc, char **argv, char **envp) {
s32 opt; s32 opt;
u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
char** use_argv; char **use_argv;
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;

24
src/afl-as.c
View File

@ -53,10 +53,10 @@
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/time.h> #include <sys/time.h>
static u8** as_params; /* Parameters passed to the real 'as' */ static u8 **as_params; /* Parameters passed to the real 'as' */
static u8* input_file; /* Originally specified input file */ static u8 *input_file; /* Originally specified input file */
static u8* modified_file; /* Instrumented file for the real 'as' */ static u8 *modified_file; /* Instrumented file for the real 'as' */
static u8 be_quiet, /* Quiet mode (no stderr output) */ static u8 be_quiet, /* Quiet mode (no stderr output) */
clang_mode, /* Running in clang mode? */ clang_mode, /* Running in clang mode? */
@ -89,7 +89,7 @@ static u8 use_64bit = 0;
is always the last parameter passed by GCC, so we exploit this property is always the last parameter passed by GCC, so we exploit this property
to keep the code simple. */ to keep the code simple. */
static void edit_params(int argc, char** argv) { static void edit_params(int argc, char **argv) {
u8 *tmp_dir = getenv("TMPDIR"), *afl_as = getenv("AFL_AS"); u8 *tmp_dir = getenv("TMPDIR"), *afl_as = getenv("AFL_AS");
u32 i; u32 i;
@ -130,9 +130,9 @@ static void edit_params(int argc, char** argv) {
if (!tmp_dir) tmp_dir = getenv("TMP"); if (!tmp_dir) tmp_dir = getenv("TMP");
if (!tmp_dir) tmp_dir = "/tmp"; if (!tmp_dir) tmp_dir = "/tmp";
as_params = ck_alloc((argc + 32) * sizeof(u8*)); as_params = ck_alloc((argc + 32) * sizeof(u8 *));
as_params[0] = afl_as ? afl_as : (u8*)"as"; as_params[0] = afl_as ? afl_as : (u8 *)"as";
as_params[argc] = 0; as_params[argc] = 0;
@ -234,8 +234,8 @@ static void add_instrumentation(void) {
static u8 line[MAX_LINE]; static u8 line[MAX_LINE];
FILE* inf; FILE *inf;
FILE* outf; FILE *outf;
s32 outfd; s32 outfd;
u32 ins_lines = 0; u32 ins_lines = 0;
@ -244,7 +244,7 @@ static void add_instrumentation(void) {
#ifdef __APPLE__ #ifdef __APPLE__
u8* colon_pos; u8 *colon_pos;
#endif /* __APPLE__ */ #endif /* __APPLE__ */
@ -498,12 +498,12 @@ static void add_instrumentation(void) {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv) { int main(int argc, char **argv) {
s32 pid; s32 pid;
u32 rand_seed; u32 rand_seed;
int status; int status;
u8* inst_ratio_str = getenv("AFL_INST_RATIO"); u8 *inst_ratio_str = getenv("AFL_INST_RATIO");
struct timeval tv; struct timeval tv;
struct timezone tz; struct timezone tz;
@ -590,7 +590,7 @@ int main(int argc, char** argv) {
if (!(pid = fork())) { if (!(pid = fork())) {
execvp(as_params[0], (char**)as_params); execvp(as_params[0], (char **)as_params);
FATAL("Oops, failed to execute '%s' - check your PATH", as_params[0]); FATAL("Oops, failed to execute '%s' - check your PATH", as_params[0]);
} }

44
src/afl-common.c
View File

@ -38,16 +38,16 @@
extern u8 be_quiet; extern u8 be_quiet;
void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) { void detect_file_args(char **argv, u8 *prog_in, u8 *use_stdin) {
u32 i = 0; u32 i = 0;
#ifdef __GLIBC__ #ifdef __GLIBC__
u8* cwd = getcwd(NULL, 0); /* non portable glibc extension */ u8 *cwd = getcwd(NULL, 0); /* non portable glibc extension */
#else #else
u8* cwd; u8 *cwd;
char* buf; char *buf;
long size = pathconf(".", _PC_PATH_MAX); long size = pathconf(".", _PC_PATH_MAX);
if ((buf = (char*)malloc((size_t)size)) != NULL) { if ((buf = (char *)malloc((size_t)size)) != NULL) {
cwd = getcwd(buf, (size_t)size); /* portable version */ cwd = getcwd(buf, (size_t)size); /* portable version */
ck_free(buf); ck_free(buf);
@ -67,7 +67,7 @@ void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) {
while (argv[i]) { while (argv[i]) {
u8* aa_loc = strstr(argv[i], "@@"); u8 *aa_loc = strstr(argv[i], "@@");
if (aa_loc) { if (aa_loc) {
@ -111,11 +111,11 @@ void detect_file_args(char** argv, u8* prog_in, u8* use_stdin) {
/* duplicate the system argv so that /* duplicate the system argv so that
we can edit (and free!) it later */ we can edit (and free!) it later */
char** argv_cpy_dup(int argc, char** argv) { char **argv_cpy_dup(int argc, char **argv) {
u32 i = 0; u32 i = 0;
char** ret = ck_alloc((argc + 1) * sizeof(char*)); char **ret = ck_alloc((argc + 1) * sizeof(char *));
for (i = 0; i < argc; i++) { for (i = 0; i < argc; i++) {
@ -132,7 +132,7 @@ char** argv_cpy_dup(int argc, char** argv) {
/* frees all args in the given argv, /* frees all args in the given argv,
previously created by argv_cpy_dup */ previously created by argv_cpy_dup */
void argv_cpy_free(char** argv) { void argv_cpy_free(char **argv) {
u32 i = 0; u32 i = 0;
while (argv[i]) { while (argv[i]) {
@ -148,12 +148,12 @@ void argv_cpy_free(char** argv) {
/* Rewrite argv for QEMU. */ /* Rewrite argv for QEMU. */
char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) { char **get_qemu_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); char **new_argv = ck_alloc(sizeof(char *) * (argc + 4));
u8 * tmp, *cp = NULL, *rsl, *own_copy; u8 *tmp, *cp = NULL, *rsl, *own_copy;
memcpy(new_argv + 3, argv + 1, (int)(sizeof(char*)) * argc); memcpy(new_argv + 3, argv + 1, (int)(sizeof(char *)) * argc);
new_argv[2] = *target_path_p; new_argv[2] = *target_path_p;
new_argv[1] = "--"; new_argv[1] = "--";
@ -226,12 +226,12 @@ char** get_qemu_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) {
/* Rewrite argv for Wine+QEMU. */ /* Rewrite argv for Wine+QEMU. */
char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) { char **get_wine_argv(u8 *own_loc, u8 **target_path_p, int argc, char **argv) {
char** new_argv = ck_alloc(sizeof(char*) * (argc + 3)); char **new_argv = ck_alloc(sizeof(char *) * (argc + 3));
u8 * tmp, *cp = NULL, *rsl, *own_copy; u8 *tmp, *cp = NULL, *rsl, *own_copy;
memcpy(new_argv + 2, argv + 1, (int)(sizeof(char*)) * argc); memcpy(new_argv + 2, argv + 1, (int)(sizeof(char *)) * argc);
new_argv[1] = *target_path_p; new_argv[1] = *target_path_p;
@ -285,7 +285,7 @@ char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) {
ck_free(own_copy); ck_free(own_copy);
u8* ncp = BIN_PATH "/afl-qemu-trace"; u8 *ncp = BIN_PATH "/afl-qemu-trace";
if (!access(ncp, X_OK)) { if (!access(ncp, X_OK)) {
@ -322,10 +322,10 @@ char** get_wine_argv(u8* own_loc, u8** target_path_p, int argc, char** argv) {
} }
void check_environment_vars(char** envp) { void check_environment_vars(char **envp) {
int index = 0, found = 0; int index = 0, found = 0;
char* env; char *env;
while ((env = envp[index++]) != NULL) { while ((env = envp[index++]) != NULL) {
if (strncmp(env, "ALF_", 4) == 0) { if (strncmp(env, "ALF_", 4) == 0) {
@ -358,9 +358,9 @@ void check_environment_vars(char** envp) {
} }
char* get_afl_env(char* env) { char *get_afl_env(char *env) {
char* val; char *val;
if ((val = getenv(env)) != NULL) if ((val = getenv(env)) != NULL)
if (!be_quiet) if (!be_quiet)

1
src/afl-forkserver.c
View File

@ -331,6 +331,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv) {
rlen = read(fsrv->fsrv_st_fd, &status, 4); rlen = read(fsrv->fsrv_st_fd, &status, 4);
} }
} else { } else {
rlen = read(fsrv->fsrv_st_fd, &status, 4); rlen = read(fsrv->fsrv_st_fd, &status, 4);

76
src/afl-fuzz-bitmap.c
View File

@ -29,9 +29,9 @@
-B option, to focus a separate fuzzing session on a particular -B option, to focus a separate fuzzing session on a particular
interesting input without rediscovering all the others. */ interesting input without rediscovering all the others. */
void write_bitmap(afl_state_t* afl) { void write_bitmap(afl_state_t *afl) {
u8* fname; u8 *fname;
s32 fd; s32 fd;
if (!afl->bitmap_changed) return; if (!afl->bitmap_changed) return;
@ -51,7 +51,7 @@ void write_bitmap(afl_state_t* afl) {
/* Read bitmap from file. This is for the -B option again. */ /* Read bitmap from file. This is for the -B option again. */
void read_bitmap(afl_state_t* afl, u8* fname) { void read_bitmap(afl_state_t *afl, u8 *fname) {
s32 fd = open(fname, O_RDONLY); s32 fd = open(fname, O_RDONLY);
@ -71,19 +71,19 @@ void read_bitmap(afl_state_t* afl, u8* fname) {
This function is called after every exec() on a fairly large buffer, so This function is called after every exec() on a fairly large buffer, so
it needs to be fast. We do this in 32-bit and 64-bit flavors. */ it needs to be fast. We do this in 32-bit and 64-bit flavors. */
u8 has_new_bits(afl_state_t* afl, u8* virgin_map) { u8 has_new_bits(afl_state_t *afl, u8 *virgin_map) {
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
u64* current = (u64*)afl->fsrv.trace_bits; u64 *current = (u64 *)afl->fsrv.trace_bits;
u64* virgin = (u64*)virgin_map; u64 *virgin = (u64 *)virgin_map;
u32 i = (MAP_SIZE >> 3); u32 i = (MAP_SIZE >> 3);
#else #else
u32* current = (u32*)afl->fsrv.trace_bits; u32 *current = (u32 *)afl->fsrv.trace_bits;
u32* virgin = (u32*)virgin_map; u32 *virgin = (u32 *)virgin_map;
u32 i = (MAP_SIZE >> 2); u32 i = (MAP_SIZE >> 2);
@ -101,8 +101,8 @@ u8 has_new_bits(afl_state_t* afl, u8* virgin_map) {
if (likely(ret < 2)) { if (likely(ret < 2)) {
u8* cur = (u8*)current; u8 *cur = (u8 *)current;
u8* vir = (u8*)virgin; u8 *vir = (u8 *)virgin;
/* Looks like we have not found any new bytes yet; see if any non-zero /* Looks like we have not found any new bytes yet; see if any non-zero
bytes in current[] are pristine in virgin[]. */ bytes in current[] are pristine in virgin[]. */
@ -147,9 +147,9 @@ u8 has_new_bits(afl_state_t* afl, u8* virgin_map) {
/* Count the number of bits set in the provided bitmap. Used for the status /* Count the number of bits set in the provided bitmap. Used for the status
screen several times every second, does not have to be fast. */ screen several times every second, does not have to be fast. */
u32 count_bits(u8* mem) { u32 count_bits(u8 *mem) {
u32* ptr = (u32*)mem; u32 *ptr = (u32 *)mem;
u32 i = (MAP_SIZE >> 2); u32 i = (MAP_SIZE >> 2);
u32 ret = 0; u32 ret = 0;
@ -183,9 +183,9 @@ u32 count_bits(u8* mem) {
mostly to update the status screen or calibrate and examine confirmed mostly to update the status screen or calibrate and examine confirmed
new paths. */ new paths. */
u32 count_bytes(u8* mem) { u32 count_bytes(u8 *mem) {
u32* ptr = (u32*)mem; u32 *ptr = (u32 *)mem;
u32 i = (MAP_SIZE >> 2); u32 i = (MAP_SIZE >> 2);
u32 ret = 0; u32 ret = 0;
@ -208,9 +208,9 @@ u32 count_bytes(u8* mem) {
/* Count the number of non-255 bytes set in the bitmap. Used strictly for the /* Count the number of non-255 bytes set in the bitmap. Used strictly for the
status screen, several calls per second or so. */ status screen, several calls per second or so. */
u32 count_non_255_bytes(u8* mem) { u32 count_non_255_bytes(u8 *mem) {
u32* ptr = (u32*)mem; u32 *ptr = (u32 *)mem;
u32 i = (MAP_SIZE >> 2); u32 i = (MAP_SIZE >> 2);
u32 ret = 0; u32 ret = 0;
@ -246,7 +246,7 @@ const u8 simplify_lookup[256] = {
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
void simplify_trace(u64* mem) { void simplify_trace(u64 *mem) {
u32 i = MAP_SIZE >> 3; u32 i = MAP_SIZE >> 3;
@ -256,7 +256,7 @@ void simplify_trace(u64* mem) {
if (unlikely(*mem)) { if (unlikely(*mem)) {
u8* mem8 = (u8*)mem; u8 *mem8 = (u8 *)mem;
mem8[0] = simplify_lookup[mem8[0]]; mem8[0] = simplify_lookup[mem8[0]];
mem8[1] = simplify_lookup[mem8[1]]; mem8[1] = simplify_lookup[mem8[1]];
@ -279,7 +279,7 @@ void simplify_trace(u64* mem) {
#else #else
void simplify_trace(u32* mem) { void simplify_trace(u32 *mem) {
u32 i = MAP_SIZE >> 2; u32 i = MAP_SIZE >> 2;
@ -289,7 +289,7 @@ void simplify_trace(u32* mem) {
if (unlikely(*mem)) { if (unlikely(*mem)) {
u8* mem8 = (u8*)mem; u8 *mem8 = (u8 *)mem;
mem8[0] = simplify_lookup[mem8[0]]; mem8[0] = simplify_lookup[mem8[0]];
mem8[1] = simplify_lookup[mem8[1]]; mem8[1] = simplify_lookup[mem8[1]];
@ -341,7 +341,7 @@ void init_count_class16(void) {
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
void classify_counts(u64* mem) { void classify_counts(u64 *mem) {
u32 i = MAP_SIZE >> 3; u32 i = MAP_SIZE >> 3;
@ -351,7 +351,7 @@ void classify_counts(u64* mem) {
if (unlikely(*mem)) { if (unlikely(*mem)) {
u16* mem16 = (u16*)mem; u16 *mem16 = (u16 *)mem;
mem16[0] = count_class_lookup16[mem16[0]]; mem16[0] = count_class_lookup16[mem16[0]];
mem16[1] = count_class_lookup16[mem16[1]]; mem16[1] = count_class_lookup16[mem16[1]];
@ -368,7 +368,7 @@ void classify_counts(u64* mem) {
#else #else
void classify_counts(u32* mem) { void classify_counts(u32 *mem) {
u32 i = MAP_SIZE >> 2; u32 i = MAP_SIZE >> 2;
@ -378,7 +378,7 @@ void classify_counts(u32* mem) {
if (unlikely(*mem)) { if (unlikely(*mem)) {
u16* mem16 = (u16*)mem; u16 *mem16 = (u16 *)mem;
mem16[0] = count_class_lookup16[mem16[0]]; mem16[0] = count_class_lookup16[mem16[0]];
mem16[1] = count_class_lookup16[mem16[1]]; mem16[1] = count_class_lookup16[mem16[1]];
@ -397,7 +397,7 @@ void classify_counts(u32* mem) {
count information here. This is called only sporadically, for some count information here. This is called only sporadically, for some
new paths. */ new paths. */
void minimize_bits(u8* dst, u8* src) { void minimize_bits(u8 *dst, u8 *src) {
u32 i = 0; u32 i = 0;
@ -415,9 +415,9 @@ void minimize_bits(u8* dst, u8* src) {
/* Construct a file name for a new test case, capturing the operation /* Construct a file name for a new test case, capturing the operation
that led to its discovery. Uses a static buffer. */ that led to its discovery. Uses a static buffer. */
u8* describe_op(afl_state_t* afl, u8 hnb) { u8 *describe_op(afl_state_t *afl, u8 hnb) {
u8* ret = afl->describe_op_buf_256; u8 *ret = afl->describe_op_buf_256;
if (afl->syncing_party) { if (afl->syncing_party) {
@ -459,11 +459,11 @@ u8* describe_op(afl_state_t* afl, u8 hnb) {
/* Write a message accompanying the crash directory :-) */ /* Write a message accompanying the crash directory :-) */
static void write_crash_readme(afl_state_t* afl) { static void write_crash_readme(afl_state_t *afl) {
u8* fn = alloc_printf("%s/crashes/README.txt", afl->out_dir); u8 *fn = alloc_printf("%s/crashes/README.txt", afl->out_dir);
s32 fd; s32 fd;
FILE* f; FILE *f;
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
ck_free(fn); ck_free(fn);
@ -511,11 +511,11 @@ static void write_crash_readme(afl_state_t* afl) {
save or queue the input test case for further analysis if so. Returns 1 if save or queue the input test case for further analysis if so. Returns 1 if
entry is saved, 0 otherwise. */ entry is saved, 0 otherwise. */
u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) { u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (len == 0) return 0; if (len == 0) return 0;
u8* fn = ""; u8 *fn = "";
u8 hnb; u8 hnb;
s32 fd; s32 fd;
u8 keeping = 0, res; u8 keeping = 0, res;
@ -523,7 +523,7 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) {
/* Update path frequency. */ /* Update path frequency. */
u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST); u32 cksum = hash32(afl->fsrv.trace_bits, MAP_SIZE, HASH_CONST);
struct queue_entry* q = afl->queue; struct queue_entry *q = afl->queue;
while (q) { while (q) {
if (q->exec_cksum == cksum) { if (q->exec_cksum == cksum) {
@ -603,9 +603,9 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) {
if (!afl->dumb_mode) { if (!afl->dumb_mode) {
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
simplify_trace((u64*)afl->fsrv.trace_bits); simplify_trace((u64 *)afl->fsrv.trace_bits);
#else #else
simplify_trace((u32*)afl->fsrv.trace_bits); simplify_trace((u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */ #endif /* ^WORD_SIZE_64 */
if (!has_new_bits(afl, afl->virgin_tmout)) return keeping; if (!has_new_bits(afl, afl->virgin_tmout)) return keeping;
@ -666,9 +666,9 @@ u8 save_if_interesting(afl_state_t* afl, void* mem, u32 len, u8 fault) {
if (!afl->dumb_mode) { if (!afl->dumb_mode) {
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
simplify_trace((u64*)afl->fsrv.trace_bits); simplify_trace((u64 *)afl->fsrv.trace_bits);
#else #else
simplify_trace((u32*)afl->fsrv.trace_bits); simplify_trace((u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */ #endif /* ^WORD_SIZE_64 */
if (!has_new_bits(afl, afl->virgin_crash)) return keeping; if (!has_new_bits(afl, afl->virgin_crash)) return keeping;

4
src/afl-fuzz-cmplog.c
View File

@ -190,7 +190,8 @@ void init_cmplog_forkserver(afl_state_t *afl) {
timeout.tv_sec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) / 1000); timeout.tv_sec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) / 1000);
timeout.tv_usec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; timeout.tv_usec = ((afl->fsrv.exec_tmout * FORK_WAIT_MULT) % 1000) * 1000;
int sret = select(afl->cmplog_fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout); int sret =
select(afl->cmplog_fsrv_st_fd + 1, &readfds, NULL, NULL, &timeout);
if (sret == 0) { if (sret == 0) {
@ -201,6 +202,7 @@ void init_cmplog_forkserver(afl_state_t *afl) {
rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); rlen = read(afl->cmplog_fsrv_st_fd, &status, 4);
} }
} else { } else {
rlen = read(afl->cmplog_fsrv_st_fd, &status, 4); rlen = read(afl->cmplog_fsrv_st_fd, &status, 4);

58
src/afl-fuzz-extras.c
View File

@ -27,17 +27,19 @@
/* Helper function for load_extras. */ /* Helper function for load_extras. */
static int compare_extras_len(const void* p1, const void* p2) { static int compare_extras_len(const void *p1, const void *p2) {
struct extra_data *e1 = (struct extra_data*)p1, *e2 = (struct extra_data*)p2; struct extra_data *e1 = (struct extra_data *)p1,
*e2 = (struct extra_data *)p2;
return e1->len - e2->len; return e1->len - e2->len;
} }
static int compare_extras_use_d(const void* p1, const void* p2) { static int compare_extras_use_d(const void *p1, const void *p2) {
struct extra_data *e1 = (struct extra_data*)p1, *e2 = (struct extra_data*)p2; struct extra_data *e1 = (struct extra_data *)p1,
*e2 = (struct extra_data *)p2;
return e2->hit_cnt - e1->hit_cnt; return e2->hit_cnt - e1->hit_cnt;
@ -45,13 +47,13 @@ static int compare_extras_use_d(const void* p1, const void* p2) {
/* Read extras from a file, sort by size. */ /* Read extras from a file, sort by size. */
void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len, void load_extras_file(afl_state_t *afl, u8 *fname, u32 *min_len, u32 *max_len,
u32 dict_level) { u32 dict_level) {
FILE* f; FILE *f;
u8 buf[MAX_LINE]; u8 buf[MAX_LINE];
u8* lptr; u8 *lptr;
u32 cur_line = 0; u32 cur_line = 0;
f = fopen(fname, "r"); f = fopen(fname, "r");
@ -128,7 +130,7 @@ void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len,
while (*lptr) { while (*lptr) {
char* hexdigits = "0123456789abcdef"; char *hexdigits = "0123456789abcdef";
switch (*lptr) { switch (*lptr) {
@ -184,12 +186,12 @@ void load_extras_file(afl_state_t* afl, u8* fname, u32* min_len, u32* max_len,
/* Read extras from the extras directory and sort them by size. */ /* Read extras from the extras directory and sort them by size. */
void load_extras(afl_state_t* afl, u8* dir) { void load_extras(afl_state_t *afl, u8 *dir) {
DIR* d; DIR *d;
struct dirent* de; struct dirent *de;
u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0;
u8* x; u8 *x;
/* If the name ends with @, extract level and continue. */ /* If the name ends with @, extract level and continue. */
@ -222,8 +224,8 @@ void load_extras(afl_state_t* afl, u8* dir) {
while ((de = readdir(d))) { while ((de = readdir(d))) {
struct stat st; struct stat st;
u8* fn = alloc_printf("%s/%s", dir, de->d_name); u8 *fn = alloc_printf("%s/%s", dir, de->d_name);
s32 fd; s32 fd;
if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn);
@ -285,7 +287,7 @@ check_and_sort:
/* Helper function for maybe_add_auto(afl, ) */ /* Helper function for maybe_add_auto(afl, ) */
static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { static inline u8 memcmp_nocase(u8 *m1, u8 *m2, u32 len) {
while (len--) while (len--)
if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1; if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1;
@ -295,7 +297,7 @@ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) {
/* Maybe add automatic extra. */ /* Maybe add automatic extra. */
void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) { void maybe_add_auto(afl_state_t *afl, u8 *mem, u32 len) {
u32 i; u32 i;
@ -317,8 +319,8 @@ void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) {
i = sizeof(interesting_16) >> 1; i = sizeof(interesting_16) >> 1;
while (i--) while (i--)
if (*((u16*)mem) == interesting_16[i] || if (*((u16 *)mem) == interesting_16[i] ||
*((u16*)mem) == SWAP16(interesting_16[i])) *((u16 *)mem) == SWAP16(interesting_16[i]))
return; return;
} }
@ -328,8 +330,8 @@ void maybe_add_auto(afl_state_t* afl, u8* mem, u32 len) {
i = sizeof(interesting_32) >> 2; i = sizeof(interesting_32) >> 2;
while (i--) while (i--)
if (*((u32*)mem) == interesting_32[i] || if (*((u32 *)mem) == interesting_32[i] ||
*((u32*)mem) == SWAP32(interesting_32[i])) *((u32 *)mem) == SWAP32(interesting_32[i]))
return; return;
} }
@ -402,7 +404,7 @@ sort_a_extras:
/* Save automatically generated extras. */ /* Save automatically generated extras. */
void save_auto(afl_state_t* afl) { void save_auto(afl_state_t *afl) {
u32 i; u32 i;
@ -411,7 +413,7 @@ void save_auto(afl_state_t* afl) {
for (i = 0; i < MIN(USE_AUTO_EXTRAS, afl->a_extras_cnt); ++i) { for (i = 0; i < MIN(USE_AUTO_EXTRAS, afl->a_extras_cnt); ++i) {
u8* fn = u8 *fn =
alloc_printf("%s/queue/.state/auto_extras/auto_%06u", afl->out_dir, i); alloc_printf("%s/queue/.state/auto_extras/auto_%06u", afl->out_dir, i);
s32 fd; s32 fd;
@ -430,14 +432,14 @@ void save_auto(afl_state_t* afl) {
/* Load automatically generated extras. */ /* Load automatically generated extras. */
void load_auto(afl_state_t* afl) { void load_auto(afl_state_t *afl) {
u32 i; u32 i;
for (i = 0; i < USE_AUTO_EXTRAS; ++i) { for (i = 0; i < USE_AUTO_EXTRAS; ++i) {
u8 tmp[MAX_AUTO_EXTRA + 1]; u8 tmp[MAX_AUTO_EXTRA + 1];
u8* fn = alloc_printf("%s/.state/auto_extras/auto_%06u", afl->in_dir, i); u8 *fn = alloc_printf("%s/.state/auto_extras/auto_%06u", afl->in_dir, i);
s32 fd, len; s32 fd, len;
fd = open(fn, O_RDONLY, 0600); fd = open(fn, O_RDONLY, 0600);
@ -474,7 +476,7 @@ void load_auto(afl_state_t* afl) {
/* Destroy extras. */ /* Destroy extras. */
void destroy_extras(afl_state_t* afl) { void destroy_extras(afl_state_t *afl) {
u32 i; u32 i;

156
src/afl-fuzz-init.c
View File

@ -30,12 +30,12 @@
/* Build a list of processes bound to specific cores. Returns -1 if nothing /* Build a list of processes bound to specific cores. Returns -1 if nothing
can be found. Assumes an upper bound of 4k CPUs. */ can be found. Assumes an upper bound of 4k CPUs. */
void bind_to_free_cpu(afl_state_t* afl) { void bind_to_free_cpu(afl_state_t *afl) {
#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__) #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)
cpu_set_t c; cpu_set_t c;
#elif defined(__NetBSD__) #elif defined(__NetBSD__)
cpuset_t* c; cpuset_t *c;
#endif #endif
u8 cpu_used[4096] = {0}; u8 cpu_used[4096] = {0};
@ -51,8 +51,8 @@ void bind_to_free_cpu(afl_state_t* afl) {
} }
#if defined(__linux__) #if defined(__linux__)
DIR* d; DIR *d;
struct dirent* de; struct dirent *de;
d = opendir("/proc"); d = opendir("/proc");
if (!d) { if (!d) {
@ -76,8 +76,8 @@ void bind_to_free_cpu(afl_state_t* afl) {
while ((de = readdir(d))) { while ((de = readdir(d))) {
u8* fn; u8 *fn;
FILE* f; FILE *f;
u8 tmp[MAX_LINE]; u8 tmp[MAX_LINE];
u8 has_vmsize = 0; u8 has_vmsize = 0;
@ -118,7 +118,7 @@ void bind_to_free_cpu(afl_state_t* afl) {
closedir(d); closedir(d);
#elif defined(__FreeBSD__) || defined(__DragonFly__) #elif defined(__FreeBSD__) || defined(__DragonFly__)
struct kinfo_proc* procs; struct kinfo_proc *procs;
size_t nprocs; size_t nprocs;
size_t proccount; size_t proccount;
int s_name[] = {CTL_KERN, KERN_PROC, KERN_PROC_ALL}; int s_name[] = {CTL_KERN, KERN_PROC, KERN_PROC_ALL};
@ -151,7 +151,7 @@ void bind_to_free_cpu(afl_state_t* afl) {
ck_free(procs); ck_free(procs);
#elif defined(__NetBSD__) #elif defined(__NetBSD__)
struct kinfo_proc2* procs; struct kinfo_proc2 *procs;
size_t nprocs; size_t nprocs;
size_t proccount; size_t proccount;
int s_name[] = { int s_name[] = {
@ -272,11 +272,11 @@ cpuset_destroy(c);
/* Load postprocessor, if available. */ /* Load postprocessor, if available. */
void setup_post(afl_state_t* afl) { void setup_post(afl_state_t *afl) {
void* dh; void *dh;
u8* fn = get_afl_env("AFL_POST_LIBRARY"); u8 *fn = get_afl_env("AFL_POST_LIBRARY");
u32 tlen = 6; u32 tlen = 6;
if (!fn) return; if (!fn) return;
@ -298,14 +298,14 @@ void setup_post(afl_state_t* afl) {
/* Shuffle an array of pointers. Might be slightly biased. */ /* Shuffle an array of pointers. Might be slightly biased. */
static void shuffle_ptrs(afl_state_t* afl, void** ptrs, u32 cnt) { static void shuffle_ptrs(afl_state_t *afl, void **ptrs, u32 cnt) {
u32 i; u32 i;
for (i = 0; i < cnt - 2; ++i) { for (i = 0; i < cnt - 2; ++i) {
u32 j = i + UR(afl, cnt - i); u32 j = i + UR(afl, cnt - i);
void* s = ptrs[i]; void *s = ptrs[i];
ptrs[i] = ptrs[j]; ptrs[i] = ptrs[j];
ptrs[j] = s; ptrs[j] = s;
@ -316,12 +316,12 @@ static void shuffle_ptrs(afl_state_t* afl, void** ptrs, u32 cnt) {
/* Read all testcases from the input directory, then queue them for testing. /* Read all testcases from the input directory, then queue them for testing.
Called at startup. */ Called at startup. */
void read_testcases(afl_state_t* afl) { void read_testcases(afl_state_t *afl) {
struct dirent** nl; struct dirent **nl;
s32 nl_cnt; s32 nl_cnt;
u32 i; u32 i;
u8* fn1; u8 *fn1;
/* Auto-detect non-in-place resumption attempts. */ /* Auto-detect non-in-place resumption attempts. */
@ -359,7 +359,7 @@ void read_testcases(afl_state_t* afl) {
if (afl->shuffle_queue && nl_cnt > 1) { if (afl->shuffle_queue && nl_cnt > 1) {
ACTF("Shuffling queue..."); ACTF("Shuffling queue...");
shuffle_ptrs(afl, (void**)nl, nl_cnt); shuffle_ptrs(afl, (void **)nl, nl_cnt);
} }
@ -367,8 +367,8 @@ void read_testcases(afl_state_t* afl) {
struct stat st; struct stat st;
u8* fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name); u8 *fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name);
u8* dfn = alloc_printf("%s/.state/deterministic_done/%s", afl->in_dir, u8 *dfn = alloc_printf("%s/.state/deterministic_done/%s", afl->in_dir,
nl[i]->d_name); nl[i]->d_name);
u8 passed_det = 0; u8 passed_det = 0;
@ -428,7 +428,7 @@ void read_testcases(afl_state_t* afl) {
/* Examine map coverage. Called once, for first test case. */ /* Examine map coverage. Called once, for first test case. */
static void check_map_coverage(afl_state_t* afl) { static void check_map_coverage(afl_state_t *afl) {
u32 i; u32 i;
@ -444,19 +444,19 @@ static void check_map_coverage(afl_state_t* afl) {
/* Perform dry run of all test cases to confirm that the app is working as /* Perform dry run of all test cases to confirm that the app is working as
expected. This is done only for the initial inputs, and only once. */ expected. This is done only for the initial inputs, and only once. */
void perform_dry_run(afl_state_t* afl) { void perform_dry_run(afl_state_t *afl) {
struct queue_entry* q = afl->queue; struct queue_entry *q = afl->queue;
u32 cal_failures = 0; u32 cal_failures = 0;
u8* skip_crashes = get_afl_env("AFL_SKIP_CRASHES"); u8 *skip_crashes = get_afl_env("AFL_SKIP_CRASHES");
while (q) { while (q) {
u8* use_mem; u8 *use_mem;
u8 res; u8 res;
s32 fd; s32 fd;
u8* fn = strrchr(q->fname, '/') + 1; u8 *fn = strrchr(q->fname, '/') + 1;
ACTF("Attempting dry run with '%s'...", fn); ACTF("Attempting dry run with '%s'...", fn);
@ -673,11 +673,11 @@ void perform_dry_run(afl_state_t* afl) {
/* Helper function: link() if possible, copy otherwise. */ /* Helper function: link() if possible, copy otherwise. */
static void link_or_copy(u8* old_path, u8* new_path) { static void link_or_copy(u8 *old_path, u8 *new_path) {
s32 i = link(old_path, new_path); s32 i = link(old_path, new_path);
s32 sfd, dfd; s32 sfd, dfd;
u8* tmp; u8 *tmp;
if (!i) return; if (!i) return;
@ -703,9 +703,9 @@ static void link_or_copy(u8* old_path, u8* new_path) {
/* Create hard links for input test cases in the output directory, choosing /* Create hard links for input test cases in the output directory, choosing
good names and pivoting accordingly. */ good names and pivoting accordingly. */
void pivot_inputs(afl_state_t* afl) { void pivot_inputs(afl_state_t *afl) {
struct queue_entry* q = afl->queue; struct queue_entry *q = afl->queue;
u32 id = 0; u32 id = 0;
ACTF("Creating hard links for all input files..."); ACTF("Creating hard links for all input files...");
@ -727,7 +727,7 @@ void pivot_inputs(afl_state_t* afl) {
if (!strncmp(rsl, CASE_PREFIX, 3) && if (!strncmp(rsl, CASE_PREFIX, 3) &&
sscanf(rsl + 3, "%06u", &orig_id) == 1 && orig_id == id) { sscanf(rsl + 3, "%06u", &orig_id) == 1 && orig_id == id) {
u8* src_str; u8 *src_str;
u32 src_id; u32 src_id;
afl->resuming_fuzz = 1; afl->resuming_fuzz = 1;
@ -740,7 +740,7 @@ void pivot_inputs(afl_state_t* afl) {
if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
struct queue_entry* s = afl->queue; struct queue_entry *s = afl->queue;
while (src_id-- && s) while (src_id-- && s)
s = s->next; s = s->next;
if (s) q->depth = s->depth + 1; if (s) q->depth = s->depth + 1;
@ -756,7 +756,7 @@ void pivot_inputs(afl_state_t* afl) {
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
u8* use_name = strstr(rsl, ",orig:"); u8 *use_name = strstr(rsl, ",orig:");
if (use_name) if (use_name)
use_name += 6; use_name += 6;
@ -795,7 +795,7 @@ void pivot_inputs(afl_state_t* afl) {
/* When resuming, try to find the queue position to start from. This makes sense /* When resuming, try to find the queue position to start from. This makes sense
only when resuming, and when we can find the original fuzzer_stats. */ only when resuming, and when we can find the original fuzzer_stats. */
u32 find_start_position(afl_state_t* afl) { u32 find_start_position(afl_state_t *afl) {
static u8 tmp[4096]; /* Ought to be enough for anybody. */ static u8 tmp[4096]; /* Ought to be enough for anybody. */
@ -832,7 +832,7 @@ u32 find_start_position(afl_state_t* afl) {
-t given, we don't want to keep auto-scaling the timeout over and over -t given, we don't want to keep auto-scaling the timeout over and over
again to prevent it from growing due to random flukes. */ again to prevent it from growing due to random flukes. */
void find_timeout(afl_state_t* afl) { void find_timeout(afl_state_t *afl) {
static u8 tmp[4096]; /* Ought to be enough for anybody. */ static u8 tmp[4096]; /* Ought to be enough for anybody. */
@ -870,10 +870,10 @@ void find_timeout(afl_state_t* afl) {
/* A helper function for handle_existing_out_dir(), deleting all prefixed /* A helper function for handle_existing_out_dir(), deleting all prefixed
files in a directory. */ files in a directory. */
static u8 delete_files(u8* path, u8* prefix) { static u8 delete_files(u8 *path, u8 *prefix) {
DIR* d; DIR *d;
struct dirent* d_ent; struct dirent *d_ent;
d = opendir(path); d = opendir(path);
@ -884,7 +884,7 @@ static u8 delete_files(u8* path, u8* prefix) {
if (d_ent->d_name[0] != '.' && if (d_ent->d_name[0] != '.' &&
(!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { (!prefix || !strncmp(d_ent->d_name, prefix, strlen(prefix)))) {
u8* fname = alloc_printf("%s/%s", path, d_ent->d_name); u8 *fname = alloc_printf("%s/%s", path, d_ent->d_name);
if (unlink(fname)) PFATAL("Unable to delete '%s'", fname); if (unlink(fname)) PFATAL("Unable to delete '%s'", fname);
ck_free(fname); ck_free(fname);
@ -919,7 +919,7 @@ double get_runnable_processes(void) {
computed in funny ways and sometimes don't reflect extremely short-lived computed in funny ways and sometimes don't reflect extremely short-lived
processes well. */ processes well. */
FILE* f = fopen("/proc/stat", "r"); FILE *f = fopen("/proc/stat", "r");
u8 tmp[1024]; u8 tmp[1024];
u32 val = 0; u32 val = 0;
@ -954,9 +954,9 @@ double get_runnable_processes(void) {
/* Delete the temporary directory used for in-place session resume. */ /* Delete the temporary directory used for in-place session resume. */
void nuke_resume_dir(afl_state_t* afl) { void nuke_resume_dir(afl_state_t *afl) {
u8* fn; u8 *fn;
fn = alloc_printf("%s/_resume/.state/deterministic_done", afl->out_dir); fn = alloc_printf("%s/_resume/.state/deterministic_done", afl->out_dir);
if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed;
@ -994,10 +994,10 @@ dir_cleanup_failed:
is not currently running, and if the last run time isn't too great. is not currently running, and if the last run time isn't too great.
Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */ Resume fuzzing if `-` is set as in_dir or if AFL_AUTORESUME is set */
static void handle_existing_out_dir(afl_state_t* afl) { static void handle_existing_out_dir(afl_state_t *afl) {
FILE* f; FILE *f;
u8* fn = alloc_printf("%s/fuzzer_stats", afl->out_dir); u8 *fn = alloc_printf("%s/fuzzer_stats", afl->out_dir);
/* See if the output directory is locked. If yes, bail out. If not, /* See if the output directory is locked. If yes, bail out. If not,
create a lock that will persist for the lifetime of the process create a lock that will persist for the lifetime of the process
@ -1084,7 +1084,7 @@ static void handle_existing_out_dir(afl_state_t* afl) {
if (afl->in_place_resume) { if (afl->in_place_resume) {
u8* orig_q = alloc_printf("%s/queue", afl->out_dir); u8 *orig_q = alloc_printf("%s/queue", afl->out_dir);
afl->in_dir = alloc_printf("%s/_resume", afl->out_dir); afl->in_dir = alloc_printf("%s/_resume", afl->out_dir);
@ -1161,17 +1161,17 @@ static void handle_existing_out_dir(afl_state_t* afl) {
if (afl->in_place_resume && rmdir(fn)) { if (afl->in_place_resume && rmdir(fn)) {
time_t cur_t = time(0); time_t cur_t = time(0);
struct tm* t = localtime(&cur_t); struct tm *t = localtime(&cur_t);
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
u8* nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, u8 *nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn,
t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
t->tm_hour, t->tm_min, t->tm_sec); t->tm_hour, t->tm_min, t->tm_sec);
#else #else
u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900, u8 *nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900,
t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min,
t->tm_sec); t->tm_sec);
@ -1192,17 +1192,17 @@ static void handle_existing_out_dir(afl_state_t* afl) {
if (afl->in_place_resume && rmdir(fn)) { if (afl->in_place_resume && rmdir(fn)) {
time_t cur_t = time(0); time_t cur_t = time(0);
struct tm* t = localtime(&cur_t); struct tm *t = localtime(&cur_t);
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
u8* nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn, u8 *nfn = alloc_printf("%s.%04d-%02d-%02d-%02d:%02d:%02d", fn,
t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
t->tm_hour, t->tm_min, t->tm_sec); t->tm_hour, t->tm_min, t->tm_sec);
#else #else
u8* nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900, u8 *nfn = alloc_printf("%s_%04d%02d%02d%02d%02d%02d", fn, t->tm_year + 1900,
t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min,
t->tm_sec); t->tm_sec);
@ -1278,9 +1278,9 @@ dir_cleanup_failed:
/* Prepare output directories and fds. */ /* Prepare output directories and fds. */
void setup_dirs_fds(afl_state_t* afl) { void setup_dirs_fds(afl_state_t *afl) {
u8* tmp; u8 *tmp;
s32 fd; s32 fd;
ACTF("Setting up output directories..."); ACTF("Setting up output directories...");
@ -1402,13 +1402,13 @@ void setup_dirs_fds(afl_state_t* afl) {
} }
void setup_cmdline_file(afl_state_t* afl, char** argv) { void setup_cmdline_file(afl_state_t *afl, char **argv) {
u8* tmp; u8 *tmp;
s32 fd; s32 fd;
u32 i = 0; u32 i = 0;
FILE* cmdline_file = NULL; FILE *cmdline_file = NULL;
/* Store the command line to reproduce our findings */ /* Store the command line to reproduce our findings */
tmp = alloc_printf("%s/cmdline", afl->out_dir); tmp = alloc_printf("%s/cmdline", afl->out_dir);
@ -1432,9 +1432,9 @@ void setup_cmdline_file(afl_state_t* afl, char** argv) {
/* Setup the output file for fuzzed data, if not using -f. */ /* Setup the output file for fuzzed data, if not using -f. */
void setup_stdio_file(afl_state_t* afl) { void setup_stdio_file(afl_state_t *afl) {
u8* fn; u8 *fn;
if (afl->file_extension) { if (afl->file_extension) {
fn = alloc_printf("%s/.cur_input.%s", afl->tmp_dir, afl->file_extension); fn = alloc_printf("%s/.cur_input.%s", afl->tmp_dir, afl->file_extension);
@ -1531,10 +1531,10 @@ void check_crash_handling(void) {
/* Check CPU governor. */ /* Check CPU governor. */
void check_cpu_governor(afl_state_t* afl) { void check_cpu_governor(afl_state_t *afl) {
#ifdef __linux__ #ifdef __linux__
FILE* f; FILE *f;
u8 tmp[128]; u8 tmp[128];
u64 min = 0, max = 0; u64 min = 0, max = 0;
@ -1654,7 +1654,7 @@ void check_cpu_governor(afl_state_t* afl) {
/* Count the number of logical CPU cores. */ /* Count the number of logical CPU cores. */
void get_core_count(afl_state_t* afl) { void get_core_count(afl_state_t *afl) {
#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \ #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
defined(__DragonFly__) defined(__DragonFly__)
@ -1684,7 +1684,7 @@ void get_core_count(afl_state_t* afl) {
#else #else
FILE* f = fopen("/proc/stat", "r"); FILE *f = fopen("/proc/stat", "r");
u8 tmp[1024]; u8 tmp[1024];
if (!f) return; if (!f) return;
@ -1742,9 +1742,9 @@ void get_core_count(afl_state_t* afl) {
/* Validate and fix up afl->out_dir and sync_dir when using -S. */ /* Validate and fix up afl->out_dir and sync_dir when using -S. */
void fix_up_sync(afl_state_t* afl) { void fix_up_sync(afl_state_t *afl) {
u8* x = afl->sync_id; u8 *x = afl->sync_id;
if (afl->dumb_mode) FATAL("-S / -M and -n are mutually exclusive"); if (afl->dumb_mode) FATAL("-S / -M and -n are mutually exclusive");
@ -1793,7 +1793,7 @@ static void handle_resize(int sig) {
void check_asan_opts(void) { void check_asan_opts(void) {
u8* x = get_afl_env("ASAN_OPTIONS"); u8 *x = get_afl_env("ASAN_OPTIONS");
if (x) { if (x) {
@ -1849,13 +1849,13 @@ static void handle_skipreq(int sig) {
isn't a shell script - a common and painful mistake. We also check for isn't a shell script - a common and painful mistake. We also check for
a valid ELF header and for evidence of AFL instrumentation. */ a valid ELF header and for evidence of AFL instrumentation. */
void check_binary(afl_state_t* afl, u8* fname) { void check_binary(afl_state_t *afl, u8 *fname) {
u8* env_path = 0; u8 *env_path = 0;
struct stat st; struct stat st;
s32 fd; s32 fd;
u8* f_data; u8 *f_data;
u32 f_len = 0; u32 f_len = 0;
ACTF("Validating target binary..."); ACTF("Validating target binary...");
@ -2042,7 +2042,7 @@ void check_binary(afl_state_t* afl, u8* fname) {
/* Trim and possibly create a banner for the run. */ /* Trim and possibly create a banner for the run. */
void fix_up_banner(afl_state_t* afl, u8* name) { void fix_up_banner(afl_state_t *afl, u8 *name) {
if (!afl->use_banner) { if (!afl->use_banner) {
@ -2052,7 +2052,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) {
} else { } else {
u8* trim = strrchr(name, '/'); u8 *trim = strrchr(name, '/');
if (!trim) if (!trim)
afl->use_banner = name; afl->use_banner = name;
else else
@ -2064,7 +2064,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) {
if (strlen(afl->use_banner) > 32) { if (strlen(afl->use_banner) > 32) {
u8* tmp = ck_alloc(36); u8 *tmp = ck_alloc(36);
sprintf(tmp, "%.32s...", afl->use_banner); sprintf(tmp, "%.32s...", afl->use_banner);
afl->use_banner = tmp; afl->use_banner = tmp;
@ -2074,7 +2074,7 @@ void fix_up_banner(afl_state_t* afl, u8* name) {
/* Check if we're on TTY. */ /* Check if we're on TTY. */
void check_if_tty(afl_state_t* afl) { void check_if_tty(afl_state_t *afl) {
struct winsize ws; struct winsize ws;
@ -2148,10 +2148,10 @@ void setup_signal_handlers(void) {
/* Make a copy of the current command line. */ /* Make a copy of the current command line. */
void save_cmdline(afl_state_t* afl, u32 argc, char** argv) { void save_cmdline(afl_state_t *afl, u32 argc, char **argv) {
u32 len = 1, i; u32 len = 1, i;
u8* buf; u8 *buf;
for (i = 0; i < argc; ++i) for (i = 0; i < argc; ++i)
len += strlen(argv[i]) + 1; len += strlen(argv[i]) + 1;

8
src/afl-fuzz-misc.c
View File

@ -29,7 +29,7 @@
returned should be five characters or less for all the integers we reasonably returned should be five characters or less for all the integers we reasonably
expect to see. */ expect to see. */
u8* DI(u64 val) { u8 *DI(u64 val) {
static u8 tmp[12][16]; static u8 tmp[12][16];
static u8 cur; static u8 cur;
@ -90,7 +90,7 @@ u8* DI(u64 val) {
/* Describe float. Similar to the above, except with a single /* Describe float. Similar to the above, except with a single
static buffer. */ static buffer. */
u8* DF(double val) { u8 *DF(double val) {
static u8 tmp[16]; static u8 tmp[16];
@ -114,7 +114,7 @@ u8* DF(double val) {
/* Describe integer as memory size. */ /* Describe integer as memory size. */
u8* DMS(u64 val) { u8 *DMS(u64 val) {
static u8 tmp[12][16]; static u8 tmp[12][16];
static u8 cur; static u8 cur;
@ -164,7 +164,7 @@ u8* DMS(u64 val) {
/* Describe time delta. Returns one static buffer, 34 chars of less. */ /* Describe time delta. Returns one static buffer, 34 chars of less. */
u8* DTD(u64 cur_ms, u64 event_ms) { u8 *DTD(u64 cur_ms, u64 event_ms) {
static u8 tmp[64]; static u8 tmp[64];
u64 delta; u64 delta;

24
src/afl-fuzz-mutators.c
View File

@ -25,15 +25,15 @@
#include "afl-fuzz.h" #include "afl-fuzz.h"
void load_custom_mutator(afl_state_t*, const char*); void load_custom_mutator(afl_state_t *, const char *);
#ifdef USE_PYTHON #ifdef USE_PYTHON
void load_custom_mutator_py(afl_state_t*, const char*); void load_custom_mutator_py(afl_state_t *, const char *);
#endif #endif
void setup_custom_mutator(afl_state_t* afl) { void setup_custom_mutator(afl_state_t *afl) {
/* Try mutator library first */ /* Try mutator library first */
u8* fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY"); u8 *fn = getenv("AFL_CUSTOM_MUTATOR_LIBRARY");
if (fn) { if (fn) {
@ -51,7 +51,7 @@ void setup_custom_mutator(afl_state_t* afl) {
/* Try Python module */ /* Try Python module */
#ifdef USE_PYTHON #ifdef USE_PYTHON
u8* module_name = getenv("AFL_PYTHON_MODULE"); u8 *module_name = getenv("AFL_PYTHON_MODULE");
if (module_name) { if (module_name) {
@ -75,7 +75,7 @@ void setup_custom_mutator(afl_state_t* afl) {
} }
void destroy_custom_mutator(afl_state_t* afl) { void destroy_custom_mutator(afl_state_t *afl) {
if (afl->mutator) { if (afl->mutator) {
@ -96,9 +96,9 @@ void destroy_custom_mutator(afl_state_t* afl) {
} }
void load_custom_mutator(afl_state_t* afl, const char* fn) { void load_custom_mutator(afl_state_t *afl, const char *fn) {
void* dh; void *dh;
afl->mutator = ck_alloc(sizeof(struct custom_mutator)); afl->mutator = ck_alloc(sizeof(struct custom_mutator));
afl->mutator->name = fn; afl->mutator->name = fn;
@ -190,7 +190,7 @@ void load_custom_mutator(afl_state_t* afl, const char* fn) {
} }
u8 trim_case_custom(afl_state_t* afl, struct queue_entry* q, u8* in_buf) { u8 trim_case_custom(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
static u8 tmp[64]; static u8 tmp[64];
static u8 clean_trace[MAP_SIZE]; static u8 clean_trace[MAP_SIZE];
@ -216,7 +216,7 @@ u8 trim_case_custom(afl_state_t* afl, struct queue_entry* q, u8* in_buf) {
u32 cksum; u32 cksum;
u8* retbuf = NULL; u8 *retbuf = NULL;
size_t retlen = 0; size_t retlen = 0;
afl->mutator->afl_custom_trim(afl, &retbuf, &retlen); afl->mutator->afl_custom_trim(afl, &retbuf, &retlen);
@ -312,9 +312,9 @@ abort_trimming:
} }
#ifdef USE_PYTHON #ifdef USE_PYTHON
void load_custom_mutator_py(afl_state_t* afl, const char* module_name) { void load_custom_mutator_py(afl_state_t *afl, const char *module_name) {
PyObject** py_functions = afl->py_functions; PyObject **py_functions = afl->py_functions;
afl->mutator = ck_alloc(sizeof(struct custom_mutator)); afl->mutator = ck_alloc(sizeof(struct custom_mutator));

218
src/afl-fuzz-one.c
View File

@ -27,7 +27,7 @@
/* MOpt */ /* MOpt */
int select_algorithm(afl_state_t* afl) { int select_algorithm(afl_state_t *afl) {
int i_puppet, j_puppet; int i_puppet, j_puppet;
@ -62,7 +62,7 @@ int select_algorithm(afl_state_t* afl) {
/* Helper to choose random block len for block operations in fuzz_one(). /* Helper to choose random block len for block operations in fuzz_one().
Doesn't return zero, provided that max_len is > 0. */ Doesn't return zero, provided that max_len is > 0. */
static u32 choose_block_len(afl_state_t* afl, u32 limit) { static u32 choose_block_len(afl_state_t *afl, u32 limit) {
u32 min_value, max_value; u32 min_value, max_value;
u32 rlim = MIN(afl->queue_cycle, 3); u32 rlim = MIN(afl->queue_cycle, 3);
@ -305,7 +305,7 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) {
/* Helper function to compare buffers; returns first and last differing offset. /* Helper function to compare buffers; returns first and last differing offset.
We use this to find reasonable locations for splicing two files. */ We use this to find reasonable locations for splicing two files. */
static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { static void locate_diffs(u8 *ptr1, u8 *ptr2, u32 len, s32 *first, s32 *last) {
s32 f_loc = -1; s32 f_loc = -1;
s32 l_loc = -1; s32 l_loc = -1;
@ -335,7 +335,7 @@ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) {
function is a tad too long... returns 0 if fuzzed successfully, 1 if function is a tad too long... returns 0 if fuzzed successfully, 1 if
skipped or bailed out. */ skipped or bailed out. */
u8 fuzz_one_original(afl_state_t* afl) { u8 fuzz_one_original(afl_state_t *afl) {
s32 len, fd, temp_len, i, j; s32 len, fd, temp_len, i, j;
u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0;
@ -538,7 +538,7 @@ u8 fuzz_one_original(afl_state_t* afl) {
#define FLIP_BIT(_ar, _b) \ #define FLIP_BIT(_ar, _b) \
do { \ do { \
\ \
u8* _arf = (u8*)(_ar); \ u8 *_arf = (u8 *)(_ar); \
u32 _bf = (_b); \ u32 _bf = (_b); \
_arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \ _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \
\ \
@ -820,12 +820,12 @@ u8 fuzz_one_original(afl_state_t* afl) {
afl->stage_cur_byte = i; afl->stage_cur_byte = i;
*(u16*)(out_buf + i) ^= 0xFFFF; *(u16 *)(out_buf + i) ^= 0xFFFF;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
*(u16*)(out_buf + i) ^= 0xFFFF; *(u16 *)(out_buf + i) ^= 0xFFFF;
} }
@ -858,12 +858,12 @@ u8 fuzz_one_original(afl_state_t* afl) {
afl->stage_cur_byte = i; afl->stage_cur_byte = i;
*(u32*)(out_buf + i) ^= 0xFFFFFFFF; *(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
*(u32*)(out_buf + i) ^= 0xFFFFFFFF; *(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
} }
@ -963,7 +963,7 @@ skip_bitflip:
for (i = 0; i < len - 1; ++i) { for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16*)(out_buf + i); u16 orig = *(u16 *)(out_buf + i);
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -992,7 +992,7 @@ skip_bitflip:
if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) {
afl->stage_cur_val = j; afl->stage_cur_val = j;
*(u16*)(out_buf + i) = orig + j; *(u16 *)(out_buf + i) = orig + j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1004,7 +1004,7 @@ skip_bitflip:
if ((orig & 0xff) < j && !could_be_bitflip(r2)) { if ((orig & 0xff) < j && !could_be_bitflip(r2)) {
afl->stage_cur_val = -j; afl->stage_cur_val = -j;
*(u16*)(out_buf + i) = orig - j; *(u16 *)(out_buf + i) = orig - j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1020,7 +1020,7 @@ skip_bitflip:
if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) {
afl->stage_cur_val = j; afl->stage_cur_val = j;
*(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1032,7 +1032,7 @@ skip_bitflip:
if ((orig >> 8) < j && !could_be_bitflip(r4)) { if ((orig >> 8) < j && !could_be_bitflip(r4)) {
afl->stage_cur_val = -j; afl->stage_cur_val = -j;
*(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1041,7 +1041,7 @@ skip_bitflip:
--afl->stage_max; --afl->stage_max;
*(u16*)(out_buf + i) = orig; *(u16 *)(out_buf + i) = orig;
} }
@ -1065,7 +1065,7 @@ skip_bitflip:
for (i = 0; i < len - 3; ++i) { for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32*)(out_buf + i); u32 orig = *(u32 *)(out_buf + i);
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -1093,7 +1093,7 @@ skip_bitflip:
if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {
afl->stage_cur_val = j; afl->stage_cur_val = j;
*(u32*)(out_buf + i) = orig + j; *(u32 *)(out_buf + i) = orig + j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1105,7 +1105,7 @@ skip_bitflip:
if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { if ((orig & 0xffff) < j && !could_be_bitflip(r2)) {
afl->stage_cur_val = -j; afl->stage_cur_val = -j;
*(u32*)(out_buf + i) = orig - j; *(u32 *)(out_buf + i) = orig - j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1121,7 +1121,7 @@ skip_bitflip:
if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) {
afl->stage_cur_val = j; afl->stage_cur_val = j;
*(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1133,7 +1133,7 @@ skip_bitflip:
if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) {
afl->stage_cur_val = -j; afl->stage_cur_val = -j;
*(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1142,7 +1142,7 @@ skip_bitflip:
--afl->stage_max; --afl->stage_max;
*(u32*)(out_buf + i) = orig; *(u32 *)(out_buf + i) = orig;
} }
@ -1227,7 +1227,7 @@ skip_arith:
for (i = 0; i < len - 1; ++i) { for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16*)(out_buf + i); u16 orig = *(u16 *)(out_buf + i);
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -1253,7 +1253,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_LE; afl->stage_val_type = STAGE_VAL_LE;
*(u16*)(out_buf + i) = interesting_16[j]; *(u16 *)(out_buf + i) = interesting_16[j];
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1269,7 +1269,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE; afl->stage_val_type = STAGE_VAL_BE;
*(u16*)(out_buf + i) = SWAP16(interesting_16[j]); *(u16 *)(out_buf + i) = SWAP16(interesting_16[j]);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1279,7 +1279,7 @@ skip_arith:
} }
*(u16*)(out_buf + i) = orig; *(u16 *)(out_buf + i) = orig;
} }
@ -1301,7 +1301,7 @@ skip_arith:
for (i = 0; i < len - 3; i++) { for (i = 0; i < len - 3; i++) {
u32 orig = *(u32*)(out_buf + i); u32 orig = *(u32 *)(out_buf + i);
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -1328,7 +1328,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_LE; afl->stage_val_type = STAGE_VAL_LE;
*(u32*)(out_buf + i) = interesting_32[j]; *(u32 *)(out_buf + i) = interesting_32[j];
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1344,7 +1344,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE; afl->stage_val_type = STAGE_VAL_BE;
*(u32*)(out_buf + i) = SWAP32(interesting_32[j]); *(u32 *)(out_buf + i) = SWAP32(interesting_32[j]);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -1354,7 +1354,7 @@ skip_arith:
} }
*(u32*)(out_buf + i) = orig; *(u32 *)(out_buf + i) = orig;
} }
@ -1565,9 +1565,9 @@ custom_mutator_stage:
for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
struct queue_entry* target; struct queue_entry *target;
u32 tid; u32 tid;
u8* new_buf; u8 *new_buf;
retry_external_pick: retry_external_pick:
/* Pick a random other queue entry for passing to external API */ /* Pick a random other queue entry for passing to external API */
@ -1751,12 +1751,12 @@ havoc_stage:
if (UR(afl, 2)) { if (UR(afl, 2)) {
*(u16*)(out_buf + UR(afl, temp_len - 1)) = *(u16 *)(out_buf + UR(afl, temp_len - 1)) =
interesting_16[UR(afl, sizeof(interesting_16) >> 1)]; interesting_16[UR(afl, sizeof(interesting_16) >> 1)];
} else { } else {
*(u16*)(out_buf + UR(afl, temp_len - 1)) = *(u16 *)(out_buf + UR(afl, temp_len - 1)) =
SWAP16(interesting_16[UR(afl, sizeof(interesting_16) >> 1)]); SWAP16(interesting_16[UR(afl, sizeof(interesting_16) >> 1)]);
} }
@ -1771,12 +1771,12 @@ havoc_stage:
if (UR(afl, 2)) { if (UR(afl, 2)) {
*(u32*)(out_buf + UR(afl, temp_len - 3)) = *(u32 *)(out_buf + UR(afl, temp_len - 3)) =
interesting_32[UR(afl, sizeof(interesting_32) >> 2)]; interesting_32[UR(afl, sizeof(interesting_32) >> 2)];
} else { } else {
*(u32*)(out_buf + UR(afl, temp_len - 3)) = *(u32 *)(out_buf + UR(afl, temp_len - 3)) =
SWAP32(interesting_32[UR(afl, sizeof(interesting_32) >> 2)]); SWAP32(interesting_32[UR(afl, sizeof(interesting_32) >> 2)]);
} }
@ -1807,15 +1807,15 @@ havoc_stage:
u32 pos = UR(afl, temp_len - 1); u32 pos = UR(afl, temp_len - 1);
*(u16*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); *(u16 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
} else { } else {
u32 pos = UR(afl, temp_len - 1); u32 pos = UR(afl, temp_len - 1);
u16 num = 1 + UR(afl, ARITH_MAX); u16 num = 1 + UR(afl, ARITH_MAX);
*(u16*)(out_buf + pos) = *(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num);
} }
@ -1831,15 +1831,15 @@ havoc_stage:
u32 pos = UR(afl, temp_len - 1); u32 pos = UR(afl, temp_len - 1);
*(u16*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); *(u16 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
} else { } else {
u32 pos = UR(afl, temp_len - 1); u32 pos = UR(afl, temp_len - 1);
u16 num = 1 + UR(afl, ARITH_MAX); u16 num = 1 + UR(afl, ARITH_MAX);
*(u16*)(out_buf + pos) = *(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num);
} }
@ -1855,15 +1855,15 @@ havoc_stage:
u32 pos = UR(afl, temp_len - 3); u32 pos = UR(afl, temp_len - 3);
*(u32*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); *(u32 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
} else { } else {
u32 pos = UR(afl, temp_len - 3); u32 pos = UR(afl, temp_len - 3);
u32 num = 1 + UR(afl, ARITH_MAX); u32 num = 1 + UR(afl, ARITH_MAX);
*(u32*)(out_buf + pos) = *(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num);
} }
@ -1879,15 +1879,15 @@ havoc_stage:
u32 pos = UR(afl, temp_len - 3); u32 pos = UR(afl, temp_len - 3);
*(u32*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); *(u32 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
} else { } else {
u32 pos = UR(afl, temp_len - 3); u32 pos = UR(afl, temp_len - 3);
u32 num = 1 + UR(afl, ARITH_MAX); u32 num = 1 + UR(afl, ARITH_MAX);
*(u32*)(out_buf + pos) = *(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num);
} }
@ -1935,7 +1935,7 @@ havoc_stage:
u8 actually_clone = UR(afl, 4); u8 actually_clone = UR(afl, 4);
u32 clone_from, clone_to, clone_len; u32 clone_from, clone_to, clone_len;
u8* new_buf; u8 *new_buf;
if (actually_clone) { if (actually_clone) {
@ -2051,7 +2051,7 @@ havoc_stage:
case 16: { case 16: {
u32 use_extra, extra_len, insert_at = UR(afl, temp_len + 1); u32 use_extra, extra_len, insert_at = UR(afl, temp_len + 1);
u8* new_buf; u8 *new_buf;
/* Insert an extra. Do the same dice-rolling stuff as for the /* Insert an extra. Do the same dice-rolling stuff as for the
previous case. */ previous case. */
@ -2162,10 +2162,10 @@ retry_splicing:
if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES && if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES &&
afl->queued_paths > 1 && afl->queue_cur->len > 1) { afl->queued_paths > 1 && afl->queue_cur->len > 1) {
struct queue_entry* target; struct queue_entry *target;
u32 tid, split_at; u32 tid, split_at;
u8* new_buf; u8 *new_buf;
s32 f_diff, l_diff; s32 f_diff, l_diff;
/* First of all, if we've modified in_buf for havoc, let's clean that /* First of all, if we've modified in_buf for havoc, let's clean that
up... */ up... */
@ -2275,12 +2275,12 @@ radamsa_stage:
orig_hit_cnt = afl->queued_paths + afl->unique_crashes; orig_hit_cnt = afl->queued_paths + afl->unique_crashes;
/* Read the additional testcase into a new buffer. */ /* Read the additional testcase into a new buffer. */
u8* save_buf = ck_alloc_nozero(len); u8 *save_buf = ck_alloc_nozero(len);
memcpy(save_buf, out_buf, len); memcpy(save_buf, out_buf, len);
u32 max_len = len + choose_block_len(afl, HAVOC_BLK_XL); u32 max_len = len + choose_block_len(afl, HAVOC_BLK_XL);
u8* new_buf = ck_alloc_nozero(max_len); u8 *new_buf = ck_alloc_nozero(max_len);
u8* tmp_buf; u8 *tmp_buf;
for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) { for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
@ -2352,7 +2352,7 @@ abandon_entry:
} }
/* MOpt mode */ /* MOpt mode */
u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) { u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
if (!MOpt_globals.is_pilot_mode) { if (!MOpt_globals.is_pilot_mode) {
@ -2544,7 +2544,7 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) {
#define FLIP_BIT(_ar, _b) \ #define FLIP_BIT(_ar, _b) \
do { \ do { \
\ \
u8* _arf = (u8*)(_ar); \ u8 *_arf = (u8 *)(_ar); \
u32 _bf = (_b); \ u32 _bf = (_b); \
_arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \ _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7)); \
\ \
@ -2826,12 +2826,12 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) {
afl->stage_cur_byte = i; afl->stage_cur_byte = i;
*(u16*)(out_buf + i) ^= 0xFFFF; *(u16 *)(out_buf + i) ^= 0xFFFF;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
*(u16*)(out_buf + i) ^= 0xFFFF; *(u16 *)(out_buf + i) ^= 0xFFFF;
} /* for i = 0; i < len */ } /* for i = 0; i < len */
@ -2864,12 +2864,12 @@ u8 mopt_common_fuzzing(afl_state_t* afl, MOpt_globals_t MOpt_globals) {
afl->stage_cur_byte = i; afl->stage_cur_byte = i;
*(u32*)(out_buf + i) ^= 0xFFFFFFFF; *(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
*(u32*)(out_buf + i) ^= 0xFFFFFFFF; *(u32 *)(out_buf + i) ^= 0xFFFFFFFF;
} /* for i = 0; i < len - 3 */ } /* for i = 0; i < len - 3 */
@ -2969,7 +2969,7 @@ skip_bitflip:
for (i = 0; i < len - 1; ++i) { for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16*)(out_buf + i); u16 orig = *(u16 *)(out_buf + i);
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -2998,7 +2998,7 @@ skip_bitflip:
if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) {
afl->stage_cur_val = j; afl->stage_cur_val = j;
*(u16*)(out_buf + i) = orig + j; *(u16 *)(out_buf + i) = orig + j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3010,7 +3010,7 @@ skip_bitflip:
if ((orig & 0xff) < j && !could_be_bitflip(r2)) { if ((orig & 0xff) < j && !could_be_bitflip(r2)) {
afl->stage_cur_val = -j; afl->stage_cur_val = -j;
*(u16*)(out_buf + i) = orig - j; *(u16 *)(out_buf + i) = orig - j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3026,7 +3026,7 @@ skip_bitflip:
if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) {
afl->stage_cur_val = j; afl->stage_cur_val = j;
*(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) + j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3038,7 +3038,7 @@ skip_bitflip:
if ((orig >> 8) < j && !could_be_bitflip(r4)) { if ((orig >> 8) < j && !could_be_bitflip(r4)) {
afl->stage_cur_val = -j; afl->stage_cur_val = -j;
*(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); *(u16 *)(out_buf + i) = SWAP16(SWAP16(orig) - j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3047,7 +3047,7 @@ skip_bitflip:
--afl->stage_max; --afl->stage_max;
*(u16*)(out_buf + i) = orig; *(u16 *)(out_buf + i) = orig;
} }
@ -3071,7 +3071,7 @@ skip_bitflip:
for (i = 0; i < len - 3; ++i) { for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32*)(out_buf + i); u32 orig = *(u32 *)(out_buf + i);
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -3099,7 +3099,7 @@ skip_bitflip:
if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {
afl->stage_cur_val = j; afl->stage_cur_val = j;
*(u32*)(out_buf + i) = orig + j; *(u32 *)(out_buf + i) = orig + j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3111,7 +3111,7 @@ skip_bitflip:
if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { if ((orig & 0xffff) < j && !could_be_bitflip(r2)) {
afl->stage_cur_val = -j; afl->stage_cur_val = -j;
*(u32*)(out_buf + i) = orig - j; *(u32 *)(out_buf + i) = orig - j;
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3127,7 +3127,7 @@ skip_bitflip:
if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) {
afl->stage_cur_val = j; afl->stage_cur_val = j;
*(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) + j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3139,7 +3139,7 @@ skip_bitflip:
if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) {
afl->stage_cur_val = -j; afl->stage_cur_val = -j;
*(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); *(u32 *)(out_buf + i) = SWAP32(SWAP32(orig) - j);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3148,7 +3148,7 @@ skip_bitflip:
--afl->stage_max; --afl->stage_max;
*(u32*)(out_buf + i) = orig; *(u32 *)(out_buf + i) = orig;
} }
@ -3233,7 +3233,7 @@ skip_arith:
for (i = 0; i < len - 1; ++i) { for (i = 0; i < len - 1; ++i) {
u16 orig = *(u16*)(out_buf + i); u16 orig = *(u16 *)(out_buf + i);
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -3259,7 +3259,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_LE; afl->stage_val_type = STAGE_VAL_LE;
*(u16*)(out_buf + i) = interesting_16[j]; *(u16 *)(out_buf + i) = interesting_16[j];
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3275,7 +3275,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE; afl->stage_val_type = STAGE_VAL_BE;
*(u16*)(out_buf + i) = SWAP16(interesting_16[j]); *(u16 *)(out_buf + i) = SWAP16(interesting_16[j]);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3285,7 +3285,7 @@ skip_arith:
} }
*(u16*)(out_buf + i) = orig; *(u16 *)(out_buf + i) = orig;
} /* for i = 0; i < len - 1 */ } /* for i = 0; i < len - 1 */
@ -3307,7 +3307,7 @@ skip_arith:
for (i = 0; i < len - 3; ++i) { for (i = 0; i < len - 3; ++i) {
u32 orig = *(u32*)(out_buf + i); u32 orig = *(u32 *)(out_buf + i);
/* Let's consult the effector map... */ /* Let's consult the effector map... */
@ -3334,7 +3334,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_LE; afl->stage_val_type = STAGE_VAL_LE;
*(u32*)(out_buf + i) = interesting_32[j]; *(u32 *)(out_buf + i) = interesting_32[j];
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3350,7 +3350,7 @@ skip_arith:
afl->stage_val_type = STAGE_VAL_BE; afl->stage_val_type = STAGE_VAL_BE;
*(u32*)(out_buf + i) = SWAP32(interesting_32[j]); *(u32 *)(out_buf + i) = SWAP32(interesting_32[j]);
if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry; if (common_fuzz_stuff(afl, out_buf, len)) goto abandon_entry;
++afl->stage_cur; ++afl->stage_cur;
@ -3360,7 +3360,7 @@ skip_arith:
} }
*(u32*)(out_buf + i) = orig; *(u32 *)(out_buf + i) = orig;
} /* for i = 0; i < len - 3 */ } /* for i = 0; i < len - 3 */
@ -3688,13 +3688,13 @@ pacemaker_fuzzing:
case 4: case 4:
if (temp_len < 8) break; if (temp_len < 8) break;
*(u16*)(out_buf + UR(afl, temp_len - 1)) ^= 0xFFFF; *(u16 *)(out_buf + UR(afl, temp_len - 1)) ^= 0xFFFF;
MOpt_globals.cycles_v2[STAGE_FLIP16] += 1; MOpt_globals.cycles_v2[STAGE_FLIP16] += 1;
break; break;
case 5: case 5:
if (temp_len < 8) break; if (temp_len < 8) break;
*(u32*)(out_buf + UR(afl, temp_len - 3)) ^= 0xFFFFFFFF; *(u32 *)(out_buf + UR(afl, temp_len - 3)) ^= 0xFFFFFFFF;
MOpt_globals.cycles_v2[STAGE_FLIP32] += 1; MOpt_globals.cycles_v2[STAGE_FLIP32] += 1;
break; break;
@ -3710,14 +3710,14 @@ pacemaker_fuzzing:
if (UR(afl, 2)) { if (UR(afl, 2)) {
u32 pos = UR(afl, temp_len - 1); u32 pos = UR(afl, temp_len - 1);
*(u16*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); *(u16 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
} else { } else {
u32 pos = UR(afl, temp_len - 1); u32 pos = UR(afl, temp_len - 1);
u16 num = 1 + UR(afl, ARITH_MAX); u16 num = 1 + UR(afl, ARITH_MAX);
*(u16*)(out_buf + pos) = *(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); SWAP16(SWAP16(*(u16 *)(out_buf + pos)) - num);
} }
@ -3725,14 +3725,14 @@ pacemaker_fuzzing:
if (UR(afl, 2)) { if (UR(afl, 2)) {
u32 pos = UR(afl, temp_len - 1); u32 pos = UR(afl, temp_len - 1);
*(u16*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); *(u16 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
} else { } else {
u32 pos = UR(afl, temp_len - 1); u32 pos = UR(afl, temp_len - 1);
u16 num = 1 + UR(afl, ARITH_MAX); u16 num = 1 + UR(afl, ARITH_MAX);
*(u16*)(out_buf + pos) = *(u16 *)(out_buf + pos) =
SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); SWAP16(SWAP16(*(u16 *)(out_buf + pos)) + num);
} }
@ -3745,14 +3745,14 @@ pacemaker_fuzzing:
if (UR(afl, 2)) { if (UR(afl, 2)) {
u32 pos = UR(afl, temp_len - 3); u32 pos = UR(afl, temp_len - 3);
*(u32*)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX); *(u32 *)(out_buf + pos) -= 1 + UR(afl, ARITH_MAX);
} else { } else {
u32 pos = UR(afl, temp_len - 3); u32 pos = UR(afl, temp_len - 3);
u32 num = 1 + UR(afl, ARITH_MAX); u32 num = 1 + UR(afl, ARITH_MAX);
*(u32*)(out_buf + pos) = *(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); SWAP32(SWAP32(*(u32 *)(out_buf + pos)) - num);
} }
@ -3761,14 +3761,14 @@ pacemaker_fuzzing:
if (UR(afl, 2)) { if (UR(afl, 2)) {
u32 pos = UR(afl, temp_len - 3); u32 pos = UR(afl, temp_len - 3);
*(u32*)(out_buf + pos) += 1 + UR(afl, ARITH_MAX); *(u32 *)(out_buf + pos) += 1 + UR(afl, ARITH_MAX);
} else { } else {
u32 pos = UR(afl, temp_len - 3); u32 pos = UR(afl, temp_len - 3);
u32 num = 1 + UR(afl, ARITH_MAX); u32 num = 1 + UR(afl, ARITH_MAX);
*(u32*)(out_buf + pos) = *(u32 *)(out_buf + pos) =
SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); SWAP32(SWAP32(*(u32 *)(out_buf + pos)) + num);
} }
@ -3788,12 +3788,12 @@ pacemaker_fuzzing:
if (temp_len < 8) break; if (temp_len < 8) break;
if (UR(afl, 2)) { if (UR(afl, 2)) {
*(u16*)(out_buf + UR(afl, temp_len - 1)) = *(u16 *)(out_buf + UR(afl, temp_len - 1)) =
interesting_16[UR(afl, sizeof(interesting_16) >> 1)]; interesting_16[UR(afl, sizeof(interesting_16) >> 1)];
} else { } else {
*(u16*)(out_buf + UR(afl, temp_len - 1)) = SWAP16( *(u16 *)(out_buf + UR(afl, temp_len - 1)) = SWAP16(
interesting_16[UR(afl, sizeof(interesting_16) >> 1)]); interesting_16[UR(afl, sizeof(interesting_16) >> 1)]);
} }
@ -3808,12 +3808,12 @@ pacemaker_fuzzing:
if (UR(afl, 2)) { if (UR(afl, 2)) {
*(u32*)(out_buf + UR(afl, temp_len - 3)) = *(u32 *)(out_buf + UR(afl, temp_len - 3)) =
interesting_32[UR(afl, sizeof(interesting_32) >> 2)]; interesting_32[UR(afl, sizeof(interesting_32) >> 2)];
} else { } else {
*(u32*)(out_buf + UR(afl, temp_len - 3)) = SWAP32( *(u32 *)(out_buf + UR(afl, temp_len - 3)) = SWAP32(
interesting_32[UR(afl, sizeof(interesting_32) >> 2)]); interesting_32[UR(afl, sizeof(interesting_32) >> 2)]);
} }
@ -3865,7 +3865,7 @@ pacemaker_fuzzing:
u8 actually_clone = UR(afl, 4); u8 actually_clone = UR(afl, 4);
u32 clone_from, clone_to, clone_len; u32 clone_from, clone_to, clone_len;
u8* new_buf; u8 *new_buf;
if (actually_clone) { if (actually_clone) {
@ -4020,9 +4020,9 @@ pacemaker_fuzzing:
if (afl->use_splicing && splice_cycle++ < afl->SPLICE_CYCLES_puppet && if (afl->use_splicing && splice_cycle++ < afl->SPLICE_CYCLES_puppet &&
afl->queued_paths > 1 && afl->queue_cur->len > 1) { afl->queued_paths > 1 && afl->queue_cur->len > 1) {
struct queue_entry* target; struct queue_entry *target;
u32 tid, split_at; u32 tid, split_at;
u8* new_buf; u8 * new_buf;
s32 f_diff, l_diff; s32 f_diff, l_diff;
/* First of all, if we've modified in_buf for havoc, let's clean that /* First of all, if we've modified in_buf for havoc, let's clean that
@ -4268,19 +4268,19 @@ pacemaker_fuzzing:
#undef FLIP_BIT #undef FLIP_BIT
u8 core_fuzzing(afl_state_t* afl) { u8 core_fuzzing(afl_state_t *afl) {
return mopt_common_fuzzing(afl, afl->mopt_globals_core); return mopt_common_fuzzing(afl, afl->mopt_globals_core);
} }
u8 pilot_fuzzing(afl_state_t* afl) { u8 pilot_fuzzing(afl_state_t *afl) {
return mopt_common_fuzzing(afl, afl->mopt_globals_pilot); return mopt_common_fuzzing(afl, afl->mopt_globals_pilot);
} }
void pso_updating(afl_state_t* afl) { void pso_updating(afl_state_t *afl) {
afl->g_now += 1; afl->g_now += 1;
if (afl->g_now > afl->g_max) afl->g_now = 0; if (afl->g_now > afl->g_max) afl->g_now = 0;
@ -4358,14 +4358,14 @@ void pso_updating(afl_state_t* afl) {
to fuzz_one_original. All documentation references to fuzz_one therefore to fuzz_one_original. All documentation references to fuzz_one therefore
mean fuzz_one_original */ mean fuzz_one_original */
u8 fuzz_one(afl_state_t* afl) { u8 fuzz_one(afl_state_t *afl) {
int key_val_lv = 0; int key_val_lv = 0;
#ifdef _AFL_DOCUMENT_MUTATIONS #ifdef _AFL_DOCUMENT_MUTATIONS
if (afl->do_document == 0) { if (afl->do_document == 0) {
char* fn = alloc_printf("%s/mutations", afl->out_dir); char *fn = alloc_printf("%s/mutations", afl->out_dir);
if (fn) { if (fn) {
afl->do_document = mkdir(fn, 0700); // if it exists we do not care afl->do_document = mkdir(fn, 0700); // if it exists we do not care

2
src/afl-fuzz-python.c
View File

@ -43,7 +43,7 @@ int init_py_module(afl_state_t *afl, u8 *module_name) {
afl->py_module = PyImport_Import(py_name); afl->py_module = PyImport_Import(py_name);
Py_DECREF(py_name); Py_DECREF(py_name);
PyObject * py_module = afl->py_module; PyObject *py_module = afl->py_module;
PyObject **py_functions = afl->py_functions; PyObject **py_functions = afl->py_functions;
if (afl->py_module != NULL) { if (afl->py_module != NULL) {

28
src/afl-fuzz-queue.c
View File

@ -28,9 +28,9 @@
.state file to avoid repeating deterministic fuzzing when resuming aborted .state file to avoid repeating deterministic fuzzing when resuming aborted
scans. */ scans. */
void mark_as_det_done(afl_state_t* afl, struct queue_entry* q) { void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) {
u8* fn = strrchr(q->fname, '/'); u8 *fn = strrchr(q->fname, '/');
s32 fd; s32 fd;
fn = alloc_printf("%s/queue/.state/deterministic_done/%s", afl->out_dir, fn = alloc_printf("%s/queue/.state/deterministic_done/%s", afl->out_dir,
@ -49,7 +49,7 @@ void mark_as_det_done(afl_state_t* afl, struct queue_entry* q) {
/* Mark as variable. Create symlinks if possible to make it easier to examine /* Mark as variable. Create symlinks if possible to make it easier to examine
the files. */ the files. */
void mark_as_variable(afl_state_t* afl, struct queue_entry* q) { void mark_as_variable(afl_state_t *afl, struct queue_entry *q) {
u8 *fn = strrchr(q->fname, '/') + 1, *ldest; u8 *fn = strrchr(q->fname, '/') + 1, *ldest;
@ -74,9 +74,9 @@ void mark_as_variable(afl_state_t* afl, struct queue_entry* q) {
/* Mark / unmark as redundant (edge-only). This is not used for restoring state, /* Mark / unmark as redundant (edge-only). This is not used for restoring state,
but may be useful for post-processing datasets. */ but may be useful for post-processing datasets. */
void mark_as_redundant(afl_state_t* afl, struct queue_entry* q, u8 state) { void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
u8* fn; u8 *fn;
if (state == q->fs_redundant) return; if (state == q->fs_redundant) return;
@ -105,9 +105,9 @@ void mark_as_redundant(afl_state_t* afl, struct queue_entry* q, u8 state) {
/* Append new test case to the queue. */ /* Append new test case to the queue. */
void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) { void add_to_queue(afl_state_t *afl, u8 *fname, u32 len, u8 passed_det) {
struct queue_entry* q = ck_alloc(sizeof(struct queue_entry)); struct queue_entry *q = ck_alloc(sizeof(struct queue_entry));
q->fname = fname; q->fname = fname;
q->len = len; q->len = len;
@ -142,7 +142,7 @@ void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) {
if (afl->mutator && afl->mutator->afl_custom_queue_new_entry) { if (afl->mutator && afl->mutator->afl_custom_queue_new_entry) {
u8* fname_orig = NULL; u8 *fname_orig = NULL;
/* At the initialization stage, queue_cur is NULL */ /* At the initialization stage, queue_cur is NULL */
if (afl->queue_cur) fname_orig = afl->queue_cur->fname; if (afl->queue_cur) fname_orig = afl->queue_cur->fname;
@ -155,7 +155,7 @@ void add_to_queue(afl_state_t* afl, u8* fname, u32 len, u8 passed_det) {
/* Destroy the entire queue. */ /* Destroy the entire queue. */
void destroy_queue(afl_state_t* afl) { void destroy_queue(afl_state_t *afl) {
struct queue_entry *q = afl->queue, *n; struct queue_entry *q = afl->queue, *n;
@ -182,7 +182,7 @@ void destroy_queue(afl_state_t* afl) {
previous contender, or if the contender has a more favorable speed x size previous contender, or if the contender has a more favorable speed x size
factor. */ factor. */
void update_bitmap_score(afl_state_t* afl, struct queue_entry* q) { void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
u32 i; u32 i;
u64 fav_factor = q->exec_us * q->len; u64 fav_factor = q->exec_us * q->len;
@ -251,9 +251,9 @@ void update_bitmap_score(afl_state_t* afl, struct queue_entry* q) {
until the next run. The favored entries are given more air time during until the next run. The favored entries are given more air time during
all fuzzing steps. */ all fuzzing steps. */
void cull_queue(afl_state_t* afl) { void cull_queue(afl_state_t *afl) {
struct queue_entry* q; struct queue_entry *q;
static u8 temp_v[MAP_SIZE >> 3]; static u8 temp_v[MAP_SIZE >> 3];
u32 i; u32 i;
@ -312,7 +312,7 @@ void cull_queue(afl_state_t* afl) {
A helper function for fuzz_one(). Maybe some of these constants should A helper function for fuzz_one(). Maybe some of these constants should
go into config.h. */ go into config.h. */
u32 calculate_score(afl_state_t* afl, struct queue_entry* q) { u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
u32 avg_exec_us = afl->total_cal_us / afl->total_cal_cycles; u32 avg_exec_us = afl->total_cal_us / afl->total_cal_cycles;
u32 avg_bitmap_size = afl->total_bitmap_size / afl->total_bitmap_entries; u32 avg_bitmap_size = afl->total_bitmap_size / afl->total_bitmap_entries;
@ -405,7 +405,7 @@ u32 calculate_score(afl_state_t* afl, struct queue_entry* q) {
fuzz_total = 0; fuzz_total = 0;
n_paths = 0; n_paths = 0;
struct queue_entry* queue_it = afl->queue; struct queue_entry *queue_it = afl->queue;
while (queue_it) { while (queue_it) {
fuzz_total += queue_it->n_fuzz; fuzz_total += queue_it->n_fuzz;

78
src/afl-fuzz-redqueen.c
View File

@ -33,13 +33,13 @@ struct range {
u32 start; u32 start;
u32 end; u32 end;
struct range* next; struct range *next;
}; };
struct range* add_range(struct range* ranges, u32 start, u32 end) { struct range *add_range(struct range *ranges, u32 start, u32 end) {
struct range* r = ck_alloc_nozero(sizeof(struct range)); struct range *r = ck_alloc_nozero(sizeof(struct range));
r->start = start; r->start = start;
r->end = end; r->end = end;
r->next = ranges; r->next = ranges;
@ -47,12 +47,12 @@ struct range* add_range(struct range* ranges, u32 start, u32 end) {
} }
struct range* pop_biggest_range(struct range** ranges) { struct range *pop_biggest_range(struct range **ranges) {
struct range* r = *ranges; struct range *r = *ranges;
struct range* prev = NULL; struct range *prev = NULL;
struct range* rmax = NULL; struct range *rmax = NULL;
struct range* prev_rmax = NULL; struct range *prev_rmax = NULL;
u32 max_size = 0; u32 max_size = 0;
while (r) { while (r) {
@ -84,7 +84,7 @@ struct range* pop_biggest_range(struct range** ranges) {
} }
static u8 get_exec_checksum(afl_state_t* afl, u8* buf, u32 len, u32* cksum) { static u8 get_exec_checksum(afl_state_t *afl, u8 *buf, u32 len, u32 *cksum) {
if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1; if (unlikely(common_fuzz_stuff(afl, buf, len))) return 1;
@ -93,7 +93,7 @@ static u8 get_exec_checksum(afl_state_t* afl, u8* buf, u32 len, u32* cksum) {
} }
static void rand_replace(afl_state_t* afl, u8* buf, u32 len) { static void rand_replace(afl_state_t *afl, u8 *buf, u32 len) {
u32 i; u32 i;
for (i = 0; i < len; ++i) for (i = 0; i < len; ++i)
@ -101,10 +101,10 @@ static void rand_replace(afl_state_t* afl, u8* buf, u32 len) {
} }
static u8 colorization(afl_state_t* afl, u8* buf, u32 len, u32 exec_cksum) { static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
struct range* ranges = add_range(NULL, 0, len); struct range *ranges = add_range(NULL, 0, len);
u8* backup = ck_alloc_nozero(len); u8 * backup = ck_alloc_nozero(len);
u8 needs_write = 0; u8 needs_write = 0;
@ -115,7 +115,7 @@ static u8 colorization(afl_state_t* afl, u8* buf, u32 len, u32 exec_cksum) {
afl->stage_short = "colorization"; afl->stage_short = "colorization";
afl->stage_max = 1000; afl->stage_max = 1000;
struct range* rng; struct range *rng;
afl->stage_cur = 0; afl->stage_cur = 0;
while ((rng = pop_biggest_range(&ranges)) != NULL && while ((rng = pop_biggest_range(&ranges)) != NULL &&
afl->stage_cur < afl->stage_max) { afl->stage_cur < afl->stage_max) {
@ -205,7 +205,7 @@ checksum_fail:
///// Input to State replacement ///// Input to State replacement
static u8 its_fuzz(afl_state_t* afl, u8* buf, u32 len, u8* status) { static u8 its_fuzz(afl_state_t *afl, u8 *buf, u32 len, u8 *status) {
u64 orig_hit_cnt, new_hit_cnt; u64 orig_hit_cnt, new_hit_cnt;
@ -224,13 +224,13 @@ static u8 its_fuzz(afl_state_t* afl, u8* buf, u32 len, u8* status) {
} }
static u8 cmp_extend_encoding(afl_state_t* afl, struct cmp_header* h, static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u64 pattern, u64 repl, u32 idx, u8* orig_buf, u64 pattern, u64 repl, u32 idx, u8 *orig_buf,
u8* buf, u32 len, u8 do_reverse, u8* status) { u8 *buf, u32 len, u8 do_reverse, u8 *status) {
u64* buf_64 = (u64*)&buf[idx]; u64 *buf_64 = (u64 *)&buf[idx];
u32* buf_32 = (u32*)&buf[idx]; u32 *buf_32 = (u32 *)&buf[idx];
u16* buf_16 = (u16*)&buf[idx]; u16 *buf_16 = (u16 *)&buf[idx];
// u8* buf_8 = &buf[idx]; // u8* buf_8 = &buf[idx];
// u64* o_buf_64 = (u64*)&orig_buf[idx]; // u64* o_buf_64 = (u64*)&orig_buf[idx];
// u32* o_buf_32 = (u32*)&orig_buf[idx]; // u32* o_buf_32 = (u32*)&orig_buf[idx];
@ -313,9 +313,9 @@ static u8 cmp_extend_encoding(afl_state_t* afl, struct cmp_header* h,
} }
static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) { static void try_to_add_to_dict(afl_state_t *afl, u64 v, u8 shape) {
u8* b = (u8*)&v; u8 *b = (u8 *)&v;
u32 k; u32 k;
u8 cons_ff = 0, cons_0 = 0; u8 cons_ff = 0, cons_0 = 0;
@ -332,7 +332,7 @@ static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) {
} }
maybe_add_auto(afl, (u8*)&v, shape); maybe_add_auto(afl, (u8 *)&v, shape);
u64 rev; u64 rev;
switch (shape) { switch (shape) {
@ -340,24 +340,24 @@ static void try_to_add_to_dict(afl_state_t* afl, u64 v, u8 shape) {
case 1: break; case 1: break;
case 2: case 2:
rev = SWAP16((u16)v); rev = SWAP16((u16)v);
maybe_add_auto(afl, (u8*)&rev, shape); maybe_add_auto(afl, (u8 *)&rev, shape);
break; break;
case 4: case 4:
rev = SWAP32((u32)v); rev = SWAP32((u32)v);
maybe_add_auto(afl, (u8*)&rev, shape); maybe_add_auto(afl, (u8 *)&rev, shape);
break; break;
case 8: case 8:
rev = SWAP64(v); rev = SWAP64(v);
maybe_add_auto(afl, (u8*)&rev, shape); maybe_add_auto(afl, (u8 *)&rev, shape);
break; break;
} }
} }
static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) { static u8 cmp_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
struct cmp_header* h = &afl->shm.cmp_map->headers[key]; struct cmp_header *h = &afl->shm.cmp_map->headers[key];
u32 i, j, idx; u32 i, j, idx;
u32 loggeds = h->hits; u32 loggeds = h->hits;
@ -369,7 +369,7 @@ static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
for (i = 0; i < loggeds; ++i) { for (i = 0; i < loggeds; ++i) {
struct cmp_operands* o = &afl->shm.cmp_map->log[key][i]; struct cmp_operands *o = &afl->shm.cmp_map->log[key][i];
// opt not in the paper // opt not in the paper
for (j = 0; j < i; ++j) for (j = 0; j < i; ++j)
@ -414,9 +414,9 @@ static u8 cmp_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
} }
static u8 rtn_extend_encoding(afl_state_t* afl, struct cmp_header* h, static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u8* pattern, u8* repl, u32 idx, u8* orig_buf, u8 *pattern, u8 *repl, u32 idx, u8 *orig_buf,
u8* buf, u32 len, u8* status) { u8 *buf, u32 len, u8 *status) {
u32 i; u32 i;
u32 its_len = MIN(32, len - idx); u32 its_len = MIN(32, len - idx);
@ -440,9 +440,9 @@ static u8 rtn_extend_encoding(afl_state_t* afl, struct cmp_header* h,
} }
static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) { static u8 rtn_fuzz(afl_state_t *afl, u32 key, u8 *orig_buf, u8 *buf, u32 len) {
struct cmp_header* h = &afl->shm.cmp_map->headers[key]; struct cmp_header *h = &afl->shm.cmp_map->headers[key];
u32 i, j, idx; u32 i, j, idx;
u32 loggeds = h->hits; u32 loggeds = h->hits;
@ -454,12 +454,12 @@ static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
for (i = 0; i < loggeds; ++i) { for (i = 0; i < loggeds; ++i) {
struct cmpfn_operands* o = struct cmpfn_operands *o =
&((struct cmpfn_operands*)afl->shm.cmp_map->log[key])[i]; &((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[i];
// opt not in the paper // opt not in the paper
for (j = 0; j < i; ++j) for (j = 0; j < i; ++j)
if (!memcmp(&((struct cmpfn_operands*)afl->shm.cmp_map->log[key])[j], o, if (!memcmp(&((struct cmpfn_operands *)afl->shm.cmp_map->log[key])[j], o,
sizeof(struct cmpfn_operands))) sizeof(struct cmpfn_operands)))
goto rtn_fuzz_next_iter; goto rtn_fuzz_next_iter;
@ -503,7 +503,7 @@ static u8 rtn_fuzz(afl_state_t* afl, u32 key, u8* orig_buf, u8* buf, u32 len) {
///// Input to State stage ///// Input to State stage
// afl->queue_cur->exec_cksum // afl->queue_cur->exec_cksum
u8 input_to_state_stage(afl_state_t* afl, u8* orig_buf, u8* buf, u32 len, u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len,
u32 exec_cksum) { u32 exec_cksum) {
u8 r = 1; u8 r = 1;

74
src/afl-fuzz-run.c
View File

@ -32,12 +32,12 @@
void timeout_handle(union sigval timer_data) { void timeout_handle(union sigval timer_data) {
pid_t child_pid = timer_data.sival_int; pid_t child_pid = timer_data.sival_int;
if (child_pid > 0) kill(child_pid, SIGKILL); if (child_pid > 0) kill(child_pid, SIGKILL);
} }
u8 run_target(afl_state_t* afl, u32 timeout) { u8 run_target(afl_state_t *afl, u32 timeout) {
// static struct itimerval it; // static struct itimerval it;
struct sigevent timer_signal_event; struct sigevent timer_signal_event;
@ -146,7 +146,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
/* Use a distinctive bitmap value to tell the parent about execv() /* Use a distinctive bitmap value to tell the parent about execv()
falling through. */ falling through. */
*(u32*)afl->fsrv.trace_bits = EXEC_FAIL_SIG; *(u32 *)afl->fsrv.trace_bits = EXEC_FAIL_SIG;
exit(0); exit(0);
} }
@ -181,11 +181,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
timer_signal_event.sigev_value.sival_int = afl->fsrv.child_pid; timer_signal_event.sigev_value.sival_int = afl->fsrv.child_pid;
timer_status = timer_create(CLOCK_MONOTONIC, &timer_signal_event, &timer); timer_status = timer_create(CLOCK_MONOTONIC, &timer_signal_event, &timer);
if (timer_status == -1) { if (timer_status == -1) { FATAL("Failed to create Timer"); }
FATAL("Failed to create Timer");
}
timer_period.it_value.tv_sec = (timeout / 1000); timer_period.it_value.tv_sec = (timeout / 1000);
timer_period.it_value.tv_nsec = (timeout % 1000) * 1000000; timer_period.it_value.tv_nsec = (timeout % 1000) * 1000000;
@ -203,13 +199,12 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
} else { } else {
FATAL("Failed to set the timer to the given timeout"); FATAL("Failed to set the timer to the given timeout");
} }
} }
/* The SIGALRM handler simply kills the afl->fsrv.child_pid and sets /* The SIGALRM handler simply kills the afl->fsrv.child_pid and sets
* afl->fsrv.child_timed_out. */ * afl->fsrv.child_timed_out. */
@ -221,6 +216,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
PFATAL("waitpid() failed"); PFATAL("waitpid() failed");
} }
} else { } else {
s32 res; s32 res;
@ -261,11 +257,7 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
timer_period.it_value.tv_nsec / 1000000); timer_period.it_value.tv_nsec / 1000000);
if (afl->slowest_exec_ms < exec_ms) afl->slowest_exec_ms = exec_ms; if (afl->slowest_exec_ms < exec_ms) afl->slowest_exec_ms = exec_ms;
if (exec_ms >= timeout) { if (exec_ms >= timeout) { afl->fsrv.child_timed_out = 1; }
afl->fsrv.child_timed_out = 1;
}
timer_period.it_value.tv_sec = 0; timer_period.it_value.tv_sec = 0;
timer_period.it_value.tv_nsec = 0; timer_period.it_value.tv_nsec = 0;
@ -289,12 +281,12 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
MEM_BARRIER(); MEM_BARRIER();
tb4 = *(u32*)afl->fsrv.trace_bits; tb4 = *(u32 *)afl->fsrv.trace_bits;
#ifdef WORD_SIZE_64 #ifdef WORD_SIZE_64
classify_counts((u64*)afl->fsrv.trace_bits); classify_counts((u64 *)afl->fsrv.trace_bits);
#else #else
classify_counts((u32*)afl->fsrv.trace_bits); classify_counts((u32 *)afl->fsrv.trace_bits);
#endif /* ^WORD_SIZE_64 */ #endif /* ^WORD_SIZE_64 */
prev_timed_out = afl->fsrv.child_timed_out; prev_timed_out = afl->fsrv.child_timed_out;
@ -327,9 +319,9 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
return FAULT_NONE; return FAULT_NONE;
handle_stop_soon: handle_stop_soon:
timer_delete(timer); timer_delete(timer);
return 0; return 0;
} }
@ -337,13 +329,13 @@ u8 run_target(afl_state_t* afl, u32 timeout) {
old file is unlinked and a new one is created. Otherwise, afl->fsrv.out_fd is old file is unlinked and a new one is created. Otherwise, afl->fsrv.out_fd is
rewound and truncated. */ rewound and truncated. */
void write_to_testcase(afl_state_t* afl, void* mem, u32 len) { void write_to_testcase(afl_state_t *afl, void *mem, u32 len) {
s32 fd = afl->fsrv.out_fd; s32 fd = afl->fsrv.out_fd;
#ifdef _AFL_DOCUMENT_MUTATIONS #ifdef _AFL_DOCUMENT_MUTATIONS
s32 doc_fd; s32 doc_fd;
char* fn = alloc_printf("%s/mutations/%09u:%s", afl->out_dir, char *fn = alloc_printf("%s/mutations/%09u:%s", afl->out_dir,
afl->document_counter++, describe_op(0)); afl->document_counter++, describe_op(0));
if (fn != NULL) { if (fn != NULL) {
@ -382,7 +374,7 @@ void write_to_testcase(afl_state_t* afl, void* mem, u32 len) {
if (afl->mutator && afl->mutator->afl_custom_pre_save) { if (afl->mutator && afl->mutator->afl_custom_pre_save) {
u8* new_data; u8 *new_data;
size_t new_size = size_t new_size =
afl->mutator->afl_custom_pre_save(afl, mem, len, &new_data); afl->mutator->afl_custom_pre_save(afl, mem, len, &new_data);
ck_write(fd, new_data, new_size, afl->fsrv.out_file); ck_write(fd, new_data, new_size, afl->fsrv.out_file);
@ -407,7 +399,7 @@ void write_to_testcase(afl_state_t* afl, void* mem, u32 len) {
/* The same, but with an adjustable gap. Used for trimming. */ /* The same, but with an adjustable gap. Used for trimming. */
static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at, static void write_with_gap(afl_state_t *afl, void *mem, u32 len, u32 skip_at,
u32 skip_len) { u32 skip_len) {
s32 fd = afl->fsrv.out_fd; s32 fd = afl->fsrv.out_fd;
@ -434,7 +426,7 @@ static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at,
if (skip_at) ck_write(fd, mem, skip_at, afl->fsrv.out_file); if (skip_at) ck_write(fd, mem, skip_at, afl->fsrv.out_file);
u8* memu8 = mem; u8 *memu8 = mem;
if (tail_len) if (tail_len)
ck_write(fd, memu8 + skip_at + skip_len, tail_len, afl->fsrv.out_file); ck_write(fd, memu8 + skip_at + skip_len, tail_len, afl->fsrv.out_file);
@ -453,7 +445,7 @@ static void write_with_gap(afl_state_t* afl, void* mem, u32 len, u32 skip_at,
to warn about flaky or otherwise problematic test cases early on; and when to warn about flaky or otherwise problematic test cases early on; and when
new paths are discovered to detect variable behavior and so on. */ new paths are discovered to detect variable behavior and so on. */
u8 calibrate_case(afl_state_t* afl, struct queue_entry* q, u8* use_mem, u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
u32 handicap, u8 from_queue) { u32 handicap, u8 from_queue) {
static u8 first_trace[MAP_SIZE]; static u8 first_trace[MAP_SIZE];
@ -465,7 +457,7 @@ u8 calibrate_case(afl_state_t* afl, struct queue_entry* q, u8* use_mem,
s32 old_sc = afl->stage_cur, old_sm = afl->stage_max; s32 old_sc = afl->stage_cur, old_sm = afl->stage_max;
u32 use_tmout = afl->fsrv.exec_tmout; u32 use_tmout = afl->fsrv.exec_tmout;
u8* old_sn = afl->stage_name; u8 *old_sn = afl->stage_name;
/* Be a bit more generous about timeouts when resuming sessions, or when /* Be a bit more generous about timeouts when resuming sessions, or when
trying to calibrate already-added finds. This helps avoid trouble due trying to calibrate already-added finds. This helps avoid trouble due
@ -612,11 +604,11 @@ abort_calibration:
/* Grab interesting test cases from other fuzzers. */ /* Grab interesting test cases from other fuzzers. */
void sync_fuzzers(afl_state_t* afl) { void sync_fuzzers(afl_state_t *afl) {
DIR* sd; DIR *sd;
struct dirent* sd_ent; struct dirent *sd_ent;
u32 sync_cnt = 0; u32 sync_cnt = 0;
sd = opendir(afl->sync_dir); sd = opendir(afl->sync_dir);
if (!sd) PFATAL("Unable to open '%s'", afl->sync_dir); if (!sd) PFATAL("Unable to open '%s'", afl->sync_dir);
@ -631,10 +623,10 @@ void sync_fuzzers(afl_state_t* afl) {
static u8 stage_tmp[128]; static u8 stage_tmp[128];
DIR* qd; DIR *qd;
struct dirent* qd_ent; struct dirent *qd_ent;
u8 * qd_path, *qd_synced_path; u8 *qd_path, *qd_synced_path;
u32 min_accept = 0, next_min_accept; u32 min_accept = 0, next_min_accept;
s32 id_fd; s32 id_fd;
@ -679,8 +671,8 @@ void sync_fuzzers(afl_state_t* afl) {
while ((qd_ent = readdir(qd))) { while ((qd_ent = readdir(qd))) {
u8* path; u8 *path;
s32 fd; s32 fd;
struct stat st; struct stat st;
if (qd_ent->d_name[0] == '.' || if (qd_ent->d_name[0] == '.' ||
@ -713,7 +705,7 @@ void sync_fuzzers(afl_state_t* afl) {
if (st.st_size && st.st_size <= MAX_FILE) { if (st.st_size && st.st_size <= MAX_FILE) {
u8 fault; u8 fault;
u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); u8 *mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path); if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path);
@ -760,7 +752,7 @@ void sync_fuzzers(afl_state_t* afl) {
trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of
file size, to keep the stage short and sweet. */ file size, to keep the stage short and sweet. */
u8 trim_case(afl_state_t* afl, struct queue_entry* q, u8* in_buf) { u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
/* Custom mutator trimmer */ /* Custom mutator trimmer */
if (afl->mutator && afl->mutator->afl_custom_trim) if (afl->mutator && afl->mutator->afl_custom_trim)
@ -896,7 +888,7 @@ abort_trimming:
error conditions, returning 1 if it's time to bail out. This is error conditions, returning 1 if it's time to bail out. This is
a helper function for fuzz_one(). */ a helper function for fuzz_one(). */
u8 common_fuzz_stuff(afl_state_t* afl, u8* out_buf, u32 len) { u8 common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {
u8 fault; u8 fault;

14
src/afl-fuzz-stats.c
View File

@ -347,9 +347,9 @@ void show_stats(afl_state_t *afl) {
/* Lord, forgive me this. */ /* Lord, forgive me this. */
SAYF(SET_G1 bSTG bLT bH bSTOP cCYA SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
" process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
" overall results " bSTG bH2 bH2 bRT "\n"); " overall results " bSTG bH2 bH2 bRT "\n");
if (afl->dumb_mode) { if (afl->dumb_mode) {
@ -429,9 +429,9 @@ void show_stats(afl_state_t *afl) {
" uniq hangs : " cRST "%-6s" bSTG bV "\n", " uniq hangs : " cRST "%-6s" bSTG bV "\n",
DTD(cur_ms, afl->last_hang_time), tmp); DTD(cur_ms, afl->last_hang_time), tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
" cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA
" map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); " map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
/* This gets funny because we want to print several variable-length variables /* This gets funny because we want to print several variable-length variables
together, but then cram them into a fixed-width field - so we need to together, but then cram them into a fixed-width field - so we need to
@ -460,9 +460,9 @@ void show_stats(afl_state_t *afl) {
SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
" stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
" findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored), sprintf(tmp, "%s (%0.02f%%)", DI(afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths); ((double)afl->queued_favored) * 100 / afl->queued_paths);
@ -533,7 +533,7 @@ void show_stats(afl_state_t *afl) {
/* Aaaalmost there... hold on! */ /* Aaaalmost there... hold on! */
SAYF(bVR bH cCYA bSTOP SAYF(bVR bH cCYA bSTOP
" fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
" path geometry " bSTG bH5 bH2 bVL "\n"); " path geometry " bSTG bH5 bH2 bVL "\n");

34
src/afl-fuzz.c
View File

@ -27,7 +27,7 @@
u8 be_quiet = 0; u8 be_quiet = 0;
static u8* get_libradamsa_path(u8* own_loc) { static u8 *get_libradamsa_path(u8 *own_loc) {
u8 *tmp, *cp, *rsl, *own_copy; u8 *tmp, *cp, *rsl, *own_copy;
@ -84,7 +84,7 @@ static u8* get_libradamsa_path(u8* own_loc) {
/* Display usage hints. */ /* Display usage hints. */
static void usage(afl_state_t* afl, u8* argv0, int more_help) { static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
SAYF( SAYF(
"\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n" "\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n"
@ -198,7 +198,7 @@ static void usage(afl_state_t* afl, u8* argv0, int more_help) {
#ifdef USE_PYTHON #ifdef USE_PYTHON
SAYF("Compiled with %s module support, see docs/custom_mutator.md\n", SAYF("Compiled with %s module support, see docs/custom_mutator.md\n",
(char*)PYTHON_VERSION); (char *)PYTHON_VERSION);
#endif #endif
SAYF("For additional help please consult %s/README.md\n\n", doc_path); SAYF("For additional help please consult %s/README.md\n\n", doc_path);
@ -210,7 +210,7 @@ static void usage(afl_state_t* afl, u8* argv0, int more_help) {
#ifndef AFL_LIB #ifndef AFL_LIB
static int stricmp(char const* a, char const* b) { static int stricmp(char const *a, char const *b) {
for (;; ++a, ++b) { for (;; ++a, ++b) {
@ -224,22 +224,22 @@ static int stricmp(char const* a, char const* b) {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv_orig, char** envp) { int main(int argc, char **argv_orig, char **envp) {
s32 opt; s32 opt;
u64 prev_queued = 0; u64 prev_queued = 0;
u32 sync_interval_cnt = 0, seek_to, show_help = 0; u32 sync_interval_cnt = 0, seek_to, show_help = 0;
u8* extras_dir = 0; u8 * extras_dir = 0;
u8 mem_limit_given = 0; u8 mem_limit_given = 0;
u8 exit_1 = !!get_afl_env("AFL_BENCH_JUST_ONE"); u8 exit_1 = !!get_afl_env("AFL_BENCH_JUST_ONE");
char** use_argv; char **use_argv;
struct timeval tv; struct timeval tv;
struct timezone tz; struct timezone tz;
char** argv = argv_cpy_dup(argc, argv_orig); char **argv = argv_cpy_dup(argc, argv_orig);
afl_state_t* afl = calloc(1, sizeof(afl_state_t)); afl_state_t *afl = calloc(1, sizeof(afl_state_t));
if (!afl) { FATAL("Could not create afl state"); } if (!afl) { FATAL("Could not create afl state"); }
afl_state_init(afl); afl_state_init(afl);
@ -248,7 +248,7 @@ int main(int argc, char** argv_orig, char** envp) {
SAYF(cCYA "afl-fuzz" VERSION cRST SAYF(cCYA "afl-fuzz" VERSION cRST
" based on afl by Michal Zalewski and a big online community\n"); " based on afl by Michal Zalewski and a big online community\n");
doc_path = access(DOC_PATH, F_OK) ? (u8*)"docs" : doc_path; doc_path = access(DOC_PATH, F_OK) ? (u8 *)"docs" : doc_path;
gettimeofday(&tv, &tz); gettimeofday(&tv, &tz);
afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); afl->init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
@ -337,7 +337,7 @@ int main(int argc, char** argv_orig, char** envp) {
case 'M': { /* master sync ID */ case 'M': { /* master sync ID */
u8* c; u8 *c;
if (afl->sync_id) FATAL("Multiple -S or -M options not supported"); if (afl->sync_id) FATAL("Multiple -S or -M options not supported");
afl->sync_id = ck_strdup(optarg); afl->sync_id = ck_strdup(optarg);
@ -696,8 +696,8 @@ int main(int argc, char** argv_orig, char** envp) {
OKF("Using Radamsa add-on"); OKF("Using Radamsa add-on");
u8* libradamsa_path = get_libradamsa_path(argv[0]); u8 * libradamsa_path = get_libradamsa_path(argv[0]);
void* handle = dlopen(libradamsa_path, RTLD_NOW); void *handle = dlopen(libradamsa_path, RTLD_NOW);
ck_free(libradamsa_path); ck_free(libradamsa_path);
if (!handle) FATAL("Failed to dlopen() libradamsa"); if (!handle) FATAL("Failed to dlopen() libradamsa");
@ -794,9 +794,9 @@ int main(int argc, char** argv_orig, char** envp) {
if (afl->qemu_mode) { if (afl->qemu_mode) {
u8* qemu_preload = getenv("QEMU_SET_ENV"); u8 *qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD"); u8 *afl_preload = getenv("AFL_PRELOAD");
u8* buf; u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload); s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) { for (i = 0; i < afl_preload_size; ++i) {
@ -926,7 +926,7 @@ int main(int argc, char** argv_orig, char** envp) {
u32 i = optind + 1; u32 i = optind + 1;
while (argv[i]) { while (argv[i]) {
u8* aa_loc = strstr(argv[i], "@@"); u8 *aa_loc = strstr(argv[i], "@@");
if (aa_loc && !afl->fsrv.out_file) { if (aa_loc && !afl->fsrv.out_file) {

48
src/afl-gcc.c
View File

@ -48,18 +48,18 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
static u8* as_path; /* Path to the AFL 'as' wrapper */ static u8 *as_path; /* Path to the AFL 'as' wrapper */
static u8** cc_params; /* Parameters passed to the real CC */ static u8 **cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 be_quiet, /* Quiet mode */ static u8 be_quiet, /* Quiet mode */
clang_mode; /* Invoked as afl-clang*? */ clang_mode; /* Invoked as afl-clang*? */
/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived /* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived
from argv[0]. If that fails, abort. */ from argv[0]. If that fails, abort. */
static void find_as(u8* argv0) { static void find_as(u8 *argv0) {
u8* afl_path = getenv("AFL_PATH"); u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp; u8 *slash, *tmp;
if (afl_path) { if (afl_path) {
@ -82,7 +82,7 @@ static void find_as(u8* argv0) {
if (slash) { if (slash) {
u8* dir; u8 *dir;
*slash = 0; *slash = 0;
dir = ck_strdup(argv0); dir = ck_strdup(argv0);
@ -116,16 +116,16 @@ static void find_as(u8* argv0) {
/* Copy argv to cc_params, making the necessary edits. */ /* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) { static void edit_params(u32 argc, char **argv) {
u8 fortify_set = 0, asan_set = 0; u8 fortify_set = 0, asan_set = 0;
u8* name; u8 *name;
#if defined(__FreeBSD__) && defined(WORD_SIZE_64) #if defined(__FreeBSD__) && defined(WORD_SIZE_64)
u8 m32_set = 0; u8 m32_set = 0;
#endif #endif
cc_params = ck_alloc((argc + 128) * sizeof(u8*)); cc_params = ck_alloc((argc + 128) * sizeof(u8 *));
name = strrchr(argv[0], '/'); name = strrchr(argv[0], '/');
if (!name) if (!name)
@ -141,13 +141,13 @@ static void edit_params(u32 argc, char** argv) {
if (!strcmp(name, "afl-clang++")) { if (!strcmp(name, "afl-clang++")) {
u8* alt_cxx = getenv("AFL_CXX"); u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++"; cc_params[0] = alt_cxx ? alt_cxx : (u8 *)"clang++";
} else { } else {
u8* alt_cc = getenv("AFL_CC"); u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"clang"; cc_params[0] = alt_cc ? alt_cc : (u8 *)"clang";
} }
@ -186,18 +186,18 @@ static void edit_params(u32 argc, char** argv) {
if (!strcmp(name, "afl-g++")) { if (!strcmp(name, "afl-g++")) {
u8* alt_cxx = getenv("AFL_CXX"); u8 *alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; cc_params[0] = alt_cxx ? alt_cxx : (u8 *)"g++";
} else if (!strcmp(name, "afl-gcj")) { } else if (!strcmp(name, "afl-gcj")) {
u8* alt_cc = getenv("AFL_GCJ"); u8 *alt_cc = getenv("AFL_GCJ");
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj"; cc_params[0] = alt_cc ? alt_cc : (u8 *)"gcj";
} else { } else {
u8* alt_cc = getenv("AFL_CC"); u8 *alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; cc_params[0] = alt_cc ? alt_cc : (u8 *)"gcc";
} }
@ -207,7 +207,7 @@ static void edit_params(u32 argc, char** argv) {
while (--argc) { while (--argc) {
u8* cur = *(++argv); u8 *cur = *(++argv);
if (!strncmp(cur, "-B", 2)) { if (!strncmp(cur, "-B", 2)) {
@ -340,9 +340,9 @@ static void edit_params(u32 argc, char** argv) {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv) { int main(int argc, char **argv) {
char* env_info = char *env_info =
"Environment variables used by afl-gcc:\n" "Environment variables used by afl-gcc:\n"
"AFL_CC: path to the C compiler to use\n" "AFL_CC: path to the C compiler to use\n"
"AFL_CXX: path to the C++ compiler to use\n" "AFL_CXX: path to the C++ compiler to use\n"
@ -415,7 +415,7 @@ int main(int argc, char** argv) {
edit_params(argc, argv); edit_params(argc, argv);
execvp(cc_params[0], (char**)cc_params); execvp(cc_params[0], (char **)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);

4
src/afl-gotcpu.c
View File

@ -129,7 +129,7 @@ repeat_loop:
/* Do the benchmark thing. */ /* Do the benchmark thing. */
int main(int argc, char** argv) { int main(int argc, char **argv) {
if (argc > 1) { if (argc > 1) {
@ -165,7 +165,7 @@ int main(int argc, char** argv) {
CPU_ZERO(&c); CPU_ZERO(&c);
CPU_SET(i, &c); CPU_SET(i, &c);
#elif defined(__NetBSD__) #elif defined(__NetBSD__)
cpuset_t* c; cpuset_t *c;
c = cpuset_create(); c = cpuset_create();
if (c == NULL) PFATAL("cpuset_create failed"); if (c == NULL) PFATAL("cpuset_create failed");

60
src/afl-showmap.c
View File

@ -61,13 +61,13 @@
u8 be_quiet; u8 be_quiet;
char* stdin_file; /* stdin file */ char *stdin_file; /* stdin file */
u8 *in_dir, /* input folder */ u8 *in_dir, /* input folder */
*doc_path, /* Path to docs */ *doc_path, /* Path to docs */
*at_file = NULL; /* Substitution string for @@ */ *at_file = NULL; /* Substitution string for @@ */
static u8* in_data; /* Input data */ static u8 *in_data; /* Input data */
static u32 total, highest; /* tuple content information */ static u32 total, highest; /* tuple content information */
@ -111,7 +111,7 @@ static const u8 count_class_binary[256] = {
}; };
static void classify_counts(u8* mem, const u8* map) { static void classify_counts(u8 *mem, const u8 *map) {
u32 i = MAP_SIZE; u32 i = MAP_SIZE;
@ -147,7 +147,7 @@ static void at_exit_handler(void) {
/* Write results. */ /* Write results. */
static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) { static u32 write_results_to_file(afl_forkserver_t *fsrv, u8 *outfile) {
s32 fd; s32 fd;
u32 i, ret = 0; u32 i, ret = 0;
@ -183,7 +183,7 @@ static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) {
} else { } else {
FILE* f = fdopen(fd, "w"); FILE *f = fdopen(fd, "w");
if (!f) PFATAL("fdopen() failed"); if (!f) PFATAL("fdopen() failed");
@ -218,7 +218,7 @@ static u32 write_results_to_file(afl_forkserver_t* fsrv, u8* outfile) {
/* Write results. */ /* Write results. */
static u32 write_results(afl_forkserver_t* fsrv) { static u32 write_results(afl_forkserver_t *fsrv) {
return write_results_to_file(fsrv, fsrv->out_file); return write_results_to_file(fsrv, fsrv->out_file);
@ -226,7 +226,7 @@ static u32 write_results(afl_forkserver_t* fsrv) {
/* Write output file. */ /* Write output file. */
static s32 write_to_file(u8* path, u8* mem, u32 len) { static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
s32 ret; s32 ret;
@ -248,7 +248,7 @@ static s32 write_to_file(u8* path, u8* mem, u32 len) {
is unlinked and a new one is created. Otherwise, out_fd is rewound and is unlinked and a new one is created. Otherwise, out_fd is rewound and
truncated. */ truncated. */
static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) { static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) {
lseek(fsrv->out_fd, 0, SEEK_SET); lseek(fsrv->out_fd, 0, SEEK_SET);
ck_write(fsrv->out_fd, mem, len, fsrv->out_file); ck_write(fsrv->out_fd, mem, len, fsrv->out_file);
@ -260,7 +260,7 @@ static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) {
/* Execute target application. Returns 0 if the changes are a dud, or /* Execute target application. Returns 0 if the changes are a dud, or
1 if they should be kept. */ 1 if they should be kept. */
static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem, static u8 run_target_forkserver(afl_forkserver_t *fsrv, char **argv, u8 *mem,
u32 len) { u32 len) {
static struct itimerval it; static struct itimerval it;
@ -321,7 +321,7 @@ static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem,
/* Clean up bitmap, analyze exit condition, etc. */ /* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG) if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]); FATAL("Unable to execute '%s'", argv[0]);
classify_counts(fsrv->trace_bits, classify_counts(fsrv->trace_bits,
@ -356,7 +356,7 @@ static u8 run_target_forkserver(afl_forkserver_t* fsrv, char** argv, u8* mem,
/* Read initial file. */ /* Read initial file. */
u32 read_file(u8* in_file) { u32 read_file(u8 *in_file) {
struct stat st; struct stat st;
s32 fd = open(in_file, O_RDONLY); s32 fd = open(in_file, O_RDONLY);
@ -381,7 +381,7 @@ u32 read_file(u8* in_file) {
/* Execute target application. */ /* Execute target application. */
static void run_target(afl_forkserver_t* fsrv, char** argv) { static void run_target(afl_forkserver_t *fsrv, char **argv) {
static struct itimerval it; static struct itimerval it;
int status = 0; int status = 0;
@ -404,7 +404,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) {
if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) { if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) {
*(u32*)fsrv->trace_bits = EXEC_FAIL_SIG; *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG;
PFATAL("Descriptor initialization failed"); PFATAL("Descriptor initialization failed");
} }
@ -442,7 +442,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) {
execv(fsrv->target_path, argv); execv(fsrv->target_path, argv);
*(u32*)fsrv->trace_bits = EXEC_FAIL_SIG; *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG;
exit(0); exit(0);
} }
@ -470,7 +470,7 @@ static void run_target(afl_forkserver_t* fsrv, char** argv) {
/* Clean up bitmap, analyze exit condition, etc. */ /* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG) if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]); FATAL("Unable to execute '%s'", argv[0]);
classify_counts(fsrv->trace_bits, classify_counts(fsrv->trace_bits,
@ -525,9 +525,9 @@ static void set_up_environment(void) {
if (qemu_mode) { if (qemu_mode) {
u8* qemu_preload = getenv("QEMU_SET_ENV"); u8 *qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD"); u8 *afl_preload = getenv("AFL_PRELOAD");
u8* buf; u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload); s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) { for (i = 0; i < afl_preload_size; ++i) {
@ -597,7 +597,7 @@ static void show_banner(void) {
/* Display usage hints. */ /* Display usage hints. */
static void usage(u8* argv0) { static void usage(u8 *argv0) {
show_banner(); show_banner();
@ -647,9 +647,9 @@ static void usage(u8* argv0) {
/* Find binary. */ /* Find binary. */
static void find_binary(afl_forkserver_t* fsrv, u8* fname) { static void find_binary(afl_forkserver_t *fsrv, u8 *fname) {
u8* env_path = 0; u8 *env_path = 0;
struct stat st; struct stat st;
if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
@ -703,19 +703,19 @@ static void find_binary(afl_forkserver_t* fsrv, u8* fname) {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv_orig, char** envp) { int main(int argc, char **argv_orig, char **envp) {
// TODO: u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ // TODO: u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */
s32 opt, i; s32 opt, i;
u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
u32 tcnt = 0; u32 tcnt = 0;
char** use_argv; char **use_argv;
char** argv = argv_cpy_dup(argc, argv_orig); char **argv = argv_cpy_dup(argc, argv_orig);
afl_forkserver_t fsrv_var = {0}; afl_forkserver_t fsrv_var = {0};
afl_forkserver_t* fsrv = &fsrv_var; afl_forkserver_t *fsrv = &fsrv_var;
afl_fsrv_init(fsrv); afl_fsrv_init(fsrv);
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
@ -929,10 +929,10 @@ int main(int argc, char** argv_orig, char** envp) {
if (in_dir) { if (in_dir) {
DIR * dir_in, *dir_out; DIR *dir_in, *dir_out;
struct dirent* dir_ent; struct dirent *dir_ent;
int done = 0; int done = 0;
u8 infile[4096], outfile[4096]; u8 infile[4096], outfile[4096];
#if !defined(DT_REG) #if !defined(DT_REG)
struct stat statbuf; struct stat statbuf;
#endif #endif
@ -946,7 +946,7 @@ int main(int argc, char** argv_orig, char** envp) {
if (mkdir(fsrv->out_file, 0700)) if (mkdir(fsrv->out_file, 0700))
PFATAL("cannot create output directory %s", fsrv->out_file); PFATAL("cannot create output directory %s", fsrv->out_file);
u8* use_dir = "."; u8 *use_dir = ".";
if (access(use_dir, R_OK | W_OK | X_OK)) { if (access(use_dir, R_OK | W_OK | X_OK)) {

54
src/afl-tmin.c
View File

@ -58,13 +58,13 @@
#include <sys/types.h> #include <sys/types.h>
#include <sys/resource.h> #include <sys/resource.h>
static u8* mask_bitmap; /* Mask for trace bits (-B) */ static u8 *mask_bitmap; /* Mask for trace bits (-B) */
u8 *in_file, /* Minimizer input test case */ u8 *in_file, /* Minimizer input test case */
*output_file, /* Minimizer output file */ *output_file, /* Minimizer output file */
*doc_path; /* Path to docs */ *doc_path; /* Path to docs */
static u8* in_data; /* Input data for trimming */ static u8 *in_data; /* Input data for trimming */
static u32 in_len, /* Input data length */ static u32 in_len, /* Input data length */
orig_cksum, /* Original checksum */ orig_cksum, /* Original checksum */
@ -105,7 +105,7 @@ static const u8 count_class_lookup[256] = {
}; };
static void classify_counts(u8* mem) { static void classify_counts(u8 *mem) {
u32 i = MAP_SIZE; u32 i = MAP_SIZE;
@ -133,7 +133,7 @@ static void classify_counts(u8* mem) {
/* Apply mask to classified bitmap (if set). */ /* Apply mask to classified bitmap (if set). */
static void apply_mask(u32* mem, u32* mask) { static void apply_mask(u32 *mem, u32 *mask) {
u32 i = (MAP_SIZE >> 2); u32 i = (MAP_SIZE >> 2);
@ -151,9 +151,9 @@ static void apply_mask(u32* mem, u32* mask) {
/* See if any bytes are set in the bitmap. */ /* See if any bytes are set in the bitmap. */
static inline u8 anything_set(afl_forkserver_t* fsrv) { static inline u8 anything_set(afl_forkserver_t *fsrv) {
u32* ptr = (u32*)fsrv->trace_bits; u32 *ptr = (u32 *)fsrv->trace_bits;
u32 i = (MAP_SIZE >> 2); u32 i = (MAP_SIZE >> 2);
while (i--) while (i--)
@ -196,7 +196,7 @@ static void read_initial_file(void) {
/* Write output file. */ /* Write output file. */
static s32 write_to_file(u8* path, u8* mem, u32 len) { static s32 write_to_file(u8 *path, u8 *mem, u32 len) {
s32 ret; s32 ret;
@ -218,7 +218,7 @@ static s32 write_to_file(u8* path, u8* mem, u32 len) {
is unlinked and a new one is created. Otherwise, out_fd is rewound and is unlinked and a new one is created. Otherwise, out_fd is rewound and
truncated. */ truncated. */
static void write_to_testcase(afl_forkserver_t* fsrv, void* mem, u32 len) { static void write_to_testcase(afl_forkserver_t *fsrv, void *mem, u32 len) {
s32 fd = fsrv->out_fd; s32 fd = fsrv->out_fd;
@ -395,7 +395,7 @@ static void init_forkserver(char **argv) {
/* Execute target application. Returns 0 if the changes are a dud, or /* Execute target application. Returns 0 if the changes are a dud, or
1 if they should be kept. */ 1 if they should be kept. */
static u8 run_target(afl_forkserver_t* fsrv, char** argv, u8* mem, u32 len, static u8 run_target(afl_forkserver_t *fsrv, char **argv, u8 *mem, u32 len,
u8 first_run) { u8 first_run) {
static struct itimerval it; static struct itimerval it;
@ -460,13 +460,13 @@ static u8 run_target(afl_forkserver_t* fsrv, char** argv, u8* mem, u32 len,
/* Clean up bitmap, analyze exit condition, etc. */ /* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)fsrv->trace_bits == EXEC_FAIL_SIG) if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]); FATAL("Unable to execute '%s'", argv[0]);
if (!hang_mode) { if (!hang_mode) {
classify_counts(fsrv->trace_bits); classify_counts(fsrv->trace_bits);
apply_mask((u32*)fsrv->trace_bits, (u32*)mask_bitmap); apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap);
} }
@ -565,11 +565,11 @@ static u32 next_p2(u32 val) {
/* Actually minimize! */ /* Actually minimize! */
static void minimize(afl_forkserver_t* fsrv, char** argv) { static void minimize(afl_forkserver_t *fsrv, char **argv) {
static u32 alpha_map[256]; static u32 alpha_map[256];
u8* tmp_buf = ck_alloc_nozero(in_len); u8 *tmp_buf = ck_alloc_nozero(in_len);
u32 orig_len = in_len, stage_o_len; u32 orig_len = in_len, stage_o_len;
u32 del_len, set_len, del_pos, set_pos, i, alpha_size, cur_pass = 0; u32 del_len, set_len, del_pos, set_pos, i, alpha_size, cur_pass = 0;
@ -835,16 +835,16 @@ static void handle_stop_sig(int sig) {
/* Do basic preparations - persistent fds, filenames, etc. */ /* Do basic preparations - persistent fds, filenames, etc. */
static void set_up_environment(afl_forkserver_t* fsrv) { static void set_up_environment(afl_forkserver_t *fsrv) {
u8* x; u8 *x;
fsrv->dev_null_fd = open("/dev/null", O_RDWR); fsrv->dev_null_fd = open("/dev/null", O_RDWR);
if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null"); if (fsrv->dev_null_fd < 0) PFATAL("Unable to open /dev/null");
if (!fsrv->out_file) { if (!fsrv->out_file) {
u8* use_dir = "."; u8 *use_dir = ".";
if (access(use_dir, R_OK | W_OK | X_OK)) { if (access(use_dir, R_OK | W_OK | X_OK)) {
@ -907,9 +907,9 @@ static void set_up_environment(afl_forkserver_t* fsrv) {
if (qemu_mode) { if (qemu_mode) {
u8* qemu_preload = getenv("QEMU_SET_ENV"); u8 *qemu_preload = getenv("QEMU_SET_ENV");
u8* afl_preload = getenv("AFL_PRELOAD"); u8 *afl_preload = getenv("AFL_PRELOAD");
u8* buf; u8 *buf;
s32 i, afl_preload_size = strlen(afl_preload); s32 i, afl_preload_size = strlen(afl_preload);
for (i = 0; i < afl_preload_size; ++i) { for (i = 0; i < afl_preload_size; ++i) {
@ -971,7 +971,7 @@ static void setup_signal_handlers(void) {
/* Display usage hints. */ /* Display usage hints. */
static void usage(u8* argv0) { static void usage(u8 *argv0) {
SAYF( SAYF(
"\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n"
@ -1018,9 +1018,9 @@ static void usage(u8* argv0) {
/* Find binary. */ /* Find binary. */
static void find_binary(afl_forkserver_t* fsrv, u8* fname) { static void find_binary(afl_forkserver_t *fsrv, u8 *fname) {
u8* env_path = 0; u8 * env_path = 0;
struct stat st; struct stat st;
if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
@ -1074,7 +1074,7 @@ static void find_binary(afl_forkserver_t* fsrv, u8* fname) {
/* Read mask bitmap from file. This is for the -B option. */ /* Read mask bitmap from file. This is for the -B option. */
static void read_bitmap(u8* fname) { static void read_bitmap(u8 *fname) {
s32 fd = open(fname, O_RDONLY); s32 fd = open(fname, O_RDONLY);
@ -1088,16 +1088,16 @@ static void read_bitmap(u8* fname) {
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv_orig, char** envp) { int main(int argc, char **argv_orig, char **envp) {
s32 opt; s32 opt;
u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0; u8 mem_limit_given = 0, timeout_given = 0, unicorn_mode = 0, use_wine = 0;
char** use_argv; char **use_argv;
char** argv = argv_cpy_dup(argc, argv_orig); char **argv = argv_cpy_dup(argc, argv_orig);
afl_forkserver_t fsrv_var = {0}; afl_forkserver_t fsrv_var = {0};
afl_forkserver_t* fsrv = &fsrv_var; afl_forkserver_t *fsrv = &fsrv_var;
afl_fsrv_init(fsrv); afl_fsrv_init(fsrv);
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;

4
test-instr.c
View File

@ -23,11 +23,11 @@
#include <sys/stat.h> #include <sys/stat.h>
#include <fcntl.h> #include <fcntl.h>
int main(int argc, char** argv) { int main(int argc, char **argv) {
int fd = 0; int fd = 0;
char buff[8]; char buff[8];
char* buf = buff; char *buf = buff;
// we support command line parameter and stdin // we support command line parameter and stdin
if (argc == 2) { if (argc == 2) {

2
test/test-compcov.c
View File

@ -3,7 +3,7 @@
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
int main(int argc, char** argv) { int main(int argc, char **argv) {
char *input = argv[1], *buf, buffer[20]; char *input = argv[1], *buf, buffer[20];
if (argc < 2) { if (argc < 2) {