allow for -c0 also for src targets

2025-06-07 15:51:32 +00:00 · 2022-03-01 19:30:17 +01:00 · 2022-03-01 19:30:17 +01:00 · d84a8da1e9
commit d84a8da1e9
parent f70760896c
3 changed files with 16 additions and 5 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -12,6 +12,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
  - fix */build_...sh scripts to work outside of git
  - new custom_mutator: libafl with token fuzzing :)
  - afl-fuzz:
+    - when you just want to compile once and set CMPLOG, then just
+      set -c 0 to tell afl-fuzz that the fuzzing binary is also for
+      CMPLOG.
    - new commandline options -g/G to set min/max length of generated
      fuzz inputs
    - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@ -48,11 +48,12 @@ The following setup to use QEMU mode is recommended:

 Then run as many instances as you have cores left with either -Q mode or - even
 better - use a binary rewriter like Dyninst, RetroWrite, ZAFL, etc.
+The binary rewriters all have their own advantages and caveats.
+ZAFL is the best but cannot be used in a business/commercial context.

-If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for your
-binary, then you can use afl-fuzz normally and it will have twice the speed
-compared to QEMU mode (but slower than QEMU persistent mode). Note that several
-other binary rewriters exist, all with their advantages and caveats.
+If a binary rewriter works for your target then you can use afl-fuzz normally
+and it will have twice the speed compared to QEMU mode (but slower than QEMU
+persistent mode).

 The speed decrease of QEMU mode is at about 50%. However, various options exist
 to increase the speed:
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -167,7 +167,8 @@ static void usage(u8 *argv0, int more_help) {
      "                  See docs/README.MOpt.md\n"
      "  -c program    - enable CmpLog by specifying a binary compiled for "
      "it.\n"
-      "                  if using QEMU, just use -c 0.\n"
+      "                  if using QEMU/FRIDA or if you the fuzzing target is compiled"
+      "                  for CmpLog then just use -c 0.\n"
      "  -l cmplog_opts - CmpLog configuration values (e.g. \"2AT\"):\n"
      "                  1=small files, 2=larger files (default), 3=all "
      "files,\n"
@ -1458,6 +1459,12 @@ int main(int argc, char **argv_orig, char **envp) {

  if (!afl->use_banner) { afl->use_banner = argv[optind]; }

+  if (afl->shm.cmplog_mode && (!strcmp("-", afl->cmplog_binary) || !strcmp("0", afl->cmplog_binary))) {
+
+    afl->cmplog_binary = argv[optind];
+
+  }
+
  if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) {

    WARNF(cLRD