mirror of
https://github.com/AFLplusplus/AFLplusplus.git
synced 2025-06-14 11:08:06 +00:00
switch shmem_len to the map
This commit is contained in:
van Hauser
@ -7,9 +7,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
|
|||||||
__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
|
__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
|
||||||
|
|
||||||
static const size_t kMaxAflInputSize = 1 << 20;
|
static const size_t kMaxAflInputSize = 1 << 20;
|
||||||
static uint8_t AflInputBuf[kMaxAflInputSize];
|
static uint8_t AflInputBuf[kMaxAflInputSize];
|
||||||
|
|
||||||
void __attribute__ ((noinline)) afl_qemu_driver_stdin_input(void) {
|
void __attribute__((noinline)) afl_qemu_driver_stdin_input(void) {
|
||||||
|
|
||||||
size_t l = read(0, AflInputBuf, kMaxAflInputSize);
|
size_t l = read(0, AflInputBuf, kMaxAflInputSize);
|
||||||
LLVMFuzzerTestOneInput(AflInputBuf, l);
|
LLVMFuzzerTestOneInput(AflInputBuf, l);
|
||||||
@ -31,7 +31,7 @@ int main(int argc, char **argv) {
|
|||||||
LLVMFuzzerTestOneInput(dummy_input, 1);
|
LLVMFuzzerTestOneInput(dummy_input, 1);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -75,13 +75,13 @@ typedef struct afl_forkserver {
|
|||||||
|
|
||||||
u8 use_shdmen_fuzz; /* use shared mem for test cases */
|
u8 use_shdmen_fuzz; /* use shared mem for test cases */
|
||||||
|
|
||||||
u8 support_shdmen_fuzz; /* set by afl-fuzz */
|
u8 support_shmem_fuzz; /* set by afl-fuzz */
|
||||||
|
|
||||||
u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */
|
u8 use_fauxsrv; /* Fauxsrv for non-forking targets? */
|
||||||
|
|
||||||
u8 qemu_mode; /* if running in qemu mode or not */
|
u8 qemu_mode; /* if running in qemu mode or not */
|
||||||
|
|
||||||
u32 shmem_fuzz_len; /* length of the fuzzing test case */
|
u32 *shmem_fuzz_len; /* length of the fuzzing test case */
|
||||||
|
|
||||||
u8 *shmem_fuzz; /* allocated memory for fuzzing */
|
u8 *shmem_fuzz; /* allocated memory for fuzzing */
|
||||||
|
|
||||||
|
|||||||
@ -166,8 +166,7 @@ static void __afl_map_shm_fuzz() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
__afl_fuzz_len_shmem = (u32 *)mmap(NULL, sizeof(int), PROT_READ | PROT_WRITE,
|
__afl_fuzz_len_shmem = (u32 *)(__afl_fuzz_ptr + MAX_FILE);
|
||||||
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -448,9 +447,6 @@ static void __afl_start_snapshots(void) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
*__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8);
|
|
||||||
was_killed = (was_killed & 0xff);
|
|
||||||
|
|
||||||
#ifdef _AFL_DOCUMENT_MUTATIONS
|
#ifdef _AFL_DOCUMENT_MUTATIONS
|
||||||
if (__afl_fuzz_ptr) {
|
if (__afl_fuzz_ptr) {
|
||||||
|
|
||||||
@ -651,9 +647,6 @@ static void __afl_start_forkserver(void) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
*__afl_fuzz_len_shmem = __afl_fuzz_len = (was_killed >> 8);
|
|
||||||
was_killed = (was_killed & 0xff);
|
|
||||||
|
|
||||||
#ifdef _AFL_DOCUMENT_MUTATIONS
|
#ifdef _AFL_DOCUMENT_MUTATIONS
|
||||||
if (__afl_fuzz_ptr) {
|
if (__afl_fuzz_ptr) {
|
||||||
|
|
||||||
|
|||||||
@ -83,9 +83,9 @@ extern unsigned char persistent_save_gpr;
|
|||||||
extern uint64_t persistent_saved_gpr[AFL_REGS_NUM];
|
extern uint64_t persistent_saved_gpr[AFL_REGS_NUM];
|
||||||
extern int persisent_retaddr_offset;
|
extern int persisent_retaddr_offset;
|
||||||
|
|
||||||
extern u8 *shared_buf;
|
extern u8 * shared_buf;
|
||||||
extern u32 shared_buf_len;
|
extern u32 *shared_buf_len;
|
||||||
extern u8 sharedmem_fuzzing;
|
extern u8 sharedmem_fuzzing;
|
||||||
|
|
||||||
extern afl_persistent_hook_fn afl_persistent_hook_ptr;
|
extern afl_persistent_hook_fn afl_persistent_hook_ptr;
|
||||||
|
|
||||||
|
|||||||
@ -83,9 +83,9 @@ unsigned char persistent_save_gpr;
|
|||||||
uint64_t persistent_saved_gpr[AFL_REGS_NUM];
|
uint64_t persistent_saved_gpr[AFL_REGS_NUM];
|
||||||
int persisent_retaddr_offset;
|
int persisent_retaddr_offset;
|
||||||
|
|
||||||
u8 *shared_buf;
|
u8 * shared_buf;
|
||||||
u32 shared_buf_len;
|
u32 *shared_buf_len;
|
||||||
u8 sharedmem_fuzzing;
|
u8 sharedmem_fuzzing;
|
||||||
|
|
||||||
afl_persistent_hook_fn afl_persistent_hook_ptr;
|
afl_persistent_hook_fn afl_persistent_hook_ptr;
|
||||||
|
|
||||||
@ -148,6 +148,7 @@ static void afl_map_shm_fuzz(void) {
|
|||||||
|
|
||||||
u32 shm_id = atoi(id_str);
|
u32 shm_id = atoi(id_str);
|
||||||
shared_buf = shmat(shm_id, NULL, 0);
|
shared_buf = shmat(shm_id, NULL, 0);
|
||||||
|
shared_buf_len = (u32 *)(shared_buf + MAX_FILE);
|
||||||
|
|
||||||
/* Whooooops. */
|
/* Whooooops. */
|
||||||
|
|
||||||
@ -377,9 +378,6 @@ void afl_forkserver(CPUState *cpu) {
|
|||||||
|
|
||||||
if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2);
|
if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2);
|
||||||
|
|
||||||
shared_buf_len = (was_killed >> 8);
|
|
||||||
was_killed = (was_killed & 0xff);
|
|
||||||
|
|
||||||
/* If we stopped the child in persistent mode, but there was a race
|
/* If we stopped the child in persistent mode, but there was a race
|
||||||
condition and afl-fuzz already issued SIGKILL, write off the old
|
condition and afl-fuzz already issued SIGKILL, write off the old
|
||||||
process. */
|
process. */
|
||||||
|
|||||||
@ -162,7 +162,7 @@ static void log_x86_sp_content(void) {
|
|||||||
static void callback_to_persistent_hook(void) {
|
static void callback_to_persistent_hook(void) {
|
||||||
|
|
||||||
afl_persistent_hook_ptr(persistent_saved_gpr, guest_base, shared_buf,
|
afl_persistent_hook_ptr(persistent_saved_gpr, guest_base, shared_buf,
|
||||||
shared_buf_len);
|
*shared_buf_len);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -506,7 +506,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
|
|||||||
|
|
||||||
if ((status & FS_OPT_SHDMEM_FUZZ) == FS_OPT_SHDMEM_FUZZ) {
|
if ((status & FS_OPT_SHDMEM_FUZZ) == FS_OPT_SHDMEM_FUZZ) {
|
||||||
|
|
||||||
if (fsrv->support_shdmen_fuzz) {
|
if (fsrv->support_shmem_fuzz) {
|
||||||
|
|
||||||
fsrv->use_shdmen_fuzz = 1;
|
fsrv->use_shdmen_fuzz = 1;
|
||||||
if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); }
|
if (!be_quiet) { ACTF("Using SHARED MEMORY FUZZING feature."); }
|
||||||
@ -832,7 +832,7 @@ void afl_fsrv_write_to_testcase(afl_forkserver_t *fsrv, u8 *buf, size_t len) {
|
|||||||
if (fsrv->shmem_fuzz) {
|
if (fsrv->shmem_fuzz) {
|
||||||
|
|
||||||
memcpy(fsrv->shmem_fuzz, buf, len);
|
memcpy(fsrv->shmem_fuzz, buf, len);
|
||||||
fsrv->shmem_fuzz_len = len;
|
*fsrv->shmem_fuzz_len = len;
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
@ -894,8 +894,6 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
|
|||||||
|
|
||||||
MEM_BARRIER();
|
MEM_BARRIER();
|
||||||
|
|
||||||
if (fsrv->shmem_fuzz_len) write_value += (fsrv->shmem_fuzz_len << 8);
|
|
||||||
|
|
||||||
/* we have the fork server (or faux server) up and running
|
/* we have the fork server (or faux server) up and running
|
||||||
First, tell it if the previous run timed out. */
|
First, tell it if the previous run timed out. */
|
||||||
|
|
||||||
|
|||||||
@ -1960,7 +1960,8 @@ void setup_testcase_shmem(afl_state_t *afl) {
|
|||||||
afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
|
afl->shm_fuzz = ck_alloc(sizeof(sharedmem_t));
|
||||||
|
|
||||||
// we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
|
// we need to set the non-instrumented mode to not overwrite the SHM_ENV_VAR
|
||||||
if ((afl->fsrv.shmem_fuzz = afl_shm_init(afl->shm_fuzz, MAX_FILE, 1))) {
|
if ((afl->fsrv.shmem_fuzz =
|
||||||
|
afl_shm_init(afl->shm_fuzz, MAX_FILE + sizeof(int), 1))) {
|
||||||
|
|
||||||
#ifdef USEMMAP
|
#ifdef USEMMAP
|
||||||
setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
|
setenv(SHM_FUZZ_ENV_VAR, afl->shm_fuzz->g_shm_file_path, 1);
|
||||||
@ -1970,7 +1971,8 @@ void setup_testcase_shmem(afl_state_t *afl) {
|
|||||||
setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
|
setenv(SHM_FUZZ_ENV_VAR, shm_str, 1);
|
||||||
ck_free(shm_str);
|
ck_free(shm_str);
|
||||||
#endif
|
#endif
|
||||||
afl->fsrv.support_shdmen_fuzz = 1;
|
afl->fsrv.support_shmem_fuzz = 1;
|
||||||
|
afl->fsrv.shmem_fuzz_len = (u32 *)(afl->fsrv.shmem_fuzz + MAX_FILE);
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
|
|||||||
@ -232,12 +232,12 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
|
|||||||
afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
|
afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
|
||||||
afl->afl_env.afl_debug_child_output);
|
afl->afl_env.afl_debug_child_output);
|
||||||
|
|
||||||
if (afl->fsrv.support_shdmen_fuzz && !afl->fsrv.use_shdmen_fuzz) {
|
if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shdmen_fuzz) {
|
||||||
|
|
||||||
afl_shm_deinit(afl->shm_fuzz);
|
afl_shm_deinit(afl->shm_fuzz);
|
||||||
ck_free(afl->shm_fuzz);
|
ck_free(afl->shm_fuzz);
|
||||||
afl->shm_fuzz = NULL;
|
afl->shm_fuzz = NULL;
|
||||||
afl->fsrv.support_shdmen_fuzz = 0;
|
afl->fsrv.support_shmem_fuzz = 0;
|
||||||
afl->fsrv.shmem_fuzz = NULL;
|
afl->fsrv.shmem_fuzz = NULL;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@ -138,6 +138,20 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
|
|||||||
afl->orig_cmdline);
|
afl->orig_cmdline);
|
||||||
/* ignore errors */
|
/* ignore errors */
|
||||||
|
|
||||||
|
if (afl->debug) {
|
||||||
|
|
||||||
|
fprintf(f, "virgin_bytes :");
|
||||||
|
for (uint32_t i = 0; i < afl->fsrv.map_size; i++)
|
||||||
|
if (afl->virgin_bits[i] != 0xff)
|
||||||
|
fprintf(f, " %d[%02x]", i, afl->virgin_bits[i]);
|
||||||
|
fprintf(f, "\n");
|
||||||
|
fprintf(f, "var_bytes :");
|
||||||
|
for (uint32_t i = 0; i < afl->fsrv.map_size; i++)
|
||||||
|
if (afl->var_bytes[i]) fprintf(f, " %d", i);
|
||||||
|
fprintf(f, "\n");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
fclose(f);
|
fclose(f);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user