remove datalen in havoc

This commit is contained in:
van Hauser
2020-08-06 23:27:50 +02:00
parent d94681186d
commit e2434cf8c6
3 changed files with 58 additions and 56 deletions


@ -66,7 +66,7 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
#endif #endif
#ifndef MAP_FIXED_NOREPLACE #ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000 #define MAP_FIXED_NOREPLACE 0x100000
#endif #endif
#define MAX_DUMMY_SIZE 256000 #define MAX_DUMMY_SIZE 256000
@ -106,10 +106,10 @@ If 1, close stdout at startup. If 2 close stderr; if 3 close both.
#error "Support for your platform has not been implemented" #error "Support for your platform has not been implemented"
#endif #endif
int __afl_sharedmem_fuzzing = 1; int __afl_sharedmem_fuzzing = 1;
extern unsigned int * __afl_fuzz_len; extern unsigned int * __afl_fuzz_len;
extern unsigned char *__afl_fuzz_ptr; extern unsigned char * __afl_fuzz_ptr;
extern unsigned char *__afl_area_ptr; extern unsigned char * __afl_area_ptr;
extern struct cmp_map *__afl_cmp_map; extern struct cmp_map *__afl_cmp_map;
// libFuzzer interface is thin, so we don't include any libFuzzer headers. // libFuzzer interface is thin, so we don't include any libFuzzer headers.
@ -249,17 +249,21 @@ static int ExecuteFilesOnyByOne(int argc, char **argv) {
} }
__attribute__((constructor(10))) void __afl_protect(void) { __attribute__((constructor(10))) void __afl_protect(void) {
__afl_area_ptr = (unsigned char*) mmap((void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
if ((uint64_t)__afl_area_ptr == -1)
__afl_area_ptr = (unsigned char*) mmap((void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
if ((uint64_t)__afl_area_ptr == -1)
__afl_area_ptr = (unsigned char*) mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
__afl_cmp_map = (struct cmp_map *) __afl_area_ptr;
}
__afl_area_ptr = (unsigned char *)mmap(
(void *)0x10000, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
MAP_FIXED_NOREPLACE | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
if ((uint64_t)__afl_area_ptr == -1)
__afl_area_ptr = (unsigned char *)mmap((void *)0x10000, MAX_DUMMY_SIZE,
PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
if ((uint64_t)__afl_area_ptr == -1)
__afl_area_ptr =
(unsigned char *)mmap(NULL, MAX_DUMMY_SIZE, PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
__afl_cmp_map = (struct cmp_map *)__afl_area_ptr;
}
int main(int argc, char **argv) { int main(int argc, char **argv) {
@ -272,7 +276,8 @@ int main(int argc, char **argv) {
" %s INPUT_FILE1 [INPUT_FILE2 ... ]\n" " %s INPUT_FILE1 [INPUT_FILE2 ... ]\n"
"To fuzz with afl-fuzz execute this:\n" "To fuzz with afl-fuzz execute this:\n"
" afl-fuzz [afl-flags] -- %s [-N]\n" " afl-fuzz [afl-flags] -- %s [-N]\n"
"afl-fuzz will run N iterations before re-spawning the process (default: 1000)\n" "afl-fuzz will run N iterations before re-spawning the process (default: "
"1000)\n"
"======================================================\n", "======================================================\n",
argv[0], argv[0]); argv[0], argv[0]);
@ -280,9 +285,11 @@ int main(int argc, char **argv) {
maybe_duplicate_stderr(); maybe_duplicate_stderr();
maybe_close_fd_mask(); maybe_close_fd_mask();
if (LLVMFuzzerInitialize) { if (LLVMFuzzerInitialize) {
fprintf(stderr, "Running LLVMFuzzerInitialize ...\n"); fprintf(stderr, "Running LLVMFuzzerInitialize ...\n");
LLVMFuzzerInitialize(&argc, &argv); LLVMFuzzerInitialize(&argc, &argv);
fprintf(stderr, "continue...\n"); fprintf(stderr, "continue...\n");
} }
// Do any other expensive one-time initialization here. // Do any other expensive one-time initialization here.
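Review bot: The failure checks in __afl_protect (the hunk at -249) compare `(uint64_t)__afl_area_ptr == -1`, which only works where a pointer is 64 bits wide; on a 32-bit target the pointer zero-extends to 0xFFFFFFFF, never equals (uint64_t)-1, and a failed mmap is never retried. The third mmap(NULL, ...) is not checked at all, so when every attempt fails both __afl_area_ptr and __afl_cmp_map hold MAP_FAILED and the first coverage write faults. Compare against MAP_FAILED directly for the two retries, `if (__afl_area_ptr == MAP_FAILED)`, and after the last attempt fail loudly, e.g. `if (__afl_area_ptr == MAP_FAILED) { perror("mmap"); abort(); }` or whatever error path the driver uses elsewhere. Since kernels that do not know MAP_FIXED_NOREPLACE ignore the flag and may return a different address, a comment stating that the fallback chain deliberately tolerates the mapping landing somewhere other than 0x10000 would help the next reader.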


@ -101,7 +101,7 @@ __thread u32 __afl_cmp_counter;
int __afl_sharedmem_fuzzing __attribute__((weak)); int __afl_sharedmem_fuzzing __attribute__((weak));
struct cmp_map *__afl_cmp_map = (struct cmp_map *) __afl_area_initial; struct cmp_map *__afl_cmp_map = (struct cmp_map *)__afl_area_initial;
/* Running in persistent mode? */ /* Running in persistent mode? */


@ -1921,14 +1921,14 @@ havoc_stage:
/* Flip a single bit somewhere. Spooky! */ /* Flip a single bit somewhere. Spooky! */
FLIP_BIT(out_buf, rand_below_datalen(afl, temp_len << 3)); FLIP_BIT(out_buf, rand_below(afl, temp_len << 3));
break; break;
case 1: case 1:
/* Set byte to interesting value. */ /* Set byte to interesting value. */
out_buf[rand_below_datalen(afl, temp_len)] = out_buf[rand_below(afl, temp_len)] =
interesting_8[rand_below(afl, sizeof(interesting_8))]; interesting_8[rand_below(afl, sizeof(interesting_8))];
break; break;
@ -1940,12 +1940,12 @@ havoc_stage:
if (rand_below(afl, 2)) { if (rand_below(afl, 2)) {
*(u16 *)(out_buf + rand_below_datalen(afl, temp_len - 1)) = *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) =
interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]; interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)];
} else { } else {
*(u16 *)(out_buf + rand_below_datalen(afl, temp_len - 1)) = SWAP16( *(u16 *)(out_buf + rand_below(afl, temp_len - 1)) = SWAP16(
interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]); interesting_16[rand_below(afl, sizeof(interesting_16) >> 1)]);
} }
@ -1960,12 +1960,12 @@ havoc_stage:
if (rand_below(afl, 2)) { if (rand_below(afl, 2)) {
*(u32 *)(out_buf + rand_below_datalen(afl, temp_len - 3)) = *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) =
interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]; interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)];
} else { } else {
*(u32 *)(out_buf + rand_below_datalen(afl, temp_len - 3)) = SWAP32( *(u32 *)(out_buf + rand_below(afl, temp_len - 3)) = SWAP32(
interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]); interesting_32[rand_below(afl, sizeof(interesting_32) >> 2)]);
} }
@ -1976,16 +1976,14 @@ havoc_stage:
/* Randomly subtract from byte. */ /* Randomly subtract from byte. */
out_buf[rand_below_datalen(afl, temp_len)] -= out_buf[rand_below(afl, temp_len)] -= 1 + rand_below(afl, ARITH_MAX);
1 + rand_below(afl, ARITH_MAX);
break; break;
case 5: case 5:
/* Randomly add to byte. */ /* Randomly add to byte. */
out_buf[rand_below_datalen(afl, temp_len)] += out_buf[rand_below(afl, temp_len)] += 1 + rand_below(afl, ARITH_MAX);
1 + rand_below(afl, ARITH_MAX);
break; break;
case 6: case 6:
@ -1996,13 +1994,13 @@ havoc_stage:
if (rand_below(afl, 2)) { if (rand_below(afl, 2)) {
u32 pos = rand_below_datalen(afl, temp_len - 1); u32 pos = rand_below(afl, temp_len - 1);
*(u16 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX); *(u16 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX);
} else { } else {
u32 pos = rand_below_datalen(afl, temp_len - 1); u32 pos = rand_below(afl, temp_len - 1);
u16 num = 1 + rand_below(afl, ARITH_MAX); u16 num = 1 + rand_below(afl, ARITH_MAX);
*(u16 *)(out_buf + pos) = *(u16 *)(out_buf + pos) =
@ -2020,13 +2018,13 @@ havoc_stage:
if (rand_below(afl, 2)) { if (rand_below(afl, 2)) {
u32 pos = rand_below_datalen(afl, temp_len - 1); u32 pos = rand_below(afl, temp_len - 1);
*(u16 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX); *(u16 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX);
} else { } else {
u32 pos = rand_below_datalen(afl, temp_len - 1); u32 pos = rand_below(afl, temp_len - 1);
u16 num = 1 + rand_below(afl, ARITH_MAX); u16 num = 1 + rand_below(afl, ARITH_MAX);
*(u16 *)(out_buf + pos) = *(u16 *)(out_buf + pos) =
@ -2044,13 +2042,13 @@ havoc_stage:
if (rand_below(afl, 2)) { if (rand_below(afl, 2)) {
u32 pos = rand_below_datalen(afl, temp_len - 3); u32 pos = rand_below(afl, temp_len - 3);
*(u32 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX); *(u32 *)(out_buf + pos) -= 1 + rand_below(afl, ARITH_MAX);
} else { } else {
u32 pos = rand_below_datalen(afl, temp_len - 3); u32 pos = rand_below(afl, temp_len - 3);
u32 num = 1 + rand_below(afl, ARITH_MAX); u32 num = 1 + rand_below(afl, ARITH_MAX);
*(u32 *)(out_buf + pos) = *(u32 *)(out_buf + pos) =
@ -2068,13 +2066,13 @@ havoc_stage:
if (rand_below(afl, 2)) { if (rand_below(afl, 2)) {
u32 pos = rand_below_datalen(afl, temp_len - 3); u32 pos = rand_below(afl, temp_len - 3);
*(u32 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX); *(u32 *)(out_buf + pos) += 1 + rand_below(afl, ARITH_MAX);
} else { } else {
u32 pos = rand_below_datalen(afl, temp_len - 3); u32 pos = rand_below(afl, temp_len - 3);
u32 num = 1 + rand_below(afl, ARITH_MAX); u32 num = 1 + rand_below(afl, ARITH_MAX);
*(u32 *)(out_buf + pos) = *(u32 *)(out_buf + pos) =
@ -2090,8 +2088,7 @@ havoc_stage:
why not. We use XOR with 1-255 to eliminate the why not. We use XOR with 1-255 to eliminate the
possibility of a no-op. */ possibility of a no-op. */
out_buf[rand_below_datalen(afl, temp_len)] ^= out_buf[rand_below(afl, temp_len)] ^= 1 + rand_below(afl, 255);
1 + rand_below(afl, 255);
break; break;
case 11 ... 12: { case 11 ... 12: {
@ -2108,7 +2105,7 @@ havoc_stage:
del_len = choose_block_len(afl, temp_len - 1); del_len = choose_block_len(afl, temp_len - 1);
del_from = rand_below_datalen(afl, temp_len - del_len + 1); del_from = rand_below(afl, temp_len - del_len + 1);
memmove(out_buf + del_from, out_buf + del_from + del_len, memmove(out_buf + del_from, out_buf + del_from + del_len,
temp_len - del_from - del_len); temp_len - del_from - del_len);
@ -2132,7 +2129,7 @@ havoc_stage:
if (actually_clone) { if (actually_clone) {
clone_len = choose_block_len(afl, temp_len); clone_len = choose_block_len(afl, temp_len);
clone_from = rand_below_datalen(afl, temp_len - clone_len + 1); clone_from = rand_below(afl, temp_len - clone_len + 1);
} else { } else {
@ -2141,7 +2138,7 @@ havoc_stage:
} }
clone_to = rand_below_datalen(afl, temp_len); clone_to = rand_below(afl, temp_len);
new_buf = new_buf =
ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len); ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len);
@ -2159,9 +2156,8 @@ havoc_stage:
} else { } else {
memset(new_buf + clone_to, memset(new_buf + clone_to,
rand_below(afl, 2) rand_below(afl, 2) ? rand_below(afl, 256)
? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)],
: out_buf[rand_below_datalen(afl, temp_len)],
clone_len); clone_len);
} }
@ -2190,8 +2186,8 @@ havoc_stage:
copy_len = choose_block_len(afl, temp_len - 1); copy_len = choose_block_len(afl, temp_len - 1);
copy_from = rand_below_datalen(afl, temp_len - copy_len + 1); copy_from = rand_below(afl, temp_len - copy_len + 1);
copy_to = rand_below_datalen(afl, temp_len - copy_len + 1); copy_to = rand_below(afl, temp_len - copy_len + 1);
if (rand_below(afl, 4)) { if (rand_below(afl, 4)) {
@ -2204,9 +2200,8 @@ havoc_stage:
} else { } else {
memset(out_buf + copy_to, memset(out_buf + copy_to,
rand_below(afl, 2) rand_below(afl, 2) ? rand_below(afl, 256)
? rand_below(afl, 256) : out_buf[rand_below(afl, temp_len)],
: out_buf[rand_below_datalen(afl, temp_len)],
copy_len); copy_len);
} }
@ -2238,7 +2233,7 @@ havoc_stage:
if (extra_len > temp_len) { break; } if (extra_len > temp_len) { break; }
insert_at = rand_below_datalen(afl, temp_len - extra_len + 1); insert_at = rand_below(afl, temp_len - extra_len + 1);
memcpy(out_buf + insert_at, afl->a_extras[use_extra].data, memcpy(out_buf + insert_at, afl->a_extras[use_extra].data,
extra_len); extra_len);
@ -2252,7 +2247,7 @@ havoc_stage:
if (extra_len > temp_len) { break; } if (extra_len > temp_len) { break; }
insert_at = rand_below_datalen(afl, temp_len - extra_len + 1); insert_at = rand_below(afl, temp_len - extra_len + 1);
memcpy(out_buf + insert_at, afl->extras[use_extra].data, memcpy(out_buf + insert_at, afl->extras[use_extra].data,
extra_len); extra_len);
@ -2263,7 +2258,7 @@ havoc_stage:
} else { // case 16 } else { // case 16
u32 use_extra, extra_len, u32 use_extra, extra_len,
insert_at = rand_below_datalen(afl, temp_len + 1); insert_at = rand_below(afl, temp_len + 1);
u8 *ptr; u8 *ptr;
/* Insert an extra. Do the same dice-rolling stuff as for the /* Insert an extra. Do the same dice-rolling stuff as for the
@ -2367,8 +2362,8 @@ havoc_stage:
copy_len = choose_block_len(afl, new_len - 1); copy_len = choose_block_len(afl, new_len - 1);
if (copy_len > temp_len) copy_len = temp_len; if (copy_len > temp_len) copy_len = temp_len;
copy_from = rand_below_datalen(afl, new_len - copy_len + 1); copy_from = rand_below(afl, new_len - copy_len + 1);
copy_to = rand_below_datalen(afl, temp_len - copy_len + 1); copy_to = rand_below(afl, temp_len - copy_len + 1);
memmove(out_buf + copy_to, new_buf + copy_from, copy_len); memmove(out_buf + copy_to, new_buf + copy_from, copy_len);
@ -2377,9 +2372,9 @@ havoc_stage:
u32 clone_from, clone_to, clone_len; u32 clone_from, clone_to, clone_len;
clone_len = choose_block_len(afl, new_len); clone_len = choose_block_len(afl, new_len);
clone_from = rand_below_datalen(afl, new_len - clone_len + 1); clone_from = rand_below(afl, new_len - clone_len + 1);
clone_to = rand_below_datalen(afl, temp_len); clone_to = rand_below(afl, temp_len);
u8 *temp_buf = u8 *temp_buf =
ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len); ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len);
@ -2528,7 +2523,7 @@ retry_splicing:
/* Split somewhere between the first and last differing byte. */ /* Split somewhere between the first and last differing byte. */
split_at = f_diff + rand_below_datalen(afl, l_diff - f_diff); split_at = f_diff + rand_below(afl, l_diff - f_diff);
/* Do the thing. */ /* Do the thing. */
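Review bot: Every call site switches from rand_below_datalen to rand_below, but none of the three files in this commit visibly removes or changes rand_below_datalen itself, so if its definition survives this change it is now dead code and should be dropped in the same commit (or its retention explained). The substitution is also applied in retry_splicing at `split_at = f_diff + rand_below(afl, l_diff - f_diff);`, which is outside the havoc stage the title describes and deserves a mention in the commit message. The limits passed, such as `temp_len - 1`, `temp_len - 3` and `l_diff - f_diff`, are unsigned and rely on guards that lie outside these hunks; if rand_below_datalen treated small or zero limits differently from rand_below, that edge behaviour changes silently, so a one-line comment at each size-dependent case naming the minimum temp_len its guard enforces would make the contract explicit. The havoc_stage switch that holds these cases begins and ends outside the visible hunks.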