code format

Dominik Maier
2020-03-27 23:30:15 +01:00
parent 3d6c58df53
commit e71c2937de
10 changed files with 66 additions and 55 deletions


@ -149,6 +149,7 @@ size_t afl_custom_pre_save(my_mutator_t *data, uint8_t *buf, size_t buf_size,
data->pre_save_size = buf_size + 5; data->pre_save_size = buf_size + 5;
} }
*out_buf = data->pre_save_buf; *out_buf = data->pre_save_buf;
memcpy(*out_buf + 5, buf, buf_size); memcpy(*out_buf + 5, buf, buf_size);


@ -583,27 +583,26 @@ typedef struct afl_state {
u8 clean_trace_custom[MAP_SIZE]; u8 clean_trace_custom[MAP_SIZE];
u8 first_trace[MAP_SIZE]; u8 first_trace[MAP_SIZE];
/*needed for afl_fuzz_one */ /*needed for afl_fuzz_one */
// TODO: see which we can reuse // TODO: see which we can reuse
u8 *out_buf; u8 * out_buf;
size_t out_size; size_t out_size;
u8 *out_scratch_buf; u8 * out_scratch_buf;
size_t out_scratch_size; size_t out_scratch_size;
u8 *eff_buf; u8 * eff_buf;
size_t eff_size; size_t eff_size;
u8 *in_buf; u8 * in_buf;
size_t in_size; size_t in_size;
u8 *in_scratch_buf; u8 * in_scratch_buf;
size_t in_scratch_size; size_t in_scratch_size;
u8 *ex_buf; u8 * ex_buf;
size_t ex_size; size_t ex_size;
} afl_state_t; } afl_state_t;
/* A global pointer to all instances is needed (for now) for signals to arrive /* A global pointer to all instances is needed (for now) for signals to arrive


@ -774,7 +774,8 @@ static inline void TRK_ck_free(void *ptr, const char *file, const char *func,
Will FATAL if size_needed is <1 or *size is negative. Will FATAL if size_needed is <1 or *size is negative.
@return For convenience, this function returns *buf. @return For convenience, this function returns *buf.
*/ */
static inline void *ck_maybe_grow(void **buf, size_t *size, size_t size_needed) { static inline void *ck_maybe_grow(void **buf, size_t *size,
size_t size_needed) {
/* Oops. found a bug? */ /* Oops. found a bug? */
if (unlikely(size_needed < 1)) FATAL("cannot grow to non-positive size"); if (unlikely(size_needed < 1)) FATAL("cannot grow to non-positive size");
@ -785,21 +786,27 @@ static inline void *ck_maybe_grow(void **buf, size_t *size, size_t size_needed)
/* No inital size was set */ /* No inital size was set */
if (*size == 0) *size = INITIAL_GROWTH_SIZE; if (*size == 0) *size = INITIAL_GROWTH_SIZE;
while (*size < size_needed) { while (*size < size_needed) {
*size *= 2; *size *= 2;
} }
*buf = ck_realloc(*buf, *size); *buf = ck_realloc(*buf, *size);
return *buf; return *buf;
} }
/* Swaps buf1 ptr and buf2 ptr, as well as their sizes */ /* Swaps buf1 ptr and buf2 ptr, as well as their sizes */
static inline void swap_bufs(void **buf1, size_t *size1, void **buf2, size_t *size2) { static inline void swap_bufs(void **buf1, size_t *size1, void **buf2,
void *scratch_buf = *buf1; size_t *size2) {
void * scratch_buf = *buf1;
size_t scratch_size = *size1; size_t scratch_size = *size1;
*buf1 = *buf2; *buf1 = *buf2;
*size1 = *size2; *size1 = *size2;
*buf2 = scratch_buf; *buf2 = scratch_buf;
*size2 = scratch_size; *size2 = scratch_size;
} }
#undef INITIAL_GROWTH_SIZE #undef INITIAL_GROWTH_SIZE
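Review bot: The doubling loop in ck_maybe_grow, `while (*size < size_needed) { *size *= 2; }`, has no overflow guard: for a size_needed above half of SIZE_MAX the multiplication wraps, *size eventually reaches 0 and the loop never exits. A guard before the loop, e.g. `if (unlikely(size_needed > SIZE_MAX / 2)) FATAL("requested buffer size too large");`, would turn that hang into a clean abort. The doc comment above also says the function will FATAL if *size is negative, which cannot happen for a size_t, so that sentence could be dropped. Part of the function body lies between the two hunks and is not shown, so an existing bound there cannot be ruled out.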


@ -397,15 +397,15 @@ static void edit_params(u32 argc, char **argv, char **envp) {
if (getenv("AFL_USE_CFISAN")) { if (getenv("AFL_USE_CFISAN")) {
if (!lto_mode) { if (!lto_mode) {
uint32_t i = 0, found = 0; uint32_t i = 0, found = 0;
while (envp[i] != NULL && !found) while (envp[i] != NULL && !found)
if (strncmp("-flto", envp[i++], 5) == 0) if (strncmp("-flto", envp[i++], 5) == 0) found = 1;
found = 1;
if (!found) cc_params[cc_par_cnt++] = "-flto"; if (!found) cc_params[cc_par_cnt++] = "-flto";
} }
cc_params[cc_par_cnt++] = "-fsanitize=cfi"; cc_params[cc_par_cnt++] = "-fsanitize=cfi";
cc_params[cc_par_cnt++] = "-fvisibility=hidden"; cc_params[cc_par_cnt++] = "-fvisibility=hidden";
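Review bot: The `-flto` check in the AFL_USE_CFISAN branch of edit_params walks `envp`, whose entries are environment strings of the form NAME=value, so `strncmp("-flto", envp[i++], 5)` is unlikely ever to match and `-flto` gets appended even when the caller already passed it. If the intent is to detect the flag on the compiler command line, the loop should probably scan the arguments instead, e.g. `for (i = 1; i < argc && !found; i++) if (!strncmp(argv[i], "-flto", 5)) found = 1;`. edit_params starts and continues outside this hunk, so an argv scan elsewhere in the function cannot be ruled out.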


@ -132,8 +132,11 @@ class AFLCoverage : public ModulePass {
char AFLCoverage::ID = 0; char AFLCoverage::ID = 0;
/* needed up to 3.9.0 */ /* needed up to 3.9.0 */
#if LLVM_VERSION_MAJOR == 3 && (LLVM_VERSION_MINOR < 9 || (LLVM_VERSION_MINOR == 9 && LLVM_VERSION_PATCH < 1)) #if LLVM_VERSION_MAJOR == 3 && \
(LLVM_VERSION_MINOR < 9 || \
(LLVM_VERSION_MINOR == 9 && LLVM_VERSION_PATCH < 1))
uint64_t PowerOf2Ceil(unsigned in) { uint64_t PowerOf2Ceil(unsigned in) {
uint64_t in64 = in - 1; uint64_t in64 = in - 1;
in64 |= (in64 >> 1); in64 |= (in64 >> 1);
in64 |= (in64 >> 2); in64 |= (in64 >> 2);
@ -142,7 +145,9 @@ uint64_t PowerOf2Ceil(unsigned in) {
in64 |= (in64 >> 16); in64 |= (in64 >> 16);
in64 |= (in64 >> 32); in64 |= (in64 >> 32);
return in64 + 1; return in64 + 1;
} }
#endif #endif
bool AFLCoverage::runOnModule(Module &M) { bool AFLCoverage::runOnModule(Module &M) {


@ -31,7 +31,7 @@
void write_bitmap(afl_state_t *afl) { void write_bitmap(afl_state_t *afl) {
u8 fname[PATH_MAX]; u8 fname[PATH_MAX];
s32 fd; s32 fd;
if (!afl->bitmap_changed) return; if (!afl->bitmap_changed) return;
@ -461,7 +461,7 @@ u8 *describe_op(afl_state_t *afl, u8 hnb) {
static void write_crash_readme(afl_state_t *afl) { static void write_crash_readme(afl_state_t *afl) {
u8 fn[PATH_MAX]; u8 fn[PATH_MAX];
s32 fd; s32 fd;
FILE *f; FILE *f;
@ -558,12 +558,13 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
queue_fn = alloc_printf("%s/queue/id:%06u,%s", afl->out_dir, afl->queued_paths, queue_fn = alloc_printf("%s/queue/id:%06u,%s", afl->out_dir,
describe_op(afl, hnb)); afl->queued_paths, describe_op(afl, hnb));
#else #else
queue_fn = alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths); queue_fn =
alloc_printf("%s/queue/id_%06u", afl->out_dir, afl->queued_paths);
#endif /* ^!SIMPLE_FILES */ #endif /* ^!SIMPLE_FILES */
@ -645,11 +646,12 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir, snprintf(fn, PATH_MAX, "%s/hangs/id:%06llu,%s", afl->out_dir,
afl->unique_hangs, describe_op(afl, 0)); afl->unique_hangs, describe_op(afl, 0));
#else #else
snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir, afl->unique_hangs); snprintf(fn, PATH_MAX, "%s/hangs/id_%06llu", afl->out_dir,
afl->unique_hangs);
#endif /* ^!SIMPLE_FILES */ #endif /* ^!SIMPLE_FILES */
@ -687,11 +689,13 @@ u8 save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
#ifndef SIMPLE_FILES #ifndef SIMPLE_FILES
snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir, afl->unique_crashes, afl->kill_signal, describe_op(afl, 0)); snprintf(fn, PATH_MAX, "%s/crashes/id:%06llu,sig:%02u,%s", afl->out_dir,
afl->unique_crashes, afl->kill_signal, describe_op(afl, 0));
#else #else
snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir, afl->unique_crashes, afl->kill_signal); snprintf(fn, PATH_MAX, "%s/crashes/id_%06llu_%02u", afl->out_dir,
afl->unique_crashes, afl->kill_signal);
#endif /* ^!SIMPLE_FILES */ #endif /* ^!SIMPLE_FILES */


@ -76,7 +76,7 @@ void bind_to_free_cpu(afl_state_t *afl) {
while ((de = readdir(d))) { while ((de = readdir(d))) {
u8 fn[PATH_MAX]; u8 fn[PATH_MAX];
FILE *f; FILE *f;
u8 tmp[MAX_LINE]; u8 tmp[MAX_LINE];
u8 has_vmsize = 0; u8 has_vmsize = 0;
@ -85,11 +85,7 @@ void bind_to_free_cpu(afl_state_t *afl) {
snprintf(fn, PATH_MAX, "/proc/%s/status", de->d_name); snprintf(fn, PATH_MAX, "/proc/%s/status", de->d_name);
if (!(f = fopen(fn, "r"))) { if (!(f = fopen(fn, "r"))) { continue; }
continue;
}
while (fgets(tmp, MAX_LINE, f)) { while (fgets(tmp, MAX_LINE, f)) {
@ -368,7 +364,8 @@ void read_testcases(afl_state_t *afl) {
struct stat st; struct stat st;
u8 dfn[PATH_MAX]; u8 dfn[PATH_MAX];
snprintf(dfn, PATH_MAX, "%s/.state/deterministic_done/%s", afl->in_dir, nl[i]->d_name); snprintf(dfn, PATH_MAX, "%s/.state/deterministic_done/%s", afl->in_dir,
nl[i]->d_name);
u8 *fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name); u8 *fn2 = alloc_printf("%s/%s", afl->in_dir, nl[i]->d_name);
u8 passed_det = 0; u8 passed_det = 0;


@ -1957,7 +1957,9 @@ havoc_stage:
clone_to = rand_below(afl, temp_len); clone_to = rand_below(afl, temp_len);
new_buf = ck_maybe_grow((void **)&afl->out_scratch_buf, &afl->out_scratch_size, temp_len + clone_len); new_buf =
ck_maybe_grow((void **)&afl->out_scratch_buf,
&afl->out_scratch_size, temp_len + clone_len);
/* Head */ /* Head */
@ -1977,8 +1979,8 @@ havoc_stage:
memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
temp_len - clone_to); temp_len - clone_to);
swap_bufs((void **)&afl->out_buf, &afl->out_size,
swap_bufs((void **)&afl->out_buf, &afl->out_size, (void **)&afl->out_scratch_buf, &afl->out_scratch_size); (void **)&afl->out_scratch_buf, &afl->out_scratch_size);
out_buf = new_buf; out_buf = new_buf;
temp_len += clone_len; temp_len += clone_len;
@ -2072,7 +2074,8 @@ havoc_stage:
if (temp_len + extra_len >= MAX_FILE) break; if (temp_len + extra_len >= MAX_FILE) break;
new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + extra_len); new_buf =
ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + extra_len);
/* Head */ /* Head */
memcpy(new_buf, out_buf, insert_at); memcpy(new_buf, out_buf, insert_at);
@ -2088,7 +2091,8 @@ havoc_stage:
if (temp_len + extra_len >= MAX_FILE) break; if (temp_len + extra_len >= MAX_FILE) break;
new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + extra_len); new_buf =
ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + extra_len);
/* Head */ /* Head */
memcpy(new_buf, out_buf, insert_at); memcpy(new_buf, out_buf, insert_at);
@ -2236,11 +2240,7 @@ retry_splicing:
locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff); locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff);
if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { goto retry_splicing; }
goto retry_splicing;
}
/* Split somewhere between the first and last differing byte. */ /* Split somewhere between the first and last differing byte. */
@ -2308,11 +2308,7 @@ radamsa_stage:
} }
if (common_fuzz_stuff(afl, tmp_buf, temp_len)) { if (common_fuzz_stuff(afl, tmp_buf, temp_len)) { goto abandon_entry; }
goto abandon_entry;
}
} }
@ -3885,7 +3881,8 @@ pacemaker_fuzzing:
clone_to = rand_below(afl, temp_len); clone_to = rand_below(afl, temp_len);
new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch), temp_len + clone_len); new_buf = ck_maybe_grow(BUF_PARAMS(out_scratch),
temp_len + clone_len);
/* Head */ /* Head */
@ -4399,7 +4396,6 @@ u8 fuzz_one(afl_state_t *afl) {
return key_val_lv; return key_val_lv;
#undef BUF_PARAMS #undef BUF_PARAMS
} }


@ -30,10 +30,11 @@
void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) { void mark_as_det_done(afl_state_t *afl, struct queue_entry *q) {
u8 fn[PATH_MAX]; u8 fn[PATH_MAX];
s32 fd; s32 fd;
snprintf(fn, PATH_MAX, "%s/queue/.state/deterministic_done/%s", afl->out_dir, strrchr(q->fname, '/') + 1); snprintf(fn, PATH_MAX, "%s/queue/.state/deterministic_done/%s", afl->out_dir,
strrchr(q->fname, '/') + 1);
fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", fn); if (fd < 0) PFATAL("Unable to create '%s'", fn);
@ -79,7 +80,8 @@ void mark_as_redundant(afl_state_t *afl, struct queue_entry *q, u8 state) {
q->fs_redundant = state; q->fs_redundant = state;
sprintf(fn, "%s/queue/.state/redundant_edges/%s", afl->out_dir, strrchr(q->fname, '/') + 1); sprintf(fn, "%s/queue/.state/redundant_edges/%s", afl->out_dir,
strrchr(q->fname, '/') + 1);
if (state) { if (state) {
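Review bot: mark_as_redundant still builds its path with an unbounded `sprintf(fn, ...)`, while mark_as_det_done in the same file section uses `snprintf(fn, PATH_MAX, ...)`; a long out_dir or queue file name could write past fn. Assuming fn is a PATH_MAX-sized array here as in the sibling function (its declaration is outside the hunk), the call should be `snprintf(fn, PATH_MAX, "%s/queue/.state/redundant_edges/%s", afl->out_dir, strrchr(q->fname, '/') + 1);`. Both functions also add 1 to the result of strrchr without a NULL check, which presumes q->fname always contains a '/'.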


@ -33,7 +33,7 @@ void write_stats_file(afl_state_t *afl, double bitmap_cvg, double stability,
struct rusage rus; struct rusage rus;
unsigned long long int cur_time = get_cur_time(); unsigned long long int cur_time = get_cur_time();
u8 fn[PATH_MAX]; u8 fn[PATH_MAX];
s32 fd; s32 fd;
FILE * f; FILE * f;