ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-06 15:21:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

code format

Browse Source
This commit is contained in:
vanhauser-thc 2025-02-10 13:29:22 +01:00
parent 287edf2754
commit ecaddc09e8
15 changed files with 70 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
include/asanfuzz.h
View File

@ -7,9 +7,9 @@
Forkserver design by Jann Horn <jannhorn@googlemail.com>
Now maintained by Marc Heuse <mh@mh-sec.de>,
Heiko Eißfeldt <heiko.eissfeldt@hexco.de>,
Dominik Maier <mail@dmnk.co>,
Andrea Fioraldi <andreafioraldi@gmail.com>,
Dominik Maier <mail@dmnk.co>
Heiko Eissfeldt <heiko.eissfeldt@hexco.de>
Copyright 2016, 2017 Google Inc. All rights reserved.
Copyright 2019-2023 AFLplusplus Project. All rights reserved.
@ -36,9 +36,13 @@
#define NON_COV_INCREASE_BUG (1 << 5)
enum SanitizerAbstraction {
SIMPLIFY_TRACE = 0, // Feed all unique trace to sanitizers, the most sensitive
SIMPLIFY_TRACE = 0, // Feed all unique trace to sanitizers, the
// most sensitive
UNIQUE_TRACE,
COVERAGE_INCREASE // Feed all coverage increasing cases to sanitizers, the least sensitive
COVERAGE_INCREASE // Feed all coverage increasing cases to sanitizers, the
// least sensitive
};
/* Execs the child */

5
include/common.h
View File

@ -76,8 +76,9 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname);
int parse_afl_kill_signal(u8 *numeric_signal_as_str, int default_signal);
/* Configure the signals that are used to kill the forkserver
and the forked children. If `afl_kill_signal_env` or `afl_fsrv_kill_signal_env`
is NULL, the appropriate values are read from the environment. */
and the forked children. If `afl_kill_signal_env` or
`afl_fsrv_kill_signal_env` is NULL, the appropriate values are read from the
environment. */
void configure_afl_kill_signals(afl_forkserver_t *fsrv,
char *afl_kill_signal_env,
char *afl_fsrv_kill_signal_env,

3
include/envs.h
View File

@ -118,8 +118,7 @@ static char *afl_environment_variables[] = {
"AFL_CFISAN_VERBOSE", "AFL_USE_LSAN", "AFL_WINE_PATH", "AFL_NO_SNAPSHOT",
"AFL_EXPAND_HAVOC_NOW", "AFL_USE_FASAN", "AFL_USE_QASAN",
"AFL_PRINT_FILENAMES", "AFL_PIZZA_MODE", "AFL_NO_FASTRESUME",
"AFL_SAN_ABSTRACTION", "AFL_SAN_NO_INST", "AFL_SAN_RECOVER", NULL
};
"AFL_SAN_ABSTRACTION", "AFL_SAN_NO_INST", "AFL_SAN_RECOVER", NULL};
extern char *afl_environment_variables[];

3
include/forkserver.h
View File

@ -159,7 +159,8 @@ typedef struct afl_forkserver {
bool debug; /* debug mode? */
u8 san_but_not_instrumented; /* Is it sanitizer enabled but not instrumented? */
u8 san_but_not_instrumented; /* Is it sanitizer enabled but not instrumented?
*/
bool uses_crash_exitcode; /* Custom crash exitcode specified? */
u8 crash_exitcode; /* The crash exitcode specified */

17
instrumentation/SanitizerCoverageLTO.so.cc
View File

@ -328,13 +328,16 @@ class ModuleSanitizerCoverageLTOLegacyPass : public ModulePass {
};
if (!getenv("AFL_SAN_NO_INST")) {
return ModuleSancov.instrumentModule(M, DTCallback, PDTCallback);
} else {
if (getenv("AFL_DEBUG")) {
DEBUGF("Instrument disabled\n");
}
if (getenv("AFL_DEBUG")) { DEBUGF("Instrument disabled\n"); }
return false;
}
}
private:
@ -387,12 +390,14 @@ PreservedAnalyses ModuleSanitizerCoverageLTO::run(Module &M,
};
if (!getenv("AFL_SAN_NO_INST")) {
if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback))
return PreservedAnalyses::none();
} else {
if (debug) {
DEBUGF("Instrument disabled\n");
}
if (debug) { DEBUGF("Instrument disabled\n"); }
}
return PreservedAnalyses::all();

12
instrumentation/SanitizerCoveragePCGUARD.so.cc
View File

@ -262,15 +262,19 @@ PreservedAnalyses ModuleSanitizerCoverageAFL::run(Module &M,
};
// TODO: Support LTO or llvm classic?
// Note we still need afl-compiler-rt so we just disable the instrumentation here.
// Note we still need afl-compiler-rt so we just disable the instrumentation
// here.
if (!getenv("AFL_SAN_NO_INST")) {
if (ModuleSancov.instrumentModule(M, DTCallback, PDTCallback))
return PreservedAnalyses::none();
} else {
if (getenv("AFL_DEBUG")) {
DEBUGF("Instrument disabled\n");
}
if (getenv("AFL_DEBUG")) { DEBUGF("Instrument disabled\n"); }
}
return PreservedAnalyses::all();
}

14
instrumentation/afl-llvm-pass.so.cc
View File

@ -225,18 +225,20 @@ bool AFLCoverage::runOnModule(Module &M) {
#if LLVM_VERSION_MAJOR >= 11 /* use new pass manager */
if (getenv("AFL_SAN_NO_INST")) {
if (debug) {
fprintf(stderr, "Instrument disabled\n");
}
if (debug) { fprintf(stderr, "Instrument disabled\n"); }
return PreservedAnalyses::all();
}
#else
if (getenv("AFL_SAN_NO_INST")) {
if (debug) {
fprintf(stderr, "Instrument disabled\n");
}
if (debug) { fprintf(stderr, "Instrument disabled\n"); }
return true;
}
#endif
if ((isatty(2) && !getenv("AFL_QUIET")) || getenv("AFL_DEBUG") != NULL) {

5
src/afl-forkserver.c
View File

@ -1918,8 +1918,10 @@ fsrv_run_result_t __attribute__((hot)) afl_fsrv_run_target(
must prevent any earlier operations from venturing into that
territory. */
/* If the binary is not instrumented, we don't care about the coverage. Make it a bit faster */
/* If the binary is not instrumented, we don't care about the coverage. Make
* it a bit faster */
if (!fsrv->san_but_not_instrumented) {
#ifdef __linux__
if (likely(!fsrv->nyx_mode)) {
@ -1932,6 +1934,7 @@ fsrv_run_result_t __attribute__((hot)) afl_fsrv_run_target(
memset(fsrv->trace_bits, 0, fsrv->map_size);
MEM_BARRIER();
#endif
}
/* we have the fork server (or faux server) up and running

4
src/afl-fuzz-bitmap.c
View File

@ -543,8 +543,8 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
simplify_trace(afl, afl->san_fsrvs[0].trace_bits);
// Note: Original SAND implementation used XXHASH32
cksum_simplified = hash32(afl->san_fsrvs[0].trace_bits,
afl->fsrv.map_size, HASH_CONST);
cksum_simplified =
hash32(afl->san_fsrvs[0].trace_bits, afl->fsrv.map_size, HASH_CONST);
if (unlikely(!bitmap_read(afl->simplified_n_fuzz, cksum_simplified))) {

10
src/afl-fuzz-init.c
View File

@ -2328,16 +2328,20 @@ void setup_dirs_fds(afl_state_t *afl) {
afl->fsrv.plot_file = fdopen(fd, "w");
if (!afl->fsrv.plot_file) { PFATAL("fdopen() failed"); }
fprintf(
afl->fsrv.plot_file,
fprintf(afl->fsrv.plot_file,
"# relative_time, cycles_done, cur_item, corpus_count, "
"pending_total, pending_favs, map_size, saved_crashes, "
"saved_hangs, max_depth, execs_per_sec, total_execs, edges_found, total_crashes, servers_count");
"saved_hangs, max_depth, execs_per_sec, total_execs, edges_found, "
"total_crashes, servers_count");
if (afl->san_binary_length) {
for (u8 i = 0; i < afl->san_binary_length; i++) {
fprintf(afl->fsrv.plot_file, ", sand_fsrv%u_exec", i);
}
}
fprintf(afl->fsrv.plot_file, "\n");

4
src/afl-fuzz-sanfuzz.c
View File

@ -32,7 +32,8 @@
void sanfuzz_exec_child(afl_forkserver_t *fsrv, char **argv) {
if (!fsrv->qemu_mode && !fsrv->frida_mode && argv[0] != fsrv->asanfuzz_binary) {
if (!fsrv->qemu_mode && !fsrv->frida_mode &&
argv[0] != fsrv->asanfuzz_binary) {
argv[0] = fsrv->asanfuzz_binary;
@ -41,3 +42,4 @@ void sanfuzz_exec_child(afl_forkserver_t *fsrv, char **argv) {
execv(fsrv->target_path, argv);
}

7
src/afl-fuzz.c
View File

@ -2249,7 +2249,9 @@ int main(int argc, char **argv_orig, char **envp) {
// so that we won't overwrite target_path.
// Lazymio: why does cmplog fsrv even work?!
for (u8 i = 0; i < afl->san_binary_length; i++) {
check_binary(afl, afl->san_binary[i]);
}
check_binary(afl, argv[optind]);
@ -3611,11 +3613,10 @@ stop_fuzzing:
ck_free(afl->san_fsrvs[i].trace_bits);
afl_fsrv_deinit(&afl->san_fsrvs[i]);
}
if (afl->cmplog_binary) {
afl_fsrv_deinit(&afl->cmplog_fsrv);
}
if (afl->cmplog_binary) { afl_fsrv_deinit(&afl->cmplog_fsrv); }
/* remove tmpfile */
if (!afl->in_place_resume && afl->fsrv.out_file) {

1
src/afl-performance.c
View File

@ -424,3 +424,4 @@ char *sha1_hex_for_file(const char *fname, u32 len) {
return hex;
}