ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-17 12:18:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fixed #317

Browse Source
This commit is contained in:
Dominik Maier
2020-04-14 17:21:15 +02:00
parent 8440aaea5a
commit f4436f118c
4 changed files with 37 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
llvm_mode/afl-llvm-rt.o.c
View File

@ -671,6 +671,7 @@ void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2) {
hits &= CMP_MAP_H - 1; hits &= CMP_MAP_H - 1;
__afl_cmp_map->log[k][hits].v0 = arg1; __afl_cmp_map->log[k][hits].v0 = arg1;
__afl_cmp_map->log[k][hits].v1 = arg2; __afl_cmp_map->log[k][hits].v1 = arg2;
} }
void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) { void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2) {

2
qemu_mode/patches/afl-qemu-tcg-runtime-inl.h
View File

@ -108,7 +108,7 @@ void HELPER(afl_compcov_64)(target_ulong cur_loc, target_ulong arg1,
} }
void HELPER(afl_cmplog_8)(target_ulong cur_loc, target_ulong arg1, void HELPER(afl_cmplog_8)(target_ulong cur_loc, target_ulong arg1,
target_ulong arg2) { target_ulong arg2) {
register uintptr_t k = (uintptr_t)cur_loc; register uintptr_t k = (uintptr_t)cur_loc;

46
src/afl-fuzz-redqueen.c
View File

@ -121,30 +121,37 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
afl->stage_cur < afl->stage_max) { afl->stage_cur < afl->stage_max) {
u32 s = rng->end - rng->start; u32 s = rng->end - rng->start;
if (s == 0) goto empty_range;
memcpy(backup, buf + rng->start, s); if (s != 0) {
rand_replace(afl, buf + rng->start, s);
u32 cksum; /* Range not empty */
u64 start_us = get_cur_time_us();
if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) goto checksum_fail;
u64 stop_us = get_cur_time_us();
/* Discard if the mutations change the paths or if it is too decremental memcpy(backup, buf + rng->start, s);
in speed */ rand_replace(afl, buf + rng->start, s);
if (cksum != exec_cksum ||
(stop_us - start_us > 2 * afl->queue_cur->exec_us)) {
ranges = add_range(ranges, rng->start, rng->start + s / 2); u32 cksum;
ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end); u64 start_us = get_cur_time_us();
memcpy(buf + rng->start, backup, s); if (unlikely(get_exec_checksum(afl, buf, len, &cksum))) goto checksum_fail;
} else u64 stop_us = get_cur_time_us();
needs_write = 1; /* Discard if the mutations change the paths or if it is too decremental
in speed */
if (cksum != exec_cksum ||
(stop_us - start_us > 2 * afl->queue_cur->exec_us)) {
ranges = add_range(ranges, rng->start, rng->start + s / 2);
ranges = add_range(ranges, rng->start + s / 2 + 1, rng->end);
memcpy(buf + rng->start, backup, s);
} else {
needs_write = 1;
}
}
empty_range:
ck_free(rng); ck_free(rng);
rng = NULL; rng = NULL;
++afl->stage_cur; ++afl->stage_cur;
@ -196,6 +203,7 @@ static u8 colorization(afl_state_t *afl, u8 *buf, u32 len, u32 exec_cksum) {
return 0; return 0;
checksum_fail: checksum_fail:
if (rng) ck_free(rng);
ck_free(backup); ck_free(backup);
while (ranges) { while (ranges) {
@ -242,11 +250,11 @@ static u8 cmp_extend_encoding(afl_state_t *afl, struct cmp_header *h,
u64 *buf_64 = (u64 *)&buf[idx]; u64 *buf_64 = (u64 *)&buf[idx];
u32 *buf_32 = (u32 *)&buf[idx]; u32 *buf_32 = (u32 *)&buf[idx];
u16 *buf_16 = (u16 *)&buf[idx]; u16 *buf_16 = (u16 *)&buf[idx];
u8* buf_8 = &buf[idx]; u8 * buf_8 = &buf[idx];
u64 *o_buf_64 = (u64 *)&orig_buf[idx]; u64 *o_buf_64 = (u64 *)&orig_buf[idx];
u32 *o_buf_32 = (u32 *)&orig_buf[idx]; u32 *o_buf_32 = (u32 *)&orig_buf[idx];
u16 *o_buf_16 = (u16 *)&orig_buf[idx]; u16 *o_buf_16 = (u16 *)&orig_buf[idx];
u8* o_buf_8 = &orig_buf[idx]; u8 * o_buf_8 = &orig_buf[idx];
u32 its_len = len - idx; u32 its_len = len - idx;
*status = 0; *status = 0;

14
src/afl-fuzz-stats.c
View File

@ -387,9 +387,9 @@ void show_stats(afl_state_t *afl) {
/* Lord, forgive me this. */ /* Lord, forgive me this. */
SAYF(SET_G1 bSTG bLT bH bSTOP cCYA SAYF(SET_G1 bSTG bLT bH bSTOP cCYA
" process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH bHB bH bSTOP cCYA
" overall results " bSTG bH2 bH2 bRT "\n"); " overall results " bSTG bH2 bH2 bRT "\n");
if (afl->dumb_mode) { if (afl->dumb_mode) {
@ -471,9 +471,9 @@ void show_stats(afl_state_t *afl) {
" uniq hangs : " cRST "%-6s" bSTG bV "\n", " uniq hangs : " cRST "%-6s" bSTG bV "\n",
time_tmp, tmp); time_tmp, tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
" cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA " cycle progress " bSTG bH10 bH5 bH2 bH2 bHB bH bSTOP cCYA
" map coverage " bSTG bH bHT bH20 bH2 bVL "\n"); " map coverage " bSTG bH bHT bH20 bH2 bVL "\n");
/* This gets funny because we want to print several variable-length variables /* This gets funny because we want to print several variable-length variables
together, but then cram them into a fixed-width field - so we need to together, but then cram them into a fixed-width field - so we need to
@ -503,9 +503,9 @@ void show_stats(afl_state_t *afl) {
SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp); SAYF(bSTOP " count coverage : " cRST "%-21s" bSTG bV "\n", tmp);
SAYF(bVR bH bSTOP cCYA SAYF(bVR bH bSTOP cCYA
" stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA " stage progress " bSTG bH10 bH5 bH2 bH2 bX bH bSTOP cCYA
" findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n"); " findings in depth " bSTG bH10 bH5 bH2 bH2 bVL "\n");
sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored), sprintf(tmp, "%s (%0.02f%%)", u_stringify_int(IB(0), afl->queued_favored),
((double)afl->queued_favored) * 100 / afl->queued_paths); ((double)afl->queued_favored) * 100 / afl->queued_paths);
@ -579,7 +579,7 @@ void show_stats(afl_state_t *afl) {
/* Aaaalmost there... hold on! */ /* Aaaalmost there... hold on! */
SAYF(bVR bH cCYA bSTOP SAYF(bVR bH cCYA bSTOP
" fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA " fuzzing strategy yields " bSTG bH10 bHT bH10 bH5 bHB bH bSTOP cCYA
" path geometry " bSTG bH5 bH2 bVL "\n"); " path geometry " bSTG bH5 bH2 bVL "\n");