From f610f538383418091542af28c611438ae3a3bbb7 Mon Sep 17 00:00:00 2001
From: Kuang-che Wu
Date: Sat, 24 May 2025 22:28:26 +0800
Subject: [PATCH 1/3] remove redundent code
these field are already copied in afl_fsrv_init_dup
---
 src/afl-fuzz.c | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index f83e5480..3b47369a 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2633,7 +2633,6 @@ int main(int argc, char **argv_orig, char **envp) {
 */
 afl->san_fsrvs[i].trace_bits = ck_alloc(
 afl->fsrv.map_size + 8); /* One more u64 according to afl_shm_init*/
- afl->san_fsrvs[i].map_size = afl->fsrv.map_size;
 afl->san_fsrvs[i].san_but_not_instrumented = 1;
 afl->san_fsrvs[i].cs_mode = afl->fsrv.cs_mode;
@@ -2643,10 +2642,6 @@ int main(int argc, char **argv_orig, char **envp) {
 afl->san_fsrvs[i].target_path = afl->san_binary[i];
 afl->san_fsrvs[i].init_child_func = sanfuzz_exec_child;
- afl->san_fsrvs[i].child_kill_signal =
- afl->fsrv.child_kill_signal; // I believe cmplog also needs this.
- afl->san_fsrvs[i].fsrv_kill_signal = afl->fsrv.fsrv_kill_signal;
-
 if ((map_size <= DEFAULT_SHMEM_SIZE || afl->san_fsrvs[i].map_size < map_size) && !afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
From 8090c82c6399cb7ad98abb84eca822f885544fbb Mon Sep 17 00:00:00 2001
From: Kuang-che Wu
Date: Sat, 24 May 2025 23:36:54 +0800
Subject: [PATCH 2/3] fix resize afl->top_rated
---
 src/afl-fuzz.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 3b47369a..835506b5 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -2513,7 +2513,8 @@ int main(int argc, char **argv_orig, char **envp) {
 if (old_map_size < map_size) {
 memset(afl->var_bytes + old_map_size, 0, map_size - old_map_size);
- memset(afl->top_rated + old_map_size, 0, map_size - old_map_size);
+ memset(afl->top_rated + old_map_size * sizeof(void *), 0,
+ (map_size - old_map_size) * sizeof(void *));
 memset(afl->clean_trace + old_map_size, 0, map_size - old_map_size);
 memset(afl->clean_trace_custom + old_map_size, 0,
 map_size - old_map_size);
@@ -2565,7 +2566,8 @@ int main(int argc, char **argv_orig, char **envp) {
 if (old_map_size < new_map_size) {
 memset(afl->var_bytes + old_map_size, 0, new_map_size - old_map_size);
- memset(afl->top_rated + old_map_size, 0, new_map_size - old_map_size);
+ memset(afl->top_rated + old_map_size * sizeof(void *), 0,
+ (new_map_size - old_map_size) * sizeof(void *));
 memset(afl->clean_trace + old_map_size, 0, new_map_size - old_map_size);
 memset(afl->clean_trace_custom + old_map_size, 0,
 new_map_size - old_map_size);
@@ -2758,7 +2760,8 @@ int main(int argc, char **argv_orig, char **envp) {
 if (old_map_size < new_map_size) {
 memset(afl->var_bytes + old_map_size, 0, new_map_size - old_map_size);
- memset(afl->top_rated + old_map_size, 0, new_map_size - old_map_size);
+ memset(afl->top_rated + old_map_size * sizeof(void *), 0,
+ (new_map_size - old_map_size) * sizeof(void *));
 memset(afl->clean_trace + old_map_size, 0, new_map_size - old_map_size);
 memset(afl->clean_trace_custom + old_map_size, 0,
 new_map_size - old_map_size);
From 2e7f191f3bfcdc36bd45eb5cacaa16f06e30401c Mon Sep 17 00:00:00 2001
From: Kuang-che Wu
Date: Sat, 24 May 2025 23:50:33 +0800
Subject: [PATCH 3/3] extract function to resize map buffers
---
 include/afl-fuzz.h | 1 +
 src/afl-fuzz-state.c | 28 ++++++++++++++
 src/afl-fuzz.c | 91 ++------------------------------------------
 3 files changed, 33 insertions(+), 87 deletions(-)
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index c1e6e0c8..60cc896b 100644
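Review bot: The new offset `afl->top_rated + old_map_size * sizeof(void *)` is wrong if `top_rated` is declared as an array of pointers rather than a byte buffer, which the `ck_realloc(afl->top_rated, new_map_size * sizeof(void *))` sizing elsewhere in this series strongly suggests: pointer arithmetic already scales by the element size, so the memset begins `sizeof(void *)` times too far into the array and the zeroing runs well past the end of the allocation, an out-of-bounds heap write instead of the fix the patch intends. Only the length needed the `sizeof(void *)` factor; the offset should stay in elements, `memset(afl->top_rated + old_map_size, 0, (map_size - old_map_size) * sizeof(void *));`. The same pattern is repeated in the other two hunks of this patch and carried into `afl_resize_map_buffers` in src/afl-fuzz-state.c (patch 3/3), which should likewise use `afl->top_rated + old_size`. The enclosing `main()` starts and ends outside the hunk.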
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -1140,6 +1140,7 @@ struct custom_mutator {
 void afl_state_init(afl_state_t *, uint32_t map_size);
 void afl_state_deinit(afl_state_t *);
+void afl_resize_map_buffers(afl_state_t *, u32 old_size, u32 new_size);
 /* Set stop_soon flag on all children, kill all children */
 void afl_states_stop(void);
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index 67a3f31d..f1a94910 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -148,6 +148,34 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
 }
+void afl_resize_map_buffers(afl_state_t *afl, u32 old_size, u32 new_size) {
+ afl->virgin_bits = ck_realloc(afl->virgin_bits, new_size);
+ afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_size);
+ afl->virgin_crash = ck_realloc(afl->virgin_crash, new_size);
+ afl->var_bytes = ck_realloc(afl->var_bytes, new_size);
+ afl->top_rated = ck_realloc(afl->top_rated, new_size * sizeof(void *));
+ afl->clean_trace = ck_realloc(afl->clean_trace, new_size);
+ afl->clean_trace_custom = ck_realloc(afl->clean_trace_custom, new_size);
+ afl->first_trace = ck_realloc(afl->first_trace, new_size);
+ afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_size);
+
+ if (old_size < new_size) {
+
+ u32 size_diff = new_size - old_size;
+
+ memset(afl->var_bytes + old_size, 0, size_diff);
+ memset(afl->top_rated + old_size * sizeof(void *), 0,
+ size_diff * sizeof(void *));
+ memset(afl->clean_trace + old_size, 0, size_diff);
+ memset(afl->clean_trace_custom + old_size, 0, size_diff);
+ memset(afl->first_trace + old_size, 0, size_diff);
+ memset(afl->map_tmp_buf + old_size, 0, size_diff);
+
+ }
+
+}
+
 /*This sets up the environment variables for afl-fuzz into the afl_state
 * struct*/
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 835506b5..ae203349 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
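Review bot: The new prototype has no comment while its neighbours do (compare `/* Set stop_soon flag on all children, kill all children */` two lines below), and it types the sizes as `u32` where `afl_state_init` on the line above uses `uint32_t`. I would add above it `/* Re-allocate every per-map-byte buffer of afl_state to new_size bytes and zero the newly grown tail; virgin_* are resized but not re-initialized here */` and use the same width type as the adjacent declaration.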
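Review bot: `afl_resize_map_buffers` grows `virgin_bits`, `virgin_tmout` and `virgin_crash` but, unlike the other six buffers, does not touch their new tail, and nothing at the definition says whether that asymmetry is deliberate; presumably the callers re-initialize the virgin maps afterwards, which is worth confirming and stating. A short block comment above the function should describe the contract: all buffers become `new_size` bytes (`top_rated` one pointer per map byte), the trace/tmp buffers are zeroed from `old_size` upward when the map grows, and the virgin maps are left to the caller. A reader should not have to diff this against the four former call sites in src/afl-fuzz.c to learn that.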
@@ -2498,30 +2498,8 @@ int main(int argc, char **argv_orig, char **envp) {
 if (afl->non_instrumented_mode || afl->fsrv.qemu_mode || afl->fsrv.frida_mode || afl->fsrv.cs_mode || afl->unicorn_mode) {
- u32 old_map_size = map_size;
 map_size = afl->fsrv.real_map_size = afl->fsrv.map_size = MAP_SIZE;
- afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size);
- afl->virgin_tmout = ck_realloc(afl->virgin_tmout, map_size);
- afl->virgin_crash = ck_realloc(afl->virgin_crash, map_size);
- afl->var_bytes = ck_realloc(afl->var_bytes, map_size);
- afl->top_rated = ck_realloc(afl->top_rated, map_size * sizeof(void *));
- afl->clean_trace = ck_realloc(afl->clean_trace, map_size);
- afl->clean_trace_custom = ck_realloc(afl->clean_trace_custom, map_size);
- afl->first_trace = ck_realloc(afl->first_trace, map_size);
- afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, map_size);
-
- if (old_map_size < map_size) {
-
- memset(afl->var_bytes + old_map_size, 0, map_size - old_map_size);
- memset(afl->top_rated + old_map_size * sizeof(void *), 0,
- (map_size - old_map_size) * sizeof(void *));
- memset(afl->clean_trace + old_map_size, 0, map_size - old_map_size);
- memset(afl->clean_trace_custom + old_map_size, 0,
- map_size - old_map_size);
- memset(afl->first_trace + old_map_size, 0, map_size - old_map_size);
- memset(afl->map_tmp_buf + old_map_size, 0, map_size - old_map_size);
-
- }
+ afl_resize_map_buffers(afl, map_size, MAP_SIZE);
 }
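Review bot: `afl_resize_map_buffers(afl, map_size, MAP_SIZE)` runs after the surviving context line `map_size = afl->fsrv.real_map_size = afl->fsrv.map_size = MAP_SIZE;`, so old_size and new_size are both MAP_SIZE, the `old_size < new_size` branch inside the helper never executes, and the grown tail of var_bytes, top_rated, clean_trace, clean_trace_custom, first_trace and map_tmp_buf is no longer zeroed (unless ck_realloc zero-fills, which the explicit memsets being deleted suggest it does not). The removed `u32 old_map_size = map_size;` captured the previous size before that assignment for exactly this reason, so the extraction silently drops the zeroing on this path. Move the call above the assignment: `afl_resize_map_buffers(afl, map_size, MAP_SIZE);` followed by `map_size = afl->fsrv.real_map_size = afl->fsrv.map_size = MAP_SIZE;`. The enclosing `main()` starts and ends outside the hunk.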
@@ -2549,32 +2527,7 @@ int main(int argc, char **argv_orig, char **envp) {
 if (map_size < new_map_size) {
 OKF("Re-initializing maps to %u bytes", new_map_size);
-
- u32 old_map_size = map_size;
- afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size);
- afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size);
- afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size);
- afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size);
- afl->top_rated =
- ck_realloc(afl->top_rated, new_map_size * sizeof(void *));
- afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size);
- afl->clean_trace_custom =
- ck_realloc(afl->clean_trace_custom, new_map_size);
- afl->first_trace = ck_realloc(afl->first_trace, new_map_size);
- afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size);
-
- if (old_map_size < new_map_size) {
-
- memset(afl->var_bytes + old_map_size, 0, new_map_size - old_map_size);
- memset(afl->top_rated + old_map_size * sizeof(void *), 0,
- (new_map_size - old_map_size) * sizeof(void *));
- memset(afl->clean_trace + old_map_size, 0, new_map_size - old_map_size);
- memset(afl->clean_trace_custom + old_map_size, 0,
- new_map_size - old_map_size);
- memset(afl->first_trace + old_map_size, 0, new_map_size - old_map_size);
- memset(afl->map_tmp_buf + old_map_size, 0, new_map_size - old_map_size);
-
- }
+ afl_resize_map_buffers(afl, map_size, new_map_size);
 afl_fsrv_kill(&afl->fsrv);
 afl_shm_deinit(&afl->shm);
@@ -2666,18 +2619,7 @@ int main(int argc, char **argv_orig, char **envp) {
 OKF("Re-initializing maps to %u bytes due to SAN instrumented binary", new_map_size);
-
- afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size);
- afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size);
- afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size);
- afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size);
- afl->top_rated =
- ck_realloc(afl->top_rated, new_map_size * sizeof(void *));
- afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size);
- afl->clean_trace_custom =
- ck_realloc(afl->clean_trace_custom, new_map_size);
- afl->first_trace = ck_realloc(afl->first_trace, new_map_size);
- afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size);
+ afl_resize_map_buffers(afl, map_size, new_map_size);
 afl_fsrv_kill(&afl->fsrv);
 afl_fsrv_kill(&afl->san_fsrvs[i]);
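Review bot: On this path the helper call is not a pure extraction: the deleted block only reallocated the nine buffers, whereas `afl_resize_map_buffers` additionally zeroes the bytes from `map_size` to `new_map_size` in var_bytes, top_rated, clean_trace, clean_trace_custom, first_trace and map_tmp_buf, so the SAN re-initialization now clears a region it previously left with whatever realloc returned. That is very likely the intended behaviour, but a commit described as "extract function to resize map buffers" should say so in its message. The `if` that establishes `map_size` as the old size here is outside the hunk, so please also confirm `map_size` has not been updated to `new_map_size` before this line. The enclosing `main()` starts and ends outside the hunk.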
@@ -2743,32 +2685,7 @@ int main(int argc, char **argv_orig, char **envp) {
 if (map_size < new_map_size) {
 OKF("Re-initializing maps to %u bytes due cmplog", new_map_size);
-
- u32 old_map_size = map_size;
- afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size);
- afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size);
- afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size);
- afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size);
- afl->top_rated =
- ck_realloc(afl->top_rated, new_map_size * sizeof(void *));
- afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size);
- afl->clean_trace_custom =
- ck_realloc(afl->clean_trace_custom, new_map_size);
- afl->first_trace = ck_realloc(afl->first_trace, new_map_size);
- afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size);
-
- if (old_map_size < new_map_size) {
-
- memset(afl->var_bytes + old_map_size, 0, new_map_size - old_map_size);
- memset(afl->top_rated + old_map_size * sizeof(void *), 0,
- (new_map_size - old_map_size) * sizeof(void *));
- memset(afl->clean_trace + old_map_size, 0, new_map_size - old_map_size);
- memset(afl->clean_trace_custom + old_map_size, 0,
- new_map_size - old_map_size);
- memset(afl->first_trace + old_map_size, 0, new_map_size - old_map_size);
- memset(afl->map_tmp_buf + old_map_size, 0, new_map_size - old_map_size);
-
- }
+ afl_resize_map_buffers(afl, map_size, new_map_size);
 afl_fsrv_kill(&afl->fsrv);
 afl_fsrv_kill(&afl->cmplog_fsrv);