van Hauser
2020-08-09 21:09:07 +02:00
parent e99d7e9730
commit ff40359a60
3 changed files with 28 additions and 18 deletions


@ -961,6 +961,7 @@ void perform_dry_run(afl_state_t *afl) {
}
/* perform taint gathering on the input seed */
if (afl->fsrv.taint_mode)
perform_taint_run(afl, q, q->fname, use_mem, q->len);
q = q->next;
@ -1505,6 +1506,11 @@ static void handle_existing_out_dir(afl_state_t *afl) {
fn = alloc_printf("%s/taint", afl->out_dir);
mkdir(fn, 0755); // ignore errors
u8 *fn2 = alloc_printf("%s/taint/.input", afl->out_dir);
unlink(fn2); // ignore errors
ck_free(fn2);
if (delete_files(fn, CASE_PREFIX)) { goto dir_cleanup_failed; }
ck_free(fn);
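Review bot: The new `unlink(fn2)` in handle_existing_out_dir ignores every failure, so a leftover `taint/.input` that cannot be removed (for example on EACCES) survives a resume, while the `delete_files(fn, CASE_PREFIX)` call right below treats the analogous failure as fatal; consider `if (unlink(fn2) && errno != ENOENT) { ck_free(fn2); goto dir_cleanup_failed; }` so the two cleanup steps agree, or extend the `// ignore errors` comment with why a stale `.input` is harmless. In the perform_dry_run hunk the added `if (afl->fsrv.taint_mode)` leaves its single-statement body unbraced, unlike the braced `if (...) { goto dir_cleanup_failed; }` form used in the same file; `if (afl->fsrv.taint_mode) { perform_taint_run(afl, q, q->fname, use_mem, q->len); }` would match. Both enclosing functions start and end outside the visible hunks.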


@ -458,26 +458,31 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
if (unlikely(afl->fsrv.taint_mode && (afl->queue_cycle % 3))) {
u32 tmp_val;
if (unlikely(afl->fsrv.taint_mode &&
(tmp_val = (afl->queue_cycle % 3)) != 1)) {
if (unlikely(afl->queue_cur->cal_failed)) goto abandon_entry;
if (tmp_val == 1 && !afl->queue_cur->taint_bytes_all) goto abandon_entry;
if (tmp_val == 2 && !afl->queue_cur->taint_bytes_new) goto abandon_entry;
u32 dst = 0, i;
temp_len = len = afl->queue_cur->len;
fd = open(afl->queue_cur->fname, O_RDONLY);
afl->taint_src = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
if (fd < 0 || (size_t)afl->taint_src == -1)
FATAL("unable to open '%s'", afl->queue_cur->fname);
close(fd);
afl->taint_needs_splode = 1;
switch (afl->queue_cycle % 3) {
switch (tmp_val) {
case 0: // do nothing, but cannot happen -> else
case 1: // do nothing, but cannot happen -> else
break;
case 1: // fuzz only tainted bytes
if (!afl->queue_cur->taint_bytes_all) goto abandon_entry;
afl->taint_needs_splode = 1;
case 2: // fuzz only tainted bytes
fd = open(afl->taint_input_file, O_RDONLY);
len = afl->taint_len = afl->queue_cur->taint_bytes_all;
@ -499,9 +504,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
break;
case 2: // fuzz only newly tainted bytes
if (!afl->queue_cur->taint_bytes_new) goto abandon_entry;
afl->taint_needs_splode = 1;
case 0: // fuzz only newly tainted bytes
fd = open(afl->taint_input_file, O_RDONLY);
len = afl->taint_len = afl->queue_cur->taint_bytes_new;
@ -515,7 +518,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
fd = open(fn, O_RDWR);
afl->taint_map = mmap(0, afl->queue_cur->len, PROT_READ | PROT_WRITE,
MAP_PRIVATE, fd, 0);
if (fd < 0 || (size_t)in_buf == -1) FATAL("unable to open '%s'", fn);
if (fd < 0 || (size_t)in_buf == -1)
FATAL("unable to open '%s' for %u bytes", fn, len);
close(fd);
ck_free(fn);
@ -526,8 +530,6 @@ u8 fuzz_one_original(afl_state_t *afl) {
}
goto havoc_stage; // we let the normal cycles do deterministic mode - if
} else {
/* Map the test case into memory. */
@ -653,6 +655,8 @@ u8 fuzz_one_original(afl_state_t *afl) {
if it has gone through deterministic testing in earlier, resumed runs
(passed_det). */
if (afl->taint_needs_splode) goto havoc_stage;
if (likely(afl->queue_cur->passed_det) || likely(afl->skip_deterministic) ||
likely(perf_score <
(afl->queue_cur->depth * 30 <= afl->havoc_max_mult * 100
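Review bot: The hoisted guards in fuzz_one_original no longer match the switch cases they protect: `tmp_val == 1` is excluded by the enclosing `!= 1` condition, so the `taint_bytes_all` guard is unreachable, while `case 2` (which sets `len = afl->taint_len = afl->queue_cur->taint_bytes_all`) is guarded by `taint_bytes_new` and `case 0` (which uses `taint_bytes_new`) has no guard at all. With `taint_bytes_all == 0` on a cycle where `tmp_val == 2` the entry is therefore no longer abandoned and the taint path continues with a zero-length region; the guards should read `if (tmp_val == 2 && !afl->queue_cur->taint_bytes_all) goto abandon_entry;` and `if (tmp_val == 0 && !afl->queue_cur->taint_bytes_new) goto abandon_entry;` (or, if the old 1→all / 2→new mapping was intended, the case labels are what needs reverting). In the third hunk the check after `afl->taint_map = mmap(...)` still tests `(size_t)in_buf == -1`, so a failed mapping of the taint map is not caught unless in_buf aliases it, which the visible lines do not show; `(size_t)afl->taint_map == -1` is what the FATAL message describes, and that message prints `len` although the mapping length is `afl->queue_cur->len`. fuzz_one_original starts and ends outside these hunks.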


@ -118,6 +118,9 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
if (q->fname_taint) {
u8 *save = ck_maybe_grow(BUF_PARAMS(out_scratch), afl->fsrv.map_size);
memcpy(save, afl->taint_fsrv.trace_bits, afl->fsrv.map_size);
afl->taint_fsrv.map_size = plen; // speed :)
write_to_testcase(afl, mem, len);
if (afl_fsrv_run_target(&afl->taint_fsrv, afl->fsrv.exec_tmout,
@ -214,6 +217,8 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
}
memcpy(afl->taint_fsrv.trace_bits, save, afl->fsrv.map_size);
}
if (!bytes) {
@ -227,11 +232,6 @@ void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
}
} else {
if (q->taint_bytes_all && !q->taint_bytes_new)
q->taint_bytes_new = q->taint_bytes_all;
}
}
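Review bot: `save` in perform_taint_run points into the shared `out_scratch` buffer returned by `ck_maybe_grow`, so the restoring `memcpy(afl->taint_fsrv.trace_bits, save, afl->fsrv.map_size)` in the second hunk is only safe if nothing executed between the two hunks (the `write_to_testcase` / `afl_fsrv_run_target` path and whatever follows, which lies outside the visible lines) grows `out_scratch` again; if it does, `save` dangles and the restore reads freed memory. If that buffer can be touched in between, take the snapshot with `ck_alloc(afl->fsrv.map_size)` and `ck_free` it after the restore; otherwise a one-line comment such as `// out_scratch is not grown again until the restore below` would document the invariant. Note also that snapshot and restore use `afl->fsrv.map_size` while `afl->taint_fsrv.map_size` is set to `plen` in between, which relies on `taint_fsrv.trace_bits` having been allocated for the full `afl->fsrv.map_size`. The enclosing function starts before the first hunk and ends past the last.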