diff --git a/src/android-ashmem.h b/src/android-ashmem.h
index 4922904..47cb0e1 100644
--- a/src/android-ashmem.h
+++ b/src/android-ashmem.h
@@ -1,82 +1,88 @@
+// 如果是Android平台,且尚未定义_ANDROID_ASHMEM_H,则定义它
 #ifdef __ANDROID__
 #ifndef _ANDROID_ASHMEM_H
 #define _ANDROID_ASHMEM_H
+// 包含所需的头文件
 #include
-#include
+#include // 包含ashmem相关的ioctl操作
 #include
 #include
-#include
+#include // 包含内存映射函数
+// 如果Android API级别大于或等于26(Android 8.0),则使用Bionic的shm*函数
 #if __ANDROID_API__ >= 26
 #define shmat bionic_shmat
 #define shmctl bionic_shmctl
 #define shmdt bionic_shmdt
 #define shmget bionic_shmget
 #endif
-#include
+#include // 包含标准的共享内存函数
 #undef shmat
 #undef shmctl
 #undef shmdt
-#undef shmget
+#undef shmget // 取消对Bionic函数的重定义
 #include
+// 定义ashmem设备的路径
 #define ASHMEM_DEVICE "/dev/ashmem"
-static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
- int ret = 0;
- if (__cmd == IPC_RMID) {
- int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
- struct ashmem_pin pin = {0, length};
- ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
- close(__shmid);
- }
-
- return ret;
+// 定义shmctl函数的封装,用于删除共享内存
+static inline int shmctl(int __shmid, int __cmd, struct shmid_ds* __buf) {
+ int ret = 0;
+ if (__cmd == IPC_RMID) {
+ int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
+ struct ashmem_pin pin = { 0, length };
+ ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
+ close(__shmid);
+ }
+ return ret;
 }
+// 定义shmget函数的封装,用于创建共享内存
 static inline int shmget(key_t __key, size_t __size, int __shmflg) {
- (void) __shmflg;
- int fd, ret;
- char ourkey[11];
+ (void)__shmflg;
+ int fd, ret;
+ char ourkey[11];
- fd = open(ASHMEM_DEVICE, O_RDWR);
- if (fd < 0)
- return fd;
+ fd = open(ASHMEM_DEVICE, O_RDWR);
+ if (fd < 0)
+ return fd;
- sprintf(ourkey, "%d", __key);
- ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
- if (ret < 0)
- goto error;
+ sprintf(ourkey, "%d", __key);
+ ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
+ if (ret < 0)
+ goto error;
- ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
- if (ret < 0)
- goto error;
+ ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
+ if (ret < 0)
+ goto error;
- return fd;
+ return fd;
 error:
- close(fd);
- return ret;
+ close(fd);
+ return ret;
 }
-static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
- (void) __shmflg;
- int size;
- void *ptr;
+// 定义shmat函数的封装,用于将共享内存附加到进程地址空间
+static inline void* shmat(int __shmid, const void* __shmaddr, int __shmflg) {
+ (void)__shmflg;
+ int size;
+ void* ptr;
- size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
- if (size < 0) {
- return NULL;
- }
+ size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
+ if (size < 0) {
+ return NULL;
+ }
- ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
- if (ptr == MAP_FAILED) {
- return NULL;
- }
+ ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
+ if (ptr == MAP_FAILED) {
+ return NULL;
+ }
- return ptr;
+ return ptr;
 }
 #endif /* !_ANDROID_ASHMEM_H */
-#endif /* !__ANDROID__ */
+#endif /* !__ANDROID__ */
\ No newline at end of file
diff --git a/src/config.h b/src/config.h
index 46dd857..892d206 100644
--- a/src/config.h
+++ b/src/config.h
@@ -27,8 +27,7 @@
 #include "types.h"
 /* Version string: */
-
-#define VERSION "2.57b"
+#define VERSION "2.57b" // 定义版本号字符串
 /******************************************************
 * *
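Review bot: `char ourkey[11]` followed by `sprintf(ourkey, "%d", __key)` in the new shmget body is an unbounded write that is one byte short of the worst case: a negative 32-bit key_t such as INT_MIN formats to 11 characters and the terminator makes 12, so the reformat carries an off-by-one stack overflow forward. The usual caller presumably passes IPC_PRIVATE, which makes this latent rather than reachable, but it is a two-line fix: `char ourkey[12];` and `snprintf(ourkey, sizeof ourkey, "%d", (int)__key);`. The new shmctl also still feeds an unchecked `ASHMEM_GET_SIZE` result into `struct ashmem_pin pin = { 0, length }`, so a failing ioctl becomes an unpin of length -1 and the fd is closed regardless; `if (length < 0) { close(__shmid); return length; }` ahead of the pin keeps the error visible. The `#include` targets are not visible in this rendering, so the include-line changes themselves cannot be reviewed here.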
@@ -36,228 +35,196 @@ * * ******************************************************/ -/* Comment out to disable terminal colors (note that this makes afl-analyze - a lot less nice): */ - -#define USE_COLOR + /* Comment out to disable terminal colors (note that this makes afl-analyze + a lot less nice): */ +#define USE_COLOR // 启用终端颜色 -/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ - -#define FANCY_BOXES + /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ +#define FANCY_BOXES // 启用ANSI框绘制 /* Default timeout for fuzzed code (milliseconds). This is the upper bound, also used for detecting hangs; the actual value is auto-scaled: */ +#define EXEC_TIMEOUT 1000 // 默认超时时间(毫秒) -#define EXEC_TIMEOUT 1000 - -/* Timeout rounding factor when auto-scaling (milliseconds): */ - -#define EXEC_TM_ROUND 20 + /* Timeout rounding factor when auto-scaling (milliseconds): */ +#define EXEC_TM_ROUND 20 // 自动缩放时的超时舍入因子(毫秒) /* 64bit arch MACRO */ #if (defined (__x86_64__) || defined (__arm64__) || defined (__aarch64__)) -#define WORD_SIZE_64 1 +#define WORD_SIZE_64 1 // 定义64位架构宏 #endif /* Default memory limit for child process (MB): */ - #ifndef WORD_SIZE_64 -# define MEM_LIMIT 25 +# define MEM_LIMIT 25 // 非64位架构的默认内存限制(MB) #else -# define MEM_LIMIT 50 +# define MEM_LIMIT 50 // 64位架构的默认内存限制(MB) #endif /* ^!WORD_SIZE_64 */ /* Default memory limit when running in QEMU mode (MB): */ - -#define MEM_LIMIT_QEMU 200 +#define MEM_LIMIT_QEMU 200 // QEMU模式下的默认内存限制(MB) /* Number of calibration cycles per every new test case (and for test cases that show variable behavior): */ +#define CAL_CYCLES 8 // 每个新测试用例的校准周期数 +#define CAL_CYCLES_LONG 40 // 长校准周期数 -#define CAL_CYCLES 8 -#define CAL_CYCLES_LONG 40 - -/* Number of subsequent timeouts before abandoning an input file: */ - -#define TMOUT_LIMIT 250 + /* Number of subsequent timeouts before abandoning an input file: */ +#define TMOUT_LIMIT 250 // 超时次数限制 /* Maximum number of unique hangs or crashes to 
record: */ - -#define KEEP_UNIQUE_HANG 500 -#define KEEP_UNIQUE_CRASH 5000 +#define KEEP_UNIQUE_HANG 500 // 最大记录的唯一挂起数 +#define KEEP_UNIQUE_CRASH 5000 // 最大记录的唯一崩溃数 /* Baseline number of random tweaks during a single 'havoc' stage: */ - -#define HAVOC_CYCLES 256 -#define HAVOC_CYCLES_INIT 1024 +#define HAVOC_CYCLES 256 // 'havoc'阶段的随机调整基数 +#define HAVOC_CYCLES_INIT 1024 // 'havoc'阶段的初始随机调整数 /* Maximum multiplier for the above (should be a power of two, beware of 32-bit int overflows): */ +#define HAVOC_MAX_MULT 16 // 'havoc'阶段的最大乘数 -#define HAVOC_MAX_MULT 16 - -/* Absolute minimum number of havoc cycles (after all adjustments): */ - -#define HAVOC_MIN 16 + /* Absolute minimum number of havoc cycles (after all adjustments): */ +#define HAVOC_MIN 16 // 'havoc'阶段的绝对最小周期数 /* Maximum stacking for havoc-stage tweaks. The actual value is calculated - like this: + like this: n = random between 1 and HAVOC_STACK_POW2 stacking = 2^n In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or 128 stacked tweaks: */ +#define HAVOC_STACK_POW2 7 // 'havoc'阶段的最大堆叠指数 -#define HAVOC_STACK_POW2 7 - -/* Caps on block sizes for cloning and deletion operations. Each of these - ranges has a 33% probability of getting picked, except for the first - two cycles where smaller blocks are favored: */ - -#define HAVOC_BLK_SMALL 32 -#define HAVOC_BLK_MEDIUM 128 -#define HAVOC_BLK_LARGE 1500 + /* Caps on block sizes for cloning and deletion operations. 
Each of these + ranges has a 33% probability of getting picked, except for the first + two cycles where smaller blocks are favored: */ +#define HAVOC_BLK_SMALL 32 // 小块大小限制 +#define HAVOC_BLK_MEDIUM 128 // 中块大小限制 +#define HAVOC_BLK_LARGE 1500 // 大块大小限制 -/* Extra-large blocks, selected very rarely (<5% of the time): */ - -#define HAVOC_BLK_XL 32768 + /* Extra-large blocks, selected very rarely (<5% of the time): */ +#define HAVOC_BLK_XL 32768 // 特大块大小限制 /* Probabilities of skipping non-favored entries in the queue, expressed as percentages: */ +#define SKIP_TO_NEW_PROB 99 // 跳过非优先队列项的概率(有新的待处理优先项) +#define SKIP_NFAV_OLD_PROB 95 // 跳过非优先队列项的概率(没有新的优先项,当前项已测试) +#define SKIP_NFAV_NEW_PROB 75 // 跳过非优先队列项的概率(没有新的优先项,当前项未测试) -#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ -#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ -#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ - -/* Splicing cycle count: */ - -#define SPLICE_CYCLES 15 + /* Splicing cycle count: */ +#define SPLICE_CYCLES 15 // 拼接周期数 /* Nominal per-splice havoc cycle length: */ - -#define SPLICE_HAVOC 32 +#define SPLICE_HAVOC 32 // 每次拼接的'havoc'周期长度 /* Maximum offset for integer addition / subtraction stages: */ - -#define ARITH_MAX 35 +#define ARITH_MAX 35 // 整数加减阶段的最大偏移量 /* Limits for the test case trimmer. 
The absolute minimum chunk size; and the starting and ending divisors for chopping up the input file: */ +#define TRIM_MIN_BYTES 4 // 测试用例修剪器的最小块大小 +#define TRIM_START_STEPS 16 // 测试用例修剪器的起始除数 +#define TRIM_END_STEPS 1024 // 测试用例修剪器的结束除数 -#define TRIM_MIN_BYTES 4 -#define TRIM_START_STEPS 16 -#define TRIM_END_STEPS 1024 - -/* Maximum size of input file, in bytes (keep under 100MB): */ - -#define MAX_FILE (1 * 1024 * 1024) + /* Maximum size of input file, in bytes (keep under 100MB): */ +#define MAX_FILE (1 * 1024 * 1024) // 输入文件的最大大小(字节) /* The same, for the test case minimizer: */ - -#define TMIN_MAX_FILE (10 * 1024 * 1024) +#define TMIN_MAX_FILE (10 * 1024 * 1024) // 测试用例最小化器的最大文件大小 /* Block normalization steps for afl-tmin: */ - -#define TMIN_SET_MIN_SIZE 4 -#define TMIN_SET_STEPS 128 +#define TMIN_SET_MIN_SIZE 4 // afl-tmin的块归一化最小大小 +#define TMIN_SET_STEPS 128 // afl-tmin的块归一化步数 /* Maximum dictionary token size (-x), in bytes: */ - -#define MAX_DICT_FILE 128 +#define MAX_DICT_FILE 128 // 最大字典令牌大小(字节) /* Length limits for auto-detected dictionary tokens: */ - -#define MIN_AUTO_EXTRA 3 -#define MAX_AUTO_EXTRA 32 +#define MIN_AUTO_EXTRA 3 // 自动检测的字典令牌的最小长度 +#define MAX_AUTO_EXTRA 32 // 自动检测的字典令牌的最大长度 /* Maximum number of user-specified dictionary tokens to use in deterministic steps; past this point, the "extras/user" step will be still carried out, but with proportionally lower odds: */ +#define MAX_DET_EXTRAS 200 // 最大用户指定字典令牌数 -#define MAX_DET_EXTRAS 200 - -/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing - (first value), and to keep in memory as candidates. The latter should be much - higher than the former. */ - -#define USE_AUTO_EXTRAS 50 -#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) - -/* Scaling factor for the effector map used to skip some of the more - expensive deterministic steps. 
The actual divisor is set to - 2^EFF_MAP_SCALE2 bytes: */ + /* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing + (first value), and to keep in memory as candidates. The latter should be much + higher than the former. */ +#define USE_AUTO_EXTRAS 50 // 实际用于模糊测试的自动提取字典令牌数 +#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) // 内存中候选的自动提取字典令牌数 -#define EFF_MAP_SCALE2 3 + /* Scaling factor for the effector map used to skip some of the more + expensive deterministic steps. The actual divisor is set to + 2^EFF_MAP_SCALE2 bytes: */ +#define EFF_MAP_SCALE2 3 // 效应器映射的缩放因子 -/* Minimum input file length at which the effector logic kicks in: */ - -#define EFF_MIN_LEN 128 + /* Minimum input file length at which the effector logic kicks in: */ +#define EFF_MIN_LEN 128 // 效应器逻辑触发的最小输入文件长度 /* Maximum effector density past which everything is just fuzzed unconditionally (%): */ +#define EFF_MAX_PERC 90 // 最大效应器密度(%) -#define EFF_MAX_PERC 90 - -/* UI refresh frequency (Hz): */ - -#define UI_TARGET_HZ 5 + /* UI refresh frequency (Hz): */ +#define UI_TARGET_HZ 5 // UI刷新频率(Hz) /* Fuzzer stats file and plot update intervals (sec): */ - -#define STATS_UPDATE_SEC 60 -#define PLOT_UPDATE_SEC 5 +#define STATS_UPDATE_SEC 60 // 模糊统计文件更新间隔(秒) +#define PLOT_UPDATE_SEC 5 // 模糊统计图表更新间隔(秒) /* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */ - -#define AVG_SMOOTHING 16 +#define AVG_SMOOTHING 16 // CPU负载和执行速度统计的平滑除数 /* Sync interval (every n havoc cycles): */ - -#define SYNC_INTERVAL 5 +#define SYNC_INTERVAL 5 // 同步间隔(每n个havoc周期) /* Output directory reuse grace period (minutes): */ - -#define OUTPUT_GRACE 25 +#define OUTPUT_GRACE 25 // 输出目录重用宽限期(分钟) /* Uncomment to use simple file names (id_NNNNNN): */ - -// #define SIMPLE_FILES +// #define SIMPLE_FILES // 取消注释以使用简单文件名 /* List of interesting values to use in fuzzing. 
*/
+// 定义一系列有趣的值,用于模糊测试
+/* 定义一组有趣的8位值,用于模糊测试,包括边界值和常见缓冲区大小 */
 #define INTERESTING_8 \
- -128, /* Overflow signed 8-bit when decremented */ \
- -1, /* */ \
- 0, /* */ \
- 1, /* */ \
- 16, /* One-off with common buffer size */ \
- 32, /* One-off with common buffer size */ \
- 64, /* One-off with common buffer size */ \
- 100, /* One-off with common buffer size */ \
- 127 /* Overflow signed 8-bit when incremented */
-
+ -128, /* 减1时溢出的有符号8位值 */ \
+ -1, /* 通用的有趣值 */ \
+ 0, /* 零值,常用于测试 */ \
+ 1, /* 通用的有趣值 */ \
+ 16, /* 常用缓冲区大小的偏移量 */ \
+ 32, /* 常用缓冲区大小的偏移量 */ \
+ 64, /* 常用缓冲区大小的偏移量 */ \
+ 100, /* 常用缓冲区大小的偏移量 */ \
+ 127 /* 加1时溢出的有符号8位值 */
+
+/* 定义一组有趣的16位值,用于模糊测试,包括边界值和常见缓冲区大小 */
 #define INTERESTING_16 \
- -32768, /* Overflow signed 16-bit when decremented */ \
- -129, /* Overflow signed 8-bit */ \
- 128, /* Overflow signed 8-bit */ \
- 255, /* Overflow unsig 8-bit when incremented */ \
- 256, /* Overflow unsig 8-bit */ \
- 512, /* One-off with common buffer size */ \
- 1000, /* One-off with common buffer size */ \
- 1024, /* One-off with common buffer size */ \
- 4096, /* One-off with common buffer size */ \
- 32767 /* Overflow signed 16-bit when incremented */
-
+ -32768, /* 减1时溢出的有符号16位值 */ \
+ -129, /* 溢出的有符号8位值 */ \
+ 128, /* 溢出的有符号8位值 */ \
+ 255, /* 增1时溢出的无符号8位值 */ \
+ 256, /* 溢出的无符号8位值 */ \
+ 512, /* 常用缓冲区大小的偏移量 */ \
+ 1000, /* 常用缓冲区大小的偏移量 */ \
+ 1024, /* 常用缓冲区大小的偏移量 */ \
+ 4096, /* 常用缓冲区大小的偏移量 */ \
+ 32767 /* 加1时溢出的有符号16位值 */
+
+/* 定义一组有趣的32位值,用于模糊测试,包括边界值和大数值 */
 #define INTERESTING_32 \
- -2147483648LL, /* Overflow signed 32-bit when decremented */ \
- -100663046, /* Large negative number (endian-agnostic) */ \
- -32769, /* Overflow signed 16-bit */ \
- 32768, /* Overflow signed 16-bit */ \
- 65535, /* Overflow unsig 16-bit when incremented */ \
- 65536, /* Overflow unsig 16 bit */ \
- 100663045, /* Large positive number (endian-agnostic) */ \
- 2147483647 /* Overflow signed 32-bit when incremented */
+ -2147483648LL, /* 减1时溢出的有符号32位值 */ \
+ -100663046, /* 
大的负数(与字节序无关) */ \ + -32769, /* 溢出的有符号16位值 */ \ + 32768, /* 溢出的有符号16位值 */ \ + 65535, /* 增1时溢出的无符号16位值 */ \ + 65536, /* 溢出的无符号16位值 */ \ + 100663045, /* 大的正数(与字节序无关) */ \ + 2147483647 /* 加1时溢出的有符号32位值 */ /*********************************************************** * * 
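Review bot: The new trailing `//` comments in this hunk are in Chinese while the block comments they sit under stay in English, so every setting is now documented twice in two languages; for a shared header pick one language (English, matching the unchanged parts of the file) and either drop the trailing duplicate or translate the block comment in its place. The block comments re-added with a leading space — ` /* Comment out to disable terminal colors`, ` /* Timeout rounding factor when auto-scaling`, ` /* Number of subsequent timeouts` and the others in the same pattern — now start one column in, unlike the comments around them, and should go back to column 0 as they were. The values themselves are unchanged, so this hunk is comment-only.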
@@ -265,98 +232,66 @@
 * *
 ***********************************************************/
-/* Call count interval between reseeding the libc PRNG from /dev/urandom: */
-
+ /* 定义 libc 伪随机数生成器重新播种的调用计数间隔 */
 #define RESEED_RNG 10000
-/* Maximum line length passed from GCC to 'as' and used for parsing
- configuration files: */
-
+/* 定义从 GCC 传递给 'as' 的最大行长度,并用于解析配置文件 */
 #define MAX_LINE 8192
-/* Environment variable used to pass SHM ID to the called program. */
-
+/* 定义用于传递共享内存ID给被调用程序的环境变量 */
 #define SHM_ENV_VAR "__AFL_SHM_ID"
-/* Other less interesting, internal-only variables. */
-
+/* 定义其他不太有趣,仅内部使用的变量 */
 #define CLANG_ENV_VAR "__AFL_CLANG_MODE"
 #define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
 #define PERSIST_ENV_VAR "__AFL_PERSISTENT"
 #define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
-/* In-code signatures for deferred and persistent mode. */
-
+/* 定义代码中用于延迟和持久模式的签名 */
 #define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
 #define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
-/* Distinctive bitmap signature used to indicate failed execution: */
-
+/* 定义用于表示执行失败的独特位图签名 */
 #define EXEC_FAIL_SIG 0xfee1dead
-/* Distinctive exit code used to indicate MSAN trip condition: */
-
+/* 定义用于表示MSAN(内存sanitizer)触发条件的独特退出代码 */
 #define MSAN_ERROR 86
-/* Designated file descriptors for forkserver commands (the application will
- use FORKSRV_FD and FORKSRV_FD + 1): */
-
+/* 定义用于fork服务器命令的指定文件描述符 */
 #define FORKSRV_FD 198
-/* Fork server init timeout multiplier: we'll wait the user-selected
- timeout plus this much for the fork server to spin up. */
-
+/* 定义fork服务器初始化超时乘数 */
 #define FORK_WAIT_MULT 10
-/* Calibration timeout adjustments, to be a bit more generous when resuming
- fuzzing sessions or trying to calibrate already-added internal finds.
- The first value is a percentage, the other is in milliseconds: */ - +/* 定义校准超时调整,恢复模糊测试会话或校准已添加的内部发现时更加宽松 */ #define CAL_TMOUT_PERC 125 #define CAL_TMOUT_ADD 50 -/* Number of chances to calibrate a case before giving up: */ - +/* 定义校准一个案例前放弃的机会数 */ #define CAL_CHANCES 3 -/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than - 2; you probably want to keep it under 18 or so for performance reasons - (adjusting AFL_INST_RATIO when compiling is probably a better way to solve - problems with complex programs). You need to recompile the target binary - after changing this - otherwise, SEGVs may ensue. */ - +/* 定义跟踪二进制文件的映射大小 */ #define MAP_SIZE_POW2 16 #define MAP_SIZE (1 << MAP_SIZE_POW2) -/* Maximum allocator request size (keep well under INT_MAX): */ - +/* 定义最大分配请求大小 */ #define MAX_ALLOC 0x40000000 -/* A made-up hashing seed: */ - +/* 定义一个虚构的哈希种子 */ #define HASH_CONST 0xa5b35705 -/* Constants for afl-gotcpu to control busy loop timing: */ - +/* 定义 afl-gotcpu 控制忙循环计时的常量 */ #define CTEST_TARGET_MS 5000 #define CTEST_CORE_TRG_MS 1000 #define CTEST_BUSY_CYCLES (10 * 1000 * 1000) -/* Uncomment this to use inferior block-coverage-based instrumentation. Note - that you need to recompile the target binary for this to have any effect: */ - +/* 如果需要使用基于块覆盖的仪器,取消注释此宏 */ // #define COVERAGE_ONLY -/* Uncomment this to ignore hit counts and output just one bit per tuple. - As with the previous setting, you will need to recompile the target - binary: */ - +/* 如果需要忽略命中计数并且每个元组只输出一个位,取消注释此宏 */ // #define SKIP_COUNTS -/* Uncomment this to use instrumentation data to record newly discovered paths, - but do not use them as seeds for fuzzing. This is useful for conveniently - measuring coverage that could be attained by a "dumb" fuzzing algorithm: */ - +/* 如果需要使用仪器数据记录新发现的路径,但不使用它们作为模糊测试的种子,取消注释此宏 */ // #define IGNORE_FINDS -#endif /* ! _HAVE_CONFIG_H */ +#endif /* ! _HAVE_CONFIG_H */ \ No newline at end of file
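Review bot: The replacement comments in this hunk drop operational caveats the English originals carried: the MAP_SIZE_POW2 warning that the target binary must be recompiled after changing it, otherwise SEGVs may ensue, is gone, and so are "keep well under INT_MAX" on MAX_ALLOC, "the application will use FORKSRV_FD and FORKSRV_FD + 1" on FORKSRV_FD, "the first value is a percentage, the other is in milliseconds" on CAL_TMOUT_PERC/CAL_TMOUT_ADD, and the recompile warnings on COVERAGE_ONLY and SKIP_COUNTS. The MAP_SIZE one matters most, since the old SEGV warning implies the map size is baked into instrumented targets and a silent mismatch is a memory-safety problem rather than a cosmetic one; the comment should keep it, e.g. `/* Map size for the traced binary (2^MAP_SIZE_POW2). Recompile the target after changing this - otherwise, SEGVs may ensue. */`. Either leave the original English text alongside the translation or carry every caveat into the translated comment; a translation that only restates the macro name loses the reason the comment existed.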