parent
a1b98e3773
commit
e039455018
@ -1,28 +1,28 @@
|
|||||||
# How to Contribute
|
# How to Contribute
|
||||||
|
|
||||||
We'd love to accept your patches and contributions to this project. There are
|
We'd love to accept your patches and contributions to this project. There are
|
||||||
just a few small guidelines you need to follow.
|
just a few small guidelines you need to follow.
|
||||||
|
|
||||||
## Contributor License Agreement
|
## Contributor License Agreement
|
||||||
|
|
||||||
Contributions to this project must be accompanied by a Contributor License
|
Contributions to this project must be accompanied by a Contributor License
|
||||||
Agreement. You (or your employer) retain the copyright to your contribution;
|
Agreement. You (or your employer) retain the copyright to your contribution;
|
||||||
this simply gives us permission to use and redistribute your contributions as
|
this simply gives us permission to use and redistribute your contributions as
|
||||||
part of the project. Head over to <https://cla.developers.google.com/> to see
|
part of the project. Head over to <https://cla.developers.google.com/> to see
|
||||||
your current agreements on file or to sign a new one.
|
your current agreements on file or to sign a new one.
|
||||||
|
|
||||||
You generally only need to submit a CLA once, so if you've already submitted one
|
You generally only need to submit a CLA once, so if you've already submitted one
|
||||||
(even if it was for a different project), you probably don't need to do it
|
(even if it was for a different project), you probably don't need to do it
|
||||||
again.
|
again.
|
||||||
|
|
||||||
## Code reviews
|
## Code reviews
|
||||||
|
|
||||||
All submissions, including submissions by project members, require review. We
|
All submissions, including submissions by project members, require review. We
|
||||||
use GitHub pull requests for this purpose. Consult
|
use GitHub pull requests for this purpose. Consult
|
||||||
[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
|
[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
|
||||||
information on using pull requests.
|
information on using pull requests.
|
||||||
|
|
||||||
## Community Guidelines
|
## Community Guidelines
|
||||||
|
|
||||||
This project follows [Google's Open Source Community
|
This project follows [Google's Open Source Community
|
||||||
Guidelines](https://opensource.google.com/conduct/).
|
Guidelines](https://opensource.google.com/conduct/).
|
||||||
|
@ -1,202 +1,202 @@
|
|||||||
|
|
||||||
Apache License
|
Apache License
|
||||||
Version 2.0, January 2004
|
Version 2.0, January 2004
|
||||||
http://www.apache.org/licenses/
|
http://www.apache.org/licenses/
|
||||||
|
|
||||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||||
|
|
||||||
1. Definitions.
|
1. Definitions.
|
||||||
|
|
||||||
"License" shall mean the terms and conditions for use, reproduction,
|
"License" shall mean the terms and conditions for use, reproduction,
|
||||||
and distribution as defined by Sections 1 through 9 of this document.
|
and distribution as defined by Sections 1 through 9 of this document.
|
||||||
|
|
||||||
"Licensor" shall mean the copyright owner or entity authorized by
|
"Licensor" shall mean the copyright owner or entity authorized by
|
||||||
the copyright owner that is granting the License.
|
the copyright owner that is granting the License.
|
||||||
|
|
||||||
"Legal Entity" shall mean the union of the acting entity and all
|
"Legal Entity" shall mean the union of the acting entity and all
|
||||||
other entities that control, are controlled by, or are under common
|
other entities that control, are controlled by, or are under common
|
||||||
control with that entity. For the purposes of this definition,
|
control with that entity. For the purposes of this definition,
|
||||||
"control" means (i) the power, direct or indirect, to cause the
|
"control" means (i) the power, direct or indirect, to cause the
|
||||||
direction or management of such entity, whether by contract or
|
direction or management of such entity, whether by contract or
|
||||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||||
|
|
||||||
"You" (or "Your") shall mean an individual or Legal Entity
|
"You" (or "Your") shall mean an individual or Legal Entity
|
||||||
exercising permissions granted by this License.
|
exercising permissions granted by this License.
|
||||||
|
|
||||||
"Source" form shall mean the preferred form for making modifications,
|
"Source" form shall mean the preferred form for making modifications,
|
||||||
including but not limited to software source code, documentation
|
including but not limited to software source code, documentation
|
||||||
source, and configuration files.
|
source, and configuration files.
|
||||||
|
|
||||||
"Object" form shall mean any form resulting from mechanical
|
"Object" form shall mean any form resulting from mechanical
|
||||||
transformation or translation of a Source form, including but
|
transformation or translation of a Source form, including but
|
||||||
not limited to compiled object code, generated documentation,
|
not limited to compiled object code, generated documentation,
|
||||||
and conversions to other media types.
|
and conversions to other media types.
|
||||||
|
|
||||||
"Work" shall mean the work of authorship, whether in Source or
|
"Work" shall mean the work of authorship, whether in Source or
|
||||||
Object form, made available under the License, as indicated by a
|
Object form, made available under the License, as indicated by a
|
||||||
copyright notice that is included in or attached to the work
|
copyright notice that is included in or attached to the work
|
||||||
(an example is provided in the Appendix below).
|
(an example is provided in the Appendix below).
|
||||||
|
|
||||||
"Derivative Works" shall mean any work, whether in Source or Object
|
"Derivative Works" shall mean any work, whether in Source or Object
|
||||||
form, that is based on (or derived from) the Work and for which the
|
form, that is based on (or derived from) the Work and for which the
|
||||||
editorial revisions, annotations, elaborations, or other modifications
|
editorial revisions, annotations, elaborations, or other modifications
|
||||||
represent, as a whole, an original work of authorship. For the purposes
|
represent, as a whole, an original work of authorship. For the purposes
|
||||||
of this License, Derivative Works shall not include works that remain
|
of this License, Derivative Works shall not include works that remain
|
||||||
separable from, or merely link (or bind by name) to the interfaces of,
|
separable from, or merely link (or bind by name) to the interfaces of,
|
||||||
the Work and Derivative Works thereof.
|
the Work and Derivative Works thereof.
|
||||||
|
|
||||||
"Contribution" shall mean any work of authorship, including
|
"Contribution" shall mean any work of authorship, including
|
||||||
the original version of the Work and any modifications or additions
|
the original version of the Work and any modifications or additions
|
||||||
to that Work or Derivative Works thereof, that is intentionally
|
to that Work or Derivative Works thereof, that is intentionally
|
||||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||||
or by an individual or Legal Entity authorized to submit on behalf of
|
or by an individual or Legal Entity authorized to submit on behalf of
|
||||||
the copyright owner. For the purposes of this definition, "submitted"
|
the copyright owner. For the purposes of this definition, "submitted"
|
||||||
means any form of electronic, verbal, or written communication sent
|
means any form of electronic, verbal, or written communication sent
|
||||||
to the Licensor or its representatives, including but not limited to
|
to the Licensor or its representatives, including but not limited to
|
||||||
communication on electronic mailing lists, source code control systems,
|
communication on electronic mailing lists, source code control systems,
|
||||||
and issue tracking systems that are managed by, or on behalf of, the
|
and issue tracking systems that are managed by, or on behalf of, the
|
||||||
Licensor for the purpose of discussing and improving the Work, but
|
Licensor for the purpose of discussing and improving the Work, but
|
||||||
excluding communication that is conspicuously marked or otherwise
|
excluding communication that is conspicuously marked or otherwise
|
||||||
designated in writing by the copyright owner as "Not a Contribution."
|
designated in writing by the copyright owner as "Not a Contribution."
|
||||||
|
|
||||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||||
on behalf of whom a Contribution has been received by Licensor and
|
on behalf of whom a Contribution has been received by Licensor and
|
||||||
subsequently incorporated within the Work.
|
subsequently incorporated within the Work.
|
||||||
|
|
||||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||||
this License, each Contributor hereby grants to You a perpetual,
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
copyright license to reproduce, prepare Derivative Works of,
|
copyright license to reproduce, prepare Derivative Works of,
|
||||||
publicly display, publicly perform, sublicense, and distribute the
|
publicly display, publicly perform, sublicense, and distribute the
|
||||||
Work and such Derivative Works in Source or Object form.
|
Work and such Derivative Works in Source or Object form.
|
||||||
|
|
||||||
3. Grant of Patent License. Subject to the terms and conditions of
|
3. Grant of Patent License. Subject to the terms and conditions of
|
||||||
this License, each Contributor hereby grants to You a perpetual,
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
(except as stated in this section) patent license to make, have made,
|
(except as stated in this section) patent license to make, have made,
|
||||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||||
where such license applies only to those patent claims licensable
|
where such license applies only to those patent claims licensable
|
||||||
by such Contributor that are necessarily infringed by their
|
by such Contributor that are necessarily infringed by their
|
||||||
Contribution(s) alone or by combination of their Contribution(s)
|
Contribution(s) alone or by combination of their Contribution(s)
|
||||||
with the Work to which such Contribution(s) was submitted. If You
|
with the Work to which such Contribution(s) was submitted. If You
|
||||||
institute patent litigation against any entity (including a
|
institute patent litigation against any entity (including a
|
||||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||||
or a Contribution incorporated within the Work constitutes direct
|
or a Contribution incorporated within the Work constitutes direct
|
||||||
or contributory patent infringement, then any patent licenses
|
or contributory patent infringement, then any patent licenses
|
||||||
granted to You under this License for that Work shall terminate
|
granted to You under this License for that Work shall terminate
|
||||||
as of the date such litigation is filed.
|
as of the date such litigation is filed.
|
||||||
|
|
||||||
4. Redistribution. You may reproduce and distribute copies of the
|
4. Redistribution. You may reproduce and distribute copies of the
|
||||||
Work or Derivative Works thereof in any medium, with or without
|
Work or Derivative Works thereof in any medium, with or without
|
||||||
modifications, and in Source or Object form, provided that You
|
modifications, and in Source or Object form, provided that You
|
||||||
meet the following conditions:
|
meet the following conditions:
|
||||||
|
|
||||||
(a) You must give any other recipients of the Work or
|
(a) You must give any other recipients of the Work or
|
||||||
Derivative Works a copy of this License; and
|
Derivative Works a copy of this License; and
|
||||||
|
|
||||||
(b) You must cause any modified files to carry prominent notices
|
(b) You must cause any modified files to carry prominent notices
|
||||||
stating that You changed the files; and
|
stating that You changed the files; and
|
||||||
|
|
||||||
(c) You must retain, in the Source form of any Derivative Works
|
(c) You must retain, in the Source form of any Derivative Works
|
||||||
that You distribute, all copyright, patent, trademark, and
|
that You distribute, all copyright, patent, trademark, and
|
||||||
attribution notices from the Source form of the Work,
|
attribution notices from the Source form of the Work,
|
||||||
excluding those notices that do not pertain to any part of
|
excluding those notices that do not pertain to any part of
|
||||||
the Derivative Works; and
|
the Derivative Works; and
|
||||||
|
|
||||||
(d) If the Work includes a "NOTICE" text file as part of its
|
(d) If the Work includes a "NOTICE" text file as part of its
|
||||||
distribution, then any Derivative Works that You distribute must
|
distribution, then any Derivative Works that You distribute must
|
||||||
include a readable copy of the attribution notices contained
|
include a readable copy of the attribution notices contained
|
||||||
within such NOTICE file, excluding those notices that do not
|
within such NOTICE file, excluding those notices that do not
|
||||||
pertain to any part of the Derivative Works, in at least one
|
pertain to any part of the Derivative Works, in at least one
|
||||||
of the following places: within a NOTICE text file distributed
|
of the following places: within a NOTICE text file distributed
|
||||||
as part of the Derivative Works; within the Source form or
|
as part of the Derivative Works; within the Source form or
|
||||||
documentation, if provided along with the Derivative Works; or,
|
documentation, if provided along with the Derivative Works; or,
|
||||||
within a display generated by the Derivative Works, if and
|
within a display generated by the Derivative Works, if and
|
||||||
wherever such third-party notices normally appear. The contents
|
wherever such third-party notices normally appear. The contents
|
||||||
of the NOTICE file are for informational purposes only and
|
of the NOTICE file are for informational purposes only and
|
||||||
do not modify the License. You may add Your own attribution
|
do not modify the License. You may add Your own attribution
|
||||||
notices within Derivative Works that You distribute, alongside
|
notices within Derivative Works that You distribute, alongside
|
||||||
or as an addendum to the NOTICE text from the Work, provided
|
or as an addendum to the NOTICE text from the Work, provided
|
||||||
that such additional attribution notices cannot be construed
|
that such additional attribution notices cannot be construed
|
||||||
as modifying the License.
|
as modifying the License.
|
||||||
|
|
||||||
You may add Your own copyright statement to Your modifications and
|
You may add Your own copyright statement to Your modifications and
|
||||||
may provide additional or different license terms and conditions
|
may provide additional or different license terms and conditions
|
||||||
for use, reproduction, or distribution of Your modifications, or
|
for use, reproduction, or distribution of Your modifications, or
|
||||||
for any such Derivative Works as a whole, provided Your use,
|
for any such Derivative Works as a whole, provided Your use,
|
||||||
reproduction, and distribution of the Work otherwise complies with
|
reproduction, and distribution of the Work otherwise complies with
|
||||||
the conditions stated in this License.
|
the conditions stated in this License.
|
||||||
|
|
||||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||||
any Contribution intentionally submitted for inclusion in the Work
|
any Contribution intentionally submitted for inclusion in the Work
|
||||||
by You to the Licensor shall be under the terms and conditions of
|
by You to the Licensor shall be under the terms and conditions of
|
||||||
this License, without any additional terms or conditions.
|
this License, without any additional terms or conditions.
|
||||||
Notwithstanding the above, nothing herein shall supersede or modify
|
Notwithstanding the above, nothing herein shall supersede or modify
|
||||||
the terms of any separate license agreement you may have executed
|
the terms of any separate license agreement you may have executed
|
||||||
with Licensor regarding such Contributions.
|
with Licensor regarding such Contributions.
|
||||||
|
|
||||||
6. Trademarks. This License does not grant permission to use the trade
|
6. Trademarks. This License does not grant permission to use the trade
|
||||||
names, trademarks, service marks, or product names of the Licensor,
|
names, trademarks, service marks, or product names of the Licensor,
|
||||||
except as required for reasonable and customary use in describing the
|
except as required for reasonable and customary use in describing the
|
||||||
origin of the Work and reproducing the content of the NOTICE file.
|
origin of the Work and reproducing the content of the NOTICE file.
|
||||||
|
|
||||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||||
agreed to in writing, Licensor provides the Work (and each
|
agreed to in writing, Licensor provides the Work (and each
|
||||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
implied, including, without limitation, any warranties or conditions
|
implied, including, without limitation, any warranties or conditions
|
||||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||||
appropriateness of using or redistributing the Work and assume any
|
appropriateness of using or redistributing the Work and assume any
|
||||||
risks associated with Your exercise of permissions under this License.
|
risks associated with Your exercise of permissions under this License.
|
||||||
|
|
||||||
8. Limitation of Liability. In no event and under no legal theory,
|
8. Limitation of Liability. In no event and under no legal theory,
|
||||||
whether in tort (including negligence), contract, or otherwise,
|
whether in tort (including negligence), contract, or otherwise,
|
||||||
unless required by applicable law (such as deliberate and grossly
|
unless required by applicable law (such as deliberate and grossly
|
||||||
negligent acts) or agreed to in writing, shall any Contributor be
|
negligent acts) or agreed to in writing, shall any Contributor be
|
||||||
liable to You for damages, including any direct, indirect, special,
|
liable to You for damages, including any direct, indirect, special,
|
||||||
incidental, or consequential damages of any character arising as a
|
incidental, or consequential damages of any character arising as a
|
||||||
result of this License or out of the use or inability to use the
|
result of this License or out of the use or inability to use the
|
||||||
Work (including but not limited to damages for loss of goodwill,
|
Work (including but not limited to damages for loss of goodwill,
|
||||||
work stoppage, computer failure or malfunction, or any and all
|
work stoppage, computer failure or malfunction, or any and all
|
||||||
other commercial damages or losses), even if such Contributor
|
other commercial damages or losses), even if such Contributor
|
||||||
has been advised of the possibility of such damages.
|
has been advised of the possibility of such damages.
|
||||||
|
|
||||||
9. Accepting Warranty or Additional Liability. While redistributing
|
9. Accepting Warranty or Additional Liability. While redistributing
|
||||||
the Work or Derivative Works thereof, You may choose to offer,
|
the Work or Derivative Works thereof, You may choose to offer,
|
||||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||||
or other liability obligations and/or rights consistent with this
|
or other liability obligations and/or rights consistent with this
|
||||||
License. However, in accepting such obligations, You may act only
|
License. However, in accepting such obligations, You may act only
|
||||||
on Your own behalf and on Your sole responsibility, not on behalf
|
on Your own behalf and on Your sole responsibility, not on behalf
|
||||||
of any other Contributor, and only if You agree to indemnify,
|
of any other Contributor, and only if You agree to indemnify,
|
||||||
defend, and hold each Contributor harmless for any liability
|
defend, and hold each Contributor harmless for any liability
|
||||||
incurred by, or claims asserted against, such Contributor by reason
|
incurred by, or claims asserted against, such Contributor by reason
|
||||||
of your accepting any such warranty or additional liability.
|
of your accepting any such warranty or additional liability.
|
||||||
|
|
||||||
END OF TERMS AND CONDITIONS
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
APPENDIX: How to apply the Apache License to your work.
|
APPENDIX: How to apply the Apache License to your work.
|
||||||
|
|
||||||
To apply the Apache License to your work, attach the following
|
To apply the Apache License to your work, attach the following
|
||||||
boilerplate notice, with the fields enclosed by brackets "[]"
|
boilerplate notice, with the fields enclosed by brackets "[]"
|
||||||
replaced with your own identifying information. (Don't include
|
replaced with your own identifying information. (Don't include
|
||||||
the brackets!) The text should be enclosed in the appropriate
|
the brackets!) The text should be enclosed in the appropriate
|
||||||
comment syntax for the file format. We also recommend that a
|
comment syntax for the file format. We also recommend that a
|
||||||
file or class name and description of purpose be included on the
|
file or class name and description of purpose be included on the
|
||||||
same "printed page" as the copyright notice for easier
|
same "printed page" as the copyright notice for easier
|
||||||
identification within third-party archives.
|
identification within third-party archives.
|
||||||
|
|
||||||
Copyright [yyyy] [name of copyright owner]
|
Copyright [yyyy] [name of copyright owner]
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
|
@ -1,153 +1,153 @@
|
|||||||
#
|
#
|
||||||
# american fuzzy lop - makefile
|
# american fuzzy lop - makefile
|
||||||
# -----------------------------
|
# -----------------------------
|
||||||
#
|
#
|
||||||
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
#
|
#
|
||||||
# Copyright 2013, 2014, 2015, 2016, 2017 Google LLC All rights reserved.
|
# Copyright 2013, 2014, 2015, 2016, 2017 Google LLC All rights reserved.
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
# You may obtain a copy of the License at:
|
# You may obtain a copy of the License at:
|
||||||
#
|
#
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
#
|
#
|
||||||
|
|
||||||
PROGNAME = afl
|
PROGNAME = afl
|
||||||
VERSION = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2)
|
VERSION = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2)
|
||||||
|
|
||||||
PREFIX ?= /usr/local
|
PREFIX ?= /usr/local
|
||||||
BIN_PATH = $(PREFIX)/bin
|
BIN_PATH = $(PREFIX)/bin
|
||||||
HELPER_PATH = $(PREFIX)/lib/afl
|
HELPER_PATH = $(PREFIX)/lib/afl
|
||||||
DOC_PATH = $(PREFIX)/share/doc/afl
|
DOC_PATH = $(PREFIX)/share/doc/afl
|
||||||
MISC_PATH = $(PREFIX)/share/afl
|
MISC_PATH = $(PREFIX)/share/afl
|
||||||
|
|
||||||
# PROGS intentionally omit afl-as, which gets installed elsewhere.
|
# PROGS intentionally omit afl-as, which gets installed elsewhere.
|
||||||
|
|
||||||
PROGS = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
|
PROGS = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
|
||||||
SH_PROGS = afl-plot afl-cmin afl-whatsup
|
SH_PROGS = afl-plot afl-cmin afl-whatsup
|
||||||
|
|
||||||
CFLAGS ?= -O3 -funroll-loops
|
CFLAGS ?= -O3 -funroll-loops
|
||||||
CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
|
CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
|
||||||
-DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
|
-DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
|
||||||
-DBIN_PATH=\"$(BIN_PATH)\"
|
-DBIN_PATH=\"$(BIN_PATH)\"
|
||||||
|
|
||||||
ifneq "$(filter Linux GNU%,$(shell uname))" ""
|
ifneq "$(filter Linux GNU%,$(shell uname))" ""
|
||||||
LDFLAGS += -ldl
|
LDFLAGS += -ldl
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
|
ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
|
||||||
TEST_CC = afl-gcc
|
TEST_CC = afl-gcc
|
||||||
else
|
else
|
||||||
TEST_CC = afl-clang
|
TEST_CC = afl-clang
|
||||||
endif
|
endif
|
||||||
|
|
||||||
COMM_HDR = alloc-inl.h config.h debug.h types.h
|
COMM_HDR = alloc-inl.h config.h debug.h types.h
|
||||||
|
|
||||||
all: test_x86 $(PROGS) afl-as test_build all_done
|
all: test_x86 $(PROGS) afl-as test_build all_done
|
||||||
|
|
||||||
ifndef AFL_NO_X86
|
ifndef AFL_NO_X86
|
||||||
|
|
||||||
test_x86:
|
test_x86:
|
||||||
@echo "[*] Checking for the ability to compile x86 code..."
|
@echo "[*] Checking for the ability to compile x86 code..."
|
||||||
@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
|
@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
|
||||||
@rm -f .test
|
@rm -f .test
|
||||||
@echo "[+] Everything seems to be working, ready to compile."
|
@echo "[+] Everything seems to be working, ready to compile."
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
test_x86:
|
test_x86:
|
||||||
@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
|
@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
|
afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
|
||||||
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
||||||
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
|
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
|
||||||
|
|
||||||
afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
|
afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
|
||||||
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
||||||
ln -sf afl-as as
|
ln -sf afl-as as
|
||||||
|
|
||||||
afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86
|
afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86
|
||||||
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
||||||
|
|
||||||
afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86
|
afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86
|
||||||
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
||||||
|
|
||||||
afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86
|
afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86
|
||||||
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
||||||
|
|
||||||
afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86
|
afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86
|
||||||
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
||||||
|
|
||||||
afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
|
afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
|
||||||
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
|
||||||
|
|
||||||
ifndef AFL_NO_X86
|
ifndef AFL_NO_X86
|
||||||
|
|
||||||
test_build: afl-gcc afl-as afl-showmap
|
test_build: afl-gcc afl-as afl-showmap
|
||||||
@echo "[*] Testing the CC wrapper and instrumentation output..."
|
@echo "[*] Testing the CC wrapper and instrumentation output..."
|
||||||
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
|
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
|
||||||
./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
|
./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
|
||||||
echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
|
echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
|
||||||
@rm -f test-instr
|
@rm -f test-instr
|
||||||
@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
|
@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
|
||||||
@echo "[+] All right, the instrumentation seems to be working!"
|
@echo "[+] All right, the instrumentation seems to be working!"
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
test_build: afl-gcc afl-as afl-showmap
|
test_build: afl-gcc afl-as afl-showmap
|
||||||
@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
|
@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
all_done: test_build
|
all_done: test_build
|
||||||
@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
|
@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
|
||||||
@echo "[+] All done! Be sure to review README - it's pretty short and useful."
|
@echo "[+] All done! Be sure to review README - it's pretty short and useful."
|
||||||
@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
|
@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
|
||||||
@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
|
@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
|
||||||
|
|
||||||
.NOTPARALLEL: clean
|
.NOTPARALLEL: clean
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace
|
rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace
|
||||||
rm -rf out_dir qemu_mode/qemu-2.10.0
|
rm -rf out_dir qemu_mode/qemu-2.10.0
|
||||||
$(MAKE) -C llvm_mode clean
|
$(MAKE) -C llvm_mode clean
|
||||||
$(MAKE) -C libdislocator clean
|
$(MAKE) -C libdislocator clean
|
||||||
$(MAKE) -C libtokencap clean
|
$(MAKE) -C libtokencap clean
|
||||||
|
|
||||||
install: all
|
install: all
|
||||||
mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
|
mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
|
||||||
rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
|
rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
|
||||||
install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
|
install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
|
||||||
rm -f $${DESTDIR}$(BIN_PATH)/afl-as
|
rm -f $${DESTDIR}$(BIN_PATH)/afl-as
|
||||||
if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
|
if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
|
||||||
ifndef AFL_TRACE_PC
|
ifndef AFL_TRACE_PC
|
||||||
if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
|
if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
|
||||||
else
|
else
|
||||||
if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
|
if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
|
||||||
endif
|
endif
|
||||||
if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
|
if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
|
||||||
if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
|
if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
|
||||||
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
|
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
|
||||||
install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
|
install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
|
||||||
ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
|
ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
|
||||||
install -m 644 README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
|
install -m 644 README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
|
||||||
cp -r testcases/ $${DESTDIR}$(MISC_PATH)
|
cp -r testcases/ $${DESTDIR}$(MISC_PATH)
|
||||||
cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
|
cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
|
||||||
|
|
||||||
publish: clean
|
publish: clean
|
||||||
test "`basename $$PWD`" = "AFL" || exit 1
|
test "`basename $$PWD`" = "AFL" || exit 1
|
||||||
test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
|
test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
|
||||||
cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
|
cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
|
||||||
tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
|
tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
|
||||||
chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
|
chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
|
||||||
( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
|
( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
|
||||||
cat docs/README >~/www/afl/README.txt
|
cat docs/README >~/www/afl/README.txt
|
||||||
cat docs/status_screen.txt >~/www/afl/status_screen.txt
|
cat docs/status_screen.txt >~/www/afl/status_screen.txt
|
||||||
cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
|
cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
|
||||||
cat docs/technical_details.txt >~/www/afl/technical_details.txt
|
cat docs/technical_details.txt >~/www/afl/technical_details.txt
|
||||||
cat docs/ChangeLog >~/www/afl/ChangeLog.txt
|
cat docs/ChangeLog >~/www/afl/ChangeLog.txt
|
||||||
cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
|
cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
|
||||||
echo -n "$(VERSION)" >~/www/afl/version.txt
|
echo -n "$(VERSION)" >~/www/afl/version.txt
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -1,461 +1,461 @@
|
|||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
#
|
#
|
||||||
# american fuzzy lop - corpus minimization tool
|
# american fuzzy lop - corpus minimization tool
|
||||||
# ---------------------------------------------
|
# ---------------------------------------------
|
||||||
#
|
#
|
||||||
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
#
|
#
|
||||||
# Copyright 2014, 2015 Google LLC All rights reserved.
|
# Copyright 2014, 2015 Google LLC All rights reserved.
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
# You may obtain a copy of the License at:
|
# You may obtain a copy of the License at:
|
||||||
#
|
#
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
#
|
#
|
||||||
# This tool tries to find the smallest subset of files in the input directory
|
# This tool tries to find the smallest subset of files in the input directory
|
||||||
# that still trigger the full range of instrumentation data points seen in
|
# that still trigger the full range of instrumentation data points seen in
|
||||||
# the starting corpus. This has two uses:
|
# the starting corpus. This has two uses:
|
||||||
#
|
#
|
||||||
# - Screening large corpora of input files before using them as a seed for
|
# - Screening large corpora of input files before using them as a seed for
|
||||||
# afl-fuzz. The tool will remove functionally redundant files and likely
|
# afl-fuzz. The tool will remove functionally redundant files and likely
|
||||||
# leave you with a much smaller set.
|
# leave you with a much smaller set.
|
||||||
#
|
#
|
||||||
# (In this case, you probably also want to consider running afl-tmin on
|
# (In this case, you probably also want to consider running afl-tmin on
|
||||||
# the individual files later on to reduce their size.)
|
# the individual files later on to reduce their size.)
|
||||||
#
|
#
|
||||||
# - Minimizing the corpus generated organically by afl-fuzz, perhaps when
|
# - Minimizing the corpus generated organically by afl-fuzz, perhaps when
|
||||||
# planning to feed it to more resource-intensive tools. The tool achieves
|
# planning to feed it to more resource-intensive tools. The tool achieves
|
||||||
# this by removing all entries that used to trigger unique behaviors in the
|
# this by removing all entries that used to trigger unique behaviors in the
|
||||||
# past, but have been made obsolete by later finds.
|
# past, but have been made obsolete by later finds.
|
||||||
#
|
#
|
||||||
# Note that the tool doesn't modify the files themselves. For that, you want
|
# Note that the tool doesn't modify the files themselves. For that, you want
|
||||||
# afl-tmin.
|
# afl-tmin.
|
||||||
#
|
#
|
||||||
# This script must use bash because other shells may have hardcoded limits on
|
# This script must use bash because other shells may have hardcoded limits on
|
||||||
# array sizes.
|
# array sizes.
|
||||||
#
|
#
|
||||||
|
|
||||||
echo "corpus minimization tool for afl-fuzz by <lcamtuf@google.com>"
|
echo "corpus minimization tool for afl-fuzz by <lcamtuf@google.com>"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
#########
|
#########
|
||||||
# SETUP #
|
# SETUP #
|
||||||
#########
|
#########
|
||||||
|
|
||||||
# Process command-line options...
|
# Process command-line options...
|
||||||
|
|
||||||
MEM_LIMIT=100
|
MEM_LIMIT=100
|
||||||
TIMEOUT=none
|
TIMEOUT=none
|
||||||
|
|
||||||
unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
|
unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
|
||||||
AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE
|
AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE
|
||||||
|
|
||||||
while getopts "+i:o:f:m:t:eQC" opt; do
|
while getopts "+i:o:f:m:t:eQC" opt; do
|
||||||
|
|
||||||
case "$opt" in
|
case "$opt" in
|
||||||
|
|
||||||
"i")
|
"i")
|
||||||
IN_DIR="$OPTARG"
|
IN_DIR="$OPTARG"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"o")
|
"o")
|
||||||
OUT_DIR="$OPTARG"
|
OUT_DIR="$OPTARG"
|
||||||
;;
|
;;
|
||||||
"f")
|
"f")
|
||||||
STDIN_FILE="$OPTARG"
|
STDIN_FILE="$OPTARG"
|
||||||
;;
|
;;
|
||||||
"m")
|
"m")
|
||||||
MEM_LIMIT="$OPTARG"
|
MEM_LIMIT="$OPTARG"
|
||||||
MEM_LIMIT_GIVEN=1
|
MEM_LIMIT_GIVEN=1
|
||||||
;;
|
;;
|
||||||
"t")
|
"t")
|
||||||
TIMEOUT="$OPTARG"
|
TIMEOUT="$OPTARG"
|
||||||
;;
|
;;
|
||||||
"e")
|
"e")
|
||||||
EXTRA_PAR="$EXTRA_PAR -e"
|
EXTRA_PAR="$EXTRA_PAR -e"
|
||||||
;;
|
;;
|
||||||
"C")
|
"C")
|
||||||
export AFL_CMIN_CRASHES_ONLY=1
|
export AFL_CMIN_CRASHES_ONLY=1
|
||||||
;;
|
;;
|
||||||
"Q")
|
"Q")
|
||||||
EXTRA_PAR="$EXTRA_PAR -Q"
|
EXTRA_PAR="$EXTRA_PAR -Q"
|
||||||
test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
|
test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
|
||||||
QEMU_MODE=1
|
QEMU_MODE=1
|
||||||
;;
|
;;
|
||||||
"?")
|
"?")
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
|
|
||||||
esac
|
esac
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
shift $((OPTIND-1))
|
shift $((OPTIND-1))
|
||||||
|
|
||||||
TARGET_BIN="$1"
|
TARGET_BIN="$1"
|
||||||
|
|
||||||
if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then
|
if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then
|
||||||
|
|
||||||
cat 1>&2 <<_EOF_
|
cat 1>&2 <<_EOF_
|
||||||
Usage: $0 [ options ] -- /path/to/target_app [ ... ]
|
Usage: $0 [ options ] -- /path/to/target_app [ ... ]
|
||||||
|
|
||||||
Required parameters:
|
Required parameters:
|
||||||
|
|
||||||
-i dir - input directory with the starting corpus
|
-i dir - input directory with the starting corpus
|
||||||
-o dir - output directory for minimized files
|
-o dir - output directory for minimized files
|
||||||
|
|
||||||
Execution control settings:
|
Execution control settings:
|
||||||
|
|
||||||
-f file - location read by the fuzzed program (stdin)
|
-f file - location read by the fuzzed program (stdin)
|
||||||
-m megs - memory limit for child process ($MEM_LIMIT MB)
|
-m megs - memory limit for child process ($MEM_LIMIT MB)
|
||||||
-t msec - run time limit for child process (none)
|
-t msec - run time limit for child process (none)
|
||||||
-Q - use binary-only instrumentation (QEMU mode)
|
-Q - use binary-only instrumentation (QEMU mode)
|
||||||
|
|
||||||
Minimization settings:
|
Minimization settings:
|
||||||
|
|
||||||
-C - keep crashing inputs, reject everything else
|
-C - keep crashing inputs, reject everything else
|
||||||
-e - solve for edge coverage only, ignore hit counts
|
-e - solve for edge coverage only, ignore hit counts
|
||||||
|
|
||||||
For additional tips, please consult docs/README.
|
For additional tips, please consult docs/README.
|
||||||
|
|
||||||
_EOF_
|
_EOF_
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Do a sanity check to discourage the use of /tmp, since we can't really
|
# Do a sanity check to discourage the use of /tmp, since we can't really
|
||||||
# handle this safely from a shell script.
|
# handle this safely from a shell script.
|
||||||
|
|
||||||
if [ "$AFL_ALLOW_TMP" = "" ]; then
|
if [ "$AFL_ALLOW_TMP" = "" ]; then
|
||||||
|
|
||||||
echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
|
echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
|
||||||
T1="$?"
|
T1="$?"
|
||||||
|
|
||||||
echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
|
echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
|
||||||
T2="$?"
|
T2="$?"
|
||||||
|
|
||||||
echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
|
echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
|
||||||
T3="$?"
|
T3="$?"
|
||||||
|
|
||||||
echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
|
echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
|
||||||
T4="$?"
|
T4="$?"
|
||||||
|
|
||||||
echo "$PWD" | grep -qE '^(/var)?/tmp/'
|
echo "$PWD" | grep -qE '^(/var)?/tmp/'
|
||||||
T5="$?"
|
T5="$?"
|
||||||
|
|
||||||
if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
|
if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
|
||||||
echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
|
echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If @@ is specified, but there's no -f, let's come up with a temporary input
|
# If @@ is specified, but there's no -f, let's come up with a temporary input
|
||||||
# file name.
|
# file name.
|
||||||
|
|
||||||
TRACE_DIR="$OUT_DIR/.traces"
|
TRACE_DIR="$OUT_DIR/.traces"
|
||||||
|
|
||||||
if [ "$STDIN_FILE" = "" ]; then
|
if [ "$STDIN_FILE" = "" ]; then
|
||||||
|
|
||||||
if echo "$*" | grep -qF '@@'; then
|
if echo "$*" | grep -qF '@@'; then
|
||||||
STDIN_FILE="$TRACE_DIR/.cur_input"
|
STDIN_FILE="$TRACE_DIR/.cur_input"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check for obvious errors.
|
# Check for obvious errors.
|
||||||
|
|
||||||
if [ ! "$MEM_LIMIT" = "none" ]; then
|
if [ ! "$MEM_LIMIT" = "none" ]; then
|
||||||
|
|
||||||
if [ "$MEM_LIMIT" -lt "5" ]; then
|
if [ "$MEM_LIMIT" -lt "5" ]; then
|
||||||
echo "[-] Error: dangerously low memory limit." 1>&2
|
echo "[-] Error: dangerously low memory limit." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! "$TIMEOUT" = "none" ]; then
|
if [ ! "$TIMEOUT" = "none" ]; then
|
||||||
|
|
||||||
if [ "$TIMEOUT" -lt "10" ]; then
|
if [ "$TIMEOUT" -lt "10" ]; then
|
||||||
echo "[-] Error: dangerously low timeout." 1>&2
|
echo "[-] Error: dangerously low timeout." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
|
if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
|
||||||
|
|
||||||
TNEW="`which "$TARGET_BIN" 2>/dev/null`"
|
TNEW="`which "$TARGET_BIN" 2>/dev/null`"
|
||||||
|
|
||||||
if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then
|
if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then
|
||||||
echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2
|
echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
TARGET_BIN="$TNEW"
|
TARGET_BIN="$TNEW"
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" ]; then
|
if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" ]; then
|
||||||
|
|
||||||
if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
|
if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
|
||||||
echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2
|
echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -d "$IN_DIR" ]; then
|
if [ ! -d "$IN_DIR" ]; then
|
||||||
echo "[-] Error: directory '$IN_DIR' not found." 1>&2
|
echo "[-] Error: directory '$IN_DIR' not found." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue"
|
test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue"
|
||||||
|
|
||||||
find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null
|
find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null
|
||||||
rm -rf "$TRACE_DIR" 2>/dev/null
|
rm -rf "$TRACE_DIR" 2>/dev/null
|
||||||
|
|
||||||
rmdir "$OUT_DIR" 2>/dev/null
|
rmdir "$OUT_DIR" 2>/dev/null
|
||||||
|
|
||||||
if [ -d "$OUT_DIR" ]; then
|
if [ -d "$OUT_DIR" ]; then
|
||||||
echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2
|
echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -m 700 -p "$TRACE_DIR" || exit 1
|
mkdir -m 700 -p "$TRACE_DIR" || exit 1
|
||||||
|
|
||||||
if [ ! "$STDIN_FILE" = "" ]; then
|
if [ ! "$STDIN_FILE" = "" ]; then
|
||||||
rm -f "$STDIN_FILE" || exit 1
|
rm -f "$STDIN_FILE" || exit 1
|
||||||
touch "$STDIN_FILE" || exit 1
|
touch "$STDIN_FILE" || exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$AFL_PATH" = "" ]; then
|
if [ "$AFL_PATH" = "" ]; then
|
||||||
SHOWMAP="${0%/afl-cmin}/afl-showmap"
|
SHOWMAP="${0%/afl-cmin}/afl-showmap"
|
||||||
else
|
else
|
||||||
SHOWMAP="$AFL_PATH/afl-showmap"
|
SHOWMAP="$AFL_PATH/afl-showmap"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -x "$SHOWMAP" ]; then
|
if [ ! -x "$SHOWMAP" ]; then
|
||||||
echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2
|
echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2
|
||||||
rm -rf "$TRACE_DIR"
|
rm -rf "$TRACE_DIR"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`))
|
IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`))
|
||||||
|
|
||||||
if [ "$IN_COUNT" = "0" ]; then
|
if [ "$IN_COUNT" = "0" ]; then
|
||||||
echo "[+] Hmm, no inputs in the target directory. Nothing to be done."
|
echo "[+] Hmm, no inputs in the target directory. Nothing to be done."
|
||||||
rm -rf "$TRACE_DIR"
|
rm -rf "$TRACE_DIR"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
FIRST_FILE=`ls "$IN_DIR" | head -1`
|
FIRST_FILE=`ls "$IN_DIR" | head -1`
|
||||||
|
|
||||||
# Make sure that we're not dealing with a directory.
|
# Make sure that we're not dealing with a directory.
|
||||||
|
|
||||||
if [ -d "$IN_DIR/$FIRST_FILE" ]; then
|
if [ -d "$IN_DIR/$FIRST_FILE" ]; then
|
||||||
echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2
|
echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2
|
||||||
rm -rf "$TRACE_DIR"
|
rm -rf "$TRACE_DIR"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Check for the more efficient way to copy files...
|
# Check for the more efficient way to copy files...
|
||||||
|
|
||||||
if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then
|
if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then
|
||||||
CP_TOOL=ln
|
CP_TOOL=ln
|
||||||
else
|
else
|
||||||
CP_TOOL=cp
|
CP_TOOL=cp
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Make sure that we can actually get anything out of afl-showmap before we
|
# Make sure that we can actually get anything out of afl-showmap before we
|
||||||
# waste too much time.
|
# waste too much time.
|
||||||
|
|
||||||
echo "[*] Testing the target binary..."
|
echo "[*] Testing the target binary..."
|
||||||
|
|
||||||
if [ "$STDIN_FILE" = "" ]; then
|
if [ "$STDIN_FILE" = "" ]; then
|
||||||
|
|
||||||
AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE"
|
AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE"
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE"
|
cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE"
|
||||||
AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
|
AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
FIRST_COUNT=$((`grep -c . "$TRACE_DIR/.run_test"`))
|
FIRST_COUNT=$((`grep -c . "$TRACE_DIR/.run_test"`))
|
||||||
|
|
||||||
if [ "$FIRST_COUNT" -gt "0" ]; then
|
if [ "$FIRST_COUNT" -gt "0" ]; then
|
||||||
|
|
||||||
echo "[+] OK, $FIRST_COUNT tuples recorded."
|
echo "[+] OK, $FIRST_COUNT tuples recorded."
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
echo "[-] Error: no instrumentation output detected (perhaps crash or timeout)." 1>&2
|
echo "[-] Error: no instrumentation output detected (perhaps crash or timeout)." 1>&2
|
||||||
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
|
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Let's roll!
|
# Let's roll!
|
||||||
|
|
||||||
#############################
|
#############################
|
||||||
# STEP 1: COLLECTING TRACES #
|
# STEP 1: COLLECTING TRACES #
|
||||||
#############################
|
#############################
|
||||||
|
|
||||||
echo "[*] Obtaining traces for input files in '$IN_DIR'..."
|
echo "[*] Obtaining traces for input files in '$IN_DIR'..."
|
||||||
|
|
||||||
(
|
(
|
||||||
|
|
||||||
CUR=0
|
CUR=0
|
||||||
|
|
||||||
if [ "$STDIN_FILE" = "" ]; then
|
if [ "$STDIN_FILE" = "" ]; then
|
||||||
|
|
||||||
while read -r fn; do
|
while read -r fn; do
|
||||||
|
|
||||||
CUR=$((CUR+1))
|
CUR=$((CUR+1))
|
||||||
printf "\\r Processing file $CUR/$IN_COUNT... "
|
printf "\\r Processing file $CUR/$IN_COUNT... "
|
||||||
|
|
||||||
"$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
|
"$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
|
||||||
|
|
||||||
done < <(ls "$IN_DIR")
|
done < <(ls "$IN_DIR")
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
while read -r fn; do
|
while read -r fn; do
|
||||||
|
|
||||||
CUR=$((CUR+1))
|
CUR=$((CUR+1))
|
||||||
printf "\\r Processing file $CUR/$IN_COUNT... "
|
printf "\\r Processing file $CUR/$IN_COUNT... "
|
||||||
|
|
||||||
cp "$IN_DIR/$fn" "$STDIN_FILE"
|
cp "$IN_DIR/$fn" "$STDIN_FILE"
|
||||||
|
|
||||||
"$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
|
"$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
|
||||||
|
|
||||||
done < <(ls "$IN_DIR")
|
done < <(ls "$IN_DIR")
|
||||||
|
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
)
|
)
|
||||||
|
|
||||||
echo
|
echo
|
||||||
|
|
||||||
##########################
|
##########################
|
||||||
# STEP 2: SORTING TUPLES #
|
# STEP 2: SORTING TUPLES #
|
||||||
##########################
|
##########################
|
||||||
|
|
||||||
# With this out of the way, we sort all tuples by popularity across all
|
# With this out of the way, we sort all tuples by popularity across all
|
||||||
# datasets. The reasoning here is that we won't be able to avoid the files
|
# datasets. The reasoning here is that we won't be able to avoid the files
|
||||||
# that trigger unique tuples anyway, so we will want to start with them and
|
# that trigger unique tuples anyway, so we will want to start with them and
|
||||||
# see what's left.
|
# see what's left.
|
||||||
|
|
||||||
echo "[*] Sorting trace sets (this may take a while)..."
|
echo "[*] Sorting trace sets (this may take a while)..."
|
||||||
|
|
||||||
ls "$IN_DIR" | sed "s#^#$TRACE_DIR/#" | tr '\n' '\0' | xargs -0 -n 1 cat | \
|
ls "$IN_DIR" | sed "s#^#$TRACE_DIR/#" | tr '\n' '\0' | xargs -0 -n 1 cat | \
|
||||||
sort | uniq -c | sort -n >"$TRACE_DIR/.all_uniq"
|
sort | uniq -c | sort -n >"$TRACE_DIR/.all_uniq"
|
||||||
|
|
||||||
TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`))
|
TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`))
|
||||||
|
|
||||||
echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files."
|
echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files."
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
# STEP 3: SELECTING CANDIDATE FILES #
|
# STEP 3: SELECTING CANDIDATE FILES #
|
||||||
#####################################
|
#####################################
|
||||||
|
|
||||||
# The next step is to find the best candidate for each tuple. The "best"
|
# The next step is to find the best candidate for each tuple. The "best"
|
||||||
# part is understood simply as the smallest input that includes a particular
|
# part is understood simply as the smallest input that includes a particular
|
||||||
# tuple in its trace. Empirical evidence suggests that this produces smaller
|
# tuple in its trace. Empirical evidence suggests that this produces smaller
|
||||||
# datasets than more involved algorithms that could be still pulled off in
|
# datasets than more involved algorithms that could be still pulled off in
|
||||||
# a shell script.
|
# a shell script.
|
||||||
|
|
||||||
echo "[*] Finding best candidates for each tuple..."
|
echo "[*] Finding best candidates for each tuple..."
|
||||||
|
|
||||||
CUR=0
|
CUR=0
|
||||||
|
|
||||||
while read -r fn; do
|
while read -r fn; do
|
||||||
|
|
||||||
CUR=$((CUR+1))
|
CUR=$((CUR+1))
|
||||||
printf "\\r Processing file $CUR/$IN_COUNT... "
|
printf "\\r Processing file $CUR/$IN_COUNT... "
|
||||||
|
|
||||||
sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"
|
sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"
|
||||||
|
|
||||||
done < <(ls -rS "$IN_DIR")
|
done < <(ls -rS "$IN_DIR")
|
||||||
|
|
||||||
echo
|
echo
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
# STEP 4: LOADING CANDIDATES #
|
# STEP 4: LOADING CANDIDATES #
|
||||||
##############################
|
##############################
|
||||||
|
|
||||||
# At this point, we have a file of tuple-file pairs, sorted by file size
|
# At this point, we have a file of tuple-file pairs, sorted by file size
|
||||||
# in ascending order (as a consequence of ls -rS). By doing sort keyed
|
# in ascending order (as a consequence of ls -rS). By doing sort keyed
|
||||||
# only by tuple (-k 1,1) and configured to output only the first line for
|
# only by tuple (-k 1,1) and configured to output only the first line for
|
||||||
# every key (-s -u), we end up with the smallest file for each tuple.
|
# every key (-s -u), we end up with the smallest file for each tuple.
|
||||||
|
|
||||||
echo "[*] Sorting candidate list (be patient)..."
|
echo "[*] Sorting candidate list (be patient)..."
|
||||||
|
|
||||||
sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \
|
sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \
|
||||||
sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script"
|
sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script"
|
||||||
|
|
||||||
if [ ! -s "$TRACE_DIR/.candidate_script" ]; then
|
if [ ! -s "$TRACE_DIR/.candidate_script" ]; then
|
||||||
echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2
|
echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2
|
||||||
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
|
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# The sed command converted the sorted list to a shell script that populates
|
# The sed command converted the sorted list to a shell script that populates
|
||||||
# BEST_FILE[tuple]="fname". Let's load that!
|
# BEST_FILE[tuple]="fname". Let's load that!
|
||||||
|
|
||||||
. "$TRACE_DIR/.candidate_script"
|
. "$TRACE_DIR/.candidate_script"
|
||||||
|
|
||||||
##########################
|
##########################
|
||||||
# STEP 5: WRITING OUTPUT #
|
# STEP 5: WRITING OUTPUT #
|
||||||
##########################
|
##########################
|
||||||
|
|
||||||
# The final trick is to grab the top pick for each tuple, unless said tuple is
|
# The final trick is to grab the top pick for each tuple, unless said tuple is
|
||||||
# already set due to the inclusion of an earlier candidate; and then put all
|
# already set due to the inclusion of an earlier candidate; and then put all
|
||||||
# tuples associated with the newly-added file to the "already have" list. The
|
# tuples associated with the newly-added file to the "already have" list. The
|
||||||
# loop works from least popular tuples and toward the most common ones.
|
# loop works from least popular tuples and toward the most common ones.
|
||||||
|
|
||||||
echo "[*] Processing candidates and writing output files..."
|
echo "[*] Processing candidates and writing output files..."
|
||||||
|
|
||||||
CUR=0
|
CUR=0
|
||||||
|
|
||||||
touch "$TRACE_DIR/.already_have"
|
touch "$TRACE_DIR/.already_have"
|
||||||
|
|
||||||
while read -r cnt tuple; do
|
while read -r cnt tuple; do
|
||||||
|
|
||||||
CUR=$((CUR+1))
|
CUR=$((CUR+1))
|
||||||
printf "\\r Processing tuple $CUR/$TUPLE_COUNT... "
|
printf "\\r Processing tuple $CUR/$TUPLE_COUNT... "
|
||||||
|
|
||||||
# If we already have this tuple, skip it.
|
# If we already have this tuple, skip it.
|
||||||
|
|
||||||
grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue
|
grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue
|
||||||
|
|
||||||
FN=${BEST_FILE[tuple]}
|
FN=${BEST_FILE[tuple]}
|
||||||
|
|
||||||
$CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN"
|
$CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN"
|
||||||
|
|
||||||
if [ "$((CUR % 5))" = "0" ]; then
|
if [ "$((CUR % 5))" = "0" ]; then
|
||||||
sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp"
|
sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp"
|
||||||
mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have"
|
mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have"
|
||||||
else
|
else
|
||||||
cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have"
|
cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
done <"$TRACE_DIR/.all_uniq"
|
done <"$TRACE_DIR/.all_uniq"
|
||||||
|
|
||||||
echo
|
echo
|
||||||
|
|
||||||
OUT_COUNT=`ls -- "$OUT_DIR" | wc -l`
|
OUT_COUNT=`ls -- "$OUT_DIR" | wc -l`
|
||||||
|
|
||||||
if [ "$OUT_COUNT" = "1" ]; then
|
if [ "$OUT_COUNT" = "1" ]; then
|
||||||
echo "[!] WARNING: All test cases had the same traces, check syntax!"
|
echo "[!] WARNING: All test cases had the same traces, check syntax!"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'."
|
echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'."
|
||||||
echo
|
echo
|
||||||
|
|
||||||
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
|
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -1,346 +1,346 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2013 Google LLC All rights reserved.
|
Copyright 2013 Google LLC All rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at:
|
You may obtain a copy of the License at:
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
american fuzzy lop - wrapper for GCC and clang
|
american fuzzy lop - wrapper for GCC and clang
|
||||||
----------------------------------------------
|
----------------------------------------------
|
||||||
|
|
||||||
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
|
|
||||||
This program is a drop-in replacement for GCC or clang. The most common way
|
This program is a drop-in replacement for GCC or clang. The most common way
|
||||||
of using it is to pass the path to afl-gcc or afl-clang via CC when invoking
|
of using it is to pass the path to afl-gcc or afl-clang via CC when invoking
|
||||||
./configure.
|
./configure.
|
||||||
|
|
||||||
(Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.)
|
(Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.)
|
||||||
|
|
||||||
The wrapper needs to know the path to afl-as (renamed to 'as'). The default
|
The wrapper needs to know the path to afl-as (renamed to 'as'). The default
|
||||||
is /usr/local/lib/afl/. A convenient way to specify alternative directories
|
is /usr/local/lib/afl/. A convenient way to specify alternative directories
|
||||||
would be to set AFL_PATH.
|
would be to set AFL_PATH.
|
||||||
|
|
||||||
If AFL_HARDEN is set, the wrapper will compile the target app with various
|
If AFL_HARDEN is set, the wrapper will compile the target app with various
|
||||||
hardening options that may help detect memory management issues more
|
hardening options that may help detect memory management issues more
|
||||||
reliably. You can also specify AFL_USE_ASAN to enable ASAN.
|
reliably. You can also specify AFL_USE_ASAN to enable ASAN.
|
||||||
|
|
||||||
If you want to call a non-default compiler as a next step of the chain,
|
If you want to call a non-default compiler as a next step of the chain,
|
||||||
specify its location via AFL_CC or AFL_CXX.
|
specify its location via AFL_CC or AFL_CXX.
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#define AFL_MAIN
|
#define AFL_MAIN
|
||||||
|
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "types.h"
|
#include "types.h"
|
||||||
#include "debug.h"
|
#include "debug.h"
|
||||||
#include "alloc-inl.h"
|
#include "alloc-inl.h"
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
static u8* as_path; /* Path to the AFL 'as' wrapper */
|
static u8* as_path; /* Path to the AFL 'as' wrapper */
|
||||||
static u8** cc_params; /* Parameters passed to the real CC */
|
static u8** cc_params; /* Parameters passed to the real CC */
|
||||||
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
|
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
|
||||||
static u8 be_quiet, /* Quiet mode */
|
static u8 be_quiet, /* Quiet mode */
|
||||||
clang_mode; /* Invoked as afl-clang*? */
|
clang_mode; /* Invoked as afl-clang*? */
|
||||||
|
|
||||||
|
|
||||||
/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived
|
/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived
|
||||||
from argv[0]. If that fails, abort. */
|
from argv[0]. If that fails, abort. */
|
||||||
|
|
||||||
static void find_as(u8* argv0) {
|
static void find_as(u8* argv0) {
|
||||||
|
|
||||||
u8 *afl_path = getenv("AFL_PATH");
|
u8 *afl_path = getenv("AFL_PATH");
|
||||||
u8 *slash, *tmp;
|
u8 *slash, *tmp;
|
||||||
|
|
||||||
if (afl_path) {
|
if (afl_path) {
|
||||||
|
|
||||||
tmp = alloc_printf("%s/as", afl_path);
|
tmp = alloc_printf("%s/as", afl_path);
|
||||||
|
|
||||||
if (!access(tmp, X_OK)) {
|
if (!access(tmp, X_OK)) {
|
||||||
as_path = afl_path;
|
as_path = afl_path;
|
||||||
ck_free(tmp);
|
ck_free(tmp);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
ck_free(tmp);
|
ck_free(tmp);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
slash = strrchr(argv0, '/');
|
slash = strrchr(argv0, '/');
|
||||||
|
|
||||||
if (slash) {
|
if (slash) {
|
||||||
|
|
||||||
u8 *dir;
|
u8 *dir;
|
||||||
|
|
||||||
*slash = 0;
|
*slash = 0;
|
||||||
dir = ck_strdup(argv0);
|
dir = ck_strdup(argv0);
|
||||||
*slash = '/';
|
*slash = '/';
|
||||||
|
|
||||||
tmp = alloc_printf("%s/afl-as", dir);
|
tmp = alloc_printf("%s/afl-as", dir);
|
||||||
|
|
||||||
if (!access(tmp, X_OK)) {
|
if (!access(tmp, X_OK)) {
|
||||||
as_path = dir;
|
as_path = dir;
|
||||||
ck_free(tmp);
|
ck_free(tmp);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
ck_free(tmp);
|
ck_free(tmp);
|
||||||
ck_free(dir);
|
ck_free(dir);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!access(AFL_PATH "/as", X_OK)) {
|
if (!access(AFL_PATH "/as", X_OK)) {
|
||||||
as_path = AFL_PATH;
|
as_path = AFL_PATH;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH");
|
FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Copy argv to cc_params, making the necessary edits. */
|
/* Copy argv to cc_params, making the necessary edits. */
|
||||||
|
|
||||||
static void edit_params(u32 argc, char** argv) {
|
static void edit_params(u32 argc, char** argv) {
|
||||||
|
|
||||||
u8 fortify_set = 0, asan_set = 0;
|
u8 fortify_set = 0, asan_set = 0;
|
||||||
u8 *name;
|
u8 *name;
|
||||||
|
|
||||||
#if defined(__FreeBSD__) && defined(__x86_64__)
|
#if defined(__FreeBSD__) && defined(__x86_64__)
|
||||||
u8 m32_set = 0;
|
u8 m32_set = 0;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
cc_params = ck_alloc((argc + 128) * sizeof(u8*));
|
cc_params = ck_alloc((argc + 128) * sizeof(u8*));
|
||||||
|
|
||||||
name = strrchr(argv[0], '/');
|
name = strrchr(argv[0], '/');
|
||||||
if (!name) name = argv[0]; else name++;
|
if (!name) name = argv[0]; else name++;
|
||||||
|
|
||||||
if (!strncmp(name, "afl-clang", 9)) {
|
if (!strncmp(name, "afl-clang", 9)) {
|
||||||
|
|
||||||
clang_mode = 1;
|
clang_mode = 1;
|
||||||
|
|
||||||
setenv(CLANG_ENV_VAR, "1", 1);
|
setenv(CLANG_ENV_VAR, "1", 1);
|
||||||
|
|
||||||
if (!strcmp(name, "afl-clang++")) {
|
if (!strcmp(name, "afl-clang++")) {
|
||||||
u8* alt_cxx = getenv("AFL_CXX");
|
u8* alt_cxx = getenv("AFL_CXX");
|
||||||
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
|
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
|
||||||
} else {
|
} else {
|
||||||
u8* alt_cc = getenv("AFL_CC");
|
u8* alt_cc = getenv("AFL_CC");
|
||||||
cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
|
cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
|
||||||
}
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
/* With GCJ and Eclipse installed, you can actually compile Java! The
|
/* With GCJ and Eclipse installed, you can actually compile Java! The
|
||||||
instrumentation will work (amazingly). Alas, unhandled exceptions do
|
instrumentation will work (amazingly). Alas, unhandled exceptions do
|
||||||
not call abort(), so afl-fuzz would need to be modified to equate
|
not call abort(), so afl-fuzz would need to be modified to equate
|
||||||
non-zero exit codes with crash conditions when working with Java
|
non-zero exit codes with crash conditions when working with Java
|
||||||
binaries. Meh. */
|
binaries. Meh. */
|
||||||
|
|
||||||
#ifdef __APPLE__
|
#ifdef __APPLE__
|
||||||
|
|
||||||
if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX");
|
if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX");
|
||||||
else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ");
|
else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ");
|
||||||
else cc_params[0] = getenv("AFL_CC");
|
else cc_params[0] = getenv("AFL_CC");
|
||||||
|
|
||||||
if (!cc_params[0]) {
|
if (!cc_params[0]) {
|
||||||
|
|
||||||
SAYF("\n" cLRD "[-] " cRST
|
SAYF("\n" cLRD "[-] " cRST
|
||||||
"On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n"
|
"On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n"
|
||||||
" 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n"
|
" 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n"
|
||||||
" set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n");
|
" set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n");
|
||||||
|
|
||||||
FATAL("AFL_CC or AFL_CXX required on MacOS X");
|
FATAL("AFL_CC or AFL_CXX required on MacOS X");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
if (!strcmp(name, "afl-g++")) {
|
if (!strcmp(name, "afl-g++")) {
|
||||||
u8* alt_cxx = getenv("AFL_CXX");
|
u8* alt_cxx = getenv("AFL_CXX");
|
||||||
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++";
|
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++";
|
||||||
} else if (!strcmp(name, "afl-gcj")) {
|
} else if (!strcmp(name, "afl-gcj")) {
|
||||||
u8* alt_cc = getenv("AFL_GCJ");
|
u8* alt_cc = getenv("AFL_GCJ");
|
||||||
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj";
|
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj";
|
||||||
} else {
|
} else {
|
||||||
u8* alt_cc = getenv("AFL_CC");
|
u8* alt_cc = getenv("AFL_CC");
|
||||||
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc";
|
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc";
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* __APPLE__ */
|
#endif /* __APPLE__ */
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
while (--argc) {
|
while (--argc) {
|
||||||
u8* cur = *(++argv);
|
u8* cur = *(++argv);
|
||||||
|
|
||||||
if (!strncmp(cur, "-B", 2)) {
|
if (!strncmp(cur, "-B", 2)) {
|
||||||
|
|
||||||
if (!be_quiet) WARNF("-B is already set, overriding");
|
if (!be_quiet) WARNF("-B is already set, overriding");
|
||||||
|
|
||||||
if (!cur[2] && argc > 1) { argc--; argv++; }
|
if (!cur[2] && argc > 1) { argc--; argv++; }
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!strcmp(cur, "-integrated-as")) continue;
|
if (!strcmp(cur, "-integrated-as")) continue;
|
||||||
|
|
||||||
if (!strcmp(cur, "-pipe")) continue;
|
if (!strcmp(cur, "-pipe")) continue;
|
||||||
|
|
||||||
#if defined(__FreeBSD__) && defined(__x86_64__)
|
#if defined(__FreeBSD__) && defined(__x86_64__)
|
||||||
if (!strcmp(cur, "-m32")) m32_set = 1;
|
if (!strcmp(cur, "-m32")) m32_set = 1;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (!strcmp(cur, "-fsanitize=address") ||
|
if (!strcmp(cur, "-fsanitize=address") ||
|
||||||
!strcmp(cur, "-fsanitize=memory")) asan_set = 1;
|
!strcmp(cur, "-fsanitize=memory")) asan_set = 1;
|
||||||
|
|
||||||
if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
|
if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = cur;
|
cc_params[cc_par_cnt++] = cur;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = "-B";
|
cc_params[cc_par_cnt++] = "-B";
|
||||||
cc_params[cc_par_cnt++] = as_path;
|
cc_params[cc_par_cnt++] = as_path;
|
||||||
|
|
||||||
if (clang_mode)
|
if (clang_mode)
|
||||||
cc_params[cc_par_cnt++] = "-no-integrated-as";
|
cc_params[cc_par_cnt++] = "-no-integrated-as";
|
||||||
|
|
||||||
if (getenv("AFL_HARDEN")) {
|
if (getenv("AFL_HARDEN")) {
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = "-fstack-protector-all";
|
cc_params[cc_par_cnt++] = "-fstack-protector-all";
|
||||||
|
|
||||||
if (!fortify_set)
|
if (!fortify_set)
|
||||||
cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
|
cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (asan_set) {
|
if (asan_set) {
|
||||||
|
|
||||||
/* Pass this on to afl-as to adjust map density. */
|
/* Pass this on to afl-as to adjust map density. */
|
||||||
|
|
||||||
setenv("AFL_USE_ASAN", "1", 1);
|
setenv("AFL_USE_ASAN", "1", 1);
|
||||||
|
|
||||||
} else if (getenv("AFL_USE_ASAN")) {
|
} else if (getenv("AFL_USE_ASAN")) {
|
||||||
|
|
||||||
if (getenv("AFL_USE_MSAN"))
|
if (getenv("AFL_USE_MSAN"))
|
||||||
FATAL("ASAN and MSAN are mutually exclusive");
|
FATAL("ASAN and MSAN are mutually exclusive");
|
||||||
|
|
||||||
if (getenv("AFL_HARDEN"))
|
if (getenv("AFL_HARDEN"))
|
||||||
FATAL("ASAN and AFL_HARDEN are mutually exclusive");
|
FATAL("ASAN and AFL_HARDEN are mutually exclusive");
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
|
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
|
||||||
cc_params[cc_par_cnt++] = "-fsanitize=address";
|
cc_params[cc_par_cnt++] = "-fsanitize=address";
|
||||||
|
|
||||||
} else if (getenv("AFL_USE_MSAN")) {
|
} else if (getenv("AFL_USE_MSAN")) {
|
||||||
|
|
||||||
if (getenv("AFL_USE_ASAN"))
|
if (getenv("AFL_USE_ASAN"))
|
||||||
FATAL("ASAN and MSAN are mutually exclusive");
|
FATAL("ASAN and MSAN are mutually exclusive");
|
||||||
|
|
||||||
if (getenv("AFL_HARDEN"))
|
if (getenv("AFL_HARDEN"))
|
||||||
FATAL("MSAN and AFL_HARDEN are mutually exclusive");
|
FATAL("MSAN and AFL_HARDEN are mutually exclusive");
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
|
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
|
||||||
cc_params[cc_par_cnt++] = "-fsanitize=memory";
|
cc_params[cc_par_cnt++] = "-fsanitize=memory";
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!getenv("AFL_DONT_OPTIMIZE")) {
|
if (!getenv("AFL_DONT_OPTIMIZE")) {
|
||||||
|
|
||||||
#if defined(__FreeBSD__) && defined(__x86_64__)
|
#if defined(__FreeBSD__) && defined(__x86_64__)
|
||||||
|
|
||||||
/* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself
|
/* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself
|
||||||
works OK. This has nothing to do with us, but let's avoid triggering
|
works OK. This has nothing to do with us, but let's avoid triggering
|
||||||
that bug. */
|
that bug. */
|
||||||
|
|
||||||
if (!clang_mode || !m32_set)
|
if (!clang_mode || !m32_set)
|
||||||
cc_params[cc_par_cnt++] = "-g";
|
cc_params[cc_par_cnt++] = "-g";
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = "-g";
|
cc_params[cc_par_cnt++] = "-g";
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = "-O3";
|
cc_params[cc_par_cnt++] = "-O3";
|
||||||
cc_params[cc_par_cnt++] = "-funroll-loops";
|
cc_params[cc_par_cnt++] = "-funroll-loops";
|
||||||
|
|
||||||
/* Two indicators that you're building for fuzzing; one of them is
|
/* Two indicators that you're building for fuzzing; one of them is
|
||||||
AFL-specific, the other is shared with libfuzzer. */
|
AFL-specific, the other is shared with libfuzzer. */
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
|
cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
|
||||||
cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
|
cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (getenv("AFL_NO_BUILTIN")) {
|
if (getenv("AFL_NO_BUILTIN")) {
|
||||||
|
|
||||||
cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
|
cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
|
||||||
cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
|
cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
|
||||||
cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
|
cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
|
||||||
cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
|
cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
|
||||||
cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
|
cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
|
||||||
cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
|
cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
|
||||||
cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
|
cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
cc_params[cc_par_cnt] = NULL;
|
cc_params[cc_par_cnt] = NULL;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Main entry point */
|
/* Main entry point */
|
||||||
|
|
||||||
int main(int argc, char** argv) {
|
int main(int argc, char** argv) {
|
||||||
|
|
||||||
if (isatty(2) && !getenv("AFL_QUIET")) {
|
if (isatty(2) && !getenv("AFL_QUIET")) {
|
||||||
|
|
||||||
SAYF(cCYA "afl-cc " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
|
SAYF(cCYA "afl-cc " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
|
||||||
|
|
||||||
} else be_quiet = 1;
|
} else be_quiet = 1;
|
||||||
|
|
||||||
if (argc < 2) {
|
if (argc < 2) {
|
||||||
|
|
||||||
SAYF("\n"
|
SAYF("\n"
|
||||||
"This is a helper application for afl-fuzz. It serves as a drop-in replacement\n"
|
"This is a helper application for afl-fuzz. It serves as a drop-in replacement\n"
|
||||||
"for gcc or clang, letting you recompile third-party code with the required\n"
|
"for gcc or clang, letting you recompile third-party code with the required\n"
|
||||||
"runtime instrumentation. A common use pattern would be one of the following:\n\n"
|
"runtime instrumentation. A common use pattern would be one of the following:\n\n"
|
||||||
|
|
||||||
" CC=%s/afl-gcc ./configure\n"
|
" CC=%s/afl-gcc ./configure\n"
|
||||||
" CXX=%s/afl-g++ ./configure\n\n"
|
" CXX=%s/afl-g++ ./configure\n\n"
|
||||||
|
|
||||||
"You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n"
|
"You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n"
|
||||||
"Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
|
"Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
|
||||||
BIN_PATH, BIN_PATH);
|
BIN_PATH, BIN_PATH);
|
||||||
|
|
||||||
exit(1);
|
exit(1);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
find_as(argv[0]);
|
find_as(argv[0]);
|
||||||
|
|
||||||
edit_params(argc, argv);
|
edit_params(argc, argv);
|
||||||
|
|
||||||
execvp(cc_params[0], (char**)cc_params);
|
execvp(cc_params[0], (char**)cc_params);
|
||||||
|
|
||||||
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
|
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,260 +1,260 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2015 Google LLC All rights reserved.
|
Copyright 2015 Google LLC All rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at:
|
You may obtain a copy of the License at:
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
american fuzzy lop - free CPU gizmo
|
american fuzzy lop - free CPU gizmo
|
||||||
-----------------------------------
|
-----------------------------------
|
||||||
|
|
||||||
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
|
|
||||||
This tool provides a fairly accurate measurement of CPU preemption rate.
|
This tool provides a fairly accurate measurement of CPU preemption rate.
|
||||||
It is meant to complement the quick-and-dirty load average widget shown
|
It is meant to complement the quick-and-dirty load average widget shown
|
||||||
in the afl-fuzz UI. See docs/parallel_fuzzing.txt for more info.
|
in the afl-fuzz UI. See docs/parallel_fuzzing.txt for more info.
|
||||||
|
|
||||||
For some work loads, the tool may actually suggest running more instances
|
For some work loads, the tool may actually suggest running more instances
|
||||||
than you have CPU cores. This can happen if the tested program is spending
|
than you have CPU cores. This can happen if the tested program is spending
|
||||||
a portion of its run time waiting for I/O, rather than being 100%
|
a portion of its run time waiting for I/O, rather than being 100%
|
||||||
CPU-bound.
|
CPU-bound.
|
||||||
|
|
||||||
The idea for the getrusage()-based approach comes from Jakub Wilk.
|
The idea for the getrusage()-based approach comes from Jakub Wilk.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#define AFL_MAIN
|
#define AFL_MAIN
|
||||||
#include "android-ashmem.h"
|
#include "android-ashmem.h"
|
||||||
#define _GNU_SOURCE
|
#define _GNU_SOURCE
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <sched.h>
|
#include <sched.h>
|
||||||
|
|
||||||
#include <sys/time.h>
|
#include <sys/time.h>
|
||||||
#include <sys/times.h>
|
#include <sys/times.h>
|
||||||
#include <sys/resource.h>
|
#include <sys/resource.h>
|
||||||
#include <sys/wait.h>
|
#include <sys/wait.h>
|
||||||
|
|
||||||
#include "types.h"
|
#include "types.h"
|
||||||
#include "debug.h"
|
#include "debug.h"
|
||||||
|
|
||||||
#ifdef __linux__
|
#ifdef __linux__
|
||||||
# define HAVE_AFFINITY 1
|
# define HAVE_AFFINITY 1
|
||||||
#endif /* __linux__ */
|
#endif /* __linux__ */
|
||||||
|
|
||||||
|
|
||||||
/* Get unix time in microseconds. */
|
/* Get unix time in microseconds. */
|
||||||
|
|
||||||
static u64 get_cur_time_us(void) {
|
static u64 get_cur_time_us(void) {
|
||||||
|
|
||||||
struct timeval tv;
|
struct timeval tv;
|
||||||
struct timezone tz;
|
struct timezone tz;
|
||||||
|
|
||||||
gettimeofday(&tv, &tz);
|
gettimeofday(&tv, &tz);
|
||||||
|
|
||||||
return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
|
return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Get CPU usage in microseconds. */
|
/* Get CPU usage in microseconds. */
|
||||||
|
|
||||||
static u64 get_cpu_usage_us(void) {
|
static u64 get_cpu_usage_us(void) {
|
||||||
|
|
||||||
struct rusage u;
|
struct rusage u;
|
||||||
|
|
||||||
getrusage(RUSAGE_SELF, &u);
|
getrusage(RUSAGE_SELF, &u);
|
||||||
|
|
||||||
return (u.ru_utime.tv_sec * 1000000ULL) + u.ru_utime.tv_usec +
|
return (u.ru_utime.tv_sec * 1000000ULL) + u.ru_utime.tv_usec +
|
||||||
(u.ru_stime.tv_sec * 1000000ULL) + u.ru_stime.tv_usec;
|
(u.ru_stime.tv_sec * 1000000ULL) + u.ru_stime.tv_usec;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Measure preemption rate. */
|
/* Measure preemption rate. */
|
||||||
|
|
||||||
static u32 measure_preemption(u32 target_ms) {
|
static u32 measure_preemption(u32 target_ms) {
|
||||||
|
|
||||||
static volatile u32 v1, v2;
|
static volatile u32 v1, v2;
|
||||||
|
|
||||||
u64 st_t, en_t, st_c, en_c, real_delta, slice_delta;
|
u64 st_t, en_t, st_c, en_c, real_delta, slice_delta;
|
||||||
s32 loop_repeats = 0;
|
s32 loop_repeats = 0;
|
||||||
|
|
||||||
st_t = get_cur_time_us();
|
st_t = get_cur_time_us();
|
||||||
st_c = get_cpu_usage_us();
|
st_c = get_cpu_usage_us();
|
||||||
|
|
||||||
repeat_loop:
|
repeat_loop:
|
||||||
|
|
||||||
v1 = CTEST_BUSY_CYCLES;
|
v1 = CTEST_BUSY_CYCLES;
|
||||||
|
|
||||||
while (v1--) v2++;
|
while (v1--) v2++;
|
||||||
sched_yield();
|
sched_yield();
|
||||||
|
|
||||||
en_t = get_cur_time_us();
|
en_t = get_cur_time_us();
|
||||||
|
|
||||||
if (en_t - st_t < target_ms * 1000) {
|
if (en_t - st_t < target_ms * 1000) {
|
||||||
loop_repeats++;
|
loop_repeats++;
|
||||||
goto repeat_loop;
|
goto repeat_loop;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Let's see what percentage of this time we actually had a chance to
|
/* Let's see what percentage of this time we actually had a chance to
|
||||||
run, and how much time was spent in the penalty box. */
|
run, and how much time was spent in the penalty box. */
|
||||||
|
|
||||||
en_c = get_cpu_usage_us();
|
en_c = get_cpu_usage_us();
|
||||||
|
|
||||||
real_delta = (en_t - st_t) / 1000;
|
real_delta = (en_t - st_t) / 1000;
|
||||||
slice_delta = (en_c - st_c) / 1000;
|
slice_delta = (en_c - st_c) / 1000;
|
||||||
|
|
||||||
return real_delta * 100 / slice_delta;
|
return real_delta * 100 / slice_delta;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Do the benchmark thing. */
|
/* Do the benchmark thing. */
|
||||||
|
|
||||||
int main(int argc, char** argv) {
|
int main(int argc, char** argv) {
|
||||||
|
|
||||||
#ifdef HAVE_AFFINITY
|
#ifdef HAVE_AFFINITY
|
||||||
|
|
||||||
u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN),
|
u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN),
|
||||||
idle_cpus = 0, maybe_cpus = 0, i;
|
idle_cpus = 0, maybe_cpus = 0, i;
|
||||||
|
|
||||||
SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
|
SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
|
||||||
|
|
||||||
ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...",
|
ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...",
|
||||||
((double)CTEST_CORE_TRG_MS) / 1000);
|
((double)CTEST_CORE_TRG_MS) / 1000);
|
||||||
|
|
||||||
for (i = 0; i < cpu_cnt; i++) {
|
for (i = 0; i < cpu_cnt; i++) {
|
||||||
|
|
||||||
s32 fr = fork();
|
s32 fr = fork();
|
||||||
|
|
||||||
if (fr < 0) PFATAL("fork failed");
|
if (fr < 0) PFATAL("fork failed");
|
||||||
|
|
||||||
if (!fr) {
|
if (!fr) {
|
||||||
|
|
||||||
cpu_set_t c;
|
cpu_set_t c;
|
||||||
u32 util_perc;
|
u32 util_perc;
|
||||||
|
|
||||||
CPU_ZERO(&c);
|
CPU_ZERO(&c);
|
||||||
CPU_SET(i, &c);
|
CPU_SET(i, &c);
|
||||||
|
|
||||||
if (sched_setaffinity(0, sizeof(c), &c))
|
if (sched_setaffinity(0, sizeof(c), &c))
|
||||||
PFATAL("sched_setaffinity failed for cpu %d", i);
|
PFATAL("sched_setaffinity failed for cpu %d", i);
|
||||||
|
|
||||||
util_perc = measure_preemption(CTEST_CORE_TRG_MS);
|
util_perc = measure_preemption(CTEST_CORE_TRG_MS);
|
||||||
|
|
||||||
if (util_perc < 110) {
|
if (util_perc < 110) {
|
||||||
|
|
||||||
SAYF(" Core #%u: " cLGN "AVAILABLE " cRST "(%u%%)\n", i, util_perc);
|
SAYF(" Core #%u: " cLGN "AVAILABLE " cRST "(%u%%)\n", i, util_perc);
|
||||||
exit(0);
|
exit(0);
|
||||||
|
|
||||||
} else if (util_perc < 250) {
|
} else if (util_perc < 250) {
|
||||||
|
|
||||||
SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc);
|
SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc);
|
||||||
exit(1);
|
exit(1);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i,
|
SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i,
|
||||||
util_perc);
|
util_perc);
|
||||||
exit(2);
|
exit(2);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < cpu_cnt; i++) {
|
for (i = 0; i < cpu_cnt; i++) {
|
||||||
|
|
||||||
int ret;
|
int ret;
|
||||||
if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed");
|
if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed");
|
||||||
|
|
||||||
if (WEXITSTATUS(ret) == 0) idle_cpus++;
|
if (WEXITSTATUS(ret) == 0) idle_cpus++;
|
||||||
if (WEXITSTATUS(ret) <= 1) maybe_cpus++;
|
if (WEXITSTATUS(ret) <= 1) maybe_cpus++;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SAYF(cGRA "\n>>> ");
|
SAYF(cGRA "\n>>> ");
|
||||||
|
|
||||||
if (idle_cpus) {
|
if (idle_cpus) {
|
||||||
|
|
||||||
if (maybe_cpus == idle_cpus) {
|
if (maybe_cpus == idle_cpus) {
|
||||||
|
|
||||||
SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.",
|
SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.",
|
||||||
idle_cpus, idle_cpus > 1 ? "s" : "");
|
idle_cpus, idle_cpus > 1 ? "s" : "");
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.",
|
SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.",
|
||||||
idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : "");
|
idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : "");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SAYF(cGRA " <<<" cRST "\n\n");
|
SAYF(cGRA " <<<" cRST "\n\n");
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (maybe_cpus) {
|
if (maybe_cpus) {
|
||||||
|
|
||||||
SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.",
|
SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.",
|
||||||
maybe_cpus, maybe_cpus > 1 ? "s" : "");
|
maybe_cpus, maybe_cpus > 1 ? "s" : "");
|
||||||
SAYF(cGRA " <<<" cRST "\n\n");
|
SAYF(cGRA " <<<" cRST "\n\n");
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SAYF(cLRD "FAIL: " cRST "All cores are overbooked.");
|
SAYF(cLRD "FAIL: " cRST "All cores are overbooked.");
|
||||||
SAYF(cGRA " <<<" cRST "\n\n");
|
SAYF(cGRA " <<<" cRST "\n\n");
|
||||||
return 2;
|
return 2;
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
u32 util_perc;
|
u32 util_perc;
|
||||||
|
|
||||||
SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
|
SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
|
||||||
|
|
||||||
/* Run a busy loop for CTEST_TARGET_MS. */
|
/* Run a busy loop for CTEST_TARGET_MS. */
|
||||||
|
|
||||||
ACTF("Measuring gross preemption rate (this will take %0.02f sec)...",
|
ACTF("Measuring gross preemption rate (this will take %0.02f sec)...",
|
||||||
((double)CTEST_TARGET_MS) / 1000);
|
((double)CTEST_TARGET_MS) / 1000);
|
||||||
|
|
||||||
util_perc = measure_preemption(CTEST_TARGET_MS);
|
util_perc = measure_preemption(CTEST_TARGET_MS);
|
||||||
|
|
||||||
/* Deliver the final verdict. */
|
/* Deliver the final verdict. */
|
||||||
|
|
||||||
SAYF(cGRA "\n>>> ");
|
SAYF(cGRA "\n>>> ");
|
||||||
|
|
||||||
if (util_perc < 105) {
|
if (util_perc < 105) {
|
||||||
|
|
||||||
SAYF(cLGN "PASS: " cRST "You can probably run additional processes.");
|
SAYF(cLGN "PASS: " cRST "You can probably run additional processes.");
|
||||||
|
|
||||||
} else if (util_perc < 130) {
|
} else if (util_perc < 130) {
|
||||||
|
|
||||||
SAYF(cYEL "CAUTION: " cRST "Your CPU may be somewhat overbooked (%u%%).",
|
SAYF(cYEL "CAUTION: " cRST "Your CPU may be somewhat overbooked (%u%%).",
|
||||||
util_perc);
|
util_perc);
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
SAYF(cLRD "FAIL: " cRST "Your CPU is overbooked (%u%%).", util_perc);
|
SAYF(cLRD "FAIL: " cRST "Your CPU is overbooked (%u%%).", util_perc);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SAYF(cGRA " <<<" cRST "\n\n");
|
SAYF(cGRA " <<<" cRST "\n\n");
|
||||||
|
|
||||||
return (util_perc > 105) + (util_perc > 130);
|
return (util_perc > 105) + (util_perc > 130);
|
||||||
|
|
||||||
#endif /* ^HAVE_AFFINITY */
|
#endif /* ^HAVE_AFFINITY */
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,170 +1,170 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# american fuzzy lop - Advanced Persistent Graphing
|
# american fuzzy lop - Advanced Persistent Graphing
|
||||||
# -------------------------------------------------
|
# -------------------------------------------------
|
||||||
#
|
#
|
||||||
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
# Based on a design & prototype by Michael Rash.
|
# Based on a design & prototype by Michael Rash.
|
||||||
#
|
#
|
||||||
# Copyright 2014, 2015 Google LLC All rights reserved.
|
# Copyright 2014, 2015 Google LLC All rights reserved.
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
# You may obtain a copy of the License at:
|
# You may obtain a copy of the License at:
|
||||||
#
|
#
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
#
|
#
|
||||||
|
|
||||||
echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>"
|
echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
if [ ! "$#" = "2" ]; then
|
if [ ! "$#" = "2" ]; then
|
||||||
|
|
||||||
cat 1>&2 <<_EOF_
|
cat 1>&2 <<_EOF_
|
||||||
This program generates gnuplot images from afl-fuzz output data. Usage:
|
This program generates gnuplot images from afl-fuzz output data. Usage:
|
||||||
|
|
||||||
$0 afl_state_dir graph_output_dir
|
$0 afl_state_dir graph_output_dir
|
||||||
|
|
||||||
The afl_state_dir parameter should point to an existing state directory for any
|
The afl_state_dir parameter should point to an existing state directory for any
|
||||||
active or stopped instance of afl-fuzz; while graph_output_dir should point to
|
active or stopped instance of afl-fuzz; while graph_output_dir should point to
|
||||||
an empty directory where this tool can write the resulting plots to.
|
an empty directory where this tool can write the resulting plots to.
|
||||||
|
|
||||||
The program will put index.html and three PNG images in the output directory;
|
The program will put index.html and three PNG images in the output directory;
|
||||||
you should be able to view it with any web browser of your choice.
|
you should be able to view it with any web browser of your choice.
|
||||||
|
|
||||||
_EOF_
|
_EOF_
|
||||||
|
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$AFL_ALLOW_TMP" = "" ]; then
|
if [ "$AFL_ALLOW_TMP" = "" ]; then
|
||||||
|
|
||||||
echo "$1" | grep -qE '^(/var)?/tmp/'
|
echo "$1" | grep -qE '^(/var)?/tmp/'
|
||||||
T1="$?"
|
T1="$?"
|
||||||
|
|
||||||
echo "$2" | grep -qE '^(/var)?/tmp/'
|
echo "$2" | grep -qE '^(/var)?/tmp/'
|
||||||
T2="$?"
|
T2="$?"
|
||||||
|
|
||||||
if [ "$T1" = "0" -o "$T2" = "0" ]; then
|
if [ "$T1" = "0" -o "$T2" = "0" ]; then
|
||||||
|
|
||||||
echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
|
echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f "$1/plot_data" ]; then
|
if [ ! -f "$1/plot_data" ]; then
|
||||||
|
|
||||||
echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2
|
echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
|
BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
|
||||||
|
|
||||||
test "$BANNER" = "" && BANNER="(none)"
|
test "$BANNER" = "" && BANNER="(none)"
|
||||||
|
|
||||||
GNUPLOT=`which gnuplot 2>/dev/null`
|
GNUPLOT=`which gnuplot 2>/dev/null`
|
||||||
|
|
||||||
if [ "$GNUPLOT" = "" ]; then
|
if [ "$GNUPLOT" = "" ]; then
|
||||||
|
|
||||||
echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2
|
echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir "$2" 2>/dev/null
|
mkdir "$2" 2>/dev/null
|
||||||
|
|
||||||
if [ ! -d "$2" ]; then
|
if [ ! -d "$2" ]; then
|
||||||
|
|
||||||
echo "[-] Error: unable to create the output directory - pick another location." 1>&2
|
echo "[-] Error: unable to create the output directory - pick another location." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png"
|
rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png"
|
||||||
mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null
|
mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null
|
||||||
|
|
||||||
echo "[*] Generating plots..."
|
echo "[*] Generating plots..."
|
||||||
|
|
||||||
(
|
(
|
||||||
|
|
||||||
cat <<_EOF_
|
cat <<_EOF_
|
||||||
set terminal png truecolor enhanced size 1000,300 butt
|
set terminal png truecolor enhanced size 1000,300 butt
|
||||||
|
|
||||||
set output '$2/high_freq.png'
|
set output '$2/high_freq.png'
|
||||||
|
|
||||||
set xdata time
|
set xdata time
|
||||||
set timefmt '%s'
|
set timefmt '%s'
|
||||||
set format x "%b %d\n%H:%M"
|
set format x "%b %d\n%H:%M"
|
||||||
set tics font 'small'
|
set tics font 'small'
|
||||||
unset mxtics
|
unset mxtics
|
||||||
unset mytics
|
unset mytics
|
||||||
|
|
||||||
set grid xtics linetype 0 linecolor rgb '#e0e0e0'
|
set grid xtics linetype 0 linecolor rgb '#e0e0e0'
|
||||||
set grid ytics linetype 0 linecolor rgb '#e0e0e0'
|
set grid ytics linetype 0 linecolor rgb '#e0e0e0'
|
||||||
set border linecolor rgb '#50c0f0'
|
set border linecolor rgb '#50c0f0'
|
||||||
set tics textcolor rgb '#000000'
|
set tics textcolor rgb '#000000'
|
||||||
set key outside
|
set key outside
|
||||||
|
|
||||||
set autoscale xfixmin
|
set autoscale xfixmin
|
||||||
set autoscale xfixmax
|
set autoscale xfixmax
|
||||||
|
|
||||||
plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
|
plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
|
||||||
'' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
|
'' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
|
||||||
'' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\
|
'' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\
|
||||||
'' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\
|
'' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\
|
||||||
'' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3
|
'' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3
|
||||||
|
|
||||||
set terminal png truecolor enhanced size 1000,200 butt
|
set terminal png truecolor enhanced size 1000,200 butt
|
||||||
set output '$2/low_freq.png'
|
set output '$2/low_freq.png'
|
||||||
|
|
||||||
plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
|
plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
|
||||||
'' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\
|
'' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\
|
||||||
'' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\
|
'' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\
|
||||||
'' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3
|
'' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3
|
||||||
|
|
||||||
set terminal png truecolor enhanced size 1000,200 butt
|
set terminal png truecolor enhanced size 1000,200 butt
|
||||||
set output '$2/exec_speed.png'
|
set output '$2/exec_speed.png'
|
||||||
|
|
||||||
plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
|
plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
|
||||||
'$1/plot_data' using 1:11 with lines title ' execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
|
'$1/plot_data' using 1:11 with lines title ' execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
|
||||||
|
|
||||||
_EOF_
|
_EOF_
|
||||||
|
|
||||||
) | gnuplot
|
) | gnuplot
|
||||||
|
|
||||||
if [ ! -s "$2/exec_speed.png" ]; then
|
if [ ! -s "$2/exec_speed.png" ]; then
|
||||||
|
|
||||||
echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2
|
echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "[*] Generating index.html..."
|
echo "[*] Generating index.html..."
|
||||||
|
|
||||||
cat >"$2/index.html" <<_EOF_
|
cat >"$2/index.html" <<_EOF_
|
||||||
<table style="font-family: 'Trebuchet MS', 'Tahoma', 'Arial', 'Helvetica'">
|
<table style="font-family: 'Trebuchet MS', 'Tahoma', 'Arial', 'Helvetica'">
|
||||||
<tr><td style="width: 18ex"><b>Banner:</b></td><td>$BANNER</td></tr>
|
<tr><td style="width: 18ex"><b>Banner:</b></td><td>$BANNER</td></tr>
|
||||||
<tr><td><b>Directory:</b></td><td>$1</td></tr>
|
<tr><td><b>Directory:</b></td><td>$1</td></tr>
|
||||||
<tr><td><b>Generated on:</b></td><td>`date`</td></tr>
|
<tr><td><b>Generated on:</b></td><td>`date`</td></tr>
|
||||||
</table>
|
</table>
|
||||||
<p>
|
<p>
|
||||||
<img src="high_freq.png" width=1000 height=300><p>
|
<img src="high_freq.png" width=1000 height=300><p>
|
||||||
<img src="low_freq.png" width=1000 height=200><p>
|
<img src="low_freq.png" width=1000 height=200><p>
|
||||||
<img src="exec_speed.png" width=1000 height=200>
|
<img src="exec_speed.png" width=1000 height=200>
|
||||||
|
|
||||||
_EOF_
|
_EOF_
|
||||||
|
|
||||||
# Make it easy to remotely view results when outputting directly to a directory
|
# Make it easy to remotely view results when outputting directly to a directory
|
||||||
# served by Apache or other HTTP daemon. Since the plots aren't horribly
|
# served by Apache or other HTTP daemon. Since the plots aren't horribly
|
||||||
# sensitive, this seems like a reasonable trade-off.
|
# sensitive, this seems like a reasonable trade-off.
|
||||||
|
|
||||||
chmod 755 "$2"
|
chmod 755 "$2"
|
||||||
chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html"
|
chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html"
|
||||||
|
|
||||||
echo "[+] All done - enjoy your charts!"
|
echo "[+] All done - enjoy your charts!"
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,163 +1,163 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# american fuzzy lop - status check tool
|
# american fuzzy lop - status check tool
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
#
|
#
|
||||||
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
#
|
#
|
||||||
# Copyright 2015 Google LLC All rights reserved.
|
# Copyright 2015 Google LLC All rights reserved.
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
# You may obtain a copy of the License at:
|
# You may obtain a copy of the License at:
|
||||||
#
|
#
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
#
|
#
|
||||||
# This tool summarizes the status of any locally-running synchronized
|
# This tool summarizes the status of any locally-running synchronized
|
||||||
# instances of afl-fuzz.
|
# instances of afl-fuzz.
|
||||||
#
|
#
|
||||||
|
|
||||||
echo "status check tool for afl-fuzz by <lcamtuf@google.com>"
|
echo "status check tool for afl-fuzz by <lcamtuf@google.com>"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
if [ "$1" = "-s" ]; then
|
if [ "$1" = "-s" ]; then
|
||||||
|
|
||||||
SUMMARY_ONLY=1
|
SUMMARY_ONLY=1
|
||||||
DIR="$2"
|
DIR="$2"
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
unset SUMMARY_ONLY
|
unset SUMMARY_ONLY
|
||||||
DIR="$1"
|
DIR="$1"
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$DIR" = "" ]; then
|
if [ "$DIR" = "" ]; then
|
||||||
|
|
||||||
echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2
|
echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2
|
||||||
echo 1>&2
|
echo 1>&2
|
||||||
echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2
|
echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2
|
||||||
echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2
|
echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2
|
||||||
echo 1>&2
|
echo 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cd "$DIR" || exit 1
|
cd "$DIR" || exit 1
|
||||||
|
|
||||||
if [ -d queue ]; then
|
if [ -d queue ]; then
|
||||||
|
|
||||||
echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2
|
echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
CUR_TIME=`date +%s`
|
CUR_TIME=`date +%s`
|
||||||
|
|
||||||
TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
|
TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
|
||||||
|
|
||||||
ALIVE_CNT=0
|
ALIVE_CNT=0
|
||||||
DEAD_CNT=0
|
DEAD_CNT=0
|
||||||
|
|
||||||
TOTAL_TIME=0
|
TOTAL_TIME=0
|
||||||
TOTAL_EXECS=0
|
TOTAL_EXECS=0
|
||||||
TOTAL_EPS=0
|
TOTAL_EPS=0
|
||||||
TOTAL_CRASHES=0
|
TOTAL_CRASHES=0
|
||||||
TOTAL_PFAV=0
|
TOTAL_PFAV=0
|
||||||
TOTAL_PENDING=0
|
TOTAL_PENDING=0
|
||||||
|
|
||||||
if [ "$SUMMARY_ONLY" = "" ]; then
|
if [ "$SUMMARY_ONLY" = "" ]; then
|
||||||
|
|
||||||
echo "Individual fuzzers"
|
echo "Individual fuzzers"
|
||||||
echo "=================="
|
echo "=================="
|
||||||
echo
|
echo
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
|
for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
|
||||||
|
|
||||||
sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
|
sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
|
||||||
. "$TMP"
|
. "$TMP"
|
||||||
|
|
||||||
RUN_UNIX=$((CUR_TIME - start_time))
|
RUN_UNIX=$((CUR_TIME - start_time))
|
||||||
RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24))
|
RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24))
|
||||||
RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24))
|
RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24))
|
||||||
|
|
||||||
if [ "$SUMMARY_ONLY" = "" ]; then
|
if [ "$SUMMARY_ONLY" = "" ]; then
|
||||||
|
|
||||||
echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<"
|
echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! kill -0 "$fuzzer_pid" 2>/dev/null; then
|
if ! kill -0 "$fuzzer_pid" 2>/dev/null; then
|
||||||
|
|
||||||
if [ "$SUMMARY_ONLY" = "" ]; then
|
if [ "$SUMMARY_ONLY" = "" ]; then
|
||||||
|
|
||||||
echo " Instance is dead or running remotely, skipping."
|
echo " Instance is dead or running remotely, skipping."
|
||||||
echo
|
echo
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
DEAD_CNT=$((DEAD_CNT + 1))
|
DEAD_CNT=$((DEAD_CNT + 1))
|
||||||
continue
|
continue
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ALIVE_CNT=$((ALIVE_CNT + 1))
|
ALIVE_CNT=$((ALIVE_CNT + 1))
|
||||||
|
|
||||||
EXEC_SEC=$((execs_done / RUN_UNIX))
|
EXEC_SEC=$((execs_done / RUN_UNIX))
|
||||||
PATH_PERC=$((cur_path * 100 / paths_total))
|
PATH_PERC=$((cur_path * 100 / paths_total))
|
||||||
|
|
||||||
TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
|
TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
|
||||||
TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC))
|
TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC))
|
||||||
TOTAL_EXECS=$((TOTAL_EXECS + execs_done))
|
TOTAL_EXECS=$((TOTAL_EXECS + execs_done))
|
||||||
TOTAL_CRASHES=$((TOTAL_CRASHES + unique_crashes))
|
TOTAL_CRASHES=$((TOTAL_CRASHES + unique_crashes))
|
||||||
TOTAL_PENDING=$((TOTAL_PENDING + pending_total))
|
TOTAL_PENDING=$((TOTAL_PENDING + pending_total))
|
||||||
TOTAL_PFAV=$((TOTAL_PFAV + pending_favs))
|
TOTAL_PFAV=$((TOTAL_PFAV + pending_favs))
|
||||||
|
|
||||||
if [ "$SUMMARY_ONLY" = "" ]; then
|
if [ "$SUMMARY_ONLY" = "" ]; then
|
||||||
|
|
||||||
echo " cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)"
|
echo " cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)"
|
||||||
|
|
||||||
if [ "$unique_crashes" = "0" ]; then
|
if [ "$unique_crashes" = "0" ]; then
|
||||||
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet"
|
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet"
|
||||||
else
|
else
|
||||||
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crash count $unique_crashes (!)"
|
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crash count $unique_crashes (!)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo
|
echo
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
rm -f "$TMP"
|
rm -f "$TMP"
|
||||||
|
|
||||||
TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24))
|
TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24))
|
||||||
TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24))
|
TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24))
|
||||||
|
|
||||||
test "$TOTAL_TIME" = "0" && TOTAL_TIME=1
|
test "$TOTAL_TIME" = "0" && TOTAL_TIME=1
|
||||||
|
|
||||||
echo "Summary stats"
|
echo "Summary stats"
|
||||||
echo "============="
|
echo "============="
|
||||||
echo
|
echo
|
||||||
echo " Fuzzers alive : $ALIVE_CNT"
|
echo " Fuzzers alive : $ALIVE_CNT"
|
||||||
|
|
||||||
if [ ! "$DEAD_CNT" = "0" ]; then
|
if [ ! "$DEAD_CNT" = "0" ]; then
|
||||||
echo " Dead or remote : $DEAD_CNT (excluded from stats)"
|
echo " Dead or remote : $DEAD_CNT (excluded from stats)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo " Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours"
|
echo " Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours"
|
||||||
echo " Total execs : $((TOTAL_EXECS / 1000 / 1000)) million"
|
echo " Total execs : $((TOTAL_EXECS / 1000 / 1000)) million"
|
||||||
echo " Cumulative speed : $TOTAL_EPS execs/sec"
|
echo " Cumulative speed : $TOTAL_EPS execs/sec"
|
||||||
echo " Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total"
|
echo " Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total"
|
||||||
|
|
||||||
if [ "$ALIVE_CNT" -gt "1" ]; then
|
if [ "$ALIVE_CNT" -gt "1" ]; then
|
||||||
echo " Pending per fuzzer : $((TOTAL_PFAV/ALIVE_CNT)) faves, $((TOTAL_PENDING/ALIVE_CNT)) total (on average)"
|
echo " Pending per fuzzer : $((TOTAL_PFAV/ALIVE_CNT)) faves, $((TOTAL_PENDING/ALIVE_CNT)) total (on average)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo " Crashes found : $TOTAL_CRASHES locally unique"
|
echo " Crashes found : $TOTAL_CRASHES locally unique"
|
||||||
echo
|
echo
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -1,82 +1,82 @@
|
|||||||
#ifdef __ANDROID__
|
#ifdef __ANDROID__
|
||||||
#ifndef _ANDROID_ASHMEM_H
|
#ifndef _ANDROID_ASHMEM_H
|
||||||
#define _ANDROID_ASHMEM_H
|
#define _ANDROID_ASHMEM_H
|
||||||
|
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <linux/ashmem.h>
|
#include <linux/ashmem.h>
|
||||||
#include <linux/shm.h>
|
#include <linux/shm.h>
|
||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
#include <sys/mman.h>
|
#include <sys/mman.h>
|
||||||
|
|
||||||
#if __ANDROID_API__ >= 26
|
#if __ANDROID_API__ >= 26
|
||||||
#define shmat bionic_shmat
|
#define shmat bionic_shmat
|
||||||
#define shmctl bionic_shmctl
|
#define shmctl bionic_shmctl
|
||||||
#define shmdt bionic_shmdt
|
#define shmdt bionic_shmdt
|
||||||
#define shmget bionic_shmget
|
#define shmget bionic_shmget
|
||||||
#endif
|
#endif
|
||||||
#include <sys/shm.h>
|
#include <sys/shm.h>
|
||||||
#undef shmat
|
#undef shmat
|
||||||
#undef shmctl
|
#undef shmctl
|
||||||
#undef shmdt
|
#undef shmdt
|
||||||
#undef shmget
|
#undef shmget
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
|
||||||
#define ASHMEM_DEVICE "/dev/ashmem"
|
#define ASHMEM_DEVICE "/dev/ashmem"
|
||||||
|
|
||||||
static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
|
static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
if (__cmd == IPC_RMID) {
|
if (__cmd == IPC_RMID) {
|
||||||
int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
|
int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
|
||||||
struct ashmem_pin pin = {0, length};
|
struct ashmem_pin pin = {0, length};
|
||||||
ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
|
ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
|
||||||
close(__shmid);
|
close(__shmid);
|
||||||
}
|
}
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int shmget(key_t __key, size_t __size, int __shmflg) {
|
static inline int shmget(key_t __key, size_t __size, int __shmflg) {
|
||||||
(void) __shmflg;
|
(void) __shmflg;
|
||||||
int fd, ret;
|
int fd, ret;
|
||||||
char ourkey[11];
|
char ourkey[11];
|
||||||
|
|
||||||
fd = open(ASHMEM_DEVICE, O_RDWR);
|
fd = open(ASHMEM_DEVICE, O_RDWR);
|
||||||
if (fd < 0)
|
if (fd < 0)
|
||||||
return fd;
|
return fd;
|
||||||
|
|
||||||
sprintf(ourkey, "%d", __key);
|
sprintf(ourkey, "%d", __key);
|
||||||
ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
|
ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
|
ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
return fd;
|
return fd;
|
||||||
|
|
||||||
error:
|
error:
|
||||||
close(fd);
|
close(fd);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
|
static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
|
||||||
(void) __shmflg;
|
(void) __shmflg;
|
||||||
int size;
|
int size;
|
||||||
void *ptr;
|
void *ptr;
|
||||||
|
|
||||||
size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
|
size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
|
||||||
if (size < 0) {
|
if (size < 0) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
|
ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
|
||||||
if (ptr == MAP_FAILED) {
|
if (ptr == MAP_FAILED) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
return ptr;
|
return ptr;
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* !_ANDROID_ASHMEM_H */
|
#endif /* !_ANDROID_ASHMEM_H */
|
||||||
#endif /* !__ANDROID__ */
|
#endif /* !__ANDROID__ */
|
||||||
|
@ -1,362 +1,362 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2013 Google LLC All rights reserved.
|
Copyright 2013 Google LLC All rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at:
|
You may obtain a copy of the License at:
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
american fuzzy lop - vaguely configurable bits
|
american fuzzy lop - vaguely configurable bits
|
||||||
----------------------------------------------
|
----------------------------------------------
|
||||||
|
|
||||||
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _HAVE_CONFIG_H
|
#ifndef _HAVE_CONFIG_H
|
||||||
#define _HAVE_CONFIG_H
|
#define _HAVE_CONFIG_H
|
||||||
|
|
||||||
#include "types.h"
|
#include "types.h"
|
||||||
|
|
||||||
/* Version string: */
|
/* Version string: */
|
||||||
|
|
||||||
#define VERSION "2.57b"
|
#define VERSION "2.57b"
|
||||||
|
|
||||||
/******************************************************
|
/******************************************************
|
||||||
* *
|
* *
|
||||||
* Settings that may be of interest to power users: *
|
* Settings that may be of interest to power users: *
|
||||||
* *
|
* *
|
||||||
******************************************************/
|
******************************************************/
|
||||||
|
|
||||||
/* Comment out to disable terminal colors (note that this makes afl-analyze
|
/* Comment out to disable terminal colors (note that this makes afl-analyze
|
||||||
a lot less nice): */
|
a lot less nice): */
|
||||||
|
|
||||||
#define USE_COLOR
|
#define USE_COLOR
|
||||||
|
|
||||||
/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
|
/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
|
||||||
|
|
||||||
#define FANCY_BOXES
|
#define FANCY_BOXES
|
||||||
|
|
||||||
/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
|
/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
|
||||||
also used for detecting hangs; the actual value is auto-scaled: */
|
also used for detecting hangs; the actual value is auto-scaled: */
|
||||||
|
|
||||||
#define EXEC_TIMEOUT 1000
|
#define EXEC_TIMEOUT 1000
|
||||||
|
|
||||||
/* Timeout rounding factor when auto-scaling (milliseconds): */
|
/* Timeout rounding factor when auto-scaling (milliseconds): */
|
||||||
|
|
||||||
#define EXEC_TM_ROUND 20
|
#define EXEC_TM_ROUND 20
|
||||||
|
|
||||||
/* 64bit arch MACRO */
|
/* 64bit arch MACRO */
|
||||||
#if (defined (__x86_64__) || defined (__arm64__) || defined (__aarch64__))
|
#if (defined (__x86_64__) || defined (__arm64__) || defined (__aarch64__))
|
||||||
#define WORD_SIZE_64 1
|
#define WORD_SIZE_64 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Default memory limit for child process (MB): */
|
/* Default memory limit for child process (MB): */
|
||||||
|
|
||||||
#ifndef WORD_SIZE_64
|
#ifndef WORD_SIZE_64
|
||||||
# define MEM_LIMIT 25
|
# define MEM_LIMIT 25
|
||||||
#else
|
#else
|
||||||
# define MEM_LIMIT 50
|
# define MEM_LIMIT 50
|
||||||
#endif /* ^!WORD_SIZE_64 */
|
#endif /* ^!WORD_SIZE_64 */
|
||||||
|
|
||||||
/* Default memory limit when running in QEMU mode (MB): */
|
/* Default memory limit when running in QEMU mode (MB): */
|
||||||
|
|
||||||
#define MEM_LIMIT_QEMU 200
|
#define MEM_LIMIT_QEMU 200
|
||||||
|
|
||||||
/* Number of calibration cycles per every new test case (and for test
|
/* Number of calibration cycles per every new test case (and for test
|
||||||
cases that show variable behavior): */
|
cases that show variable behavior): */
|
||||||
|
|
||||||
#define CAL_CYCLES 8
|
#define CAL_CYCLES 8
|
||||||
#define CAL_CYCLES_LONG 40
|
#define CAL_CYCLES_LONG 40
|
||||||
|
|
||||||
/* Number of subsequent timeouts before abandoning an input file: */
|
/* Number of subsequent timeouts before abandoning an input file: */
|
||||||
|
|
||||||
#define TMOUT_LIMIT 250
|
#define TMOUT_LIMIT 250
|
||||||
|
|
||||||
/* Maximum number of unique hangs or crashes to record: */
|
/* Maximum number of unique hangs or crashes to record: */
|
||||||
|
|
||||||
#define KEEP_UNIQUE_HANG 500
|
#define KEEP_UNIQUE_HANG 500
|
||||||
#define KEEP_UNIQUE_CRASH 5000
|
#define KEEP_UNIQUE_CRASH 5000
|
||||||
|
|
||||||
/* Baseline number of random tweaks during a single 'havoc' stage: */
|
/* Baseline number of random tweaks during a single 'havoc' stage: */
|
||||||
|
|
||||||
#define HAVOC_CYCLES 256
|
#define HAVOC_CYCLES 256
|
||||||
#define HAVOC_CYCLES_INIT 1024
|
#define HAVOC_CYCLES_INIT 1024
|
||||||
|
|
||||||
/* Maximum multiplier for the above (should be a power of two, beware
|
/* Maximum multiplier for the above (should be a power of two, beware
|
||||||
of 32-bit int overflows): */
|
of 32-bit int overflows): */
|
||||||
|
|
||||||
#define HAVOC_MAX_MULT 16
|
#define HAVOC_MAX_MULT 16
|
||||||
|
|
||||||
/* Absolute minimum number of havoc cycles (after all adjustments): */
|
/* Absolute minimum number of havoc cycles (after all adjustments): */
|
||||||
|
|
||||||
#define HAVOC_MIN 16
|
#define HAVOC_MIN 16
|
||||||
|
|
||||||
/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
|
/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
|
||||||
like this:
|
like this:
|
||||||
|
|
||||||
n = random between 1 and HAVOC_STACK_POW2
|
n = random between 1 and HAVOC_STACK_POW2
|
||||||
stacking = 2^n
|
stacking = 2^n
|
||||||
|
|
||||||
In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
|
In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
|
||||||
128 stacked tweaks: */
|
128 stacked tweaks: */
|
||||||
|
|
||||||
#define HAVOC_STACK_POW2 7
|
#define HAVOC_STACK_POW2 7
|
||||||
|
|
||||||
/* Caps on block sizes for cloning and deletion operations. Each of these
|
/* Caps on block sizes for cloning and deletion operations. Each of these
|
||||||
ranges has a 33% probability of getting picked, except for the first
|
ranges has a 33% probability of getting picked, except for the first
|
||||||
two cycles where smaller blocks are favored: */
|
two cycles where smaller blocks are favored: */
|
||||||
|
|
||||||
#define HAVOC_BLK_SMALL 32
|
#define HAVOC_BLK_SMALL 32
|
||||||
#define HAVOC_BLK_MEDIUM 128
|
#define HAVOC_BLK_MEDIUM 128
|
||||||
#define HAVOC_BLK_LARGE 1500
|
#define HAVOC_BLK_LARGE 1500
|
||||||
|
|
||||||
/* Extra-large blocks, selected very rarely (<5% of the time): */
|
/* Extra-large blocks, selected very rarely (<5% of the time): */
|
||||||
|
|
||||||
#define HAVOC_BLK_XL 32768
|
#define HAVOC_BLK_XL 32768
|
||||||
|
|
||||||
/* Probabilities of skipping non-favored entries in the queue, expressed as
|
/* Probabilities of skipping non-favored entries in the queue, expressed as
|
||||||
percentages: */
|
percentages: */
|
||||||
|
|
||||||
#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */
|
#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */
|
||||||
#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
|
#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
|
||||||
#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */
|
#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */
|
||||||
|
|
||||||
/* Splicing cycle count: */
|
/* Splicing cycle count: */
|
||||||
|
|
||||||
#define SPLICE_CYCLES 15
|
#define SPLICE_CYCLES 15
|
||||||
|
|
||||||
/* Nominal per-splice havoc cycle length: */
|
/* Nominal per-splice havoc cycle length: */
|
||||||
|
|
||||||
#define SPLICE_HAVOC 32
|
#define SPLICE_HAVOC 32
|
||||||
|
|
||||||
/* Maximum offset for integer addition / subtraction stages: */
|
/* Maximum offset for integer addition / subtraction stages: */
|
||||||
|
|
||||||
#define ARITH_MAX 35
|
#define ARITH_MAX 35
|
||||||
|
|
||||||
/* Limits for the test case trimmer. The absolute minimum chunk size; and
|
/* Limits for the test case trimmer. The absolute minimum chunk size; and
|
||||||
the starting and ending divisors for chopping up the input file: */
|
the starting and ending divisors for chopping up the input file: */
|
||||||
|
|
||||||
#define TRIM_MIN_BYTES 4
|
#define TRIM_MIN_BYTES 4
|
||||||
#define TRIM_START_STEPS 16
|
#define TRIM_START_STEPS 16
|
||||||
#define TRIM_END_STEPS 1024
|
#define TRIM_END_STEPS 1024
|
||||||
|
|
||||||
/* Maximum size of input file, in bytes (keep under 100MB): */
|
/* Maximum size of input file, in bytes (keep under 100MB): */
|
||||||
|
|
||||||
#define MAX_FILE (1 * 1024 * 1024)
|
#define MAX_FILE (1 * 1024 * 1024)
|
||||||
|
|
||||||
/* The same, for the test case minimizer: */
|
/* The same, for the test case minimizer: */
|
||||||
|
|
||||||
#define TMIN_MAX_FILE (10 * 1024 * 1024)
|
#define TMIN_MAX_FILE (10 * 1024 * 1024)
|
||||||
|
|
||||||
/* Block normalization steps for afl-tmin: */
|
/* Block normalization steps for afl-tmin: */
|
||||||
|
|
||||||
#define TMIN_SET_MIN_SIZE 4
|
#define TMIN_SET_MIN_SIZE 4
|
||||||
#define TMIN_SET_STEPS 128
|
#define TMIN_SET_STEPS 128
|
||||||
|
|
||||||
/* Maximum dictionary token size (-x), in bytes: */
|
/* Maximum dictionary token size (-x), in bytes: */
|
||||||
|
|
||||||
#define MAX_DICT_FILE 128
|
#define MAX_DICT_FILE 128
|
||||||
|
|
||||||
/* Length limits for auto-detected dictionary tokens: */
|
/* Length limits for auto-detected dictionary tokens: */
|
||||||
|
|
||||||
#define MIN_AUTO_EXTRA 3
|
#define MIN_AUTO_EXTRA 3
|
||||||
#define MAX_AUTO_EXTRA 32
|
#define MAX_AUTO_EXTRA 32
|
||||||
|
|
||||||
/* Maximum number of user-specified dictionary tokens to use in deterministic
|
/* Maximum number of user-specified dictionary tokens to use in deterministic
|
||||||
steps; past this point, the "extras/user" step will be still carried out,
|
steps; past this point, the "extras/user" step will be still carried out,
|
||||||
but with proportionally lower odds: */
|
but with proportionally lower odds: */
|
||||||
|
|
||||||
#define MAX_DET_EXTRAS 200
|
#define MAX_DET_EXTRAS 200
|
||||||
|
|
||||||
/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
|
/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
|
||||||
(first value), and to keep in memory as candidates. The latter should be much
|
(first value), and to keep in memory as candidates. The latter should be much
|
||||||
higher than the former. */
|
higher than the former. */
|
||||||
|
|
||||||
#define USE_AUTO_EXTRAS 50
|
#define USE_AUTO_EXTRAS 50
|
||||||
#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10)
|
#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10)
|
||||||
|
|
||||||
/* Scaling factor for the effector map used to skip some of the more
|
/* Scaling factor for the effector map used to skip some of the more
|
||||||
expensive deterministic steps. The actual divisor is set to
|
expensive deterministic steps. The actual divisor is set to
|
||||||
2^EFF_MAP_SCALE2 bytes: */
|
2^EFF_MAP_SCALE2 bytes: */
|
||||||
|
|
||||||
#define EFF_MAP_SCALE2 3
|
#define EFF_MAP_SCALE2 3
|
||||||
|
|
||||||
/* Minimum input file length at which the effector logic kicks in: */
|
/* Minimum input file length at which the effector logic kicks in: */
|
||||||
|
|
||||||
#define EFF_MIN_LEN 128
|
#define EFF_MIN_LEN 128
|
||||||
|
|
||||||
/* Maximum effector density past which everything is just fuzzed
|
/* Maximum effector density past which everything is just fuzzed
|
||||||
unconditionally (%): */
|
unconditionally (%): */
|
||||||
|
|
||||||
#define EFF_MAX_PERC 90
|
#define EFF_MAX_PERC 90
|
||||||
|
|
||||||
/* UI refresh frequency (Hz): */
|
/* UI refresh frequency (Hz): */
|
||||||
|
|
||||||
#define UI_TARGET_HZ 5
|
#define UI_TARGET_HZ 5
|
||||||
|
|
||||||
/* Fuzzer stats file and plot update intervals (sec): */
|
/* Fuzzer stats file and plot update intervals (sec): */
|
||||||
|
|
||||||
#define STATS_UPDATE_SEC 60
|
#define STATS_UPDATE_SEC 60
|
||||||
#define PLOT_UPDATE_SEC 5
|
#define PLOT_UPDATE_SEC 5
|
||||||
|
|
||||||
/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
|
/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
|
||||||
|
|
||||||
#define AVG_SMOOTHING 16
|
#define AVG_SMOOTHING 16
|
||||||
|
|
||||||
/* Sync interval (every n havoc cycles): */
|
/* Sync interval (every n havoc cycles): */
|
||||||
|
|
||||||
#define SYNC_INTERVAL 5
|
#define SYNC_INTERVAL 5
|
||||||
|
|
||||||
/* Output directory reuse grace period (minutes): */
|
/* Output directory reuse grace period (minutes): */
|
||||||
|
|
||||||
#define OUTPUT_GRACE 25
|
#define OUTPUT_GRACE 25
|
||||||
|
|
||||||
/* Uncomment to use simple file names (id_NNNNNN): */
|
/* Uncomment to use simple file names (id_NNNNNN): */
|
||||||
|
|
||||||
// #define SIMPLE_FILES
|
// #define SIMPLE_FILES
|
||||||
|
|
||||||
/* List of interesting values to use in fuzzing. */
|
/* List of interesting values to use in fuzzing. */
|
||||||
|
|
||||||
#define INTERESTING_8 \
|
#define INTERESTING_8 \
|
||||||
-128, /* Overflow signed 8-bit when decremented */ \
|
-128, /* Overflow signed 8-bit when decremented */ \
|
||||||
-1, /* */ \
|
-1, /* */ \
|
||||||
0, /* */ \
|
0, /* */ \
|
||||||
1, /* */ \
|
1, /* */ \
|
||||||
16, /* One-off with common buffer size */ \
|
16, /* One-off with common buffer size */ \
|
||||||
32, /* One-off with common buffer size */ \
|
32, /* One-off with common buffer size */ \
|
||||||
64, /* One-off with common buffer size */ \
|
64, /* One-off with common buffer size */ \
|
||||||
100, /* One-off with common buffer size */ \
|
100, /* One-off with common buffer size */ \
|
||||||
127 /* Overflow signed 8-bit when incremented */
|
127 /* Overflow signed 8-bit when incremented */
|
||||||
|
|
||||||
#define INTERESTING_16 \
|
#define INTERESTING_16 \
|
||||||
-32768, /* Overflow signed 16-bit when decremented */ \
|
-32768, /* Overflow signed 16-bit when decremented */ \
|
||||||
-129, /* Overflow signed 8-bit */ \
|
-129, /* Overflow signed 8-bit */ \
|
||||||
128, /* Overflow signed 8-bit */ \
|
128, /* Overflow signed 8-bit */ \
|
||||||
255, /* Overflow unsig 8-bit when incremented */ \
|
255, /* Overflow unsig 8-bit when incremented */ \
|
||||||
256, /* Overflow unsig 8-bit */ \
|
256, /* Overflow unsig 8-bit */ \
|
||||||
512, /* One-off with common buffer size */ \
|
512, /* One-off with common buffer size */ \
|
||||||
1000, /* One-off with common buffer size */ \
|
1000, /* One-off with common buffer size */ \
|
||||||
1024, /* One-off with common buffer size */ \
|
1024, /* One-off with common buffer size */ \
|
||||||
4096, /* One-off with common buffer size */ \
|
4096, /* One-off with common buffer size */ \
|
||||||
32767 /* Overflow signed 16-bit when incremented */
|
32767 /* Overflow signed 16-bit when incremented */
|
||||||
|
|
||||||
#define INTERESTING_32 \
|
#define INTERESTING_32 \
|
||||||
-2147483648LL, /* Overflow signed 32-bit when decremented */ \
|
-2147483648LL, /* Overflow signed 32-bit when decremented */ \
|
||||||
-100663046, /* Large negative number (endian-agnostic) */ \
|
-100663046, /* Large negative number (endian-agnostic) */ \
|
||||||
-32769, /* Overflow signed 16-bit */ \
|
-32769, /* Overflow signed 16-bit */ \
|
||||||
32768, /* Overflow signed 16-bit */ \
|
32768, /* Overflow signed 16-bit */ \
|
||||||
65535, /* Overflow unsig 16-bit when incremented */ \
|
65535, /* Overflow unsig 16-bit when incremented */ \
|
||||||
65536, /* Overflow unsig 16 bit */ \
|
65536, /* Overflow unsig 16 bit */ \
|
||||||
100663045, /* Large positive number (endian-agnostic) */ \
|
100663045, /* Large positive number (endian-agnostic) */ \
|
||||||
2147483647 /* Overflow signed 32-bit when incremented */
|
2147483647 /* Overflow signed 32-bit when incremented */
|
||||||
|
|
||||||
/***********************************************************
|
/***********************************************************
|
||||||
* *
|
* *
|
||||||
* Really exotic stuff you probably don't want to touch: *
|
* Really exotic stuff you probably don't want to touch: *
|
||||||
* *
|
* *
|
||||||
***********************************************************/
|
***********************************************************/
|
||||||
|
|
||||||
/* Call count interval between reseeding the libc PRNG from /dev/urandom: */
|
/* Call count interval between reseeding the libc PRNG from /dev/urandom: */
|
||||||
|
|
||||||
#define RESEED_RNG 10000
|
#define RESEED_RNG 10000
|
||||||
|
|
||||||
/* Maximum line length passed from GCC to 'as' and used for parsing
|
/* Maximum line length passed from GCC to 'as' and used for parsing
|
||||||
configuration files: */
|
configuration files: */
|
||||||
|
|
||||||
#define MAX_LINE 8192
|
#define MAX_LINE 8192
|
||||||
|
|
||||||
/* Environment variable used to pass SHM ID to the called program. */
|
/* Environment variable used to pass SHM ID to the called program. */
|
||||||
|
|
||||||
#define SHM_ENV_VAR "__AFL_SHM_ID"
|
#define SHM_ENV_VAR "__AFL_SHM_ID"
|
||||||
|
|
||||||
/* Other less interesting, internal-only variables. */
|
/* Other less interesting, internal-only variables. */
|
||||||
|
|
||||||
#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
|
#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
|
||||||
#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
|
#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
|
||||||
#define PERSIST_ENV_VAR "__AFL_PERSISTENT"
|
#define PERSIST_ENV_VAR "__AFL_PERSISTENT"
|
||||||
#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
|
#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
|
||||||
|
|
||||||
/* In-code signatures for deferred and persistent mode. */
|
/* In-code signatures for deferred and persistent mode. */
|
||||||
|
|
||||||
#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
|
#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
|
||||||
#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
|
#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
|
||||||
|
|
||||||
/* Distinctive bitmap signature used to indicate failed execution: */
|
/* Distinctive bitmap signature used to indicate failed execution: */
|
||||||
|
|
||||||
#define EXEC_FAIL_SIG 0xfee1dead
|
#define EXEC_FAIL_SIG 0xfee1dead
|
||||||
|
|
||||||
/* Distinctive exit code used to indicate MSAN trip condition: */
|
/* Distinctive exit code used to indicate MSAN trip condition: */
|
||||||
|
|
||||||
#define MSAN_ERROR 86
|
#define MSAN_ERROR 86
|
||||||
|
|
||||||
/* Designated file descriptors for forkserver commands (the application will
|
/* Designated file descriptors for forkserver commands (the application will
|
||||||
use FORKSRV_FD and FORKSRV_FD + 1): */
|
use FORKSRV_FD and FORKSRV_FD + 1): */
|
||||||
|
|
||||||
#define FORKSRV_FD 198
|
#define FORKSRV_FD 198
|
||||||
|
|
||||||
/* Fork server init timeout multiplier: we'll wait the user-selected
|
/* Fork server init timeout multiplier: we'll wait the user-selected
|
||||||
timeout plus this much for the fork server to spin up. */
|
timeout plus this much for the fork server to spin up. */
|
||||||
|
|
||||||
#define FORK_WAIT_MULT 10
|
#define FORK_WAIT_MULT 10
|
||||||
|
|
||||||
/* Calibration timeout adjustments, to be a bit more generous when resuming
|
/* Calibration timeout adjustments, to be a bit more generous when resuming
|
||||||
fuzzing sessions or trying to calibrate already-added internal finds.
|
fuzzing sessions or trying to calibrate already-added internal finds.
|
||||||
The first value is a percentage, the other is in milliseconds: */
|
The first value is a percentage, the other is in milliseconds: */
|
||||||
|
|
||||||
#define CAL_TMOUT_PERC 125
|
#define CAL_TMOUT_PERC 125
|
||||||
#define CAL_TMOUT_ADD 50
|
#define CAL_TMOUT_ADD 50
|
||||||
|
|
||||||
/* Number of chances to calibrate a case before giving up: */
|
/* Number of chances to calibrate a case before giving up: */
|
||||||
|
|
||||||
#define CAL_CHANCES 3
|
#define CAL_CHANCES 3
|
||||||
|
|
||||||
/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
|
/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
|
||||||
2; you probably want to keep it under 18 or so for performance reasons
|
2; you probably want to keep it under 18 or so for performance reasons
|
||||||
(adjusting AFL_INST_RATIO when compiling is probably a better way to solve
|
(adjusting AFL_INST_RATIO when compiling is probably a better way to solve
|
||||||
problems with complex programs). You need to recompile the target binary
|
problems with complex programs). You need to recompile the target binary
|
||||||
after changing this - otherwise, SEGVs may ensue. */
|
after changing this - otherwise, SEGVs may ensue. */
|
||||||
|
|
||||||
#define MAP_SIZE_POW2 16
|
#define MAP_SIZE_POW2 16
|
||||||
#define MAP_SIZE (1 << MAP_SIZE_POW2)
|
#define MAP_SIZE (1 << MAP_SIZE_POW2)
|
||||||
|
|
||||||
/* Maximum allocator request size (keep well under INT_MAX): */
|
/* Maximum allocator request size (keep well under INT_MAX): */
|
||||||
|
|
||||||
#define MAX_ALLOC 0x40000000
|
#define MAX_ALLOC 0x40000000
|
||||||
|
|
||||||
/* A made-up hashing seed: */
|
/* A made-up hashing seed: */
|
||||||
|
|
||||||
#define HASH_CONST 0xa5b35705
|
#define HASH_CONST 0xa5b35705
|
||||||
|
|
||||||
/* Constants for afl-gotcpu to control busy loop timing: */
|
/* Constants for afl-gotcpu to control busy loop timing: */
|
||||||
|
|
||||||
#define CTEST_TARGET_MS 5000
|
#define CTEST_TARGET_MS 5000
|
||||||
#define CTEST_CORE_TRG_MS 1000
|
#define CTEST_CORE_TRG_MS 1000
|
||||||
#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
|
#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
|
||||||
|
|
||||||
/* Uncomment this to use inferior block-coverage-based instrumentation. Note
|
/* Uncomment this to use inferior block-coverage-based instrumentation. Note
|
||||||
that you need to recompile the target binary for this to have any effect: */
|
that you need to recompile the target binary for this to have any effect: */
|
||||||
|
|
||||||
// #define COVERAGE_ONLY
|
// #define COVERAGE_ONLY
|
||||||
|
|
||||||
/* Uncomment this to ignore hit counts and output just one bit per tuple.
|
/* Uncomment this to ignore hit counts and output just one bit per tuple.
|
||||||
As with the previous setting, you will need to recompile the target
|
As with the previous setting, you will need to recompile the target
|
||||||
binary: */
|
binary: */
|
||||||
|
|
||||||
// #define SKIP_COUNTS
|
// #define SKIP_COUNTS
|
||||||
|
|
||||||
/* Uncomment this to use instrumentation data to record newly discovered paths,
|
/* Uncomment this to use instrumentation data to record newly discovered paths,
|
||||||
but do not use them as seeds for fuzzing. This is useful for conveniently
|
but do not use them as seeds for fuzzing. This is useful for conveniently
|
||||||
measuring coverage that could be attained by a "dumb" fuzzing algorithm: */
|
measuring coverage that could be attained by a "dumb" fuzzing algorithm: */
|
||||||
|
|
||||||
// #define IGNORE_FINDS
|
// #define IGNORE_FINDS
|
||||||
|
|
||||||
#endif /* ! _HAVE_CONFIG_H */
|
#endif /* ! _HAVE_CONFIG_H */
|
||||||
|
@ -1,258 +1,258 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2013 Google LLC All rights reserved.
|
Copyright 2013 Google LLC All rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at:
|
You may obtain a copy of the License at:
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
american fuzzy lop - debug / error handling macros
|
american fuzzy lop - debug / error handling macros
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
|
|
||||||
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _HAVE_DEBUG_H
|
#ifndef _HAVE_DEBUG_H
|
||||||
#define _HAVE_DEBUG_H
|
#define _HAVE_DEBUG_H
|
||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
|
||||||
#include "types.h"
|
#include "types.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
|
||||||
/*******************
|
/*******************
|
||||||
* Terminal colors *
|
* Terminal colors *
|
||||||
*******************/
|
*******************/
|
||||||
|
|
||||||
#ifdef USE_COLOR
|
#ifdef USE_COLOR
|
||||||
|
|
||||||
# define cBLK "\x1b[0;30m"
|
# define cBLK "\x1b[0;30m"
|
||||||
# define cRED "\x1b[0;31m"
|
# define cRED "\x1b[0;31m"
|
||||||
# define cGRN "\x1b[0;32m"
|
# define cGRN "\x1b[0;32m"
|
||||||
# define cBRN "\x1b[0;33m"
|
# define cBRN "\x1b[0;33m"
|
||||||
# define cBLU "\x1b[0;34m"
|
# define cBLU "\x1b[0;34m"
|
||||||
# define cMGN "\x1b[0;35m"
|
# define cMGN "\x1b[0;35m"
|
||||||
# define cCYA "\x1b[0;36m"
|
# define cCYA "\x1b[0;36m"
|
||||||
# define cLGR "\x1b[0;37m"
|
# define cLGR "\x1b[0;37m"
|
||||||
# define cGRA "\x1b[1;90m"
|
# define cGRA "\x1b[1;90m"
|
||||||
# define cLRD "\x1b[1;91m"
|
# define cLRD "\x1b[1;91m"
|
||||||
# define cLGN "\x1b[1;92m"
|
# define cLGN "\x1b[1;92m"
|
||||||
# define cYEL "\x1b[1;93m"
|
# define cYEL "\x1b[1;93m"
|
||||||
# define cLBL "\x1b[1;94m"
|
# define cLBL "\x1b[1;94m"
|
||||||
# define cPIN "\x1b[1;95m"
|
# define cPIN "\x1b[1;95m"
|
||||||
# define cLCY "\x1b[1;96m"
|
# define cLCY "\x1b[1;96m"
|
||||||
# define cBRI "\x1b[1;97m"
|
# define cBRI "\x1b[1;97m"
|
||||||
# define cRST "\x1b[0m"
|
# define cRST "\x1b[0m"
|
||||||
|
|
||||||
# define bgBLK "\x1b[40m"
|
# define bgBLK "\x1b[40m"
|
||||||
# define bgRED "\x1b[41m"
|
# define bgRED "\x1b[41m"
|
||||||
# define bgGRN "\x1b[42m"
|
# define bgGRN "\x1b[42m"
|
||||||
# define bgBRN "\x1b[43m"
|
# define bgBRN "\x1b[43m"
|
||||||
# define bgBLU "\x1b[44m"
|
# define bgBLU "\x1b[44m"
|
||||||
# define bgMGN "\x1b[45m"
|
# define bgMGN "\x1b[45m"
|
||||||
# define bgCYA "\x1b[46m"
|
# define bgCYA "\x1b[46m"
|
||||||
# define bgLGR "\x1b[47m"
|
# define bgLGR "\x1b[47m"
|
||||||
# define bgGRA "\x1b[100m"
|
# define bgGRA "\x1b[100m"
|
||||||
# define bgLRD "\x1b[101m"
|
# define bgLRD "\x1b[101m"
|
||||||
# define bgLGN "\x1b[102m"
|
# define bgLGN "\x1b[102m"
|
||||||
# define bgYEL "\x1b[103m"
|
# define bgYEL "\x1b[103m"
|
||||||
# define bgLBL "\x1b[104m"
|
# define bgLBL "\x1b[104m"
|
||||||
# define bgPIN "\x1b[105m"
|
# define bgPIN "\x1b[105m"
|
||||||
# define bgLCY "\x1b[106m"
|
# define bgLCY "\x1b[106m"
|
||||||
# define bgBRI "\x1b[107m"
|
# define bgBRI "\x1b[107m"
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
# define cBLK ""
|
# define cBLK ""
|
||||||
# define cRED ""
|
# define cRED ""
|
||||||
# define cGRN ""
|
# define cGRN ""
|
||||||
# define cBRN ""
|
# define cBRN ""
|
||||||
# define cBLU ""
|
# define cBLU ""
|
||||||
# define cMGN ""
|
# define cMGN ""
|
||||||
# define cCYA ""
|
# define cCYA ""
|
||||||
# define cLGR ""
|
# define cLGR ""
|
||||||
# define cGRA ""
|
# define cGRA ""
|
||||||
# define cLRD ""
|
# define cLRD ""
|
||||||
# define cLGN ""
|
# define cLGN ""
|
||||||
# define cYEL ""
|
# define cYEL ""
|
||||||
# define cLBL ""
|
# define cLBL ""
|
||||||
# define cPIN ""
|
# define cPIN ""
|
||||||
# define cLCY ""
|
# define cLCY ""
|
||||||
# define cBRI ""
|
# define cBRI ""
|
||||||
# define cRST ""
|
# define cRST ""
|
||||||
|
|
||||||
# define bgBLK ""
|
# define bgBLK ""
|
||||||
# define bgRED ""
|
# define bgRED ""
|
||||||
# define bgGRN ""
|
# define bgGRN ""
|
||||||
# define bgBRN ""
|
# define bgBRN ""
|
||||||
# define bgBLU ""
|
# define bgBLU ""
|
||||||
# define bgMGN ""
|
# define bgMGN ""
|
||||||
# define bgCYA ""
|
# define bgCYA ""
|
||||||
# define bgLGR ""
|
# define bgLGR ""
|
||||||
# define bgGRA ""
|
# define bgGRA ""
|
||||||
# define bgLRD ""
|
# define bgLRD ""
|
||||||
# define bgLGN ""
|
# define bgLGN ""
|
||||||
# define bgYEL ""
|
# define bgYEL ""
|
||||||
# define bgLBL ""
|
# define bgLBL ""
|
||||||
# define bgPIN ""
|
# define bgPIN ""
|
||||||
# define bgLCY ""
|
# define bgLCY ""
|
||||||
# define bgBRI ""
|
# define bgBRI ""
|
||||||
|
|
||||||
#endif /* ^USE_COLOR */
|
#endif /* ^USE_COLOR */
|
||||||
|
|
||||||
/*************************
|
/*************************
|
||||||
* Box drawing sequences *
|
* Box drawing sequences *
|
||||||
*************************/
|
*************************/
|
||||||
|
|
||||||
#ifdef FANCY_BOXES
|
#ifdef FANCY_BOXES
|
||||||
|
|
||||||
# define SET_G1 "\x1b)0" /* Set G1 for box drawing */
|
# define SET_G1 "\x1b)0" /* Set G1 for box drawing */
|
||||||
# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */
|
# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */
|
||||||
# define bSTART "\x0e" /* Enter G1 drawing mode */
|
# define bSTART "\x0e" /* Enter G1 drawing mode */
|
||||||
# define bSTOP "\x0f" /* Leave G1 drawing mode */
|
# define bSTOP "\x0f" /* Leave G1 drawing mode */
|
||||||
# define bH "q" /* Horizontal line */
|
# define bH "q" /* Horizontal line */
|
||||||
# define bV "x" /* Vertical line */
|
# define bV "x" /* Vertical line */
|
||||||
# define bLT "l" /* Left top corner */
|
# define bLT "l" /* Left top corner */
|
||||||
# define bRT "k" /* Right top corner */
|
# define bRT "k" /* Right top corner */
|
||||||
# define bLB "m" /* Left bottom corner */
|
# define bLB "m" /* Left bottom corner */
|
||||||
# define bRB "j" /* Right bottom corner */
|
# define bRB "j" /* Right bottom corner */
|
||||||
# define bX "n" /* Cross */
|
# define bX "n" /* Cross */
|
||||||
# define bVR "t" /* Vertical, branch right */
|
# define bVR "t" /* Vertical, branch right */
|
||||||
# define bVL "u" /* Vertical, branch left */
|
# define bVL "u" /* Vertical, branch left */
|
||||||
# define bHT "v" /* Horizontal, branch top */
|
# define bHT "v" /* Horizontal, branch top */
|
||||||
# define bHB "w" /* Horizontal, branch bottom */
|
# define bHB "w" /* Horizontal, branch bottom */
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
# define SET_G1 ""
|
# define SET_G1 ""
|
||||||
# define RESET_G1 ""
|
# define RESET_G1 ""
|
||||||
# define bSTART ""
|
# define bSTART ""
|
||||||
# define bSTOP ""
|
# define bSTOP ""
|
||||||
# define bH "-"
|
# define bH "-"
|
||||||
# define bV "|"
|
# define bV "|"
|
||||||
# define bLT "+"
|
# define bLT "+"
|
||||||
# define bRT "+"
|
# define bRT "+"
|
||||||
# define bLB "+"
|
# define bLB "+"
|
||||||
# define bRB "+"
|
# define bRB "+"
|
||||||
# define bX "+"
|
# define bX "+"
|
||||||
# define bVR "+"
|
# define bVR "+"
|
||||||
# define bVL "+"
|
# define bVL "+"
|
||||||
# define bHT "+"
|
# define bHT "+"
|
||||||
# define bHB "+"
|
# define bHB "+"
|
||||||
|
|
||||||
#endif /* ^FANCY_BOXES */
|
#endif /* ^FANCY_BOXES */
|
||||||
|
|
||||||
/***********************
|
/***********************
|
||||||
* Misc terminal codes *
|
* Misc terminal codes *
|
||||||
***********************/
|
***********************/
|
||||||
|
|
||||||
#define TERM_HOME "\x1b[H"
|
#define TERM_HOME "\x1b[H"
|
||||||
#define TERM_CLEAR TERM_HOME "\x1b[2J"
|
#define TERM_CLEAR TERM_HOME "\x1b[2J"
|
||||||
#define cEOL "\x1b[0K"
|
#define cEOL "\x1b[0K"
|
||||||
#define CURSOR_HIDE "\x1b[?25l"
|
#define CURSOR_HIDE "\x1b[?25l"
|
||||||
#define CURSOR_SHOW "\x1b[?25h"
|
#define CURSOR_SHOW "\x1b[?25h"
|
||||||
|
|
||||||
/************************
|
/************************
|
||||||
* Debug & error macros *
|
* Debug & error macros *
|
||||||
************************/
|
************************/
|
||||||
|
|
||||||
/* Just print stuff to the appropriate stream. */
|
/* Just print stuff to the appropriate stream. */
|
||||||
|
|
||||||
#ifdef MESSAGES_TO_STDOUT
|
#ifdef MESSAGES_TO_STDOUT
|
||||||
# define SAYF(x...) printf(x)
|
# define SAYF(x...) printf(x)
|
||||||
#else
|
#else
|
||||||
# define SAYF(x...) fprintf(stderr, x)
|
# define SAYF(x...) fprintf(stderr, x)
|
||||||
#endif /* ^MESSAGES_TO_STDOUT */
|
#endif /* ^MESSAGES_TO_STDOUT */
|
||||||
|
|
||||||
/* Show a prefixed warning. */
|
/* Show a prefixed warning. */
|
||||||
|
|
||||||
#define WARNF(x...) do { \
|
#define WARNF(x...) do { \
|
||||||
SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
|
SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
|
||||||
SAYF(cRST "\n"); \
|
SAYF(cRST "\n"); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
/* Show a prefixed "doing something" message. */
|
/* Show a prefixed "doing something" message. */
|
||||||
|
|
||||||
#define ACTF(x...) do { \
|
#define ACTF(x...) do { \
|
||||||
SAYF(cLBL "[*] " cRST x); \
|
SAYF(cLBL "[*] " cRST x); \
|
||||||
SAYF(cRST "\n"); \
|
SAYF(cRST "\n"); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
/* Show a prefixed "success" message. */
|
/* Show a prefixed "success" message. */
|
||||||
|
|
||||||
#define OKF(x...) do { \
|
#define OKF(x...) do { \
|
||||||
SAYF(cLGN "[+] " cRST x); \
|
SAYF(cLGN "[+] " cRST x); \
|
||||||
SAYF(cRST "\n"); \
|
SAYF(cRST "\n"); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
/* Show a prefixed fatal error message (not used in afl). */
|
/* Show a prefixed fatal error message (not used in afl). */
|
||||||
|
|
||||||
#define BADF(x...) do { \
|
#define BADF(x...) do { \
|
||||||
SAYF(cLRD "\n[-] " cRST x); \
|
SAYF(cLRD "\n[-] " cRST x); \
|
||||||
SAYF(cRST "\n"); \
|
SAYF(cRST "\n"); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
/* Die with a verbose non-OS fatal error message. */
|
/* Die with a verbose non-OS fatal error message. */
|
||||||
|
|
||||||
#define FATAL(x...) do { \
|
#define FATAL(x...) do { \
|
||||||
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
|
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
|
||||||
cBRI x); \
|
cBRI x); \
|
||||||
SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \
|
SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \
|
||||||
__FUNCTION__, __FILE__, __LINE__); \
|
__FUNCTION__, __FILE__, __LINE__); \
|
||||||
exit(1); \
|
exit(1); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
/* Die by calling abort() to provide a core dump. */
|
/* Die by calling abort() to provide a core dump. */
|
||||||
|
|
||||||
#define ABORT(x...) do { \
|
#define ABORT(x...) do { \
|
||||||
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
|
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
|
||||||
cBRI x); \
|
cBRI x); \
|
||||||
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \
|
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \
|
||||||
__FUNCTION__, __FILE__, __LINE__); \
|
__FUNCTION__, __FILE__, __LINE__); \
|
||||||
abort(); \
|
abort(); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
/* Die while also including the output of perror(). */
|
/* Die while also including the output of perror(). */
|
||||||
|
|
||||||
#define PFATAL(x...) do { \
|
#define PFATAL(x...) do { \
|
||||||
fflush(stdout); \
|
fflush(stdout); \
|
||||||
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \
|
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \
|
||||||
cBRI x); \
|
cBRI x); \
|
||||||
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \
|
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \
|
||||||
__FUNCTION__, __FILE__, __LINE__); \
|
__FUNCTION__, __FILE__, __LINE__); \
|
||||||
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
|
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
|
||||||
exit(1); \
|
exit(1); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
/* Die with FAULT() or PFAULT() depending on the value of res (used to
|
/* Die with FAULT() or PFAULT() depending on the value of res (used to
|
||||||
interpret different failure modes for read(), write(), etc). */
|
interpret different failure modes for read(), write(), etc). */
|
||||||
|
|
||||||
#define RPFATAL(res, x...) do { \
|
#define RPFATAL(res, x...) do { \
|
||||||
if (res < 0) PFATAL(x); else FATAL(x); \
|
if (res < 0) PFATAL(x); else FATAL(x); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
/* Error-checking versions of read() and write() that call RPFATAL() as
|
/* Error-checking versions of read() and write() that call RPFATAL() as
|
||||||
appropriate. */
|
appropriate. */
|
||||||
|
|
||||||
#define ck_write(fd, buf, len, fn) do { \
|
#define ck_write(fd, buf, len, fn) do { \
|
||||||
u32 _len = (len); \
|
u32 _len = (len); \
|
||||||
s32 _res = write(fd, buf, _len); \
|
s32 _res = write(fd, buf, _len); \
|
||||||
if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
|
if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
#define ck_read(fd, buf, len, fn) do { \
|
#define ck_read(fd, buf, len, fn) do { \
|
||||||
u32 _len = (len); \
|
u32 _len = (len); \
|
||||||
s32 _res = read(fd, buf, _len); \
|
s32 _res = read(fd, buf, _len); \
|
||||||
if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
|
if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
#endif /* ! _HAVE_DEBUG_H */
|
#endif /* ! _HAVE_DEBUG_H */
|
||||||
|
@ -1,111 +1,111 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2016 Google LLC All rights reserved.
|
Copyright 2016 Google LLC All rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at:
|
You may obtain a copy of the License at:
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
american fuzzy lop - hashing function
|
american fuzzy lop - hashing function
|
||||||
-------------------------------------
|
-------------------------------------
|
||||||
|
|
||||||
The hash32() function is a variant of MurmurHash3, a good
|
The hash32() function is a variant of MurmurHash3, a good
|
||||||
non-cryptosafe hashing function developed by Austin Appleby.
|
non-cryptosafe hashing function developed by Austin Appleby.
|
||||||
|
|
||||||
For simplicity, this variant does *NOT* accept buffer lengths
|
For simplicity, this variant does *NOT* accept buffer lengths
|
||||||
that are not divisible by 8 bytes. The 32-bit version is otherwise
|
that are not divisible by 8 bytes. The 32-bit version is otherwise
|
||||||
similar to the original; the 64-bit one is a custom hack with
|
similar to the original; the 64-bit one is a custom hack with
|
||||||
mostly-unproven properties.
|
mostly-unproven properties.
|
||||||
|
|
||||||
Austin's original code is public domain.
|
Austin's original code is public domain.
|
||||||
|
|
||||||
Other code written and maintained by Michal Zalewski <lcamtuf@google.com>
|
Other code written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _HAVE_HASH_H
|
#ifndef _HAVE_HASH_H
|
||||||
#define _HAVE_HASH_H
|
#define _HAVE_HASH_H
|
||||||
|
|
||||||
#include "types.h"
|
#include "types.h"
|
||||||
|
|
||||||
#ifdef __x86_64__
|
#ifdef __x86_64__
|
||||||
|
|
||||||
#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
|
#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
|
||||||
|
|
||||||
static inline u32 hash32(const void* key, u32 len, u32 seed) {
|
static inline u32 hash32(const void* key, u32 len, u32 seed) {
|
||||||
|
|
||||||
const u64* data = (u64*)key;
|
const u64* data = (u64*)key;
|
||||||
u64 h1 = seed ^ len;
|
u64 h1 = seed ^ len;
|
||||||
|
|
||||||
len >>= 3;
|
len >>= 3;
|
||||||
|
|
||||||
while (len--) {
|
while (len--) {
|
||||||
|
|
||||||
u64 k1 = *data++;
|
u64 k1 = *data++;
|
||||||
|
|
||||||
k1 *= 0x87c37b91114253d5ULL;
|
k1 *= 0x87c37b91114253d5ULL;
|
||||||
k1 = ROL64(k1, 31);
|
k1 = ROL64(k1, 31);
|
||||||
k1 *= 0x4cf5ad432745937fULL;
|
k1 *= 0x4cf5ad432745937fULL;
|
||||||
|
|
||||||
h1 ^= k1;
|
h1 ^= k1;
|
||||||
h1 = ROL64(h1, 27);
|
h1 = ROL64(h1, 27);
|
||||||
h1 = h1 * 5 + 0x52dce729;
|
h1 = h1 * 5 + 0x52dce729;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
h1 ^= h1 >> 33;
|
h1 ^= h1 >> 33;
|
||||||
h1 *= 0xff51afd7ed558ccdULL;
|
h1 *= 0xff51afd7ed558ccdULL;
|
||||||
h1 ^= h1 >> 33;
|
h1 ^= h1 >> 33;
|
||||||
h1 *= 0xc4ceb9fe1a85ec53ULL;
|
h1 *= 0xc4ceb9fe1a85ec53ULL;
|
||||||
h1 ^= h1 >> 33;
|
h1 ^= h1 >> 33;
|
||||||
|
|
||||||
return h1;
|
return h1;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
||||||
#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
|
#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
|
||||||
|
|
||||||
static inline u32 hash32(const void* key, u32 len, u32 seed) {
|
static inline u32 hash32(const void* key, u32 len, u32 seed) {
|
||||||
|
|
||||||
const u32* data = (u32*)key;
|
const u32* data = (u32*)key;
|
||||||
u32 h1 = seed ^ len;
|
u32 h1 = seed ^ len;
|
||||||
|
|
||||||
len >>= 2;
|
len >>= 2;
|
||||||
|
|
||||||
while (len--) {
|
while (len--) {
|
||||||
|
|
||||||
u32 k1 = *data++;
|
u32 k1 = *data++;
|
||||||
|
|
||||||
k1 *= 0xcc9e2d51;
|
k1 *= 0xcc9e2d51;
|
||||||
k1 = ROL32(k1, 15);
|
k1 = ROL32(k1, 15);
|
||||||
k1 *= 0x1b873593;
|
k1 *= 0x1b873593;
|
||||||
|
|
||||||
h1 ^= k1;
|
h1 ^= k1;
|
||||||
h1 = ROL32(h1, 13);
|
h1 = ROL32(h1, 13);
|
||||||
h1 = h1 * 5 + 0xe6546b64;
|
h1 = h1 * 5 + 0xe6546b64;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
h1 ^= h1 >> 16;
|
h1 ^= h1 >> 16;
|
||||||
h1 *= 0x85ebca6b;
|
h1 *= 0x85ebca6b;
|
||||||
h1 ^= h1 >> 13;
|
h1 ^= h1 >> 13;
|
||||||
h1 *= 0xc2b2ae35;
|
h1 *= 0xc2b2ae35;
|
||||||
h1 ^= h1 >> 16;
|
h1 ^= h1 >> 16;
|
||||||
|
|
||||||
return h1;
|
return h1;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* ^__x86_64__ */
|
#endif /* ^__x86_64__ */
|
||||||
|
|
||||||
#endif /* !_HAVE_HASH_H */
|
#endif /* !_HAVE_HASH_H */
|
||||||
|
@ -1,45 +1,45 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2014 Google LLC All rights reserved.
|
Copyright 2014 Google LLC All rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at:
|
You may obtain a copy of the License at:
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
american fuzzy lop - a trivial program to test the build
|
american fuzzy lop - a trivial program to test the build
|
||||||
--------------------------------------------------------
|
--------------------------------------------------------
|
||||||
|
|
||||||
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
int main(int argc, char** argv) {
|
int main(int argc, char** argv) {
|
||||||
|
|
||||||
char buf[8];
|
char buf[8];
|
||||||
|
|
||||||
if (read(0, buf, 8) < 1) {
|
if (read(0, buf, 8) < 1) {
|
||||||
printf("Hum?\n");
|
printf("Hum?\n");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (buf[0] == '0')
|
if (buf[0] == '0')
|
||||||
printf("Looks like a zero to me!\n");
|
printf("Looks like a zero to me!\n");
|
||||||
else
|
else
|
||||||
printf("A non-zero value? How quaint!\n");
|
printf("A non-zero value? How quaint!\n");
|
||||||
|
|
||||||
exit(0);
|
exit(0);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,41 +1,41 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2019 Google LLC All rights reserved.
|
Copyright 2019 Google LLC All rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at:
|
You may obtain a copy of the License at:
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
american fuzzy lop - a trivial program to test libFuzzer target fuzzing.
|
american fuzzy lop - a trivial program to test libFuzzer target fuzzing.
|
||||||
------------------------------------------------------------------------
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
Initially written and maintained by Michal Zalewski.
|
Initially written and maintained by Michal Zalewski.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
|
||||||
// TODO(metzman): Create a test/ directory to store this and other similar
|
// TODO(metzman): Create a test/ directory to store this and other similar
|
||||||
// files.
|
// files.
|
||||||
int LLVMFuzzerTestOneInput(uint8_t* buf, size_t size) {
|
int LLVMFuzzerTestOneInput(uint8_t* buf, size_t size) {
|
||||||
if (size < 2)
|
if (size < 2)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (buf[0] == '0')
|
if (buf[0] == '0')
|
||||||
printf("Looks like a zero to me!\n");
|
printf("Looks like a zero to me!\n");
|
||||||
else
|
else
|
||||||
printf("A non-zero value? How quaint!\n");
|
printf("A non-zero value? How quaint!\n");
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -1,94 +1,94 @@
|
|||||||
/*
|
/*
|
||||||
Copyright 2013 Google LLC All rights reserved.
|
Copyright 2013 Google LLC All rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
You may obtain a copy of the License at:
|
You may obtain a copy of the License at:
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
Unless required by applicable law or agreed to in writing, software
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
american fuzzy lop - type definitions and minor macros
|
american fuzzy lop - type definitions and minor macros
|
||||||
------------------------------------------------------
|
------------------------------------------------------
|
||||||
|
|
||||||
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
Written and maintained by Michal Zalewski <lcamtuf@google.com>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _HAVE_TYPES_H
|
#ifndef _HAVE_TYPES_H
|
||||||
#define _HAVE_TYPES_H
|
#define _HAVE_TYPES_H
|
||||||
|
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
|
|
||||||
typedef uint8_t u8;
|
typedef uint8_t u8;
|
||||||
typedef uint16_t u16;
|
typedef uint16_t u16;
|
||||||
typedef uint32_t u32;
|
typedef uint32_t u32;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
||||||
Ugh. There is an unintended compiler / glibc #include glitch caused by
|
Ugh. There is an unintended compiler / glibc #include glitch caused by
|
||||||
combining the u64 type an %llu in format strings, necessitating a workaround.
|
combining the u64 type an %llu in format strings, necessitating a workaround.
|
||||||
|
|
||||||
In essence, the compiler is always looking for 'unsigned long long' for %llu.
|
In essence, the compiler is always looking for 'unsigned long long' for %llu.
|
||||||
On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to
|
On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to
|
||||||
'unsigned long long' in <bits/types.h>, so everything checks out.
|
'unsigned long long' in <bits/types.h>, so everything checks out.
|
||||||
|
|
||||||
But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'.
|
But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'.
|
||||||
Now, it only happens in circumstances where the type happens to have the
|
Now, it only happens in circumstances where the type happens to have the
|
||||||
expected bit width, *but* the compiler does not know that... and complains
|
expected bit width, *but* the compiler does not know that... and complains
|
||||||
about 'unsigned long' being unsafe to pass to %llu.
|
about 'unsigned long' being unsafe to pass to %llu.
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifdef __x86_64__
|
#ifdef __x86_64__
|
||||||
typedef unsigned long long u64;
|
typedef unsigned long long u64;
|
||||||
#else
|
#else
|
||||||
typedef uint64_t u64;
|
typedef uint64_t u64;
|
||||||
#endif /* ^__x86_64__ */
|
#endif /* ^__x86_64__ */
|
||||||
|
|
||||||
typedef int8_t s8;
|
typedef int8_t s8;
|
||||||
typedef int16_t s16;
|
typedef int16_t s16;
|
||||||
typedef int32_t s32;
|
typedef int32_t s32;
|
||||||
typedef int64_t s64;
|
typedef int64_t s64;
|
||||||
|
|
||||||
#ifndef MIN
|
#ifndef MIN
|
||||||
# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a))
|
# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a))
|
||||||
# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b))
|
# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b))
|
||||||
#endif /* !MIN */
|
#endif /* !MIN */
|
||||||
|
|
||||||
#define SWAP16(_x) ({ \
|
#define SWAP16(_x) ({ \
|
||||||
u16 _ret = (_x); \
|
u16 _ret = (_x); \
|
||||||
(u16)((_ret << 8) | (_ret >> 8)); \
|
(u16)((_ret << 8) | (_ret >> 8)); \
|
||||||
})
|
})
|
||||||
|
|
||||||
#define SWAP32(_x) ({ \
|
#define SWAP32(_x) ({ \
|
||||||
u32 _ret = (_x); \
|
u32 _ret = (_x); \
|
||||||
(u32)((_ret << 24) | (_ret >> 24) | \
|
(u32)((_ret << 24) | (_ret >> 24) | \
|
||||||
((_ret << 8) & 0x00FF0000) | \
|
((_ret << 8) & 0x00FF0000) | \
|
||||||
((_ret >> 8) & 0x0000FF00)); \
|
((_ret >> 8) & 0x0000FF00)); \
|
||||||
})
|
})
|
||||||
|
|
||||||
#ifdef AFL_LLVM_PASS
|
#ifdef AFL_LLVM_PASS
|
||||||
# define AFL_R(x) (random() % (x))
|
# define AFL_R(x) (random() % (x))
|
||||||
#else
|
#else
|
||||||
# define R(x) (random() % (x))
|
# define R(x) (random() % (x))
|
||||||
#endif /* ^AFL_LLVM_PASS */
|
#endif /* ^AFL_LLVM_PASS */
|
||||||
|
|
||||||
#define STRINGIFY_INTERNAL(x) #x
|
#define STRINGIFY_INTERNAL(x) #x
|
||||||
#define STRINGIFY(x) STRINGIFY_INTERNAL(x)
|
#define STRINGIFY(x) STRINGIFY_INTERNAL(x)
|
||||||
|
|
||||||
#define MEM_BARRIER() \
|
#define MEM_BARRIER() \
|
||||||
__asm__ volatile("" ::: "memory")
|
__asm__ volatile("" ::: "memory")
|
||||||
|
|
||||||
#define likely(_x) __builtin_expect(!!(_x), 1)
|
#define likely(_x) __builtin_expect(!!(_x), 1)
|
||||||
#define unlikely(_x) __builtin_expect(!!(_x), 0)
|
#define unlikely(_x) __builtin_expect(!!(_x), 0)
|
||||||
|
|
||||||
#endif /* ! _HAVE_TYPES_H */
|
#endif /* ! _HAVE_TYPES_H */
|
||||||
|
Loading…
Reference in new issue