m5cn9itjr
/
AFL
1
0
Fork 0
Code Issues Pull Requests 2 Packages Projects Releases 1 Wiki Activity

Compare commits

base: m5cn9itjr:f61a973efeb2ff30153bc3da1993e8b9a14b3c6c
Branches Tags
m5cn9itjr:main
m5cn9itjr:develop_ShangShuo
m5cn9itjr:developer
m5cn9itjr:develop_LiYanda
m5cn9itjr:develop_MaAo
m5cn9itjr:develop_XiangWeiyang
..
compare: m5cn9itjr:65b14554f7010fd14d3fe6a12b47feddfa789221
Branches Tags
m5cn9itjr:main
m5cn9itjr:develop_ShangShuo
m5cn9itjr:developer
m5cn9itjr:develop_LiYanda
m5cn9itjr:develop_MaAo
m5cn9itjr:develop_XiangWeiyang

4 Commits
f61a973efe ... 65b14554f7

Author SHA1 Message Date
dongloong 65b14554f7 刘昊冬
1 month ago
dongloong e039455018 modified: afl-fuzz.c
1 month ago
dongloong a1b98e3773 Merge remote-tracking branch 'remotes/origin/developer' into developer
1 month ago
BagPipeOuO a06b0af75d Merge branch 'main' of https://bdgit.educoder.net/m5cn9itjr/AFL
1 month ago
22 changed files with 15751 additions and 15897 deletions
Show Stats

56
CONTRIBUTING.md
Unescape View File

@ -1,28 +1,28 @@
# How to Contribute # How to Contribute
We'd love to accept your patches and contributions to this project. There are We'd love to accept your patches and contributions to this project. There are
just a few small guidelines you need to follow. just a few small guidelines you need to follow.
## Contributor License Agreement ## Contributor License Agreement
Contributions to this project must be accompanied by a Contributor License Contributions to this project must be accompanied by a Contributor License
Agreement. You (or your employer) retain the copyright to your contribution; Agreement. You (or your employer) retain the copyright to your contribution;
this simply gives us permission to use and redistribute your contributions as this simply gives us permission to use and redistribute your contributions as
part of the project. Head over to <https://cla.developers.google.com/> to see part of the project. Head over to <https://cla.developers.google.com/> to see
your current agreements on file or to sign a new one. your current agreements on file or to sign a new one.
You generally only need to submit a CLA once, so if you've already submitted one You generally only need to submit a CLA once, so if you've already submitted one
(even if it was for a different project), you probably don't need to do it (even if it was for a different project), you probably don't need to do it
again. again.
## Code reviews ## Code reviews
All submissions, including submissions by project members, require review. We All submissions, including submissions by project members, require review. We
use GitHub pull requests for this purpose. Consult use GitHub pull requests for this purpose. Consult
[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
information on using pull requests. information on using pull requests.
## Community Guidelines ## Community Guidelines
This project follows [Google's Open Source Community This project follows [Google's Open Source Community
Guidelines](https://opensource.google.com/conduct/). Guidelines](https://opensource.google.com/conduct/).

404
LICENSE
Unescape View File

@ -1,202 +1,202 @@
Apache License Apache License
Version 2.0, January 2004 Version 2.0, January 2004
http://www.apache.org/licenses/ http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions. 1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, "License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document. and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by "Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License. the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all "Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition, control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the "control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity. outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity "You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License. exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, "Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation including but not limited to software source code, documentation
source, and configuration files. source, and configuration files.
"Object" form shall mean any form resulting from mechanical "Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation, not limited to compiled object code, generated documentation,
and conversions to other media types. and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or "Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work copyright notice that is included in or attached to the work
(an example is provided in the Appendix below). (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object "Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of, separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof. the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including "Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted" the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems, communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution." designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity "Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work. subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of 2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual, this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of, copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form. Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of 3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual, this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made, (except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work, use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s) Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate granted to You under this License for that Work shall terminate
as of the date such litigation is filed. as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the 4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You modifications, and in Source or Object form, provided that You
meet the following conditions: meet the following conditions:
(a) You must give any other recipients of the Work or (a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices (b) You must cause any modified files to carry prominent notices
stating that You changed the files; and stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works (c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work, attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of excluding those notices that do not pertain to any part of
the Derivative Works; and the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its (d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or, documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed that such additional attribution notices cannot be construed
as modifying the License. as modifying the License.
You may add Your own copyright statement to Your modifications and You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use, for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License. the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, 5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions. this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions. with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade 6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor, names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file. origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or 7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS, Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License. risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, 8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise, whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special, liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill, Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages. has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing 9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer, the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity, and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify, of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability. of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work. APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]" boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier same "printed page" as the copyright notice for easier
identification within third-party archives. identification within third-party archives.
Copyright [yyyy] [name of copyright owner] Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.

306
Makefile
Unescape View File

@ -1,153 +1,153 @@
# #
# american fuzzy lop - makefile # american fuzzy lop - makefile
# ----------------------------- # -----------------------------
# #
# Written and maintained by Michal Zalewski <lcamtuf@google.com> # Written and maintained by Michal Zalewski <lcamtuf@google.com>
# #
# Copyright 2013, 2014, 2015, 2016, 2017 Google LLC All rights reserved. # Copyright 2013, 2014, 2015, 2016, 2017 Google LLC All rights reserved.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
# You may obtain a copy of the License at: # You may obtain a copy of the License at:
# #
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
PROGNAME = afl PROGNAME = afl
VERSION = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2) VERSION = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2)
PREFIX ?= /usr/local PREFIX ?= /usr/local
BIN_PATH = $(PREFIX)/bin BIN_PATH = $(PREFIX)/bin
HELPER_PATH = $(PREFIX)/lib/afl HELPER_PATH = $(PREFIX)/lib/afl
DOC_PATH = $(PREFIX)/share/doc/afl DOC_PATH = $(PREFIX)/share/doc/afl
MISC_PATH = $(PREFIX)/share/afl MISC_PATH = $(PREFIX)/share/afl
# PROGS intentionally omit afl-as, which gets installed elsewhere. # PROGS intentionally omit afl-as, which gets installed elsewhere.
PROGS = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze PROGS = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
SH_PROGS = afl-plot afl-cmin afl-whatsup SH_PROGS = afl-plot afl-cmin afl-whatsup
CFLAGS ?= -O3 -funroll-loops CFLAGS ?= -O3 -funroll-loops
CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \ -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
-DBIN_PATH=\"$(BIN_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\"
ifneq "$(filter Linux GNU%,$(shell uname))" "" ifneq "$(filter Linux GNU%,$(shell uname))" ""
LDFLAGS += -ldl LDFLAGS += -ldl
endif endif
ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
TEST_CC = afl-gcc TEST_CC = afl-gcc
else else
TEST_CC = afl-clang TEST_CC = afl-clang
endif endif
COMM_HDR = alloc-inl.h config.h debug.h types.h COMM_HDR = alloc-inl.h config.h debug.h types.h
all: test_x86 $(PROGS) afl-as test_build all_done all: test_x86 $(PROGS) afl-as test_build all_done
ifndef AFL_NO_X86 ifndef AFL_NO_X86
test_x86: test_x86:
@echo "[*] Checking for the ability to compile x86 code..." @echo "[*] Checking for the ability to compile x86 code..."
@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 ) @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
@rm -f .test @rm -f .test
@echo "[+] Everything seems to be working, ready to compile." @echo "[+] Everything seems to be working, ready to compile."
else else
test_x86: test_x86:
@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)." @echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
endif endif
afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86 afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86 afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
ln -sf afl-as as ln -sf afl-as as
afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86 afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86 afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86 afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86 afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86 afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
ifndef AFL_NO_X86 ifndef AFL_NO_X86
test_build: afl-gcc afl-as afl-showmap test_build: afl-gcc afl-as afl-showmap
@echo "[*] Testing the CC wrapper and instrumentation output..." @echo "[*] Testing the CC wrapper and instrumentation output..."
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
@rm -f test-instr @rm -f test-instr
@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
@echo "[+] All right, the instrumentation seems to be working!" @echo "[+] All right, the instrumentation seems to be working!"
else else
test_build: afl-gcc afl-as afl-showmap test_build: afl-gcc afl-as afl-showmap
@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)." @echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
endif endif
all_done: test_build all_done: test_build
@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
@echo "[+] All done! Be sure to review README - it's pretty short and useful." @echo "[+] All done! Be sure to review README - it's pretty short and useful."
@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
.NOTPARALLEL: clean .NOTPARALLEL: clean
clean: clean:
rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace
rm -rf out_dir qemu_mode/qemu-2.10.0 rm -rf out_dir qemu_mode/qemu-2.10.0
$(MAKE) -C llvm_mode clean $(MAKE) -C llvm_mode clean
$(MAKE) -C libdislocator clean $(MAKE) -C libdislocator clean
$(MAKE) -C libtokencap clean $(MAKE) -C libtokencap clean
install: all install: all
mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH) mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH) install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
rm -f $${DESTDIR}$(BIN_PATH)/afl-as rm -f $${DESTDIR}$(BIN_PATH)/afl-as
if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
ifndef AFL_TRACE_PC ifndef AFL_TRACE_PC
if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
else else
if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
endif endif
if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
install -m 755 afl-as $${DESTDIR}$(HELPER_PATH) install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
install -m 644 README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH) install -m 644 README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
cp -r testcases/ $${DESTDIR}$(MISC_PATH) cp -r testcases/ $${DESTDIR}$(MISC_PATH)
cp -r dictionaries/ $${DESTDIR}$(MISC_PATH) cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
publish: clean publish: clean
test "`basename $$PWD`" = "AFL" || exit 1 test "`basename $$PWD`" = "AFL" || exit 1
test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \ cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION) tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz ) ( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
cat docs/README >~/www/afl/README.txt cat docs/README >~/www/afl/README.txt
cat docs/status_screen.txt >~/www/afl/status_screen.txt cat docs/status_screen.txt >~/www/afl/status_screen.txt
cat docs/historical_notes.txt >~/www/afl/historical_notes.txt cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
cat docs/technical_details.txt >~/www/afl/technical_details.txt cat docs/technical_details.txt >~/www/afl/technical_details.txt
cat docs/ChangeLog >~/www/afl/ChangeLog.txt cat docs/ChangeLog >~/www/afl/ChangeLog.txt
cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
echo -n "$(VERSION)" >~/www/afl/version.txt echo -n "$(VERSION)" >~/www/afl/version.txt

2190
afl-analyze.c
View File

File diff suppressed because it is too large Load Diff

1114
afl-as.c
View File

File diff suppressed because it is too large Load Diff

1454
afl-as.h
View File

File diff suppressed because it is too large Load Diff

922
afl-cmin
Unescape View File

@ -1,461 +1,461 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# #
# american fuzzy lop - corpus minimization tool # american fuzzy lop - corpus minimization tool
# --------------------------------------------- # ---------------------------------------------
# #
# Written and maintained by Michal Zalewski <lcamtuf@google.com> # Written and maintained by Michal Zalewski <lcamtuf@google.com>
# #
# Copyright 2014, 2015 Google LLC All rights reserved. # Copyright 2014, 2015 Google LLC All rights reserved.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
# You may obtain a copy of the License at: # You may obtain a copy of the License at:
# #
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
# This tool tries to find the smallest subset of files in the input directory # This tool tries to find the smallest subset of files in the input directory
# that still trigger the full range of instrumentation data points seen in # that still trigger the full range of instrumentation data points seen in
# the starting corpus. This has two uses: # the starting corpus. This has two uses:
# #
# - Screening large corpora of input files before using them as a seed for # - Screening large corpora of input files before using them as a seed for
# afl-fuzz. The tool will remove functionally redundant files and likely # afl-fuzz. The tool will remove functionally redundant files and likely
# leave you with a much smaller set. # leave you with a much smaller set.
# #
# (In this case, you probably also want to consider running afl-tmin on # (In this case, you probably also want to consider running afl-tmin on
# the individual files later on to reduce their size.) # the individual files later on to reduce their size.)
# #
# - Minimizing the corpus generated organically by afl-fuzz, perhaps when # - Minimizing the corpus generated organically by afl-fuzz, perhaps when
# planning to feed it to more resource-intensive tools. The tool achieves # planning to feed it to more resource-intensive tools. The tool achieves
# this by removing all entries that used to trigger unique behaviors in the # this by removing all entries that used to trigger unique behaviors in the
# past, but have been made obsolete by later finds. # past, but have been made obsolete by later finds.
# #
# Note that the tool doesn't modify the files themselves. For that, you want # Note that the tool doesn't modify the files themselves. For that, you want
# afl-tmin. # afl-tmin.
# #
# This script must use bash because other shells may have hardcoded limits on # This script must use bash because other shells may have hardcoded limits on
# array sizes. # array sizes.
# #
echo "corpus minimization tool for afl-fuzz by <lcamtuf@google.com>" echo "corpus minimization tool for afl-fuzz by <lcamtuf@google.com>"
echo echo
######### #########
# SETUP # # SETUP #
######### #########
# Process command-line options... # Process command-line options...
MEM_LIMIT=100 MEM_LIMIT=100
TIMEOUT=none TIMEOUT=none
unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \ unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE
while getopts "+i:o:f:m:t:eQC" opt; do while getopts "+i:o:f:m:t:eQC" opt; do
case "$opt" in case "$opt" in
"i") "i")
IN_DIR="$OPTARG" IN_DIR="$OPTARG"
;; ;;
"o") "o")
OUT_DIR="$OPTARG" OUT_DIR="$OPTARG"
;; ;;
"f") "f")
STDIN_FILE="$OPTARG" STDIN_FILE="$OPTARG"
;; ;;
"m") "m")
MEM_LIMIT="$OPTARG" MEM_LIMIT="$OPTARG"
MEM_LIMIT_GIVEN=1 MEM_LIMIT_GIVEN=1
;; ;;
"t") "t")
TIMEOUT="$OPTARG" TIMEOUT="$OPTARG"
;; ;;
"e") "e")
EXTRA_PAR="$EXTRA_PAR -e" EXTRA_PAR="$EXTRA_PAR -e"
;; ;;
"C") "C")
export AFL_CMIN_CRASHES_ONLY=1 export AFL_CMIN_CRASHES_ONLY=1
;; ;;
"Q") "Q")
EXTRA_PAR="$EXTRA_PAR -Q" EXTRA_PAR="$EXTRA_PAR -Q"
test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250 test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
QEMU_MODE=1 QEMU_MODE=1
;; ;;
"?") "?")
exit 1 exit 1
;; ;;
esac esac
done done
shift $((OPTIND-1)) shift $((OPTIND-1))
TARGET_BIN="$1" TARGET_BIN="$1"
if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then
cat 1>&2 <<_EOF_ cat 1>&2 <<_EOF_
Usage: $0 [ options ] -- /path/to/target_app [ ... ] Usage: $0 [ options ] -- /path/to/target_app [ ... ]
Required parameters: Required parameters:
-i dir - input directory with the starting corpus -i dir - input directory with the starting corpus
-o dir - output directory for minimized files -o dir - output directory for minimized files
Execution control settings: Execution control settings:
-f file - location read by the fuzzed program (stdin) -f file - location read by the fuzzed program (stdin)
-m megs - memory limit for child process ($MEM_LIMIT MB) -m megs - memory limit for child process ($MEM_LIMIT MB)
-t msec - run time limit for child process (none) -t msec - run time limit for child process (none)
-Q - use binary-only instrumentation (QEMU mode) -Q - use binary-only instrumentation (QEMU mode)
Minimization settings: Minimization settings:
-C - keep crashing inputs, reject everything else -C - keep crashing inputs, reject everything else
-e - solve for edge coverage only, ignore hit counts -e - solve for edge coverage only, ignore hit counts
For additional tips, please consult docs/README. For additional tips, please consult docs/README.
_EOF_ _EOF_
exit 1 exit 1
fi fi
# Do a sanity check to discourage the use of /tmp, since we can't really # Do a sanity check to discourage the use of /tmp, since we can't really
# handle this safely from a shell script. # handle this safely from a shell script.
if [ "$AFL_ALLOW_TMP" = "" ]; then if [ "$AFL_ALLOW_TMP" = "" ]; then
echo "$IN_DIR" | grep -qE '^(/var)?/tmp/' echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
T1="$?" T1="$?"
echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/' echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
T2="$?" T2="$?"
echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/' echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
T3="$?" T3="$?"
echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/' echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
T4="$?" T4="$?"
echo "$PWD" | grep -qE '^(/var)?/tmp/' echo "$PWD" | grep -qE '^(/var)?/tmp/'
T5="$?" T5="$?"
if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2 echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
exit 1 exit 1
fi fi
fi fi
# If @@ is specified, but there's no -f, let's come up with a temporary input # If @@ is specified, but there's no -f, let's come up with a temporary input
# file name. # file name.
TRACE_DIR="$OUT_DIR/.traces" TRACE_DIR="$OUT_DIR/.traces"
if [ "$STDIN_FILE" = "" ]; then if [ "$STDIN_FILE" = "" ]; then
if echo "$*" | grep -qF '@@'; then if echo "$*" | grep -qF '@@'; then
STDIN_FILE="$TRACE_DIR/.cur_input" STDIN_FILE="$TRACE_DIR/.cur_input"
fi fi
fi fi
# Check for obvious errors. # Check for obvious errors.
if [ ! "$MEM_LIMIT" = "none" ]; then if [ ! "$MEM_LIMIT" = "none" ]; then
if [ "$MEM_LIMIT" -lt "5" ]; then if [ "$MEM_LIMIT" -lt "5" ]; then
echo "[-] Error: dangerously low memory limit." 1>&2 echo "[-] Error: dangerously low memory limit." 1>&2
exit 1 exit 1
fi fi
fi fi
if [ ! "$TIMEOUT" = "none" ]; then if [ ! "$TIMEOUT" = "none" ]; then
if [ "$TIMEOUT" -lt "10" ]; then if [ "$TIMEOUT" -lt "10" ]; then
echo "[-] Error: dangerously low timeout." 1>&2 echo "[-] Error: dangerously low timeout." 1>&2
exit 1 exit 1
fi fi
fi fi
if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then
TNEW="`which "$TARGET_BIN" 2>/dev/null`" TNEW="`which "$TARGET_BIN" 2>/dev/null`"
if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then
echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2 echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2
exit 1 exit 1
fi fi
TARGET_BIN="$TNEW" TARGET_BIN="$TNEW"
fi fi
if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" ]; then if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" ]; then
if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2 echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2
exit 1 exit 1
fi fi
fi fi
if [ ! -d "$IN_DIR" ]; then if [ ! -d "$IN_DIR" ]; then
echo "[-] Error: directory '$IN_DIR' not found." 1>&2 echo "[-] Error: directory '$IN_DIR' not found." 1>&2
exit 1 exit 1
fi fi
test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue" test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue"
find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null
rm -rf "$TRACE_DIR" 2>/dev/null rm -rf "$TRACE_DIR" 2>/dev/null
rmdir "$OUT_DIR" 2>/dev/null rmdir "$OUT_DIR" 2>/dev/null
if [ -d "$OUT_DIR" ]; then if [ -d "$OUT_DIR" ]; then
echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2 echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2
exit 1 exit 1
fi fi
mkdir -m 700 -p "$TRACE_DIR" || exit 1 mkdir -m 700 -p "$TRACE_DIR" || exit 1
if [ ! "$STDIN_FILE" = "" ]; then if [ ! "$STDIN_FILE" = "" ]; then
rm -f "$STDIN_FILE" || exit 1 rm -f "$STDIN_FILE" || exit 1
touch "$STDIN_FILE" || exit 1 touch "$STDIN_FILE" || exit 1
fi fi
if [ "$AFL_PATH" = "" ]; then if [ "$AFL_PATH" = "" ]; then
SHOWMAP="${0%/afl-cmin}/afl-showmap" SHOWMAP="${0%/afl-cmin}/afl-showmap"
else else
SHOWMAP="$AFL_PATH/afl-showmap" SHOWMAP="$AFL_PATH/afl-showmap"
fi fi
if [ ! -x "$SHOWMAP" ]; then if [ ! -x "$SHOWMAP" ]; then
echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2 echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2
rm -rf "$TRACE_DIR" rm -rf "$TRACE_DIR"
exit 1 exit 1
fi fi
IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`)) IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`))
if [ "$IN_COUNT" = "0" ]; then if [ "$IN_COUNT" = "0" ]; then
echo "[+] Hmm, no inputs in the target directory. Nothing to be done." echo "[+] Hmm, no inputs in the target directory. Nothing to be done."
rm -rf "$TRACE_DIR" rm -rf "$TRACE_DIR"
exit 1 exit 1
fi fi
FIRST_FILE=`ls "$IN_DIR" | head -1` FIRST_FILE=`ls "$IN_DIR" | head -1`
# Make sure that we're not dealing with a directory. # Make sure that we're not dealing with a directory.
if [ -d "$IN_DIR/$FIRST_FILE" ]; then if [ -d "$IN_DIR/$FIRST_FILE" ]; then
echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2 echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2
rm -rf "$TRACE_DIR" rm -rf "$TRACE_DIR"
exit 1 exit 1
fi fi
# Check for the more efficient way to copy files... # Check for the more efficient way to copy files...
if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then
CP_TOOL=ln CP_TOOL=ln
else else
CP_TOOL=cp CP_TOOL=cp
fi fi
# Make sure that we can actually get anything out of afl-showmap before we # Make sure that we can actually get anything out of afl-showmap before we
# waste too much time. # waste too much time.
echo "[*] Testing the target binary..." echo "[*] Testing the target binary..."
if [ "$STDIN_FILE" = "" ]; then if [ "$STDIN_FILE" = "" ]; then
AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE" AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE"
else else
cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE" cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE"
AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
fi fi
FIRST_COUNT=$((`grep -c . "$TRACE_DIR/.run_test"`)) FIRST_COUNT=$((`grep -c . "$TRACE_DIR/.run_test"`))
if [ "$FIRST_COUNT" -gt "0" ]; then if [ "$FIRST_COUNT" -gt "0" ]; then
echo "[+] OK, $FIRST_COUNT tuples recorded." echo "[+] OK, $FIRST_COUNT tuples recorded."
else else
echo "[-] Error: no instrumentation output detected (perhaps crash or timeout)." 1>&2 echo "[-] Error: no instrumentation output detected (perhaps crash or timeout)." 1>&2
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
exit 1 exit 1
fi fi
# Let's roll! # Let's roll!
############################# #############################
# STEP 1: COLLECTING TRACES # # STEP 1: COLLECTING TRACES #
############################# #############################
echo "[*] Obtaining traces for input files in '$IN_DIR'..." echo "[*] Obtaining traces for input files in '$IN_DIR'..."
( (
CUR=0 CUR=0
if [ "$STDIN_FILE" = "" ]; then if [ "$STDIN_FILE" = "" ]; then
while read -r fn; do while read -r fn; do
CUR=$((CUR+1)) CUR=$((CUR+1))
printf "\\r Processing file $CUR/$IN_COUNT... " printf "\\r Processing file $CUR/$IN_COUNT... "
"$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn" "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn"
done < <(ls "$IN_DIR") done < <(ls "$IN_DIR")
else else
while read -r fn; do while read -r fn; do
CUR=$((CUR+1)) CUR=$((CUR+1))
printf "\\r Processing file $CUR/$IN_COUNT... " printf "\\r Processing file $CUR/$IN_COUNT... "
cp "$IN_DIR/$fn" "$STDIN_FILE" cp "$IN_DIR/$fn" "$STDIN_FILE"
"$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" </dev/null
done < <(ls "$IN_DIR") done < <(ls "$IN_DIR")
fi fi
) )
echo echo
########################## ##########################
# STEP 2: SORTING TUPLES # # STEP 2: SORTING TUPLES #
########################## ##########################
# With this out of the way, we sort all tuples by popularity across all # With this out of the way, we sort all tuples by popularity across all
# datasets. The reasoning here is that we won't be able to avoid the files # datasets. The reasoning here is that we won't be able to avoid the files
# that trigger unique tuples anyway, so we will want to start with them and # that trigger unique tuples anyway, so we will want to start with them and
# see what's left. # see what's left.
echo "[*] Sorting trace sets (this may take a while)..." echo "[*] Sorting trace sets (this may take a while)..."
ls "$IN_DIR" | sed "s#^#$TRACE_DIR/#" | tr '\n' '\0' | xargs -0 -n 1 cat | \ ls "$IN_DIR" | sed "s#^#$TRACE_DIR/#" | tr '\n' '\0' | xargs -0 -n 1 cat | \
sort | uniq -c | sort -n >"$TRACE_DIR/.all_uniq" sort | uniq -c | sort -n >"$TRACE_DIR/.all_uniq"
TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`)) TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`))
echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files." echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files."
##################################### #####################################
# STEP 3: SELECTING CANDIDATE FILES # # STEP 3: SELECTING CANDIDATE FILES #
##################################### #####################################
# The next step is to find the best candidate for each tuple. The "best" # The next step is to find the best candidate for each tuple. The "best"
# part is understood simply as the smallest input that includes a particular # part is understood simply as the smallest input that includes a particular
# tuple in its trace. Empirical evidence suggests that this produces smaller # tuple in its trace. Empirical evidence suggests that this produces smaller
# datasets than more involved algorithms that could be still pulled off in # datasets than more involved algorithms that could be still pulled off in
# a shell script. # a shell script.
echo "[*] Finding best candidates for each tuple..." echo "[*] Finding best candidates for each tuple..."
CUR=0 CUR=0
while read -r fn; do while read -r fn; do
CUR=$((CUR+1)) CUR=$((CUR+1))
printf "\\r Processing file $CUR/$IN_COUNT... " printf "\\r Processing file $CUR/$IN_COUNT... "
sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list" sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list"
done < <(ls -rS "$IN_DIR") done < <(ls -rS "$IN_DIR")
echo echo
############################## ##############################
# STEP 4: LOADING CANDIDATES # # STEP 4: LOADING CANDIDATES #
############################## ##############################
# At this point, we have a file of tuple-file pairs, sorted by file size # At this point, we have a file of tuple-file pairs, sorted by file size
# in ascending order (as a consequence of ls -rS). By doing sort keyed # in ascending order (as a consequence of ls -rS). By doing sort keyed
# only by tuple (-k 1,1) and configured to output only the first line for # only by tuple (-k 1,1) and configured to output only the first line for
# every key (-s -u), we end up with the smallest file for each tuple. # every key (-s -u), we end up with the smallest file for each tuple.
echo "[*] Sorting candidate list (be patient)..." echo "[*] Sorting candidate list (be patient)..."
sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \ sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \
sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script" sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script"
if [ ! -s "$TRACE_DIR/.candidate_script" ]; then if [ ! -s "$TRACE_DIR/.candidate_script" ]; then
echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2 echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
exit 1 exit 1
fi fi
# The sed command converted the sorted list to a shell script that populates # The sed command converted the sorted list to a shell script that populates
# BEST_FILE[tuple]="fname". Let's load that! # BEST_FILE[tuple]="fname". Let's load that!
. "$TRACE_DIR/.candidate_script" . "$TRACE_DIR/.candidate_script"
########################## ##########################
# STEP 5: WRITING OUTPUT # # STEP 5: WRITING OUTPUT #
########################## ##########################
# The final trick is to grab the top pick for each tuple, unless said tuple is # The final trick is to grab the top pick for each tuple, unless said tuple is
# already set due to the inclusion of an earlier candidate; and then put all # already set due to the inclusion of an earlier candidate; and then put all
# tuples associated with the newly-added file to the "already have" list. The # tuples associated with the newly-added file to the "already have" list. The
# loop works from least popular tuples and toward the most common ones. # loop works from least popular tuples and toward the most common ones.
echo "[*] Processing candidates and writing output files..." echo "[*] Processing candidates and writing output files..."
CUR=0 CUR=0
touch "$TRACE_DIR/.already_have" touch "$TRACE_DIR/.already_have"
while read -r cnt tuple; do while read -r cnt tuple; do
CUR=$((CUR+1)) CUR=$((CUR+1))
printf "\\r Processing tuple $CUR/$TUPLE_COUNT... " printf "\\r Processing tuple $CUR/$TUPLE_COUNT... "
# If we already have this tuple, skip it. # If we already have this tuple, skip it.
grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue
FN=${BEST_FILE[tuple]} FN=${BEST_FILE[tuple]}
$CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN" $CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN"
if [ "$((CUR % 5))" = "0" ]; then if [ "$((CUR % 5))" = "0" ]; then
sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp" sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp"
mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have" mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have"
else else
cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have" cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have"
fi fi
done <"$TRACE_DIR/.all_uniq" done <"$TRACE_DIR/.all_uniq"
echo echo
OUT_COUNT=`ls -- "$OUT_DIR" | wc -l` OUT_COUNT=`ls -- "$OUT_DIR" | wc -l`
if [ "$OUT_COUNT" = "1" ]; then if [ "$OUT_COUNT" = "1" ]; then
echo "[!] WARNING: All test cases had the same traces, check syntax!" echo "[!] WARNING: All test cases had the same traces, check syntax!"
fi fi
echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'." echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'."
echo echo
test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR"
exit 0 exit 0

16248
afl-fuzz.c
View File

File diff suppressed because it is too large Load Diff

692
afl-gcc.c
Unescape View File

@ -1,346 +1,346 @@
/* /*
Copyright 2013 Google LLC All rights reserved. Copyright 2013 Google LLC All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at: You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
/* /*
american fuzzy lop - wrapper for GCC and clang american fuzzy lop - wrapper for GCC and clang
---------------------------------------------- ----------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com> Written and maintained by Michal Zalewski <lcamtuf@google.com>
This program is a drop-in replacement for GCC or clang. The most common way This program is a drop-in replacement for GCC or clang. The most common way
of using it is to pass the path to afl-gcc or afl-clang via CC when invoking of using it is to pass the path to afl-gcc or afl-clang via CC when invoking
./configure. ./configure.
(Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.) (Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.)
The wrapper needs to know the path to afl-as (renamed to 'as'). The default The wrapper needs to know the path to afl-as (renamed to 'as'). The default
is /usr/local/lib/afl/. A convenient way to specify alternative directories is /usr/local/lib/afl/. A convenient way to specify alternative directories
would be to set AFL_PATH. would be to set AFL_PATH.
If AFL_HARDEN is set, the wrapper will compile the target app with various If AFL_HARDEN is set, the wrapper will compile the target app with various
hardening options that may help detect memory management issues more hardening options that may help detect memory management issues more
reliably. You can also specify AFL_USE_ASAN to enable ASAN. reliably. You can also specify AFL_USE_ASAN to enable ASAN.
If you want to call a non-default compiler as a next step of the chain, If you want to call a non-default compiler as a next step of the chain,
specify its location via AFL_CC or AFL_CXX. specify its location via AFL_CC or AFL_CXX.
*/ */
#define AFL_MAIN #define AFL_MAIN
#include "config.h" #include "config.h"
#include "types.h" #include "types.h"
#include "debug.h" #include "debug.h"
#include "alloc-inl.h" #include "alloc-inl.h"
#include <stdio.h> #include <stdio.h>
#include <unistd.h> #include <unistd.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
static u8* as_path; /* Path to the AFL 'as' wrapper */ static u8* as_path; /* Path to the AFL 'as' wrapper */
static u8** cc_params; /* Parameters passed to the real CC */ static u8** cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 be_quiet, /* Quiet mode */ static u8 be_quiet, /* Quiet mode */
clang_mode; /* Invoked as afl-clang*? */ clang_mode; /* Invoked as afl-clang*? */
/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived /* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived
from argv[0]. If that fails, abort. */ from argv[0]. If that fails, abort. */
static void find_as(u8* argv0) { static void find_as(u8* argv0) {
u8 *afl_path = getenv("AFL_PATH"); u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp; u8 *slash, *tmp;
if (afl_path) { if (afl_path) {
tmp = alloc_printf("%s/as", afl_path); tmp = alloc_printf("%s/as", afl_path);
if (!access(tmp, X_OK)) { if (!access(tmp, X_OK)) {
as_path = afl_path; as_path = afl_path;
ck_free(tmp); ck_free(tmp);
return; return;
} }
ck_free(tmp); ck_free(tmp);
} }
slash = strrchr(argv0, '/'); slash = strrchr(argv0, '/');
if (slash) { if (slash) {
u8 *dir; u8 *dir;
*slash = 0; *slash = 0;
dir = ck_strdup(argv0); dir = ck_strdup(argv0);
*slash = '/'; *slash = '/';
tmp = alloc_printf("%s/afl-as", dir); tmp = alloc_printf("%s/afl-as", dir);
if (!access(tmp, X_OK)) { if (!access(tmp, X_OK)) {
as_path = dir; as_path = dir;
ck_free(tmp); ck_free(tmp);
return; return;
} }
ck_free(tmp); ck_free(tmp);
ck_free(dir); ck_free(dir);
} }
if (!access(AFL_PATH "/as", X_OK)) { if (!access(AFL_PATH "/as", X_OK)) {
as_path = AFL_PATH; as_path = AFL_PATH;
return; return;
} }
FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH"); FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH");
} }
/* Copy argv to cc_params, making the necessary edits. */ /* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) { static void edit_params(u32 argc, char** argv) {
u8 fortify_set = 0, asan_set = 0; u8 fortify_set = 0, asan_set = 0;
u8 *name; u8 *name;
#if defined(__FreeBSD__) && defined(__x86_64__) #if defined(__FreeBSD__) && defined(__x86_64__)
u8 m32_set = 0; u8 m32_set = 0;
#endif #endif
cc_params = ck_alloc((argc + 128) * sizeof(u8*)); cc_params = ck_alloc((argc + 128) * sizeof(u8*));
name = strrchr(argv[0], '/'); name = strrchr(argv[0], '/');
if (!name) name = argv[0]; else name++; if (!name) name = argv[0]; else name++;
if (!strncmp(name, "afl-clang", 9)) { if (!strncmp(name, "afl-clang", 9)) {
clang_mode = 1; clang_mode = 1;
setenv(CLANG_ENV_VAR, "1", 1); setenv(CLANG_ENV_VAR, "1", 1);
if (!strcmp(name, "afl-clang++")) { if (!strcmp(name, "afl-clang++")) {
u8* alt_cxx = getenv("AFL_CXX"); u8* alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++"; cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
} else { } else {
u8* alt_cc = getenv("AFL_CC"); u8* alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"clang"; cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
} }
} else { } else {
/* With GCJ and Eclipse installed, you can actually compile Java! The /* With GCJ and Eclipse installed, you can actually compile Java! The
instrumentation will work (amazingly). Alas, unhandled exceptions do instrumentation will work (amazingly). Alas, unhandled exceptions do
not call abort(), so afl-fuzz would need to be modified to equate not call abort(), so afl-fuzz would need to be modified to equate
non-zero exit codes with crash conditions when working with Java non-zero exit codes with crash conditions when working with Java
binaries. Meh. */ binaries. Meh. */
#ifdef __APPLE__ #ifdef __APPLE__
if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX"); if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX");
else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ"); else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ");
else cc_params[0] = getenv("AFL_CC"); else cc_params[0] = getenv("AFL_CC");
if (!cc_params[0]) { if (!cc_params[0]) {
SAYF("\n" cLRD "[-] " cRST SAYF("\n" cLRD "[-] " cRST
"On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n" "On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n"
" 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n" " 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n"
" set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n"); " set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n");
FATAL("AFL_CC or AFL_CXX required on MacOS X"); FATAL("AFL_CC or AFL_CXX required on MacOS X");
} }
#else #else
if (!strcmp(name, "afl-g++")) { if (!strcmp(name, "afl-g++")) {
u8* alt_cxx = getenv("AFL_CXX"); u8* alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++";
} else if (!strcmp(name, "afl-gcj")) { } else if (!strcmp(name, "afl-gcj")) {
u8* alt_cc = getenv("AFL_GCJ"); u8* alt_cc = getenv("AFL_GCJ");
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj"; cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj";
} else { } else {
u8* alt_cc = getenv("AFL_CC"); u8* alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc";
} }
#endif /* __APPLE__ */ #endif /* __APPLE__ */
} }
while (--argc) { while (--argc) {
u8* cur = *(++argv); u8* cur = *(++argv);
if (!strncmp(cur, "-B", 2)) { if (!strncmp(cur, "-B", 2)) {
if (!be_quiet) WARNF("-B is already set, overriding"); if (!be_quiet) WARNF("-B is already set, overriding");
if (!cur[2] && argc > 1) { argc--; argv++; } if (!cur[2] && argc > 1) { argc--; argv++; }
continue; continue;
} }
if (!strcmp(cur, "-integrated-as")) continue; if (!strcmp(cur, "-integrated-as")) continue;
if (!strcmp(cur, "-pipe")) continue; if (!strcmp(cur, "-pipe")) continue;
#if defined(__FreeBSD__) && defined(__x86_64__) #if defined(__FreeBSD__) && defined(__x86_64__)
if (!strcmp(cur, "-m32")) m32_set = 1; if (!strcmp(cur, "-m32")) m32_set = 1;
#endif #endif
if (!strcmp(cur, "-fsanitize=address") || if (!strcmp(cur, "-fsanitize=address") ||
!strcmp(cur, "-fsanitize=memory")) asan_set = 1; !strcmp(cur, "-fsanitize=memory")) asan_set = 1;
if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
cc_params[cc_par_cnt++] = cur; cc_params[cc_par_cnt++] = cur;
} }
cc_params[cc_par_cnt++] = "-B"; cc_params[cc_par_cnt++] = "-B";
cc_params[cc_par_cnt++] = as_path; cc_params[cc_par_cnt++] = as_path;
if (clang_mode) if (clang_mode)
cc_params[cc_par_cnt++] = "-no-integrated-as"; cc_params[cc_par_cnt++] = "-no-integrated-as";
if (getenv("AFL_HARDEN")) { if (getenv("AFL_HARDEN")) {
cc_params[cc_par_cnt++] = "-fstack-protector-all"; cc_params[cc_par_cnt++] = "-fstack-protector-all";
if (!fortify_set) if (!fortify_set)
cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
} }
if (asan_set) { if (asan_set) {
/* Pass this on to afl-as to adjust map density. */ /* Pass this on to afl-as to adjust map density. */
setenv("AFL_USE_ASAN", "1", 1); setenv("AFL_USE_ASAN", "1", 1);
} else if (getenv("AFL_USE_ASAN")) { } else if (getenv("AFL_USE_ASAN")) {
if (getenv("AFL_USE_MSAN")) if (getenv("AFL_USE_MSAN"))
FATAL("ASAN and MSAN are mutually exclusive"); FATAL("ASAN and MSAN are mutually exclusive");
if (getenv("AFL_HARDEN")) if (getenv("AFL_HARDEN"))
FATAL("ASAN and AFL_HARDEN are mutually exclusive"); FATAL("ASAN and AFL_HARDEN are mutually exclusive");
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=address"; cc_params[cc_par_cnt++] = "-fsanitize=address";
} else if (getenv("AFL_USE_MSAN")) { } else if (getenv("AFL_USE_MSAN")) {
if (getenv("AFL_USE_ASAN")) if (getenv("AFL_USE_ASAN"))
FATAL("ASAN and MSAN are mutually exclusive"); FATAL("ASAN and MSAN are mutually exclusive");
if (getenv("AFL_HARDEN")) if (getenv("AFL_HARDEN"))
FATAL("MSAN and AFL_HARDEN are mutually exclusive"); FATAL("MSAN and AFL_HARDEN are mutually exclusive");
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=memory"; cc_params[cc_par_cnt++] = "-fsanitize=memory";
} }
if (!getenv("AFL_DONT_OPTIMIZE")) { if (!getenv("AFL_DONT_OPTIMIZE")) {
#if defined(__FreeBSD__) && defined(__x86_64__) #if defined(__FreeBSD__) && defined(__x86_64__)
/* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself /* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself
works OK. This has nothing to do with us, but let's avoid triggering works OK. This has nothing to do with us, but let's avoid triggering
that bug. */ that bug. */
if (!clang_mode || !m32_set) if (!clang_mode || !m32_set)
cc_params[cc_par_cnt++] = "-g"; cc_params[cc_par_cnt++] = "-g";
#else #else
cc_params[cc_par_cnt++] = "-g"; cc_params[cc_par_cnt++] = "-g";
#endif #endif
cc_params[cc_par_cnt++] = "-O3"; cc_params[cc_par_cnt++] = "-O3";
cc_params[cc_par_cnt++] = "-funroll-loops"; cc_params[cc_par_cnt++] = "-funroll-loops";
/* Two indicators that you're building for fuzzing; one of them is /* Two indicators that you're building for fuzzing; one of them is
AFL-specific, the other is shared with libfuzzer. */ AFL-specific, the other is shared with libfuzzer. */
cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"; cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
} }
if (getenv("AFL_NO_BUILTIN")) { if (getenv("AFL_NO_BUILTIN")) {
cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
} }
cc_params[cc_par_cnt] = NULL; cc_params[cc_par_cnt] = NULL;
} }
/* Main entry point */ /* Main entry point */
int main(int argc, char** argv) { int main(int argc, char** argv) {
if (isatty(2) && !getenv("AFL_QUIET")) { if (isatty(2) && !getenv("AFL_QUIET")) {
SAYF(cCYA "afl-cc " cBRI VERSION cRST " by <lcamtuf@google.com>\n"); SAYF(cCYA "afl-cc " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
} else be_quiet = 1; } else be_quiet = 1;
if (argc < 2) { if (argc < 2) {
SAYF("\n" SAYF("\n"
"This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n"
"for gcc or clang, letting you recompile third-party code with the required\n" "for gcc or clang, letting you recompile third-party code with the required\n"
"runtime instrumentation. A common use pattern would be one of the following:\n\n" "runtime instrumentation. A common use pattern would be one of the following:\n\n"
" CC=%s/afl-gcc ./configure\n" " CC=%s/afl-gcc ./configure\n"
" CXX=%s/afl-g++ ./configure\n\n" " CXX=%s/afl-g++ ./configure\n\n"
"You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n" "You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n"
"Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", "Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
BIN_PATH, BIN_PATH); BIN_PATH, BIN_PATH);
exit(1); exit(1);
} }
find_as(argv[0]); find_as(argv[0]);
edit_params(argc, argv); edit_params(argc, argv);
execvp(cc_params[0], (char**)cc_params); execvp(cc_params[0], (char**)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
return 0; return 0;
} }

520
afl-gotcpu.c
Unescape View File

@ -1,260 +1,260 @@
/* /*
Copyright 2015 Google LLC All rights reserved. Copyright 2015 Google LLC All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at: You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
/* /*
american fuzzy lop - free CPU gizmo american fuzzy lop - free CPU gizmo
----------------------------------- -----------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com> Written and maintained by Michal Zalewski <lcamtuf@google.com>
This tool provides a fairly accurate measurement of CPU preemption rate. This tool provides a fairly accurate measurement of CPU preemption rate.
It is meant to complement the quick-and-dirty load average widget shown It is meant to complement the quick-and-dirty load average widget shown
in the afl-fuzz UI. See docs/parallel_fuzzing.txt for more info. in the afl-fuzz UI. See docs/parallel_fuzzing.txt for more info.
For some work loads, the tool may actually suggest running more instances For some work loads, the tool may actually suggest running more instances
than you have CPU cores. This can happen if the tested program is spending than you have CPU cores. This can happen if the tested program is spending
a portion of its run time waiting for I/O, rather than being 100% a portion of its run time waiting for I/O, rather than being 100%
CPU-bound. CPU-bound.
The idea for the getrusage()-based approach comes from Jakub Wilk. The idea for the getrusage()-based approach comes from Jakub Wilk.
*/ */
#define AFL_MAIN #define AFL_MAIN
#include "android-ashmem.h" #include "android-ashmem.h"
#define _GNU_SOURCE #define _GNU_SOURCE
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
#include <sched.h> #include <sched.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/times.h> #include <sys/times.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <sys/wait.h> #include <sys/wait.h>
#include "types.h" #include "types.h"
#include "debug.h" #include "debug.h"
#ifdef __linux__ #ifdef __linux__
# define HAVE_AFFINITY 1 # define HAVE_AFFINITY 1
#endif /* __linux__ */ #endif /* __linux__ */
/* Get unix time in microseconds. */ /* Get unix time in microseconds. */
static u64 get_cur_time_us(void) { static u64 get_cur_time_us(void) {
struct timeval tv; struct timeval tv;
struct timezone tz; struct timezone tz;
gettimeofday(&tv, &tz); gettimeofday(&tv, &tz);
return (tv.tv_sec * 1000000ULL) + tv.tv_usec; return (tv.tv_sec * 1000000ULL) + tv.tv_usec;
} }
/* Get CPU usage in microseconds. */ /* Get CPU usage in microseconds. */
static u64 get_cpu_usage_us(void) { static u64 get_cpu_usage_us(void) {
struct rusage u; struct rusage u;
getrusage(RUSAGE_SELF, &u); getrusage(RUSAGE_SELF, &u);
return (u.ru_utime.tv_sec * 1000000ULL) + u.ru_utime.tv_usec + return (u.ru_utime.tv_sec * 1000000ULL) + u.ru_utime.tv_usec +
(u.ru_stime.tv_sec * 1000000ULL) + u.ru_stime.tv_usec; (u.ru_stime.tv_sec * 1000000ULL) + u.ru_stime.tv_usec;
} }
/* Measure preemption rate. */ /* Measure preemption rate. */
static u32 measure_preemption(u32 target_ms) { static u32 measure_preemption(u32 target_ms) {
static volatile u32 v1, v2; static volatile u32 v1, v2;
u64 st_t, en_t, st_c, en_c, real_delta, slice_delta; u64 st_t, en_t, st_c, en_c, real_delta, slice_delta;
s32 loop_repeats = 0; s32 loop_repeats = 0;
st_t = get_cur_time_us(); st_t = get_cur_time_us();
st_c = get_cpu_usage_us(); st_c = get_cpu_usage_us();
repeat_loop: repeat_loop:
v1 = CTEST_BUSY_CYCLES; v1 = CTEST_BUSY_CYCLES;
while (v1--) v2++; while (v1--) v2++;
sched_yield(); sched_yield();
en_t = get_cur_time_us(); en_t = get_cur_time_us();
if (en_t - st_t < target_ms * 1000) { if (en_t - st_t < target_ms * 1000) {
loop_repeats++; loop_repeats++;
goto repeat_loop; goto repeat_loop;
} }
/* Let's see what percentage of this time we actually had a chance to /* Let's see what percentage of this time we actually had a chance to
run, and how much time was spent in the penalty box. */ run, and how much time was spent in the penalty box. */
en_c = get_cpu_usage_us(); en_c = get_cpu_usage_us();
real_delta = (en_t - st_t) / 1000; real_delta = (en_t - st_t) / 1000;
slice_delta = (en_c - st_c) / 1000; slice_delta = (en_c - st_c) / 1000;
return real_delta * 100 / slice_delta; return real_delta * 100 / slice_delta;
} }
/* Do the benchmark thing. */ /* Do the benchmark thing. */
int main(int argc, char** argv) { int main(int argc, char** argv) {
#ifdef HAVE_AFFINITY #ifdef HAVE_AFFINITY
u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN), u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN),
idle_cpus = 0, maybe_cpus = 0, i; idle_cpus = 0, maybe_cpus = 0, i;
SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <lcamtuf@google.com>\n"); SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...", ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...",
((double)CTEST_CORE_TRG_MS) / 1000); ((double)CTEST_CORE_TRG_MS) / 1000);
for (i = 0; i < cpu_cnt; i++) { for (i = 0; i < cpu_cnt; i++) {
s32 fr = fork(); s32 fr = fork();
if (fr < 0) PFATAL("fork failed"); if (fr < 0) PFATAL("fork failed");
if (!fr) { if (!fr) {
cpu_set_t c; cpu_set_t c;
u32 util_perc; u32 util_perc;
CPU_ZERO(&c); CPU_ZERO(&c);
CPU_SET(i, &c); CPU_SET(i, &c);
if (sched_setaffinity(0, sizeof(c), &c)) if (sched_setaffinity(0, sizeof(c), &c))
PFATAL("sched_setaffinity failed for cpu %d", i); PFATAL("sched_setaffinity failed for cpu %d", i);
util_perc = measure_preemption(CTEST_CORE_TRG_MS); util_perc = measure_preemption(CTEST_CORE_TRG_MS);
if (util_perc < 110) { if (util_perc < 110) {
SAYF(" Core #%u: " cLGN "AVAILABLE " cRST "(%u%%)\n", i, util_perc); SAYF(" Core #%u: " cLGN "AVAILABLE " cRST "(%u%%)\n", i, util_perc);
exit(0); exit(0);
} else if (util_perc < 250) { } else if (util_perc < 250) {
SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc); SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc);
exit(1); exit(1);
} }
SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i, SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i,
util_perc); util_perc);
exit(2); exit(2);
} }
} }
for (i = 0; i < cpu_cnt; i++) { for (i = 0; i < cpu_cnt; i++) {
int ret; int ret;
if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed"); if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed");
if (WEXITSTATUS(ret) == 0) idle_cpus++; if (WEXITSTATUS(ret) == 0) idle_cpus++;
if (WEXITSTATUS(ret) <= 1) maybe_cpus++; if (WEXITSTATUS(ret) <= 1) maybe_cpus++;
} }
SAYF(cGRA "\n>>> "); SAYF(cGRA "\n>>> ");
if (idle_cpus) { if (idle_cpus) {
if (maybe_cpus == idle_cpus) { if (maybe_cpus == idle_cpus) {
SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.", SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.",
idle_cpus, idle_cpus > 1 ? "s" : ""); idle_cpus, idle_cpus > 1 ? "s" : "");
} else { } else {
SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.", SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.",
idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : ""); idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : "");
} }
SAYF(cGRA " <<<" cRST "\n\n"); SAYF(cGRA " <<<" cRST "\n\n");
return 0; return 0;
} }
if (maybe_cpus) { if (maybe_cpus) {
SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.", SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.",
maybe_cpus, maybe_cpus > 1 ? "s" : ""); maybe_cpus, maybe_cpus > 1 ? "s" : "");
SAYF(cGRA " <<<" cRST "\n\n"); SAYF(cGRA " <<<" cRST "\n\n");
return 1; return 1;
} }
SAYF(cLRD "FAIL: " cRST "All cores are overbooked."); SAYF(cLRD "FAIL: " cRST "All cores are overbooked.");
SAYF(cGRA " <<<" cRST "\n\n"); SAYF(cGRA " <<<" cRST "\n\n");
return 2; return 2;
#else #else
u32 util_perc; u32 util_perc;
SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <lcamtuf@google.com>\n"); SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
/* Run a busy loop for CTEST_TARGET_MS. */ /* Run a busy loop for CTEST_TARGET_MS. */
ACTF("Measuring gross preemption rate (this will take %0.02f sec)...", ACTF("Measuring gross preemption rate (this will take %0.02f sec)...",
((double)CTEST_TARGET_MS) / 1000); ((double)CTEST_TARGET_MS) / 1000);
util_perc = measure_preemption(CTEST_TARGET_MS); util_perc = measure_preemption(CTEST_TARGET_MS);
/* Deliver the final verdict. */ /* Deliver the final verdict. */
SAYF(cGRA "\n>>> "); SAYF(cGRA "\n>>> ");
if (util_perc < 105) { if (util_perc < 105) {
SAYF(cLGN "PASS: " cRST "You can probably run additional processes."); SAYF(cLGN "PASS: " cRST "You can probably run additional processes.");
} else if (util_perc < 130) { } else if (util_perc < 130) {
SAYF(cYEL "CAUTION: " cRST "Your CPU may be somewhat overbooked (%u%%).", SAYF(cYEL "CAUTION: " cRST "Your CPU may be somewhat overbooked (%u%%).",
util_perc); util_perc);
} else { } else {
SAYF(cLRD "FAIL: " cRST "Your CPU is overbooked (%u%%).", util_perc); SAYF(cLRD "FAIL: " cRST "Your CPU is overbooked (%u%%).", util_perc);
} }
SAYF(cGRA " <<<" cRST "\n\n"); SAYF(cGRA " <<<" cRST "\n\n");
return (util_perc > 105) + (util_perc > 130); return (util_perc > 105) + (util_perc > 130);
#endif /* ^HAVE_AFFINITY */ #endif /* ^HAVE_AFFINITY */
} }

340
afl-plot
Unescape View File

@ -1,170 +1,170 @@
#!/bin/sh #!/bin/sh
# #
# american fuzzy lop - Advanced Persistent Graphing # american fuzzy lop - Advanced Persistent Graphing
# ------------------------------------------------- # -------------------------------------------------
# #
# Written and maintained by Michal Zalewski <lcamtuf@google.com> # Written and maintained by Michal Zalewski <lcamtuf@google.com>
# Based on a design & prototype by Michael Rash. # Based on a design & prototype by Michael Rash.
# #
# Copyright 2014, 2015 Google LLC All rights reserved. # Copyright 2014, 2015 Google LLC All rights reserved.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
# You may obtain a copy of the License at: # You may obtain a copy of the License at:
# #
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>" echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>"
echo echo
if [ ! "$#" = "2" ]; then if [ ! "$#" = "2" ]; then
cat 1>&2 <<_EOF_ cat 1>&2 <<_EOF_
This program generates gnuplot images from afl-fuzz output data. Usage: This program generates gnuplot images from afl-fuzz output data. Usage:
$0 afl_state_dir graph_output_dir $0 afl_state_dir graph_output_dir
The afl_state_dir parameter should point to an existing state directory for any The afl_state_dir parameter should point to an existing state directory for any
active or stopped instance of afl-fuzz; while graph_output_dir should point to active or stopped instance of afl-fuzz; while graph_output_dir should point to
an empty directory where this tool can write the resulting plots to. an empty directory where this tool can write the resulting plots to.
The program will put index.html and three PNG images in the output directory; The program will put index.html and three PNG images in the output directory;
you should be able to view it with any web browser of your choice. you should be able to view it with any web browser of your choice.
_EOF_ _EOF_
exit 1 exit 1
fi fi
if [ "$AFL_ALLOW_TMP" = "" ]; then if [ "$AFL_ALLOW_TMP" = "" ]; then
echo "$1" | grep -qE '^(/var)?/tmp/' echo "$1" | grep -qE '^(/var)?/tmp/'
T1="$?" T1="$?"
echo "$2" | grep -qE '^(/var)?/tmp/' echo "$2" | grep -qE '^(/var)?/tmp/'
T2="$?" T2="$?"
if [ "$T1" = "0" -o "$T2" = "0" ]; then if [ "$T1" = "0" -o "$T2" = "0" ]; then
echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2 echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
exit 1 exit 1
fi fi
fi fi
if [ ! -f "$1/plot_data" ]; then if [ ! -f "$1/plot_data" ]; then
echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2 echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2
exit 1 exit 1
fi fi
BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`" BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
test "$BANNER" = "" && BANNER="(none)" test "$BANNER" = "" && BANNER="(none)"
GNUPLOT=`which gnuplot 2>/dev/null` GNUPLOT=`which gnuplot 2>/dev/null`
if [ "$GNUPLOT" = "" ]; then if [ "$GNUPLOT" = "" ]; then
echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2 echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2
exit 1 exit 1
fi fi
mkdir "$2" 2>/dev/null mkdir "$2" 2>/dev/null
if [ ! -d "$2" ]; then if [ ! -d "$2" ]; then
echo "[-] Error: unable to create the output directory - pick another location." 1>&2 echo "[-] Error: unable to create the output directory - pick another location." 1>&2
exit 1 exit 1
fi fi
rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png"
mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null
echo "[*] Generating plots..." echo "[*] Generating plots..."
( (
cat <<_EOF_ cat <<_EOF_
set terminal png truecolor enhanced size 1000,300 butt set terminal png truecolor enhanced size 1000,300 butt
set output '$2/high_freq.png' set output '$2/high_freq.png'
set xdata time set xdata time
set timefmt '%s' set timefmt '%s'
set format x "%b %d\n%H:%M" set format x "%b %d\n%H:%M"
set tics font 'small' set tics font 'small'
unset mxtics unset mxtics
unset mytics unset mytics
set grid xtics linetype 0 linecolor rgb '#e0e0e0' set grid xtics linetype 0 linecolor rgb '#e0e0e0'
set grid ytics linetype 0 linecolor rgb '#e0e0e0' set grid ytics linetype 0 linecolor rgb '#e0e0e0'
set border linecolor rgb '#50c0f0' set border linecolor rgb '#50c0f0'
set tics textcolor rgb '#000000' set tics textcolor rgb '#000000'
set key outside set key outside
set autoscale xfixmin set autoscale xfixmin
set autoscale xfixmax set autoscale xfixmax
plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\ plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
'' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\ '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
'' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\ '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\
'' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\ '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\
'' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3 '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3
set terminal png truecolor enhanced size 1000,200 butt set terminal png truecolor enhanced size 1000,200 butt
set output '$2/low_freq.png' set output '$2/low_freq.png'
plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\ plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
'' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\ '' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\
'' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\ '' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\
'' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3 '' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3
set terminal png truecolor enhanced size 1000,200 butt set terminal png truecolor enhanced size 1000,200 butt
set output '$2/exec_speed.png' set output '$2/exec_speed.png'
plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\ plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
'$1/plot_data' using 1:11 with lines title ' execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier; '$1/plot_data' using 1:11 with lines title ' execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
_EOF_ _EOF_
) | gnuplot ) | gnuplot
if [ ! -s "$2/exec_speed.png" ]; then if [ ! -s "$2/exec_speed.png" ]; then
echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2 echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2
exit 1 exit 1
fi fi
echo "[*] Generating index.html..." echo "[*] Generating index.html..."
cat >"$2/index.html" <<_EOF_ cat >"$2/index.html" <<_EOF_
<table style="font-family: 'Trebuchet MS', 'Tahoma', 'Arial', 'Helvetica'"> <table style="font-family: 'Trebuchet MS', 'Tahoma', 'Arial', 'Helvetica'">
<tr><td style="width: 18ex"><b>Banner:</b></td><td>$BANNER</td></tr> <tr><td style="width: 18ex"><b>Banner:</b></td><td>$BANNER</td></tr>
<tr><td><b>Directory:</b></td><td>$1</td></tr> <tr><td><b>Directory:</b></td><td>$1</td></tr>
<tr><td><b>Generated on:</b></td><td>`date`</td></tr> <tr><td><b>Generated on:</b></td><td>`date`</td></tr>
</table> </table>
<p> <p>
<img src="high_freq.png" width=1000 height=300><p> <img src="high_freq.png" width=1000 height=300><p>
<img src="low_freq.png" width=1000 height=200><p> <img src="low_freq.png" width=1000 height=200><p>
<img src="exec_speed.png" width=1000 height=200> <img src="exec_speed.png" width=1000 height=200>
_EOF_ _EOF_
# Make it easy to remotely view results when outputting directly to a directory # Make it easy to remotely view results when outputting directly to a directory
# served by Apache or other HTTP daemon. Since the plots aren't horribly # served by Apache or other HTTP daemon. Since the plots aren't horribly
# sensitive, this seems like a reasonable trade-off. # sensitive, this seems like a reasonable trade-off.
chmod 755 "$2" chmod 755 "$2"
chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html" chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html"
echo "[+] All done - enjoy your charts!" echo "[+] All done - enjoy your charts!"
exit 0 exit 0

1590
afl-showmap.c
View File

File diff suppressed because it is too large Load Diff

2346
afl-tmin.c
View File

File diff suppressed because it is too large Load Diff

326
afl-whatsup
Unescape View File

@ -1,163 +1,163 @@
#!/bin/sh #!/bin/sh
# #
# american fuzzy lop - status check tool # american fuzzy lop - status check tool
# -------------------------------------- # --------------------------------------
# #
# Written and maintained by Michal Zalewski <lcamtuf@google.com> # Written and maintained by Michal Zalewski <lcamtuf@google.com>
# #
# Copyright 2015 Google LLC All rights reserved. # Copyright 2015 Google LLC All rights reserved.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
# You may obtain a copy of the License at: # You may obtain a copy of the License at:
# #
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
# This tool summarizes the status of any locally-running synchronized # This tool summarizes the status of any locally-running synchronized
# instances of afl-fuzz. # instances of afl-fuzz.
# #
echo "status check tool for afl-fuzz by <lcamtuf@google.com>" echo "status check tool for afl-fuzz by <lcamtuf@google.com>"
echo echo
if [ "$1" = "-s" ]; then if [ "$1" = "-s" ]; then
SUMMARY_ONLY=1 SUMMARY_ONLY=1
DIR="$2" DIR="$2"
else else
unset SUMMARY_ONLY unset SUMMARY_ONLY
DIR="$1" DIR="$1"
fi fi
if [ "$DIR" = "" ]; then if [ "$DIR" = "" ]; then
echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2 echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2
echo 1>&2 echo 1>&2
echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2 echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2
echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2 echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2
echo 1>&2 echo 1>&2
exit 1 exit 1
fi fi
cd "$DIR" || exit 1 cd "$DIR" || exit 1
if [ -d queue ]; then if [ -d queue ]; then
echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2 echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2
exit 1 exit 1
fi fi
CUR_TIME=`date +%s` CUR_TIME=`date +%s`
TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1 TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
ALIVE_CNT=0 ALIVE_CNT=0
DEAD_CNT=0 DEAD_CNT=0
TOTAL_TIME=0 TOTAL_TIME=0
TOTAL_EXECS=0 TOTAL_EXECS=0
TOTAL_EPS=0 TOTAL_EPS=0
TOTAL_CRASHES=0 TOTAL_CRASHES=0
TOTAL_PFAV=0 TOTAL_PFAV=0
TOTAL_PENDING=0 TOTAL_PENDING=0
if [ "$SUMMARY_ONLY" = "" ]; then if [ "$SUMMARY_ONLY" = "" ]; then
echo "Individual fuzzers" echo "Individual fuzzers"
echo "==================" echo "=================="
echo echo
fi fi
for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP" sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
. "$TMP" . "$TMP"
RUN_UNIX=$((CUR_TIME - start_time)) RUN_UNIX=$((CUR_TIME - start_time))
RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24)) RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24))
RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24)) RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24))
if [ "$SUMMARY_ONLY" = "" ]; then if [ "$SUMMARY_ONLY" = "" ]; then
echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<" echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<"
echo echo
fi fi
if ! kill -0 "$fuzzer_pid" 2>/dev/null; then if ! kill -0 "$fuzzer_pid" 2>/dev/null; then
if [ "$SUMMARY_ONLY" = "" ]; then if [ "$SUMMARY_ONLY" = "" ]; then
echo " Instance is dead or running remotely, skipping." echo " Instance is dead or running remotely, skipping."
echo echo
fi fi
DEAD_CNT=$((DEAD_CNT + 1)) DEAD_CNT=$((DEAD_CNT + 1))
continue continue
fi fi
ALIVE_CNT=$((ALIVE_CNT + 1)) ALIVE_CNT=$((ALIVE_CNT + 1))
EXEC_SEC=$((execs_done / RUN_UNIX)) EXEC_SEC=$((execs_done / RUN_UNIX))
PATH_PERC=$((cur_path * 100 / paths_total)) PATH_PERC=$((cur_path * 100 / paths_total))
TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX)) TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC)) TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC))
TOTAL_EXECS=$((TOTAL_EXECS + execs_done)) TOTAL_EXECS=$((TOTAL_EXECS + execs_done))
TOTAL_CRASHES=$((TOTAL_CRASHES + unique_crashes)) TOTAL_CRASHES=$((TOTAL_CRASHES + unique_crashes))
TOTAL_PENDING=$((TOTAL_PENDING + pending_total)) TOTAL_PENDING=$((TOTAL_PENDING + pending_total))
TOTAL_PFAV=$((TOTAL_PFAV + pending_favs)) TOTAL_PFAV=$((TOTAL_PFAV + pending_favs))
if [ "$SUMMARY_ONLY" = "" ]; then if [ "$SUMMARY_ONLY" = "" ]; then
echo " cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)" echo " cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)"
if [ "$unique_crashes" = "0" ]; then if [ "$unique_crashes" = "0" ]; then
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet" echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet"
else else
echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crash count $unique_crashes (!)" echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crash count $unique_crashes (!)"
fi fi
echo echo
fi fi
done done
rm -f "$TMP" rm -f "$TMP"
TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24)) TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24))
TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24)) TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24))
test "$TOTAL_TIME" = "0" && TOTAL_TIME=1 test "$TOTAL_TIME" = "0" && TOTAL_TIME=1
echo "Summary stats" echo "Summary stats"
echo "=============" echo "============="
echo echo
echo " Fuzzers alive : $ALIVE_CNT" echo " Fuzzers alive : $ALIVE_CNT"
if [ ! "$DEAD_CNT" = "0" ]; then if [ ! "$DEAD_CNT" = "0" ]; then
echo " Dead or remote : $DEAD_CNT (excluded from stats)" echo " Dead or remote : $DEAD_CNT (excluded from stats)"
fi fi
echo " Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours" echo " Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours"
echo " Total execs : $((TOTAL_EXECS / 1000 / 1000)) million" echo " Total execs : $((TOTAL_EXECS / 1000 / 1000)) million"
echo " Cumulative speed : $TOTAL_EPS execs/sec" echo " Cumulative speed : $TOTAL_EPS execs/sec"
echo " Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total" echo " Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total"
if [ "$ALIVE_CNT" -gt "1" ]; then if [ "$ALIVE_CNT" -gt "1" ]; then
echo " Pending per fuzzer : $((TOTAL_PFAV/ALIVE_CNT)) faves, $((TOTAL_PENDING/ALIVE_CNT)) total (on average)" echo " Pending per fuzzer : $((TOTAL_PFAV/ALIVE_CNT)) faves, $((TOTAL_PENDING/ALIVE_CNT)) total (on average)"
fi fi
echo " Crashes found : $TOTAL_CRASHES locally unique" echo " Crashes found : $TOTAL_CRASHES locally unique"
echo echo
exit 0 exit 0

1154
alloc-inl.h
View File

File diff suppressed because it is too large Load Diff

164
android-ashmem.h
Unescape View File

@ -1,82 +1,82 @@
#ifdef __ANDROID__ #ifdef __ANDROID__
#ifndef _ANDROID_ASHMEM_H #ifndef _ANDROID_ASHMEM_H
#define _ANDROID_ASHMEM_H #define _ANDROID_ASHMEM_H
#include <fcntl.h> #include <fcntl.h>
#include <linux/ashmem.h> #include <linux/ashmem.h>
#include <linux/shm.h> #include <linux/shm.h>
#include <sys/ioctl.h> #include <sys/ioctl.h>
#include <sys/mman.h> #include <sys/mman.h>
#if __ANDROID_API__ >= 26 #if __ANDROID_API__ >= 26
#define shmat bionic_shmat #define shmat bionic_shmat
#define shmctl bionic_shmctl #define shmctl bionic_shmctl
#define shmdt bionic_shmdt #define shmdt bionic_shmdt
#define shmget bionic_shmget #define shmget bionic_shmget
#endif #endif
#include <sys/shm.h> #include <sys/shm.h>
#undef shmat #undef shmat
#undef shmctl #undef shmctl
#undef shmdt #undef shmdt
#undef shmget #undef shmget
#include <stdio.h> #include <stdio.h>
#define ASHMEM_DEVICE "/dev/ashmem" #define ASHMEM_DEVICE "/dev/ashmem"
static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
int ret = 0; int ret = 0;
if (__cmd == IPC_RMID) { if (__cmd == IPC_RMID) {
int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
struct ashmem_pin pin = {0, length}; struct ashmem_pin pin = {0, length};
ret = ioctl(__shmid, ASHMEM_UNPIN, &pin); ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
close(__shmid); close(__shmid);
} }
return ret; return ret;
} }
static inline int shmget(key_t __key, size_t __size, int __shmflg) { static inline int shmget(key_t __key, size_t __size, int __shmflg) {
(void) __shmflg; (void) __shmflg;
int fd, ret; int fd, ret;
char ourkey[11]; char ourkey[11];
fd = open(ASHMEM_DEVICE, O_RDWR); fd = open(ASHMEM_DEVICE, O_RDWR);
if (fd < 0) if (fd < 0)
return fd; return fd;
sprintf(ourkey, "%d", __key); sprintf(ourkey, "%d", __key);
ret = ioctl(fd, ASHMEM_SET_NAME, ourkey); ret = ioctl(fd, ASHMEM_SET_NAME, ourkey);
if (ret < 0) if (ret < 0)
goto error; goto error;
ret = ioctl(fd, ASHMEM_SET_SIZE, __size); ret = ioctl(fd, ASHMEM_SET_SIZE, __size);
if (ret < 0) if (ret < 0)
goto error; goto error;
return fd; return fd;
error: error:
close(fd); close(fd);
return ret; return ret;
} }
static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) { static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {
(void) __shmflg; (void) __shmflg;
int size; int size;
void *ptr; void *ptr;
size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
if (size < 0) { if (size < 0) {
return NULL; return NULL;
} }
ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0); ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0);
if (ptr == MAP_FAILED) { if (ptr == MAP_FAILED) {
return NULL; return NULL;
} }
return ptr; return ptr;
} }
#endif /* !_ANDROID_ASHMEM_H */ #endif /* !_ANDROID_ASHMEM_H */
#endif /* !__ANDROID__ */ #endif /* !__ANDROID__ */

724
config.h
Unescape View File

@ -1,362 +1,362 @@
/* /*
Copyright 2013 Google LLC All rights reserved. Copyright 2013 Google LLC All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at: You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
/* /*
american fuzzy lop - vaguely configurable bits american fuzzy lop - vaguely configurable bits
---------------------------------------------- ----------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com> Written and maintained by Michal Zalewski <lcamtuf@google.com>
*/ */
#ifndef _HAVE_CONFIG_H #ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H #define _HAVE_CONFIG_H
#include "types.h" #include "types.h"
/* Version string: */ /* Version string: */
#define VERSION "2.57b" #define VERSION "2.57b"
/****************************************************** /******************************************************
* * * *
* Settings that may be of interest to power users: * * Settings that may be of interest to power users: *
* * * *
******************************************************/ ******************************************************/
/* Comment out to disable terminal colors (note that this makes afl-analyze /* Comment out to disable terminal colors (note that this makes afl-analyze
a lot less nice): */ a lot less nice): */
#define USE_COLOR #define USE_COLOR
/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
#define FANCY_BOXES #define FANCY_BOXES
/* Default timeout for fuzzed code (milliseconds). This is the upper bound, /* Default timeout for fuzzed code (milliseconds). This is the upper bound,
also used for detecting hangs; the actual value is auto-scaled: */ also used for detecting hangs; the actual value is auto-scaled: */
#define EXEC_TIMEOUT 1000 #define EXEC_TIMEOUT 1000
/* Timeout rounding factor when auto-scaling (milliseconds): */ /* Timeout rounding factor when auto-scaling (milliseconds): */
#define EXEC_TM_ROUND 20 #define EXEC_TM_ROUND 20
/* 64bit arch MACRO */ /* 64bit arch MACRO */
#if (defined (__x86_64__) || defined (__arm64__) || defined (__aarch64__)) #if (defined (__x86_64__) || defined (__arm64__) || defined (__aarch64__))
#define WORD_SIZE_64 1 #define WORD_SIZE_64 1
#endif #endif
/* Default memory limit for child process (MB): */ /* Default memory limit for child process (MB): */
#ifndef WORD_SIZE_64 #ifndef WORD_SIZE_64
# define MEM_LIMIT 25 # define MEM_LIMIT 25
#else #else
# define MEM_LIMIT 50 # define MEM_LIMIT 50
#endif /* ^!WORD_SIZE_64 */ #endif /* ^!WORD_SIZE_64 */
/* Default memory limit when running in QEMU mode (MB): */ /* Default memory limit when running in QEMU mode (MB): */
#define MEM_LIMIT_QEMU 200 #define MEM_LIMIT_QEMU 200
/* Number of calibration cycles per every new test case (and for test /* Number of calibration cycles per every new test case (and for test
cases that show variable behavior): */ cases that show variable behavior): */
#define CAL_CYCLES 8 #define CAL_CYCLES 8
#define CAL_CYCLES_LONG 40 #define CAL_CYCLES_LONG 40
/* Number of subsequent timeouts before abandoning an input file: */ /* Number of subsequent timeouts before abandoning an input file: */
#define TMOUT_LIMIT 250 #define TMOUT_LIMIT 250
/* Maximum number of unique hangs or crashes to record: */ /* Maximum number of unique hangs or crashes to record: */
#define KEEP_UNIQUE_HANG 500 #define KEEP_UNIQUE_HANG 500
#define KEEP_UNIQUE_CRASH 5000 #define KEEP_UNIQUE_CRASH 5000
/* Baseline number of random tweaks during a single 'havoc' stage: */ /* Baseline number of random tweaks during a single 'havoc' stage: */
#define HAVOC_CYCLES 256 #define HAVOC_CYCLES 256
#define HAVOC_CYCLES_INIT 1024 #define HAVOC_CYCLES_INIT 1024
/* Maximum multiplier for the above (should be a power of two, beware /* Maximum multiplier for the above (should be a power of two, beware
of 32-bit int overflows): */ of 32-bit int overflows): */
#define HAVOC_MAX_MULT 16 #define HAVOC_MAX_MULT 16
/* Absolute minimum number of havoc cycles (after all adjustments): */ /* Absolute minimum number of havoc cycles (after all adjustments): */
#define HAVOC_MIN 16 #define HAVOC_MIN 16
/* Maximum stacking for havoc-stage tweaks. The actual value is calculated /* Maximum stacking for havoc-stage tweaks. The actual value is calculated
like this: like this:
n = random between 1 and HAVOC_STACK_POW2 n = random between 1 and HAVOC_STACK_POW2
stacking = 2^n stacking = 2^n
In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
128 stacked tweaks: */ 128 stacked tweaks: */
#define HAVOC_STACK_POW2 7 #define HAVOC_STACK_POW2 7
/* Caps on block sizes for cloning and deletion operations. Each of these /* Caps on block sizes for cloning and deletion operations. Each of these
ranges has a 33% probability of getting picked, except for the first ranges has a 33% probability of getting picked, except for the first
two cycles where smaller blocks are favored: */ two cycles where smaller blocks are favored: */
#define HAVOC_BLK_SMALL 32 #define HAVOC_BLK_SMALL 32
#define HAVOC_BLK_MEDIUM 128 #define HAVOC_BLK_MEDIUM 128
#define HAVOC_BLK_LARGE 1500 #define HAVOC_BLK_LARGE 1500
/* Extra-large blocks, selected very rarely (<5% of the time): */ /* Extra-large blocks, selected very rarely (<5% of the time): */
#define HAVOC_BLK_XL 32768 #define HAVOC_BLK_XL 32768
/* Probabilities of skipping non-favored entries in the queue, expressed as /* Probabilities of skipping non-favored entries in the queue, expressed as
percentages: */ percentages: */
#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ #define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */
#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ #define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ #define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */
/* Splicing cycle count: */ /* Splicing cycle count: */
#define SPLICE_CYCLES 15 #define SPLICE_CYCLES 15
/* Nominal per-splice havoc cycle length: */ /* Nominal per-splice havoc cycle length: */
#define SPLICE_HAVOC 32 #define SPLICE_HAVOC 32
/* Maximum offset for integer addition / subtraction stages: */ /* Maximum offset for integer addition / subtraction stages: */
#define ARITH_MAX 35 #define ARITH_MAX 35
/* Limits for the test case trimmer. The absolute minimum chunk size; and /* Limits for the test case trimmer. The absolute minimum chunk size; and
the starting and ending divisors for chopping up the input file: */ the starting and ending divisors for chopping up the input file: */
#define TRIM_MIN_BYTES 4 #define TRIM_MIN_BYTES 4
#define TRIM_START_STEPS 16 #define TRIM_START_STEPS 16
#define TRIM_END_STEPS 1024 #define TRIM_END_STEPS 1024
/* Maximum size of input file, in bytes (keep under 100MB): */ /* Maximum size of input file, in bytes (keep under 100MB): */
#define MAX_FILE (1 * 1024 * 1024) #define MAX_FILE (1 * 1024 * 1024)
/* The same, for the test case minimizer: */ /* The same, for the test case minimizer: */
#define TMIN_MAX_FILE (10 * 1024 * 1024) #define TMIN_MAX_FILE (10 * 1024 * 1024)
/* Block normalization steps for afl-tmin: */ /* Block normalization steps for afl-tmin: */
#define TMIN_SET_MIN_SIZE 4 #define TMIN_SET_MIN_SIZE 4
#define TMIN_SET_STEPS 128 #define TMIN_SET_STEPS 128
/* Maximum dictionary token size (-x), in bytes: */ /* Maximum dictionary token size (-x), in bytes: */
#define MAX_DICT_FILE 128 #define MAX_DICT_FILE 128
/* Length limits for auto-detected dictionary tokens: */ /* Length limits for auto-detected dictionary tokens: */
#define MIN_AUTO_EXTRA 3 #define MIN_AUTO_EXTRA 3
#define MAX_AUTO_EXTRA 32 #define MAX_AUTO_EXTRA 32
/* Maximum number of user-specified dictionary tokens to use in deterministic /* Maximum number of user-specified dictionary tokens to use in deterministic
steps; past this point, the "extras/user" step will be still carried out, steps; past this point, the "extras/user" step will be still carried out,
but with proportionally lower odds: */ but with proportionally lower odds: */
#define MAX_DET_EXTRAS 200 #define MAX_DET_EXTRAS 200
/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing /* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
(first value), and to keep in memory as candidates. The latter should be much (first value), and to keep in memory as candidates. The latter should be much
higher than the former. */ higher than the former. */
#define USE_AUTO_EXTRAS 50 #define USE_AUTO_EXTRAS 50
#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) #define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10)
/* Scaling factor for the effector map used to skip some of the more /* Scaling factor for the effector map used to skip some of the more
expensive deterministic steps. The actual divisor is set to expensive deterministic steps. The actual divisor is set to
2^EFF_MAP_SCALE2 bytes: */ 2^EFF_MAP_SCALE2 bytes: */
#define EFF_MAP_SCALE2 3 #define EFF_MAP_SCALE2 3
/* Minimum input file length at which the effector logic kicks in: */ /* Minimum input file length at which the effector logic kicks in: */
#define EFF_MIN_LEN 128 #define EFF_MIN_LEN 128
/* Maximum effector density past which everything is just fuzzed /* Maximum effector density past which everything is just fuzzed
unconditionally (%): */ unconditionally (%): */
#define EFF_MAX_PERC 90 #define EFF_MAX_PERC 90
/* UI refresh frequency (Hz): */ /* UI refresh frequency (Hz): */
#define UI_TARGET_HZ 5 #define UI_TARGET_HZ 5
/* Fuzzer stats file and plot update intervals (sec): */ /* Fuzzer stats file and plot update intervals (sec): */
#define STATS_UPDATE_SEC 60 #define STATS_UPDATE_SEC 60
#define PLOT_UPDATE_SEC 5 #define PLOT_UPDATE_SEC 5
/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */ /* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
#define AVG_SMOOTHING 16 #define AVG_SMOOTHING 16
/* Sync interval (every n havoc cycles): */ /* Sync interval (every n havoc cycles): */
#define SYNC_INTERVAL 5 #define SYNC_INTERVAL 5
/* Output directory reuse grace period (minutes): */ /* Output directory reuse grace period (minutes): */
#define OUTPUT_GRACE 25 #define OUTPUT_GRACE 25
/* Uncomment to use simple file names (id_NNNNNN): */ /* Uncomment to use simple file names (id_NNNNNN): */
// #define SIMPLE_FILES // #define SIMPLE_FILES
/* List of interesting values to use in fuzzing. */ /* List of interesting values to use in fuzzing. */
#define INTERESTING_8 \ #define INTERESTING_8 \
-128, /* Overflow signed 8-bit when decremented */ \ -128, /* Overflow signed 8-bit when decremented */ \
-1, /* */ \ -1, /* */ \
0, /* */ \ 0, /* */ \
1, /* */ \ 1, /* */ \
16, /* One-off with common buffer size */ \ 16, /* One-off with common buffer size */ \
32, /* One-off with common buffer size */ \ 32, /* One-off with common buffer size */ \
64, /* One-off with common buffer size */ \ 64, /* One-off with common buffer size */ \
100, /* One-off with common buffer size */ \ 100, /* One-off with common buffer size */ \
127 /* Overflow signed 8-bit when incremented */ 127 /* Overflow signed 8-bit when incremented */
#define INTERESTING_16 \ #define INTERESTING_16 \
-32768, /* Overflow signed 16-bit when decremented */ \ -32768, /* Overflow signed 16-bit when decremented */ \
-129, /* Overflow signed 8-bit */ \ -129, /* Overflow signed 8-bit */ \
128, /* Overflow signed 8-bit */ \ 128, /* Overflow signed 8-bit */ \
255, /* Overflow unsig 8-bit when incremented */ \ 255, /* Overflow unsig 8-bit when incremented */ \
256, /* Overflow unsig 8-bit */ \ 256, /* Overflow unsig 8-bit */ \
512, /* One-off with common buffer size */ \ 512, /* One-off with common buffer size */ \
1000, /* One-off with common buffer size */ \ 1000, /* One-off with common buffer size */ \
1024, /* One-off with common buffer size */ \ 1024, /* One-off with common buffer size */ \
4096, /* One-off with common buffer size */ \ 4096, /* One-off with common buffer size */ \
32767 /* Overflow signed 16-bit when incremented */ 32767 /* Overflow signed 16-bit when incremented */
#define INTERESTING_32 \ #define INTERESTING_32 \
-2147483648LL, /* Overflow signed 32-bit when decremented */ \ -2147483648LL, /* Overflow signed 32-bit when decremented */ \
-100663046, /* Large negative number (endian-agnostic) */ \ -100663046, /* Large negative number (endian-agnostic) */ \
-32769, /* Overflow signed 16-bit */ \ -32769, /* Overflow signed 16-bit */ \
32768, /* Overflow signed 16-bit */ \ 32768, /* Overflow signed 16-bit */ \
65535, /* Overflow unsig 16-bit when incremented */ \ 65535, /* Overflow unsig 16-bit when incremented */ \
65536, /* Overflow unsig 16 bit */ \ 65536, /* Overflow unsig 16 bit */ \
100663045, /* Large positive number (endian-agnostic) */ \ 100663045, /* Large positive number (endian-agnostic) */ \
2147483647 /* Overflow signed 32-bit when incremented */ 2147483647 /* Overflow signed 32-bit when incremented */
/*********************************************************** /***********************************************************
* * * *
* Really exotic stuff you probably don't want to touch: * * Really exotic stuff you probably don't want to touch: *
* * * *
***********************************************************/ ***********************************************************/
/* Call count interval between reseeding the libc PRNG from /dev/urandom: */ /* Call count interval between reseeding the libc PRNG from /dev/urandom: */
#define RESEED_RNG 10000 #define RESEED_RNG 10000
/* Maximum line length passed from GCC to 'as' and used for parsing /* Maximum line length passed from GCC to 'as' and used for parsing
configuration files: */ configuration files: */
#define MAX_LINE 8192 #define MAX_LINE 8192
/* Environment variable used to pass SHM ID to the called program. */ /* Environment variable used to pass SHM ID to the called program. */
#define SHM_ENV_VAR "__AFL_SHM_ID" #define SHM_ENV_VAR "__AFL_SHM_ID"
/* Other less interesting, internal-only variables. */ /* Other less interesting, internal-only variables. */
#define CLANG_ENV_VAR "__AFL_CLANG_MODE" #define CLANG_ENV_VAR "__AFL_CLANG_MODE"
#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK" #define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
#define PERSIST_ENV_VAR "__AFL_PERSISTENT" #define PERSIST_ENV_VAR "__AFL_PERSISTENT"
#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV" #define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"
/* In-code signatures for deferred and persistent mode. */ /* In-code signatures for deferred and persistent mode. */
#define PERSIST_SIG "##SIG_AFL_PERSISTENT##" #define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##" #define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
/* Distinctive bitmap signature used to indicate failed execution: */ /* Distinctive bitmap signature used to indicate failed execution: */
#define EXEC_FAIL_SIG 0xfee1dead #define EXEC_FAIL_SIG 0xfee1dead
/* Distinctive exit code used to indicate MSAN trip condition: */ /* Distinctive exit code used to indicate MSAN trip condition: */
#define MSAN_ERROR 86 #define MSAN_ERROR 86
/* Designated file descriptors for forkserver commands (the application will /* Designated file descriptors for forkserver commands (the application will
use FORKSRV_FD and FORKSRV_FD + 1): */ use FORKSRV_FD and FORKSRV_FD + 1): */
#define FORKSRV_FD 198 #define FORKSRV_FD 198
/* Fork server init timeout multiplier: we'll wait the user-selected /* Fork server init timeout multiplier: we'll wait the user-selected
timeout plus this much for the fork server to spin up. */ timeout plus this much for the fork server to spin up. */
#define FORK_WAIT_MULT 10 #define FORK_WAIT_MULT 10
/* Calibration timeout adjustments, to be a bit more generous when resuming /* Calibration timeout adjustments, to be a bit more generous when resuming
fuzzing sessions or trying to calibrate already-added internal finds. fuzzing sessions or trying to calibrate already-added internal finds.
The first value is a percentage, the other is in milliseconds: */ The first value is a percentage, the other is in milliseconds: */
#define CAL_TMOUT_PERC 125 #define CAL_TMOUT_PERC 125
#define CAL_TMOUT_ADD 50 #define CAL_TMOUT_ADD 50
/* Number of chances to calibrate a case before giving up: */ /* Number of chances to calibrate a case before giving up: */
#define CAL_CHANCES 3 #define CAL_CHANCES 3
/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than /* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
2; you probably want to keep it under 18 or so for performance reasons 2; you probably want to keep it under 18 or so for performance reasons
(adjusting AFL_INST_RATIO when compiling is probably a better way to solve (adjusting AFL_INST_RATIO when compiling is probably a better way to solve
problems with complex programs). You need to recompile the target binary problems with complex programs). You need to recompile the target binary
after changing this - otherwise, SEGVs may ensue. */ after changing this - otherwise, SEGVs may ensue. */
#define MAP_SIZE_POW2 16 #define MAP_SIZE_POW2 16
#define MAP_SIZE (1 << MAP_SIZE_POW2) #define MAP_SIZE (1 << MAP_SIZE_POW2)
/* Maximum allocator request size (keep well under INT_MAX): */ /* Maximum allocator request size (keep well under INT_MAX): */
#define MAX_ALLOC 0x40000000 #define MAX_ALLOC 0x40000000
/* A made-up hashing seed: */ /* A made-up hashing seed: */
#define HASH_CONST 0xa5b35705 #define HASH_CONST 0xa5b35705
/* Constants for afl-gotcpu to control busy loop timing: */ /* Constants for afl-gotcpu to control busy loop timing: */
#define CTEST_TARGET_MS 5000 #define CTEST_TARGET_MS 5000
#define CTEST_CORE_TRG_MS 1000 #define CTEST_CORE_TRG_MS 1000
#define CTEST_BUSY_CYCLES (10 * 1000 * 1000) #define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
/* Uncomment this to use inferior block-coverage-based instrumentation. Note /* Uncomment this to use inferior block-coverage-based instrumentation. Note
that you need to recompile the target binary for this to have any effect: */ that you need to recompile the target binary for this to have any effect: */
// #define COVERAGE_ONLY // #define COVERAGE_ONLY
/* Uncomment this to ignore hit counts and output just one bit per tuple. /* Uncomment this to ignore hit counts and output just one bit per tuple.
As with the previous setting, you will need to recompile the target As with the previous setting, you will need to recompile the target
binary: */ binary: */
// #define SKIP_COUNTS // #define SKIP_COUNTS
/* Uncomment this to use instrumentation data to record newly discovered paths, /* Uncomment this to use instrumentation data to record newly discovered paths,
but do not use them as seeds for fuzzing. This is useful for conveniently but do not use them as seeds for fuzzing. This is useful for conveniently
measuring coverage that could be attained by a "dumb" fuzzing algorithm: */ measuring coverage that could be attained by a "dumb" fuzzing algorithm: */
// #define IGNORE_FINDS // #define IGNORE_FINDS
#endif /* ! _HAVE_CONFIG_H */ #endif /* ! _HAVE_CONFIG_H */

516
debug.h
Unescape View File

@ -1,258 +1,258 @@
/* /*
Copyright 2013 Google LLC All rights reserved. Copyright 2013 Google LLC All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at: You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
/* /*
american fuzzy lop - debug / error handling macros american fuzzy lop - debug / error handling macros
-------------------------------------------------- --------------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com> Written and maintained by Michal Zalewski <lcamtuf@google.com>
*/ */
#ifndef _HAVE_DEBUG_H #ifndef _HAVE_DEBUG_H
#define _HAVE_DEBUG_H #define _HAVE_DEBUG_H
#include <errno.h> #include <errno.h>
#include "types.h" #include "types.h"
#include "config.h" #include "config.h"
/******************* /*******************
* Terminal colors * * Terminal colors *
*******************/ *******************/
#ifdef USE_COLOR #ifdef USE_COLOR
# define cBLK "\x1b[0;30m" # define cBLK "\x1b[0;30m"
# define cRED "\x1b[0;31m" # define cRED "\x1b[0;31m"
# define cGRN "\x1b[0;32m" # define cGRN "\x1b[0;32m"
# define cBRN "\x1b[0;33m" # define cBRN "\x1b[0;33m"
# define cBLU "\x1b[0;34m" # define cBLU "\x1b[0;34m"
# define cMGN "\x1b[0;35m" # define cMGN "\x1b[0;35m"
# define cCYA "\x1b[0;36m" # define cCYA "\x1b[0;36m"
# define cLGR "\x1b[0;37m" # define cLGR "\x1b[0;37m"
# define cGRA "\x1b[1;90m" # define cGRA "\x1b[1;90m"
# define cLRD "\x1b[1;91m" # define cLRD "\x1b[1;91m"
# define cLGN "\x1b[1;92m" # define cLGN "\x1b[1;92m"
# define cYEL "\x1b[1;93m" # define cYEL "\x1b[1;93m"
# define cLBL "\x1b[1;94m" # define cLBL "\x1b[1;94m"
# define cPIN "\x1b[1;95m" # define cPIN "\x1b[1;95m"
# define cLCY "\x1b[1;96m" # define cLCY "\x1b[1;96m"
# define cBRI "\x1b[1;97m" # define cBRI "\x1b[1;97m"
# define cRST "\x1b[0m" # define cRST "\x1b[0m"
# define bgBLK "\x1b[40m" # define bgBLK "\x1b[40m"
# define bgRED "\x1b[41m" # define bgRED "\x1b[41m"
# define bgGRN "\x1b[42m" # define bgGRN "\x1b[42m"
# define bgBRN "\x1b[43m" # define bgBRN "\x1b[43m"
# define bgBLU "\x1b[44m" # define bgBLU "\x1b[44m"
# define bgMGN "\x1b[45m" # define bgMGN "\x1b[45m"
# define bgCYA "\x1b[46m" # define bgCYA "\x1b[46m"
# define bgLGR "\x1b[47m" # define bgLGR "\x1b[47m"
# define bgGRA "\x1b[100m" # define bgGRA "\x1b[100m"
# define bgLRD "\x1b[101m" # define bgLRD "\x1b[101m"
# define bgLGN "\x1b[102m" # define bgLGN "\x1b[102m"
# define bgYEL "\x1b[103m" # define bgYEL "\x1b[103m"
# define bgLBL "\x1b[104m" # define bgLBL "\x1b[104m"
# define bgPIN "\x1b[105m" # define bgPIN "\x1b[105m"
# define bgLCY "\x1b[106m" # define bgLCY "\x1b[106m"
# define bgBRI "\x1b[107m" # define bgBRI "\x1b[107m"
#else #else
# define cBLK "" # define cBLK ""
# define cRED "" # define cRED ""
# define cGRN "" # define cGRN ""
# define cBRN "" # define cBRN ""
# define cBLU "" # define cBLU ""
# define cMGN "" # define cMGN ""
# define cCYA "" # define cCYA ""
# define cLGR "" # define cLGR ""
# define cGRA "" # define cGRA ""
# define cLRD "" # define cLRD ""
# define cLGN "" # define cLGN ""
# define cYEL "" # define cYEL ""
# define cLBL "" # define cLBL ""
# define cPIN "" # define cPIN ""
# define cLCY "" # define cLCY ""
# define cBRI "" # define cBRI ""
# define cRST "" # define cRST ""
# define bgBLK "" # define bgBLK ""
# define bgRED "" # define bgRED ""
# define bgGRN "" # define bgGRN ""
# define bgBRN "" # define bgBRN ""
# define bgBLU "" # define bgBLU ""
# define bgMGN "" # define bgMGN ""
# define bgCYA "" # define bgCYA ""
# define bgLGR "" # define bgLGR ""
# define bgGRA "" # define bgGRA ""
# define bgLRD "" # define bgLRD ""
# define bgLGN "" # define bgLGN ""
# define bgYEL "" # define bgYEL ""
# define bgLBL "" # define bgLBL ""
# define bgPIN "" # define bgPIN ""
# define bgLCY "" # define bgLCY ""
# define bgBRI "" # define bgBRI ""
#endif /* ^USE_COLOR */ #endif /* ^USE_COLOR */
/************************* /*************************
* Box drawing sequences * * Box drawing sequences *
*************************/ *************************/
#ifdef FANCY_BOXES #ifdef FANCY_BOXES
# define SET_G1 "\x1b)0" /* Set G1 for box drawing */ # define SET_G1 "\x1b)0" /* Set G1 for box drawing */
# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ # define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */
# define bSTART "\x0e" /* Enter G1 drawing mode */ # define bSTART "\x0e" /* Enter G1 drawing mode */
# define bSTOP "\x0f" /* Leave G1 drawing mode */ # define bSTOP "\x0f" /* Leave G1 drawing mode */
# define bH "q" /* Horizontal line */ # define bH "q" /* Horizontal line */
# define bV "x" /* Vertical line */ # define bV "x" /* Vertical line */
# define bLT "l" /* Left top corner */ # define bLT "l" /* Left top corner */
# define bRT "k" /* Right top corner */ # define bRT "k" /* Right top corner */
# define bLB "m" /* Left bottom corner */ # define bLB "m" /* Left bottom corner */
# define bRB "j" /* Right bottom corner */ # define bRB "j" /* Right bottom corner */
# define bX "n" /* Cross */ # define bX "n" /* Cross */
# define bVR "t" /* Vertical, branch right */ # define bVR "t" /* Vertical, branch right */
# define bVL "u" /* Vertical, branch left */ # define bVL "u" /* Vertical, branch left */
# define bHT "v" /* Horizontal, branch top */ # define bHT "v" /* Horizontal, branch top */
# define bHB "w" /* Horizontal, branch bottom */ # define bHB "w" /* Horizontal, branch bottom */
#else #else
# define SET_G1 "" # define SET_G1 ""
# define RESET_G1 "" # define RESET_G1 ""
# define bSTART "" # define bSTART ""
# define bSTOP "" # define bSTOP ""
# define bH "-" # define bH "-"
# define bV "|" # define bV "|"
# define bLT "+" # define bLT "+"
# define bRT "+" # define bRT "+"
# define bLB "+" # define bLB "+"
# define bRB "+" # define bRB "+"
# define bX "+" # define bX "+"
# define bVR "+" # define bVR "+"
# define bVL "+" # define bVL "+"
# define bHT "+" # define bHT "+"
# define bHB "+" # define bHB "+"
#endif /* ^FANCY_BOXES */ #endif /* ^FANCY_BOXES */
/*********************** /***********************
* Misc terminal codes * * Misc terminal codes *
***********************/ ***********************/
#define TERM_HOME "\x1b[H" #define TERM_HOME "\x1b[H"
#define TERM_CLEAR TERM_HOME "\x1b[2J" #define TERM_CLEAR TERM_HOME "\x1b[2J"
#define cEOL "\x1b[0K" #define cEOL "\x1b[0K"
#define CURSOR_HIDE "\x1b[?25l" #define CURSOR_HIDE "\x1b[?25l"
#define CURSOR_SHOW "\x1b[?25h" #define CURSOR_SHOW "\x1b[?25h"
/************************ /************************
* Debug & error macros * * Debug & error macros *
************************/ ************************/
/* Just print stuff to the appropriate stream. */ /* Just print stuff to the appropriate stream. */
#ifdef MESSAGES_TO_STDOUT #ifdef MESSAGES_TO_STDOUT
# define SAYF(x...) printf(x) # define SAYF(x...) printf(x)
#else #else
# define SAYF(x...) fprintf(stderr, x) # define SAYF(x...) fprintf(stderr, x)
#endif /* ^MESSAGES_TO_STDOUT */ #endif /* ^MESSAGES_TO_STDOUT */
/* Show a prefixed warning. */ /* Show a prefixed warning. */
#define WARNF(x...) do { \ #define WARNF(x...) do { \
SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \ SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
SAYF(cRST "\n"); \ SAYF(cRST "\n"); \
} while (0) } while (0)
/* Show a prefixed "doing something" message. */ /* Show a prefixed "doing something" message. */
#define ACTF(x...) do { \ #define ACTF(x...) do { \
SAYF(cLBL "[*] " cRST x); \ SAYF(cLBL "[*] " cRST x); \
SAYF(cRST "\n"); \ SAYF(cRST "\n"); \
} while (0) } while (0)
/* Show a prefixed "success" message. */ /* Show a prefixed "success" message. */
#define OKF(x...) do { \ #define OKF(x...) do { \
SAYF(cLGN "[+] " cRST x); \ SAYF(cLGN "[+] " cRST x); \
SAYF(cRST "\n"); \ SAYF(cRST "\n"); \
} while (0) } while (0)
/* Show a prefixed fatal error message (not used in afl). */ /* Show a prefixed fatal error message (not used in afl). */
#define BADF(x...) do { \ #define BADF(x...) do { \
SAYF(cLRD "\n[-] " cRST x); \ SAYF(cLRD "\n[-] " cRST x); \
SAYF(cRST "\n"); \ SAYF(cRST "\n"); \
} while (0) } while (0)
/* Die with a verbose non-OS fatal error message. */ /* Die with a verbose non-OS fatal error message. */
#define FATAL(x...) do { \ #define FATAL(x...) do { \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
cBRI x); \ cBRI x); \
SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \ SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \
__FUNCTION__, __FILE__, __LINE__); \ __FUNCTION__, __FILE__, __LINE__); \
exit(1); \ exit(1); \
} while (0) } while (0)
/* Die by calling abort() to provide a core dump. */ /* Die by calling abort() to provide a core dump. */
#define ABORT(x...) do { \ #define ABORT(x...) do { \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
cBRI x); \ cBRI x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \
__FUNCTION__, __FILE__, __LINE__); \ __FUNCTION__, __FILE__, __LINE__); \
abort(); \ abort(); \
} while (0) } while (0)
/* Die while also including the output of perror(). */ /* Die while also including the output of perror(). */
#define PFATAL(x...) do { \ #define PFATAL(x...) do { \
fflush(stdout); \ fflush(stdout); \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \
cBRI x); \ cBRI x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \ SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \
__FUNCTION__, __FILE__, __LINE__); \ __FUNCTION__, __FILE__, __LINE__); \
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
exit(1); \ exit(1); \
} while (0) } while (0)
/* Die with FAULT() or PFAULT() depending on the value of res (used to /* Die with FAULT() or PFAULT() depending on the value of res (used to
interpret different failure modes for read(), write(), etc). */ interpret different failure modes for read(), write(), etc). */
#define RPFATAL(res, x...) do { \ #define RPFATAL(res, x...) do { \
if (res < 0) PFATAL(x); else FATAL(x); \ if (res < 0) PFATAL(x); else FATAL(x); \
} while (0) } while (0)
/* Error-checking versions of read() and write() that call RPFATAL() as /* Error-checking versions of read() and write() that call RPFATAL() as
appropriate. */ appropriate. */
#define ck_write(fd, buf, len, fn) do { \ #define ck_write(fd, buf, len, fn) do { \
u32 _len = (len); \ u32 _len = (len); \
s32 _res = write(fd, buf, _len); \ s32 _res = write(fd, buf, _len); \
if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \ if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
} while (0) } while (0)
#define ck_read(fd, buf, len, fn) do { \ #define ck_read(fd, buf, len, fn) do { \
u32 _len = (len); \ u32 _len = (len); \
s32 _res = read(fd, buf, _len); \ s32 _res = read(fd, buf, _len); \
if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \ if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
} while (0) } while (0)
#endif /* ! _HAVE_DEBUG_H */ #endif /* ! _HAVE_DEBUG_H */

222
hash.h
Unescape View File

@ -1,111 +1,111 @@
/* /*
Copyright 2016 Google LLC All rights reserved. Copyright 2016 Google LLC All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at: You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
/* /*
american fuzzy lop - hashing function american fuzzy lop - hashing function
------------------------------------- -------------------------------------
The hash32() function is a variant of MurmurHash3, a good The hash32() function is a variant of MurmurHash3, a good
non-cryptosafe hashing function developed by Austin Appleby. non-cryptosafe hashing function developed by Austin Appleby.
For simplicity, this variant does *NOT* accept buffer lengths For simplicity, this variant does *NOT* accept buffer lengths
that are not divisible by 8 bytes. The 32-bit version is otherwise that are not divisible by 8 bytes. The 32-bit version is otherwise
similar to the original; the 64-bit one is a custom hack with similar to the original; the 64-bit one is a custom hack with
mostly-unproven properties. mostly-unproven properties.
Austin's original code is public domain. Austin's original code is public domain.
Other code written and maintained by Michal Zalewski <lcamtuf@google.com> Other code written and maintained by Michal Zalewski <lcamtuf@google.com>
*/ */
#ifndef _HAVE_HASH_H #ifndef _HAVE_HASH_H
#define _HAVE_HASH_H #define _HAVE_HASH_H
#include "types.h" #include "types.h"
#ifdef __x86_64__ #ifdef __x86_64__
#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) #define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) { static inline u32 hash32(const void* key, u32 len, u32 seed) {
const u64* data = (u64*)key; const u64* data = (u64*)key;
u64 h1 = seed ^ len; u64 h1 = seed ^ len;
len >>= 3; len >>= 3;
while (len--) { while (len--) {
u64 k1 = *data++; u64 k1 = *data++;
k1 *= 0x87c37b91114253d5ULL; k1 *= 0x87c37b91114253d5ULL;
k1 = ROL64(k1, 31); k1 = ROL64(k1, 31);
k1 *= 0x4cf5ad432745937fULL; k1 *= 0x4cf5ad432745937fULL;
h1 ^= k1; h1 ^= k1;
h1 = ROL64(h1, 27); h1 = ROL64(h1, 27);
h1 = h1 * 5 + 0x52dce729; h1 = h1 * 5 + 0x52dce729;
} }
h1 ^= h1 >> 33; h1 ^= h1 >> 33;
h1 *= 0xff51afd7ed558ccdULL; h1 *= 0xff51afd7ed558ccdULL;
h1 ^= h1 >> 33; h1 ^= h1 >> 33;
h1 *= 0xc4ceb9fe1a85ec53ULL; h1 *= 0xc4ceb9fe1a85ec53ULL;
h1 ^= h1 >> 33; h1 ^= h1 >> 33;
return h1; return h1;
} }
#else #else
#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) #define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) { static inline u32 hash32(const void* key, u32 len, u32 seed) {
const u32* data = (u32*)key; const u32* data = (u32*)key;
u32 h1 = seed ^ len; u32 h1 = seed ^ len;
len >>= 2; len >>= 2;
while (len--) { while (len--) {
u32 k1 = *data++; u32 k1 = *data++;
k1 *= 0xcc9e2d51; k1 *= 0xcc9e2d51;
k1 = ROL32(k1, 15); k1 = ROL32(k1, 15);
k1 *= 0x1b873593; k1 *= 0x1b873593;
h1 ^= k1; h1 ^= k1;
h1 = ROL32(h1, 13); h1 = ROL32(h1, 13);
h1 = h1 * 5 + 0xe6546b64; h1 = h1 * 5 + 0xe6546b64;
} }
h1 ^= h1 >> 16; h1 ^= h1 >> 16;
h1 *= 0x85ebca6b; h1 *= 0x85ebca6b;
h1 ^= h1 >> 13; h1 ^= h1 >> 13;
h1 *= 0xc2b2ae35; h1 *= 0xc2b2ae35;
h1 ^= h1 >> 16; h1 ^= h1 >> 16;
return h1; return h1;
} }
#endif /* ^__x86_64__ */ #endif /* ^__x86_64__ */
#endif /* !_HAVE_HASH_H */ #endif /* !_HAVE_HASH_H */

90
test-instr.c
Unescape View File

@ -1,45 +1,45 @@
/* /*
Copyright 2014 Google LLC All rights reserved. Copyright 2014 Google LLC All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at: You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
/* /*
american fuzzy lop - a trivial program to test the build american fuzzy lop - a trivial program to test the build
-------------------------------------------------------- --------------------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com> Written and maintained by Michal Zalewski <lcamtuf@google.com>
*/ */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
int main(int argc, char** argv) { int main(int argc, char** argv) {
char buf[8]; char buf[8];
if (read(0, buf, 8) < 1) { if (read(0, buf, 8) < 1) {
printf("Hum?\n"); printf("Hum?\n");
exit(1); exit(1);
} }
if (buf[0] == '0') if (buf[0] == '0')
printf("Looks like a zero to me!\n"); printf("Looks like a zero to me!\n");
else else
printf("A non-zero value? How quaint!\n"); printf("A non-zero value? How quaint!\n");
exit(0); exit(0);
} }

82
test-libfuzzer-target.c
Unescape View File

@ -1,41 +1,41 @@
/* /*
Copyright 2019 Google LLC All rights reserved. Copyright 2019 Google LLC All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at: You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
/* /*
american fuzzy lop - a trivial program to test libFuzzer target fuzzing. american fuzzy lop - a trivial program to test libFuzzer target fuzzing.
------------------------------------------------------------------------ ------------------------------------------------------------------------
Initially written and maintained by Michal Zalewski. Initially written and maintained by Michal Zalewski.
*/ */
#include <stddef.h> #include <stddef.h>
#include <stdint.h> #include <stdint.h>
#include <stdio.h> #include <stdio.h>
// TODO(metzman): Create a test/ directory to store this and other similar // TODO(metzman): Create a test/ directory to store this and other similar
// files. // files.
int LLVMFuzzerTestOneInput(uint8_t* buf, size_t size) { int LLVMFuzzerTestOneInput(uint8_t* buf, size_t size) {
if (size < 2) if (size < 2)
return 0; return 0;
if (buf[0] == '0') if (buf[0] == '0')
printf("Looks like a zero to me!\n"); printf("Looks like a zero to me!\n");
else else
printf("A non-zero value? How quaint!\n"); printf("A non-zero value? How quaint!\n");
return 0; return 0;
} }

188
types.h
Unescape View File

@ -1,94 +1,94 @@
/* /*
Copyright 2013 Google LLC All rights reserved. Copyright 2013 Google LLC All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at: You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
/* /*
american fuzzy lop - type definitions and minor macros american fuzzy lop - type definitions and minor macros
------------------------------------------------------ ------------------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com> Written and maintained by Michal Zalewski <lcamtuf@google.com>
*/ */
#ifndef _HAVE_TYPES_H #ifndef _HAVE_TYPES_H
#define _HAVE_TYPES_H #define _HAVE_TYPES_H
#include <stdint.h> #include <stdint.h>
#include <stdlib.h> #include <stdlib.h>
typedef uint8_t u8; typedef uint8_t u8;
typedef uint16_t u16; typedef uint16_t u16;
typedef uint32_t u32; typedef uint32_t u32;
/* /*
Ugh. There is an unintended compiler / glibc #include glitch caused by Ugh. There is an unintended compiler / glibc #include glitch caused by
combining the u64 type an %llu in format strings, necessitating a workaround. combining the u64 type an %llu in format strings, necessitating a workaround.
In essence, the compiler is always looking for 'unsigned long long' for %llu. In essence, the compiler is always looking for 'unsigned long long' for %llu.
On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to
'unsigned long long' in <bits/types.h>, so everything checks out. 'unsigned long long' in <bits/types.h>, so everything checks out.
But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'. But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'.
Now, it only happens in circumstances where the type happens to have the Now, it only happens in circumstances where the type happens to have the
expected bit width, *but* the compiler does not know that... and complains expected bit width, *but* the compiler does not know that... and complains
about 'unsigned long' being unsafe to pass to %llu. about 'unsigned long' being unsafe to pass to %llu.
*/ */
#ifdef __x86_64__ #ifdef __x86_64__
typedef unsigned long long u64; typedef unsigned long long u64;
#else #else
typedef uint64_t u64; typedef uint64_t u64;
#endif /* ^__x86_64__ */ #endif /* ^__x86_64__ */
typedef int8_t s8; typedef int8_t s8;
typedef int16_t s16; typedef int16_t s16;
typedef int32_t s32; typedef int32_t s32;
typedef int64_t s64; typedef int64_t s64;
#ifndef MIN #ifndef MIN
# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a)) # define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a))
# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b)) # define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b))
#endif /* !MIN */ #endif /* !MIN */
#define SWAP16(_x) ({ \ #define SWAP16(_x) ({ \
u16 _ret = (_x); \ u16 _ret = (_x); \
(u16)((_ret << 8) | (_ret >> 8)); \ (u16)((_ret << 8) | (_ret >> 8)); \
}) })
#define SWAP32(_x) ({ \ #define SWAP32(_x) ({ \
u32 _ret = (_x); \ u32 _ret = (_x); \
(u32)((_ret << 24) | (_ret >> 24) | \ (u32)((_ret << 24) | (_ret >> 24) | \
((_ret << 8) & 0x00FF0000) | \ ((_ret << 8) & 0x00FF0000) | \
((_ret >> 8) & 0x0000FF00)); \ ((_ret >> 8) & 0x0000FF00)); \
}) })
#ifdef AFL_LLVM_PASS #ifdef AFL_LLVM_PASS
# define AFL_R(x) (random() % (x)) # define AFL_R(x) (random() % (x))
#else #else
# define R(x) (random() % (x)) # define R(x) (random() % (x))
#endif /* ^AFL_LLVM_PASS */ #endif /* ^AFL_LLVM_PASS */
#define STRINGIFY_INTERNAL(x) #x #define STRINGIFY_INTERNAL(x) #x
#define STRINGIFY(x) STRINGIFY_INTERNAL(x) #define STRINGIFY(x) STRINGIFY_INTERNAL(x)
#define MEM_BARRIER() \ #define MEM_BARRIER() \
__asm__ volatile("" ::: "memory") __asm__ volatile("" ::: "memory")
#define likely(_x) __builtin_expect(!!(_x), 1) #define likely(_x) __builtin_expect(!!(_x), 1)
#define unlikely(_x) __builtin_expect(!!(_x), 0) #define unlikely(_x) __builtin_expect(!!(_x), 0)
#endif /* ! _HAVE_TYPES_H */ #endif /* ! _HAVE_TYPES_H */

Write Preview
Loading…
Cancel
Save