From e0394550185d030acd3922ad2669c1caa2e0720a Mon Sep 17 00:00:00 2001 From: dongloong <1909842837@qq.com> Date: Mon, 21 Oct 2024 16:21:48 +0800 Subject: [PATCH 1/6] modified: afl-fuzz.c --- CONTRIBUTING.md | 56 +- LICENSE | 404 +- Makefile | 306 +- afl-analyze.c | 2190 ++--- afl-as.c | 1114 +-- afl-as.h | 1454 ++-- afl-cmin | 922 +-- afl-fuzz.c | 16394 +++++++++++++++++++------------------- afl-gcc.c | 692 +- afl-gotcpu.c | 520 +- afl-plot | 340 +- afl-showmap.c | 1590 ++-- afl-tmin.c | 2346 +++--- afl-whatsup | 326 +- alloc-inl.h | 1154 +-- android-ashmem.h | 164 +- config.h | 724 +- debug.h | 516 +- hash.h | 222 +- test-instr.c | 90 +- test-libfuzzer-target.c | 82 +- types.h | 188 +- 22 files changed, 15897 insertions(+), 15897 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c4de213..939e534 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,28 +1,28 @@ -# How to Contribute - -We'd love to accept your patches and contributions to this project. There are -just a few small guidelines you need to follow. - -## Contributor License Agreement - -Contributions to this project must be accompanied by a Contributor License -Agreement. You (or your employer) retain the copyright to your contribution; -this simply gives us permission to use and redistribute your contributions as -part of the project. Head over to to see -your current agreements on file or to sign a new one. - -You generally only need to submit a CLA once, so if you've already submitted one -(even if it was for a different project), you probably don't need to do it -again. - -## Code reviews - -All submissions, including submissions by project members, require review. We -use GitHub pull requests for this purpose. Consult -[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more -information on using pull requests. - -## Community Guidelines - -This project follows [Google's Open Source Community -Guidelines](https://opensource.google.com/conduct/). +# How to Contribute + +We'd love to accept your patches and contributions to this project. There are +just a few small guidelines you need to follow. + +## Contributor License Agreement + +Contributions to this project must be accompanied by a Contributor License +Agreement. You (or your employer) retain the copyright to your contribution; +this simply gives us permission to use and redistribute your contributions as +part of the project. Head over to to see +your current agreements on file or to sign a new one. + +You generally only need to submit a CLA once, so if you've already submitted one +(even if it was for a different project), you probably don't need to do it +again. + +## Code reviews + +All submissions, including submissions by project members, require review. We +use GitHub pull requests for this purpose. Consult +[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more +information on using pull requests. + +## Community Guidelines + +This project follows [Google's Open Source Community +Guidelines](https://opensource.google.com/conduct/). diff --git a/LICENSE b/LICENSE index 75b5248..d645695 100644 --- a/LICENSE +++ b/LICENSE @@ -1,202 +1,202 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile b/Makefile index b1428b4..3819312 100644 --- a/Makefile +++ b/Makefile @@ -1,153 +1,153 @@ -# -# american fuzzy lop - makefile -# ----------------------------- -# -# Written and maintained by Michal Zalewski -# -# Copyright 2013, 2014, 2015, 2016, 2017 Google LLC All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# - -PROGNAME = afl -VERSION = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2) - -PREFIX ?= /usr/local -BIN_PATH = $(PREFIX)/bin -HELPER_PATH = $(PREFIX)/lib/afl -DOC_PATH = $(PREFIX)/share/doc/afl -MISC_PATH = $(PREFIX)/share/afl - -# PROGS intentionally omit afl-as, which gets installed elsewhere. - -PROGS = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze -SH_PROGS = afl-plot afl-cmin afl-whatsup - -CFLAGS ?= -O3 -funroll-loops -CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ - -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \ - -DBIN_PATH=\"$(BIN_PATH)\" - -ifneq "$(filter Linux GNU%,$(shell uname))" "" - LDFLAGS += -ldl -endif - -ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" - TEST_CC = afl-gcc -else - TEST_CC = afl-clang -endif - -COMM_HDR = alloc-inl.h config.h debug.h types.h - -all: test_x86 $(PROGS) afl-as test_build all_done - -ifndef AFL_NO_X86 - -test_x86: - @echo "[*] Checking for the ability to compile x86 code..." - @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 ) - @rm -f .test - @echo "[+] Everything seems to be working, ready to compile." - -else - -test_x86: - @echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)." - -endif - -afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) - set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done - -afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) - ln -sf afl-as as - -afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) - -afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) - -afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) - -afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) - -afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) - -ifndef AFL_NO_X86 - -test_build: afl-gcc afl-as afl-showmap - @echo "[*] Testing the CC wrapper and instrumentation output..." - unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) - ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null - echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr - @rm -f test-instr - @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping to troubleshoot the issue."; echo; exit 1; fi - @echo "[+] All right, the instrumentation seems to be working!" - -else - -test_build: afl-gcc afl-as afl-showmap - @echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)." - -endif - -all_done: test_build - @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi - @echo "[+] All done! Be sure to review README - it's pretty short and useful." - @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi - @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null - -.NOTPARALLEL: clean - -clean: - rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace - rm -rf out_dir qemu_mode/qemu-2.10.0 - $(MAKE) -C llvm_mode clean - $(MAKE) -C libdislocator clean - $(MAKE) -C libtokencap clean - -install: all - mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH) - rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh - install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH) - rm -f $${DESTDIR}$(BIN_PATH)/afl-as - if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi -ifndef AFL_TRACE_PC - if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi -else - if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi -endif - if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi - if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi - set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done - install -m 755 afl-as $${DESTDIR}$(HELPER_PATH) - ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as - install -m 644 README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH) - cp -r testcases/ $${DESTDIR}$(MISC_PATH) - cp -r dictionaries/ $${DESTDIR}$(MISC_PATH) - -publish: clean - test "`basename $$PWD`" = "AFL" || exit 1 - test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi - cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \ - tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION) - chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz - ( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz ) - cat docs/README >~/www/afl/README.txt - cat docs/status_screen.txt >~/www/afl/status_screen.txt - cat docs/historical_notes.txt >~/www/afl/historical_notes.txt - cat docs/technical_details.txt >~/www/afl/technical_details.txt - cat docs/ChangeLog >~/www/afl/ChangeLog.txt - cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt - echo -n "$(VERSION)" >~/www/afl/version.txt +# +# american fuzzy lop - makefile +# ----------------------------- +# +# Written and maintained by Michal Zalewski +# +# Copyright 2013, 2014, 2015, 2016, 2017 Google LLC All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# + +PROGNAME = afl +VERSION = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2) + +PREFIX ?= /usr/local +BIN_PATH = $(PREFIX)/bin +HELPER_PATH = $(PREFIX)/lib/afl +DOC_PATH = $(PREFIX)/share/doc/afl +MISC_PATH = $(PREFIX)/share/afl + +# PROGS intentionally omit afl-as, which gets installed elsewhere. + +PROGS = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze +SH_PROGS = afl-plot afl-cmin afl-whatsup + +CFLAGS ?= -O3 -funroll-loops +CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ + -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \ + -DBIN_PATH=\"$(BIN_PATH)\" + +ifneq "$(filter Linux GNU%,$(shell uname))" "" + LDFLAGS += -ldl +endif + +ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" + TEST_CC = afl-gcc +else + TEST_CC = afl-clang +endif + +COMM_HDR = alloc-inl.h config.h debug.h types.h + +all: test_x86 $(PROGS) afl-as test_build all_done + +ifndef AFL_NO_X86 + +test_x86: + @echo "[*] Checking for the ability to compile x86 code..." + @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 ) + @rm -f .test + @echo "[+] Everything seems to be working, ready to compile." + +else + +test_x86: + @echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)." + +endif + +afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) + set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done + +afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) + ln -sf afl-as as + +afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) + +afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) + +afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) + +afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) + +afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) + +ifndef AFL_NO_X86 + +test_build: afl-gcc afl-as afl-showmap + @echo "[*] Testing the CC wrapper and instrumentation output..." + unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) + ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null + echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr + @rm -f test-instr + @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping to troubleshoot the issue."; echo; exit 1; fi + @echo "[+] All right, the instrumentation seems to be working!" + +else + +test_build: afl-gcc afl-as afl-showmap + @echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)." + +endif + +all_done: test_build + @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi + @echo "[+] All done! Be sure to review README - it's pretty short and useful." + @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi + @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null + +.NOTPARALLEL: clean + +clean: + rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.10.0.tar.bz2 afl-qemu-trace + rm -rf out_dir qemu_mode/qemu-2.10.0 + $(MAKE) -C llvm_mode clean + $(MAKE) -C libdislocator clean + $(MAKE) -C libtokencap clean + +install: all + mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH) + rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh + install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH) + rm -f $${DESTDIR}$(BIN_PATH)/afl-as + if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi +ifndef AFL_TRACE_PC + if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi +else + if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi +endif + if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi + if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi + set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done + install -m 755 afl-as $${DESTDIR}$(HELPER_PATH) + ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as + install -m 644 README.md docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH) + cp -r testcases/ $${DESTDIR}$(MISC_PATH) + cp -r dictionaries/ $${DESTDIR}$(MISC_PATH) + +publish: clean + test "`basename $$PWD`" = "AFL" || exit 1 + test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi + cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \ + tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION) + chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz + ( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz ) + cat docs/README >~/www/afl/README.txt + cat docs/status_screen.txt >~/www/afl/status_screen.txt + cat docs/historical_notes.txt >~/www/afl/historical_notes.txt + cat docs/technical_details.txt >~/www/afl/technical_details.txt + cat docs/ChangeLog >~/www/afl/ChangeLog.txt + cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt + echo -n "$(VERSION)" >~/www/afl/version.txt diff --git a/afl-analyze.c b/afl-analyze.c index 91f5251..c97b73d 100644 --- a/afl-analyze.c +++ b/afl-analyze.c @@ -1,1095 +1,1095 @@ -/* - Copyright 2016 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - file format analyzer - ----------------------------------------- - - Written and maintained by Michal Zalewski - - A nifty utility that grabs an input file and takes a stab at explaining - its structure by observing how changes to it affect the execution path. - - If the output scrolls past the edge of the screen, pipe it to 'less -r'. - -*/ - -#define AFL_MAIN -#include "android-ashmem.h" - -#include "config.h" -#include "types.h" -#include "debug.h" -#include "alloc-inl.h" -#include "hash.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -static s32 child_pid; /* PID of the tested program */ - -static u8* trace_bits; /* SHM with instrumentation bitmap */ - -static u8 *in_file, /* Analyzer input test case */ - *prog_in, /* Targeted program input file */ - *target_path, /* Path to target binary */ - *doc_path; /* Path to docs */ - -static u8 *in_data; /* Input data for analysis */ - -static u32 in_len, /* Input data length */ - orig_cksum, /* Original checksum */ - total_execs, /* Total number of execs */ - exec_hangs, /* Total number of hangs */ - exec_tmout = EXEC_TIMEOUT; /* Exec timeout (ms) */ - -static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ - -static s32 shm_id, /* ID of the SHM region */ - dev_null_fd = -1; /* FD to /dev/null */ - -static u8 edges_only, /* Ignore hit counts? */ - use_hex_offsets, /* Show hex offsets? */ - use_stdin = 1; /* Use stdin for program input? */ - -static volatile u8 - stop_soon, /* Ctrl-C pressed? */ - child_timed_out; /* Child timed out? */ - - -/* Constants used for describing byte behavior. */ - -#define RESP_NONE 0x00 /* Changing byte is a no-op. */ -#define RESP_MINOR 0x01 /* Some changes have no effect. */ -#define RESP_VARIABLE 0x02 /* Changes produce variable paths. */ -#define RESP_FIXED 0x03 /* Changes produce fixed patterns. */ - -#define RESP_LEN 0x04 /* Potential length field */ -#define RESP_CKSUM 0x05 /* Potential checksum */ -#define RESP_SUSPECT 0x06 /* Potential "suspect" blob */ - - -/* Classify tuple counts. This is a slow & naive version, but good enough here. */ - -static u8 count_class_lookup[256] = { - - [0] = 0, - [1] = 1, - [2] = 2, - [3] = 4, - [4 ... 7] = 8, - [8 ... 15] = 16, - [16 ... 31] = 32, - [32 ... 127] = 64, - [128 ... 255] = 128 - -}; - -static void classify_counts(u8* mem) { - - u32 i = MAP_SIZE; - - if (edges_only) { - - while (i--) { - if (*mem) *mem = 1; - mem++; - } - - } else { - - while (i--) { - *mem = count_class_lookup[*mem]; - mem++; - } - - } - -} - - -/* See if any bytes are set in the bitmap. */ - -static inline u8 anything_set(void) { - - u32* ptr = (u32*)trace_bits; - u32 i = (MAP_SIZE >> 2); - - while (i--) if (*(ptr++)) return 1; - - return 0; - -} - - -/* Get rid of shared memory and temp files (atexit handler). */ - -static void remove_shm(void) { - - unlink(prog_in); /* Ignore errors */ - shmctl(shm_id, IPC_RMID, NULL); - -} - - -/* Configure shared memory. */ - -static void setup_shm(void) { - - u8* shm_str; - - shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); - - if (shm_id < 0) PFATAL("shmget() failed"); - - atexit(remove_shm); - - shm_str = alloc_printf("%d", shm_id); - - setenv(SHM_ENV_VAR, shm_str, 1); - - ck_free(shm_str); - - trace_bits = shmat(shm_id, NULL, 0); - - if (trace_bits == (void *)-1) PFATAL("shmat() failed"); - -} - - -/* Read initial file. */ - -static void read_initial_file(void) { - - struct stat st; - s32 fd = open(in_file, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", in_file); - - if (fstat(fd, &st) || !st.st_size) - FATAL("Zero-sized input file."); - - if (st.st_size >= TMIN_MAX_FILE) - FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); - - in_len = st.st_size; - in_data = ck_alloc_nozero(in_len); - - ck_read(fd, in_data, in_len, in_file); - - close(fd); - - OKF("Read %u byte%s from '%s'.", in_len, in_len == 1 ? "" : "s", in_file); - -} - - -/* Write output file. */ - -static s32 write_to_file(u8* path, u8* mem, u32 len) { - - s32 ret; - - unlink(path); /* Ignore errors */ - - ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600); - - if (ret < 0) PFATAL("Unable to create '%s'", path); - - ck_write(ret, mem, len, path); - - lseek(ret, 0, SEEK_SET); - - return ret; - -} - - -/* Handle timeout signal. */ - -static void handle_timeout(int sig) { - - child_timed_out = 1; - if (child_pid > 0) kill(child_pid, SIGKILL); - -} - - -/* Execute target application. Returns exec checksum, or 0 if program - times out. */ - -static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) { - - static struct itimerval it; - int status = 0; - - s32 prog_in_fd; - u32 cksum; - - memset(trace_bits, 0, MAP_SIZE); - MEM_BARRIER(); - - prog_in_fd = write_to_file(prog_in, mem, len); - - child_pid = fork(); - - if (child_pid < 0) PFATAL("fork() failed"); - - if (!child_pid) { - - struct rlimit r; - - if (dup2(use_stdin ? prog_in_fd : dev_null_fd, 0) < 0 || - dup2(dev_null_fd, 1) < 0 || - dup2(dev_null_fd, 2) < 0) { - - *(u32*)trace_bits = EXEC_FAIL_SIG; - PFATAL("dup2() failed"); - - } - - close(dev_null_fd); - close(prog_in_fd); - - if (mem_limit) { - - r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; - -#ifdef RLIMIT_AS - - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ - -#else - - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ - -#endif /* ^RLIMIT_AS */ - - } - - r.rlim_max = r.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - - execv(target_path, argv); - - *(u32*)trace_bits = EXEC_FAIL_SIG; - exit(0); - - } - - close(prog_in_fd); - - /* Configure timeout, wait for child, cancel timeout. */ - - child_timed_out = 0; - it.it_value.tv_sec = (exec_tmout / 1000); - it.it_value.tv_usec = (exec_tmout % 1000) * 1000; - - setitimer(ITIMER_REAL, &it, NULL); - - if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed"); - - child_pid = 0; - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - - setitimer(ITIMER_REAL, &it, NULL); - - MEM_BARRIER(); - - /* Clean up bitmap, analyze exit condition, etc. */ - - if (*(u32*)trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute '%s'", argv[0]); - - classify_counts(trace_bits); - total_execs++; - - if (stop_soon) { - SAYF(cRST cLRD "\n+++ Analysis aborted by user +++\n" cRST); - exit(1); - } - - /* Always discard inputs that time out. */ - - if (child_timed_out) { - - exec_hangs++; - return 0; - - } - - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - - /* We don't actually care if the target is crashing or not, - except that when it does, the checksum should be different. */ - - if (WIFSIGNALED(status) || - (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || - (WIFEXITED(status) && WEXITSTATUS(status))) { - - cksum ^= 0xffffffff; - - } - - if (first_run) orig_cksum = cksum; - - return cksum; - -} - - -#ifdef USE_COLOR - -/* Helper function to display a human-readable character. */ - -static void show_char(u8 val) { - - switch (val) { - - case 0 ... 32: - case 127 ... 255: SAYF("#%02x", val); break; - - default: SAYF(" %c ", val); - - } - -} - - -/* Show the legend */ - -static void show_legend(void) { - - SAYF(" " cLGR bgGRA " 01 " cRST " - no-op block " - cBLK bgLGN " 01 " cRST " - suspected length field\n" - " " cBRI bgGRA " 01 " cRST " - superficial content " - cBLK bgYEL " 01 " cRST " - suspected cksum or magic int\n" - " " cBLK bgCYA " 01 " cRST " - critical stream " - cBLK bgLRD " 01 " cRST " - suspected checksummed block\n" - " " cBLK bgMGN " 01 " cRST " - \"magic value\" section\n\n"); - -} - -#endif /* USE_COLOR */ - - -/* Interpret and report a pattern in the input file. */ - -static void dump_hex(u8* buf, u32 len, u8* b_data) { - - u32 i; - - for (i = 0; i < len; i++) { - -#ifdef USE_COLOR - u32 rlen = 1, off; -#else - u32 rlen = 1; -#endif /* ^USE_COLOR */ - - u8 rtype = b_data[i] & 0x0f; - - /* Look ahead to determine the length of run. */ - - while (i + rlen < len && (b_data[i] >> 7) == (b_data[i + rlen] >> 7)) { - - if (rtype < (b_data[i + rlen] & 0x0f)) rtype = b_data[i + rlen] & 0x0f; - rlen++; - - } - - /* Try to do some further classification based on length & value. */ - - if (rtype == RESP_FIXED) { - - switch (rlen) { - - case 2: { - - u16 val = *(u16*)(in_data + i); - - /* Small integers may be length fields. */ - - if (val && (val <= in_len || SWAP16(val) <= in_len)) { - rtype = RESP_LEN; - break; - } - - /* Uniform integers may be checksums. */ - - if (val && abs(in_data[i] - in_data[i + 1]) > 32) { - rtype = RESP_CKSUM; - break; - } - - break; - - } - - case 4: { - - u32 val = *(u32*)(in_data + i); - - /* Small integers may be length fields. */ - - if (val && (val <= in_len || SWAP32(val) <= in_len)) { - rtype = RESP_LEN; - break; - } - - /* Uniform integers may be checksums. */ - - if (val && (in_data[i] >> 7 != in_data[i + 1] >> 7 || - in_data[i] >> 7 != in_data[i + 2] >> 7 || - in_data[i] >> 7 != in_data[i + 3] >> 7)) { - rtype = RESP_CKSUM; - break; - } - - break; - - } - - case 1: case 3: case 5 ... MAX_AUTO_EXTRA - 1: break; - - default: rtype = RESP_SUSPECT; - - } - - } - - /* Print out the entire run. */ - -#ifdef USE_COLOR - - for (off = 0; off < rlen; off++) { - - /* Every 16 digits, display offset. */ - - if (!((i + off) % 16)) { - - if (off) SAYF(cRST cLCY ">"); - - if (use_hex_offsets) - SAYF(cRST cGRA "%s[%06x] " cRST, (i + off) ? "\n" : "", i + off); - else - SAYF(cRST cGRA "%s[%06u] " cRST, (i + off) ? "\n" : "", i + off); - - } - - switch (rtype) { - - case RESP_NONE: SAYF(cLGR bgGRA); break; - case RESP_MINOR: SAYF(cBRI bgGRA); break; - case RESP_VARIABLE: SAYF(cBLK bgCYA); break; - case RESP_FIXED: SAYF(cBLK bgMGN); break; - case RESP_LEN: SAYF(cBLK bgLGN); break; - case RESP_CKSUM: SAYF(cBLK bgYEL); break; - case RESP_SUSPECT: SAYF(cBLK bgLRD); break; - - } - - show_char(in_data[i + off]); - - if (off != rlen - 1 && (i + off + 1) % 16) SAYF(" "); else SAYF(cRST " "); - - } - -#else - - if (use_hex_offsets) - SAYF(" Offset %x, length %u: ", i, rlen); - else - SAYF(" Offset %u, length %u: ", i, rlen); - - switch (rtype) { - - case RESP_NONE: SAYF("no-op block\n"); break; - case RESP_MINOR: SAYF("superficial content\n"); break; - case RESP_VARIABLE: SAYF("critical stream\n"); break; - case RESP_FIXED: SAYF("\"magic value\" section\n"); break; - case RESP_LEN: SAYF("suspected length field\n"); break; - case RESP_CKSUM: SAYF("suspected cksum or magic int\n"); break; - case RESP_SUSPECT: SAYF("suspected checksummed block\n"); break; - - } - -#endif /* ^USE_COLOR */ - - i += rlen - 1; - - } - -#ifdef USE_COLOR - SAYF(cRST "\n"); -#endif /* USE_COLOR */ - -} - - - -/* Actually analyze! */ - -static void analyze(char** argv) { - - u32 i; - u32 boring_len = 0, prev_xff = 0, prev_x01 = 0, prev_s10 = 0, prev_a10 = 0; - - u8* b_data = ck_alloc(in_len + 1); - u8 seq_byte = 0; - - b_data[in_len] = 0xff; /* Intentional terminator. */ - - ACTF("Analyzing input file (this may take a while)...\n"); - -#ifdef USE_COLOR - show_legend(); -#endif /* USE_COLOR */ - - for (i = 0; i < in_len; i++) { - - u32 xor_ff, xor_01, sub_10, add_10; - u8 xff_orig, x01_orig, s10_orig, a10_orig; - - /* Perform walking byte adjustments across the file. We perform four - operations designed to elicit some response from the underlying - code. */ - - in_data[i] ^= 0xff; - xor_ff = run_target(argv, in_data, in_len, 0); - - in_data[i] ^= 0xfe; - xor_01 = run_target(argv, in_data, in_len, 0); - - in_data[i] = (in_data[i] ^ 0x01) - 0x10; - sub_10 = run_target(argv, in_data, in_len, 0); - - in_data[i] += 0x20; - add_10 = run_target(argv, in_data, in_len, 0); - in_data[i] -= 0x10; - - /* Classify current behavior. */ - - xff_orig = (xor_ff == orig_cksum); - x01_orig = (xor_01 == orig_cksum); - s10_orig = (sub_10 == orig_cksum); - a10_orig = (add_10 == orig_cksum); - - if (xff_orig && x01_orig && s10_orig && a10_orig) { - - b_data[i] = RESP_NONE; - boring_len++; - - } else if (xff_orig || x01_orig || s10_orig || a10_orig) { - - b_data[i] = RESP_MINOR; - boring_len++; - - } else if (xor_ff == xor_01 && xor_ff == sub_10 && xor_ff == add_10) { - - b_data[i] = RESP_FIXED; - - } else b_data[i] = RESP_VARIABLE; - - /* When all checksums change, flip most significant bit of b_data. */ - - if (prev_xff != xor_ff && prev_x01 != xor_01 && - prev_s10 != sub_10 && prev_a10 != add_10) seq_byte ^= 0x80; - - b_data[i] |= seq_byte; - - prev_xff = xor_ff; - prev_x01 = xor_01; - prev_s10 = sub_10; - prev_a10 = add_10; - - } - - dump_hex(in_data, in_len, b_data); - - SAYF("\n"); - - OKF("Analysis complete. Interesting bits: %0.02f%% of the input file.", - 100.0 - ((double)boring_len * 100) / in_len); - - if (exec_hangs) - WARNF(cLRD "Encountered %u timeouts - results may be skewed." cRST, - exec_hangs); - - ck_free(b_data); - -} - - - -/* Handle Ctrl-C and the like. */ - -static void handle_stop_sig(int sig) { - - stop_soon = 1; - - if (child_pid > 0) kill(child_pid, SIGKILL); - -} - - -/* Do basic preparations - persistent fds, filenames, etc. */ - -static void set_up_environment(void) { - - u8* x; - - dev_null_fd = open("/dev/null", O_RDWR); - if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); - - if (!prog_in) { - - u8* use_dir = "."; - - if (access(use_dir, R_OK | W_OK | X_OK)) { - - use_dir = getenv("TMPDIR"); - if (!use_dir) use_dir = "/tmp"; - - } - - prog_in = alloc_printf("%s/.afl-analyze-temp-%u", use_dir, getpid()); - - } - - /* Set sane defaults... */ - - x = getenv("ASAN_OPTIONS"); - - if (x) { - - if (!strstr(x, "abort_on_error=1")) - FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); - - if (!strstr(x, "symbolize=0")) - FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); - - } - - x = getenv("MSAN_OPTIONS"); - - if (x) { - - if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) - FATAL("Custom MSAN_OPTIONS set without exit_code=" - STRINGIFY(MSAN_ERROR) " - please fix!"); - - if (!strstr(x, "symbolize=0")) - FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); - - } - - setenv("ASAN_OPTIONS", "abort_on_error=1:" - "detect_leaks=0:" - "symbolize=0:" - "allocator_may_return_null=1", 0); - - setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" - "abort_on_error=1:" - "allocator_may_return_null=1:" - "msan_track_origins=0", 0); - - if (getenv("AFL_PRELOAD")) { - setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); - setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); - } - -} - - -/* Setup signal handlers, duh. */ - -static void setup_signal_handlers(void) { - - struct sigaction sa; - - sa.sa_handler = NULL; - sa.sa_flags = SA_RESTART; - sa.sa_sigaction = NULL; - - sigemptyset(&sa.sa_mask); - - /* Various ways of saying "stop". */ - - sa.sa_handler = handle_stop_sig; - sigaction(SIGHUP, &sa, NULL); - sigaction(SIGINT, &sa, NULL); - sigaction(SIGTERM, &sa, NULL); - - /* Exec timeout notifications. */ - - sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); - -} - - -/* Detect @@ in args. */ - -static void detect_file_args(char** argv) { - - u32 i = 0; - u8* cwd = getcwd(NULL, 0); - - if (!cwd) PFATAL("getcwd() failed"); - - while (argv[i]) { - - u8* aa_loc = strstr(argv[i], "@@"); - - if (aa_loc) { - - u8 *aa_subst, *n_arg; - - /* Be sure that we're always using fully-qualified paths. */ - - if (prog_in[0] == '/') aa_subst = prog_in; - else aa_subst = alloc_printf("%s/%s", cwd, prog_in); - - /* Construct a replacement argv value. */ - - *aa_loc = 0; - n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); - argv[i] = n_arg; - *aa_loc = '@'; - - if (prog_in[0] != '/') ck_free(aa_subst); - - } - - i++; - - } - - free(cwd); /* not tracked */ - -} - - -/* Display usage hints. */ - -static void usage(u8* argv0) { - - SAYF("\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" - - "Required parameters:\n\n" - - " -i file - input test case to be analyzed by the tool\n" - - "Execution control settings:\n\n" - - " -f file - input file read by the tested program (stdin)\n" - " -t msec - timeout for each run (%u ms)\n" - " -m megs - memory limit for child process (%u MB)\n" - " -Q - use binary-only instrumentation (QEMU mode)\n\n" - - "Analysis settings:\n\n" - - " -e - look for edge coverage only, ignore hit counts\n\n" - - "Other stuff:\n\n" - - " -V - show version number and exit\n\n" - - "For additional tips, please consult %s/README.\n\n", - - argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); - - exit(1); - -} - - -/* Find binary. */ - -static void find_binary(u8* fname) { - - u8* env_path = 0; - struct stat st; - - if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - - target_path = ck_strdup(fname); - - if (stat(target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || st.st_size < 4) - FATAL("Program '%s' not found or not executable", fname); - - } else { - - while (env_path) { - - u8 *cur_elem, *delim = strchr(env_path, ':'); - - if (delim) { - - cur_elem = ck_alloc(delim - env_path + 1); - memcpy(cur_elem, env_path, delim - env_path); - delim++; - - } else cur_elem = ck_strdup(env_path); - - env_path = delim; - - if (cur_elem[0]) - target_path = alloc_printf("%s/%s", cur_elem, fname); - else - target_path = ck_strdup(fname); - - ck_free(cur_elem); - - if (!stat(target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && st.st_size >= 4) break; - - ck_free(target_path); - target_path = 0; - - } - - if (!target_path) FATAL("Program '%s' not found or not executable", fname); - - } - -} - - -/* Fix up argv for QEMU. */ - -static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { - - char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); - u8 *tmp, *cp, *rsl, *own_copy; - - /* Workaround for a QEMU stability glitch. */ - - setenv("QEMU_LOG", "nochain", 1); - - memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); - - /* Now we need to actually find qemu for argv[0]. */ - - new_argv[2] = target_path; - new_argv[1] = "--"; - - tmp = getenv("AFL_PATH"); - - if (tmp) { - - cp = alloc_printf("%s/afl-qemu-trace", tmp); - - if (access(cp, X_OK)) - FATAL("Unable to find '%s'", tmp); - - target_path = new_argv[0] = cp; - return new_argv; - - } - - own_copy = ck_strdup(own_loc); - rsl = strrchr(own_copy, '/'); - - if (rsl) { - - *rsl = 0; - - cp = alloc_printf("%s/afl-qemu-trace", own_copy); - ck_free(own_copy); - - if (!access(cp, X_OK)) { - - target_path = new_argv[0] = cp; - return new_argv; - - } - - } else ck_free(own_copy); - - if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { - - target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace"; - return new_argv; - - } - - FATAL("Unable to find 'afl-qemu-trace'."); - -} - - -/* Main entry point */ - -int main(int argc, char** argv) { - - s32 opt; - u8 mem_limit_given = 0, timeout_given = 0, qemu_mode = 0; - char** use_argv; - - doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - - SAYF(cCYA "afl-analyze " cBRI VERSION cRST " by \n"); - - while ((opt = getopt(argc,argv,"+i:f:m:t:eQV")) > 0) - - switch (opt) { - - case 'i': - - if (in_file) FATAL("Multiple -i options not supported"); - in_file = optarg; - break; - - case 'f': - - if (prog_in) FATAL("Multiple -f options not supported"); - use_stdin = 0; - prog_in = optarg; - break; - - case 'e': - - if (edges_only) FATAL("Multiple -e options not supported"); - edges_only = 1; - break; - - case 'm': { - - u8 suffix = 'M'; - - if (mem_limit_given) FATAL("Multiple -m options not supported"); - mem_limit_given = 1; - - if (!strcmp(optarg, "none")) { - - mem_limit = 0; - break; - - } - - if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -m"); - - switch (suffix) { - - case 'T': mem_limit *= 1024 * 1024; break; - case 'G': mem_limit *= 1024; break; - case 'k': mem_limit /= 1024; break; - case 'M': break; - - default: FATAL("Unsupported suffix or bad syntax for -m"); - - } - - if (mem_limit < 5) FATAL("Dangerously low value of -m"); - - if (sizeof(rlim_t) == 4 && mem_limit > 2000) - FATAL("Value of -m out of range on 32-bit systems"); - - } - - break; - - case 't': - - if (timeout_given) FATAL("Multiple -t options not supported"); - timeout_given = 1; - - exec_tmout = atoi(optarg); - - if (exec_tmout < 10 || optarg[0] == '-') - FATAL("Dangerously low value of -t"); - - break; - - case 'Q': - - if (qemu_mode) FATAL("Multiple -Q options not supported"); - if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; - - qemu_mode = 1; - break; - - case 'V': /* Show version number */ - - /* Version number has been printed already, just quit. */ - exit(0); - - default: - - usage(argv[0]); - - } - - if (optind == argc || !in_file) usage(argv[0]); - - use_hex_offsets = !!getenv("AFL_ANALYZE_HEX"); - - setup_shm(); - setup_signal_handlers(); - - set_up_environment(); - - find_binary(argv[optind]); - detect_file_args(argv + optind); - - if (qemu_mode) - use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); - else - use_argv = argv + optind; - - SAYF("\n"); - - read_initial_file(); - - ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", - mem_limit, exec_tmout, edges_only ? ", edges only" : ""); - - run_target(use_argv, in_data, in_len, 1); - - if (child_timed_out) - FATAL("Target binary times out (adjusting -t may help)."); - - if (!anything_set()) FATAL("No instrumentation detected."); - - analyze(use_argv); - - OKF("We're done here. Have a nice day!\n"); - - exit(0); - -} - +/* + Copyright 2016 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - file format analyzer + ----------------------------------------- + + Written and maintained by Michal Zalewski + + A nifty utility that grabs an input file and takes a stab at explaining + its structure by observing how changes to it affect the execution path. + + If the output scrolls past the edge of the screen, pipe it to 'less -r'. + +*/ + +#define AFL_MAIN +#include "android-ashmem.h" + +#include "config.h" +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" +#include "hash.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +static s32 child_pid; /* PID of the tested program */ + +static u8* trace_bits; /* SHM with instrumentation bitmap */ + +static u8 *in_file, /* Analyzer input test case */ + *prog_in, /* Targeted program input file */ + *target_path, /* Path to target binary */ + *doc_path; /* Path to docs */ + +static u8 *in_data; /* Input data for analysis */ + +static u32 in_len, /* Input data length */ + orig_cksum, /* Original checksum */ + total_execs, /* Total number of execs */ + exec_hangs, /* Total number of hangs */ + exec_tmout = EXEC_TIMEOUT; /* Exec timeout (ms) */ + +static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ + +static s32 shm_id, /* ID of the SHM region */ + dev_null_fd = -1; /* FD to /dev/null */ + +static u8 edges_only, /* Ignore hit counts? */ + use_hex_offsets, /* Show hex offsets? */ + use_stdin = 1; /* Use stdin for program input? */ + +static volatile u8 + stop_soon, /* Ctrl-C pressed? */ + child_timed_out; /* Child timed out? */ + + +/* Constants used for describing byte behavior. */ + +#define RESP_NONE 0x00 /* Changing byte is a no-op. */ +#define RESP_MINOR 0x01 /* Some changes have no effect. */ +#define RESP_VARIABLE 0x02 /* Changes produce variable paths. */ +#define RESP_FIXED 0x03 /* Changes produce fixed patterns. */ + +#define RESP_LEN 0x04 /* Potential length field */ +#define RESP_CKSUM 0x05 /* Potential checksum */ +#define RESP_SUSPECT 0x06 /* Potential "suspect" blob */ + + +/* Classify tuple counts. This is a slow & naive version, but good enough here. */ + +static u8 count_class_lookup[256] = { + + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 4, + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 + +}; + +static void classify_counts(u8* mem) { + + u32 i = MAP_SIZE; + + if (edges_only) { + + while (i--) { + if (*mem) *mem = 1; + mem++; + } + + } else { + + while (i--) { + *mem = count_class_lookup[*mem]; + mem++; + } + + } + +} + + +/* See if any bytes are set in the bitmap. */ + +static inline u8 anything_set(void) { + + u32* ptr = (u32*)trace_bits; + u32 i = (MAP_SIZE >> 2); + + while (i--) if (*(ptr++)) return 1; + + return 0; + +} + + +/* Get rid of shared memory and temp files (atexit handler). */ + +static void remove_shm(void) { + + unlink(prog_in); /* Ignore errors */ + shmctl(shm_id, IPC_RMID, NULL); + +} + + +/* Configure shared memory. */ + +static void setup_shm(void) { + + u8* shm_str; + + shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); + + if (shm_id < 0) PFATAL("shmget() failed"); + + atexit(remove_shm); + + shm_str = alloc_printf("%d", shm_id); + + setenv(SHM_ENV_VAR, shm_str, 1); + + ck_free(shm_str); + + trace_bits = shmat(shm_id, NULL, 0); + + if (trace_bits == (void *)-1) PFATAL("shmat() failed"); + +} + + +/* Read initial file. */ + +static void read_initial_file(void) { + + struct stat st; + s32 fd = open(in_file, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", in_file); + + if (fstat(fd, &st) || !st.st_size) + FATAL("Zero-sized input file."); + + if (st.st_size >= TMIN_MAX_FILE) + FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + + in_len = st.st_size; + in_data = ck_alloc_nozero(in_len); + + ck_read(fd, in_data, in_len, in_file); + + close(fd); + + OKF("Read %u byte%s from '%s'.", in_len, in_len == 1 ? "" : "s", in_file); + +} + + +/* Write output file. */ + +static s32 write_to_file(u8* path, u8* mem, u32 len) { + + s32 ret; + + unlink(path); /* Ignore errors */ + + ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600); + + if (ret < 0) PFATAL("Unable to create '%s'", path); + + ck_write(ret, mem, len, path); + + lseek(ret, 0, SEEK_SET); + + return ret; + +} + + +/* Handle timeout signal. */ + +static void handle_timeout(int sig) { + + child_timed_out = 1; + if (child_pid > 0) kill(child_pid, SIGKILL); + +} + + +/* Execute target application. Returns exec checksum, or 0 if program + times out. */ + +static u32 run_target(char** argv, u8* mem, u32 len, u8 first_run) { + + static struct itimerval it; + int status = 0; + + s32 prog_in_fd; + u32 cksum; + + memset(trace_bits, 0, MAP_SIZE); + MEM_BARRIER(); + + prog_in_fd = write_to_file(prog_in, mem, len); + + child_pid = fork(); + + if (child_pid < 0) PFATAL("fork() failed"); + + if (!child_pid) { + + struct rlimit r; + + if (dup2(use_stdin ? prog_in_fd : dev_null_fd, 0) < 0 || + dup2(dev_null_fd, 1) < 0 || + dup2(dev_null_fd, 2) < 0) { + + *(u32*)trace_bits = EXEC_FAIL_SIG; + PFATAL("dup2() failed"); + + } + + close(dev_null_fd); + close(prog_in_fd); + + if (mem_limit) { + + r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; + +#ifdef RLIMIT_AS + + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + +#else + + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + +#endif /* ^RLIMIT_AS */ + + } + + r.rlim_max = r.rlim_cur = 0; + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + + execv(target_path, argv); + + *(u32*)trace_bits = EXEC_FAIL_SIG; + exit(0); + + } + + close(prog_in_fd); + + /* Configure timeout, wait for child, cancel timeout. */ + + child_timed_out = 0; + it.it_value.tv_sec = (exec_tmout / 1000); + it.it_value.tv_usec = (exec_tmout % 1000) * 1000; + + setitimer(ITIMER_REAL, &it, NULL); + + if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed"); + + child_pid = 0; + it.it_value.tv_sec = 0; + it.it_value.tv_usec = 0; + + setitimer(ITIMER_REAL, &it, NULL); + + MEM_BARRIER(); + + /* Clean up bitmap, analyze exit condition, etc. */ + + if (*(u32*)trace_bits == EXEC_FAIL_SIG) + FATAL("Unable to execute '%s'", argv[0]); + + classify_counts(trace_bits); + total_execs++; + + if (stop_soon) { + SAYF(cRST cLRD "\n+++ Analysis aborted by user +++\n" cRST); + exit(1); + } + + /* Always discard inputs that time out. */ + + if (child_timed_out) { + + exec_hangs++; + return 0; + + } + + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + /* We don't actually care if the target is crashing or not, + except that when it does, the checksum should be different. */ + + if (WIFSIGNALED(status) || + (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || + (WIFEXITED(status) && WEXITSTATUS(status))) { + + cksum ^= 0xffffffff; + + } + + if (first_run) orig_cksum = cksum; + + return cksum; + +} + + +#ifdef USE_COLOR + +/* Helper function to display a human-readable character. */ + +static void show_char(u8 val) { + + switch (val) { + + case 0 ... 32: + case 127 ... 255: SAYF("#%02x", val); break; + + default: SAYF(" %c ", val); + + } + +} + + +/* Show the legend */ + +static void show_legend(void) { + + SAYF(" " cLGR bgGRA " 01 " cRST " - no-op block " + cBLK bgLGN " 01 " cRST " - suspected length field\n" + " " cBRI bgGRA " 01 " cRST " - superficial content " + cBLK bgYEL " 01 " cRST " - suspected cksum or magic int\n" + " " cBLK bgCYA " 01 " cRST " - critical stream " + cBLK bgLRD " 01 " cRST " - suspected checksummed block\n" + " " cBLK bgMGN " 01 " cRST " - \"magic value\" section\n\n"); + +} + +#endif /* USE_COLOR */ + + +/* Interpret and report a pattern in the input file. */ + +static void dump_hex(u8* buf, u32 len, u8* b_data) { + + u32 i; + + for (i = 0; i < len; i++) { + +#ifdef USE_COLOR + u32 rlen = 1, off; +#else + u32 rlen = 1; +#endif /* ^USE_COLOR */ + + u8 rtype = b_data[i] & 0x0f; + + /* Look ahead to determine the length of run. */ + + while (i + rlen < len && (b_data[i] >> 7) == (b_data[i + rlen] >> 7)) { + + if (rtype < (b_data[i + rlen] & 0x0f)) rtype = b_data[i + rlen] & 0x0f; + rlen++; + + } + + /* Try to do some further classification based on length & value. */ + + if (rtype == RESP_FIXED) { + + switch (rlen) { + + case 2: { + + u16 val = *(u16*)(in_data + i); + + /* Small integers may be length fields. */ + + if (val && (val <= in_len || SWAP16(val) <= in_len)) { + rtype = RESP_LEN; + break; + } + + /* Uniform integers may be checksums. */ + + if (val && abs(in_data[i] - in_data[i + 1]) > 32) { + rtype = RESP_CKSUM; + break; + } + + break; + + } + + case 4: { + + u32 val = *(u32*)(in_data + i); + + /* Small integers may be length fields. */ + + if (val && (val <= in_len || SWAP32(val) <= in_len)) { + rtype = RESP_LEN; + break; + } + + /* Uniform integers may be checksums. */ + + if (val && (in_data[i] >> 7 != in_data[i + 1] >> 7 || + in_data[i] >> 7 != in_data[i + 2] >> 7 || + in_data[i] >> 7 != in_data[i + 3] >> 7)) { + rtype = RESP_CKSUM; + break; + } + + break; + + } + + case 1: case 3: case 5 ... MAX_AUTO_EXTRA - 1: break; + + default: rtype = RESP_SUSPECT; + + } + + } + + /* Print out the entire run. */ + +#ifdef USE_COLOR + + for (off = 0; off < rlen; off++) { + + /* Every 16 digits, display offset. */ + + if (!((i + off) % 16)) { + + if (off) SAYF(cRST cLCY ">"); + + if (use_hex_offsets) + SAYF(cRST cGRA "%s[%06x] " cRST, (i + off) ? "\n" : "", i + off); + else + SAYF(cRST cGRA "%s[%06u] " cRST, (i + off) ? "\n" : "", i + off); + + } + + switch (rtype) { + + case RESP_NONE: SAYF(cLGR bgGRA); break; + case RESP_MINOR: SAYF(cBRI bgGRA); break; + case RESP_VARIABLE: SAYF(cBLK bgCYA); break; + case RESP_FIXED: SAYF(cBLK bgMGN); break; + case RESP_LEN: SAYF(cBLK bgLGN); break; + case RESP_CKSUM: SAYF(cBLK bgYEL); break; + case RESP_SUSPECT: SAYF(cBLK bgLRD); break; + + } + + show_char(in_data[i + off]); + + if (off != rlen - 1 && (i + off + 1) % 16) SAYF(" "); else SAYF(cRST " "); + + } + +#else + + if (use_hex_offsets) + SAYF(" Offset %x, length %u: ", i, rlen); + else + SAYF(" Offset %u, length %u: ", i, rlen); + + switch (rtype) { + + case RESP_NONE: SAYF("no-op block\n"); break; + case RESP_MINOR: SAYF("superficial content\n"); break; + case RESP_VARIABLE: SAYF("critical stream\n"); break; + case RESP_FIXED: SAYF("\"magic value\" section\n"); break; + case RESP_LEN: SAYF("suspected length field\n"); break; + case RESP_CKSUM: SAYF("suspected cksum or magic int\n"); break; + case RESP_SUSPECT: SAYF("suspected checksummed block\n"); break; + + } + +#endif /* ^USE_COLOR */ + + i += rlen - 1; + + } + +#ifdef USE_COLOR + SAYF(cRST "\n"); +#endif /* USE_COLOR */ + +} + + + +/* Actually analyze! */ + +static void analyze(char** argv) { + + u32 i; + u32 boring_len = 0, prev_xff = 0, prev_x01 = 0, prev_s10 = 0, prev_a10 = 0; + + u8* b_data = ck_alloc(in_len + 1); + u8 seq_byte = 0; + + b_data[in_len] = 0xff; /* Intentional terminator. */ + + ACTF("Analyzing input file (this may take a while)...\n"); + +#ifdef USE_COLOR + show_legend(); +#endif /* USE_COLOR */ + + for (i = 0; i < in_len; i++) { + + u32 xor_ff, xor_01, sub_10, add_10; + u8 xff_orig, x01_orig, s10_orig, a10_orig; + + /* Perform walking byte adjustments across the file. We perform four + operations designed to elicit some response from the underlying + code. */ + + in_data[i] ^= 0xff; + xor_ff = run_target(argv, in_data, in_len, 0); + + in_data[i] ^= 0xfe; + xor_01 = run_target(argv, in_data, in_len, 0); + + in_data[i] = (in_data[i] ^ 0x01) - 0x10; + sub_10 = run_target(argv, in_data, in_len, 0); + + in_data[i] += 0x20; + add_10 = run_target(argv, in_data, in_len, 0); + in_data[i] -= 0x10; + + /* Classify current behavior. */ + + xff_orig = (xor_ff == orig_cksum); + x01_orig = (xor_01 == orig_cksum); + s10_orig = (sub_10 == orig_cksum); + a10_orig = (add_10 == orig_cksum); + + if (xff_orig && x01_orig && s10_orig && a10_orig) { + + b_data[i] = RESP_NONE; + boring_len++; + + } else if (xff_orig || x01_orig || s10_orig || a10_orig) { + + b_data[i] = RESP_MINOR; + boring_len++; + + } else if (xor_ff == xor_01 && xor_ff == sub_10 && xor_ff == add_10) { + + b_data[i] = RESP_FIXED; + + } else b_data[i] = RESP_VARIABLE; + + /* When all checksums change, flip most significant bit of b_data. */ + + if (prev_xff != xor_ff && prev_x01 != xor_01 && + prev_s10 != sub_10 && prev_a10 != add_10) seq_byte ^= 0x80; + + b_data[i] |= seq_byte; + + prev_xff = xor_ff; + prev_x01 = xor_01; + prev_s10 = sub_10; + prev_a10 = add_10; + + } + + dump_hex(in_data, in_len, b_data); + + SAYF("\n"); + + OKF("Analysis complete. Interesting bits: %0.02f%% of the input file.", + 100.0 - ((double)boring_len * 100) / in_len); + + if (exec_hangs) + WARNF(cLRD "Encountered %u timeouts - results may be skewed." cRST, + exec_hangs); + + ck_free(b_data); + +} + + + +/* Handle Ctrl-C and the like. */ + +static void handle_stop_sig(int sig) { + + stop_soon = 1; + + if (child_pid > 0) kill(child_pid, SIGKILL); + +} + + +/* Do basic preparations - persistent fds, filenames, etc. */ + +static void set_up_environment(void) { + + u8* x; + + dev_null_fd = open("/dev/null", O_RDWR); + if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); + + if (!prog_in) { + + u8* use_dir = "."; + + if (access(use_dir, R_OK | W_OK | X_OK)) { + + use_dir = getenv("TMPDIR"); + if (!use_dir) use_dir = "/tmp"; + + } + + prog_in = alloc_printf("%s/.afl-analyze-temp-%u", use_dir, getpid()); + + } + + /* Set sane defaults... */ + + x = getenv("ASAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "abort_on_error=1")) + FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); + + if (!strstr(x, "symbolize=0")) + FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); + + } + + x = getenv("MSAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) + FATAL("Custom MSAN_OPTIONS set without exit_code=" + STRINGIFY(MSAN_ERROR) " - please fix!"); + + if (!strstr(x, "symbolize=0")) + FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); + + } + + setenv("ASAN_OPTIONS", "abort_on_error=1:" + "detect_leaks=0:" + "symbolize=0:" + "allocator_may_return_null=1", 0); + + setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" + "symbolize=0:" + "abort_on_error=1:" + "allocator_may_return_null=1:" + "msan_track_origins=0", 0); + + if (getenv("AFL_PRELOAD")) { + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); + setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); + } + +} + + +/* Setup signal handlers, duh. */ + +static void setup_signal_handlers(void) { + + struct sigaction sa; + + sa.sa_handler = NULL; + sa.sa_flags = SA_RESTART; + sa.sa_sigaction = NULL; + + sigemptyset(&sa.sa_mask); + + /* Various ways of saying "stop". */ + + sa.sa_handler = handle_stop_sig; + sigaction(SIGHUP, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + sigaction(SIGTERM, &sa, NULL); + + /* Exec timeout notifications. */ + + sa.sa_handler = handle_timeout; + sigaction(SIGALRM, &sa, NULL); + +} + + +/* Detect @@ in args. */ + +static void detect_file_args(char** argv) { + + u32 i = 0; + u8* cwd = getcwd(NULL, 0); + + if (!cwd) PFATAL("getcwd() failed"); + + while (argv[i]) { + + u8* aa_loc = strstr(argv[i], "@@"); + + if (aa_loc) { + + u8 *aa_subst, *n_arg; + + /* Be sure that we're always using fully-qualified paths. */ + + if (prog_in[0] == '/') aa_subst = prog_in; + else aa_subst = alloc_printf("%s/%s", cwd, prog_in); + + /* Construct a replacement argv value. */ + + *aa_loc = 0; + n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); + argv[i] = n_arg; + *aa_loc = '@'; + + if (prog_in[0] != '/') ck_free(aa_subst); + + } + + i++; + + } + + free(cwd); /* not tracked */ + +} + + +/* Display usage hints. */ + +static void usage(u8* argv0) { + + SAYF("\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" + + "Required parameters:\n\n" + + " -i file - input test case to be analyzed by the tool\n" + + "Execution control settings:\n\n" + + " -f file - input file read by the tested program (stdin)\n" + " -t msec - timeout for each run (%u ms)\n" + " -m megs - memory limit for child process (%u MB)\n" + " -Q - use binary-only instrumentation (QEMU mode)\n\n" + + "Analysis settings:\n\n" + + " -e - look for edge coverage only, ignore hit counts\n\n" + + "Other stuff:\n\n" + + " -V - show version number and exit\n\n" + + "For additional tips, please consult %s/README.\n\n", + + argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); + + exit(1); + +} + + +/* Find binary. */ + +static void find_binary(u8* fname) { + + u8* env_path = 0; + struct stat st; + + if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { + + target_path = ck_strdup(fname); + + if (stat(target_path, &st) || !S_ISREG(st.st_mode) || + !(st.st_mode & 0111) || st.st_size < 4) + FATAL("Program '%s' not found or not executable", fname); + + } else { + + while (env_path) { + + u8 *cur_elem, *delim = strchr(env_path, ':'); + + if (delim) { + + cur_elem = ck_alloc(delim - env_path + 1); + memcpy(cur_elem, env_path, delim - env_path); + delim++; + + } else cur_elem = ck_strdup(env_path); + + env_path = delim; + + if (cur_elem[0]) + target_path = alloc_printf("%s/%s", cur_elem, fname); + else + target_path = ck_strdup(fname); + + ck_free(cur_elem); + + if (!stat(target_path, &st) && S_ISREG(st.st_mode) && + (st.st_mode & 0111) && st.st_size >= 4) break; + + ck_free(target_path); + target_path = 0; + + } + + if (!target_path) FATAL("Program '%s' not found or not executable", fname); + + } + +} + + +/* Fix up argv for QEMU. */ + +static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { + + char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); + u8 *tmp, *cp, *rsl, *own_copy; + + /* Workaround for a QEMU stability glitch. */ + + setenv("QEMU_LOG", "nochain", 1); + + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); + + /* Now we need to actually find qemu for argv[0]. */ + + new_argv[2] = target_path; + new_argv[1] = "--"; + + tmp = getenv("AFL_PATH"); + + if (tmp) { + + cp = alloc_printf("%s/afl-qemu-trace", tmp); + + if (access(cp, X_OK)) + FATAL("Unable to find '%s'", tmp); + + target_path = new_argv[0] = cp; + return new_argv; + + } + + own_copy = ck_strdup(own_loc); + rsl = strrchr(own_copy, '/'); + + if (rsl) { + + *rsl = 0; + + cp = alloc_printf("%s/afl-qemu-trace", own_copy); + ck_free(own_copy); + + if (!access(cp, X_OK)) { + + target_path = new_argv[0] = cp; + return new_argv; + + } + + } else ck_free(own_copy); + + if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { + + target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace"; + return new_argv; + + } + + FATAL("Unable to find 'afl-qemu-trace'."); + +} + + +/* Main entry point */ + +int main(int argc, char** argv) { + + s32 opt; + u8 mem_limit_given = 0, timeout_given = 0, qemu_mode = 0; + char** use_argv; + + doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; + + SAYF(cCYA "afl-analyze " cBRI VERSION cRST " by \n"); + + while ((opt = getopt(argc,argv,"+i:f:m:t:eQV")) > 0) + + switch (opt) { + + case 'i': + + if (in_file) FATAL("Multiple -i options not supported"); + in_file = optarg; + break; + + case 'f': + + if (prog_in) FATAL("Multiple -f options not supported"); + use_stdin = 0; + prog_in = optarg; + break; + + case 'e': + + if (edges_only) FATAL("Multiple -e options not supported"); + edges_only = 1; + break; + + case 'm': { + + u8 suffix = 'M'; + + if (mem_limit_given) FATAL("Multiple -m options not supported"); + mem_limit_given = 1; + + if (!strcmp(optarg, "none")) { + + mem_limit = 0; + break; + + } + + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -m"); + + switch (suffix) { + + case 'T': mem_limit *= 1024 * 1024; break; + case 'G': mem_limit *= 1024; break; + case 'k': mem_limit /= 1024; break; + case 'M': break; + + default: FATAL("Unsupported suffix or bad syntax for -m"); + + } + + if (mem_limit < 5) FATAL("Dangerously low value of -m"); + + if (sizeof(rlim_t) == 4 && mem_limit > 2000) + FATAL("Value of -m out of range on 32-bit systems"); + + } + + break; + + case 't': + + if (timeout_given) FATAL("Multiple -t options not supported"); + timeout_given = 1; + + exec_tmout = atoi(optarg); + + if (exec_tmout < 10 || optarg[0] == '-') + FATAL("Dangerously low value of -t"); + + break; + + case 'Q': + + if (qemu_mode) FATAL("Multiple -Q options not supported"); + if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; + + qemu_mode = 1; + break; + + case 'V': /* Show version number */ + + /* Version number has been printed already, just quit. */ + exit(0); + + default: + + usage(argv[0]); + + } + + if (optind == argc || !in_file) usage(argv[0]); + + use_hex_offsets = !!getenv("AFL_ANALYZE_HEX"); + + setup_shm(); + setup_signal_handlers(); + + set_up_environment(); + + find_binary(argv[optind]); + detect_file_args(argv + optind); + + if (qemu_mode) + use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); + else + use_argv = argv + optind; + + SAYF("\n"); + + read_initial_file(); + + ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", + mem_limit, exec_tmout, edges_only ? ", edges only" : ""); + + run_target(use_argv, in_data, in_len, 1); + + if (child_timed_out) + FATAL("Target binary times out (adjusting -t may help)."); + + if (!anything_set()) FATAL("No instrumentation detected."); + + analyze(use_argv); + + OKF("We're done here. Have a nice day!\n"); + + exit(0); + +} + diff --git a/afl-as.c b/afl-as.c index f0a372f..ea018ee 100644 --- a/afl-as.c +++ b/afl-as.c @@ -1,557 +1,557 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - wrapper for GNU as - --------------------------------------- - - Written and maintained by Michal Zalewski - - The sole purpose of this wrapper is to preprocess assembly files generated - by GCC / clang and inject the instrumentation bits included from afl-as.h. It - is automatically invoked by the toolchain when compiling programs using - afl-gcc / afl-clang. - - Note that it's an explicit non-goal to instrument hand-written assembly, - be it in separate .s files or in __asm__ blocks. The only aspiration this - utility has right now is to be able to skip them gracefully and allow the - compilation process to continue. - - That said, see experimental/clang_asm_normalize/ for a solution that may - allow clang users to make things work even with hand-crafted assembly. Just - note that there is no equivalent for GCC. - -*/ - -#define AFL_MAIN - -#include "config.h" -#include "types.h" -#include "debug.h" -#include "alloc-inl.h" - -#include "afl-as.h" - -#include -#include -#include -#include -#include -#include -#include - -#include -#include - -static u8** as_params; /* Parameters passed to the real 'as' */ - -static u8* input_file; /* Originally specified input file */ -static u8* modified_file; /* Instrumented file for the real 'as' */ - -static u8 be_quiet, /* Quiet mode (no stderr output) */ - clang_mode, /* Running in clang mode? */ - pass_thru, /* Just pass data through? */ - just_version, /* Just show version? */ - sanitizer; /* Using ASAN / MSAN */ - -static u32 inst_ratio = 100, /* Instrumentation probability (%) */ - as_par_cnt = 1; /* Number of params to 'as' */ - -/* If we don't find --32 or --64 in the command line, default to - instrumentation for whichever mode we were compiled with. This is not - perfect, but should do the trick for almost all use cases. */ - -#ifdef WORD_SIZE_64 - -static u8 use_64bit = 1; - -#else - -static u8 use_64bit = 0; - -#ifdef __APPLE__ -# error "Sorry, 32-bit Apple platforms are not supported." -#endif /* __APPLE__ */ - -#endif /* ^WORD_SIZE_64 */ - - -/* Examine and modify parameters to pass to 'as'. Note that the file name - is always the last parameter passed by GCC, so we exploit this property - to keep the code simple. */ - -static void edit_params(int argc, char** argv) { - - u8 *tmp_dir = getenv("TMPDIR"), *afl_as = getenv("AFL_AS"); - u32 i; - -#ifdef __APPLE__ - - u8 use_clang_as = 0; - - /* On MacOS X, the Xcode cctool 'as' driver is a bit stale and does not work - with the code generated by newer versions of clang that are hand-built - by the user. See the thread here: http://goo.gl/HBWDtn. - - To work around this, when using clang and running without AFL_AS - specified, we will actually call 'clang -c' instead of 'as -q' to - compile the assembly file. - - The tools aren't cmdline-compatible, but at least for now, we can - seemingly get away with this by making only very minor tweaks. Thanks - to Nico Weber for the idea. */ - - if (clang_mode && !afl_as) { - - use_clang_as = 1; - - afl_as = getenv("AFL_CC"); - if (!afl_as) afl_as = getenv("AFL_CXX"); - if (!afl_as) afl_as = "clang"; - - } - -#endif /* __APPLE__ */ - - /* Although this is not documented, GCC also uses TEMP and TMP when TMPDIR - is not set. We need to check these non-standard variables to properly - handle the pass_thru logic later on. */ - - if (!tmp_dir) tmp_dir = getenv("TEMP"); - if (!tmp_dir) tmp_dir = getenv("TMP"); - if (!tmp_dir) tmp_dir = "/tmp"; - - as_params = ck_alloc((argc + 32) * sizeof(u8*)); - - as_params[0] = afl_as ? afl_as : (u8*)"as"; - - as_params[argc] = 0; - - for (i = 1; i < argc - 1; i++) { - - if (!strcmp(argv[i], "--64")) use_64bit = 1; - else if (!strcmp(argv[i], "--32")) use_64bit = 0; - -#ifdef __APPLE__ - - /* The Apple case is a bit different... */ - - if (!strcmp(argv[i], "-arch") && i + 1 < argc) { - - if (!strcmp(argv[i + 1], "x86_64")) use_64bit = 1; - else if (!strcmp(argv[i + 1], "i386")) - FATAL("Sorry, 32-bit Apple platforms are not supported."); - - } - - /* Strip options that set the preference for a particular upstream - assembler in Xcode. */ - - if (clang_mode && (!strcmp(argv[i], "-q") || !strcmp(argv[i], "-Q"))) - continue; - -#endif /* __APPLE__ */ - - as_params[as_par_cnt++] = argv[i]; - - } - -#ifdef __APPLE__ - - /* When calling clang as the upstream assembler, append -c -x assembler - and hope for the best. */ - - if (use_clang_as) { - - as_params[as_par_cnt++] = "-c"; - as_params[as_par_cnt++] = "-x"; - as_params[as_par_cnt++] = "assembler"; - - } - -#endif /* __APPLE__ */ - - input_file = argv[argc - 1]; - - if (input_file[0] == '-') { - - if (!strcmp(input_file + 1, "-version")) { - just_version = 1; - modified_file = input_file; - goto wrap_things_up; - } - - if (input_file[1]) FATAL("Incorrect use (not called through afl-gcc?)"); - else input_file = NULL; - - } else { - - /* Check if this looks like a standard invocation as a part of an attempt - to compile a program, rather than using gcc on an ad-hoc .s file in - a format we may not understand. This works around an issue compiling - NSS. */ - - if (strncmp(input_file, tmp_dir, strlen(tmp_dir)) && - strncmp(input_file, "/var/tmp/", 9) && - strncmp(input_file, "/tmp/", 5)) pass_thru = 1; - - } - - modified_file = alloc_printf("%s/.afl-%u-%u.s", tmp_dir, getpid(), - (u32)time(NULL)); - -wrap_things_up: - - as_params[as_par_cnt++] = modified_file; - as_params[as_par_cnt] = NULL; - -} - - -/* Process input file, generate modified_file. Insert instrumentation in all - the appropriate places. */ - -static void add_instrumentation(void) { - - static u8 line[MAX_LINE]; - - FILE* inf; - FILE* outf; - s32 outfd; - u32 ins_lines = 0; - - u8 instr_ok = 0, skip_csect = 0, skip_next_label = 0, - skip_intel = 0, skip_app = 0, instrument_next = 0; - -#ifdef __APPLE__ - - u8* colon_pos; - -#endif /* __APPLE__ */ - - if (input_file) { - - inf = fopen(input_file, "r"); - if (!inf) PFATAL("Unable to read '%s'", input_file); - - } else inf = stdin; - - outfd = open(modified_file, O_WRONLY | O_EXCL | O_CREAT, 0600); - - if (outfd < 0) PFATAL("Unable to write to '%s'", modified_file); - - outf = fdopen(outfd, "w"); - - if (!outf) PFATAL("fdopen() failed"); - - while (fgets(line, MAX_LINE, inf)) { - - /* In some cases, we want to defer writing the instrumentation trampoline - until after all the labels, macros, comments, etc. If we're in this - mode, and if the line starts with a tab followed by a character, dump - the trampoline now. */ - - if (!pass_thru && !skip_intel && !skip_app && !skip_csect && instr_ok && - instrument_next && line[0] == '\t' && isalpha(line[1])) { - - fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32, - R(MAP_SIZE)); - - instrument_next = 0; - ins_lines++; - - } - - /* Output the actual line, call it a day in pass-thru mode. */ - - fputs(line, outf); - - if (pass_thru) continue; - - /* All right, this is where the actual fun begins. For one, we only want to - instrument the .text section. So, let's keep track of that in processed - files - and let's set instr_ok accordingly. */ - - if (line[0] == '\t' && line[1] == '.') { - - /* OpenBSD puts jump tables directly inline with the code, which is - a bit annoying. They use a specific format of p2align directives - around them, so we use that as a signal. */ - - if (!clang_mode && instr_ok && !strncmp(line + 2, "p2align ", 8) && - isdigit(line[10]) && line[11] == '\n') skip_next_label = 1; - - if (!strncmp(line + 2, "text\n", 5) || - !strncmp(line + 2, "section\t.text", 13) || - !strncmp(line + 2, "section\t__TEXT,__text", 21) || - !strncmp(line + 2, "section __TEXT,__text", 21)) { - instr_ok = 1; - continue; - } - - if (!strncmp(line + 2, "section\t", 8) || - !strncmp(line + 2, "section ", 8) || - !strncmp(line + 2, "bss\n", 4) || - !strncmp(line + 2, "data\n", 5)) { - instr_ok = 0; - continue; - } - - } - - /* Detect off-flavor assembly (rare, happens in gdb). When this is - encountered, we set skip_csect until the opposite directive is - seen, and we do not instrument. */ - - if (strstr(line, ".code")) { - - if (strstr(line, ".code32")) skip_csect = use_64bit; - if (strstr(line, ".code64")) skip_csect = !use_64bit; - - } - - /* Detect syntax changes, as could happen with hand-written assembly. - Skip Intel blocks, resume instrumentation when back to AT&T. */ - - if (strstr(line, ".intel_syntax")) skip_intel = 1; - if (strstr(line, ".att_syntax")) skip_intel = 0; - - /* Detect and skip ad-hoc __asm__ blocks, likewise skipping them. */ - - if (line[0] == '#' || line[1] == '#') { - - if (strstr(line, "#APP")) skip_app = 1; - if (strstr(line, "#NO_APP")) skip_app = 0; - - } - - /* If we're in the right mood for instrumenting, check for function - names or conditional labels. This is a bit messy, but in essence, - we want to catch: - - ^main: - function entry point (always instrumented) - ^.L0: - GCC branch label - ^.LBB0_0: - clang branch label (but only in clang mode) - ^\tjnz foo - conditional branches - - ...but not: - - ^# BB#0: - clang comments - ^ # BB#0: - ditto - ^.Ltmp0: - clang non-branch labels - ^.LC0 - GCC non-branch labels - ^.LBB0_0: - ditto (when in GCC mode) - ^\tjmp foo - non-conditional jumps - - Additionally, clang and GCC on MacOS X follow a different convention - with no leading dots on labels, hence the weird maze of #ifdefs - later on. - - */ - - if (skip_intel || skip_app || skip_csect || !instr_ok || - line[0] == '#' || line[0] == ' ') continue; - - /* Conditional branch instruction (jnz, etc). We append the instrumentation - right after the branch (to instrument the not-taken path) and at the - branch destination label (handled later on). */ - - if (line[0] == '\t') { - - if (line[1] == 'j' && line[2] != 'm' && R(100) < inst_ratio) { - - fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32, - R(MAP_SIZE)); - - ins_lines++; - - } - - continue; - - } - - /* Label of some sort. This may be a branch destination, but we need to - tread carefully and account for several different formatting - conventions. */ - -#ifdef __APPLE__ - - /* Apple: L: */ - - if ((colon_pos = strstr(line, ":"))) { - - if (line[0] == 'L' && isdigit(*(colon_pos - 1))) { - -#else - - /* Everybody else: .L: */ - - if (strstr(line, ":")) { - - if (line[0] == '.') { - -#endif /* __APPLE__ */ - - /* .L0: or LBB0_0: style jump destination */ - -#ifdef __APPLE__ - - /* Apple: L / LBB */ - - if ((isdigit(line[1]) || (clang_mode && !strncmp(line, "LBB", 3))) - && R(100) < inst_ratio) { - -#else - - /* Apple: .L / .LBB */ - - if ((isdigit(line[2]) || (clang_mode && !strncmp(line + 1, "LBB", 3))) - && R(100) < inst_ratio) { - -#endif /* __APPLE__ */ - - /* An optimization is possible here by adding the code only if the - label is mentioned in the code in contexts other than call / jmp. - That said, this complicates the code by requiring two-pass - processing (messy with stdin), and results in a speed gain - typically under 10%, because compilers are generally pretty good - about not generating spurious intra-function jumps. - - We use deferred output chiefly to avoid disrupting - .Lfunc_begin0-style exception handling calculations (a problem on - MacOS X). */ - - if (!skip_next_label) instrument_next = 1; else skip_next_label = 0; - - } - - } else { - - /* Function label (always instrumented, deferred mode). */ - - instrument_next = 1; - - } - - } - - } - - if (ins_lines) - fputs(use_64bit ? main_payload_64 : main_payload_32, outf); - - if (input_file) fclose(inf); - fclose(outf); - - if (!be_quiet) { - - if (!ins_lines) WARNF("No instrumentation targets found%s.", - pass_thru ? " (pass-thru mode)" : ""); - else OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).", - ins_lines, use_64bit ? "64" : "32", - getenv("AFL_HARDEN") ? "hardened" : - (sanitizer ? "ASAN/MSAN" : "non-hardened"), - inst_ratio); - - } - -} - - -/* Main entry point */ - -int main(int argc, char** argv) { - - s32 pid; - u32 rand_seed; - int status; - u8* inst_ratio_str = getenv("AFL_INST_RATIO"); - - struct timeval tv; - struct timezone tz; - - clang_mode = !!getenv(CLANG_ENV_VAR); - - if (isatty(2) && !getenv("AFL_QUIET")) { - - SAYF(cCYA "afl-as " cBRI VERSION cRST " by \n"); - - } else be_quiet = 1; - - if (argc < 2) { - - SAYF("\n" - "This is a helper application for afl-fuzz. It is a wrapper around GNU 'as',\n" - "executed by the toolchain whenever using afl-gcc or afl-clang. You probably\n" - "don't want to run this program directly.\n\n" - - "Rarely, when dealing with extremely complex projects, it may be advisable to\n" - "set AFL_INST_RATIO to a value less than 100 in order to reduce the odds of\n" - "instrumenting every discovered branch.\n\n"); - - exit(1); - - } - - gettimeofday(&tv, &tz); - - rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); - - srandom(rand_seed); - - edit_params(argc, argv); - - if (inst_ratio_str) { - - if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || inst_ratio > 100) - FATAL("Bad value of AFL_INST_RATIO (must be between 0 and 100)"); - - } - - if (getenv(AS_LOOP_ENV_VAR)) - FATAL("Endless loop when calling 'as' (remove '.' from your PATH)"); - - setenv(AS_LOOP_ENV_VAR, "1", 1); - - /* When compiling with ASAN, we don't have a particularly elegant way to skip - ASAN-specific branches. But we can probabilistically compensate for - that... */ - - if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) { - sanitizer = 1; - inst_ratio /= 3; - } - - if (!just_version) add_instrumentation(); - - if (!(pid = fork())) { - - execvp(as_params[0], (char**)as_params); - FATAL("Oops, failed to execute '%s' - check your PATH", as_params[0]); - - } - - if (pid < 0) PFATAL("fork() failed"); - - if (waitpid(pid, &status, 0) <= 0) PFATAL("waitpid() failed"); - - if (!getenv("AFL_KEEP_ASSEMBLY")) unlink(modified_file); - - exit(WEXITSTATUS(status)); - -} - +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - wrapper for GNU as + --------------------------------------- + + Written and maintained by Michal Zalewski + + The sole purpose of this wrapper is to preprocess assembly files generated + by GCC / clang and inject the instrumentation bits included from afl-as.h. It + is automatically invoked by the toolchain when compiling programs using + afl-gcc / afl-clang. + + Note that it's an explicit non-goal to instrument hand-written assembly, + be it in separate .s files or in __asm__ blocks. The only aspiration this + utility has right now is to be able to skip them gracefully and allow the + compilation process to continue. + + That said, see experimental/clang_asm_normalize/ for a solution that may + allow clang users to make things work even with hand-crafted assembly. Just + note that there is no equivalent for GCC. + +*/ + +#define AFL_MAIN + +#include "config.h" +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" + +#include "afl-as.h" + +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +static u8** as_params; /* Parameters passed to the real 'as' */ + +static u8* input_file; /* Originally specified input file */ +static u8* modified_file; /* Instrumented file for the real 'as' */ + +static u8 be_quiet, /* Quiet mode (no stderr output) */ + clang_mode, /* Running in clang mode? */ + pass_thru, /* Just pass data through? */ + just_version, /* Just show version? */ + sanitizer; /* Using ASAN / MSAN */ + +static u32 inst_ratio = 100, /* Instrumentation probability (%) */ + as_par_cnt = 1; /* Number of params to 'as' */ + +/* If we don't find --32 or --64 in the command line, default to + instrumentation for whichever mode we were compiled with. This is not + perfect, but should do the trick for almost all use cases. */ + +#ifdef WORD_SIZE_64 + +static u8 use_64bit = 1; + +#else + +static u8 use_64bit = 0; + +#ifdef __APPLE__ +# error "Sorry, 32-bit Apple platforms are not supported." +#endif /* __APPLE__ */ + +#endif /* ^WORD_SIZE_64 */ + + +/* Examine and modify parameters to pass to 'as'. Note that the file name + is always the last parameter passed by GCC, so we exploit this property + to keep the code simple. */ + +static void edit_params(int argc, char** argv) { + + u8 *tmp_dir = getenv("TMPDIR"), *afl_as = getenv("AFL_AS"); + u32 i; + +#ifdef __APPLE__ + + u8 use_clang_as = 0; + + /* On MacOS X, the Xcode cctool 'as' driver is a bit stale and does not work + with the code generated by newer versions of clang that are hand-built + by the user. See the thread here: http://goo.gl/HBWDtn. + + To work around this, when using clang and running without AFL_AS + specified, we will actually call 'clang -c' instead of 'as -q' to + compile the assembly file. + + The tools aren't cmdline-compatible, but at least for now, we can + seemingly get away with this by making only very minor tweaks. Thanks + to Nico Weber for the idea. */ + + if (clang_mode && !afl_as) { + + use_clang_as = 1; + + afl_as = getenv("AFL_CC"); + if (!afl_as) afl_as = getenv("AFL_CXX"); + if (!afl_as) afl_as = "clang"; + + } + +#endif /* __APPLE__ */ + + /* Although this is not documented, GCC also uses TEMP and TMP when TMPDIR + is not set. We need to check these non-standard variables to properly + handle the pass_thru logic later on. */ + + if (!tmp_dir) tmp_dir = getenv("TEMP"); + if (!tmp_dir) tmp_dir = getenv("TMP"); + if (!tmp_dir) tmp_dir = "/tmp"; + + as_params = ck_alloc((argc + 32) * sizeof(u8*)); + + as_params[0] = afl_as ? afl_as : (u8*)"as"; + + as_params[argc] = 0; + + for (i = 1; i < argc - 1; i++) { + + if (!strcmp(argv[i], "--64")) use_64bit = 1; + else if (!strcmp(argv[i], "--32")) use_64bit = 0; + +#ifdef __APPLE__ + + /* The Apple case is a bit different... */ + + if (!strcmp(argv[i], "-arch") && i + 1 < argc) { + + if (!strcmp(argv[i + 1], "x86_64")) use_64bit = 1; + else if (!strcmp(argv[i + 1], "i386")) + FATAL("Sorry, 32-bit Apple platforms are not supported."); + + } + + /* Strip options that set the preference for a particular upstream + assembler in Xcode. */ + + if (clang_mode && (!strcmp(argv[i], "-q") || !strcmp(argv[i], "-Q"))) + continue; + +#endif /* __APPLE__ */ + + as_params[as_par_cnt++] = argv[i]; + + } + +#ifdef __APPLE__ + + /* When calling clang as the upstream assembler, append -c -x assembler + and hope for the best. */ + + if (use_clang_as) { + + as_params[as_par_cnt++] = "-c"; + as_params[as_par_cnt++] = "-x"; + as_params[as_par_cnt++] = "assembler"; + + } + +#endif /* __APPLE__ */ + + input_file = argv[argc - 1]; + + if (input_file[0] == '-') { + + if (!strcmp(input_file + 1, "-version")) { + just_version = 1; + modified_file = input_file; + goto wrap_things_up; + } + + if (input_file[1]) FATAL("Incorrect use (not called through afl-gcc?)"); + else input_file = NULL; + + } else { + + /* Check if this looks like a standard invocation as a part of an attempt + to compile a program, rather than using gcc on an ad-hoc .s file in + a format we may not understand. This works around an issue compiling + NSS. */ + + if (strncmp(input_file, tmp_dir, strlen(tmp_dir)) && + strncmp(input_file, "/var/tmp/", 9) && + strncmp(input_file, "/tmp/", 5)) pass_thru = 1; + + } + + modified_file = alloc_printf("%s/.afl-%u-%u.s", tmp_dir, getpid(), + (u32)time(NULL)); + +wrap_things_up: + + as_params[as_par_cnt++] = modified_file; + as_params[as_par_cnt] = NULL; + +} + + +/* Process input file, generate modified_file. Insert instrumentation in all + the appropriate places. */ + +static void add_instrumentation(void) { + + static u8 line[MAX_LINE]; + + FILE* inf; + FILE* outf; + s32 outfd; + u32 ins_lines = 0; + + u8 instr_ok = 0, skip_csect = 0, skip_next_label = 0, + skip_intel = 0, skip_app = 0, instrument_next = 0; + +#ifdef __APPLE__ + + u8* colon_pos; + +#endif /* __APPLE__ */ + + if (input_file) { + + inf = fopen(input_file, "r"); + if (!inf) PFATAL("Unable to read '%s'", input_file); + + } else inf = stdin; + + outfd = open(modified_file, O_WRONLY | O_EXCL | O_CREAT, 0600); + + if (outfd < 0) PFATAL("Unable to write to '%s'", modified_file); + + outf = fdopen(outfd, "w"); + + if (!outf) PFATAL("fdopen() failed"); + + while (fgets(line, MAX_LINE, inf)) { + + /* In some cases, we want to defer writing the instrumentation trampoline + until after all the labels, macros, comments, etc. If we're in this + mode, and if the line starts with a tab followed by a character, dump + the trampoline now. */ + + if (!pass_thru && !skip_intel && !skip_app && !skip_csect && instr_ok && + instrument_next && line[0] == '\t' && isalpha(line[1])) { + + fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32, + R(MAP_SIZE)); + + instrument_next = 0; + ins_lines++; + + } + + /* Output the actual line, call it a day in pass-thru mode. */ + + fputs(line, outf); + + if (pass_thru) continue; + + /* All right, this is where the actual fun begins. For one, we only want to + instrument the .text section. So, let's keep track of that in processed + files - and let's set instr_ok accordingly. */ + + if (line[0] == '\t' && line[1] == '.') { + + /* OpenBSD puts jump tables directly inline with the code, which is + a bit annoying. They use a specific format of p2align directives + around them, so we use that as a signal. */ + + if (!clang_mode && instr_ok && !strncmp(line + 2, "p2align ", 8) && + isdigit(line[10]) && line[11] == '\n') skip_next_label = 1; + + if (!strncmp(line + 2, "text\n", 5) || + !strncmp(line + 2, "section\t.text", 13) || + !strncmp(line + 2, "section\t__TEXT,__text", 21) || + !strncmp(line + 2, "section __TEXT,__text", 21)) { + instr_ok = 1; + continue; + } + + if (!strncmp(line + 2, "section\t", 8) || + !strncmp(line + 2, "section ", 8) || + !strncmp(line + 2, "bss\n", 4) || + !strncmp(line + 2, "data\n", 5)) { + instr_ok = 0; + continue; + } + + } + + /* Detect off-flavor assembly (rare, happens in gdb). When this is + encountered, we set skip_csect until the opposite directive is + seen, and we do not instrument. */ + + if (strstr(line, ".code")) { + + if (strstr(line, ".code32")) skip_csect = use_64bit; + if (strstr(line, ".code64")) skip_csect = !use_64bit; + + } + + /* Detect syntax changes, as could happen with hand-written assembly. + Skip Intel blocks, resume instrumentation when back to AT&T. */ + + if (strstr(line, ".intel_syntax")) skip_intel = 1; + if (strstr(line, ".att_syntax")) skip_intel = 0; + + /* Detect and skip ad-hoc __asm__ blocks, likewise skipping them. */ + + if (line[0] == '#' || line[1] == '#') { + + if (strstr(line, "#APP")) skip_app = 1; + if (strstr(line, "#NO_APP")) skip_app = 0; + + } + + /* If we're in the right mood for instrumenting, check for function + names or conditional labels. This is a bit messy, but in essence, + we want to catch: + + ^main: - function entry point (always instrumented) + ^.L0: - GCC branch label + ^.LBB0_0: - clang branch label (but only in clang mode) + ^\tjnz foo - conditional branches + + ...but not: + + ^# BB#0: - clang comments + ^ # BB#0: - ditto + ^.Ltmp0: - clang non-branch labels + ^.LC0 - GCC non-branch labels + ^.LBB0_0: - ditto (when in GCC mode) + ^\tjmp foo - non-conditional jumps + + Additionally, clang and GCC on MacOS X follow a different convention + with no leading dots on labels, hence the weird maze of #ifdefs + later on. + + */ + + if (skip_intel || skip_app || skip_csect || !instr_ok || + line[0] == '#' || line[0] == ' ') continue; + + /* Conditional branch instruction (jnz, etc). We append the instrumentation + right after the branch (to instrument the not-taken path) and at the + branch destination label (handled later on). */ + + if (line[0] == '\t') { + + if (line[1] == 'j' && line[2] != 'm' && R(100) < inst_ratio) { + + fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32, + R(MAP_SIZE)); + + ins_lines++; + + } + + continue; + + } + + /* Label of some sort. This may be a branch destination, but we need to + tread carefully and account for several different formatting + conventions. */ + +#ifdef __APPLE__ + + /* Apple: L: */ + + if ((colon_pos = strstr(line, ":"))) { + + if (line[0] == 'L' && isdigit(*(colon_pos - 1))) { + +#else + + /* Everybody else: .L: */ + + if (strstr(line, ":")) { + + if (line[0] == '.') { + +#endif /* __APPLE__ */ + + /* .L0: or LBB0_0: style jump destination */ + +#ifdef __APPLE__ + + /* Apple: L / LBB */ + + if ((isdigit(line[1]) || (clang_mode && !strncmp(line, "LBB", 3))) + && R(100) < inst_ratio) { + +#else + + /* Apple: .L / .LBB */ + + if ((isdigit(line[2]) || (clang_mode && !strncmp(line + 1, "LBB", 3))) + && R(100) < inst_ratio) { + +#endif /* __APPLE__ */ + + /* An optimization is possible here by adding the code only if the + label is mentioned in the code in contexts other than call / jmp. + That said, this complicates the code by requiring two-pass + processing (messy with stdin), and results in a speed gain + typically under 10%, because compilers are generally pretty good + about not generating spurious intra-function jumps. + + We use deferred output chiefly to avoid disrupting + .Lfunc_begin0-style exception handling calculations (a problem on + MacOS X). */ + + if (!skip_next_label) instrument_next = 1; else skip_next_label = 0; + + } + + } else { + + /* Function label (always instrumented, deferred mode). */ + + instrument_next = 1; + + } + + } + + } + + if (ins_lines) + fputs(use_64bit ? main_payload_64 : main_payload_32, outf); + + if (input_file) fclose(inf); + fclose(outf); + + if (!be_quiet) { + + if (!ins_lines) WARNF("No instrumentation targets found%s.", + pass_thru ? " (pass-thru mode)" : ""); + else OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).", + ins_lines, use_64bit ? "64" : "32", + getenv("AFL_HARDEN") ? "hardened" : + (sanitizer ? "ASAN/MSAN" : "non-hardened"), + inst_ratio); + + } + +} + + +/* Main entry point */ + +int main(int argc, char** argv) { + + s32 pid; + u32 rand_seed; + int status; + u8* inst_ratio_str = getenv("AFL_INST_RATIO"); + + struct timeval tv; + struct timezone tz; + + clang_mode = !!getenv(CLANG_ENV_VAR); + + if (isatty(2) && !getenv("AFL_QUIET")) { + + SAYF(cCYA "afl-as " cBRI VERSION cRST " by \n"); + + } else be_quiet = 1; + + if (argc < 2) { + + SAYF("\n" + "This is a helper application for afl-fuzz. It is a wrapper around GNU 'as',\n" + "executed by the toolchain whenever using afl-gcc or afl-clang. You probably\n" + "don't want to run this program directly.\n\n" + + "Rarely, when dealing with extremely complex projects, it may be advisable to\n" + "set AFL_INST_RATIO to a value less than 100 in order to reduce the odds of\n" + "instrumenting every discovered branch.\n\n"); + + exit(1); + + } + + gettimeofday(&tv, &tz); + + rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); + + srandom(rand_seed); + + edit_params(argc, argv); + + if (inst_ratio_str) { + + if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || inst_ratio > 100) + FATAL("Bad value of AFL_INST_RATIO (must be between 0 and 100)"); + + } + + if (getenv(AS_LOOP_ENV_VAR)) + FATAL("Endless loop when calling 'as' (remove '.' from your PATH)"); + + setenv(AS_LOOP_ENV_VAR, "1", 1); + + /* When compiling with ASAN, we don't have a particularly elegant way to skip + ASAN-specific branches. But we can probabilistically compensate for + that... */ + + if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) { + sanitizer = 1; + inst_ratio /= 3; + } + + if (!just_version) add_instrumentation(); + + if (!(pid = fork())) { + + execvp(as_params[0], (char**)as_params); + FATAL("Oops, failed to execute '%s' - check your PATH", as_params[0]); + + } + + if (pid < 0) PFATAL("fork() failed"); + + if (waitpid(pid, &status, 0) <= 0) PFATAL("waitpid() failed"); + + if (!getenv("AFL_KEEP_ASSEMBLY")) unlink(modified_file); + + exit(WEXITSTATUS(status)); + +} + diff --git a/afl-as.h b/afl-as.h index 983046e..276b8a4 100644 --- a/afl-as.h +++ b/afl-as.h @@ -1,727 +1,727 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - injectable parts - ------------------------------------- - - Written and maintained by Michal Zalewski - - Forkserver design by Jann Horn - - This file houses the assembly-level instrumentation injected into fuzzed - programs. The instrumentation stores XORed pairs of data: identifiers of the - currently executing branch and the one that executed immediately before. - - TL;DR: the instrumentation does shm_trace_map[cur_loc ^ prev_loc]++ - - The code is designed for 32-bit and 64-bit x86 systems. Both modes should - work everywhere except for Apple systems. Apple does relocations differently - from everybody else, so since their OSes have been 64-bit for a longer while, - I didn't go through the mental effort of porting the 32-bit code. - - In principle, similar code should be easy to inject into any well-behaved - binary-only code (e.g., using DynamoRIO). Conditional jumps offer natural - targets for instrumentation, and should offer comparable probe density. - -*/ - -#ifndef _HAVE_AFL_AS_H -#define _HAVE_AFL_AS_H - -#include "config.h" -#include "types.h" - -/* - ------------------ - Performances notes - ------------------ - - Contributions to make this code faster are appreciated! Here are some - rough notes that may help with the task: - - - Only the trampoline_fmt and the non-setup __afl_maybe_log code paths are - really worth optimizing; the setup / fork server stuff matters a lot less - and should be mostly just kept readable. - - - We're aiming for modern CPUs with out-of-order execution and large - pipelines; the code is mostly follows intuitive, human-readable - instruction ordering, because "textbook" manual reorderings make no - substantial difference. - - - Interestingly, instrumented execution isn't a lot faster if we store a - variable pointer to the setup, log, or return routine and then do a reg - call from within trampoline_fmt. It does speed up non-instrumented - execution quite a bit, though, since that path just becomes - push-call-ret-pop. - - - There is also not a whole lot to be gained by doing SHM attach at a - fixed address instead of retrieving __afl_area_ptr. Although it allows us - to have a shorter log routine inserted for conditional jumps and jump - labels (for a ~10% perf gain), there is a risk of bumping into other - allocations created by the program or by tools such as ASAN. - - - popf is *awfully* slow, which is why we're doing the lahf / sahf + - overflow test trick. Unfortunately, this forces us to taint eax / rax, but - this dependency on a commonly-used register still beats the alternative of - using pushf / popf. - - One possible optimization is to avoid touching flags by using a circular - buffer that stores just a sequence of current locations, with the XOR stuff - happening offline. Alas, this doesn't seem to have a huge impact: - - https://groups.google.com/d/msg/afl-users/MsajVf4fRLo/2u6t88ntUBIJ - - - Preforking one child a bit sooner, and then waiting for the "go" command - from within the child, doesn't offer major performance gains; fork() seems - to be relatively inexpensive these days. Preforking multiple children does - help, but badly breaks the "~1 core per fuzzer" design, making it harder to - scale up. Maybe there is some middle ground. - - Perhaps of note: in the 64-bit version for all platforms except for Apple, - the instrumentation is done slightly differently than on 32-bit, with - __afl_prev_loc and __afl_area_ptr being local to the object file (.lcomm), - rather than global (.comm). This is to avoid GOTRELPC lookups in the critical - code path, which AFAICT, are otherwise unavoidable if we want gcc -shared to - work; simple relocations between .bss and .text won't work on most 64-bit - platforms in such a case. - - (Fun fact: on Apple systems, .lcomm can segfault the linker.) - - The side effect is that state transitions are measured in a somewhat - different way, with previous tuple being recorded separately within the scope - of every .c file. This should have no impact in any practical sense. - - Another side effect of this design is that getenv() will be called once per - every .o file when running in non-instrumented mode; and since getenv() tends - to be optimized in funny ways, we need to be very careful to save every - oddball register it may touch. - - */ - -static const u8* trampoline_fmt_32 = - - "\n" - "/* --- AFL TRAMPOLINE (32-BIT) --- */\n" - "\n" - ".align 4\n" - "\n" - "leal -16(%%esp), %%esp\n" - "movl %%edi, 0(%%esp)\n" - "movl %%edx, 4(%%esp)\n" - "movl %%ecx, 8(%%esp)\n" - "movl %%eax, 12(%%esp)\n" - "movl $0x%08x, %%ecx\n" - "call __afl_maybe_log\n" - "movl 12(%%esp), %%eax\n" - "movl 8(%%esp), %%ecx\n" - "movl 4(%%esp), %%edx\n" - "movl 0(%%esp), %%edi\n" - "leal 16(%%esp), %%esp\n" - "\n" - "/* --- END --- */\n" - "\n"; - -static const u8* trampoline_fmt_64 = - - "\n" - "/* --- AFL TRAMPOLINE (64-BIT) --- */\n" - "\n" - ".align 4\n" - "\n" - "leaq -(128+24)(%%rsp), %%rsp\n" - "movq %%rdx, 0(%%rsp)\n" - "movq %%rcx, 8(%%rsp)\n" - "movq %%rax, 16(%%rsp)\n" - "movq $0x%08x, %%rcx\n" - "call __afl_maybe_log\n" - "movq 16(%%rsp), %%rax\n" - "movq 8(%%rsp), %%rcx\n" - "movq 0(%%rsp), %%rdx\n" - "leaq (128+24)(%%rsp), %%rsp\n" - "\n" - "/* --- END --- */\n" - "\n"; - -static const u8* main_payload_32 = - - "\n" - "/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n" - "\n" - ".text\n" - ".att_syntax\n" - ".code32\n" - ".align 8\n" - "\n" - - "__afl_maybe_log:\n" - "\n" - " lahf\n" - " seto %al\n" - "\n" - " /* Check if SHM region is already mapped. */\n" - "\n" - " movl __afl_area_ptr, %edx\n" - " testl %edx, %edx\n" - " je __afl_setup\n" - "\n" - "__afl_store:\n" - "\n" - " /* Calculate and store hit for the code location specified in ecx. There\n" - " is a double-XOR way of doing this without tainting another register,\n" - " and we use it on 64-bit systems; but it's slower for 32-bit ones. */\n" - "\n" -#ifndef COVERAGE_ONLY - " movl __afl_prev_loc, %edi\n" - " xorl %ecx, %edi\n" - " shrl $1, %ecx\n" - " movl %ecx, __afl_prev_loc\n" -#else - " movl %ecx, %edi\n" -#endif /* ^!COVERAGE_ONLY */ - "\n" -#ifdef SKIP_COUNTS - " orb $1, (%edx, %edi, 1)\n" -#else - " incb (%edx, %edi, 1)\n" -#endif /* ^SKIP_COUNTS */ - "\n" - "__afl_return:\n" - "\n" - " addb $127, %al\n" - " sahf\n" - " ret\n" - "\n" - ".align 8\n" - "\n" - "__afl_setup:\n" - "\n" - " /* Do not retry setup if we had previous failures. */\n" - "\n" - " cmpb $0, __afl_setup_failure\n" - " jne __afl_return\n" - "\n" - " /* Map SHM, jumping to __afl_setup_abort if something goes wrong.\n" - " We do not save FPU/MMX/SSE registers here, but hopefully, nobody\n" - " will notice this early in the game. */\n" - "\n" - " pushl %eax\n" - " pushl %ecx\n" - "\n" - " pushl $.AFL_SHM_ENV\n" - " call getenv\n" - " addl $4, %esp\n" - "\n" - " testl %eax, %eax\n" - " je __afl_setup_abort\n" - "\n" - " pushl %eax\n" - " call atoi\n" - " addl $4, %esp\n" - "\n" - " pushl $0 /* shmat flags */\n" - " pushl $0 /* requested addr */\n" - " pushl %eax /* SHM ID */\n" - " call shmat\n" - " addl $12, %esp\n" - "\n" - " cmpl $-1, %eax\n" - " je __afl_setup_abort\n" - "\n" - " /* Store the address of the SHM region. */\n" - "\n" - " movl %eax, __afl_area_ptr\n" - " movl %eax, %edx\n" - "\n" - " popl %ecx\n" - " popl %eax\n" - "\n" - "__afl_forkserver:\n" - "\n" - " /* Enter the fork server mode to avoid the overhead of execve() calls. */\n" - "\n" - " pushl %eax\n" - " pushl %ecx\n" - " pushl %edx\n" - "\n" - " /* Phone home and tell the parent that we're OK. (Note that signals with\n" - " no SA_RESTART will mess it up). If this fails, assume that the fd is\n" - " closed because we were execve()d from an instrumented binary, or because\n" - " the parent doesn't want to use the fork server. */\n" - "\n" - " pushl $4 /* length */\n" - " pushl $__afl_temp /* data */\n" - " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n" - " call write\n" - " addl $12, %esp\n" - "\n" - " cmpl $4, %eax\n" - " jne __afl_fork_resume\n" - "\n" - "__afl_fork_wait_loop:\n" - "\n" - " /* Wait for parent by reading from the pipe. Abort if read fails. */\n" - "\n" - " pushl $4 /* length */\n" - " pushl $__afl_temp /* data */\n" - " pushl $" STRINGIFY(FORKSRV_FD) " /* file desc */\n" - " call read\n" - " addl $12, %esp\n" - "\n" - " cmpl $4, %eax\n" - " jne __afl_die\n" - "\n" - " /* Once woken up, create a clone of our process. This is an excellent use\n" - " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n" - " caches getpid() results and offers no way to update the value, breaking\n" - " abort(), raise(), and a bunch of other things :-( */\n" - "\n" - " call fork\n" - "\n" - " cmpl $0, %eax\n" - " jl __afl_die\n" - " je __afl_fork_resume\n" - "\n" - " /* In parent process: write PID to pipe, then wait for child. */\n" - "\n" - " movl %eax, __afl_fork_pid\n" - "\n" - " pushl $4 /* length */\n" - " pushl $__afl_fork_pid /* data */\n" - " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n" - " call write\n" - " addl $12, %esp\n" - "\n" - " pushl $0 /* no flags */\n" - " pushl $__afl_temp /* status */\n" - " pushl __afl_fork_pid /* PID */\n" - " call waitpid\n" - " addl $12, %esp\n" - "\n" - " cmpl $0, %eax\n" - " jle __afl_die\n" - "\n" - " /* Relay wait status to pipe, then loop back. */\n" - "\n" - " pushl $4 /* length */\n" - " pushl $__afl_temp /* data */\n" - " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n" - " call write\n" - " addl $12, %esp\n" - "\n" - " jmp __afl_fork_wait_loop\n" - "\n" - "__afl_fork_resume:\n" - "\n" - " /* In child process: close fds, resume execution. */\n" - "\n" - " pushl $" STRINGIFY(FORKSRV_FD) "\n" - " call close\n" - "\n" - " pushl $" STRINGIFY((FORKSRV_FD + 1)) "\n" - " call close\n" - "\n" - " addl $8, %esp\n" - "\n" - " popl %edx\n" - " popl %ecx\n" - " popl %eax\n" - " jmp __afl_store\n" - "\n" - "__afl_die:\n" - "\n" - " xorl %eax, %eax\n" - " call _exit\n" - "\n" - "__afl_setup_abort:\n" - "\n" - " /* Record setup failure so that we don't keep calling\n" - " shmget() / shmat() over and over again. */\n" - "\n" - " incb __afl_setup_failure\n" - " popl %ecx\n" - " popl %eax\n" - " jmp __afl_return\n" - "\n" - ".AFL_VARS:\n" - "\n" - " .comm __afl_area_ptr, 4, 32\n" - " .comm __afl_setup_failure, 1, 32\n" -#ifndef COVERAGE_ONLY - " .comm __afl_prev_loc, 4, 32\n" -#endif /* !COVERAGE_ONLY */ - " .comm __afl_fork_pid, 4, 32\n" - " .comm __afl_temp, 4, 32\n" - "\n" - ".AFL_SHM_ENV:\n" - " .asciz \"" SHM_ENV_VAR "\"\n" - "\n" - "/* --- END --- */\n" - "\n"; - -/* The OpenBSD hack is due to lahf and sahf not being recognized by some - versions of binutils: http://marc.info/?l=openbsd-cvs&m=141636589924400 - - The Apple code is a bit different when calling libc functions because - they are doing relocations differently from everybody else. We also need - to work around the crash issue with .lcomm and the fact that they don't - recognize .string. */ - -#ifdef __APPLE__ -# define CALL_L64(str) "call _" str "\n" -#else -# define CALL_L64(str) "call " str "@PLT\n" -#endif /* ^__APPLE__ */ - -static const u8* main_payload_64 = - - "\n" - "/* --- AFL MAIN PAYLOAD (64-BIT) --- */\n" - "\n" - ".text\n" - ".att_syntax\n" - ".code64\n" - ".align 8\n" - "\n" - "__afl_maybe_log:\n" - "\n" -#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9)) - " .byte 0x9f /* lahf */\n" -#else - " lahf\n" -#endif /* ^__OpenBSD__, etc */ - " seto %al\n" - "\n" - " /* Check if SHM region is already mapped. */\n" - "\n" - " movq __afl_area_ptr(%rip), %rdx\n" - " testq %rdx, %rdx\n" - " je __afl_setup\n" - "\n" - "__afl_store:\n" - "\n" - " /* Calculate and store hit for the code location specified in rcx. */\n" - "\n" -#ifndef COVERAGE_ONLY - " xorq __afl_prev_loc(%rip), %rcx\n" - " xorq %rcx, __afl_prev_loc(%rip)\n" - " shrq $1, __afl_prev_loc(%rip)\n" -#endif /* ^!COVERAGE_ONLY */ - "\n" -#ifdef SKIP_COUNTS - " orb $1, (%rdx, %rcx, 1)\n" -#else - " incb (%rdx, %rcx, 1)\n" -#endif /* ^SKIP_COUNTS */ - "\n" - "__afl_return:\n" - "\n" - " addb $127, %al\n" -#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9)) - " .byte 0x9e /* sahf */\n" -#else - " sahf\n" -#endif /* ^__OpenBSD__, etc */ - " ret\n" - "\n" - ".align 8\n" - "\n" - "__afl_setup:\n" - "\n" - " /* Do not retry setup if we had previous failures. */\n" - "\n" - " cmpb $0, __afl_setup_failure(%rip)\n" - " jne __afl_return\n" - "\n" - " /* Check out if we have a global pointer on file. */\n" - "\n" -#ifndef __APPLE__ - " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n" - " movq (%rdx), %rdx\n" -#else - " movq __afl_global_area_ptr(%rip), %rdx\n" -#endif /* !^__APPLE__ */ - " testq %rdx, %rdx\n" - " je __afl_setup_first\n" - "\n" - " movq %rdx, __afl_area_ptr(%rip)\n" - " jmp __afl_store\n" - "\n" - "__afl_setup_first:\n" - "\n" - " /* Save everything that is not yet saved and that may be touched by\n" - " getenv() and several other libcalls we'll be relying on. */\n" - "\n" - " leaq -352(%rsp), %rsp\n" - "\n" - " movq %rax, 0(%rsp)\n" - " movq %rcx, 8(%rsp)\n" - " movq %rdi, 16(%rsp)\n" - " movq %rsi, 32(%rsp)\n" - " movq %r8, 40(%rsp)\n" - " movq %r9, 48(%rsp)\n" - " movq %r10, 56(%rsp)\n" - " movq %r11, 64(%rsp)\n" - "\n" - " movq %xmm0, 96(%rsp)\n" - " movq %xmm1, 112(%rsp)\n" - " movq %xmm2, 128(%rsp)\n" - " movq %xmm3, 144(%rsp)\n" - " movq %xmm4, 160(%rsp)\n" - " movq %xmm5, 176(%rsp)\n" - " movq %xmm6, 192(%rsp)\n" - " movq %xmm7, 208(%rsp)\n" - " movq %xmm8, 224(%rsp)\n" - " movq %xmm9, 240(%rsp)\n" - " movq %xmm10, 256(%rsp)\n" - " movq %xmm11, 272(%rsp)\n" - " movq %xmm12, 288(%rsp)\n" - " movq %xmm13, 304(%rsp)\n" - " movq %xmm14, 320(%rsp)\n" - " movq %xmm15, 336(%rsp)\n" - "\n" - " /* Map SHM, jumping to __afl_setup_abort if something goes wrong. */\n" - "\n" - " /* The 64-bit ABI requires 16-byte stack alignment. We'll keep the\n" - " original stack ptr in the callee-saved r12. */\n" - "\n" - " pushq %r12\n" - " movq %rsp, %r12\n" - " subq $16, %rsp\n" - " andq $0xfffffffffffffff0, %rsp\n" - "\n" - " leaq .AFL_SHM_ENV(%rip), %rdi\n" - CALL_L64("getenv") - "\n" - " testq %rax, %rax\n" - " je __afl_setup_abort\n" - "\n" - " movq %rax, %rdi\n" - CALL_L64("atoi") - "\n" - " xorq %rdx, %rdx /* shmat flags */\n" - " xorq %rsi, %rsi /* requested addr */\n" - " movq %rax, %rdi /* SHM ID */\n" - CALL_L64("shmat") - "\n" - " cmpq $-1, %rax\n" - " je __afl_setup_abort\n" - "\n" - " /* Store the address of the SHM region. */\n" - "\n" - " movq %rax, %rdx\n" - " movq %rax, __afl_area_ptr(%rip)\n" - "\n" -#ifdef __APPLE__ - " movq %rax, __afl_global_area_ptr(%rip)\n" -#else - " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n" - " movq %rax, (%rdx)\n" -#endif /* ^__APPLE__ */ - " movq %rax, %rdx\n" - "\n" - "__afl_forkserver:\n" - "\n" - " /* Enter the fork server mode to avoid the overhead of execve() calls. We\n" - " push rdx (area ptr) twice to keep stack alignment neat. */\n" - "\n" - " pushq %rdx\n" - " pushq %rdx\n" - "\n" - " /* Phone home and tell the parent that we're OK. (Note that signals with\n" - " no SA_RESTART will mess it up). If this fails, assume that the fd is\n" - " closed because we were execve()d from an instrumented binary, or because\n" - " the parent doesn't want to use the fork server. */\n" - "\n" - " movq $4, %rdx /* length */\n" - " leaq __afl_temp(%rip), %rsi /* data */\n" - " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" - CALL_L64("write") - "\n" - " cmpq $4, %rax\n" - " jne __afl_fork_resume\n" - "\n" - "__afl_fork_wait_loop:\n" - "\n" - " /* Wait for parent by reading from the pipe. Abort if read fails. */\n" - "\n" - " movq $4, %rdx /* length */\n" - " leaq __afl_temp(%rip), %rsi /* data */\n" - " movq $" STRINGIFY(FORKSRV_FD) ", %rdi /* file desc */\n" - CALL_L64("read") - " cmpq $4, %rax\n" - " jne __afl_die\n" - "\n" - " /* Once woken up, create a clone of our process. This is an excellent use\n" - " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n" - " caches getpid() results and offers no way to update the value, breaking\n" - " abort(), raise(), and a bunch of other things :-( */\n" - "\n" - CALL_L64("fork") - " cmpq $0, %rax\n" - " jl __afl_die\n" - " je __afl_fork_resume\n" - "\n" - " /* In parent process: write PID to pipe, then wait for child. */\n" - "\n" - " movl %eax, __afl_fork_pid(%rip)\n" - "\n" - " movq $4, %rdx /* length */\n" - " leaq __afl_fork_pid(%rip), %rsi /* data */\n" - " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" - CALL_L64("write") - "\n" - " movq $0, %rdx /* no flags */\n" - " leaq __afl_temp(%rip), %rsi /* status */\n" - " movq __afl_fork_pid(%rip), %rdi /* PID */\n" - CALL_L64("waitpid") - " cmpq $0, %rax\n" - " jle __afl_die\n" - "\n" - " /* Relay wait status to pipe, then loop back. */\n" - "\n" - " movq $4, %rdx /* length */\n" - " leaq __afl_temp(%rip), %rsi /* data */\n" - " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" - CALL_L64("write") - "\n" - " jmp __afl_fork_wait_loop\n" - "\n" - "__afl_fork_resume:\n" - "\n" - " /* In child process: close fds, resume execution. */\n" - "\n" - " movq $" STRINGIFY(FORKSRV_FD) ", %rdi\n" - CALL_L64("close") - "\n" - " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi\n" - CALL_L64("close") - "\n" - " popq %rdx\n" - " popq %rdx\n" - "\n" - " movq %r12, %rsp\n" - " popq %r12\n" - "\n" - " movq 0(%rsp), %rax\n" - " movq 8(%rsp), %rcx\n" - " movq 16(%rsp), %rdi\n" - " movq 32(%rsp), %rsi\n" - " movq 40(%rsp), %r8\n" - " movq 48(%rsp), %r9\n" - " movq 56(%rsp), %r10\n" - " movq 64(%rsp), %r11\n" - "\n" - " movq 96(%rsp), %xmm0\n" - " movq 112(%rsp), %xmm1\n" - " movq 128(%rsp), %xmm2\n" - " movq 144(%rsp), %xmm3\n" - " movq 160(%rsp), %xmm4\n" - " movq 176(%rsp), %xmm5\n" - " movq 192(%rsp), %xmm6\n" - " movq 208(%rsp), %xmm7\n" - " movq 224(%rsp), %xmm8\n" - " movq 240(%rsp), %xmm9\n" - " movq 256(%rsp), %xmm10\n" - " movq 272(%rsp), %xmm11\n" - " movq 288(%rsp), %xmm12\n" - " movq 304(%rsp), %xmm13\n" - " movq 320(%rsp), %xmm14\n" - " movq 336(%rsp), %xmm15\n" - "\n" - " leaq 352(%rsp), %rsp\n" - "\n" - " jmp __afl_store\n" - "\n" - "__afl_die:\n" - "\n" - " xorq %rax, %rax\n" - CALL_L64("_exit") - "\n" - "__afl_setup_abort:\n" - "\n" - " /* Record setup failure so that we don't keep calling\n" - " shmget() / shmat() over and over again. */\n" - "\n" - " incb __afl_setup_failure(%rip)\n" - "\n" - " movq %r12, %rsp\n" - " popq %r12\n" - "\n" - " movq 0(%rsp), %rax\n" - " movq 8(%rsp), %rcx\n" - " movq 16(%rsp), %rdi\n" - " movq 32(%rsp), %rsi\n" - " movq 40(%rsp), %r8\n" - " movq 48(%rsp), %r9\n" - " movq 56(%rsp), %r10\n" - " movq 64(%rsp), %r11\n" - "\n" - " movq 96(%rsp), %xmm0\n" - " movq 112(%rsp), %xmm1\n" - " movq 128(%rsp), %xmm2\n" - " movq 144(%rsp), %xmm3\n" - " movq 160(%rsp), %xmm4\n" - " movq 176(%rsp), %xmm5\n" - " movq 192(%rsp), %xmm6\n" - " movq 208(%rsp), %xmm7\n" - " movq 224(%rsp), %xmm8\n" - " movq 240(%rsp), %xmm9\n" - " movq 256(%rsp), %xmm10\n" - " movq 272(%rsp), %xmm11\n" - " movq 288(%rsp), %xmm12\n" - " movq 304(%rsp), %xmm13\n" - " movq 320(%rsp), %xmm14\n" - " movq 336(%rsp), %xmm15\n" - "\n" - " leaq 352(%rsp), %rsp\n" - "\n" - " jmp __afl_return\n" - "\n" - ".AFL_VARS:\n" - "\n" - -#ifdef __APPLE__ - - " .comm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY - " .comm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ - " .comm __afl_fork_pid, 4\n" - " .comm __afl_temp, 4\n" - " .comm __afl_setup_failure, 1\n" - -#else - - " .lcomm __afl_area_ptr, 8\n" -#ifndef COVERAGE_ONLY - " .lcomm __afl_prev_loc, 8\n" -#endif /* !COVERAGE_ONLY */ - " .lcomm __afl_fork_pid, 4\n" - " .lcomm __afl_temp, 4\n" - " .lcomm __afl_setup_failure, 1\n" - -#endif /* ^__APPLE__ */ - - " .comm __afl_global_area_ptr, 8, 8\n" - "\n" - ".AFL_SHM_ENV:\n" - " .asciz \"" SHM_ENV_VAR "\"\n" - "\n" - "/* --- END --- */\n" - "\n"; - -#endif /* !_HAVE_AFL_AS_H */ +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - injectable parts + ------------------------------------- + + Written and maintained by Michal Zalewski + + Forkserver design by Jann Horn + + This file houses the assembly-level instrumentation injected into fuzzed + programs. The instrumentation stores XORed pairs of data: identifiers of the + currently executing branch and the one that executed immediately before. + + TL;DR: the instrumentation does shm_trace_map[cur_loc ^ prev_loc]++ + + The code is designed for 32-bit and 64-bit x86 systems. Both modes should + work everywhere except for Apple systems. Apple does relocations differently + from everybody else, so since their OSes have been 64-bit for a longer while, + I didn't go through the mental effort of porting the 32-bit code. + + In principle, similar code should be easy to inject into any well-behaved + binary-only code (e.g., using DynamoRIO). Conditional jumps offer natural + targets for instrumentation, and should offer comparable probe density. + +*/ + +#ifndef _HAVE_AFL_AS_H +#define _HAVE_AFL_AS_H + +#include "config.h" +#include "types.h" + +/* + ------------------ + Performances notes + ------------------ + + Contributions to make this code faster are appreciated! Here are some + rough notes that may help with the task: + + - Only the trampoline_fmt and the non-setup __afl_maybe_log code paths are + really worth optimizing; the setup / fork server stuff matters a lot less + and should be mostly just kept readable. + + - We're aiming for modern CPUs with out-of-order execution and large + pipelines; the code is mostly follows intuitive, human-readable + instruction ordering, because "textbook" manual reorderings make no + substantial difference. + + - Interestingly, instrumented execution isn't a lot faster if we store a + variable pointer to the setup, log, or return routine and then do a reg + call from within trampoline_fmt. It does speed up non-instrumented + execution quite a bit, though, since that path just becomes + push-call-ret-pop. + + - There is also not a whole lot to be gained by doing SHM attach at a + fixed address instead of retrieving __afl_area_ptr. Although it allows us + to have a shorter log routine inserted for conditional jumps and jump + labels (for a ~10% perf gain), there is a risk of bumping into other + allocations created by the program or by tools such as ASAN. + + - popf is *awfully* slow, which is why we're doing the lahf / sahf + + overflow test trick. Unfortunately, this forces us to taint eax / rax, but + this dependency on a commonly-used register still beats the alternative of + using pushf / popf. + + One possible optimization is to avoid touching flags by using a circular + buffer that stores just a sequence of current locations, with the XOR stuff + happening offline. Alas, this doesn't seem to have a huge impact: + + https://groups.google.com/d/msg/afl-users/MsajVf4fRLo/2u6t88ntUBIJ + + - Preforking one child a bit sooner, and then waiting for the "go" command + from within the child, doesn't offer major performance gains; fork() seems + to be relatively inexpensive these days. Preforking multiple children does + help, but badly breaks the "~1 core per fuzzer" design, making it harder to + scale up. Maybe there is some middle ground. + + Perhaps of note: in the 64-bit version for all platforms except for Apple, + the instrumentation is done slightly differently than on 32-bit, with + __afl_prev_loc and __afl_area_ptr being local to the object file (.lcomm), + rather than global (.comm). This is to avoid GOTRELPC lookups in the critical + code path, which AFAICT, are otherwise unavoidable if we want gcc -shared to + work; simple relocations between .bss and .text won't work on most 64-bit + platforms in such a case. + + (Fun fact: on Apple systems, .lcomm can segfault the linker.) + + The side effect is that state transitions are measured in a somewhat + different way, with previous tuple being recorded separately within the scope + of every .c file. This should have no impact in any practical sense. + + Another side effect of this design is that getenv() will be called once per + every .o file when running in non-instrumented mode; and since getenv() tends + to be optimized in funny ways, we need to be very careful to save every + oddball register it may touch. + + */ + +static const u8* trampoline_fmt_32 = + + "\n" + "/* --- AFL TRAMPOLINE (32-BIT) --- */\n" + "\n" + ".align 4\n" + "\n" + "leal -16(%%esp), %%esp\n" + "movl %%edi, 0(%%esp)\n" + "movl %%edx, 4(%%esp)\n" + "movl %%ecx, 8(%%esp)\n" + "movl %%eax, 12(%%esp)\n" + "movl $0x%08x, %%ecx\n" + "call __afl_maybe_log\n" + "movl 12(%%esp), %%eax\n" + "movl 8(%%esp), %%ecx\n" + "movl 4(%%esp), %%edx\n" + "movl 0(%%esp), %%edi\n" + "leal 16(%%esp), %%esp\n" + "\n" + "/* --- END --- */\n" + "\n"; + +static const u8* trampoline_fmt_64 = + + "\n" + "/* --- AFL TRAMPOLINE (64-BIT) --- */\n" + "\n" + ".align 4\n" + "\n" + "leaq -(128+24)(%%rsp), %%rsp\n" + "movq %%rdx, 0(%%rsp)\n" + "movq %%rcx, 8(%%rsp)\n" + "movq %%rax, 16(%%rsp)\n" + "movq $0x%08x, %%rcx\n" + "call __afl_maybe_log\n" + "movq 16(%%rsp), %%rax\n" + "movq 8(%%rsp), %%rcx\n" + "movq 0(%%rsp), %%rdx\n" + "leaq (128+24)(%%rsp), %%rsp\n" + "\n" + "/* --- END --- */\n" + "\n"; + +static const u8* main_payload_32 = + + "\n" + "/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n" + "\n" + ".text\n" + ".att_syntax\n" + ".code32\n" + ".align 8\n" + "\n" + + "__afl_maybe_log:\n" + "\n" + " lahf\n" + " seto %al\n" + "\n" + " /* Check if SHM region is already mapped. */\n" + "\n" + " movl __afl_area_ptr, %edx\n" + " testl %edx, %edx\n" + " je __afl_setup\n" + "\n" + "__afl_store:\n" + "\n" + " /* Calculate and store hit for the code location specified in ecx. There\n" + " is a double-XOR way of doing this without tainting another register,\n" + " and we use it on 64-bit systems; but it's slower for 32-bit ones. */\n" + "\n" +#ifndef COVERAGE_ONLY + " movl __afl_prev_loc, %edi\n" + " xorl %ecx, %edi\n" + " shrl $1, %ecx\n" + " movl %ecx, __afl_prev_loc\n" +#else + " movl %ecx, %edi\n" +#endif /* ^!COVERAGE_ONLY */ + "\n" +#ifdef SKIP_COUNTS + " orb $1, (%edx, %edi, 1)\n" +#else + " incb (%edx, %edi, 1)\n" +#endif /* ^SKIP_COUNTS */ + "\n" + "__afl_return:\n" + "\n" + " addb $127, %al\n" + " sahf\n" + " ret\n" + "\n" + ".align 8\n" + "\n" + "__afl_setup:\n" + "\n" + " /* Do not retry setup if we had previous failures. */\n" + "\n" + " cmpb $0, __afl_setup_failure\n" + " jne __afl_return\n" + "\n" + " /* Map SHM, jumping to __afl_setup_abort if something goes wrong.\n" + " We do not save FPU/MMX/SSE registers here, but hopefully, nobody\n" + " will notice this early in the game. */\n" + "\n" + " pushl %eax\n" + " pushl %ecx\n" + "\n" + " pushl $.AFL_SHM_ENV\n" + " call getenv\n" + " addl $4, %esp\n" + "\n" + " testl %eax, %eax\n" + " je __afl_setup_abort\n" + "\n" + " pushl %eax\n" + " call atoi\n" + " addl $4, %esp\n" + "\n" + " pushl $0 /* shmat flags */\n" + " pushl $0 /* requested addr */\n" + " pushl %eax /* SHM ID */\n" + " call shmat\n" + " addl $12, %esp\n" + "\n" + " cmpl $-1, %eax\n" + " je __afl_setup_abort\n" + "\n" + " /* Store the address of the SHM region. */\n" + "\n" + " movl %eax, __afl_area_ptr\n" + " movl %eax, %edx\n" + "\n" + " popl %ecx\n" + " popl %eax\n" + "\n" + "__afl_forkserver:\n" + "\n" + " /* Enter the fork server mode to avoid the overhead of execve() calls. */\n" + "\n" + " pushl %eax\n" + " pushl %ecx\n" + " pushl %edx\n" + "\n" + " /* Phone home and tell the parent that we're OK. (Note that signals with\n" + " no SA_RESTART will mess it up). If this fails, assume that the fd is\n" + " closed because we were execve()d from an instrumented binary, or because\n" + " the parent doesn't want to use the fork server. */\n" + "\n" + " pushl $4 /* length */\n" + " pushl $__afl_temp /* data */\n" + " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n" + " call write\n" + " addl $12, %esp\n" + "\n" + " cmpl $4, %eax\n" + " jne __afl_fork_resume\n" + "\n" + "__afl_fork_wait_loop:\n" + "\n" + " /* Wait for parent by reading from the pipe. Abort if read fails. */\n" + "\n" + " pushl $4 /* length */\n" + " pushl $__afl_temp /* data */\n" + " pushl $" STRINGIFY(FORKSRV_FD) " /* file desc */\n" + " call read\n" + " addl $12, %esp\n" + "\n" + " cmpl $4, %eax\n" + " jne __afl_die\n" + "\n" + " /* Once woken up, create a clone of our process. This is an excellent use\n" + " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n" + " caches getpid() results and offers no way to update the value, breaking\n" + " abort(), raise(), and a bunch of other things :-( */\n" + "\n" + " call fork\n" + "\n" + " cmpl $0, %eax\n" + " jl __afl_die\n" + " je __afl_fork_resume\n" + "\n" + " /* In parent process: write PID to pipe, then wait for child. */\n" + "\n" + " movl %eax, __afl_fork_pid\n" + "\n" + " pushl $4 /* length */\n" + " pushl $__afl_fork_pid /* data */\n" + " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n" + " call write\n" + " addl $12, %esp\n" + "\n" + " pushl $0 /* no flags */\n" + " pushl $__afl_temp /* status */\n" + " pushl __afl_fork_pid /* PID */\n" + " call waitpid\n" + " addl $12, %esp\n" + "\n" + " cmpl $0, %eax\n" + " jle __afl_die\n" + "\n" + " /* Relay wait status to pipe, then loop back. */\n" + "\n" + " pushl $4 /* length */\n" + " pushl $__afl_temp /* data */\n" + " pushl $" STRINGIFY((FORKSRV_FD + 1)) " /* file desc */\n" + " call write\n" + " addl $12, %esp\n" + "\n" + " jmp __afl_fork_wait_loop\n" + "\n" + "__afl_fork_resume:\n" + "\n" + " /* In child process: close fds, resume execution. */\n" + "\n" + " pushl $" STRINGIFY(FORKSRV_FD) "\n" + " call close\n" + "\n" + " pushl $" STRINGIFY((FORKSRV_FD + 1)) "\n" + " call close\n" + "\n" + " addl $8, %esp\n" + "\n" + " popl %edx\n" + " popl %ecx\n" + " popl %eax\n" + " jmp __afl_store\n" + "\n" + "__afl_die:\n" + "\n" + " xorl %eax, %eax\n" + " call _exit\n" + "\n" + "__afl_setup_abort:\n" + "\n" + " /* Record setup failure so that we don't keep calling\n" + " shmget() / shmat() over and over again. */\n" + "\n" + " incb __afl_setup_failure\n" + " popl %ecx\n" + " popl %eax\n" + " jmp __afl_return\n" + "\n" + ".AFL_VARS:\n" + "\n" + " .comm __afl_area_ptr, 4, 32\n" + " .comm __afl_setup_failure, 1, 32\n" +#ifndef COVERAGE_ONLY + " .comm __afl_prev_loc, 4, 32\n" +#endif /* !COVERAGE_ONLY */ + " .comm __afl_fork_pid, 4, 32\n" + " .comm __afl_temp, 4, 32\n" + "\n" + ".AFL_SHM_ENV:\n" + " .asciz \"" SHM_ENV_VAR "\"\n" + "\n" + "/* --- END --- */\n" + "\n"; + +/* The OpenBSD hack is due to lahf and sahf not being recognized by some + versions of binutils: http://marc.info/?l=openbsd-cvs&m=141636589924400 + + The Apple code is a bit different when calling libc functions because + they are doing relocations differently from everybody else. We also need + to work around the crash issue with .lcomm and the fact that they don't + recognize .string. */ + +#ifdef __APPLE__ +# define CALL_L64(str) "call _" str "\n" +#else +# define CALL_L64(str) "call " str "@PLT\n" +#endif /* ^__APPLE__ */ + +static const u8* main_payload_64 = + + "\n" + "/* --- AFL MAIN PAYLOAD (64-BIT) --- */\n" + "\n" + ".text\n" + ".att_syntax\n" + ".code64\n" + ".align 8\n" + "\n" + "__afl_maybe_log:\n" + "\n" +#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9)) + " .byte 0x9f /* lahf */\n" +#else + " lahf\n" +#endif /* ^__OpenBSD__, etc */ + " seto %al\n" + "\n" + " /* Check if SHM region is already mapped. */\n" + "\n" + " movq __afl_area_ptr(%rip), %rdx\n" + " testq %rdx, %rdx\n" + " je __afl_setup\n" + "\n" + "__afl_store:\n" + "\n" + " /* Calculate and store hit for the code location specified in rcx. */\n" + "\n" +#ifndef COVERAGE_ONLY + " xorq __afl_prev_loc(%rip), %rcx\n" + " xorq %rcx, __afl_prev_loc(%rip)\n" + " shrq $1, __afl_prev_loc(%rip)\n" +#endif /* ^!COVERAGE_ONLY */ + "\n" +#ifdef SKIP_COUNTS + " orb $1, (%rdx, %rcx, 1)\n" +#else + " incb (%rdx, %rcx, 1)\n" +#endif /* ^SKIP_COUNTS */ + "\n" + "__afl_return:\n" + "\n" + " addb $127, %al\n" +#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9)) + " .byte 0x9e /* sahf */\n" +#else + " sahf\n" +#endif /* ^__OpenBSD__, etc */ + " ret\n" + "\n" + ".align 8\n" + "\n" + "__afl_setup:\n" + "\n" + " /* Do not retry setup if we had previous failures. */\n" + "\n" + " cmpb $0, __afl_setup_failure(%rip)\n" + " jne __afl_return\n" + "\n" + " /* Check out if we have a global pointer on file. */\n" + "\n" +#ifndef __APPLE__ + " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n" + " movq (%rdx), %rdx\n" +#else + " movq __afl_global_area_ptr(%rip), %rdx\n" +#endif /* !^__APPLE__ */ + " testq %rdx, %rdx\n" + " je __afl_setup_first\n" + "\n" + " movq %rdx, __afl_area_ptr(%rip)\n" + " jmp __afl_store\n" + "\n" + "__afl_setup_first:\n" + "\n" + " /* Save everything that is not yet saved and that may be touched by\n" + " getenv() and several other libcalls we'll be relying on. */\n" + "\n" + " leaq -352(%rsp), %rsp\n" + "\n" + " movq %rax, 0(%rsp)\n" + " movq %rcx, 8(%rsp)\n" + " movq %rdi, 16(%rsp)\n" + " movq %rsi, 32(%rsp)\n" + " movq %r8, 40(%rsp)\n" + " movq %r9, 48(%rsp)\n" + " movq %r10, 56(%rsp)\n" + " movq %r11, 64(%rsp)\n" + "\n" + " movq %xmm0, 96(%rsp)\n" + " movq %xmm1, 112(%rsp)\n" + " movq %xmm2, 128(%rsp)\n" + " movq %xmm3, 144(%rsp)\n" + " movq %xmm4, 160(%rsp)\n" + " movq %xmm5, 176(%rsp)\n" + " movq %xmm6, 192(%rsp)\n" + " movq %xmm7, 208(%rsp)\n" + " movq %xmm8, 224(%rsp)\n" + " movq %xmm9, 240(%rsp)\n" + " movq %xmm10, 256(%rsp)\n" + " movq %xmm11, 272(%rsp)\n" + " movq %xmm12, 288(%rsp)\n" + " movq %xmm13, 304(%rsp)\n" + " movq %xmm14, 320(%rsp)\n" + " movq %xmm15, 336(%rsp)\n" + "\n" + " /* Map SHM, jumping to __afl_setup_abort if something goes wrong. */\n" + "\n" + " /* The 64-bit ABI requires 16-byte stack alignment. We'll keep the\n" + " original stack ptr in the callee-saved r12. */\n" + "\n" + " pushq %r12\n" + " movq %rsp, %r12\n" + " subq $16, %rsp\n" + " andq $0xfffffffffffffff0, %rsp\n" + "\n" + " leaq .AFL_SHM_ENV(%rip), %rdi\n" + CALL_L64("getenv") + "\n" + " testq %rax, %rax\n" + " je __afl_setup_abort\n" + "\n" + " movq %rax, %rdi\n" + CALL_L64("atoi") + "\n" + " xorq %rdx, %rdx /* shmat flags */\n" + " xorq %rsi, %rsi /* requested addr */\n" + " movq %rax, %rdi /* SHM ID */\n" + CALL_L64("shmat") + "\n" + " cmpq $-1, %rax\n" + " je __afl_setup_abort\n" + "\n" + " /* Store the address of the SHM region. */\n" + "\n" + " movq %rax, %rdx\n" + " movq %rax, __afl_area_ptr(%rip)\n" + "\n" +#ifdef __APPLE__ + " movq %rax, __afl_global_area_ptr(%rip)\n" +#else + " movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n" + " movq %rax, (%rdx)\n" +#endif /* ^__APPLE__ */ + " movq %rax, %rdx\n" + "\n" + "__afl_forkserver:\n" + "\n" + " /* Enter the fork server mode to avoid the overhead of execve() calls. We\n" + " push rdx (area ptr) twice to keep stack alignment neat. */\n" + "\n" + " pushq %rdx\n" + " pushq %rdx\n" + "\n" + " /* Phone home and tell the parent that we're OK. (Note that signals with\n" + " no SA_RESTART will mess it up). If this fails, assume that the fd is\n" + " closed because we were execve()d from an instrumented binary, or because\n" + " the parent doesn't want to use the fork server. */\n" + "\n" + " movq $4, %rdx /* length */\n" + " leaq __afl_temp(%rip), %rsi /* data */\n" + " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" + CALL_L64("write") + "\n" + " cmpq $4, %rax\n" + " jne __afl_fork_resume\n" + "\n" + "__afl_fork_wait_loop:\n" + "\n" + " /* Wait for parent by reading from the pipe. Abort if read fails. */\n" + "\n" + " movq $4, %rdx /* length */\n" + " leaq __afl_temp(%rip), %rsi /* data */\n" + " movq $" STRINGIFY(FORKSRV_FD) ", %rdi /* file desc */\n" + CALL_L64("read") + " cmpq $4, %rax\n" + " jne __afl_die\n" + "\n" + " /* Once woken up, create a clone of our process. This is an excellent use\n" + " case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n" + " caches getpid() results and offers no way to update the value, breaking\n" + " abort(), raise(), and a bunch of other things :-( */\n" + "\n" + CALL_L64("fork") + " cmpq $0, %rax\n" + " jl __afl_die\n" + " je __afl_fork_resume\n" + "\n" + " /* In parent process: write PID to pipe, then wait for child. */\n" + "\n" + " movl %eax, __afl_fork_pid(%rip)\n" + "\n" + " movq $4, %rdx /* length */\n" + " leaq __afl_fork_pid(%rip), %rsi /* data */\n" + " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" + CALL_L64("write") + "\n" + " movq $0, %rdx /* no flags */\n" + " leaq __afl_temp(%rip), %rsi /* status */\n" + " movq __afl_fork_pid(%rip), %rdi /* PID */\n" + CALL_L64("waitpid") + " cmpq $0, %rax\n" + " jle __afl_die\n" + "\n" + " /* Relay wait status to pipe, then loop back. */\n" + "\n" + " movq $4, %rdx /* length */\n" + " leaq __afl_temp(%rip), %rsi /* data */\n" + " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi /* file desc */\n" + CALL_L64("write") + "\n" + " jmp __afl_fork_wait_loop\n" + "\n" + "__afl_fork_resume:\n" + "\n" + " /* In child process: close fds, resume execution. */\n" + "\n" + " movq $" STRINGIFY(FORKSRV_FD) ", %rdi\n" + CALL_L64("close") + "\n" + " movq $" STRINGIFY((FORKSRV_FD + 1)) ", %rdi\n" + CALL_L64("close") + "\n" + " popq %rdx\n" + " popq %rdx\n" + "\n" + " movq %r12, %rsp\n" + " popq %r12\n" + "\n" + " movq 0(%rsp), %rax\n" + " movq 8(%rsp), %rcx\n" + " movq 16(%rsp), %rdi\n" + " movq 32(%rsp), %rsi\n" + " movq 40(%rsp), %r8\n" + " movq 48(%rsp), %r9\n" + " movq 56(%rsp), %r10\n" + " movq 64(%rsp), %r11\n" + "\n" + " movq 96(%rsp), %xmm0\n" + " movq 112(%rsp), %xmm1\n" + " movq 128(%rsp), %xmm2\n" + " movq 144(%rsp), %xmm3\n" + " movq 160(%rsp), %xmm4\n" + " movq 176(%rsp), %xmm5\n" + " movq 192(%rsp), %xmm6\n" + " movq 208(%rsp), %xmm7\n" + " movq 224(%rsp), %xmm8\n" + " movq 240(%rsp), %xmm9\n" + " movq 256(%rsp), %xmm10\n" + " movq 272(%rsp), %xmm11\n" + " movq 288(%rsp), %xmm12\n" + " movq 304(%rsp), %xmm13\n" + " movq 320(%rsp), %xmm14\n" + " movq 336(%rsp), %xmm15\n" + "\n" + " leaq 352(%rsp), %rsp\n" + "\n" + " jmp __afl_store\n" + "\n" + "__afl_die:\n" + "\n" + " xorq %rax, %rax\n" + CALL_L64("_exit") + "\n" + "__afl_setup_abort:\n" + "\n" + " /* Record setup failure so that we don't keep calling\n" + " shmget() / shmat() over and over again. */\n" + "\n" + " incb __afl_setup_failure(%rip)\n" + "\n" + " movq %r12, %rsp\n" + " popq %r12\n" + "\n" + " movq 0(%rsp), %rax\n" + " movq 8(%rsp), %rcx\n" + " movq 16(%rsp), %rdi\n" + " movq 32(%rsp), %rsi\n" + " movq 40(%rsp), %r8\n" + " movq 48(%rsp), %r9\n" + " movq 56(%rsp), %r10\n" + " movq 64(%rsp), %r11\n" + "\n" + " movq 96(%rsp), %xmm0\n" + " movq 112(%rsp), %xmm1\n" + " movq 128(%rsp), %xmm2\n" + " movq 144(%rsp), %xmm3\n" + " movq 160(%rsp), %xmm4\n" + " movq 176(%rsp), %xmm5\n" + " movq 192(%rsp), %xmm6\n" + " movq 208(%rsp), %xmm7\n" + " movq 224(%rsp), %xmm8\n" + " movq 240(%rsp), %xmm9\n" + " movq 256(%rsp), %xmm10\n" + " movq 272(%rsp), %xmm11\n" + " movq 288(%rsp), %xmm12\n" + " movq 304(%rsp), %xmm13\n" + " movq 320(%rsp), %xmm14\n" + " movq 336(%rsp), %xmm15\n" + "\n" + " leaq 352(%rsp), %rsp\n" + "\n" + " jmp __afl_return\n" + "\n" + ".AFL_VARS:\n" + "\n" + +#ifdef __APPLE__ + + " .comm __afl_area_ptr, 8\n" +#ifndef COVERAGE_ONLY + " .comm __afl_prev_loc, 8\n" +#endif /* !COVERAGE_ONLY */ + " .comm __afl_fork_pid, 4\n" + " .comm __afl_temp, 4\n" + " .comm __afl_setup_failure, 1\n" + +#else + + " .lcomm __afl_area_ptr, 8\n" +#ifndef COVERAGE_ONLY + " .lcomm __afl_prev_loc, 8\n" +#endif /* !COVERAGE_ONLY */ + " .lcomm __afl_fork_pid, 4\n" + " .lcomm __afl_temp, 4\n" + " .lcomm __afl_setup_failure, 1\n" + +#endif /* ^__APPLE__ */ + + " .comm __afl_global_area_ptr, 8, 8\n" + "\n" + ".AFL_SHM_ENV:\n" + " .asciz \"" SHM_ENV_VAR "\"\n" + "\n" + "/* --- END --- */\n" + "\n"; + +#endif /* !_HAVE_AFL_AS_H */ diff --git a/afl-cmin b/afl-cmin index 147f320..e89b895 100644 --- a/afl-cmin +++ b/afl-cmin @@ -1,461 +1,461 @@ -#!/usr/bin/env bash -# -# american fuzzy lop - corpus minimization tool -# --------------------------------------------- -# -# Written and maintained by Michal Zalewski -# -# Copyright 2014, 2015 Google LLC All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# This tool tries to find the smallest subset of files in the input directory -# that still trigger the full range of instrumentation data points seen in -# the starting corpus. This has two uses: -# -# - Screening large corpora of input files before using them as a seed for -# afl-fuzz. The tool will remove functionally redundant files and likely -# leave you with a much smaller set. -# -# (In this case, you probably also want to consider running afl-tmin on -# the individual files later on to reduce their size.) -# -# - Minimizing the corpus generated organically by afl-fuzz, perhaps when -# planning to feed it to more resource-intensive tools. The tool achieves -# this by removing all entries that used to trigger unique behaviors in the -# past, but have been made obsolete by later finds. -# -# Note that the tool doesn't modify the files themselves. For that, you want -# afl-tmin. -# -# This script must use bash because other shells may have hardcoded limits on -# array sizes. -# - -echo "corpus minimization tool for afl-fuzz by " -echo - -######### -# SETUP # -######### - -# Process command-line options... - -MEM_LIMIT=100 -TIMEOUT=none - -unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \ - AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE - -while getopts "+i:o:f:m:t:eQC" opt; do - - case "$opt" in - - "i") - IN_DIR="$OPTARG" - ;; - - "o") - OUT_DIR="$OPTARG" - ;; - "f") - STDIN_FILE="$OPTARG" - ;; - "m") - MEM_LIMIT="$OPTARG" - MEM_LIMIT_GIVEN=1 - ;; - "t") - TIMEOUT="$OPTARG" - ;; - "e") - EXTRA_PAR="$EXTRA_PAR -e" - ;; - "C") - export AFL_CMIN_CRASHES_ONLY=1 - ;; - "Q") - EXTRA_PAR="$EXTRA_PAR -Q" - test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250 - QEMU_MODE=1 - ;; - "?") - exit 1 - ;; - - esac - -done - -shift $((OPTIND-1)) - -TARGET_BIN="$1" - -if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then - - cat 1>&2 <<_EOF_ -Usage: $0 [ options ] -- /path/to/target_app [ ... ] - -Required parameters: - - -i dir - input directory with the starting corpus - -o dir - output directory for minimized files - -Execution control settings: - - -f file - location read by the fuzzed program (stdin) - -m megs - memory limit for child process ($MEM_LIMIT MB) - -t msec - run time limit for child process (none) - -Q - use binary-only instrumentation (QEMU mode) - -Minimization settings: - - -C - keep crashing inputs, reject everything else - -e - solve for edge coverage only, ignore hit counts - -For additional tips, please consult docs/README. - -_EOF_ - exit 1 -fi - -# Do a sanity check to discourage the use of /tmp, since we can't really -# handle this safely from a shell script. - -if [ "$AFL_ALLOW_TMP" = "" ]; then - - echo "$IN_DIR" | grep -qE '^(/var)?/tmp/' - T1="$?" - - echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/' - T2="$?" - - echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/' - T3="$?" - - echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/' - T4="$?" - - echo "$PWD" | grep -qE '^(/var)?/tmp/' - T5="$?" - - if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then - echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2 - exit 1 - fi - -fi - -# If @@ is specified, but there's no -f, let's come up with a temporary input -# file name. - -TRACE_DIR="$OUT_DIR/.traces" - -if [ "$STDIN_FILE" = "" ]; then - - if echo "$*" | grep -qF '@@'; then - STDIN_FILE="$TRACE_DIR/.cur_input" - fi - -fi - -# Check for obvious errors. - -if [ ! "$MEM_LIMIT" = "none" ]; then - - if [ "$MEM_LIMIT" -lt "5" ]; then - echo "[-] Error: dangerously low memory limit." 1>&2 - exit 1 - fi - -fi - -if [ ! "$TIMEOUT" = "none" ]; then - - if [ "$TIMEOUT" -lt "10" ]; then - echo "[-] Error: dangerously low timeout." 1>&2 - exit 1 - fi - -fi - -if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then - - TNEW="`which "$TARGET_BIN" 2>/dev/null`" - - if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then - echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2 - exit 1 - fi - - TARGET_BIN="$TNEW" - -fi - -if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" ]; then - - if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then - echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2 - exit 1 - fi - -fi - -if [ ! -d "$IN_DIR" ]; then - echo "[-] Error: directory '$IN_DIR' not found." 1>&2 - exit 1 -fi - -test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue" - -find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null -rm -rf "$TRACE_DIR" 2>/dev/null - -rmdir "$OUT_DIR" 2>/dev/null - -if [ -d "$OUT_DIR" ]; then - echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2 - exit 1 -fi - -mkdir -m 700 -p "$TRACE_DIR" || exit 1 - -if [ ! "$STDIN_FILE" = "" ]; then - rm -f "$STDIN_FILE" || exit 1 - touch "$STDIN_FILE" || exit 1 -fi - -if [ "$AFL_PATH" = "" ]; then - SHOWMAP="${0%/afl-cmin}/afl-showmap" -else - SHOWMAP="$AFL_PATH/afl-showmap" -fi - -if [ ! -x "$SHOWMAP" ]; then - echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2 - rm -rf "$TRACE_DIR" - exit 1 -fi - -IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`)) - -if [ "$IN_COUNT" = "0" ]; then - echo "[+] Hmm, no inputs in the target directory. Nothing to be done." - rm -rf "$TRACE_DIR" - exit 1 -fi - -FIRST_FILE=`ls "$IN_DIR" | head -1` - -# Make sure that we're not dealing with a directory. - -if [ -d "$IN_DIR/$FIRST_FILE" ]; then - echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2 - rm -rf "$TRACE_DIR" - exit 1 -fi - -# Check for the more efficient way to copy files... - -if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then - CP_TOOL=ln -else - CP_TOOL=cp -fi - -# Make sure that we can actually get anything out of afl-showmap before we -# waste too much time. - -echo "[*] Testing the target binary..." - -if [ "$STDIN_FILE" = "" ]; then - - AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE" - -else - - cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE" - AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" &2 - test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" - exit 1 - -fi - -# Let's roll! - -############################# -# STEP 1: COLLECTING TRACES # -############################# - -echo "[*] Obtaining traces for input files in '$IN_DIR'..." - -( - - CUR=0 - - if [ "$STDIN_FILE" = "" ]; then - - while read -r fn; do - - CUR=$((CUR+1)) - printf "\\r Processing file $CUR/$IN_COUNT... " - - "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn" - - done < <(ls "$IN_DIR") - - else - - while read -r fn; do - - CUR=$((CUR+1)) - printf "\\r Processing file $CUR/$IN_COUNT... " - - cp "$IN_DIR/$fn" "$STDIN_FILE" - - "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" "$TRACE_DIR/.all_uniq" - -TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`)) - -echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files." - -##################################### -# STEP 3: SELECTING CANDIDATE FILES # -##################################### - -# The next step is to find the best candidate for each tuple. The "best" -# part is understood simply as the smallest input that includes a particular -# tuple in its trace. Empirical evidence suggests that this produces smaller -# datasets than more involved algorithms that could be still pulled off in -# a shell script. - -echo "[*] Finding best candidates for each tuple..." - -CUR=0 - -while read -r fn; do - - CUR=$((CUR+1)) - printf "\\r Processing file $CUR/$IN_COUNT... " - - sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list" - -done < <(ls -rS "$IN_DIR") - -echo - -############################## -# STEP 4: LOADING CANDIDATES # -############################## - -# At this point, we have a file of tuple-file pairs, sorted by file size -# in ascending order (as a consequence of ls -rS). By doing sort keyed -# only by tuple (-k 1,1) and configured to output only the first line for -# every key (-s -u), we end up with the smallest file for each tuple. - -echo "[*] Sorting candidate list (be patient)..." - -sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \ - sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script" - -if [ ! -s "$TRACE_DIR/.candidate_script" ]; then - echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2 - test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" - exit 1 -fi - -# The sed command converted the sorted list to a shell script that populates -# BEST_FILE[tuple]="fname". Let's load that! - -. "$TRACE_DIR/.candidate_script" - -########################## -# STEP 5: WRITING OUTPUT # -########################## - -# The final trick is to grab the top pick for each tuple, unless said tuple is -# already set due to the inclusion of an earlier candidate; and then put all -# tuples associated with the newly-added file to the "already have" list. The -# loop works from least popular tuples and toward the most common ones. - -echo "[*] Processing candidates and writing output files..." - -CUR=0 - -touch "$TRACE_DIR/.already_have" - -while read -r cnt tuple; do - - CUR=$((CUR+1)) - printf "\\r Processing tuple $CUR/$TUPLE_COUNT... " - - # If we already have this tuple, skip it. - - grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue - - FN=${BEST_FILE[tuple]} - - $CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN" - - if [ "$((CUR % 5))" = "0" ]; then - sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp" - mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have" - else - cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have" - fi - -done <"$TRACE_DIR/.all_uniq" - -echo - -OUT_COUNT=`ls -- "$OUT_DIR" | wc -l` - -if [ "$OUT_COUNT" = "1" ]; then - echo "[!] WARNING: All test cases had the same traces, check syntax!" -fi - -echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'." -echo - -test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" - -exit 0 +#!/usr/bin/env bash +# +# american fuzzy lop - corpus minimization tool +# --------------------------------------------- +# +# Written and maintained by Michal Zalewski +# +# Copyright 2014, 2015 Google LLC All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# This tool tries to find the smallest subset of files in the input directory +# that still trigger the full range of instrumentation data points seen in +# the starting corpus. This has two uses: +# +# - Screening large corpora of input files before using them as a seed for +# afl-fuzz. The tool will remove functionally redundant files and likely +# leave you with a much smaller set. +# +# (In this case, you probably also want to consider running afl-tmin on +# the individual files later on to reduce their size.) +# +# - Minimizing the corpus generated organically by afl-fuzz, perhaps when +# planning to feed it to more resource-intensive tools. The tool achieves +# this by removing all entries that used to trigger unique behaviors in the +# past, but have been made obsolete by later finds. +# +# Note that the tool doesn't modify the files themselves. For that, you want +# afl-tmin. +# +# This script must use bash because other shells may have hardcoded limits on +# array sizes. +# + +echo "corpus minimization tool for afl-fuzz by " +echo + +######### +# SETUP # +######### + +# Process command-line options... + +MEM_LIMIT=100 +TIMEOUT=none + +unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \ + AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE + +while getopts "+i:o:f:m:t:eQC" opt; do + + case "$opt" in + + "i") + IN_DIR="$OPTARG" + ;; + + "o") + OUT_DIR="$OPTARG" + ;; + "f") + STDIN_FILE="$OPTARG" + ;; + "m") + MEM_LIMIT="$OPTARG" + MEM_LIMIT_GIVEN=1 + ;; + "t") + TIMEOUT="$OPTARG" + ;; + "e") + EXTRA_PAR="$EXTRA_PAR -e" + ;; + "C") + export AFL_CMIN_CRASHES_ONLY=1 + ;; + "Q") + EXTRA_PAR="$EXTRA_PAR -Q" + test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250 + QEMU_MODE=1 + ;; + "?") + exit 1 + ;; + + esac + +done + +shift $((OPTIND-1)) + +TARGET_BIN="$1" + +if [ "$TARGET_BIN" = "" -o "$IN_DIR" = "" -o "$OUT_DIR" = "" ]; then + + cat 1>&2 <<_EOF_ +Usage: $0 [ options ] -- /path/to/target_app [ ... ] + +Required parameters: + + -i dir - input directory with the starting corpus + -o dir - output directory for minimized files + +Execution control settings: + + -f file - location read by the fuzzed program (stdin) + -m megs - memory limit for child process ($MEM_LIMIT MB) + -t msec - run time limit for child process (none) + -Q - use binary-only instrumentation (QEMU mode) + +Minimization settings: + + -C - keep crashing inputs, reject everything else + -e - solve for edge coverage only, ignore hit counts + +For additional tips, please consult docs/README. + +_EOF_ + exit 1 +fi + +# Do a sanity check to discourage the use of /tmp, since we can't really +# handle this safely from a shell script. + +if [ "$AFL_ALLOW_TMP" = "" ]; then + + echo "$IN_DIR" | grep -qE '^(/var)?/tmp/' + T1="$?" + + echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/' + T2="$?" + + echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/' + T3="$?" + + echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/' + T4="$?" + + echo "$PWD" | grep -qE '^(/var)?/tmp/' + T5="$?" + + if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then + echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2 + exit 1 + fi + +fi + +# If @@ is specified, but there's no -f, let's come up with a temporary input +# file name. + +TRACE_DIR="$OUT_DIR/.traces" + +if [ "$STDIN_FILE" = "" ]; then + + if echo "$*" | grep -qF '@@'; then + STDIN_FILE="$TRACE_DIR/.cur_input" + fi + +fi + +# Check for obvious errors. + +if [ ! "$MEM_LIMIT" = "none" ]; then + + if [ "$MEM_LIMIT" -lt "5" ]; then + echo "[-] Error: dangerously low memory limit." 1>&2 + exit 1 + fi + +fi + +if [ ! "$TIMEOUT" = "none" ]; then + + if [ "$TIMEOUT" -lt "10" ]; then + echo "[-] Error: dangerously low timeout." 1>&2 + exit 1 + fi + +fi + +if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then + + TNEW="`which "$TARGET_BIN" 2>/dev/null`" + + if [ ! -f "$TNEW" -o ! -x "$TNEW" ]; then + echo "[-] Error: binary '$TARGET_BIN' not found or not executable." 1>&2 + exit 1 + fi + + TARGET_BIN="$TNEW" + +fi + +if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" ]; then + + if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then + echo "[-] Error: binary '$TARGET_BIN' doesn't appear to be instrumented." 1>&2 + exit 1 + fi + +fi + +if [ ! -d "$IN_DIR" ]; then + echo "[-] Error: directory '$IN_DIR' not found." 1>&2 + exit 1 +fi + +test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue" + +find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null +rm -rf "$TRACE_DIR" 2>/dev/null + +rmdir "$OUT_DIR" 2>/dev/null + +if [ -d "$OUT_DIR" ]; then + echo "[-] Error: directory '$OUT_DIR' exists and is not empty - delete it first." 1>&2 + exit 1 +fi + +mkdir -m 700 -p "$TRACE_DIR" || exit 1 + +if [ ! "$STDIN_FILE" = "" ]; then + rm -f "$STDIN_FILE" || exit 1 + touch "$STDIN_FILE" || exit 1 +fi + +if [ "$AFL_PATH" = "" ]; then + SHOWMAP="${0%/afl-cmin}/afl-showmap" +else + SHOWMAP="$AFL_PATH/afl-showmap" +fi + +if [ ! -x "$SHOWMAP" ]; then + echo "[-] Error: can't find 'afl-showmap' - please set AFL_PATH." 1>&2 + rm -rf "$TRACE_DIR" + exit 1 +fi + +IN_COUNT=$((`ls -- "$IN_DIR" 2>/dev/null | wc -l`)) + +if [ "$IN_COUNT" = "0" ]; then + echo "[+] Hmm, no inputs in the target directory. Nothing to be done." + rm -rf "$TRACE_DIR" + exit 1 +fi + +FIRST_FILE=`ls "$IN_DIR" | head -1` + +# Make sure that we're not dealing with a directory. + +if [ -d "$IN_DIR/$FIRST_FILE" ]; then + echo "[-] Error: The target directory contains subdirectories - please fix." 1>&2 + rm -rf "$TRACE_DIR" + exit 1 +fi + +# Check for the more efficient way to copy files... + +if ln "$IN_DIR/$FIRST_FILE" "$TRACE_DIR/.link_test" 2>/dev/null; then + CP_TOOL=ln +else + CP_TOOL=cp +fi + +# Make sure that we can actually get anything out of afl-showmap before we +# waste too much time. + +echo "[*] Testing the target binary..." + +if [ "$STDIN_FILE" = "" ]; then + + AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$FIRST_FILE" + +else + + cp "$IN_DIR/$FIRST_FILE" "$STDIN_FILE" + AFL_CMIN_ALLOW_ANY=1 "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/.run_test" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" &2 + test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" + exit 1 + +fi + +# Let's roll! + +############################# +# STEP 1: COLLECTING TRACES # +############################# + +echo "[*] Obtaining traces for input files in '$IN_DIR'..." + +( + + CUR=0 + + if [ "$STDIN_FILE" = "" ]; then + + while read -r fn; do + + CUR=$((CUR+1)) + printf "\\r Processing file $CUR/$IN_COUNT... " + + "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -- "$@" <"$IN_DIR/$fn" + + done < <(ls "$IN_DIR") + + else + + while read -r fn; do + + CUR=$((CUR+1)) + printf "\\r Processing file $CUR/$IN_COUNT... " + + cp "$IN_DIR/$fn" "$STDIN_FILE" + + "$SHOWMAP" -m "$MEM_LIMIT" -t "$TIMEOUT" -o "$TRACE_DIR/$fn" -Z $EXTRA_PAR -A "$STDIN_FILE" -- "$@" "$TRACE_DIR/.all_uniq" + +TUPLE_COUNT=$((`grep -c . "$TRACE_DIR/.all_uniq"`)) + +echo "[+] Found $TUPLE_COUNT unique tuples across $IN_COUNT files." + +##################################### +# STEP 3: SELECTING CANDIDATE FILES # +##################################### + +# The next step is to find the best candidate for each tuple. The "best" +# part is understood simply as the smallest input that includes a particular +# tuple in its trace. Empirical evidence suggests that this produces smaller +# datasets than more involved algorithms that could be still pulled off in +# a shell script. + +echo "[*] Finding best candidates for each tuple..." + +CUR=0 + +while read -r fn; do + + CUR=$((CUR+1)) + printf "\\r Processing file $CUR/$IN_COUNT... " + + sed "s#\$# $fn#" "$TRACE_DIR/$fn" >>"$TRACE_DIR/.candidate_list" + +done < <(ls -rS "$IN_DIR") + +echo + +############################## +# STEP 4: LOADING CANDIDATES # +############################## + +# At this point, we have a file of tuple-file pairs, sorted by file size +# in ascending order (as a consequence of ls -rS). By doing sort keyed +# only by tuple (-k 1,1) and configured to output only the first line for +# every key (-s -u), we end up with the smallest file for each tuple. + +echo "[*] Sorting candidate list (be patient)..." + +sort -k1,1 -s -u "$TRACE_DIR/.candidate_list" | \ + sed 's/^/BEST_FILE[/;s/ /]="/;s/$/"/' >"$TRACE_DIR/.candidate_script" + +if [ ! -s "$TRACE_DIR/.candidate_script" ]; then + echo "[-] Error: no traces obtained from test cases, check syntax!" 1>&2 + test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" + exit 1 +fi + +# The sed command converted the sorted list to a shell script that populates +# BEST_FILE[tuple]="fname". Let's load that! + +. "$TRACE_DIR/.candidate_script" + +########################## +# STEP 5: WRITING OUTPUT # +########################## + +# The final trick is to grab the top pick for each tuple, unless said tuple is +# already set due to the inclusion of an earlier candidate; and then put all +# tuples associated with the newly-added file to the "already have" list. The +# loop works from least popular tuples and toward the most common ones. + +echo "[*] Processing candidates and writing output files..." + +CUR=0 + +touch "$TRACE_DIR/.already_have" + +while read -r cnt tuple; do + + CUR=$((CUR+1)) + printf "\\r Processing tuple $CUR/$TUPLE_COUNT... " + + # If we already have this tuple, skip it. + + grep -q "^$tuple\$" "$TRACE_DIR/.already_have" && continue + + FN=${BEST_FILE[tuple]} + + $CP_TOOL "$IN_DIR/$FN" "$OUT_DIR/$FN" + + if [ "$((CUR % 5))" = "0" ]; then + sort -u "$TRACE_DIR/$FN" "$TRACE_DIR/.already_have" >"$TRACE_DIR/.tmp" + mv -f "$TRACE_DIR/.tmp" "$TRACE_DIR/.already_have" + else + cat "$TRACE_DIR/$FN" >>"$TRACE_DIR/.already_have" + fi + +done <"$TRACE_DIR/.all_uniq" + +echo + +OUT_COUNT=`ls -- "$OUT_DIR" | wc -l` + +if [ "$OUT_COUNT" = "1" ]; then + echo "[!] WARNING: All test cases had the same traces, check syntax!" +fi + +echo "[+] Narrowed down to $OUT_COUNT files, saved in '$OUT_DIR'." +echo + +test "$AFL_KEEP_TRACES" = "" && rm -rf "$TRACE_DIR" + +exit 0 diff --git a/afl-fuzz.c b/afl-fuzz.c index 61479b6..46a216c 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -1,8197 +1,8197 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - fuzzer code - -------------------------------- - - Written and maintained by Michal Zalewski - - Forkserver design by Jann Horn - - This is the real deal: the program takes an instrumented binary and - attempts a variety of basic fuzzing tricks, paying close attention to - how they affect the execution path. - -*/ - -#define AFL_MAIN -#include "android-ashmem.h" -#define MESSAGES_TO_STDOUT - -#ifndef _GNU_SOURCE -#define _GNU_SOURCE -#endif -#define _FILE_OFFSET_BITS 64 - -#include "config.h" -#include "types.h" -#include "debug.h" -#include "alloc-inl.h" -#include "hash.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) -# include -#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ - -/* For systems that have sched_setaffinity; right now just Linux, but one - can hope... */ - -#ifdef __linux__ -# define HAVE_AFFINITY 1 -#endif /* __linux__ */ - -/* A toggle to export some variables when building as a library. Not very - useful for the general public. */ - -#ifdef AFL_LIB -# define EXP_ST -#else -# define EXP_ST static -#endif /* ^AFL_LIB */ - -/* Lots of globals, but mostly for the status UI and other things where it - really makes no sense to haul them around as function parameters. */ - - -EXP_ST u8 *in_dir, /* Input directory with test cases */ - *out_file, /* File to fuzz, if any */ - *out_dir, /* Working & output directory */ - *sync_dir, /* Synchronization directory */ - *sync_id, /* Fuzzer ID */ - *use_banner, /* Display banner */ - *in_bitmap, /* Input bitmap */ - *doc_path, /* Path to documentation dir */ - *target_path, /* Path to target binary */ - *orig_cmdline; /* Original command line */ - -EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */ -static u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */ - -EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */ - -EXP_ST u32 cpu_to_bind = 0; /* id of free CPU core to bind */ - -static u32 stats_update_freq = 1; /* Stats update frequency (execs) */ - -EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ - use_splicing, /* Recombine input files? */ - dumb_mode, /* Run in non-instrumented mode? */ - score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ - resuming_fuzz, /* Resuming an older fuzzing job? */ - timeout_given, /* Specific timeout given? */ - cpu_to_bind_given, /* Specified cpu_to_bind given? */ - not_on_tty, /* stdout is not a tty */ - term_too_small, /* terminal dimensions too small */ - uses_asan, /* Target uses ASAN? */ - no_forkserver, /* Disable forkserver? */ - crash_mode, /* Crash mode! Yeah! */ - in_place_resume, /* Attempt in-place resume? */ - auto_changed, /* Auto-generated tokens changed? */ - no_cpu_meter_red, /* Feng shui on the status screen */ - no_arith, /* Skip most arithmetic ops */ - shuffle_queue, /* Shuffle input queue? */ - bitmap_changed = 1, /* Time to update bitmap? */ - qemu_mode, /* Running in QEMU mode? */ - skip_requested, /* Skip request, via SIGUSR1 */ - run_over10m, /* Run time over 10 minutes? */ - persistent_mode, /* Running in persistent mode? */ - deferred_mode, /* Deferred forkserver mode? */ - fast_cal; /* Try to calibrate faster? */ - -static s32 out_fd, /* Persistent fd for out_file */ - dev_urandom_fd = -1, /* Persistent fd for /dev/urandom */ - dev_null_fd = -1, /* Persistent fd for /dev/null */ - fsrv_ctl_fd, /* Fork server control pipe (write) */ - fsrv_st_fd; /* Fork server status pipe (read) */ - -static s32 forksrv_pid, /* PID of the fork server */ - child_pid = -1, /* PID of the fuzzed program */ - out_dir_fd = -1; /* FD of the lock file */ - -EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */ - -EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ - -static u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ - -static s32 shm_id; /* ID of the SHM region */ - -static volatile u8 stop_soon, /* Ctrl-C pressed? */ - clear_screen = 1, /* Window resized? */ - child_timed_out; /* Traced process timed out? */ - -EXP_ST u32 queued_paths, /* Total number of queued testcases */ - queued_variable, /* Testcases with variable behavior */ - queued_at_start, /* Total number of initial inputs */ - queued_discovered, /* Items discovered during this run */ - queued_imported, /* Items imported via -S */ - queued_favored, /* Paths deemed favorable */ - queued_with_cov, /* Paths with new coverage bytes */ - pending_not_fuzzed, /* Queued but not done yet */ - pending_favored, /* Pending favored paths */ - cur_skipped_paths, /* Abandoned inputs in cur cycle */ - cur_depth, /* Current path depth */ - max_depth, /* Max path depth */ - useless_at_start, /* Number of useless starting paths */ - var_byte_count, /* Bitmap bytes with var behavior */ - current_entry, /* Current queue entry ID */ - havoc_div = 1; /* Cycle count divisor for havoc */ - -EXP_ST u64 total_crashes, /* Total number of crashes */ - unique_crashes, /* Crashes with unique signatures */ - total_tmouts, /* Total number of timeouts */ - unique_tmouts, /* Timeouts with unique signatures */ - unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ - slowest_exec_ms, /* Slowest testcase non hang in ms */ - start_time, /* Unix start time (ms) */ - last_path_time, /* Time for most recent path (ms) */ - last_crash_time, /* Time for most recent crash (ms) */ - last_hang_time, /* Time for most recent hang (ms) */ - last_crash_execs, /* Exec counter at last crash */ - queue_cycle, /* Queue round counter */ - cycles_wo_finds, /* Cycles without any new paths */ - trim_execs, /* Execs done to trim input files */ - bytes_trim_in, /* Bytes coming into the trimmer */ - bytes_trim_out, /* Bytes coming outa the trimmer */ - blocks_eff_total, /* Blocks subject to effector maps */ - blocks_eff_select; /* Blocks selected as fuzzable */ - -static u32 subseq_tmouts; /* Number of timeouts in a row */ - -static u8 *stage_name = "init", /* Name of the current fuzz stage */ - *stage_short, /* Short stage name */ - *syncing_party; /* Currently syncing with... */ - -static s32 stage_cur, stage_max; /* Stage progression */ -static s32 splicing_with = -1; /* Splicing with which test case? */ - -static u32 master_id, master_max; /* Master instance job splitting */ - -static u32 syncing_case; /* Syncing with case #... */ - -static s32 stage_cur_byte, /* Byte offset of current stage op */ - stage_cur_val; /* Value used for stage op */ - -static u8 stage_val_type; /* Value type (STAGE_VAL_*) */ - -static u64 stage_finds[32], /* Patterns found per fuzz stage */ - stage_cycles[32]; /* Execs per fuzz stage */ - -static u32 rand_cnt; /* Random number counter */ - -static u64 total_cal_us, /* Total calibration time (us) */ - total_cal_cycles; /* Total calibration cycles */ - -static u64 total_bitmap_size, /* Total bit count for all bitmaps */ - total_bitmap_entries; /* Number of bitmaps counted */ - -static s32 cpu_core_count; /* CPU core count */ - -#ifdef HAVE_AFFINITY - -static s32 cpu_aff = -1; /* Selected CPU core */ - -#endif /* HAVE_AFFINITY */ - -static FILE* plot_file; /* Gnuplot output file */ - -struct queue_entry { - - u8* fname; /* File name for the test case */ - u32 len; /* Input length */ - - u8 cal_failed, /* Calibration failed? */ - trim_done, /* Trimmed? */ - was_fuzzed, /* Had any fuzzing done yet? */ - passed_det, /* Deterministic stages passed? */ - has_new_cov, /* Triggers new coverage? */ - var_behavior, /* Variable behavior? */ - favored, /* Currently favored? */ - fs_redundant; /* Marked as redundant in the fs? */ - - u32 bitmap_size, /* Number of bits set in bitmap */ - exec_cksum; /* Checksum of the execution trace */ - - u64 exec_us, /* Execution time (us) */ - handicap, /* Number of queue cycles behind */ - depth; /* Path depth */ - - u8* trace_mini; /* Trace bytes, if kept */ - u32 tc_ref; /* Trace bytes ref count */ - - struct queue_entry *next, /* Next element, if any */ - *next_100; /* 100 elements ahead */ - -}; - -static struct queue_entry *queue, /* Fuzzing queue (linked list) */ - *queue_cur, /* Current offset within the queue */ - *queue_top, /* Top of the list */ - *q_prev100; /* Previous 100 marker */ - -static struct queue_entry* - top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ - -struct extra_data { - u8* data; /* Dictionary token data */ - u32 len; /* Dictionary token length */ - u32 hit_cnt; /* Use count in the corpus */ -}; - -static struct extra_data* extras; /* Extra tokens to fuzz with */ -static u32 extras_cnt; /* Total number of tokens read */ - -static struct extra_data* a_extras; /* Automatically selected extras */ -static u32 a_extras_cnt; /* Total number of tokens available */ - -static u8* (*post_handler)(u8* buf, u32* len); - -/* Interesting values, as per config.h */ - -static s8 interesting_8[] = { INTERESTING_8 }; -static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 }; -static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 }; - -/* Fuzzing stages */ - -enum { - /* 00 */ STAGE_FLIP1, - /* 01 */ STAGE_FLIP2, - /* 02 */ STAGE_FLIP4, - /* 03 */ STAGE_FLIP8, - /* 04 */ STAGE_FLIP16, - /* 05 */ STAGE_FLIP32, - /* 06 */ STAGE_ARITH8, - /* 07 */ STAGE_ARITH16, - /* 08 */ STAGE_ARITH32, - /* 09 */ STAGE_INTEREST8, - /* 10 */ STAGE_INTEREST16, - /* 11 */ STAGE_INTEREST32, - /* 12 */ STAGE_EXTRAS_UO, - /* 13 */ STAGE_EXTRAS_UI, - /* 14 */ STAGE_EXTRAS_AO, - /* 15 */ STAGE_HAVOC, - /* 16 */ STAGE_SPLICE -}; - -/* Stage value types */ - -enum { - /* 00 */ STAGE_VAL_NONE, - /* 01 */ STAGE_VAL_LE, - /* 02 */ STAGE_VAL_BE -}; - -/* Execution status fault codes */ - -enum { - /* 00 */ FAULT_NONE, - /* 01 */ FAULT_TMOUT, - /* 02 */ FAULT_CRASH, - /* 03 */ FAULT_ERROR, - /* 04 */ FAULT_NOINST, - /* 05 */ FAULT_NOBITS -}; - - -/* Get unix time in milliseconds */ - -static u64 get_cur_time(void) { - - struct timeval tv; - struct timezone tz; - - gettimeofday(&tv, &tz); - - return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000); - -} - - -/* Get unix time in microseconds */ - -static u64 get_cur_time_us(void) { - - struct timeval tv; - struct timezone tz; - - gettimeofday(&tv, &tz); - - return (tv.tv_sec * 1000000ULL) + tv.tv_usec; - -} - - -/* Generate a random number (from 0 to limit - 1). This may - have slight bias. */ - -static inline u32 UR(u32 limit) { - - if (unlikely(!rand_cnt--)) { - - u32 seed[2]; - - ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom"); - - srandom(seed[0]); - rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG); - - } - - return random() % limit; - -} - - -/* Shuffle an array of pointers. Might be slightly biased. */ - -static void shuffle_ptrs(void** ptrs, u32 cnt) { - - u32 i; - - for (i = 0; i < cnt - 2; i++) { - - u32 j = i + UR(cnt - i); - void *s = ptrs[i]; - ptrs[i] = ptrs[j]; - ptrs[j] = s; - - } - -} - - -#ifdef HAVE_AFFINITY - -/* Build a list of processes bound to specific cores. Returns -1 if nothing - can be found. Assumes an upper bound of 4k CPUs. */ - -static void bind_to_free_cpu(void) { - - DIR* d; - struct dirent* de; - cpu_set_t c; - - u8 cpu_used[4096] = { 0 }; - u32 i; - - if (cpu_core_count < 2) return; - - if (getenv("AFL_NO_AFFINITY")) { - - WARNF("Not binding to a CPU core (AFL_NO_AFFINITY set)."); - return; - - } - - d = opendir("/proc"); - - if (!d) { - - WARNF("Unable to access /proc - can't scan for free CPU cores."); - return; - - } - - ACTF("Checking CPU core loadout..."); - - /* Introduce some jitter, in case multiple AFL tasks are doing the same - thing at the same time... */ - - usleep(R(1000) * 250); - - /* Scan all /proc//status entries, checking for Cpus_allowed_list. - Flag all processes bound to a specific CPU using cpu_used[]. This will - fail for some exotic binding setups, but is likely good enough in almost - all real-world use cases. */ - - while ((de = readdir(d))) { - - u8* fn; - FILE* f; - u8 tmp[MAX_LINE]; - u8 has_vmsize = 0; - - if (!isdigit(de->d_name[0])) continue; - - fn = alloc_printf("/proc/%s/status", de->d_name); - - if (!(f = fopen(fn, "r"))) { - ck_free(fn); - continue; - } - - while (fgets(tmp, MAX_LINE, f)) { - - u32 hval; - - /* Processes without VmSize are probably kernel tasks. */ - - if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; - - if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && - !strchr(tmp, '-') && !strchr(tmp, ',') && - sscanf(tmp + 19, "%u", &hval) == 1 && hval < sizeof(cpu_used) && - has_vmsize) { - - cpu_used[hval] = 1; - break; - - } - - } - - ck_free(fn); - fclose(f); - - } - - closedir(d); - if (cpu_to_bind_given) { - - if (cpu_to_bind >= cpu_core_count) - FATAL("The CPU core id to bind should be between 0 and %u", cpu_core_count - 1); - - if (cpu_used[cpu_to_bind]) - FATAL("The CPU core #%u to bind is not free!", cpu_to_bind); - - i = cpu_to_bind; - - } else { - - for (i = 0; i < cpu_core_count; i++) if (!cpu_used[i]) break; - - } - - if (i == cpu_core_count) { - - SAYF("\n" cLRD "[-] " cRST - "Uh-oh, looks like all %u CPU cores on your system are allocated to\n" - " other instances of afl-fuzz (or similar CPU-locked tasks). Starting\n" - " another fuzzer on this machine is probably a bad plan, but if you are\n" - " absolutely sure, you can set AFL_NO_AFFINITY and try again.\n", - cpu_core_count); - - FATAL("No more free CPU cores"); - - } - - OKF("Found a free CPU core, binding to #%u.", i); - - cpu_aff = i; - - CPU_ZERO(&c); - CPU_SET(i, &c); - - if (sched_setaffinity(0, sizeof(c), &c)) - PFATAL("sched_setaffinity failed"); - -} - -#endif /* HAVE_AFFINITY */ - -#ifndef IGNORE_FINDS - -/* Helper function to compare buffers; returns first and last differing offset. We - use this to find reasonable locations for splicing two files. */ - -static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { - - s32 f_loc = -1; - s32 l_loc = -1; - u32 pos; - - for (pos = 0; pos < len; pos++) { - - if (*(ptr1++) != *(ptr2++)) { - - if (f_loc == -1) f_loc = pos; - l_loc = pos; - - } - - } - - *first = f_loc; - *last = l_loc; - - return; - -} - -#endif /* !IGNORE_FINDS */ - - -/* Describe integer. Uses 12 cyclic static buffers for return values. The value - returned should be five characters or less for all the integers we reasonably - expect to see. */ - -static u8* DI(u64 val) { - - static u8 tmp[12][16]; - static u8 cur; - - cur = (cur + 1) % 12; - -#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) do { \ - if (val < (_divisor) * (_limit_mult)) { \ - sprintf(tmp[cur], _fmt, ((_cast)val) / (_divisor)); \ - return tmp[cur]; \ - } \ - } while (0) - - /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu", u64); - - /* 10.0k - 99.9k */ - CHK_FORMAT(1000, 99.95, "%0.01fk", double); - - /* 100k - 999k */ - CHK_FORMAT(1000, 1000, "%lluk", u64); - - /* 1.00M - 9.99M */ - CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); - - /* 10.0M - 99.9M */ - CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); - - /* 100M - 999M */ - CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); - - /* 1.00G - 9.99G */ - CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); - - /* 10.0G - 99.9G */ - CHK_FORMAT(1000LL * 1000 * 1000, 99.95, "%0.01fG", double); - - /* 100G - 999G */ - CHK_FORMAT(1000LL * 1000 * 1000, 1000, "%lluG", u64); - - /* 1.00T - 9.99G */ - CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 9.995, "%0.02fT", double); - - /* 10.0T - 99.9T */ - CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 99.95, "%0.01fT", double); - - /* 100T+ */ - strcpy(tmp[cur], "infty"); - return tmp[cur]; - -} - - -/* Describe float. Similar to the above, except with a single - static buffer. */ - -static u8* DF(double val) { - - static u8 tmp[16]; - - if (val < 99.995) { - sprintf(tmp, "%0.02f", val); - return tmp; - } - - if (val < 999.95) { - sprintf(tmp, "%0.01f", val); - return tmp; - } - - return DI((u64)val); - -} - - -/* Describe integer as memory size. */ - -static u8* DMS(u64 val) { - - static u8 tmp[12][16]; - static u8 cur; - - cur = (cur + 1) % 12; - - /* 0-9999 */ - CHK_FORMAT(1, 10000, "%llu B", u64); - - /* 10.0k - 99.9k */ - CHK_FORMAT(1024, 99.95, "%0.01f kB", double); - - /* 100k - 999k */ - CHK_FORMAT(1024, 1000, "%llu kB", u64); - - /* 1.00M - 9.99M */ - CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); - - /* 10.0M - 99.9M */ - CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); - - /* 100M - 999M */ - CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); - - /* 1.00G - 9.99G */ - CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); - - /* 10.0G - 99.9G */ - CHK_FORMAT(1024LL * 1024 * 1024, 99.95, "%0.01f GB", double); - - /* 100G - 999G */ - CHK_FORMAT(1024LL * 1024 * 1024, 1000, "%llu GB", u64); - - /* 1.00T - 9.99G */ - CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 9.995, "%0.02f TB", double); - - /* 10.0T - 99.9T */ - CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 99.95, "%0.01f TB", double); - -#undef CHK_FORMAT - - /* 100T+ */ - strcpy(tmp[cur], "infty"); - return tmp[cur]; - -} - - -/* Describe time delta. Returns one static buffer, 34 chars of less. */ - -static u8* DTD(u64 cur_ms, u64 event_ms) { - - static u8 tmp[64]; - u64 delta; - s32 t_d, t_h, t_m, t_s; - - if (!event_ms) return "none seen yet"; - - delta = cur_ms - event_ms; - - t_d = delta / 1000 / 60 / 60 / 24; - t_h = (delta / 1000 / 60 / 60) % 24; - t_m = (delta / 1000 / 60) % 60; - t_s = (delta / 1000) % 60; - - sprintf(tmp, "%s days, %u hrs, %u min, %u sec", DI(t_d), t_h, t_m, t_s); - return tmp; - -} - - -/* Mark deterministic checks as done for a particular queue entry. We use the - .state file to avoid repeating deterministic fuzzing when resuming aborted - scans. */ - -static void mark_as_det_done(struct queue_entry* q) { - - u8* fn = strrchr(q->fname, '/'); - s32 fd; - - fn = alloc_printf("%s/queue/.state/deterministic_done/%s", out_dir, fn + 1); - - fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); - close(fd); - - ck_free(fn); - - q->passed_det = 1; - -} - - -/* Mark as variable. Create symlinks if possible to make it easier to examine - the files. */ - -static void mark_as_variable(struct queue_entry* q) { - - u8 *fn = strrchr(q->fname, '/') + 1, *ldest; - - ldest = alloc_printf("../../%s", fn); - fn = alloc_printf("%s/queue/.state/variable_behavior/%s", out_dir, fn); - - if (symlink(ldest, fn)) { - - s32 fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); - close(fd); - - } - - ck_free(ldest); - ck_free(fn); - - q->var_behavior = 1; - -} - - -/* Mark / unmark as redundant (edge-only). This is not used for restoring state, - but may be useful for post-processing datasets. */ - -static void mark_as_redundant(struct queue_entry* q, u8 state) { - - u8* fn; - s32 fd; - - if (state == q->fs_redundant) return; - - q->fs_redundant = state; - - fn = strrchr(q->fname, '/'); - fn = alloc_printf("%s/queue/.state/redundant_edges/%s", out_dir, fn + 1); - - if (state) { - - fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); - close(fd); - - } else { - - if (unlink(fn)) PFATAL("Unable to remove '%s'", fn); - - } - - ck_free(fn); - -} - - -/* Append new test case to the queue. */ - -static void add_to_queue(u8* fname, u32 len, u8 passed_det) { - - struct queue_entry* q = ck_alloc(sizeof(struct queue_entry)); - - q->fname = fname; - q->len = len; - q->depth = cur_depth + 1; - q->passed_det = passed_det; - - if (q->depth > max_depth) max_depth = q->depth; - - if (queue_top) { - - queue_top->next = q; - queue_top = q; - - } else q_prev100 = queue = queue_top = q; - - queued_paths++; - pending_not_fuzzed++; - - cycles_wo_finds = 0; - - /* Set next_100 pointer for every 100th element (index 0, 100, etc) to allow faster iteration. */ - if ((queued_paths - 1) % 100 == 0 && queued_paths > 1) { - - q_prev100->next_100 = q; - q_prev100 = q; - - } - - last_path_time = get_cur_time(); - -} - - -/* Destroy the entire queue. */ - -EXP_ST void destroy_queue(void) { - - struct queue_entry *q = queue, *n; - - while (q) { - - n = q->next; - ck_free(q->fname); - ck_free(q->trace_mini); - ck_free(q); - q = n; - - } - -} - - -/* Write bitmap to file. The bitmap is useful mostly for the secret - -B option, to focus a separate fuzzing session on a particular - interesting input without rediscovering all the others. */ - -EXP_ST void write_bitmap(void) { - - u8* fname; - s32 fd; - - if (!bitmap_changed) return; - bitmap_changed = 0; - - fname = alloc_printf("%s/fuzz_bitmap", out_dir); - fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, 0600); - - if (fd < 0) PFATAL("Unable to open '%s'", fname); - - ck_write(fd, virgin_bits, MAP_SIZE, fname); - - close(fd); - ck_free(fname); - -} - - -/* Read bitmap from file. This is for the -B option again. */ - -EXP_ST void read_bitmap(u8* fname) { - - s32 fd = open(fname, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", fname); - - ck_read(fd, virgin_bits, MAP_SIZE, fname); - - close(fd); - -} - - -/* Check if the current execution path brings anything new to the table. - Update virgin bits to reflect the finds. Returns 1 if the only change is - the hit-count for a particular tuple; 2 if there are new tuples seen. - Updates the map, so subsequent calls will always return 0. - - This function is called after every exec() on a fairly large buffer, so - it needs to be fast. We do this in 32-bit and 64-bit flavors. */ - -static inline u8 has_new_bits(u8* virgin_map) { - -#ifdef WORD_SIZE_64 - - u64* current = (u64*)trace_bits; - u64* virgin = (u64*)virgin_map; - - u32 i = (MAP_SIZE >> 3); - -#else - - u32* current = (u32*)trace_bits; - u32* virgin = (u32*)virgin_map; - - u32 i = (MAP_SIZE >> 2); - -#endif /* ^WORD_SIZE_64 */ - - u8 ret = 0; - - while (i--) { - - /* Optimize for (*current & *virgin) == 0 - i.e., no bits in current bitmap - that have not been already cleared from the virgin map - since this will - almost always be the case. */ - - if (unlikely(*current) && unlikely(*current & *virgin)) { - - if (likely(ret < 2)) { - - u8* cur = (u8*)current; - u8* vir = (u8*)virgin; - - /* Looks like we have not found any new bytes yet; see if any non-zero - bytes in current[] are pristine in virgin[]. */ - -#ifdef WORD_SIZE_64 - - if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || - (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff) || - (cur[4] && vir[4] == 0xff) || (cur[5] && vir[5] == 0xff) || - (cur[6] && vir[6] == 0xff) || (cur[7] && vir[7] == 0xff)) ret = 2; - else ret = 1; - -#else - - if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || - (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) ret = 2; - else ret = 1; - -#endif /* ^WORD_SIZE_64 */ - - } - - *virgin &= ~*current; - - } - - current++; - virgin++; - - } - - if (ret && virgin_map == virgin_bits) bitmap_changed = 1; - - return ret; - -} - - -/* Count the number of bits set in the provided bitmap. Used for the status - screen several times every second, does not have to be fast. */ - -static u32 count_bits(u8* mem) { - - u32* ptr = (u32*)mem; - u32 i = (MAP_SIZE >> 2); - u32 ret = 0; - - while (i--) { - - u32 v = *(ptr++); - - /* This gets called on the inverse, virgin bitmap; optimize for sparse - data. */ - - if (v == 0xffffffff) { - ret += 32; - continue; - } - - v -= ((v >> 1) & 0x55555555); - v = (v & 0x33333333) + ((v >> 2) & 0x33333333); - ret += (((v + (v >> 4)) & 0xF0F0F0F) * 0x01010101) >> 24; - - } - - return ret; - -} - - -#define FF(_b) (0xff << ((_b) << 3)) - -/* Count the number of bytes set in the bitmap. Called fairly sporadically, - mostly to update the status screen or calibrate and examine confirmed - new paths. */ - -static u32 count_bytes(u8* mem) { - - u32* ptr = (u32*)mem; - u32 i = (MAP_SIZE >> 2); - u32 ret = 0; - - while (i--) { - - u32 v = *(ptr++); - - if (!v) continue; - if (v & FF(0)) ret++; - if (v & FF(1)) ret++; - if (v & FF(2)) ret++; - if (v & FF(3)) ret++; - - } - - return ret; - -} - - -/* Count the number of non-255 bytes set in the bitmap. Used strictly for the - status screen, several calls per second or so. */ - -static u32 count_non_255_bytes(u8* mem) { - - u32* ptr = (u32*)mem; - u32 i = (MAP_SIZE >> 2); - u32 ret = 0; - - while (i--) { - - u32 v = *(ptr++); - - /* This is called on the virgin bitmap, so optimize for the most likely - case. */ - - if (v == 0xffffffff) continue; - if ((v & FF(0)) != FF(0)) ret++; - if ((v & FF(1)) != FF(1)) ret++; - if ((v & FF(2)) != FF(2)) ret++; - if ((v & FF(3)) != FF(3)) ret++; - - } - - return ret; - -} - - -/* Destructively simplify trace by eliminating hit count information - and replacing it with 0x80 or 0x01 depending on whether the tuple - is hit or not. Called on every new crash or timeout, should be - reasonably fast. */ - -static const u8 simplify_lookup[256] = { - - [0] = 1, - [1 ... 255] = 128 - -}; - -#ifdef WORD_SIZE_64 - -static void simplify_trace(u64* mem) { - - u32 i = MAP_SIZE >> 3; - - while (i--) { - - /* Optimize for sparse bitmaps. */ - - if (unlikely(*mem)) { - - u8* mem8 = (u8*)mem; - - mem8[0] = simplify_lookup[mem8[0]]; - mem8[1] = simplify_lookup[mem8[1]]; - mem8[2] = simplify_lookup[mem8[2]]; - mem8[3] = simplify_lookup[mem8[3]]; - mem8[4] = simplify_lookup[mem8[4]]; - mem8[5] = simplify_lookup[mem8[5]]; - mem8[6] = simplify_lookup[mem8[6]]; - mem8[7] = simplify_lookup[mem8[7]]; - - } else *mem = 0x0101010101010101ULL; - - mem++; - - } - -} - -#else - -static void simplify_trace(u32* mem) { - - u32 i = MAP_SIZE >> 2; - - while (i--) { - - /* Optimize for sparse bitmaps. */ - - if (unlikely(*mem)) { - - u8* mem8 = (u8*)mem; - - mem8[0] = simplify_lookup[mem8[0]]; - mem8[1] = simplify_lookup[mem8[1]]; - mem8[2] = simplify_lookup[mem8[2]]; - mem8[3] = simplify_lookup[mem8[3]]; - - } else *mem = 0x01010101; - - mem++; - } - -} - -#endif /* ^WORD_SIZE_64 */ - - -/* Destructively classify execution counts in a trace. This is used as a - preprocessing step for any newly acquired traces. Called on every exec, - must be fast. */ - -static const u8 count_class_lookup8[256] = { - - [0] = 0, - [1] = 1, - [2] = 2, - [3] = 4, - [4 ... 7] = 8, - [8 ... 15] = 16, - [16 ... 31] = 32, - [32 ... 127] = 64, - [128 ... 255] = 128 - -}; - -static u16 count_class_lookup16[65536]; - - -EXP_ST void init_count_class16(void) { - - u32 b1, b2; - - for (b1 = 0; b1 < 256; b1++) - for (b2 = 0; b2 < 256; b2++) - count_class_lookup16[(b1 << 8) + b2] = - (count_class_lookup8[b1] << 8) | - count_class_lookup8[b2]; - -} - - -#ifdef WORD_SIZE_64 - -static inline void classify_counts(u64* mem) { - - u32 i = MAP_SIZE >> 3; - - while (i--) { - - /* Optimize for sparse bitmaps. */ - - if (unlikely(*mem)) { - - u16* mem16 = (u16*)mem; - - mem16[0] = count_class_lookup16[mem16[0]]; - mem16[1] = count_class_lookup16[mem16[1]]; - mem16[2] = count_class_lookup16[mem16[2]]; - mem16[3] = count_class_lookup16[mem16[3]]; - - } - - mem++; - - } - -} - -#else - -static inline void classify_counts(u32* mem) { - - u32 i = MAP_SIZE >> 2; - - while (i--) { - - /* Optimize for sparse bitmaps. */ - - if (unlikely(*mem)) { - - u16* mem16 = (u16*)mem; - - mem16[0] = count_class_lookup16[mem16[0]]; - mem16[1] = count_class_lookup16[mem16[1]]; - - } - - mem++; - - } - -} - -#endif /* ^WORD_SIZE_64 */ - - -/* Get rid of shared memory (atexit handler). */ - -static void remove_shm(void) { - - shmctl(shm_id, IPC_RMID, NULL); - -} - - -/* Compact trace bytes into a smaller bitmap. We effectively just drop the - count information here. This is called only sporadically, for some - new paths. */ - -static void minimize_bits(u8* dst, u8* src) { - - u32 i = 0; - - while (i < MAP_SIZE) { - - if (*(src++)) dst[i >> 3] |= 1 << (i & 7); - i++; - - } - -} - - -/* When we bump into a new path, we call this to see if the path appears - more "favorable" than any of the existing ones. The purpose of the - "favorables" is to have a minimal set of paths that trigger all the bits - seen in the bitmap so far, and focus on fuzzing them at the expense of - the rest. - - The first step of the process is to maintain a list of top_rated[] entries - for every byte in the bitmap. We win that slot if there is no previous - contender, or if the contender has a more favorable speed x size factor. */ - -static void update_bitmap_score(struct queue_entry* q) { - - u32 i; - u64 fav_factor = q->exec_us * q->len; - - /* For every byte set in trace_bits[], see if there is a previous winner, - and how it compares to us. */ - - for (i = 0; i < MAP_SIZE; i++) - - if (trace_bits[i]) { - - if (top_rated[i]) { - - /* Faster-executing or smaller test cases are favored. */ - - if (fav_factor > top_rated[i]->exec_us * top_rated[i]->len) continue; - - /* Looks like we're going to win. Decrease ref count for the - previous winner, discard its trace_bits[] if necessary. */ - - if (!--top_rated[i]->tc_ref) { - ck_free(top_rated[i]->trace_mini); - top_rated[i]->trace_mini = 0; - } - - } - - /* Insert ourselves as the new winner. */ - - top_rated[i] = q; - q->tc_ref++; - - if (!q->trace_mini) { - q->trace_mini = ck_alloc(MAP_SIZE >> 3); - minimize_bits(q->trace_mini, trace_bits); - } - - score_changed = 1; - - } - -} - - -/* The second part of the mechanism discussed above is a routine that - goes over top_rated[] entries, and then sequentially grabs winners for - previously-unseen bytes (temp_v) and marks them as favored, at least - until the next run. The favored entries are given more air time during - all fuzzing steps. */ - -static void cull_queue(void) { - - struct queue_entry* q; - static u8 temp_v[MAP_SIZE >> 3]; - u32 i; - - if (dumb_mode || !score_changed) return; - - score_changed = 0; - - memset(temp_v, 255, MAP_SIZE >> 3); - - queued_favored = 0; - pending_favored = 0; - - q = queue; - - while (q) { - q->favored = 0; - q = q->next; - } - - /* Let's see if anything in the bitmap isn't captured in temp_v. - If yes, and if it has a top_rated[] contender, let's use it. */ - - for (i = 0; i < MAP_SIZE; i++) - if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { - - u32 j = MAP_SIZE >> 3; - - /* Remove all bits belonging to the current entry from temp_v. */ - - while (j--) - if (top_rated[i]->trace_mini[j]) - temp_v[j] &= ~top_rated[i]->trace_mini[j]; - - top_rated[i]->favored = 1; - queued_favored++; - - if (!top_rated[i]->was_fuzzed) pending_favored++; - - } - - q = queue; - - while (q) { - mark_as_redundant(q, !q->favored); - q = q->next; - } - -} - - -/* Configure shared memory and virgin_bits. This is called at startup. */ - -EXP_ST void setup_shm(void) { - - u8* shm_str; - - if (!in_bitmap) memset(virgin_bits, 255, MAP_SIZE); - - memset(virgin_tmout, 255, MAP_SIZE); - memset(virgin_crash, 255, MAP_SIZE); - - shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); - - if (shm_id < 0) PFATAL("shmget() failed"); - - atexit(remove_shm); - - shm_str = alloc_printf("%d", shm_id); - - /* If somebody is asking us to fuzz instrumented binaries in dumb mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ - - if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); - - ck_free(shm_str); - - trace_bits = shmat(shm_id, NULL, 0); - - if (trace_bits == (void *)-1) PFATAL("shmat() failed"); - -} - - -/* Load postprocessor, if available. */ - -static void setup_post(void) { - - void* dh; - u8* fn = getenv("AFL_POST_LIBRARY"); - u32 tlen = 6; - - if (!fn) return; - - ACTF("Loading postprocessor from '%s'...", fn); - - dh = dlopen(fn, RTLD_NOW); - if (!dh) FATAL("%s", dlerror()); - - post_handler = dlsym(dh, "afl_postprocess"); - if (!post_handler) FATAL("Symbol 'afl_postprocess' not found."); - - /* Do a quick test. It's better to segfault now than later =) */ - - post_handler("hello", &tlen); - - OKF("Postprocessor installed successfully."); - -} - - -/* Read all testcases from the input directory, then queue them for testing. - Called at startup. */ - -static void read_testcases(void) { - - struct dirent **nl; - s32 nl_cnt; - u32 i; - u8* fn; - - /* Auto-detect non-in-place resumption attempts. */ - - fn = alloc_printf("%s/queue", in_dir); - if (!access(fn, F_OK)) in_dir = fn; else ck_free(fn); - - ACTF("Scanning '%s'...", in_dir); - - /* We use scandir() + alphasort() rather than readdir() because otherwise, - the ordering of test cases would vary somewhat randomly and would be - difficult to control. */ - - nl_cnt = scandir(in_dir, &nl, NULL, alphasort); - - if (nl_cnt < 0) { - - if (errno == ENOENT || errno == ENOTDIR) - - SAYF("\n" cLRD "[-] " cRST - "The input directory does not seem to be valid - try again. The fuzzer needs\n" - " one or more test case to start with - ideally, a small file under 1 kB\n" - " or so. The cases must be stored as regular files directly in the input\n" - " directory.\n"); - - PFATAL("Unable to open '%s'", in_dir); - - } - - if (shuffle_queue && nl_cnt > 1) { - - ACTF("Shuffling queue..."); - shuffle_ptrs((void**)nl, nl_cnt); - - } - - for (i = 0; i < nl_cnt; i++) { - - struct stat st; - - u8* fn = alloc_printf("%s/%s", in_dir, nl[i]->d_name); - u8* dfn = alloc_printf("%s/.state/deterministic_done/%s", in_dir, nl[i]->d_name); - - u8 passed_det = 0; - - free(nl[i]); /* not tracked */ - - if (lstat(fn, &st) || access(fn, R_OK)) - PFATAL("Unable to access '%s'", fn); - - /* This also takes care of . and .. */ - - if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn, "/README.testcases")) { - - ck_free(fn); - ck_free(dfn); - continue; - - } - - if (st.st_size > MAX_FILE) - FATAL("Test case '%s' is too big (%s, limit is %s)", fn, - DMS(st.st_size), DMS(MAX_FILE)); - - /* Check for metadata that indicates that deterministic fuzzing - is complete for this entry. We don't want to repeat deterministic - fuzzing when resuming aborted scans, because it would be pointless - and probably very time-consuming. */ - - if (!access(dfn, F_OK)) passed_det = 1; - ck_free(dfn); - - add_to_queue(fn, st.st_size, passed_det); - - } - - free(nl); /* not tracked */ - - if (!queued_paths) { - - SAYF("\n" cLRD "[-] " cRST - "Looks like there are no valid test cases in the input directory! The fuzzer\n" - " needs one or more test case to start with - ideally, a small file under\n" - " 1 kB or so. The cases must be stored as regular files directly in the\n" - " input directory.\n"); - - FATAL("No usable test cases in '%s'", in_dir); - - } - - last_path_time = 0; - queued_at_start = queued_paths; - -} - - -/* Helper function for load_extras. */ - -static int compare_extras_len(const void* p1, const void* p2) { - struct extra_data *e1 = (struct extra_data*)p1, - *e2 = (struct extra_data*)p2; - - return e1->len - e2->len; -} - -static int compare_extras_use_d(const void* p1, const void* p2) { - struct extra_data *e1 = (struct extra_data*)p1, - *e2 = (struct extra_data*)p2; - - return e2->hit_cnt - e1->hit_cnt; -} - - -/* Read extras from a file, sort by size. */ - -static void load_extras_file(u8* fname, u32* min_len, u32* max_len, - u32 dict_level) { - - FILE* f; - u8 buf[MAX_LINE]; - u8 *lptr; - u32 cur_line = 0; - - f = fopen(fname, "r"); - - if (!f) PFATAL("Unable to open '%s'", fname); - - while ((lptr = fgets(buf, MAX_LINE, f))) { - - u8 *rptr, *wptr; - u32 klen = 0; - - cur_line++; - - /* Trim on left and right. */ - - while (isspace(*lptr)) lptr++; - - rptr = lptr + strlen(lptr) - 1; - while (rptr >= lptr && isspace(*rptr)) rptr--; - rptr++; - *rptr = 0; - - /* Skip empty lines and comments. */ - - if (!*lptr || *lptr == '#') continue; - - /* All other lines must end with '"', which we can consume. */ - - rptr--; - - if (rptr < lptr || *rptr != '"') - FATAL("Malformed name=\"value\" pair in line %u.", cur_line); - - *rptr = 0; - - /* Skip alphanumerics and dashes (label). */ - - while (isalnum(*lptr) || *lptr == '_') lptr++; - - /* If @number follows, parse that. */ - - if (*lptr == '@') { - - lptr++; - if (atoi(lptr) > dict_level) continue; - while (isdigit(*lptr)) lptr++; - - } - - /* Skip whitespace and = signs. */ - - while (isspace(*lptr) || *lptr == '=') lptr++; - - /* Consume opening '"'. */ - - if (*lptr != '"') - FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line); - - lptr++; - - if (!*lptr) FATAL("Empty keyword in line %u.", cur_line); - - /* Okay, let's allocate memory and copy data between "...", handling - \xNN escaping, \\, and \". */ - - extras = ck_realloc_block(extras, (extras_cnt + 1) * - sizeof(struct extra_data)); - - wptr = extras[extras_cnt].data = ck_alloc(rptr - lptr); - - while (*lptr) { - - char* hexdigits = "0123456789abcdef"; - - switch (*lptr) { - - case 1 ... 31: - case 128 ... 255: - FATAL("Non-printable characters in line %u.", cur_line); - - case '\\': - - lptr++; - - if (*lptr == '\\' || *lptr == '"') { - *(wptr++) = *(lptr++); - klen++; - break; - } - - if (*lptr != 'x' || !isxdigit(lptr[1]) || !isxdigit(lptr[2])) - FATAL("Invalid escaping (not \\xNN) in line %u.", cur_line); - - *(wptr++) = - ((strchr(hexdigits, tolower(lptr[1])) - hexdigits) << 4) | - (strchr(hexdigits, tolower(lptr[2])) - hexdigits); - - lptr += 3; - klen++; - - break; - - default: - - *(wptr++) = *(lptr++); - klen++; - - } - - } - - extras[extras_cnt].len = klen; - - if (extras[extras_cnt].len > MAX_DICT_FILE) - FATAL("Keyword too big in line %u (%s, limit is %s)", cur_line, - DMS(klen), DMS(MAX_DICT_FILE)); - - if (*min_len > klen) *min_len = klen; - if (*max_len < klen) *max_len = klen; - - extras_cnt++; - - } - - fclose(f); - -} - - -/* Read extras from the extras directory and sort them by size. */ - -static void load_extras(u8* dir) { - - DIR* d; - struct dirent* de; - u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; - u8* x; - - /* If the name ends with @, extract level and continue. */ - - if ((x = strchr(dir, '@'))) { - - *x = 0; - dict_level = atoi(x + 1); - - } - - ACTF("Loading extra dictionary from '%s' (level %u)...", dir, dict_level); - - d = opendir(dir); - - if (!d) { - - if (errno == ENOTDIR) { - load_extras_file(dir, &min_len, &max_len, dict_level); - goto check_and_sort; - } - - PFATAL("Unable to open '%s'", dir); - - } - - if (x) FATAL("Dictionary levels not supported for directories."); - - while ((de = readdir(d))) { - - struct stat st; - u8* fn = alloc_printf("%s/%s", dir, de->d_name); - s32 fd; - - if (lstat(fn, &st) || access(fn, R_OK)) - PFATAL("Unable to access '%s'", fn); - - /* This also takes care of . and .. */ - if (!S_ISREG(st.st_mode) || !st.st_size) { - - ck_free(fn); - continue; - - } - - if (st.st_size > MAX_DICT_FILE) - FATAL("Extra '%s' is too big (%s, limit is %s)", fn, - DMS(st.st_size), DMS(MAX_DICT_FILE)); - - if (min_len > st.st_size) min_len = st.st_size; - if (max_len < st.st_size) max_len = st.st_size; - - extras = ck_realloc_block(extras, (extras_cnt + 1) * - sizeof(struct extra_data)); - - extras[extras_cnt].data = ck_alloc(st.st_size); - extras[extras_cnt].len = st.st_size; - - fd = open(fn, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", fn); - - ck_read(fd, extras[extras_cnt].data, st.st_size, fn); - - close(fd); - ck_free(fn); - - extras_cnt++; - - } - - closedir(d); - -check_and_sort: - - if (!extras_cnt) FATAL("No usable files in '%s'", dir); - - qsort(extras, extras_cnt, sizeof(struct extra_data), compare_extras_len); - - OKF("Loaded %u extra tokens, size range %s to %s.", extras_cnt, - DMS(min_len), DMS(max_len)); - - if (max_len > 32) - WARNF("Some tokens are relatively large (%s) - consider trimming.", - DMS(max_len)); - - if (extras_cnt > MAX_DET_EXTRAS) - WARNF("More than %u tokens - will use them probabilistically.", - MAX_DET_EXTRAS); - -} - - - - -/* Helper function for maybe_add_auto() */ - -static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { - - while (len--) if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1; - return 0; - -} - - -/* Maybe add automatic extra. */ - -static void maybe_add_auto(u8* mem, u32 len) { - - u32 i; - - /* Allow users to specify that they don't want auto dictionaries. */ - - if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return; - - /* Skip runs of identical bytes. */ - - for (i = 1; i < len; i++) - if (mem[0] ^ mem[i]) break; - - if (i == len) return; - - /* Reject builtin interesting values. */ - - if (len == 2) { - - i = sizeof(interesting_16) >> 1; - - while (i--) - if (*((u16*)mem) == interesting_16[i] || - *((u16*)mem) == SWAP16(interesting_16[i])) return; - - } - - if (len == 4) { - - i = sizeof(interesting_32) >> 2; - - while (i--) - if (*((u32*)mem) == interesting_32[i] || - *((u32*)mem) == SWAP32(interesting_32[i])) return; - - } - - /* Reject anything that matches existing extras. Do a case-insensitive - match. We optimize by exploiting the fact that extras[] are sorted - by size. */ - - for (i = 0; i < extras_cnt; i++) - if (extras[i].len >= len) break; - - for (; i < extras_cnt && extras[i].len == len; i++) - if (!memcmp_nocase(extras[i].data, mem, len)) return; - - /* Last but not least, check a_extras[] for matches. There are no - guarantees of a particular sort order. */ - - auto_changed = 1; - - for (i = 0; i < a_extras_cnt; i++) { - - if (a_extras[i].len == len && !memcmp_nocase(a_extras[i].data, mem, len)) { - - a_extras[i].hit_cnt++; - goto sort_a_extras; - - } - - } - - /* At this point, looks like we're dealing with a new entry. So, let's - append it if we have room. Otherwise, let's randomly evict some other - entry from the bottom half of the list. */ - - if (a_extras_cnt < MAX_AUTO_EXTRAS) { - - a_extras = ck_realloc_block(a_extras, (a_extras_cnt + 1) * - sizeof(struct extra_data)); - - a_extras[a_extras_cnt].data = ck_memdup(mem, len); - a_extras[a_extras_cnt].len = len; - a_extras_cnt++; - - } else { - - i = MAX_AUTO_EXTRAS / 2 + - UR((MAX_AUTO_EXTRAS + 1) / 2); - - ck_free(a_extras[i].data); - - a_extras[i].data = ck_memdup(mem, len); - a_extras[i].len = len; - a_extras[i].hit_cnt = 0; - - } - -sort_a_extras: - - /* First, sort all auto extras by use count, descending order. */ - - qsort(a_extras, a_extras_cnt, sizeof(struct extra_data), - compare_extras_use_d); - - /* Then, sort the top USE_AUTO_EXTRAS entries by size. */ - - qsort(a_extras, MIN(USE_AUTO_EXTRAS, a_extras_cnt), - sizeof(struct extra_data), compare_extras_len); - -} - - -/* Save automatically generated extras. */ - -static void save_auto(void) { - - u32 i; - - if (!auto_changed) return; - auto_changed = 0; - - for (i = 0; i < MIN(USE_AUTO_EXTRAS, a_extras_cnt); i++) { - - u8* fn = alloc_printf("%s/queue/.state/auto_extras/auto_%06u", out_dir, i); - s32 fd; - - fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); - - if (fd < 0) PFATAL("Unable to create '%s'", fn); - - ck_write(fd, a_extras[i].data, a_extras[i].len, fn); - - close(fd); - ck_free(fn); - - } - -} - - -/* Load automatically generated extras. */ - -static void load_auto(void) { - - u32 i; - - for (i = 0; i < USE_AUTO_EXTRAS; i++) { - - u8 tmp[MAX_AUTO_EXTRA + 1]; - u8* fn = alloc_printf("%s/.state/auto_extras/auto_%06u", in_dir, i); - s32 fd, len; - - fd = open(fn, O_RDONLY, 0600); - - if (fd < 0) { - - if (errno != ENOENT) PFATAL("Unable to open '%s'", fn); - ck_free(fn); - break; - - } - - /* We read one byte more to cheaply detect tokens that are too - long (and skip them). */ - - len = read(fd, tmp, MAX_AUTO_EXTRA + 1); - - if (len < 0) PFATAL("Unable to read from '%s'", fn); - - if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA) - maybe_add_auto(tmp, len); - - close(fd); - ck_free(fn); - - } - - if (i) OKF("Loaded %u auto-discovered dictionary tokens.", i); - else OKF("No auto-generated dictionary tokens to reuse."); - -} - - -/* Destroy extras. */ - -static void destroy_extras(void) { - - u32 i; - - for (i = 0; i < extras_cnt; i++) - ck_free(extras[i].data); - - ck_free(extras); - - for (i = 0; i < a_extras_cnt; i++) - ck_free(a_extras[i].data); - - ck_free(a_extras); - -} - - -/* Spin up fork server (instrumented mode only). The idea is explained here: - - http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html - - In essence, the instrumentation allows us to skip execve(), and just keep - cloning a stopped child. So, we just execute once, and then send commands - through a pipe. The other part of this logic is in afl-as.h. */ - -EXP_ST void init_forkserver(char** argv) { - - static struct itimerval it; - int st_pipe[2], ctl_pipe[2]; - int status; - s32 rlen; - - ACTF("Spinning up the fork server..."); - - if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); - - forksrv_pid = fork(); - - if (forksrv_pid < 0) PFATAL("fork() failed"); - - if (!forksrv_pid) { - - struct rlimit r; - - /* Umpf. On OpenBSD, the default fd limit for root users is set to - soft 128. Let's try to fix that... */ - - if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { - - r.rlim_cur = FORKSRV_FD + 2; - setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ - - } - - if (mem_limit) { - - r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; - -#ifdef RLIMIT_AS - - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ - -#else - - /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but - according to reliable sources, RLIMIT_DATA covers anonymous - maps - so we should be getting good protection against OOM bugs. */ - - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ - -#endif /* ^RLIMIT_AS */ - - - } - - /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered - before the dump is complete. */ - - r.rlim_max = r.rlim_cur = 0; - - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - - /* Isolate the process and configure standard descriptors. If out_file is - specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ - - setsid(); - - dup2(dev_null_fd, 1); - dup2(dev_null_fd, 2); - - if (out_file) { - - dup2(dev_null_fd, 0); - - } else { - - dup2(out_fd, 0); - close(out_fd); - - } - - /* Set up control and status pipes, close the unneeded original fds. */ - - if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); - if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); - - close(ctl_pipe[0]); - close(ctl_pipe[1]); - close(st_pipe[0]); - close(st_pipe[1]); - - close(out_dir_fd); - close(dev_null_fd); - close(dev_urandom_fd); - close(fileno(plot_file)); - - /* This should improve performance a bit, since it stops the linker from - doing extra work post-fork(). */ - - if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); - - /* Set sane defaults for ASAN if nothing else specified. */ - - setenv("ASAN_OPTIONS", "abort_on_error=1:" - "detect_leaks=0:" - "symbolize=0:" - "allocator_may_return_null=1", 0); - - /* MSAN is tricky, because it doesn't support abort_on_error=1 at this - point. So, we do this in a very hacky way. */ - - setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" - "abort_on_error=1:" - "allocator_may_return_null=1:" - "msan_track_origins=0", 0); - - execv(target_path, argv); - - /* Use a distinctive bitmap signature to tell the parent about execv() - falling through. */ - - *(u32*)trace_bits = EXEC_FAIL_SIG; - exit(0); - - } - - /* Close the unneeded endpoints. */ - - close(ctl_pipe[0]); - close(st_pipe[1]); - - fsrv_ctl_fd = ctl_pipe[1]; - fsrv_st_fd = st_pipe[0]; - - /* Wait for the fork server to come up, but don't wait too long. */ - - it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000); - it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; - - setitimer(ITIMER_REAL, &it, NULL); - - rlen = read(fsrv_st_fd, &status, 4); - - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - - setitimer(ITIMER_REAL, &it, NULL); - - /* If we have a four-byte "hello" message from the server, we're all set. - Otherwise, try to figure out what went wrong. */ - - if (rlen == 4) { - OKF("All right - fork server is up."); - return; - } - - if (child_timed_out) - FATAL("Timeout while initializing fork server (adjusting -t may help)"); - - if (waitpid(forksrv_pid, &status, 0) <= 0) - PFATAL("waitpid() failed"); - - if (WIFSIGNALED(status)) { - - if (mem_limit && mem_limit < 500 && uses_asan) { - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, before receiving any input\n" - " from the fuzzer! Since it seems to be built with ASAN and you have a\n" - " restrictive memory limit configured, this is expected; please read\n" - " %s/notes_for_asan.txt for help.\n", doc_path); - - } else if (!mem_limit) { - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, before receiving any input\n" - " from the fuzzer! There are several probable explanations:\n\n" - - " - The binary is just buggy and explodes entirely on its own. If so, you\n" - " need to fix the underlying problem or find a better replacement.\n\n" - -#ifdef __APPLE__ - - " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" - " break afl-fuzz performance optimizations when running platform-specific\n" - " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" - -#endif /* __APPLE__ */ - - " - Less likely, there is a horrible bug in the fuzzer. If other options\n" - " fail, poke for troubleshooting tips.\n"); - - } else { - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the target binary crashed suddenly, before receiving any input\n" - " from the fuzzer! There are several probable explanations:\n\n" - - " - The current memory limit (%s) is too restrictive, causing the\n" - " target to hit an OOM condition in the dynamic linker. Try bumping up\n" - " the limit with the -m setting in the command line. A simple way confirm\n" - " this diagnosis would be:\n\n" - -#ifdef RLIMIT_AS - " ( ulimit -Sv $[%llu << 10]; /path/to/fuzzed_app )\n\n" -#else - " ( ulimit -Sd $[%llu << 10]; /path/to/fuzzed_app )\n\n" -#endif /* ^RLIMIT_AS */ - - " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" - " estimate the required amount of virtual memory for the binary.\n\n" - - " - The binary is just buggy and explodes entirely on its own. If so, you\n" - " need to fix the underlying problem or find a better replacement.\n\n" - -#ifdef __APPLE__ - - " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" - " break afl-fuzz performance optimizations when running platform-specific\n" - " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" - -#endif /* __APPLE__ */ - - " - Less likely, there is a horrible bug in the fuzzer. If other options\n" - " fail, poke for troubleshooting tips.\n", - DMS(mem_limit << 20), mem_limit - 1); - - } - - FATAL("Fork server crashed with signal %d", WTERMSIG(status)); - - } - - if (*(u32*)trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute target application ('%s')", argv[0]); - - if (mem_limit && mem_limit < 500 && uses_asan) { - - SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated before we could complete a\n" - " handshake with the injected code. Since it seems to be built with ASAN and\n" - " you have a restrictive memory limit configured, this is expected; please\n" - " read %s/notes_for_asan.txt for help.\n", doc_path); - - } else if (!mem_limit) { - - SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated before we could complete a\n" - " handshake with the injected code. Perhaps there is a horrible bug in the\n" - " fuzzer. Poke for troubleshooting tips.\n"); - - } else { - - SAYF("\n" cLRD "[-] " cRST - "Hmm, looks like the target binary terminated before we could complete a\n" - " handshake with the injected code. There are %s probable explanations:\n\n" - - "%s" - " - The current memory limit (%s) is too restrictive, causing an OOM\n" - " fault in the dynamic linker. This can be fixed with the -m option. A\n" - " simple way to confirm the diagnosis may be:\n\n" - -#ifdef RLIMIT_AS - " ( ulimit -Sv $[%llu << 10]; /path/to/fuzzed_app )\n\n" -#else - " ( ulimit -Sd $[%llu << 10]; /path/to/fuzzed_app )\n\n" -#endif /* ^RLIMIT_AS */ - - " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" - " estimate the required amount of virtual memory for the binary.\n\n" - - " - Less likely, there is a horrible bug in the fuzzer. If other options\n" - " fail, poke for troubleshooting tips.\n", - getenv(DEFER_ENV_VAR) ? "three" : "two", - getenv(DEFER_ENV_VAR) ? - " - You are using deferred forkserver, but __AFL_INIT() is never\n" - " reached before the program terminates.\n\n" : "", - DMS(mem_limit << 20), mem_limit - 1); - - } - - FATAL("Fork server handshake failed"); - -} - - -/* Execute target application, monitoring for timeouts. Return status - information. The called program will update trace_bits[]. */ - -static u8 run_target(char** argv, u32 timeout) { - - static struct itimerval it; - static u32 prev_timed_out = 0; - static u64 exec_ms = 0; - - int status = 0; - u32 tb4; - - child_timed_out = 0; - - /* After this memset, trace_bits[] are effectively volatile, so we - must prevent any earlier operations from venturing into that - territory. */ - - memset(trace_bits, 0, MAP_SIZE); - MEM_BARRIER(); - - /* If we're running in "dumb" mode, we can't rely on the fork server - logic compiled into the target program, so we will just keep calling - execve(). There is a bit of code duplication between here and - init_forkserver(), but c'est la vie. */ - - if (dumb_mode == 1 || no_forkserver) { - - child_pid = fork(); - - if (child_pid < 0) PFATAL("fork() failed"); - - if (!child_pid) { - - struct rlimit r; - - if (mem_limit) { - - r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; - -#ifdef RLIMIT_AS - - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ - -#else - - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ - -#endif /* ^RLIMIT_AS */ - - } - - r.rlim_max = r.rlim_cur = 0; - - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - - /* Isolate the process and configure standard descriptors. If out_file is - specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ - - setsid(); - - dup2(dev_null_fd, 1); - dup2(dev_null_fd, 2); - - if (out_file) { - - dup2(dev_null_fd, 0); - - } else { - - dup2(out_fd, 0); - close(out_fd); - - } - - /* On Linux, would be faster to use O_CLOEXEC. Maybe TODO. */ - - close(dev_null_fd); - close(out_dir_fd); - close(dev_urandom_fd); - close(fileno(plot_file)); - - /* Set sane defaults for ASAN if nothing else specified. */ - - setenv("ASAN_OPTIONS", "abort_on_error=1:" - "detect_leaks=0:" - "symbolize=0:" - "allocator_may_return_null=1", 0); - - setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" - "msan_track_origins=0", 0); - - execv(target_path, argv); - - /* Use a distinctive bitmap value to tell the parent about execv() - falling through. */ - - *(u32*)trace_bits = EXEC_FAIL_SIG; - exit(0); - - } - - } else { - - s32 res; - - /* In non-dumb mode, we have the fork server up and running, so simply - tell it to have at it, and then read back PID. */ - - if ((res = write(fsrv_ctl_fd, &prev_timed_out, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if ((res = read(fsrv_st_fd, &child_pid, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to request new process from fork server (OOM?)"); - - } - - if (child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); - - } - - /* Configure timeout, as requested by user, then wait for child to terminate. */ - - it.it_value.tv_sec = (timeout / 1000); - it.it_value.tv_usec = (timeout % 1000) * 1000; - - setitimer(ITIMER_REAL, &it, NULL); - - /* The SIGALRM handler simply kills the child_pid and sets child_timed_out. */ - - if (dumb_mode == 1 || no_forkserver) { - - if (waitpid(child_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); - - } else { - - s32 res; - - if ((res = read(fsrv_st_fd, &status, 4)) != 4) { - - if (stop_soon) return 0; - RPFATAL(res, "Unable to communicate with fork server (OOM?)"); - - } - - } - - if (!WIFSTOPPED(status)) child_pid = 0; - - getitimer(ITIMER_REAL, &it); - exec_ms = (u64) timeout - (it.it_value.tv_sec * 1000 + - it.it_value.tv_usec / 1000); - - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - - setitimer(ITIMER_REAL, &it, NULL); - - total_execs++; - - /* Any subsequent operations on trace_bits must not be moved by the - compiler below this point. Past this location, trace_bits[] behave - very normally and do not have to be treated as volatile. */ - - MEM_BARRIER(); - - tb4 = *(u32*)trace_bits; - -#ifdef WORD_SIZE_64 - classify_counts((u64*)trace_bits); -#else - classify_counts((u32*)trace_bits); -#endif /* ^WORD_SIZE_64 */ - - prev_timed_out = child_timed_out; - - /* Report outcome to caller. */ - - if (WIFSIGNALED(status) && !stop_soon) { - - kill_signal = WTERMSIG(status); - - if (child_timed_out && kill_signal == SIGKILL) return FAULT_TMOUT; - - return FAULT_CRASH; - - } - - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ - - if (uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { - kill_signal = 0; - return FAULT_CRASH; - } - - if ((dumb_mode == 1 || no_forkserver) && tb4 == EXEC_FAIL_SIG) - return FAULT_ERROR; - - /* It makes sense to account for the slowest units only if the testcase was run - under the user defined timeout. */ - if (!(timeout > exec_tmout) && (slowest_exec_ms < exec_ms)) { - slowest_exec_ms = exec_ms; - } - - return FAULT_NONE; - -} - - -/* Write modified data to file for testing. If out_file is set, the old file - is unlinked and a new one is created. Otherwise, out_fd is rewound and - truncated. */ - -static void write_to_testcase(void* mem, u32 len) { - - s32 fd = out_fd; - - if (out_file) { - - unlink(out_file); /* Ignore errors. */ - - fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); - - if (fd < 0) PFATAL("Unable to create '%s'", out_file); - - } else lseek(fd, 0, SEEK_SET); - - ck_write(fd, mem, len, out_file); - - if (!out_file) { - - if (ftruncate(fd, len)) PFATAL("ftruncate() failed"); - lseek(fd, 0, SEEK_SET); - - } else close(fd); - -} - - -/* The same, but with an adjustable gap. Used for trimming. */ - -static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { - - s32 fd = out_fd; - u32 tail_len = len - skip_at - skip_len; - - if (out_file) { - - unlink(out_file); /* Ignore errors. */ - - fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); - - if (fd < 0) PFATAL("Unable to create '%s'", out_file); - - } else lseek(fd, 0, SEEK_SET); - - if (skip_at) ck_write(fd, mem, skip_at, out_file); - - if (tail_len) ck_write(fd, mem + skip_at + skip_len, tail_len, out_file); - - if (!out_file) { - - if (ftruncate(fd, len - skip_len)) PFATAL("ftruncate() failed"); - lseek(fd, 0, SEEK_SET); - - } else close(fd); - -} - - -static void show_stats(void); - -/* Calibrate a new test case. This is done when processing the input directory - to warn about flaky or otherwise problematic test cases early on; and when - new paths are discovered to detect variable behavior and so on. */ - -static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, - u32 handicap, u8 from_queue) { - - static u8 first_trace[MAP_SIZE]; - - u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0, - first_run = (q->exec_cksum == 0); - - u64 start_us, stop_us; - - s32 old_sc = stage_cur, old_sm = stage_max; - u32 use_tmout = exec_tmout; - u8* old_sn = stage_name; - - /* Be a bit more generous about timeouts when resuming sessions, or when - trying to calibrate already-added finds. This helps avoid trouble due - to intermittent latency. */ - - if (!from_queue || resuming_fuzz) - use_tmout = MAX(exec_tmout + CAL_TMOUT_ADD, - exec_tmout * CAL_TMOUT_PERC / 100); - - q->cal_failed++; - - stage_name = "calibration"; - stage_max = fast_cal ? 3 : CAL_CYCLES; - - /* Make sure the forkserver is up before we do anything, and let's not - count its spin-up time toward binary calibration. */ - - if (dumb_mode != 1 && !no_forkserver && !forksrv_pid) - init_forkserver(argv); - - if (q->exec_cksum) { - - memcpy(first_trace, trace_bits, MAP_SIZE); - hnb = has_new_bits(virgin_bits); - if (hnb > new_bits) new_bits = hnb; - - } - - start_us = get_cur_time_us(); - - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - - u32 cksum; - - if (!first_run && !(stage_cur % stats_update_freq)) show_stats(); - - write_to_testcase(use_mem, q->len); - - fault = run_target(argv, use_tmout); - - /* stop_soon is set by the handler for Ctrl+C. When it's pressed, - we want to bail out quickly. */ - - if (stop_soon || fault != crash_mode) goto abort_calibration; - - if (!dumb_mode && !stage_cur && !count_bytes(trace_bits)) { - fault = FAULT_NOINST; - goto abort_calibration; - } - - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - - if (q->exec_cksum != cksum) { - - hnb = has_new_bits(virgin_bits); - if (hnb > new_bits) new_bits = hnb; - - if (q->exec_cksum) { - - u32 i; - - for (i = 0; i < MAP_SIZE; i++) { - - if (!var_bytes[i] && first_trace[i] != trace_bits[i]) { - - var_bytes[i] = 1; - stage_max = CAL_CYCLES_LONG; - - } - - } - - var_detected = 1; - - } else { - - q->exec_cksum = cksum; - memcpy(first_trace, trace_bits, MAP_SIZE); - - } - - } - - } - - stop_us = get_cur_time_us(); - - total_cal_us += stop_us - start_us; - total_cal_cycles += stage_max; - - /* OK, let's collect some stats about the performance of this test case. - This is used for fuzzing air time calculations in calculate_score(). */ - - q->exec_us = (stop_us - start_us) / stage_max; - q->bitmap_size = count_bytes(trace_bits); - q->handicap = handicap; - q->cal_failed = 0; - - total_bitmap_size += q->bitmap_size; - total_bitmap_entries++; - - update_bitmap_score(q); - - /* If this case didn't result in new output from the instrumentation, tell - parent. This is a non-critical problem, but something to warn the user - about. */ - - if (!dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; - -abort_calibration: - - if (new_bits == 2 && !q->has_new_cov) { - q->has_new_cov = 1; - queued_with_cov++; - } - - /* Mark variable paths. */ - - if (var_detected) { - - var_byte_count = count_bytes(var_bytes); - - if (!q->var_behavior) { - mark_as_variable(q); - queued_variable++; - } - - } - - stage_name = old_sn; - stage_cur = old_sc; - stage_max = old_sm; - - if (!first_run) show_stats(); - - return fault; - -} - - -/* Examine map coverage. Called once, for first test case. */ - -static void check_map_coverage(void) { - - u32 i; - - if (count_bytes(trace_bits) < 100) return; - - for (i = (1 << (MAP_SIZE_POW2 - 1)); i < MAP_SIZE; i++) - if (trace_bits[i]) return; - - WARNF("Recompile binary with newer version of afl to improve coverage!"); - -} - - -/* Perform dry run of all test cases to confirm that the app is working as - expected. This is done only for the initial inputs, and only once. */ - -static void perform_dry_run(char** argv) { - - struct queue_entry* q = queue; - u32 cal_failures = 0; - u8* skip_crashes = getenv("AFL_SKIP_CRASHES"); - - while (q) { - - u8* use_mem; - u8 res; - s32 fd; - - u8* fn = strrchr(q->fname, '/') + 1; - - ACTF("Attempting dry run with '%s'...", fn); - - fd = open(q->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", q->fname); - - use_mem = ck_alloc_nozero(q->len); - - if (read(fd, use_mem, q->len) != q->len) - FATAL("Short read from '%s'", q->fname); - - close(fd); - - res = calibrate_case(argv, q, use_mem, 0, 1); - ck_free(use_mem); - - if (stop_soon) return; - - if (res == crash_mode || res == FAULT_NOBITS) - SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, - q->len, q->bitmap_size, q->exec_us); - - switch (res) { - - case FAULT_NONE: - - if (q == queue) check_map_coverage(); - - if (crash_mode) FATAL("Test case '%s' does *NOT* crash", fn); - - break; - - case FAULT_TMOUT: - - if (timeout_given) { - - /* The -t nn+ syntax in the command line sets timeout_given to '2' and - instructs afl-fuzz to tolerate but skip queue entries that time - out. */ - - if (timeout_given > 1) { - WARNF("Test case results in a timeout (skipping)"); - q->cal_failed = CAL_CHANCES; - cal_failures++; - break; - } - - SAYF("\n" cLRD "[-] " cRST - "The program took more than %u ms to process one of the initial test cases.\n" - " Usually, the right thing to do is to relax the -t option - or to delete it\n" - " altogether and allow the fuzzer to auto-calibrate. That said, if you know\n" - " what you are doing and want to simply skip the unruly test cases, append\n" - " '+' at the end of the value passed to -t ('-t %u+').\n", exec_tmout, - exec_tmout); - - FATAL("Test case '%s' results in a timeout", fn); - - } else { - - SAYF("\n" cLRD "[-] " cRST - "The program took more than %u ms to process one of the initial test cases.\n" - " This is bad news; raising the limit with the -t option is possible, but\n" - " will probably make the fuzzing process extremely slow.\n\n" - - " If this test case is just a fluke, the other option is to just avoid it\n" - " altogether, and find one that is less of a CPU hog.\n", exec_tmout); - - FATAL("Test case '%s' results in a timeout", fn); - - } - - case FAULT_CRASH: - - if (crash_mode) break; - - if (skip_crashes) { - WARNF("Test case results in a crash (skipping)"); - q->cal_failed = CAL_CHANCES; - cal_failures++; - break; - } - - if (mem_limit) { - - SAYF("\n" cLRD "[-] " cRST - "Oops, the program crashed with one of the test cases provided. There are\n" - " several possible explanations:\n\n" - - " - The test case causes known crashes under normal working conditions. If\n" - " so, please remove it. The fuzzer should be seeded with interesting\n" - " inputs - but not ones that cause an outright crash.\n\n" - - " - The current memory limit (%s) is too low for this program, causing\n" - " it to die due to OOM when parsing valid files. To fix this, try\n" - " bumping it up with the -m setting in the command line. If in doubt,\n" - " try something along the lines of:\n\n" - -#ifdef RLIMIT_AS - " ( ulimit -Sv $[%llu << 10]; /path/to/binary [...] for troubleshooting tips.\n", - DMS(mem_limit << 20), mem_limit - 1, doc_path); - - } else { - - SAYF("\n" cLRD "[-] " cRST - "Oops, the program crashed with one of the test cases provided. There are\n" - " several possible explanations:\n\n" - - " - The test case causes known crashes under normal working conditions. If\n" - " so, please remove it. The fuzzer should be seeded with interesting\n" - " inputs - but not ones that cause an outright crash.\n\n" - -#ifdef __APPLE__ - - " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" - " break afl-fuzz performance optimizations when running platform-specific\n" - " binaries. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" - -#endif /* __APPLE__ */ - - " - Least likely, there is a horrible bug in the fuzzer. If other options\n" - " fail, poke for troubleshooting tips.\n"); - - } - - FATAL("Test case '%s' results in a crash", fn); - - case FAULT_ERROR: - - FATAL("Unable to execute target application ('%s')", argv[0]); - - case FAULT_NOINST: - - FATAL("No instrumentation detected"); - - case FAULT_NOBITS: - - useless_at_start++; - - if (!in_bitmap && !shuffle_queue) - WARNF("No new instrumentation output, test case may be useless."); - - break; - - } - - if (q->var_behavior) WARNF("Instrumentation output varies across runs."); - - q = q->next; - - } - - if (cal_failures) { - - if (cal_failures == queued_paths) - FATAL("All test cases time out%s, giving up!", - skip_crashes ? " or crash" : ""); - - WARNF("Skipped %u test cases (%0.02f%%) due to timeouts%s.", cal_failures, - ((double)cal_failures) * 100 / queued_paths, - skip_crashes ? " or crashes" : ""); - - if (cal_failures * 5 > queued_paths) - WARNF(cLRD "High percentage of rejected test cases, check settings!"); - - } - - OKF("All test cases processed."); - -} - - -/* Helper function: link() if possible, copy otherwise. */ - -static void link_or_copy(u8* old_path, u8* new_path) { - - s32 i = link(old_path, new_path); - s32 sfd, dfd; - u8* tmp; - - if (!i) return; - - sfd = open(old_path, O_RDONLY); - if (sfd < 0) PFATAL("Unable to open '%s'", old_path); - - dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (dfd < 0) PFATAL("Unable to create '%s'", new_path); - - tmp = ck_alloc(64 * 1024); - - while ((i = read(sfd, tmp, 64 * 1024)) > 0) - ck_write(dfd, tmp, i, new_path); - - if (i < 0) PFATAL("read() failed"); - - ck_free(tmp); - close(sfd); - close(dfd); - -} - - -static void nuke_resume_dir(void); - -/* Create hard links for input test cases in the output directory, choosing - good names and pivoting accordingly. */ - -static void pivot_inputs(void) { - - struct queue_entry* q = queue; - u32 id = 0; - - ACTF("Creating hard links for all input files..."); - - while (q) { - - u8 *nfn, *rsl = strrchr(q->fname, '/'); - u32 orig_id; - - if (!rsl) rsl = q->fname; else rsl++; - - /* If the original file name conforms to the syntax and the recorded - ID matches the one we'd assign, just use the original file name. - This is valuable for resuming fuzzing runs. */ - -#ifndef SIMPLE_FILES -# define CASE_PREFIX "id:" -#else -# define CASE_PREFIX "id_" -#endif /* ^!SIMPLE_FILES */ - - if (!strncmp(rsl, CASE_PREFIX, 3) && - sscanf(rsl + 3, "%06u", &orig_id) == 1 && orig_id == id) { - - u8* src_str; - u32 src_id; - - resuming_fuzz = 1; - nfn = alloc_printf("%s/queue/%s", out_dir, rsl); - - /* Since we're at it, let's also try to find parent and figure out the - appropriate depth for this entry. */ - - src_str = strchr(rsl + 3, ':'); - - if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { - - struct queue_entry* s = queue; - while (src_id-- && s) s = s->next; - if (s) q->depth = s->depth + 1; - - if (max_depth < q->depth) max_depth = q->depth; - - } - - } else { - - /* No dice - invent a new name, capturing the original one as a - substring. */ - -#ifndef SIMPLE_FILES - - u8* use_name = strstr(rsl, ",orig:"); - - if (use_name) use_name += 6; else use_name = rsl; - nfn = alloc_printf("%s/queue/id:%06u,orig:%s", out_dir, id, use_name); - -#else - - nfn = alloc_printf("%s/queue/id_%06u", out_dir, id); - -#endif /* ^!SIMPLE_FILES */ - - } - - /* Pivot to the new queue entry. */ - - link_or_copy(q->fname, nfn); - ck_free(q->fname); - q->fname = nfn; - - /* Make sure that the passed_det value carries over, too. */ - - if (q->passed_det) mark_as_det_done(q); - - q = q->next; - id++; - - } - - if (in_place_resume) nuke_resume_dir(); - -} - - -#ifndef SIMPLE_FILES - -/* Construct a file name for a new test case, capturing the operation - that led to its discovery. Uses a static buffer. */ - -static u8* describe_op(u8 hnb) { - - static u8 ret[256]; - - if (syncing_party) { - - sprintf(ret, "sync:%s,src:%06u", syncing_party, syncing_case); - - } else { - - sprintf(ret, "src:%06u", current_entry); - - if (splicing_with >= 0) - sprintf(ret + strlen(ret), "+%06u", splicing_with); - - sprintf(ret + strlen(ret), ",op:%s", stage_short); - - if (stage_cur_byte >= 0) { - - sprintf(ret + strlen(ret), ",pos:%u", stage_cur_byte); - - if (stage_val_type != STAGE_VAL_NONE) - sprintf(ret + strlen(ret), ",val:%s%+d", - (stage_val_type == STAGE_VAL_BE) ? "be:" : "", - stage_cur_val); - - } else sprintf(ret + strlen(ret), ",rep:%u", stage_cur_val); - - } - - if (hnb == 2) strcat(ret, ",+cov"); - - return ret; - -} - -#endif /* !SIMPLE_FILES */ - - -/* Write a message accompanying the crash directory :-) */ - -static void write_crash_readme(void) { - - u8* fn = alloc_printf("%s/crashes/README.txt", out_dir); - s32 fd; - FILE* f; - - fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - ck_free(fn); - - /* Do not die on errors here - that would be impolite. */ - - if (fd < 0) return; - - f = fdopen(fd, "w"); - - if (!f) { - close(fd); - return; - } - - fprintf(f, "Command line used to find this crash:\n\n" - - "%s\n\n" - - "If you can't reproduce a bug outside of afl-fuzz, be sure to set the same\n" - "memory limit. The limit used for this fuzzing session was %s.\n\n" - - "Need a tool to minimize test cases before investigating the crashes or sending\n" - "them to a vendor? Check out the afl-tmin that comes with the fuzzer!\n\n" - - "Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop\n" - "me a mail at once the issues are fixed - I'd love to\n" - "add your finds to the gallery at:\n\n" - - " http://lcamtuf.coredump.cx/afl/\n\n" - - "Thanks :-)\n", - - orig_cmdline, DMS(mem_limit << 20)); /* ignore errors */ - - fclose(f); - -} - - -/* Check if the result of an execve() during routine fuzzing is interesting, - save or queue the input test case for further analysis if so. Returns 1 if - entry is saved, 0 otherwise. */ - -static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { - - u8 *fn = ""; - u8 hnb; - s32 fd; - u8 keeping = 0, res; - - if (fault == crash_mode) { - - /* Keep only if there are new bits in the map, add to queue for - future fuzzing, etc. */ - - if (!(hnb = has_new_bits(virgin_bits))) { - if (crash_mode) total_crashes++; - return 0; - } - -#ifndef SIMPLE_FILES - - fn = alloc_printf("%s/queue/id:%06u,%s", out_dir, queued_paths, - describe_op(hnb)); - -#else - - fn = alloc_printf("%s/queue/id_%06u", out_dir, queued_paths); - -#endif /* ^!SIMPLE_FILES */ - - add_to_queue(fn, len, 0); - - if (hnb == 2) { - queue_top->has_new_cov = 1; - queued_with_cov++; - } - - queue_top->exec_cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - - /* Try to calibrate inline; this also calls update_bitmap_score() when - successful. */ - - res = calibrate_case(argv, queue_top, mem, queue_cycle - 1, 0); - - if (res == FAULT_ERROR) - FATAL("Unable to execute target application"); - - fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); - ck_write(fd, mem, len, fn); - close(fd); - - keeping = 1; - - } - - switch (fault) { - - case FAULT_TMOUT: - - /* Timeouts are not very interesting, but we're still obliged to keep - a handful of samples. We use the presence of new bits in the - hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we - just keep everything. */ - - total_tmouts++; - - if (unique_hangs >= KEEP_UNIQUE_HANG) return keeping; - - if (!dumb_mode) { - -#ifdef WORD_SIZE_64 - simplify_trace((u64*)trace_bits); -#else - simplify_trace((u32*)trace_bits); -#endif /* ^WORD_SIZE_64 */ - - if (!has_new_bits(virgin_tmout)) return keeping; - - } - - unique_tmouts++; - - /* Before saving, we make sure that it's a genuine hang by re-running - the target with a more generous timeout (unless the default timeout - is already generous). */ - - if (exec_tmout < hang_tmout) { - - u8 new_fault; - write_to_testcase(mem, len); - new_fault = run_target(argv, hang_tmout); - - /* A corner case that one user reported bumping into: increasing the - timeout actually uncovers a crash. Make sure we don't discard it if - so. */ - - if (!stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; - - if (stop_soon || new_fault != FAULT_TMOUT) return keeping; - - } - -#ifndef SIMPLE_FILES - - fn = alloc_printf("%s/hangs/id:%06llu,%s", out_dir, - unique_hangs, describe_op(0)); - -#else - - fn = alloc_printf("%s/hangs/id_%06llu", out_dir, - unique_hangs); - -#endif /* ^!SIMPLE_FILES */ - - unique_hangs++; - - last_hang_time = get_cur_time(); - - break; - - case FAULT_CRASH: - -keep_as_crash: - - /* This is handled in a manner roughly similar to timeouts, - except for slightly different limits and no need to re-run test - cases. */ - - total_crashes++; - - if (unique_crashes >= KEEP_UNIQUE_CRASH) return keeping; - - if (!dumb_mode) { - -#ifdef WORD_SIZE_64 - simplify_trace((u64*)trace_bits); -#else - simplify_trace((u32*)trace_bits); -#endif /* ^WORD_SIZE_64 */ - - if (!has_new_bits(virgin_crash)) return keeping; - - } - - if (!unique_crashes) write_crash_readme(); - -#ifndef SIMPLE_FILES - - fn = alloc_printf("%s/crashes/id:%06llu,sig:%02u,%s", out_dir, - unique_crashes, kill_signal, describe_op(0)); - -#else - - fn = alloc_printf("%s/crashes/id_%06llu_%02u", out_dir, unique_crashes, - kill_signal); - -#endif /* ^!SIMPLE_FILES */ - - unique_crashes++; - - last_crash_time = get_cur_time(); - last_crash_execs = total_execs; - - break; - - case FAULT_ERROR: FATAL("Unable to execute target application"); - - default: return keeping; - - } - - /* If we're here, we apparently want to save the crash or hang - test case, too. */ - - fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", fn); - ck_write(fd, mem, len, fn); - close(fd); - - ck_free(fn); - - return keeping; - -} - - -/* When resuming, try to find the queue position to start from. This makes sense - only when resuming, and when we can find the original fuzzer_stats. */ - -static u32 find_start_position(void) { - - static u8 tmp[4096]; /* Ought to be enough for anybody. */ - - u8 *fn, *off; - s32 fd, i; - u32 ret; - - if (!resuming_fuzz) return 0; - - if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir); - else fn = alloc_printf("%s/../fuzzer_stats", in_dir); - - fd = open(fn, O_RDONLY); - ck_free(fn); - - if (fd < 0) return 0; - - i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ - close(fd); - - off = strstr(tmp, "cur_path : "); - if (!off) return 0; - - ret = atoi(off + 20); - if (ret >= queued_paths) ret = 0; - return ret; - -} - - -/* The same, but for timeouts. The idea is that when resuming sessions without - -t given, we don't want to keep auto-scaling the timeout over and over - again to prevent it from growing due to random flukes. */ - -static void find_timeout(void) { - - static u8 tmp[4096]; /* Ought to be enough for anybody. */ - - u8 *fn, *off; - s32 fd, i; - u32 ret; - - if (!resuming_fuzz) return; - - if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir); - else fn = alloc_printf("%s/../fuzzer_stats", in_dir); - - fd = open(fn, O_RDONLY); - ck_free(fn); - - if (fd < 0) return; - - i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ - close(fd); - - off = strstr(tmp, "exec_timeout : "); - if (!off) return; - - ret = atoi(off + 20); - if (ret <= 4) return; - - exec_tmout = ret; - timeout_given = 3; - -} - - -/* Update stats file for unattended monitoring. */ - -static void write_stats_file(double bitmap_cvg, double stability, double eps) { - - static double last_bcvg, last_stab, last_eps; - static struct rusage usage; - - u8* fn = alloc_printf("%s/fuzzer_stats", out_dir); - s32 fd; - FILE* f; - - fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); - - if (fd < 0) PFATAL("Unable to create '%s'", fn); - - ck_free(fn); - - f = fdopen(fd, "w"); - - if (!f) PFATAL("fdopen() failed"); - - /* Keep last values in case we're called from another context - where exec/sec stats and such are not readily available. */ - - if (!bitmap_cvg && !stability && !eps) { - bitmap_cvg = last_bcvg; - stability = last_stab; - eps = last_eps; - } else { - last_bcvg = bitmap_cvg; - last_stab = stability; - last_eps = eps; - } - - fprintf(f, "start_time : %llu\n" - "last_update : %llu\n" - "fuzzer_pid : %u\n" - "cycles_done : %llu\n" - "execs_done : %llu\n" - "execs_per_sec : %0.02f\n" - "paths_total : %u\n" - "paths_favored : %u\n" - "paths_found : %u\n" - "paths_imported : %u\n" - "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ - "pending_favs : %u\n" - "pending_total : %u\n" - "variable_paths : %u\n" - "stability : %0.02f%%\n" - "bitmap_cvg : %0.02f%%\n" - "unique_crashes : %llu\n" - "unique_hangs : %llu\n" - "last_path : %llu\n" - "last_crash : %llu\n" - "last_hang : %llu\n" - "execs_since_crash : %llu\n" - "exec_timeout : %u\n" /* Must match find_timeout() */ - "afl_banner : %s\n" - "afl_version : " VERSION "\n" - "target_mode : %s%s%s%s%s%s%s\n" - "command_line : %s\n" - "slowest_exec_ms : %llu\n", - start_time / 1000, get_cur_time() / 1000, getpid(), - queue_cycle ? (queue_cycle - 1) : 0, total_execs, eps, - queued_paths, queued_favored, queued_discovered, queued_imported, - max_depth, current_entry, pending_favored, pending_not_fuzzed, - queued_variable, stability, bitmap_cvg, unique_crashes, - unique_hangs, last_path_time / 1000, last_crash_time / 1000, - last_hang_time / 1000, total_execs - last_crash_execs, - exec_tmout, use_banner, - qemu_mode ? "qemu " : "", dumb_mode ? " dumb " : "", - no_forkserver ? "no_forksrv " : "", crash_mode ? "crash " : "", - persistent_mode ? "persistent " : "", deferred_mode ? "deferred " : "", - (qemu_mode || dumb_mode || no_forkserver || crash_mode || - persistent_mode || deferred_mode) ? "" : "default", - orig_cmdline, slowest_exec_ms); - /* ignore errors */ - - /* Get rss value from the children - We must have killed the forkserver process and called waitpid - before calling getrusage */ - if (getrusage(RUSAGE_CHILDREN, &usage)) { - WARNF("getrusage failed"); - } else if (usage.ru_maxrss == 0) { - fprintf(f, "peak_rss_mb : not available while afl is running\n"); - } else { -#ifdef __APPLE__ - fprintf(f, "peak_rss_mb : %zu\n", usage.ru_maxrss >> 20); -#else - fprintf(f, "peak_rss_mb : %zu\n", usage.ru_maxrss >> 10); -#endif /* ^__APPLE__ */ - } - - fclose(f); - -} - - -/* Update the plot file if there is a reason to. */ - -static void maybe_update_plot_file(double bitmap_cvg, double eps) { - - static u32 prev_qp, prev_pf, prev_pnf, prev_ce, prev_md; - static u64 prev_qc, prev_uc, prev_uh; - - if (prev_qp == queued_paths && prev_pf == pending_favored && - prev_pnf == pending_not_fuzzed && prev_ce == current_entry && - prev_qc == queue_cycle && prev_uc == unique_crashes && - prev_uh == unique_hangs && prev_md == max_depth) return; - - prev_qp = queued_paths; - prev_pf = pending_favored; - prev_pnf = pending_not_fuzzed; - prev_ce = current_entry; - prev_qc = queue_cycle; - prev_uc = unique_crashes; - prev_uh = unique_hangs; - prev_md = max_depth; - - /* Fields in the file: - - unix_time, cycles_done, cur_path, paths_total, paths_not_fuzzed, - favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, - execs_per_sec */ - - fprintf(plot_file, - "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f\n", - get_cur_time() / 1000, queue_cycle - 1, current_entry, queued_paths, - pending_not_fuzzed, pending_favored, bitmap_cvg, unique_crashes, - unique_hangs, max_depth, eps); /* ignore errors */ - - fflush(plot_file); - -} - - - -/* A helper function for maybe_delete_out_dir(), deleting all prefixed - files in a directory. */ - -static u8 delete_files(u8* path, u8* prefix) { - - DIR* d; - struct dirent* d_ent; - - d = opendir(path); - - if (!d) return 0; - - while ((d_ent = readdir(d))) { - - if (d_ent->d_name[0] != '.' && (!prefix || - !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { - - u8* fname = alloc_printf("%s/%s", path, d_ent->d_name); - if (unlink(fname)) PFATAL("Unable to delete '%s'", fname); - ck_free(fname); - - } - - } - - closedir(d); - - return !!rmdir(path); - -} - - -/* Get the number of runnable processes, with some simple smoothing. */ - -static double get_runnable_processes(void) { - - static double res; - -#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - - /* I don't see any portable sysctl or so that would quickly give us the - number of runnable processes; the 1-minute load average can be a - semi-decent approximation, though. */ - - if (getloadavg(&res, 1) != 1) return 0; - -#else - - /* On Linux, /proc/stat is probably the best way; load averages are - computed in funny ways and sometimes don't reflect extremely short-lived - processes well. */ - - FILE* f = fopen("/proc/stat", "r"); - u8 tmp[1024]; - u32 val = 0; - - if (!f) return 0; - - while (fgets(tmp, sizeof(tmp), f)) { - - if (!strncmp(tmp, "procs_running ", 14) || - !strncmp(tmp, "procs_blocked ", 14)) val += atoi(tmp + 14); - - } - - fclose(f); - - if (!res) { - - res = val; - - } else { - - res = res * (1.0 - 1.0 / AVG_SMOOTHING) + - ((double)val) * (1.0 / AVG_SMOOTHING); - - } - -#endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ - - return res; - -} - - -/* Delete the temporary directory used for in-place session resume. */ - -static void nuke_resume_dir(void) { - - u8* fn; - - fn = alloc_printf("%s/_resume/.state/deterministic_done", out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/_resume/.state/auto_extras", out_dir); - if (delete_files(fn, "auto_")) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/_resume/.state/redundant_edges", out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/_resume/.state/variable_behavior", out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/_resume/.state", out_dir); - if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/_resume", out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - return; - -dir_cleanup_failed: - - FATAL("_resume directory cleanup failed"); - -} - - -/* Delete fuzzer output directory if we recognize it as ours, if the fuzzer - is not currently running, and if the last run time isn't too great. */ - -static void maybe_delete_out_dir(void) { - - FILE* f; - u8 *fn = alloc_printf("%s/fuzzer_stats", out_dir); - - /* See if the output directory is locked. If yes, bail out. If not, - create a lock that will persist for the lifetime of the process - (this requires leaving the descriptor open).*/ - - out_dir_fd = open(out_dir, O_RDONLY); - if (out_dir_fd < 0) PFATAL("Unable to open '%s'", out_dir); - -#ifndef __sun - - if (flock(out_dir_fd, LOCK_EX | LOCK_NB) && errno == EWOULDBLOCK) { - - SAYF("\n" cLRD "[-] " cRST - "Looks like the job output directory is being actively used by another\n" - " instance of afl-fuzz. You will need to choose a different %s\n" - " or stop the other process first.\n", - sync_id ? "fuzzer ID" : "output location"); - - FATAL("Directory '%s' is in use", out_dir); - - } - -#endif /* !__sun */ - - f = fopen(fn, "r"); - - if (f) { - - u64 start_time, last_update; - - if (fscanf(f, "start_time : %llu\n" - "last_update : %llu\n", &start_time, &last_update) != 2) - FATAL("Malformed data in '%s'", fn); - - fclose(f); - - /* Let's see how much work is at stake. */ - - if (!in_place_resume && last_update - start_time > OUTPUT_GRACE * 60) { - - SAYF("\n" cLRD "[-] " cRST - "The job output directory already exists and contains the results of more\n" - " than %u minutes worth of fuzzing. To avoid data loss, afl-fuzz will *NOT*\n" - " automatically delete this data for you.\n\n" - - " If you wish to start a new session, remove or rename the directory manually,\n" - " or specify a different output location for this job. To resume the old\n" - " session, put '-' as the input directory in the command line ('-i -') and\n" - " try again.\n", OUTPUT_GRACE); - - FATAL("At-risk data found in '%s'", out_dir); - - } - - } - - ck_free(fn); - - /* The idea for in-place resume is pretty simple: we temporarily move the old - queue/ to a new location that gets deleted once import to the new queue/ - is finished. If _resume/ already exists, the current queue/ may be - incomplete due to an earlier abort, so we want to use the old _resume/ - dir instead, and we let rename() fail silently. */ - - if (in_place_resume) { - - u8* orig_q = alloc_printf("%s/queue", out_dir); - - in_dir = alloc_printf("%s/_resume", out_dir); - - rename(orig_q, in_dir); /* Ignore errors */ - - OKF("Output directory exists, will attempt session resume."); - - ck_free(orig_q); - - } else { - - OKF("Output directory exists but deemed OK to reuse."); - - } - - ACTF("Deleting old session data..."); - - /* Okay, let's get the ball rolling! First, we need to get rid of the entries - in /.synced/.../id:*, if any are present. */ - - if (!in_place_resume) { - - fn = alloc_printf("%s/.synced", out_dir); - if (delete_files(fn, NULL)) goto dir_cleanup_failed; - ck_free(fn); - - } - - /* Next, we need to clean up /queue/.state/ subdirectories: */ - - fn = alloc_printf("%s/queue/.state/deterministic_done", out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/queue/.state/auto_extras", out_dir); - if (delete_files(fn, "auto_")) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/queue/.state/redundant_edges", out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/queue/.state/variable_behavior", out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - /* Then, get rid of the .state subdirectory itself (should be empty by now) - and everything matching /queue/id:*. */ - - fn = alloc_printf("%s/queue/.state", out_dir); - if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/queue", out_dir); - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - /* All right, let's do /crashes/id:* and /hangs/id:*. */ - - if (!in_place_resume) { - - fn = alloc_printf("%s/crashes/README.txt", out_dir); - unlink(fn); /* Ignore errors */ - ck_free(fn); - - } - - fn = alloc_printf("%s/crashes", out_dir); - - /* Make backup of the crashes directory if it's not empty and if we're - doing in-place resume. */ - - if (in_place_resume && rmdir(fn)) { - - time_t cur_t = time(0); - struct tm* t = localtime(&cur_t); - -#ifndef SIMPLE_FILES - - u8* nfn = alloc_printf("%s.%04u-%02u-%02u-%02u:%02u:%02u", fn, - t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, - t->tm_hour, t->tm_min, t->tm_sec); - -#else - - u8* nfn = alloc_printf("%s_%04u%02u%02u%02u%02u%02u", fn, - t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, - t->tm_hour, t->tm_min, t->tm_sec); - -#endif /* ^!SIMPLE_FILES */ - - rename(fn, nfn); /* Ignore errors. */ - ck_free(nfn); - - } - - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/hangs", out_dir); - - /* Backup hangs, too. */ - - if (in_place_resume && rmdir(fn)) { - - time_t cur_t = time(0); - struct tm* t = localtime(&cur_t); - -#ifndef SIMPLE_FILES - - u8* nfn = alloc_printf("%s.%04u-%02u-%02u-%02u:%02u:%02u", fn, - t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, - t->tm_hour, t->tm_min, t->tm_sec); - -#else - - u8* nfn = alloc_printf("%s_%04u%02u%02u%02u%02u%02u", fn, - t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, - t->tm_hour, t->tm_min, t->tm_sec); - -#endif /* ^!SIMPLE_FILES */ - - rename(fn, nfn); /* Ignore errors. */ - ck_free(nfn); - - } - - if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; - ck_free(fn); - - /* And now, for some finishing touches. */ - - fn = alloc_printf("%s/.cur_input", out_dir); - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; - ck_free(fn); - - fn = alloc_printf("%s/fuzz_bitmap", out_dir); - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; - ck_free(fn); - - if (!in_place_resume) { - fn = alloc_printf("%s/fuzzer_stats", out_dir); - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; - ck_free(fn); - } - - fn = alloc_printf("%s/plot_data", out_dir); - if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; - ck_free(fn); - - OKF("Output dir cleanup successful."); - - /* Wow... is that all? If yes, celebrate! */ - - return; - -dir_cleanup_failed: - - SAYF("\n" cLRD "[-] " cRST - "Whoops, the fuzzer tried to reuse your output directory, but bumped into\n" - " some files that shouldn't be there or that couldn't be removed - so it\n" - " decided to abort! This happened while processing this path:\n\n" - - " %s\n\n" - " Please examine and manually delete the files, or specify a different\n" - " output location for the tool.\n", fn); - - FATAL("Output directory cleanup failed"); - -} - - -static void check_term_size(void); - - -/* A spiffy retro stats screen! This is called every stats_update_freq - execve() calls, plus in several other circumstances. */ - -static void show_stats(void) { - - static u64 last_stats_ms, last_plot_ms, last_ms, last_execs; - static double avg_exec; - double t_byte_ratio, stab_ratio; - - u64 cur_ms; - u32 t_bytes, t_bits; - - u32 banner_len, banner_pad; - u8 tmp[256]; - - cur_ms = get_cur_time(); - - /* If not enough time has passed since last UI update, bail out. */ - - if (cur_ms - last_ms < 1000 / UI_TARGET_HZ) return; - - /* Check if we're past the 10 minute mark. */ - - if (cur_ms - start_time > 10 * 60 * 1000) run_over10m = 1; - - /* Calculate smoothed exec speed stats. */ - - if (!last_execs) { - - avg_exec = ((double)total_execs) * 1000 / (cur_ms - start_time); - - } else { - - double cur_avg = ((double)(total_execs - last_execs)) * 1000 / - (cur_ms - last_ms); - - /* If there is a dramatic (5x+) jump in speed, reset the indicator - more quickly. */ - - if (cur_avg * 5 < avg_exec || cur_avg / 5 > avg_exec) - avg_exec = cur_avg; - - avg_exec = avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + - cur_avg * (1.0 / AVG_SMOOTHING); - - } - - last_ms = cur_ms; - last_execs = total_execs; - - /* Tell the callers when to contact us (as measured in execs). */ - - stats_update_freq = avg_exec / (UI_TARGET_HZ * 10); - if (!stats_update_freq) stats_update_freq = 1; - - /* Do some bitmap stats. */ - - t_bytes = count_non_255_bytes(virgin_bits); - t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; - - if (t_bytes) - stab_ratio = 100 - ((double)var_byte_count) * 100 / t_bytes; - else - stab_ratio = 100; - - /* Roughly every minute, update fuzzer stats and save auto tokens. */ - - if (cur_ms - last_stats_ms > STATS_UPDATE_SEC * 1000) { - - last_stats_ms = cur_ms; - write_stats_file(t_byte_ratio, stab_ratio, avg_exec); - save_auto(); - write_bitmap(); - - } - - /* Every now and then, write plot data. */ - - if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { - - last_plot_ms = cur_ms; - maybe_update_plot_file(t_byte_ratio, avg_exec); - - } - - /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ - - if (!dumb_mode && cycles_wo_finds > 100 && !pending_not_fuzzed && - getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; - - if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; - - /* If we're not on TTY, bail out. */ - - if (not_on_tty) return; - - /* Compute some mildly useful bitmap stats. */ - - t_bits = (MAP_SIZE << 3) - count_bits(virgin_bits); - - /* Now, for the visuals... */ - - if (clear_screen) { - - SAYF(TERM_CLEAR CURSOR_HIDE); - clear_screen = 0; - - check_term_size(); - - } - - SAYF(TERM_HOME); - - if (term_too_small) { - - SAYF(cBRI "Your terminal is too small to display the UI.\n" - "Please resize terminal window to at least 80x25.\n" cRST); - - return; - - } - - /* Let's start by drawing a centered banner. */ - - banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner); - banner_pad = (80 - banner_len) / 2; - memset(tmp, ' ', banner_pad); - - sprintf(tmp + banner_pad, "%s " cLCY VERSION cLGN - " (%s)", crash_mode ? cPIN "peruvian were-rabbit" : - cYEL "american fuzzy lop", use_banner); - - SAYF("\n%s\n\n", tmp); - - /* "Handy" shortcuts for drawing boxes... */ - -#define bSTG bSTART cGRA -#define bH2 bH bH -#define bH5 bH2 bH2 bH -#define bH10 bH5 bH5 -#define bH20 bH10 bH10 -#define bH30 bH20 bH10 -#define SP5 " " -#define SP10 SP5 SP5 -#define SP20 SP10 SP10 - - /* Lord, forgive me this. */ - - SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH2 bHB - bH bSTOP cCYA " overall results " bSTG bH5 bRT "\n"); - - if (dumb_mode) { - - strcpy(tmp, cRST); - - } else { - - u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60; - - /* First queue cycle: don't stop now! */ - if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else - - /* Subsequent cycles, but we're still making finds. */ - if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else - - /* No finds for a long time and no test cases to try. */ - if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120) - strcpy(tmp, cLGN); - - /* Default: cautiously OK to stop? */ - else strcpy(tmp, cLBL); - - } - - SAYF(bV bSTOP " run time : " cRST "%-34s " bSTG bV bSTOP - " cycles done : %s%-5s " bSTG bV "\n", - DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); - - /* We want to warn people about not seeing new paths after a full cycle, - except when resuming fuzzing or running in non-instrumented mode. */ - - if (!dumb_mode && (last_path_time || resuming_fuzz || queue_cycle == 1 || - in_bitmap || crash_mode)) { - - SAYF(bV bSTOP " last new path : " cRST "%-34s ", - DTD(cur_ms, last_path_time)); - - } else { - - if (dumb_mode) - - SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST - " (non-instrumented mode) "); - - else - - SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD - "(odd, check syntax!) "); - - } - - SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", - DI(queued_paths)); - - /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH - limit with a '+' appended to the count. */ - - sprintf(tmp, "%s%s", DI(unique_crashes), - (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); - - SAYF(bV bSTOP " last uniq crash : " cRST "%-34s " bSTG bV bSTOP - " uniq crashes : %s%-6s " bSTG bV "\n", - DTD(cur_ms, last_crash_time), unique_crashes ? cLRD : cRST, - tmp); - - sprintf(tmp, "%s%s", DI(unique_hangs), - (unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); - - SAYF(bV bSTOP " last uniq hang : " cRST "%-34s " bSTG bV bSTOP - " uniq hangs : " cRST "%-6s " bSTG bV "\n", - DTD(cur_ms, last_hang_time), tmp); - - SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH20 bHB bH bSTOP cCYA - " map coverage " bSTG bH bHT bH20 bH2 bH bVL "\n"); - - /* This gets funny because we want to print several variable-length variables - together, but then cram them into a fixed-width field - so we need to - put them in a temporary buffer first. */ - - sprintf(tmp, "%s%s (%0.02f%%)", DI(current_entry), - queue_cur->favored ? "" : "*", - ((double)current_entry * 100) / queued_paths); - - SAYF(bV bSTOP " now processing : " cRST "%-17s " bSTG bV bSTOP, tmp); - - sprintf(tmp, "%0.02f%% / %0.02f%%", ((double)queue_cur->bitmap_size) * - 100 / MAP_SIZE, t_byte_ratio); - - SAYF(" map density : %s%-21s " bSTG bV "\n", t_byte_ratio > 70 ? cLRD : - ((t_bytes < 200 && !dumb_mode) ? cPIN : cRST), tmp); - - sprintf(tmp, "%s (%0.02f%%)", DI(cur_skipped_paths), - ((double)cur_skipped_paths * 100) / queued_paths); - - SAYF(bV bSTOP " paths timed out : " cRST "%-17s " bSTG bV, tmp); - - sprintf(tmp, "%0.02f bits/tuple", - t_bytes ? (((double)t_bits) / t_bytes) : 0); - - SAYF(bSTOP " count coverage : " cRST "%-21s " bSTG bV "\n", tmp); - - SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH20 bX bH bSTOP cCYA - " findings in depth " bSTG bH20 bVL "\n"); - - sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), - ((double)queued_favored) * 100 / queued_paths); - - /* Yeah... it's still going on... halp? */ - - SAYF(bV bSTOP " now trying : " cRST "%-21s " bSTG bV bSTOP - " favored paths : " cRST "%-22s " bSTG bV "\n", stage_name, tmp); - - if (!stage_max) { - - sprintf(tmp, "%s/-", DI(stage_cur)); - - } else { - - sprintf(tmp, "%s/%s (%0.02f%%)", DI(stage_cur), DI(stage_max), - ((double)stage_cur) * 100 / stage_max); - - } - - SAYF(bV bSTOP " stage execs : " cRST "%-21s " bSTG bV bSTOP, tmp); - - sprintf(tmp, "%s (%0.02f%%)", DI(queued_with_cov), - ((double)queued_with_cov) * 100 / queued_paths); - - SAYF(" new edges on : " cRST "%-22s " bSTG bV "\n", tmp); - - sprintf(tmp, "%s (%s%s unique)", DI(total_crashes), DI(unique_crashes), - (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); - - if (crash_mode) { - - SAYF(bV bSTOP " total execs : " cRST "%-21s " bSTG bV bSTOP - " new crashes : %s%-22s " bSTG bV "\n", DI(total_execs), - unique_crashes ? cLRD : cRST, tmp); - - } else { - - SAYF(bV bSTOP " total execs : " cRST "%-21s " bSTG bV bSTOP - " total crashes : %s%-22s " bSTG bV "\n", DI(total_execs), - unique_crashes ? cLRD : cRST, tmp); - - } - - /* Show a warning about slow execution. */ - - if (avg_exec < 100) { - - sprintf(tmp, "%s/sec (%s)", DF(avg_exec), avg_exec < 20 ? - "zzzz..." : "slow!"); - - SAYF(bV bSTOP " exec speed : " cLRD "%-21s ", tmp); - - } else { - - sprintf(tmp, "%s/sec", DF(avg_exec)); - SAYF(bV bSTOP " exec speed : " cRST "%-21s ", tmp); - - } - - sprintf(tmp, "%s (%s%s unique)", DI(total_tmouts), DI(unique_tmouts), - (unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); - - SAYF (bSTG bV bSTOP " total tmouts : " cRST "%-22s " bSTG bV "\n", tmp); - - /* Aaaalmost there... hold on! */ - - SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH bHT bH10 - bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bH bVL "\n"); - - if (skip_deterministic) { - - strcpy(tmp, "n/a, n/a, n/a"); - - } else { - - sprintf(tmp, "%s/%s, %s/%s, %s/%s", - DI(stage_finds[STAGE_FLIP1]), DI(stage_cycles[STAGE_FLIP1]), - DI(stage_finds[STAGE_FLIP2]), DI(stage_cycles[STAGE_FLIP2]), - DI(stage_finds[STAGE_FLIP4]), DI(stage_cycles[STAGE_FLIP4])); - - } - - SAYF(bV bSTOP " bit flips : " cRST "%-37s " bSTG bV bSTOP " levels : " - cRST "%-10s " bSTG bV "\n", tmp, DI(max_depth)); - - if (!skip_deterministic) - sprintf(tmp, "%s/%s, %s/%s, %s/%s", - DI(stage_finds[STAGE_FLIP8]), DI(stage_cycles[STAGE_FLIP8]), - DI(stage_finds[STAGE_FLIP16]), DI(stage_cycles[STAGE_FLIP16]), - DI(stage_finds[STAGE_FLIP32]), DI(stage_cycles[STAGE_FLIP32])); - - SAYF(bV bSTOP " byte flips : " cRST "%-37s " bSTG bV bSTOP " pending : " - cRST "%-10s " bSTG bV "\n", tmp, DI(pending_not_fuzzed)); - - if (!skip_deterministic) - sprintf(tmp, "%s/%s, %s/%s, %s/%s", - DI(stage_finds[STAGE_ARITH8]), DI(stage_cycles[STAGE_ARITH8]), - DI(stage_finds[STAGE_ARITH16]), DI(stage_cycles[STAGE_ARITH16]), - DI(stage_finds[STAGE_ARITH32]), DI(stage_cycles[STAGE_ARITH32])); - - SAYF(bV bSTOP " arithmetics : " cRST "%-37s " bSTG bV bSTOP " pend fav : " - cRST "%-10s " bSTG bV "\n", tmp, DI(pending_favored)); - - if (!skip_deterministic) - sprintf(tmp, "%s/%s, %s/%s, %s/%s", - DI(stage_finds[STAGE_INTEREST8]), DI(stage_cycles[STAGE_INTEREST8]), - DI(stage_finds[STAGE_INTEREST16]), DI(stage_cycles[STAGE_INTEREST16]), - DI(stage_finds[STAGE_INTEREST32]), DI(stage_cycles[STAGE_INTEREST32])); - - SAYF(bV bSTOP " known ints : " cRST "%-37s " bSTG bV bSTOP " own finds : " - cRST "%-10s " bSTG bV "\n", tmp, DI(queued_discovered)); - - if (!skip_deterministic) - sprintf(tmp, "%s/%s, %s/%s, %s/%s", - DI(stage_finds[STAGE_EXTRAS_UO]), DI(stage_cycles[STAGE_EXTRAS_UO]), - DI(stage_finds[STAGE_EXTRAS_UI]), DI(stage_cycles[STAGE_EXTRAS_UI]), - DI(stage_finds[STAGE_EXTRAS_AO]), DI(stage_cycles[STAGE_EXTRAS_AO])); - - SAYF(bV bSTOP " dictionary : " cRST "%-37s " bSTG bV bSTOP - " imported : " cRST "%-10s " bSTG bV "\n", tmp, - sync_id ? DI(queued_imported) : (u8*)"n/a"); - - sprintf(tmp, "%s/%s, %s/%s", - DI(stage_finds[STAGE_HAVOC]), DI(stage_cycles[STAGE_HAVOC]), - DI(stage_finds[STAGE_SPLICE]), DI(stage_cycles[STAGE_SPLICE])); - - SAYF(bV bSTOP " havoc : " cRST "%-37s " bSTG bV bSTOP, tmp); - - if (t_bytes) sprintf(tmp, "%0.02f%%", stab_ratio); - else strcpy(tmp, "n/a"); - - SAYF(" stability : %s%-10s " bSTG bV "\n", (stab_ratio < 85 && var_byte_count > 40) - ? cLRD : ((queued_variable && (!persistent_mode || var_byte_count > 20)) - ? cMGN : cRST), tmp); - - if (!bytes_trim_out) { - - sprintf(tmp, "n/a, "); - - } else { - - sprintf(tmp, "%0.02f%%/%s, ", - ((double)(bytes_trim_in - bytes_trim_out)) * 100 / bytes_trim_in, - DI(trim_execs)); - - } - - if (!blocks_eff_total) { - - u8 tmp2[128]; - - sprintf(tmp2, "n/a"); - strcat(tmp, tmp2); - - } else { - - u8 tmp2[128]; - - sprintf(tmp2, "%0.02f%%", - ((double)(blocks_eff_total - blocks_eff_select)) * 100 / - blocks_eff_total); - - strcat(tmp, tmp2); - - } - - SAYF(bV bSTOP " trim : " cRST "%-37s " bSTG bVR bH20 bH2 bH2 bRB "\n" - bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); - - /* Provide some CPU utilization stats. */ - - if (cpu_core_count) { - - double cur_runnable = get_runnable_processes(); - u32 cur_utilization = cur_runnable * 100 / cpu_core_count; - - u8* cpu_color = cCYA; - - /* If we could still run one or more processes, use green. */ - - if (cpu_core_count > 1 && cur_runnable + 1 <= cpu_core_count) - cpu_color = cLGN; - - /* If we're clearly oversubscribed, use red. */ - - if (!no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; - -#ifdef HAVE_AFFINITY - - if (cpu_aff >= 0) { - - SAYF(SP10 cGRA "[cpu%03u:%s%3u%%" cGRA "]\r" cRST, - MIN(cpu_aff, 999), cpu_color, - MIN(cur_utilization, 999)); - - } else { - - SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, - cpu_color, MIN(cur_utilization, 999)); - - } - -#else - - SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, - cpu_color, MIN(cur_utilization, 999)); - -#endif /* ^HAVE_AFFINITY */ - - } else SAYF("\r"); - - /* Hallelujah! */ - - fflush(0); - -} - - -/* Display quick statistics at the end of processing the input directory, - plus a bunch of warnings. Some calibration stuff also ended up here, - along with several hardcoded constants. Maybe clean up eventually. */ - -static void show_init_stats(void) { - - struct queue_entry* q = queue; - u32 min_bits = 0, max_bits = 0; - u64 min_us = 0, max_us = 0; - u64 avg_us = 0; - u32 max_len = 0; - - if (total_cal_cycles) avg_us = total_cal_us / total_cal_cycles; - - while (q) { - - if (!min_us || q->exec_us < min_us) min_us = q->exec_us; - if (q->exec_us > max_us) max_us = q->exec_us; - - if (!min_bits || q->bitmap_size < min_bits) min_bits = q->bitmap_size; - if (q->bitmap_size > max_bits) max_bits = q->bitmap_size; - - if (q->len > max_len) max_len = q->len; - - q = q->next; - - } - - SAYF("\n"); - - if (avg_us > (qemu_mode ? 50000 : 10000)) - WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.txt.", - doc_path); - - /* Let's keep things moving with slow binaries. */ - - if (avg_us > 50000) havoc_div = 10; /* 0-19 execs/sec */ - else if (avg_us > 20000) havoc_div = 5; /* 20-49 execs/sec */ - else if (avg_us > 10000) havoc_div = 2; /* 50-100 execs/sec */ - - if (!resuming_fuzz) { - - if (max_len > 50 * 1024) - WARNF(cLRD "Some test cases are huge (%s) - see %s/perf_tips.txt!", - DMS(max_len), doc_path); - else if (max_len > 10 * 1024) - WARNF("Some test cases are big (%s) - see %s/perf_tips.txt.", - DMS(max_len), doc_path); - - if (useless_at_start && !in_bitmap) - WARNF(cLRD "Some test cases look useless. Consider using a smaller set."); - - if (queued_paths > 100) - WARNF(cLRD "You probably have far too many input files! Consider trimming down."); - else if (queued_paths > 20) - WARNF("You have lots of input files; try starting small."); - - } - - OKF("Here are some useful stats:\n\n" - - cGRA " Test case count : " cRST "%u favored, %u variable, %u total\n" - cGRA " Bitmap range : " cRST "%u to %u bits (average: %0.02f bits)\n" - cGRA " Exec timing : " cRST "%s to %s us (average: %s us)\n", - queued_favored, queued_variable, queued_paths, min_bits, max_bits, - ((double)total_bitmap_size) / (total_bitmap_entries ? total_bitmap_entries : 1), - DI(min_us), DI(max_us), DI(avg_us)); - - if (!timeout_given) { - - /* Figure out the appropriate timeout. The basic idea is: 5x average or - 1x max, rounded up to EXEC_TM_ROUND ms and capped at 1 second. - - If the program is slow, the multiplier is lowered to 2x or 3x, because - random scheduler jitter is less likely to have any impact, and because - our patience is wearing thin =) */ - - if (avg_us > 50000) exec_tmout = avg_us * 2 / 1000; - else if (avg_us > 10000) exec_tmout = avg_us * 3 / 1000; - else exec_tmout = avg_us * 5 / 1000; - - exec_tmout = MAX(exec_tmout, max_us / 1000); - exec_tmout = (exec_tmout + EXEC_TM_ROUND) / EXEC_TM_ROUND * EXEC_TM_ROUND; - - if (exec_tmout > EXEC_TIMEOUT) exec_tmout = EXEC_TIMEOUT; - - ACTF("No -t option specified, so I'll use exec timeout of %u ms.", - exec_tmout); - - timeout_given = 1; - - } else if (timeout_given == 3) { - - ACTF("Applying timeout settings from resumed session (%u ms).", exec_tmout); - - } - - /* In dumb mode, re-running every timing out test case with a generous time - limit is very expensive, so let's select a more conservative default. */ - - if (dumb_mode && !getenv("AFL_HANG_TMOUT")) - hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100); - - OKF("All set and ready to roll!"); - -} - - -/* Find first power of two greater or equal to val (assuming val under - 2^31). */ - -static u32 next_p2(u32 val) { - - u32 ret = 1; - while (val > ret) ret <<= 1; - return ret; - -} - - -/* Trim all new test cases to save cycles when doing deterministic checks. The - trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of - file size, to keep the stage short and sweet. */ - -static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { - - static u8 tmp[64]; - static u8 clean_trace[MAP_SIZE]; - - u8 needs_write = 0, fault = 0; - u32 trim_exec = 0; - u32 remove_len; - u32 len_p2; - - /* Although the trimmer will be less useful when variable behavior is - detected, it will still work to some extent, so we don't check for - this. */ - - if (q->len < 5) return 0; - - stage_name = tmp; - bytes_trim_in += q->len; - - /* Select initial chunk len, starting with large steps. */ - - len_p2 = next_p2(q->len); - - remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); - - /* Continue until the number of steps gets too high or the stepover - gets too small. */ - - while (remove_len >= MAX(len_p2 / TRIM_END_STEPS, TRIM_MIN_BYTES)) { - - u32 remove_pos = remove_len; - - sprintf(tmp, "trim %s/%s", DI(remove_len), DI(remove_len)); - - stage_cur = 0; - stage_max = q->len / remove_len; - - while (remove_pos < q->len) { - - u32 trim_avail = MIN(remove_len, q->len - remove_pos); - u32 cksum; - - write_with_gap(in_buf, q->len, remove_pos, trim_avail); - - fault = run_target(argv, exec_tmout); - trim_execs++; - - if (stop_soon || fault == FAULT_ERROR) goto abort_trimming; - - /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ - - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - - /* If the deletion had no impact on the trace, make it permanent. This - isn't perfect for variable-path inputs, but we're just making a - best-effort pass, so it's not a big deal if we end up with false - negatives every now and then. */ - - if (cksum == q->exec_cksum) { - - u32 move_tail = q->len - remove_pos - trim_avail; - - q->len -= trim_avail; - len_p2 = next_p2(q->len); - - memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, - move_tail); - - /* Let's save a clean trace, which will be needed by - update_bitmap_score once we're done with the trimming stuff. */ - - if (!needs_write) { - - needs_write = 1; - memcpy(clean_trace, trace_bits, MAP_SIZE); - - } - - } else remove_pos += remove_len; - - /* Since this can be slow, update the screen every now and then. */ - - if (!(trim_exec++ % stats_update_freq)) show_stats(); - stage_cur++; - - } - - remove_len >>= 1; - - } - - /* If we have made changes to in_buf, we also need to update the on-disk - version of the test case. */ - - if (needs_write) { - - s32 fd; - - unlink(q->fname); /* ignore errors */ - - fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); - - if (fd < 0) PFATAL("Unable to create '%s'", q->fname); - - ck_write(fd, in_buf, q->len, q->fname); - close(fd); - - memcpy(trace_bits, clean_trace, MAP_SIZE); - update_bitmap_score(q); - - } - -abort_trimming: - - bytes_trim_out += q->len; - return fault; - -} - - -/* Write a modified test case, run program, process results. Handle - error conditions, returning 1 if it's time to bail out. This is - a helper function for fuzz_one(). */ - -EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { - - u8 fault; - - if (post_handler) { - - out_buf = post_handler(out_buf, &len); - if (!out_buf || !len) return 0; - - } - - write_to_testcase(out_buf, len); - - fault = run_target(argv, exec_tmout); - - if (stop_soon) return 1; - - if (fault == FAULT_TMOUT) { - - if (subseq_tmouts++ > TMOUT_LIMIT) { - cur_skipped_paths++; - return 1; - } - - } else subseq_tmouts = 0; - - /* Users can hit us with SIGUSR1 to request the current input - to be abandoned. */ - - if (skip_requested) { - - skip_requested = 0; - cur_skipped_paths++; - return 1; - - } - - /* This handles FAULT_ERROR for us: */ - - queued_discovered += save_if_interesting(argv, out_buf, len, fault); - - if (!(stage_cur % stats_update_freq) || stage_cur + 1 == stage_max) - show_stats(); - - return 0; - -} - - -/* Helper to choose random block len for block operations in fuzz_one(). - Doesn't return zero, provided that max_len is > 0. */ - -static u32 choose_block_len(u32 limit) { - - u32 min_value, max_value; - u32 rlim = MIN(queue_cycle, 3); - - if (!run_over10m) rlim = 1; - - switch (UR(rlim)) { - - case 0: min_value = 1; - max_value = HAVOC_BLK_SMALL; - break; - - case 1: min_value = HAVOC_BLK_SMALL; - max_value = HAVOC_BLK_MEDIUM; - break; - - default: - - if (UR(10)) { - - min_value = HAVOC_BLK_MEDIUM; - max_value = HAVOC_BLK_LARGE; - - } else { - - min_value = HAVOC_BLK_LARGE; - max_value = HAVOC_BLK_XL; - - } - - } - - if (min_value >= limit) min_value = 1; - - return min_value + UR(MIN(max_value, limit) - min_value + 1); - -} - - -/* Calculate case desirability score to adjust the length of havoc fuzzing. - A helper function for fuzz_one(). Maybe some of these constants should - go into config.h. */ - -static u32 calculate_score(struct queue_entry* q) { - - u32 avg_exec_us = total_cal_us / total_cal_cycles; - u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; - u32 perf_score = 100; - - /* Adjust score based on execution speed of this path, compared to the - global average. Multiplier ranges from 0.1x to 3x. Fast inputs are - less expensive to fuzz, so we're giving them more air time. */ - - if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; - else if (q->exec_us * 0.25 > avg_exec_us) perf_score = 25; - else if (q->exec_us * 0.5 > avg_exec_us) perf_score = 50; - else if (q->exec_us * 0.75 > avg_exec_us) perf_score = 75; - else if (q->exec_us * 4 < avg_exec_us) perf_score = 300; - else if (q->exec_us * 3 < avg_exec_us) perf_score = 200; - else if (q->exec_us * 2 < avg_exec_us) perf_score = 150; - - /* Adjust score based on bitmap size. The working theory is that better - coverage translates to better targets. Multiplier from 0.25x to 3x. */ - - if (q->bitmap_size * 0.3 > avg_bitmap_size) perf_score *= 3; - else if (q->bitmap_size * 0.5 > avg_bitmap_size) perf_score *= 2; - else if (q->bitmap_size * 0.75 > avg_bitmap_size) perf_score *= 1.5; - else if (q->bitmap_size * 3 < avg_bitmap_size) perf_score *= 0.25; - else if (q->bitmap_size * 2 < avg_bitmap_size) perf_score *= 0.5; - else if (q->bitmap_size * 1.5 < avg_bitmap_size) perf_score *= 0.75; - - /* Adjust score based on handicap. Handicap is proportional to how late - in the game we learned about this path. Latecomers are allowed to run - for a bit longer until they catch up with the rest. */ - - if (q->handicap >= 4) { - - perf_score *= 4; - q->handicap -= 4; - - } else if (q->handicap) { - - perf_score *= 2; - q->handicap--; - - } - - /* Final adjustment based on input depth, under the assumption that fuzzing - deeper test cases is more likely to reveal stuff that can't be - discovered with traditional fuzzers. */ - - switch (q->depth) { - - case 0 ... 3: break; - case 4 ... 7: perf_score *= 2; break; - case 8 ... 13: perf_score *= 3; break; - case 14 ... 25: perf_score *= 4; break; - default: perf_score *= 5; - - } - - /* Make sure that we don't go over limit. */ - - if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; - - return perf_score; - -} - - -/* Helper function to see if a particular change (xor_val = old ^ new) could - be a product of deterministic bit flips with the lengths and stepovers - attempted by afl-fuzz. This is used to avoid dupes in some of the - deterministic fuzzing operations that follow bit flips. We also - return 1 if xor_val is zero, which implies that the old and attempted new - values are identical and the exec would be a waste of time. */ - -static u8 could_be_bitflip(u32 xor_val) { - - u32 sh = 0; - - if (!xor_val) return 1; - - /* Shift left until first bit set. */ - - while (!(xor_val & 1)) { sh++; xor_val >>= 1; } - - /* 1-, 2-, and 4-bit patterns are OK anywhere. */ - - if (xor_val == 1 || xor_val == 3 || xor_val == 15) return 1; - - /* 8-, 16-, and 32-bit patterns are OK only if shift factor is - divisible by 8, since that's the stepover for these ops. */ - - if (sh & 7) return 0; - - if (xor_val == 0xff || xor_val == 0xffff || xor_val == 0xffffffff) - return 1; - - return 0; - -} - - -/* Helper function to see if a particular value is reachable through - arithmetic operations. Used for similar purposes. */ - -static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { - - u32 i, ov = 0, nv = 0, diffs = 0; - - if (old_val == new_val) return 1; - - /* See if one-byte adjustments to any byte could produce this result. */ - - for (i = 0; i < blen; i++) { - - u8 a = old_val >> (8 * i), - b = new_val >> (8 * i); - - if (a != b) { diffs++; ov = a; nv = b; } - - } - - /* If only one byte differs and the values are within range, return 1. */ - - if (diffs == 1) { - - if ((u8)(ov - nv) <= ARITH_MAX || - (u8)(nv - ov) <= ARITH_MAX) return 1; - - } - - if (blen == 1) return 0; - - /* See if two-byte adjustments to any byte would produce this result. */ - - diffs = 0; - - for (i = 0; i < blen / 2; i++) { - - u16 a = old_val >> (16 * i), - b = new_val >> (16 * i); - - if (a != b) { diffs++; ov = a; nv = b; } - - } - - /* If only one word differs and the values are within range, return 1. */ - - if (diffs == 1) { - - if ((u16)(ov - nv) <= ARITH_MAX || - (u16)(nv - ov) <= ARITH_MAX) return 1; - - ov = SWAP16(ov); nv = SWAP16(nv); - - if ((u16)(ov - nv) <= ARITH_MAX || - (u16)(nv - ov) <= ARITH_MAX) return 1; - - } - - /* Finally, let's do the same thing for dwords. */ - - if (blen == 4) { - - if ((u32)(old_val - new_val) <= ARITH_MAX || - (u32)(new_val - old_val) <= ARITH_MAX) return 1; - - new_val = SWAP32(new_val); - old_val = SWAP32(old_val); - - if ((u32)(old_val - new_val) <= ARITH_MAX || - (u32)(new_val - old_val) <= ARITH_MAX) return 1; - - } - - return 0; - -} - - -/* Last but not least, a similar helper to see if insertion of an - interesting integer is redundant given the insertions done for - shorter blen. The last param (check_le) is set if the caller - already executed LE insertion for current blen and wants to see - if BE variant passed in new_val is unique. */ - -static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { - - u32 i, j; - - if (old_val == new_val) return 1; - - /* See if one-byte insertions from interesting_8 over old_val could - produce new_val. */ - - for (i = 0; i < blen; i++) { - - for (j = 0; j < sizeof(interesting_8); j++) { - - u32 tval = (old_val & ~(0xff << (i * 8))) | - (((u8)interesting_8[j]) << (i * 8)); - - if (new_val == tval) return 1; - - } - - } - - /* Bail out unless we're also asked to examine two-byte LE insertions - as a preparation for BE attempts. */ - - if (blen == 2 && !check_le) return 0; - - /* See if two-byte insertions over old_val could give us new_val. */ - - for (i = 0; i < blen - 1; i++) { - - for (j = 0; j < sizeof(interesting_16) / 2; j++) { - - u32 tval = (old_val & ~(0xffff << (i * 8))) | - (((u16)interesting_16[j]) << (i * 8)); - - if (new_val == tval) return 1; - - /* Continue here only if blen > 2. */ - - if (blen > 2) { - - tval = (old_val & ~(0xffff << (i * 8))) | - (SWAP16(interesting_16[j]) << (i * 8)); - - if (new_val == tval) return 1; - - } - - } - - } - - if (blen == 4 && check_le) { - - /* See if four-byte insertions could produce the same result - (LE only). */ - - for (j = 0; j < sizeof(interesting_32) / 4; j++) - if (new_val == (u32)interesting_32[j]) return 1; - - } - - return 0; - -} - - -/* Take the current entry from the queue, fuzz it for a while. This - function is a tad too long... returns 0 if fuzzed successfully, 1 if - skipped or bailed out. */ - -static u8 fuzz_one(char** argv) { - - s32 len, fd, temp_len, i, j; - u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; - u64 havoc_queued, orig_hit_cnt, new_hit_cnt; - u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; - - u8 ret_val = 1, doing_det = 0; - - u8 a_collect[MAX_AUTO_EXTRA]; - u32 a_len = 0; - -#ifdef IGNORE_FINDS - - /* In IGNORE_FINDS mode, skip any entries that weren't in the - initial data set. */ - - if (queue_cur->depth > 1) return 1; - -#else - - if (pending_favored) { - - /* If we have any favored, non-fuzzed new arrivals in the queue, - possibly skip to them at the expense of already-fuzzed or non-favored - cases. */ - - if ((queue_cur->was_fuzzed || !queue_cur->favored) && - UR(100) < SKIP_TO_NEW_PROB) return 1; - - } else if (!dumb_mode && !queue_cur->favored && queued_paths > 10) { - - /* Otherwise, still possibly skip non-favored cases, albeit less often. - The odds of skipping stuff are higher for already-fuzzed inputs and - lower for never-fuzzed entries. */ - - if (queue_cycle > 1 && !queue_cur->was_fuzzed) { - - if (UR(100) < SKIP_NFAV_NEW_PROB) return 1; - - } else { - - if (UR(100) < SKIP_NFAV_OLD_PROB) return 1; - - } - - } - -#endif /* ^IGNORE_FINDS */ - - if (not_on_tty) { - ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", - current_entry, queued_paths, unique_crashes); - fflush(stdout); - } - - /* Map the test case into memory. */ - - fd = open(queue_cur->fname, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", queue_cur->fname); - - len = queue_cur->len; - - orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - - if (orig_in == MAP_FAILED) PFATAL("Unable to mmap '%s'", queue_cur->fname); - - close(fd); - - /* We could mmap() out_buf as MAP_PRIVATE, but we end up clobbering every - single byte anyway, so it wouldn't give us any performance or memory usage - benefits. */ - - out_buf = ck_alloc_nozero(len); - - subseq_tmouts = 0; - - cur_depth = queue_cur->depth; - - /******************************************* - * CALIBRATION (only if failed earlier on) * - *******************************************/ - - if (queue_cur->cal_failed) { - - u8 res = FAULT_TMOUT; - - if (queue_cur->cal_failed < CAL_CHANCES) { - - /* Reset exec_cksum to tell calibrate_case to re-execute the testcase - avoiding the usage of an invalid trace_bits. - For more info: https://github.com/AFLplusplus/AFLplusplus/pull/425 */ - - queue_cur->exec_cksum = 0; - - res = calibrate_case(argv, queue_cur, in_buf, queue_cycle - 1, 0); - - if (res == FAULT_ERROR) - FATAL("Unable to execute target application"); - - } - - if (stop_soon || res != crash_mode) { - cur_skipped_paths++; - goto abandon_entry; - } - - } - - /************ - * TRIMMING * - ************/ - - if (!dumb_mode && !queue_cur->trim_done) { - - u8 res = trim_case(argv, queue_cur, in_buf); - - if (res == FAULT_ERROR) - FATAL("Unable to execute target application"); - - if (stop_soon) { - cur_skipped_paths++; - goto abandon_entry; - } - - /* Don't retry trimming, even if it failed. */ - - queue_cur->trim_done = 1; - - if (len != queue_cur->len) len = queue_cur->len; - - } - - memcpy(out_buf, in_buf, len); - - /********************* - * PERFORMANCE SCORE * - *********************/ - - orig_perf = perf_score = calculate_score(queue_cur); - - /* Skip right away if -d is given, if we have done deterministic fuzzing on - this entry ourselves (was_fuzzed), or if it has gone through deterministic - testing in earlier, resumed runs (passed_det). */ - - if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) - goto havoc_stage; - - /* Skip deterministic fuzzing if exec path checksum puts this out of scope - for this master instance. */ - - if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) - goto havoc_stage; - - doing_det = 1; - - /********************************************* - * SIMPLE BITFLIP (+dictionary construction) * - *********************************************/ - -#define FLIP_BIT(_ar, _b) do { \ - u8* _arf = (u8*)(_ar); \ - u32 _bf = (_b); \ - _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ - } while (0) - - /* Single walking bit. */ - - stage_short = "flip1"; - stage_max = len << 3; - stage_name = "bitflip 1/1"; - - stage_val_type = STAGE_VAL_NONE; - - orig_hit_cnt = queued_paths + unique_crashes; - - prev_cksum = queue_cur->exec_cksum; - - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - - stage_cur_byte = stage_cur >> 3; - - FLIP_BIT(out_buf, stage_cur); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - - FLIP_BIT(out_buf, stage_cur); - - /* While flipping the least significant bit in every byte, pull of an extra - trick to detect possible syntax tokens. In essence, the idea is that if - you have a binary blob like this: - - xxxxxxxxIHDRxxxxxxxx - - ...and changing the leading and trailing bytes causes variable or no - changes in program flow, but touching any character in the "IHDR" string - always produces the same, distinctive path, it's highly likely that - "IHDR" is an atomically-checked magic value of special significance to - the fuzzed format. - - We do this here, rather than as a separate stage, because it's a nice - way to keep the operation approximately "free" (i.e., no extra execs). - - Empirically, performing the check when flipping the least significant bit - is advantageous, compared to doing it at the time of more disruptive - changes, where the program flow may be affected in more violent ways. - - The caveat is that we won't generate dictionaries in the -d mode or -S - mode - but that's probably a fair trade-off. - - This won't work particularly well with paths that exhibit variable - behavior, but fails gracefully, so we'll carry out the checks anyway. - - */ - - if (!dumb_mode && (stage_cur & 7) == 7) { - - u32 cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - - if (stage_cur == stage_max - 1 && cksum == prev_cksum) { - - /* If at end of file and we are still collecting a string, grab the - final character and force output. */ - - if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; - a_len++; - - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(a_collect, a_len); - - } else if (cksum != prev_cksum) { - - /* Otherwise, if the checksum has changed, see if we have something - worthwhile queued up, and collect that if the answer is yes. */ - - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(a_collect, a_len); - - a_len = 0; - prev_cksum = cksum; - - } - - /* Continue collecting string, but only if the bit flip actually made - any difference - we don't want no-op tokens. */ - - if (cksum != queue_cur->exec_cksum) { - - if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; - a_len++; - - } - - } - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP1] += stage_max; - - /* Two walking bits. */ - - stage_name = "bitflip 2/1"; - stage_short = "flip2"; - stage_max = (len << 3) - 1; - - orig_hit_cnt = new_hit_cnt; - - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - - stage_cur_byte = stage_cur >> 3; - - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP2] += stage_max; - - /* Four walking bits. */ - - stage_name = "bitflip 4/1"; - stage_short = "flip4"; - stage_max = (len << 3) - 3; - - orig_hit_cnt = new_hit_cnt; - - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - - stage_cur_byte = stage_cur >> 3; - - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); - FLIP_BIT(out_buf, stage_cur + 2); - FLIP_BIT(out_buf, stage_cur + 3); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); - FLIP_BIT(out_buf, stage_cur + 2); - FLIP_BIT(out_buf, stage_cur + 3); - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP4] += stage_max; - - /* Effector map setup. These macros calculate: - - EFF_APOS - position of a particular file offset in the map. - EFF_ALEN - length of a map with a particular number of bytes. - EFF_SPAN_ALEN - map span for a sequence of bytes. - - */ - -#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2) -#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1)) -#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l)) -#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l) - 1) - EFF_APOS(_p) + 1) - - /* Initialize effector map for the next step (see comments below). Always - flag first and last byte as doing something. */ - - eff_map = ck_alloc(EFF_ALEN(len)); - eff_map[0] = 1; - - if (EFF_APOS(len - 1) != 0) { - eff_map[EFF_APOS(len - 1)] = 1; - eff_cnt++; - } - - /* Walking byte. */ - - stage_name = "bitflip 8/8"; - stage_short = "flip8"; - stage_max = len; - - orig_hit_cnt = new_hit_cnt; - - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - - stage_cur_byte = stage_cur; - - out_buf[stage_cur] ^= 0xFF; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - - /* We also use this stage to pull off a simple trick: we identify - bytes that seem to have no effect on the current execution path - even when fully flipped - and we skip them during more expensive - deterministic stages, such as arithmetics or known ints. */ - - if (!eff_map[EFF_APOS(stage_cur)]) { - - u32 cksum; - - /* If in dumb mode or if the file is very short, just flag everything - without wasting time on checksums. */ - - if (!dumb_mode && len >= EFF_MIN_LEN) - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - else - cksum = ~queue_cur->exec_cksum; - - if (cksum != queue_cur->exec_cksum) { - eff_map[EFF_APOS(stage_cur)] = 1; - eff_cnt++; - } - - } - - out_buf[stage_cur] ^= 0xFF; - - } - - /* If the effector map is more than EFF_MAX_PERC dense, just flag the - whole thing as worth fuzzing, since we wouldn't be saving much time - anyway. */ - - if (eff_cnt != EFF_ALEN(len) && - eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) { - - memset(eff_map, 1, EFF_ALEN(len)); - - blocks_eff_select += EFF_ALEN(len); - - } else { - - blocks_eff_select += eff_cnt; - - } - - blocks_eff_total += EFF_ALEN(len); - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP8] += stage_max; - - /* Two walking bytes. */ - - if (len < 2) goto skip_bitflip; - - stage_name = "bitflip 16/8"; - stage_short = "flip16"; - stage_cur = 0; - stage_max = len - 1; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len - 1; i++) { - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max--; - continue; - } - - stage_cur_byte = i; - - *(u16*)(out_buf + i) ^= 0xFFFF; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - *(u16*)(out_buf + i) ^= 0xFFFF; - - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP16] += stage_max; - - if (len < 4) goto skip_bitflip; - - /* Four walking bytes. */ - - stage_name = "bitflip 32/8"; - stage_short = "flip32"; - stage_cur = 0; - stage_max = len - 3; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len - 3; i++) { - - /* Let's consult the effector map... */ - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && - !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max--; - continue; - } - - stage_cur_byte = i; - - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP32] += stage_max; - -skip_bitflip: - - if (no_arith) goto skip_arith; - - /********************** - * ARITHMETIC INC/DEC * - **********************/ - - /* 8-bit arithmetics. */ - - stage_name = "arith 8/8"; - stage_short = "arith8"; - stage_cur = 0; - stage_max = 2 * len * ARITH_MAX; - - stage_val_type = STAGE_VAL_LE; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len; i++) { - - u8 orig = out_buf[i]; - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)]) { - stage_max -= 2 * ARITH_MAX; - continue; - } - - stage_cur_byte = i; - - for (j = 1; j <= ARITH_MAX; j++) { - - u8 r = orig ^ (orig + j); - - /* Do arithmetic operations only if the result couldn't be a product - of a bitflip. */ - - if (!could_be_bitflip(r)) { - - stage_cur_val = j; - out_buf[i] = orig + j; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - r = orig ^ (orig - j); - - if (!could_be_bitflip(r)) { - - stage_cur_val = -j; - out_buf[i] = orig - j; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - out_buf[i] = orig; - - } - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_ARITH8] += stage_max; - - /* 16-bit arithmetics, both endians. */ - - if (len < 2) goto skip_arith; - - stage_name = "arith 16/8"; - stage_short = "arith16"; - stage_cur = 0; - stage_max = 4 * (len - 1) * ARITH_MAX; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len - 1; i++) { - - u16 orig = *(u16*)(out_buf + i); - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max -= 4 * ARITH_MAX; - continue; - } - - stage_cur_byte = i; - - for (j = 1; j <= ARITH_MAX; j++) { - - u16 r1 = orig ^ (orig + j), - r2 = orig ^ (orig - j), - r3 = orig ^ SWAP16(SWAP16(orig) + j), - r4 = orig ^ SWAP16(SWAP16(orig) - j); - - /* Try little endian addition and subtraction first. Do it only - if the operation would affect more than one byte (hence the - & 0xff overflow checks) and if it couldn't be a product of - a bitflip. */ - - stage_val_type = STAGE_VAL_LE; - - if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { - - stage_cur_val = j; - *(u16*)(out_buf + i) = orig + j; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - if ((orig & 0xff) < j && !could_be_bitflip(r2)) { - - stage_cur_val = -j; - *(u16*)(out_buf + i) = orig - j; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - /* Big endian comes next. Same deal. */ - - stage_val_type = STAGE_VAL_BE; - - - if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { - - stage_cur_val = j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - if ((orig >> 8) < j && !could_be_bitflip(r4)) { - - stage_cur_val = -j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - *(u16*)(out_buf + i) = orig; - - } - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_ARITH16] += stage_max; - - /* 32-bit arithmetics, both endians. */ - - if (len < 4) goto skip_arith; - - stage_name = "arith 32/8"; - stage_short = "arith32"; - stage_cur = 0; - stage_max = 4 * (len - 3) * ARITH_MAX; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len - 3; i++) { - - u32 orig = *(u32*)(out_buf + i); - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && - !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max -= 4 * ARITH_MAX; - continue; - } - - stage_cur_byte = i; - - for (j = 1; j <= ARITH_MAX; j++) { - - u32 r1 = orig ^ (orig + j), - r2 = orig ^ (orig - j), - r3 = orig ^ SWAP32(SWAP32(orig) + j), - r4 = orig ^ SWAP32(SWAP32(orig) - j); - - /* Little endian first. Same deal as with 16-bit: we only want to - try if the operation would have effect on more than two bytes. */ - - stage_val_type = STAGE_VAL_LE; - - if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { - - stage_cur_val = j; - *(u32*)(out_buf + i) = orig + j; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { - - stage_cur_val = -j; - *(u32*)(out_buf + i) = orig - j; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - /* Big endian next. */ - - stage_val_type = STAGE_VAL_BE; - - if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { - - stage_cur_val = j; - *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { - - stage_cur_val = -j; - *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - *(u32*)(out_buf + i) = orig; - - } - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_ARITH32] += stage_max; - -skip_arith: - - /********************** - * INTERESTING VALUES * - **********************/ - - stage_name = "interest 8/8"; - stage_short = "int8"; - stage_cur = 0; - stage_max = len * sizeof(interesting_8); - - stage_val_type = STAGE_VAL_LE; - - orig_hit_cnt = new_hit_cnt; - - /* Setting 8-bit integers. */ - - for (i = 0; i < len; i++) { - - u8 orig = out_buf[i]; - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)]) { - stage_max -= sizeof(interesting_8); - continue; - } - - stage_cur_byte = i; - - for (j = 0; j < sizeof(interesting_8); j++) { - - /* Skip if the value could be a product of bitflips or arithmetics. */ - - if (could_be_bitflip(orig ^ (u8)interesting_8[j]) || - could_be_arith(orig, (u8)interesting_8[j], 1)) { - stage_max--; - continue; - } - - stage_cur_val = interesting_8[j]; - out_buf[i] = interesting_8[j]; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - - out_buf[i] = orig; - stage_cur++; - - } - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_INTEREST8] += stage_max; - - /* Setting 16-bit integers, both endians. */ - - if (no_arith || len < 2) goto skip_interest; - - stage_name = "interest 16/8"; - stage_short = "int16"; - stage_cur = 0; - stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1); - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len - 1; i++) { - - u16 orig = *(u16*)(out_buf + i); - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max -= sizeof(interesting_16); - continue; - } - - stage_cur_byte = i; - - for (j = 0; j < sizeof(interesting_16) / 2; j++) { - - stage_cur_val = interesting_16[j]; - - /* Skip if this could be a product of a bitflip, arithmetics, - or single-byte interesting value insertion. */ - - if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) && - !could_be_arith(orig, (u16)interesting_16[j], 2) && - !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) { - - stage_val_type = STAGE_VAL_LE; - - *(u16*)(out_buf + i) = interesting_16[j]; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && - !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && - !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && - !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) { - - stage_val_type = STAGE_VAL_BE; - - *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - } - - *(u16*)(out_buf + i) = orig; - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_INTEREST16] += stage_max; - - if (len < 4) goto skip_interest; - - /* Setting 32-bit integers, both endians. */ - - stage_name = "interest 32/8"; - stage_short = "int32"; - stage_cur = 0; - stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2); - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len - 3; i++) { - - u32 orig = *(u32*)(out_buf + i); - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && - !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max -= sizeof(interesting_32) >> 1; - continue; - } - - stage_cur_byte = i; - - for (j = 0; j < sizeof(interesting_32) / 4; j++) { - - stage_cur_val = interesting_32[j]; - - /* Skip if this could be a product of a bitflip, arithmetics, - or word interesting value insertion. */ - - if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) && - !could_be_arith(orig, interesting_32[j], 4) && - !could_be_interest(orig, interesting_32[j], 4, 0)) { - - stage_val_type = STAGE_VAL_LE; - - *(u32*)(out_buf + i) = interesting_32[j]; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && - !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && - !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && - !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) { - - stage_val_type = STAGE_VAL_BE; - - *(u32*)(out_buf + i) = SWAP32(interesting_32[j]); - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - } - - *(u32*)(out_buf + i) = orig; - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_INTEREST32] += stage_max; - -skip_interest: - - /******************** - * DICTIONARY STUFF * - ********************/ - - if (!extras_cnt) goto skip_user_extras; - - /* Overwrite with user-supplied extras. */ - - stage_name = "user extras (over)"; - stage_short = "ext_UO"; - stage_cur = 0; - stage_max = extras_cnt * len; - - stage_val_type = STAGE_VAL_NONE; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len; i++) { - - u32 last_len = 0; - - stage_cur_byte = i; - - /* Extras are sorted by size, from smallest to largest. This means - that we don't have to worry about restoring the buffer in - between writes at a particular offset determined by the outer - loop. */ - - for (j = 0; j < extras_cnt; j++) { - - /* Skip extras probabilistically if extras_cnt > MAX_DET_EXTRAS. Also - skip them if there's no room to insert the payload, if the token - is redundant, or if its entire span has no bytes set in the effector - map. */ - - if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || - extras[j].len > len - i || - !memcmp(extras[j].data, out_buf + i, extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) { - - stage_max--; - continue; - - } - - last_len = extras[j].len; - memcpy(out_buf + i, extras[j].data, last_len); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - - stage_cur++; - - } - - /* Restore all the clobbered memory. */ - memcpy(out_buf + i, in_buf + i, last_len); - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_EXTRAS_UO] += stage_max; - - /* Insertion of user-supplied extras. */ - - stage_name = "user extras (insert)"; - stage_short = "ext_UI"; - stage_cur = 0; - stage_max = extras_cnt * (len + 1); - - orig_hit_cnt = new_hit_cnt; - - ex_tmp = ck_alloc(len + MAX_DICT_FILE); - - for (i = 0; i <= len; i++) { - - stage_cur_byte = i; - - for (j = 0; j < extras_cnt; j++) { - - if (len + extras[j].len > MAX_FILE) { - stage_max--; - continue; - } - - /* Insert token */ - memcpy(ex_tmp + i, extras[j].data, extras[j].len); - - /* Copy tail */ - memcpy(ex_tmp + i + extras[j].len, out_buf + i, len - i); - - if (common_fuzz_stuff(argv, ex_tmp, len + extras[j].len)) { - ck_free(ex_tmp); - goto abandon_entry; - } - - stage_cur++; - - } - - /* Copy head */ - ex_tmp[i] = out_buf[i]; - - } - - ck_free(ex_tmp); - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_EXTRAS_UI] += stage_max; - -skip_user_extras: - - if (!a_extras_cnt) goto skip_extras; - - stage_name = "auto extras (over)"; - stage_short = "ext_AO"; - stage_cur = 0; - stage_max = MIN(a_extras_cnt, USE_AUTO_EXTRAS) * len; - - stage_val_type = STAGE_VAL_NONE; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len; i++) { - - u32 last_len = 0; - - stage_cur_byte = i; - - for (j = 0; j < MIN(a_extras_cnt, USE_AUTO_EXTRAS); j++) { - - /* See the comment in the earlier code; extras are sorted by size. */ - - if (a_extras[j].len > len - i || - !memcmp(a_extras[j].data, out_buf + i, a_extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, a_extras[j].len))) { - - stage_max--; - continue; - - } - - last_len = a_extras[j].len; - memcpy(out_buf + i, a_extras[j].data, last_len); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - - stage_cur++; - - } - - /* Restore all the clobbered memory. */ - memcpy(out_buf + i, in_buf + i, last_len); - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_EXTRAS_AO] += stage_max; - -skip_extras: - - /* If we made this to here without jumping to havoc_stage or abandon_entry, - we're properly done with deterministic steps and can mark it as such - in the .state/ directory. */ - - if (!queue_cur->passed_det) mark_as_det_done(queue_cur); - - /**************** - * RANDOM HAVOC * - ****************/ - -havoc_stage: - - stage_cur_byte = -1; - - /* The havoc stage mutation code is also invoked when splicing files; if the - splice_cycle variable is set, generate different descriptions and such. */ - - if (!splice_cycle) { - - stage_name = "havoc"; - stage_short = "havoc"; - stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) * - perf_score / havoc_div / 100; - - } else { - - static u8 tmp[32]; - - perf_score = orig_perf; - - sprintf(tmp, "splice %u", splice_cycle); - stage_name = tmp; - stage_short = "splice"; - stage_max = SPLICE_HAVOC * perf_score / havoc_div / 100; - - } - - if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; - - temp_len = len; - - orig_hit_cnt = queued_paths + unique_crashes; - - havoc_queued = queued_paths; - - /* We essentially just do several thousand runs (depending on perf_score) - where we take the input file and make random stacked tweaks. */ - - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - - u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); - - stage_cur_val = use_stacking; - - for (i = 0; i < use_stacking; i++) { - - switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { - - case 0: - - /* Flip a single bit somewhere. Spooky! */ - - FLIP_BIT(out_buf, UR(temp_len << 3)); - break; - - case 1: - - /* Set byte to interesting value. */ - - out_buf[UR(temp_len)] = interesting_8[UR(sizeof(interesting_8))]; - break; - - case 2: - - /* Set word to interesting value, randomly choosing endian. */ - - if (temp_len < 2) break; - - if (UR(2)) { - - *(u16*)(out_buf + UR(temp_len - 1)) = - interesting_16[UR(sizeof(interesting_16) >> 1)]; - - } else { - - *(u16*)(out_buf + UR(temp_len - 1)) = SWAP16( - interesting_16[UR(sizeof(interesting_16) >> 1)]); - - } - - break; - - case 3: - - /* Set dword to interesting value, randomly choosing endian. */ - - if (temp_len < 4) break; - - if (UR(2)) { - - *(u32*)(out_buf + UR(temp_len - 3)) = - interesting_32[UR(sizeof(interesting_32) >> 2)]; - - } else { - - *(u32*)(out_buf + UR(temp_len - 3)) = SWAP32( - interesting_32[UR(sizeof(interesting_32) >> 2)]); - - } - - break; - - case 4: - - /* Randomly subtract from byte. */ - - out_buf[UR(temp_len)] -= 1 + UR(ARITH_MAX); - break; - - case 5: - - /* Randomly add to byte. */ - - out_buf[UR(temp_len)] += 1 + UR(ARITH_MAX); - break; - - case 6: - - /* Randomly subtract from word, random endian. */ - - if (temp_len < 2) break; - - if (UR(2)) { - - u32 pos = UR(temp_len - 1); - - *(u16*)(out_buf + pos) -= 1 + UR(ARITH_MAX); - - } else { - - u32 pos = UR(temp_len - 1); - u16 num = 1 + UR(ARITH_MAX); - - *(u16*)(out_buf + pos) = - SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); - - } - - break; - - case 7: - - /* Randomly add to word, random endian. */ - - if (temp_len < 2) break; - - if (UR(2)) { - - u32 pos = UR(temp_len - 1); - - *(u16*)(out_buf + pos) += 1 + UR(ARITH_MAX); - - } else { - - u32 pos = UR(temp_len - 1); - u16 num = 1 + UR(ARITH_MAX); - - *(u16*)(out_buf + pos) = - SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); - - } - - break; - - case 8: - - /* Randomly subtract from dword, random endian. */ - - if (temp_len < 4) break; - - if (UR(2)) { - - u32 pos = UR(temp_len - 3); - - *(u32*)(out_buf + pos) -= 1 + UR(ARITH_MAX); - - } else { - - u32 pos = UR(temp_len - 3); - u32 num = 1 + UR(ARITH_MAX); - - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); - - } - - break; - - case 9: - - /* Randomly add to dword, random endian. */ - - if (temp_len < 4) break; - - if (UR(2)) { - - u32 pos = UR(temp_len - 3); - - *(u32*)(out_buf + pos) += 1 + UR(ARITH_MAX); - - } else { - - u32 pos = UR(temp_len - 3); - u32 num = 1 + UR(ARITH_MAX); - - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); - - } - - break; - - case 10: - - /* Just set a random byte to a random value. Because, - why not. We use XOR with 1-255 to eliminate the - possibility of a no-op. */ - - out_buf[UR(temp_len)] ^= 1 + UR(255); - break; - - case 11 ... 12: { - - /* Delete bytes. We're making this a bit more likely - than insertion (the next option) in hopes of keeping - files reasonably small. */ - - u32 del_from, del_len; - - if (temp_len < 2) break; - - /* Don't delete too much. */ - - del_len = choose_block_len(temp_len - 1); - - del_from = UR(temp_len - del_len + 1); - - memmove(out_buf + del_from, out_buf + del_from + del_len, - temp_len - del_from - del_len); - - temp_len -= del_len; - - break; - - } - - case 13: - - if (temp_len + HAVOC_BLK_XL < MAX_FILE) { - - /* Clone bytes (75%) or insert a block of constant bytes (25%). */ - - u8 actually_clone = UR(4); - u32 clone_from, clone_to, clone_len; - u8* new_buf; - - if (actually_clone) { - - clone_len = choose_block_len(temp_len); - clone_from = UR(temp_len - clone_len + 1); - - } else { - - clone_len = choose_block_len(HAVOC_BLK_XL); - clone_from = 0; - - } - - clone_to = UR(temp_len); - - new_buf = ck_alloc_nozero(temp_len + clone_len); - - /* Head */ - - memcpy(new_buf, out_buf, clone_to); - - /* Inserted part */ - - if (actually_clone) - memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); - else - memset(new_buf + clone_to, - UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len); - - /* Tail */ - memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, - temp_len - clone_to); - - ck_free(out_buf); - out_buf = new_buf; - temp_len += clone_len; - - } - - break; - - case 14: { - - /* Overwrite bytes with a randomly selected chunk (75%) or fixed - bytes (25%). */ - - u32 copy_from, copy_to, copy_len; - - if (temp_len < 2) break; - - copy_len = choose_block_len(temp_len - 1); - - copy_from = UR(temp_len - copy_len + 1); - copy_to = UR(temp_len - copy_len + 1); - - if (UR(4)) { - - if (copy_from != copy_to) - memmove(out_buf + copy_to, out_buf + copy_from, copy_len); - - } else memset(out_buf + copy_to, - UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); - - break; - - } - - /* Values 15 and 16 can be selected only if there are any extras - present in the dictionaries. */ - - case 15: { - - /* Overwrite bytes with an extra. */ - - if (!extras_cnt || (a_extras_cnt && UR(2))) { - - /* No user-specified extras or odds in our favor. Let's use an - auto-detected one. */ - - u32 use_extra = UR(a_extras_cnt); - u32 extra_len = a_extras[use_extra].len; - u32 insert_at; - - if (extra_len > temp_len) break; - - insert_at = UR(temp_len - extra_len + 1); - memcpy(out_buf + insert_at, a_extras[use_extra].data, extra_len); - - } else { - - /* No auto extras or odds in our favor. Use the dictionary. */ - - u32 use_extra = UR(extras_cnt); - u32 extra_len = extras[use_extra].len; - u32 insert_at; - - if (extra_len > temp_len) break; - - insert_at = UR(temp_len - extra_len + 1); - memcpy(out_buf + insert_at, extras[use_extra].data, extra_len); - - } - - break; - - } - - case 16: { - - u32 use_extra, extra_len, insert_at = UR(temp_len + 1); - u8* new_buf; - - /* Insert an extra. Do the same dice-rolling stuff as for the - previous case. */ - - if (!extras_cnt || (a_extras_cnt && UR(2))) { - - use_extra = UR(a_extras_cnt); - extra_len = a_extras[use_extra].len; - - if (temp_len + extra_len >= MAX_FILE) break; - - new_buf = ck_alloc_nozero(temp_len + extra_len); - - /* Head */ - memcpy(new_buf, out_buf, insert_at); - - /* Inserted part */ - memcpy(new_buf + insert_at, a_extras[use_extra].data, extra_len); - - } else { - - use_extra = UR(extras_cnt); - extra_len = extras[use_extra].len; - - if (temp_len + extra_len >= MAX_FILE) break; - - new_buf = ck_alloc_nozero(temp_len + extra_len); - - /* Head */ - memcpy(new_buf, out_buf, insert_at); - - /* Inserted part */ - memcpy(new_buf + insert_at, extras[use_extra].data, extra_len); - - } - - /* Tail */ - memcpy(new_buf + insert_at + extra_len, out_buf + insert_at, - temp_len - insert_at); - - ck_free(out_buf); - out_buf = new_buf; - temp_len += extra_len; - - break; - - } - - } - - } - - if (common_fuzz_stuff(argv, out_buf, temp_len)) - goto abandon_entry; - - /* out_buf might have been mangled a bit, so let's restore it to its - original size and shape. */ - - if (temp_len < len) out_buf = ck_realloc(out_buf, len); - temp_len = len; - memcpy(out_buf, in_buf, len); - - /* If we're finding new stuff, let's run for a bit longer, limits - permitting. */ - - if (queued_paths != havoc_queued) { - - if (perf_score <= HAVOC_MAX_MULT * 100) { - stage_max *= 2; - perf_score *= 2; - } - - havoc_queued = queued_paths; - - } - - } - - new_hit_cnt = queued_paths + unique_crashes; - - if (!splice_cycle) { - stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_HAVOC] += stage_max; - } else { - stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_SPLICE] += stage_max; - } - -#ifndef IGNORE_FINDS - - /************ - * SPLICING * - ************/ - - /* This is a last-resort strategy triggered by a full round with no findings. - It takes the current input file, randomly selects another input, and - splices them together at some offset, then relies on the havoc - code to mutate that blob. */ - -retry_splicing: - - if (use_splicing && splice_cycle++ < SPLICE_CYCLES && - queued_paths > 1 && queue_cur->len > 1) { - - struct queue_entry* target; - u32 tid, split_at; - u8* new_buf; - s32 f_diff, l_diff; - - /* First of all, if we've modified in_buf for havoc, let's clean that - up... */ - - if (in_buf != orig_in) { - ck_free(in_buf); - in_buf = orig_in; - len = queue_cur->len; - } - - /* Pick a random queue entry and seek to it. Don't splice with yourself. */ - - do { tid = UR(queued_paths); } while (tid == current_entry); - - splicing_with = tid; - target = queue; - - while (tid >= 100) { target = target->next_100; tid -= 100; } - while (tid--) target = target->next; - - /* Make sure that the target has a reasonable length. */ - - while (target && (target->len < 2 || target == queue_cur)) { - target = target->next; - splicing_with++; - } - - if (!target) goto retry_splicing; - - /* Read the testcase into a new buffer. */ - - fd = open(target->fname, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", target->fname); - - new_buf = ck_alloc_nozero(target->len); - - ck_read(fd, new_buf, target->len, target->fname); - - close(fd); - - /* Find a suitable splicing location, somewhere between the first and - the last differing byte. Bail out if the difference is just a single - byte or so. */ - - locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff); - - if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { - ck_free(new_buf); - goto retry_splicing; - } - - /* Split somewhere between the first and last differing byte. */ - - split_at = f_diff + UR(l_diff - f_diff); - - /* Do the thing. */ - - len = target->len; - memcpy(new_buf, in_buf, split_at); - in_buf = new_buf; - - ck_free(out_buf); - out_buf = ck_alloc_nozero(len); - memcpy(out_buf, in_buf, len); - - goto havoc_stage; - - } - -#endif /* !IGNORE_FINDS */ - - ret_val = 0; - -abandon_entry: - - splicing_with = -1; - - /* Update pending_not_fuzzed count if we made it through the calibration - cycle and have not seen this entry before. */ - - if (!stop_soon && !queue_cur->cal_failed && !queue_cur->was_fuzzed) { - queue_cur->was_fuzzed = 1; - pending_not_fuzzed--; - if (queue_cur->favored) pending_favored--; - } - - munmap(orig_in, queue_cur->len); - - if (in_buf != orig_in) ck_free(in_buf); - ck_free(out_buf); - ck_free(eff_map); - - return ret_val; - -#undef FLIP_BIT - -} - - -/* Grab interesting test cases from other fuzzers. */ - -static void sync_fuzzers(char** argv) { - - DIR* sd; - struct dirent* sd_ent; - u32 sync_cnt = 0; - - sd = opendir(sync_dir); - if (!sd) PFATAL("Unable to open '%s'", sync_dir); - - stage_max = stage_cur = 0; - cur_depth = 0; - - /* Look at the entries created for every other fuzzer in the sync directory. */ - - while ((sd_ent = readdir(sd))) { - - static u8 stage_tmp[128]; - - DIR* qd; - struct dirent* qd_ent; - u8 *qd_path, *qd_synced_path; - u32 min_accept = 0, next_min_accept; - - s32 id_fd; - - /* Skip dot files and our own output directory. */ - - if (sd_ent->d_name[0] == '.' || !strcmp(sync_id, sd_ent->d_name)) continue; - - /* Skip anything that doesn't have a queue/ subdirectory. */ - - qd_path = alloc_printf("%s/%s/queue", sync_dir, sd_ent->d_name); - - if (!(qd = opendir(qd_path))) { - ck_free(qd_path); - continue; - } - - /* Retrieve the ID of the last seen test case. */ - - qd_synced_path = alloc_printf("%s/.synced/%s", out_dir, sd_ent->d_name); - - id_fd = open(qd_synced_path, O_RDWR | O_CREAT, 0600); - - if (id_fd < 0) PFATAL("Unable to create '%s'", qd_synced_path); - - if (read(id_fd, &min_accept, sizeof(u32)) > 0) - lseek(id_fd, 0, SEEK_SET); - - next_min_accept = min_accept; - - /* Show stats */ - - sprintf(stage_tmp, "sync %u", ++sync_cnt); - stage_name = stage_tmp; - stage_cur = 0; - stage_max = 0; - - /* For every file queued by this fuzzer, parse ID and see if we have looked at - it before; exec a test case if not. */ - - while ((qd_ent = readdir(qd))) { - - u8* path; - s32 fd; - struct stat st; - - if (qd_ent->d_name[0] == '.' || - sscanf(qd_ent->d_name, CASE_PREFIX "%06u", &syncing_case) != 1 || - syncing_case < min_accept) continue; - - /* OK, sounds like a new one. Let's give it a try. */ - - if (syncing_case >= next_min_accept) - next_min_accept = syncing_case + 1; - - path = alloc_printf("%s/%s", qd_path, qd_ent->d_name); - - /* Allow this to fail in case the other fuzzer is resuming or so... */ - - fd = open(path, O_RDONLY); - - if (fd < 0) { - ck_free(path); - continue; - } - - if (fstat(fd, &st)) PFATAL("fstat() failed"); - - /* Ignore zero-sized or oversized files. */ - - if (st.st_size && st.st_size <= MAX_FILE) { - - u8 fault; - u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); - - if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path); - - /* See what happens. We rely on save_if_interesting() to catch major - errors and save the test case. */ - - write_to_testcase(mem, st.st_size); - - fault = run_target(argv, exec_tmout); - - if (stop_soon) return; - - syncing_party = sd_ent->d_name; - queued_imported += save_if_interesting(argv, mem, st.st_size, fault); - syncing_party = 0; - - munmap(mem, st.st_size); - - if (!(stage_cur++ % stats_update_freq)) show_stats(); - - } - - ck_free(path); - close(fd); - - } - - ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path); - - close(id_fd); - closedir(qd); - ck_free(qd_path); - ck_free(qd_synced_path); - - } - - closedir(sd); - -} - - -/* Handle stop signal (Ctrl-C, etc). */ - -static void handle_stop_sig(int sig) { - - stop_soon = 1; - - if (child_pid > 0) kill(child_pid, SIGKILL); - if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); - -} - - -/* Handle skip request (SIGUSR1). */ - -static void handle_skipreq(int sig) { - - skip_requested = 1; - -} - -/* Handle timeout (SIGALRM). */ - -static void handle_timeout(int sig) { - - if (child_pid > 0) { - - child_timed_out = 1; - kill(child_pid, SIGKILL); - - } else if (child_pid == -1 && forksrv_pid > 0) { - - child_timed_out = 1; - kill(forksrv_pid, SIGKILL); - - } - -} - - -/* Do a PATH search and find target binary to see that it exists and - isn't a shell script - a common and painful mistake. We also check for - a valid ELF header and for evidence of AFL instrumentation. */ - -EXP_ST void check_binary(u8* fname) { - - u8* env_path = 0; - struct stat st; - - s32 fd; - u8* f_data; - u32 f_len = 0; - - ACTF("Validating target binary..."); - - if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - - target_path = ck_strdup(fname); - if (stat(target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || (f_len = st.st_size) < 4) - FATAL("Program '%s' not found or not executable", fname); - - } else { - - while (env_path) { - - u8 *cur_elem, *delim = strchr(env_path, ':'); - - if (delim) { - - cur_elem = ck_alloc(delim - env_path + 1); - memcpy(cur_elem, env_path, delim - env_path); - delim++; - - } else cur_elem = ck_strdup(env_path); - - env_path = delim; - - if (cur_elem[0]) - target_path = alloc_printf("%s/%s", cur_elem, fname); - else - target_path = ck_strdup(fname); - - ck_free(cur_elem); - - if (!stat(target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && (f_len = st.st_size) >= 4) break; - - ck_free(target_path); - target_path = 0; - - } - - if (!target_path) FATAL("Program '%s' not found or not executable", fname); - - } - - if (getenv("AFL_SKIP_BIN_CHECK")) return; - - /* Check for blatant user errors. */ - - if ((!strncmp(target_path, "/tmp/", 5) && !strchr(target_path + 5, '/')) || - (!strncmp(target_path, "/var/tmp/", 9) && !strchr(target_path + 9, '/'))) - FATAL("Please don't keep binaries in /tmp or /var/tmp"); - - fd = open(target_path, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", target_path); - - f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); - - if (f_data == MAP_FAILED) PFATAL("Unable to mmap file '%s'", target_path); - - close(fd); - - if (f_data[0] == '#' && f_data[1] == '!') { - - SAYF("\n" cLRD "[-] " cRST - "Oops, the target binary looks like a shell script. Some build systems will\n" - " sometimes generate shell stubs for dynamically linked programs; try static\n" - " library mode (./configure --disable-shared) if that's the case.\n\n" - - " Another possible cause is that you are actually trying to use a shell\n" - " wrapper around the fuzzed component. Invoking shell can slow down the\n" - " fuzzing process by a factor of 20x or more; it's best to write the wrapper\n" - " in a compiled language instead.\n"); - - FATAL("Program '%s' is a shell script", target_path); - - } - -#ifndef __APPLE__ - - if (f_data[0] != 0x7f || memcmp(f_data + 1, "ELF", 3)) - FATAL("Program '%s' is not an ELF binary", target_path); - -#else - - if (f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) - FATAL("Program '%s' is not a 64-bit Mach-O binary", target_path); - -#endif /* ^!__APPLE__ */ - - if (!qemu_mode && !dumb_mode && - !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { - - SAYF("\n" cLRD "[-] " cRST - "Looks like the target binary is not instrumented! The fuzzer depends on\n" - " compile-time instrumentation to isolate interesting test cases while\n" - " mutating the input data. For more information, and for tips on how to\n" - " instrument binaries, please see %s/README.\n\n" - - " When source code is not available, you may be able to leverage QEMU\n" - " mode support. Consult the README for tips on how to enable this.\n" - - " (It is also possible to use afl-fuzz as a traditional, \"dumb\" fuzzer.\n" - " For that, you can use the -n option - but expect much worse results.)\n", - doc_path); - - FATAL("No instrumentation detected"); - - } - - if (qemu_mode && - memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { - - SAYF("\n" cLRD "[-] " cRST - "This program appears to be instrumented with afl-gcc, but is being run in\n" - " QEMU mode (-Q). This is probably not what you want - this setup will be\n" - " slow and offer no practical benefits.\n"); - - FATAL("Instrumentation found in -Q mode"); - - } - - if (memmem(f_data, f_len, "libasan.so", 10) || - memmem(f_data, f_len, "__msan_init", 11)) uses_asan = 1; - - /* Detect persistent & deferred init signatures in the binary. */ - - if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { - - OKF(cPIN "Persistent mode binary detected."); - setenv(PERSIST_ENV_VAR, "1", 1); - persistent_mode = 1; - - } else if (getenv("AFL_PERSISTENT")) { - - WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); - - } - - if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { - - OKF(cPIN "Deferred forkserver binary detected."); - setenv(DEFER_ENV_VAR, "1", 1); - deferred_mode = 1; - - } else if (getenv("AFL_DEFER_FORKSRV")) { - - WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); - - } - - if (munmap(f_data, f_len)) PFATAL("unmap() failed"); - -} - - -/* Trim and possibly create a banner for the run. */ - -static void fix_up_banner(u8* name) { - - if (!use_banner) { - - if (sync_id) { - - use_banner = sync_id; - - } else { - - u8* trim = strrchr(name, '/'); - if (!trim) use_banner = name; else use_banner = trim + 1; - - } - - } - - if (strlen(use_banner) > 40) { - - u8* tmp = ck_alloc(44); - sprintf(tmp, "%.40s...", use_banner); - use_banner = tmp; - - } - -} - - -/* Check if we're on TTY. */ - -static void check_if_tty(void) { - - struct winsize ws; - - if (getenv("AFL_NO_UI")) { - OKF("Disabling the UI because AFL_NO_UI is set."); - not_on_tty = 1; - return; - } - - if (ioctl(1, TIOCGWINSZ, &ws)) { - - if (errno == ENOTTY) { - OKF("Looks like we're not running on a tty, so I'll be a bit less verbose."); - not_on_tty = 1; - } - - return; - } - -} - - -/* Check terminal dimensions after resize. */ - -static void check_term_size(void) { - - struct winsize ws; - - term_too_small = 0; - - if (ioctl(1, TIOCGWINSZ, &ws)) return; - - if (ws.ws_row == 0 && ws.ws_col == 0) return; - if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1; - -} - - - -/* Display usage hints. */ - -static void usage(u8* argv0) { - - SAYF("\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n" - - "Required parameters:\n\n" - - " -i dir - input directory with test cases\n" - " -o dir - output directory for fuzzer findings\n\n" - - "Execution control settings:\n\n" - - " -f file - location read by the fuzzed program (stdin)\n" - " -t msec - timeout for each run (auto-scaled, 50-%u ms)\n" - " -m megs - memory limit for child process (%u MB)\n" - " -Q - use binary-only instrumentation (QEMU mode)\n\n" - - "Fuzzing behavior settings:\n\n" - - " -d - quick & dirty mode (skips deterministic steps)\n" - " -n - fuzz without instrumentation (dumb mode)\n" - " -x dir - optional fuzzer dictionary (see README)\n\n" - - "Other stuff:\n\n" - - " -T text - text banner to show on the screen\n" - " -M / -S id - distributed mode (see parallel_fuzzing.txt)\n" - " -C - crash exploration mode (the peruvian rabbit thing)\n" - " -V - show version number and exit\n\n" - " -b cpu_id - bind the fuzzing process to the specified CPU core\n\n" - - "For additional tips, please consult %s/README.\n\n", - - argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); - - exit(1); - -} - - -/* Prepare output directories and fds. */ - -EXP_ST void setup_dirs_fds(void) { - - u8* tmp; - s32 fd; - - ACTF("Setting up output directories..."); - - if (sync_id && mkdir(sync_dir, 0700) && errno != EEXIST) - PFATAL("Unable to create '%s'", sync_dir); - - if (mkdir(out_dir, 0700)) { - - if (errno != EEXIST) PFATAL("Unable to create '%s'", out_dir); - - maybe_delete_out_dir(); - - } else { - - if (in_place_resume) - FATAL("Resume attempted but old output directory not found"); - - out_dir_fd = open(out_dir, O_RDONLY); - -#ifndef __sun - - if (out_dir_fd < 0 || flock(out_dir_fd, LOCK_EX | LOCK_NB)) - PFATAL("Unable to flock() output directory."); - -#endif /* !__sun */ - - } - - /* Queue directory for any starting & discovered paths. */ - - tmp = alloc_printf("%s/queue", out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - /* Top-level directory for queue metadata used for session - resume and related tasks. */ - - tmp = alloc_printf("%s/queue/.state/", out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - /* Directory for flagging queue entries that went through - deterministic fuzzing in the past. */ - - tmp = alloc_printf("%s/queue/.state/deterministic_done/", out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - /* Directory with the auto-selected dictionary entries. */ - - tmp = alloc_printf("%s/queue/.state/auto_extras/", out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - /* The set of paths currently deemed redundant. */ - - tmp = alloc_printf("%s/queue/.state/redundant_edges/", out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - /* The set of paths showing variable behavior. */ - - tmp = alloc_printf("%s/queue/.state/variable_behavior/", out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - /* Sync directory for keeping track of cooperating fuzzers. */ - - if (sync_id) { - - tmp = alloc_printf("%s/.synced/", out_dir); - - if (mkdir(tmp, 0700) && (!in_place_resume || errno != EEXIST)) - PFATAL("Unable to create '%s'", tmp); - - ck_free(tmp); - - } - - /* All recorded crashes. */ - - tmp = alloc_printf("%s/crashes", out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - /* All recorded hangs. */ - - tmp = alloc_printf("%s/hangs", out_dir); - if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - /* Generally useful file descriptors. */ - - dev_null_fd = open("/dev/null", O_RDWR); - if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); - - dev_urandom_fd = open("/dev/urandom", O_RDONLY); - if (dev_urandom_fd < 0) PFATAL("Unable to open /dev/urandom"); - - /* Gnuplot output file. */ - - tmp = alloc_printf("%s/plot_data", out_dir); - fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - - plot_file = fdopen(fd, "w"); - if (!plot_file) PFATAL("fdopen() failed"); - - fprintf(plot_file, "# unix_time, cycles_done, cur_path, paths_total, " - "pending_total, pending_favs, map_size, unique_crashes, " - "unique_hangs, max_depth, execs_per_sec\n"); - /* ignore errors */ - -} - - -/* Setup the output file for fuzzed data, if not using -f. */ - -EXP_ST void setup_stdio_file(void) { - - u8* fn = alloc_printf("%s/.cur_input", out_dir); - - unlink(fn); /* Ignore errors */ - - out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); - - if (out_fd < 0) PFATAL("Unable to create '%s'", fn); - - ck_free(fn); - -} - - -/* Make sure that core dumps don't go to a program. */ - -static void check_crash_handling(void) { - -#ifdef __APPLE__ - - /* Yuck! There appears to be no simple C API to query for the state of - loaded daemons on MacOS X, and I'm a bit hesitant to do something - more sophisticated, such as disabling crash reporting via Mach ports, - until I get a box to test the code. So, for now, we check for crash - reporting the awful way. */ - - if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; - - SAYF("\n" cLRD "[-] " cRST - "Whoops, your system is configured to forward crash notifications to an\n" - " external crash reporting utility. This will cause issues due to the\n" - " extended delay between the fuzzed binary malfunctioning and this fact\n" - " being relayed to the fuzzer via the standard waitpid() API.\n\n" - " To avoid having crashes misinterpreted as timeouts, please run the\n" - " following commands:\n\n" - - " SL=/System/Library; PL=com.apple.ReportCrash\n" - " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" - " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); - - if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) - FATAL("Crash reporter detected"); - -#else - - /* This is Linux specific, but I don't think there's anything equivalent on - *BSD, so we can just let it slide for now. */ - - s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY); - u8 fchar; - - if (fd < 0) return; - - ACTF("Checking core_pattern..."); - - if (read(fd, &fchar, 1) == 1 && fchar == '|') { - - SAYF("\n" cLRD "[-] " cRST - "Hmm, your system is configured to send core dump notifications to an\n" - " external utility. This will cause issues: there will be an extended delay\n" - " between stumbling upon a crash and having this information relayed to the\n" - " fuzzer via the standard waitpid() API.\n\n" - - " To avoid having crashes misinterpreted as timeouts, please log in as root\n" - " and temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n" - - " echo core >/proc/sys/kernel/core_pattern\n"); - - if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) - FATAL("Pipe at the beginning of 'core_pattern'"); - - } - - close(fd); - -#endif /* ^__APPLE__ */ - -} - - -/* Check CPU governor. */ - -static void check_cpu_governor(void) { - - FILE* f; - u8 tmp[128]; - u64 min = 0, max = 0; - - if (getenv("AFL_SKIP_CPUFREQ")) return; - - f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r"); - if (!f) return; - - ACTF("Checking CPU scaling governor..."); - - if (!fgets(tmp, 128, f)) PFATAL("fgets() failed"); - - fclose(f); - - if (!strncmp(tmp, "perf", 4)) return; - - f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", "r"); - - if (f) { - if (fscanf(f, "%llu", &min) != 1) min = 0; - fclose(f); - } - - f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", "r"); - - if (f) { - if (fscanf(f, "%llu", &max) != 1) max = 0; - fclose(f); - } - - if (min == max) return; - - SAYF("\n" cLRD "[-] " cRST - "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" - " between %llu and %llu MHz. Unfortunately, the scaling algorithm in the\n" - " kernel is imperfect and can miss the short-lived processes spawned by\n" - " afl-fuzz. To keep things moving, run these commands as root:\n\n" - - " cd /sys/devices/system/cpu\n" - " echo performance | tee cpu*/cpufreq/scaling_governor\n\n" - - " You can later go back to the original state by replacing 'performance' with\n" - " 'ondemand'. If you don't want to change the settings, set AFL_SKIP_CPUFREQ\n" - " to make afl-fuzz skip this check - but expect some performance drop.\n", - min / 1024, max / 1024); - - FATAL("Suboptimal CPU scaling governor"); - -} - - -/* Count the number of logical CPU cores. */ - -static void get_core_count(void) { - - u32 cur_runnable = 0; - -#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - - size_t s = sizeof(cpu_core_count); - - /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ - -#ifdef __APPLE__ - - if (sysctlbyname("hw.logicalcpu", &cpu_core_count, &s, NULL, 0) < 0) - return; - -#else - - int s_name[2] = { CTL_HW, HW_NCPU }; - - if (sysctl(s_name, 2, &cpu_core_count, &s, NULL, 0) < 0) return; - -#endif /* ^__APPLE__ */ - -#else - -#ifdef HAVE_AFFINITY - - cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); - -#else - - FILE* f = fopen("/proc/stat", "r"); - u8 tmp[1024]; - - if (!f) return; - - while (fgets(tmp, sizeof(tmp), f)) - if (!strncmp(tmp, "cpu", 3) && isdigit(tmp[3])) cpu_core_count++; - - fclose(f); - -#endif /* ^HAVE_AFFINITY */ - -#endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ - - if (cpu_core_count > 0) { - - cur_runnable = (u32)get_runnable_processes(); - -#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - - /* Add ourselves, since the 1-minute average doesn't include that yet. */ - - cur_runnable++; - -#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ - - OKF("You have %u CPU core%s and %u runnable tasks (utilization: %0.0f%%).", - cpu_core_count, cpu_core_count > 1 ? "s" : "", - cur_runnable, cur_runnable * 100.0 / cpu_core_count); - - if (cpu_core_count > 1) { - - if (cur_runnable > cpu_core_count * 1.5) { - - WARNF("System under apparent load, performance may be spotty."); - - } else if (cur_runnable + 1 <= cpu_core_count) { - - OKF("Try parallel jobs - see %s/parallel_fuzzing.txt.", doc_path); - - } - - } - - } else { - - cpu_core_count = 0; - WARNF("Unable to figure out the number of CPU cores."); - - } - -} - - -/* Validate and fix up out_dir and sync_dir when using -S. */ - -static void fix_up_sync(void) { - - u8* x = sync_id; - - if (dumb_mode) - FATAL("-S / -M and -n are mutually exclusive"); - - if (skip_deterministic) { - - if (force_deterministic) - FATAL("use -S instead of -M -d"); - else - FATAL("-S already implies -d"); - - } - - while (*x) { - - if (!isalnum(*x) && *x != '_' && *x != '-') - FATAL("Non-alphanumeric fuzzer ID specified via -S or -M"); - - x++; - - } - - if (strlen(sync_id) > 32) FATAL("Fuzzer ID too long"); - - x = alloc_printf("%s/%s", out_dir, sync_id); - - sync_dir = out_dir; - out_dir = x; - - if (!force_deterministic) { - skip_deterministic = 1; - use_splicing = 1; - } - -} - - -/* Handle screen resize (SIGWINCH). */ - -static void handle_resize(int sig) { - clear_screen = 1; -} - - -/* Check ASAN options. */ - -static void check_asan_opts(void) { - u8* x = getenv("ASAN_OPTIONS"); - - if (x) { - - if (!strstr(x, "abort_on_error=1")) - FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); - - if (!strstr(x, "symbolize=0")) - FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); - - } - - x = getenv("MSAN_OPTIONS"); - - if (x) { - - if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) - FATAL("Custom MSAN_OPTIONS set without exit_code=" - STRINGIFY(MSAN_ERROR) " - please fix!"); - - if (!strstr(x, "symbolize=0")) - FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); - - } - -} - - -/* Detect @@ in args. */ - -EXP_ST void detect_file_args(char** argv) { - - u32 i = 0; - u8* cwd = getcwd(NULL, 0); - - if (!cwd) PFATAL("getcwd() failed"); - - while (argv[i]) { - - u8* aa_loc = strstr(argv[i], "@@"); - - if (aa_loc) { - - u8 *aa_subst, *n_arg; - - /* If we don't have a file name chosen yet, use a safe default. */ - - if (!out_file) - out_file = alloc_printf("%s/.cur_input", out_dir); - - /* Be sure that we're always using fully-qualified paths. */ - - if (out_file[0] == '/') aa_subst = out_file; - else aa_subst = alloc_printf("%s/%s", cwd, out_file); - - /* Construct a replacement argv value. */ - - *aa_loc = 0; - n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); - argv[i] = n_arg; - *aa_loc = '@'; - - if (out_file[0] != '/') ck_free(aa_subst); - - } - - i++; - - } - - free(cwd); /* not tracked */ - -} - - -/* Set up signal handlers. More complicated that needs to be, because libc on - Solaris doesn't resume interrupted reads(), sets SA_RESETHAND when you call - siginterrupt(), and does other unnecessary things. */ - -EXP_ST void setup_signal_handlers(void) { - - struct sigaction sa; - - sa.sa_handler = NULL; - sa.sa_flags = SA_RESTART; - sa.sa_sigaction = NULL; - - sigemptyset(&sa.sa_mask); - - /* Various ways of saying "stop". */ - - sa.sa_handler = handle_stop_sig; - sigaction(SIGHUP, &sa, NULL); - sigaction(SIGINT, &sa, NULL); - sigaction(SIGTERM, &sa, NULL); - - /* Exec timeout notifications. */ - - sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); - - /* Window resize */ - - sa.sa_handler = handle_resize; - sigaction(SIGWINCH, &sa, NULL); - - /* SIGUSR1: skip entry */ - - sa.sa_handler = handle_skipreq; - sigaction(SIGUSR1, &sa, NULL); - - /* Things we don't care about. */ - - sa.sa_handler = SIG_IGN; - sigaction(SIGTSTP, &sa, NULL); - sigaction(SIGPIPE, &sa, NULL); - -} - - -/* Rewrite argv for QEMU. */ - -static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { - - char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); - u8 *tmp, *cp, *rsl, *own_copy; - - /* Workaround for a QEMU stability glitch. */ - - setenv("QEMU_LOG", "nochain", 1); - - memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); - - new_argv[2] = target_path; - new_argv[1] = "--"; - - /* Now we need to actually find the QEMU binary to put in argv[0]. */ - - tmp = getenv("AFL_PATH"); - - if (tmp) { - - cp = alloc_printf("%s/afl-qemu-trace", tmp); - - if (access(cp, X_OK)) - FATAL("Unable to find '%s'", tmp); - - target_path = new_argv[0] = cp; - return new_argv; - - } - - own_copy = ck_strdup(own_loc); - rsl = strrchr(own_copy, '/'); - - if (rsl) { - - *rsl = 0; - - cp = alloc_printf("%s/afl-qemu-trace", own_copy); - ck_free(own_copy); - - if (!access(cp, X_OK)) { - - target_path = new_argv[0] = cp; - return new_argv; - - } - - } else ck_free(own_copy); - - if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { - - target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace"); - return new_argv; - - } - - SAYF("\n" cLRD "[-] " cRST - "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be built\n" - " separately by following the instructions in qemu_mode/README.qemu. If you\n" - " already have the binary installed, you may need to specify AFL_PATH in the\n" - " environment.\n\n" - - " Of course, even without QEMU, afl-fuzz can still work with binaries that are\n" - " instrumented at compile time with afl-gcc. It is also possible to use it as a\n" - " traditional \"dumb\" fuzzer by specifying '-n' in the command line.\n"); - - FATAL("Failed to locate 'afl-qemu-trace'."); - -} - - -/* Make a copy of the current command line. */ - -static void save_cmdline(u32 argc, char** argv) { - - u32 len = 1, i; - u8* buf; - - for (i = 0; i < argc; i++) - len += strlen(argv[i]) + 1; - - buf = orig_cmdline = ck_alloc(len); - - for (i = 0; i < argc; i++) { - - u32 l = strlen(argv[i]); - - memcpy(buf, argv[i], l); - buf += l; - - if (i != argc - 1) *(buf++) = ' '; - - } - - *buf = 0; - -} - - -#ifndef AFL_LIB - -/* Main entry point */ - -int main(int argc, char** argv) { - - s32 opt; - u64 prev_queued = 0; - u32 sync_interval_cnt = 0, seek_to; - u8 *extras_dir = 0; - u8 mem_limit_given = 0; - u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE"); - char** use_argv; - - struct timeval tv; - struct timezone tz; - - SAYF(cCYA "afl-fuzz " cBRI VERSION cRST " by \n"); - - doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - - gettimeofday(&tv, &tz); - srandom(tv.tv_sec ^ tv.tv_usec ^ getpid()); - - while ((opt = getopt(argc, argv, "+i:o:f:m:b:t:T:dnCB:S:M:x:QV")) > 0) - - switch (opt) { - - case 'i': /* input dir */ - - if (in_dir) FATAL("Multiple -i options not supported"); - in_dir = optarg; - - if (!strcmp(in_dir, "-")) in_place_resume = 1; - - break; - - case 'o': /* output dir */ - - if (out_dir) FATAL("Multiple -o options not supported"); - out_dir = optarg; - break; - - case 'M': { /* master sync ID */ - - u8* c; - - if (sync_id) FATAL("Multiple -S or -M options not supported"); - sync_id = ck_strdup(optarg); - - if ((c = strchr(sync_id, ':'))) { - - *c = 0; - - if (sscanf(c + 1, "%u/%u", &master_id, &master_max) != 2 || - !master_id || !master_max || master_id > master_max || - master_max > 1000000) FATAL("Bogus master ID passed to -M"); - - } - - force_deterministic = 1; - - } - - break; - - case 'S': - - if (sync_id) FATAL("Multiple -S or -M options not supported"); - sync_id = ck_strdup(optarg); - break; - - case 'f': /* target file */ - - if (out_file) FATAL("Multiple -f options not supported"); - out_file = optarg; - break; - - case 'x': /* dictionary */ - - if (extras_dir) FATAL("Multiple -x options not supported"); - extras_dir = optarg; - break; - - case 't': { /* timeout */ - - u8 suffix = 0; - - if (timeout_given) FATAL("Multiple -t options not supported"); - - if (sscanf(optarg, "%u%c", &exec_tmout, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -t"); - - if (exec_tmout < 5) FATAL("Dangerously low value of -t"); - - if (suffix == '+') timeout_given = 2; else timeout_given = 1; - - break; - - } - - case 'm': { /* mem limit */ - - u8 suffix = 'M'; - - if (mem_limit_given) FATAL("Multiple -m options not supported"); - mem_limit_given = 1; - - if (!strcmp(optarg, "none")) { - - mem_limit = 0; - break; - - } - - if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -m"); - - switch (suffix) { - - case 'T': mem_limit *= 1024 * 1024; break; - case 'G': mem_limit *= 1024; break; - case 'k': mem_limit /= 1024; break; - case 'M': break; - - default: FATAL("Unsupported suffix or bad syntax for -m"); - - } - - if (mem_limit < 5) FATAL("Dangerously low value of -m"); - - if (sizeof(rlim_t) == 4 && mem_limit > 2000) - FATAL("Value of -m out of range on 32-bit systems"); - - } - - break; - - case 'b': { /* bind CPU core */ - - if (cpu_to_bind_given) FATAL("Multiple -b options not supported"); - cpu_to_bind_given = 1; - - if (sscanf(optarg, "%u", &cpu_to_bind) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -b"); - - break; - - } - - case 'd': /* skip deterministic */ - - if (skip_deterministic) FATAL("Multiple -d options not supported"); - skip_deterministic = 1; - use_splicing = 1; - break; - - case 'B': /* load bitmap */ - - /* This is a secret undocumented option! It is useful if you find - an interesting test case during a normal fuzzing process, and want - to mutate it without rediscovering any of the test cases already - found during an earlier run. - - To use this mode, you need to point -B to the fuzz_bitmap produced - by an earlier run for the exact same binary... and that's it. - - I only used this once or twice to get variants of a particular - file, so I'm not making this an official setting. */ - - if (in_bitmap) FATAL("Multiple -B options not supported"); - - in_bitmap = optarg; - read_bitmap(in_bitmap); - break; - - case 'C': /* crash mode */ - - if (crash_mode) FATAL("Multiple -C options not supported"); - crash_mode = FAULT_CRASH; - break; - - case 'n': /* dumb mode */ - - if (dumb_mode) FATAL("Multiple -n options not supported"); - if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2; else dumb_mode = 1; - - break; - - case 'T': /* banner */ - - if (use_banner) FATAL("Multiple -T options not supported"); - use_banner = optarg; - break; - - case 'Q': /* QEMU mode */ - - if (qemu_mode) FATAL("Multiple -Q options not supported"); - qemu_mode = 1; - - if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; - - break; - - case 'V': /* Show version number */ - - /* Version number has been printed already, just quit. */ - exit(0); - - default: - - usage(argv[0]); - - } - - if (optind == argc || !in_dir || !out_dir) usage(argv[0]); - - setup_signal_handlers(); - check_asan_opts(); - - if (sync_id) fix_up_sync(); - - if (!strcmp(in_dir, out_dir)) - FATAL("Input and output directories can't be the same"); - - if (dumb_mode) { - - if (crash_mode) FATAL("-C and -n are mutually exclusive"); - if (qemu_mode) FATAL("-Q and -n are mutually exclusive"); - - } - - if (getenv("AFL_NO_FORKSRV")) no_forkserver = 1; - if (getenv("AFL_NO_CPU_RED")) no_cpu_meter_red = 1; - if (getenv("AFL_NO_ARITH")) no_arith = 1; - if (getenv("AFL_SHUFFLE_QUEUE")) shuffle_queue = 1; - if (getenv("AFL_FAST_CAL")) fast_cal = 1; - - if (getenv("AFL_HANG_TMOUT")) { - hang_tmout = atoi(getenv("AFL_HANG_TMOUT")); - if (!hang_tmout) FATAL("Invalid value of AFL_HANG_TMOUT"); - } - - if (dumb_mode == 2 && no_forkserver) - FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); - - if (getenv("AFL_PRELOAD")) { - setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); - setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); - } - - if (getenv("AFL_LD_PRELOAD")) - FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD"); - - save_cmdline(argc, argv); - - fix_up_banner(argv[optind]); - - check_if_tty(); - - get_core_count(); - -#ifdef HAVE_AFFINITY - bind_to_free_cpu(); -#endif /* HAVE_AFFINITY */ - - check_crash_handling(); - check_cpu_governor(); - - setup_post(); - setup_shm(); - init_count_class16(); - - setup_dirs_fds(); - read_testcases(); - load_auto(); - - pivot_inputs(); - - if (extras_dir) load_extras(extras_dir); - - if (!timeout_given) find_timeout(); - - detect_file_args(argv + optind + 1); - - if (!out_file) setup_stdio_file(); - - check_binary(argv[optind]); - - start_time = get_cur_time(); - - if (qemu_mode) - use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); - else - use_argv = argv + optind; - - perform_dry_run(use_argv); - - cull_queue(); - - show_init_stats(); - - seek_to = find_start_position(); - - write_stats_file(0, 0, 0); - save_auto(); - - if (stop_soon) goto stop_fuzzing; - - /* Woop woop woop */ - - if (!not_on_tty) { - sleep(4); - start_time += 4000; - if (stop_soon) goto stop_fuzzing; - } - - while (1) { - - u8 skipped_fuzz; - - cull_queue(); - - if (!queue_cur) { - - queue_cycle++; - current_entry = 0; - cur_skipped_paths = 0; - queue_cur = queue; - - while (seek_to) { - current_entry++; - seek_to--; - queue_cur = queue_cur->next; - } - - show_stats(); - - if (not_on_tty) { - ACTF("Entering queue cycle %llu.", queue_cycle); - fflush(stdout); - } - - /* If we had a full queue cycle with no new finds, try - recombination strategies next. */ - - if (queued_paths == prev_queued) { - - if (use_splicing) cycles_wo_finds++; else use_splicing = 1; - - } else cycles_wo_finds = 0; - - prev_queued = queued_paths; - - if (sync_id && queue_cycle == 1 && getenv("AFL_IMPORT_FIRST")) - sync_fuzzers(use_argv); - - } - - skipped_fuzz = fuzz_one(use_argv); - - if (!stop_soon && sync_id && !skipped_fuzz) { - - if (!(sync_interval_cnt++ % SYNC_INTERVAL)) - sync_fuzzers(use_argv); - - } - - if (!stop_soon && exit_1) stop_soon = 2; - - if (stop_soon) break; - - queue_cur = queue_cur->next; - current_entry++; - - } - - if (queue_cur) show_stats(); - - /* If we stopped programmatically, we kill the forkserver and the current runner. - If we stopped manually, this is done by the signal handler. */ - if (stop_soon == 2) { - if (child_pid > 0) kill(child_pid, SIGKILL); - if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); - } - /* Now that we've killed the forkserver, we wait for it to be able to get rusage stats. */ - if (waitpid(forksrv_pid, NULL, 0) <= 0) { - WARNF("error waitpid\n"); - } - - write_bitmap(); - write_stats_file(0, 0, 0); - save_auto(); - -stop_fuzzing: - - SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, - stop_soon == 2 ? "programmatically" : "by user"); - - /* Running for more than 30 minutes but still doing first cycle? */ - - if (queue_cycle == 1 && get_cur_time() - start_time > 30 * 60 * 1000) { - - SAYF("\n" cYEL "[!] " cRST - "Stopped during the first cycle, results may be incomplete.\n" - " (For info on resuming, see %s/README.)\n", doc_path); - - } - - fclose(plot_file); - destroy_queue(); - destroy_extras(); - ck_free(target_path); - ck_free(sync_id); - - alloc_report(); - - OKF("We're done here. Have a nice day!\n"); - - exit(0); - -} - -#endif /* !AFL_LIB */ +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - fuzzer code + -------------------------------- + + Written and maintained by Michal Zalewski + + Forkserver design by Jann Horn + + This is the real deal: the program takes an instrumented binary and + attempts a variety of basic fuzzing tricks, paying close attention to + how they affect the execution path. + +*/ + +#define AFL_MAIN +#include "android-ashmem.h" +#define MESSAGES_TO_STDOUT + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif +#define _FILE_OFFSET_BITS 64 + +#include "config.h" +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" +#include "hash.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) +# include +#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ + +/* For systems that have sched_setaffinity; right now just Linux, but one + can hope... */ + +#ifdef __linux__ +# define HAVE_AFFINITY 1 +#endif /* __linux__ */ + +/* A toggle to export some variables when building as a library. Not very + useful for the general public. */ + +#ifdef AFL_LIB +# define EXP_ST +#else +# define EXP_ST static +#endif /* ^AFL_LIB */ + +/* Lots of globals, but mostly for the status UI and other things where it + really makes no sense to haul them around as function parameters. */ + + +EXP_ST u8 *in_dir, /* Input directory with test cases */ + *out_file, /* File to fuzz, if any */ + *out_dir, /* Working & output directory */ + *sync_dir, /* Synchronization directory */ + *sync_id, /* Fuzzer ID */ + *use_banner, /* Display banner */ + *in_bitmap, /* Input bitmap */ + *doc_path, /* Path to documentation dir */ + *target_path, /* Path to target binary */ + *orig_cmdline; /* Original command line */ + +EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */ +static u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */ + +EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */ + +EXP_ST u32 cpu_to_bind = 0; /* id of free CPU core to bind */ + +static u32 stats_update_freq = 1; /* Stats update frequency (execs) */ + +EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ + force_deterministic, /* Force deterministic stages? */ + use_splicing, /* Recombine input files? */ + dumb_mode, /* Run in non-instrumented mode? */ + score_changed, /* Scoring for favorites changed? */ + kill_signal, /* Signal that killed the child */ + resuming_fuzz, /* Resuming an older fuzzing job? */ + timeout_given, /* Specific timeout given? */ + cpu_to_bind_given, /* Specified cpu_to_bind given? */ + not_on_tty, /* stdout is not a tty */ + term_too_small, /* terminal dimensions too small */ + uses_asan, /* Target uses ASAN? */ + no_forkserver, /* Disable forkserver? */ + crash_mode, /* Crash mode! Yeah! */ + in_place_resume, /* Attempt in-place resume? */ + auto_changed, /* Auto-generated tokens changed? */ + no_cpu_meter_red, /* Feng shui on the status screen */ + no_arith, /* Skip most arithmetic ops */ + shuffle_queue, /* Shuffle input queue? */ + bitmap_changed = 1, /* Time to update bitmap? */ + qemu_mode, /* Running in QEMU mode? */ + skip_requested, /* Skip request, via SIGUSR1 */ + run_over10m, /* Run time over 10 minutes? */ + persistent_mode, /* Running in persistent mode? */ + deferred_mode, /* Deferred forkserver mode? */ + fast_cal; /* Try to calibrate faster? */ + +static s32 out_fd, /* Persistent fd for out_file */ + dev_urandom_fd = -1, /* Persistent fd for /dev/urandom */ + dev_null_fd = -1, /* Persistent fd for /dev/null */ + fsrv_ctl_fd, /* Fork server control pipe (write) */ + fsrv_st_fd; /* Fork server status pipe (read) */ + +static s32 forksrv_pid, /* PID of the fork server */ + child_pid = -1, /* PID of the fuzzed program */ + out_dir_fd = -1; /* FD of the lock file */ + +EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */ + +EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ + virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ + virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ + +static u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ + +static s32 shm_id; /* ID of the SHM region */ + +static volatile u8 stop_soon, /* Ctrl-C pressed? */ + clear_screen = 1, /* Window resized? */ + child_timed_out; /* Traced process timed out? */ + +EXP_ST u32 queued_paths, /* Total number of queued testcases */ + queued_variable, /* Testcases with variable behavior */ + queued_at_start, /* Total number of initial inputs */ + queued_discovered, /* Items discovered during this run */ + queued_imported, /* Items imported via -S */ + queued_favored, /* Paths deemed favorable */ + queued_with_cov, /* Paths with new coverage bytes */ + pending_not_fuzzed, /* Queued but not done yet */ + pending_favored, /* Pending favored paths */ + cur_skipped_paths, /* Abandoned inputs in cur cycle */ + cur_depth, /* Current path depth */ + max_depth, /* Max path depth */ + useless_at_start, /* Number of useless starting paths */ + var_byte_count, /* Bitmap bytes with var behavior */ + current_entry, /* Current queue entry ID */ + havoc_div = 1; /* Cycle count divisor for havoc */ + +EXP_ST u64 total_crashes, /* Total number of crashes */ + unique_crashes, /* Crashes with unique signatures */ + total_tmouts, /* Total number of timeouts */ + unique_tmouts, /* Timeouts with unique signatures */ + unique_hangs, /* Hangs with unique signatures */ + total_execs, /* Total execve() calls */ + slowest_exec_ms, /* Slowest testcase non hang in ms */ + start_time, /* Unix start time (ms) */ + last_path_time, /* Time for most recent path (ms) */ + last_crash_time, /* Time for most recent crash (ms) */ + last_hang_time, /* Time for most recent hang (ms) */ + last_crash_execs, /* Exec counter at last crash */ + queue_cycle, /* Queue round counter */ + cycles_wo_finds, /* Cycles without any new paths */ + trim_execs, /* Execs done to trim input files */ + bytes_trim_in, /* Bytes coming into the trimmer */ + bytes_trim_out, /* Bytes coming outa the trimmer */ + blocks_eff_total, /* Blocks subject to effector maps */ + blocks_eff_select; /* Blocks selected as fuzzable */ + +static u32 subseq_tmouts; /* Number of timeouts in a row */ + +static u8 *stage_name = "init", /* Name of the current fuzz stage */ + *stage_short, /* Short stage name */ + *syncing_party; /* Currently syncing with... */ + +static s32 stage_cur, stage_max; /* Stage progression */ +static s32 splicing_with = -1; /* Splicing with which test case? */ + +static u32 master_id, master_max; /* Master instance job splitting */ + +static u32 syncing_case; /* Syncing with case #... */ + +static s32 stage_cur_byte, /* Byte offset of current stage op */ + stage_cur_val; /* Value used for stage op */ + +static u8 stage_val_type; /* Value type (STAGE_VAL_*) */ + +static u64 stage_finds[32], /* Patterns found per fuzz stage */ + stage_cycles[32]; /* Execs per fuzz stage */ + +static u32 rand_cnt; /* Random number counter */ + +static u64 total_cal_us, /* Total calibration time (us) */ + total_cal_cycles; /* Total calibration cycles */ + +static u64 total_bitmap_size, /* Total bit count for all bitmaps */ + total_bitmap_entries; /* Number of bitmaps counted */ + +static s32 cpu_core_count; /* CPU core count */ + +#ifdef HAVE_AFFINITY + +static s32 cpu_aff = -1; /* Selected CPU core */ + +#endif /* HAVE_AFFINITY */ + +static FILE* plot_file; /* Gnuplot output file */ + +struct queue_entry { + + u8* fname; /* File name for the test case */ + u32 len; /* Input length */ + + u8 cal_failed, /* Calibration failed? */ + trim_done, /* Trimmed? */ + was_fuzzed, /* Had any fuzzing done yet? */ + passed_det, /* Deterministic stages passed? */ + has_new_cov, /* Triggers new coverage? */ + var_behavior, /* Variable behavior? */ + favored, /* Currently favored? */ + fs_redundant; /* Marked as redundant in the fs? */ + + u32 bitmap_size, /* Number of bits set in bitmap */ + exec_cksum; /* Checksum of the execution trace */ + + u64 exec_us, /* Execution time (us) */ + handicap, /* Number of queue cycles behind */ + depth; /* Path depth */ + + u8* trace_mini; /* Trace bytes, if kept */ + u32 tc_ref; /* Trace bytes ref count */ + + struct queue_entry *next, /* Next element, if any */ + *next_100; /* 100 elements ahead */ + +}; + +static struct queue_entry *queue, /* Fuzzing queue (linked list) */ + *queue_cur, /* Current offset within the queue */ + *queue_top, /* Top of the list */ + *q_prev100; /* Previous 100 marker */ + +static struct queue_entry* + top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + +struct extra_data { + u8* data; /* Dictionary token data */ + u32 len; /* Dictionary token length */ + u32 hit_cnt; /* Use count in the corpus */ +}; + +static struct extra_data* extras; /* Extra tokens to fuzz with */ +static u32 extras_cnt; /* Total number of tokens read */ + +static struct extra_data* a_extras; /* Automatically selected extras */ +static u32 a_extras_cnt; /* Total number of tokens available */ + +static u8* (*post_handler)(u8* buf, u32* len); + +/* Interesting values, as per config.h */ + +static s8 interesting_8[] = { INTERESTING_8 }; +static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 }; +static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 }; + +/* Fuzzing stages */ + +enum { + /* 00 */ STAGE_FLIP1, + /* 01 */ STAGE_FLIP2, + /* 02 */ STAGE_FLIP4, + /* 03 */ STAGE_FLIP8, + /* 04 */ STAGE_FLIP16, + /* 05 */ STAGE_FLIP32, + /* 06 */ STAGE_ARITH8, + /* 07 */ STAGE_ARITH16, + /* 08 */ STAGE_ARITH32, + /* 09 */ STAGE_INTEREST8, + /* 10 */ STAGE_INTEREST16, + /* 11 */ STAGE_INTEREST32, + /* 12 */ STAGE_EXTRAS_UO, + /* 13 */ STAGE_EXTRAS_UI, + /* 14 */ STAGE_EXTRAS_AO, + /* 15 */ STAGE_HAVOC, + /* 16 */ STAGE_SPLICE +}; + +/* Stage value types */ + +enum { + /* 00 */ STAGE_VAL_NONE, + /* 01 */ STAGE_VAL_LE, + /* 02 */ STAGE_VAL_BE +}; + +/* Execution status fault codes */ + +enum { + /* 00 */ FAULT_NONE, + /* 01 */ FAULT_TMOUT, + /* 02 */ FAULT_CRASH, + /* 03 */ FAULT_ERROR, + /* 04 */ FAULT_NOINST, + /* 05 */ FAULT_NOBITS +}; + + +/* Get unix time in milliseconds */ + +static u64 get_cur_time(void) { + + struct timeval tv; + struct timezone tz; + + gettimeofday(&tv, &tz); + + return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000); + +} + + +/* Get unix time in microseconds */ + +static u64 get_cur_time_us(void) { + + struct timeval tv; + struct timezone tz; + + gettimeofday(&tv, &tz); + + return (tv.tv_sec * 1000000ULL) + tv.tv_usec; + +} + + +/* Generate a random number (from 0 to limit - 1). This may + have slight bias. */ + +static inline u32 UR(u32 limit) { + + if (unlikely(!rand_cnt--)) { + + u32 seed[2]; + + ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom"); + + srandom(seed[0]); + rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG); + + } + + return random() % limit; + +} + + +/* Shuffle an array of pointers. Might be slightly biased. */ + +static void shuffle_ptrs(void** ptrs, u32 cnt) { + + u32 i; + + for (i = 0; i < cnt - 2; i++) { + + u32 j = i + UR(cnt - i); + void *s = ptrs[i]; + ptrs[i] = ptrs[j]; + ptrs[j] = s; + + } + +} + + +#ifdef HAVE_AFFINITY + +/* Build a list of processes bound to specific cores. Returns -1 if nothing + can be found. Assumes an upper bound of 4k CPUs. */ + +static void bind_to_free_cpu(void) { + + DIR* d; + struct dirent* de; + cpu_set_t c; + + u8 cpu_used[4096] = { 0 }; + u32 i; + + if (cpu_core_count < 2) return; + + if (getenv("AFL_NO_AFFINITY")) { + + WARNF("Not binding to a CPU core (AFL_NO_AFFINITY set)."); + return; + + } + + d = opendir("/proc"); + + if (!d) { + + WARNF("Unable to access /proc - can't scan for free CPU cores."); + return; + + } + + ACTF("Checking CPU core loadout..."); + + /* Introduce some jitter, in case multiple AFL tasks are doing the same + thing at the same time... */ + + usleep(R(1000) * 250); + + /* Scan all /proc//status entries, checking for Cpus_allowed_list. + Flag all processes bound to a specific CPU using cpu_used[]. This will + fail for some exotic binding setups, but is likely good enough in almost + all real-world use cases. */ + + while ((de = readdir(d))) { + + u8* fn; + FILE* f; + u8 tmp[MAX_LINE]; + u8 has_vmsize = 0; + + if (!isdigit(de->d_name[0])) continue; + + fn = alloc_printf("/proc/%s/status", de->d_name); + + if (!(f = fopen(fn, "r"))) { + ck_free(fn); + continue; + } + + while (fgets(tmp, MAX_LINE, f)) { + + u32 hval; + + /* Processes without VmSize are probably kernel tasks. */ + + if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; + + if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && + !strchr(tmp, '-') && !strchr(tmp, ',') && + sscanf(tmp + 19, "%u", &hval) == 1 && hval < sizeof(cpu_used) && + has_vmsize) { + + cpu_used[hval] = 1; + break; + + } + + } + + ck_free(fn); + fclose(f); + + } + + closedir(d); + if (cpu_to_bind_given) { + + if (cpu_to_bind >= cpu_core_count) + FATAL("The CPU core id to bind should be between 0 and %u", cpu_core_count - 1); + + if (cpu_used[cpu_to_bind]) + FATAL("The CPU core #%u to bind is not free!", cpu_to_bind); + + i = cpu_to_bind; + + } else { + + for (i = 0; i < cpu_core_count; i++) if (!cpu_used[i]) break; + + } + + if (i == cpu_core_count) { + + SAYF("\n" cLRD "[-] " cRST + "Uh-oh, looks like all %u CPU cores on your system are allocated to\n" + " other instances of afl-fuzz (or similar CPU-locked tasks). Starting\n" + " another fuzzer on this machine is probably a bad plan, but if you are\n" + " absolutely sure, you can set AFL_NO_AFFINITY and try again.\n", + cpu_core_count); + + FATAL("No more free CPU cores"); + + } + + OKF("Found a free CPU core, binding to #%u.", i); + + cpu_aff = i; + + CPU_ZERO(&c); + CPU_SET(i, &c); + + if (sched_setaffinity(0, sizeof(c), &c)) + PFATAL("sched_setaffinity failed"); + +} + +#endif /* HAVE_AFFINITY */ + +#ifndef IGNORE_FINDS + +/* Helper function to compare buffers; returns first and last differing offset. We + use this to find reasonable locations for splicing two files. */ + +static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { + + s32 f_loc = -1; + s32 l_loc = -1; + u32 pos; + + for (pos = 0; pos < len; pos++) { + + if (*(ptr1++) != *(ptr2++)) { + + if (f_loc == -1) f_loc = pos; + l_loc = pos; + + } + + } + + *first = f_loc; + *last = l_loc; + + return; + +} + +#endif /* !IGNORE_FINDS */ + + +/* Describe integer. Uses 12 cyclic static buffers for return values. The value + returned should be five characters or less for all the integers we reasonably + expect to see. */ + +static u8* DI(u64 val) { + + static u8 tmp[12][16]; + static u8 cur; + + cur = (cur + 1) % 12; + +#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) do { \ + if (val < (_divisor) * (_limit_mult)) { \ + sprintf(tmp[cur], _fmt, ((_cast)val) / (_divisor)); \ + return tmp[cur]; \ + } \ + } while (0) + + /* 0-9999 */ + CHK_FORMAT(1, 10000, "%llu", u64); + + /* 10.0k - 99.9k */ + CHK_FORMAT(1000, 99.95, "%0.01fk", double); + + /* 100k - 999k */ + CHK_FORMAT(1000, 1000, "%lluk", u64); + + /* 1.00M - 9.99M */ + CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); + + /* 10.0M - 99.9M */ + CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); + + /* 100M - 999M */ + CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); + + /* 1.00G - 9.99G */ + CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); + + /* 10.0G - 99.9G */ + CHK_FORMAT(1000LL * 1000 * 1000, 99.95, "%0.01fG", double); + + /* 100G - 999G */ + CHK_FORMAT(1000LL * 1000 * 1000, 1000, "%lluG", u64); + + /* 1.00T - 9.99G */ + CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 9.995, "%0.02fT", double); + + /* 10.0T - 99.9T */ + CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 99.95, "%0.01fT", double); + + /* 100T+ */ + strcpy(tmp[cur], "infty"); + return tmp[cur]; + +} + + +/* Describe float. Similar to the above, except with a single + static buffer. */ + +static u8* DF(double val) { + + static u8 tmp[16]; + + if (val < 99.995) { + sprintf(tmp, "%0.02f", val); + return tmp; + } + + if (val < 999.95) { + sprintf(tmp, "%0.01f", val); + return tmp; + } + + return DI((u64)val); + +} + + +/* Describe integer as memory size. */ + +static u8* DMS(u64 val) { + + static u8 tmp[12][16]; + static u8 cur; + + cur = (cur + 1) % 12; + + /* 0-9999 */ + CHK_FORMAT(1, 10000, "%llu B", u64); + + /* 10.0k - 99.9k */ + CHK_FORMAT(1024, 99.95, "%0.01f kB", double); + + /* 100k - 999k */ + CHK_FORMAT(1024, 1000, "%llu kB", u64); + + /* 1.00M - 9.99M */ + CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); + + /* 10.0M - 99.9M */ + CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); + + /* 100M - 999M */ + CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); + + /* 1.00G - 9.99G */ + CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); + + /* 10.0G - 99.9G */ + CHK_FORMAT(1024LL * 1024 * 1024, 99.95, "%0.01f GB", double); + + /* 100G - 999G */ + CHK_FORMAT(1024LL * 1024 * 1024, 1000, "%llu GB", u64); + + /* 1.00T - 9.99G */ + CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 9.995, "%0.02f TB", double); + + /* 10.0T - 99.9T */ + CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 99.95, "%0.01f TB", double); + +#undef CHK_FORMAT + + /* 100T+ */ + strcpy(tmp[cur], "infty"); + return tmp[cur]; + +} + + +/* Describe time delta. Returns one static buffer, 34 chars of less. */ + +static u8* DTD(u64 cur_ms, u64 event_ms) { + + static u8 tmp[64]; + u64 delta; + s32 t_d, t_h, t_m, t_s; + + if (!event_ms) return "none seen yet"; + + delta = cur_ms - event_ms; + + t_d = delta / 1000 / 60 / 60 / 24; + t_h = (delta / 1000 / 60 / 60) % 24; + t_m = (delta / 1000 / 60) % 60; + t_s = (delta / 1000) % 60; + + sprintf(tmp, "%s days, %u hrs, %u min, %u sec", DI(t_d), t_h, t_m, t_s); + return tmp; + +} + + +/* Mark deterministic checks as done for a particular queue entry. We use the + .state file to avoid repeating deterministic fuzzing when resuming aborted + scans. */ + +static void mark_as_det_done(struct queue_entry* q) { + + u8* fn = strrchr(q->fname, '/'); + s32 fd; + + fn = alloc_printf("%s/queue/.state/deterministic_done/%s", out_dir, fn + 1); + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + close(fd); + + ck_free(fn); + + q->passed_det = 1; + +} + + +/* Mark as variable. Create symlinks if possible to make it easier to examine + the files. */ + +static void mark_as_variable(struct queue_entry* q) { + + u8 *fn = strrchr(q->fname, '/') + 1, *ldest; + + ldest = alloc_printf("../../%s", fn); + fn = alloc_printf("%s/queue/.state/variable_behavior/%s", out_dir, fn); + + if (symlink(ldest, fn)) { + + s32 fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + close(fd); + + } + + ck_free(ldest); + ck_free(fn); + + q->var_behavior = 1; + +} + + +/* Mark / unmark as redundant (edge-only). This is not used for restoring state, + but may be useful for post-processing datasets. */ + +static void mark_as_redundant(struct queue_entry* q, u8 state) { + + u8* fn; + s32 fd; + + if (state == q->fs_redundant) return; + + q->fs_redundant = state; + + fn = strrchr(q->fname, '/'); + fn = alloc_printf("%s/queue/.state/redundant_edges/%s", out_dir, fn + 1); + + if (state) { + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + close(fd); + + } else { + + if (unlink(fn)) PFATAL("Unable to remove '%s'", fn); + + } + + ck_free(fn); + +} + + +/* Append new test case to the queue. */ + +static void add_to_queue(u8* fname, u32 len, u8 passed_det) { + + struct queue_entry* q = ck_alloc(sizeof(struct queue_entry)); + + q->fname = fname; + q->len = len; + q->depth = cur_depth + 1; + q->passed_det = passed_det; + + if (q->depth > max_depth) max_depth = q->depth; + + if (queue_top) { + + queue_top->next = q; + queue_top = q; + + } else q_prev100 = queue = queue_top = q; + + queued_paths++; + pending_not_fuzzed++; + + cycles_wo_finds = 0; + + /* Set next_100 pointer for every 100th element (index 0, 100, etc) to allow faster iteration. */ + if ((queued_paths - 1) % 100 == 0 && queued_paths > 1) { + + q_prev100->next_100 = q; + q_prev100 = q; + + } + + last_path_time = get_cur_time(); + +} + + +/* Destroy the entire queue. */ + +EXP_ST void destroy_queue(void) { + + struct queue_entry *q = queue, *n; + + while (q) { + + n = q->next; + ck_free(q->fname); + ck_free(q->trace_mini); + ck_free(q); + q = n; + + } + +} + + +/* Write bitmap to file. The bitmap is useful mostly for the secret + -B option, to focus a separate fuzzing session on a particular + interesting input without rediscovering all the others. */ + +EXP_ST void write_bitmap(void) { + + u8* fname; + s32 fd; + + if (!bitmap_changed) return; + bitmap_changed = 0; + + fname = alloc_printf("%s/fuzz_bitmap", out_dir); + fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, 0600); + + if (fd < 0) PFATAL("Unable to open '%s'", fname); + + ck_write(fd, virgin_bits, MAP_SIZE, fname); + + close(fd); + ck_free(fname); + +} + + +/* Read bitmap from file. This is for the -B option again. */ + +EXP_ST void read_bitmap(u8* fname) { + + s32 fd = open(fname, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", fname); + + ck_read(fd, virgin_bits, MAP_SIZE, fname); + + close(fd); + +} + + +/* Check if the current execution path brings anything new to the table. + Update virgin bits to reflect the finds. Returns 1 if the only change is + the hit-count for a particular tuple; 2 if there are new tuples seen. + Updates the map, so subsequent calls will always return 0. + + This function is called after every exec() on a fairly large buffer, so + it needs to be fast. We do this in 32-bit and 64-bit flavors. */ + +static inline u8 has_new_bits(u8* virgin_map) { + +#ifdef WORD_SIZE_64 + + u64* current = (u64*)trace_bits; + u64* virgin = (u64*)virgin_map; + + u32 i = (MAP_SIZE >> 3); + +#else + + u32* current = (u32*)trace_bits; + u32* virgin = (u32*)virgin_map; + + u32 i = (MAP_SIZE >> 2); + +#endif /* ^WORD_SIZE_64 */ + + u8 ret = 0; + + while (i--) { + + /* Optimize for (*current & *virgin) == 0 - i.e., no bits in current bitmap + that have not been already cleared from the virgin map - since this will + almost always be the case. */ + + if (unlikely(*current) && unlikely(*current & *virgin)) { + + if (likely(ret < 2)) { + + u8* cur = (u8*)current; + u8* vir = (u8*)virgin; + + /* Looks like we have not found any new bytes yet; see if any non-zero + bytes in current[] are pristine in virgin[]. */ + +#ifdef WORD_SIZE_64 + + if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff) || + (cur[4] && vir[4] == 0xff) || (cur[5] && vir[5] == 0xff) || + (cur[6] && vir[6] == 0xff) || (cur[7] && vir[7] == 0xff)) ret = 2; + else ret = 1; + +#else + + if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) ret = 2; + else ret = 1; + +#endif /* ^WORD_SIZE_64 */ + + } + + *virgin &= ~*current; + + } + + current++; + virgin++; + + } + + if (ret && virgin_map == virgin_bits) bitmap_changed = 1; + + return ret; + +} + + +/* Count the number of bits set in the provided bitmap. Used for the status + screen several times every second, does not have to be fast. */ + +static u32 count_bits(u8* mem) { + + u32* ptr = (u32*)mem; + u32 i = (MAP_SIZE >> 2); + u32 ret = 0; + + while (i--) { + + u32 v = *(ptr++); + + /* This gets called on the inverse, virgin bitmap; optimize for sparse + data. */ + + if (v == 0xffffffff) { + ret += 32; + continue; + } + + v -= ((v >> 1) & 0x55555555); + v = (v & 0x33333333) + ((v >> 2) & 0x33333333); + ret += (((v + (v >> 4)) & 0xF0F0F0F) * 0x01010101) >> 24; + + } + + return ret; + +} + + +#define FF(_b) (0xff << ((_b) << 3)) + +/* Count the number of bytes set in the bitmap. Called fairly sporadically, + mostly to update the status screen or calibrate and examine confirmed + new paths. */ + +static u32 count_bytes(u8* mem) { + + u32* ptr = (u32*)mem; + u32 i = (MAP_SIZE >> 2); + u32 ret = 0; + + while (i--) { + + u32 v = *(ptr++); + + if (!v) continue; + if (v & FF(0)) ret++; + if (v & FF(1)) ret++; + if (v & FF(2)) ret++; + if (v & FF(3)) ret++; + + } + + return ret; + +} + + +/* Count the number of non-255 bytes set in the bitmap. Used strictly for the + status screen, several calls per second or so. */ + +static u32 count_non_255_bytes(u8* mem) { + + u32* ptr = (u32*)mem; + u32 i = (MAP_SIZE >> 2); + u32 ret = 0; + + while (i--) { + + u32 v = *(ptr++); + + /* This is called on the virgin bitmap, so optimize for the most likely + case. */ + + if (v == 0xffffffff) continue; + if ((v & FF(0)) != FF(0)) ret++; + if ((v & FF(1)) != FF(1)) ret++; + if ((v & FF(2)) != FF(2)) ret++; + if ((v & FF(3)) != FF(3)) ret++; + + } + + return ret; + +} + + +/* Destructively simplify trace by eliminating hit count information + and replacing it with 0x80 or 0x01 depending on whether the tuple + is hit or not. Called on every new crash or timeout, should be + reasonably fast. */ + +static const u8 simplify_lookup[256] = { + + [0] = 1, + [1 ... 255] = 128 + +}; + +#ifdef WORD_SIZE_64 + +static void simplify_trace(u64* mem) { + + u32 i = MAP_SIZE >> 3; + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { + + u8* mem8 = (u8*)mem; + + mem8[0] = simplify_lookup[mem8[0]]; + mem8[1] = simplify_lookup[mem8[1]]; + mem8[2] = simplify_lookup[mem8[2]]; + mem8[3] = simplify_lookup[mem8[3]]; + mem8[4] = simplify_lookup[mem8[4]]; + mem8[5] = simplify_lookup[mem8[5]]; + mem8[6] = simplify_lookup[mem8[6]]; + mem8[7] = simplify_lookup[mem8[7]]; + + } else *mem = 0x0101010101010101ULL; + + mem++; + + } + +} + +#else + +static void simplify_trace(u32* mem) { + + u32 i = MAP_SIZE >> 2; + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { + + u8* mem8 = (u8*)mem; + + mem8[0] = simplify_lookup[mem8[0]]; + mem8[1] = simplify_lookup[mem8[1]]; + mem8[2] = simplify_lookup[mem8[2]]; + mem8[3] = simplify_lookup[mem8[3]]; + + } else *mem = 0x01010101; + + mem++; + } + +} + +#endif /* ^WORD_SIZE_64 */ + + +/* Destructively classify execution counts in a trace. This is used as a + preprocessing step for any newly acquired traces. Called on every exec, + must be fast. */ + +static const u8 count_class_lookup8[256] = { + + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 4, + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 + +}; + +static u16 count_class_lookup16[65536]; + + +EXP_ST void init_count_class16(void) { + + u32 b1, b2; + + for (b1 = 0; b1 < 256; b1++) + for (b2 = 0; b2 < 256; b2++) + count_class_lookup16[(b1 << 8) + b2] = + (count_class_lookup8[b1] << 8) | + count_class_lookup8[b2]; + +} + + +#ifdef WORD_SIZE_64 + +static inline void classify_counts(u64* mem) { + + u32 i = MAP_SIZE >> 3; + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { + + u16* mem16 = (u16*)mem; + + mem16[0] = count_class_lookup16[mem16[0]]; + mem16[1] = count_class_lookup16[mem16[1]]; + mem16[2] = count_class_lookup16[mem16[2]]; + mem16[3] = count_class_lookup16[mem16[3]]; + + } + + mem++; + + } + +} + +#else + +static inline void classify_counts(u32* mem) { + + u32 i = MAP_SIZE >> 2; + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { + + u16* mem16 = (u16*)mem; + + mem16[0] = count_class_lookup16[mem16[0]]; + mem16[1] = count_class_lookup16[mem16[1]]; + + } + + mem++; + + } + +} + +#endif /* ^WORD_SIZE_64 */ + + +/* Get rid of shared memory (atexit handler). */ + +static void remove_shm(void) { + + shmctl(shm_id, IPC_RMID, NULL); + +} + + +/* Compact trace bytes into a smaller bitmap. We effectively just drop the + count information here. This is called only sporadically, for some + new paths. */ + +static void minimize_bits(u8* dst, u8* src) { + + u32 i = 0; + + while (i < MAP_SIZE) { + + if (*(src++)) dst[i >> 3] |= 1 << (i & 7); + i++; + + } + +} + + +/* When we bump into a new path, we call this to see if the path appears + more "favorable" than any of the existing ones. The purpose of the + "favorables" is to have a minimal set of paths that trigger all the bits + seen in the bitmap so far, and focus on fuzzing them at the expense of + the rest. + + The first step of the process is to maintain a list of top_rated[] entries + for every byte in the bitmap. We win that slot if there is no previous + contender, or if the contender has a more favorable speed x size factor. */ + +static void update_bitmap_score(struct queue_entry* q) { + + u32 i; + u64 fav_factor = q->exec_us * q->len; + + /* For every byte set in trace_bits[], see if there is a previous winner, + and how it compares to us. */ + + for (i = 0; i < MAP_SIZE; i++) + + if (trace_bits[i]) { + + if (top_rated[i]) { + + /* Faster-executing or smaller test cases are favored. */ + + if (fav_factor > top_rated[i]->exec_us * top_rated[i]->len) continue; + + /* Looks like we're going to win. Decrease ref count for the + previous winner, discard its trace_bits[] if necessary. */ + + if (!--top_rated[i]->tc_ref) { + ck_free(top_rated[i]->trace_mini); + top_rated[i]->trace_mini = 0; + } + + } + + /* Insert ourselves as the new winner. */ + + top_rated[i] = q; + q->tc_ref++; + + if (!q->trace_mini) { + q->trace_mini = ck_alloc(MAP_SIZE >> 3); + minimize_bits(q->trace_mini, trace_bits); + } + + score_changed = 1; + + } + +} + + +/* The second part of the mechanism discussed above is a routine that + goes over top_rated[] entries, and then sequentially grabs winners for + previously-unseen bytes (temp_v) and marks them as favored, at least + until the next run. The favored entries are given more air time during + all fuzzing steps. */ + +static void cull_queue(void) { + + struct queue_entry* q; + static u8 temp_v[MAP_SIZE >> 3]; + u32 i; + + if (dumb_mode || !score_changed) return; + + score_changed = 0; + + memset(temp_v, 255, MAP_SIZE >> 3); + + queued_favored = 0; + pending_favored = 0; + + q = queue; + + while (q) { + q->favored = 0; + q = q->next; + } + + /* Let's see if anything in the bitmap isn't captured in temp_v. + If yes, and if it has a top_rated[] contender, let's use it. */ + + for (i = 0; i < MAP_SIZE; i++) + if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { + + u32 j = MAP_SIZE >> 3; + + /* Remove all bits belonging to the current entry from temp_v. */ + + while (j--) + if (top_rated[i]->trace_mini[j]) + temp_v[j] &= ~top_rated[i]->trace_mini[j]; + + top_rated[i]->favored = 1; + queued_favored++; + + if (!top_rated[i]->was_fuzzed) pending_favored++; + + } + + q = queue; + + while (q) { + mark_as_redundant(q, !q->favored); + q = q->next; + } + +} + + +/* Configure shared memory and virgin_bits. This is called at startup. */ + +EXP_ST void setup_shm(void) { + + u8* shm_str; + + if (!in_bitmap) memset(virgin_bits, 255, MAP_SIZE); + + memset(virgin_tmout, 255, MAP_SIZE); + memset(virgin_crash, 255, MAP_SIZE); + + shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); + + if (shm_id < 0) PFATAL("shmget() failed"); + + atexit(remove_shm); + + shm_str = alloc_printf("%d", shm_id); + + /* If somebody is asking us to fuzz instrumented binaries in dumb mode, + we don't want them to detect instrumentation, since we won't be sending + fork server commands. This should be replaced with better auto-detection + later on, perhaps? */ + + if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); + + ck_free(shm_str); + + trace_bits = shmat(shm_id, NULL, 0); + + if (trace_bits == (void *)-1) PFATAL("shmat() failed"); + +} + + +/* Load postprocessor, if available. */ + +static void setup_post(void) { + + void* dh; + u8* fn = getenv("AFL_POST_LIBRARY"); + u32 tlen = 6; + + if (!fn) return; + + ACTF("Loading postprocessor from '%s'...", fn); + + dh = dlopen(fn, RTLD_NOW); + if (!dh) FATAL("%s", dlerror()); + + post_handler = dlsym(dh, "afl_postprocess"); + if (!post_handler) FATAL("Symbol 'afl_postprocess' not found."); + + /* Do a quick test. It's better to segfault now than later =) */ + + post_handler("hello", &tlen); + + OKF("Postprocessor installed successfully."); + +} + + +/* Read all testcases from the input directory, then queue them for testing. + Called at startup. */ + +static void read_testcases(void) { + + struct dirent **nl; + s32 nl_cnt; + u32 i; + u8* fn; + + /* Auto-detect non-in-place resumption attempts. */ + + fn = alloc_printf("%s/queue", in_dir); + if (!access(fn, F_OK)) in_dir = fn; else ck_free(fn); + + ACTF("Scanning '%s'...", in_dir); + + /* We use scandir() + alphasort() rather than readdir() because otherwise, + the ordering of test cases would vary somewhat randomly and would be + difficult to control. */ + + nl_cnt = scandir(in_dir, &nl, NULL, alphasort); + + if (nl_cnt < 0) { + + if (errno == ENOENT || errno == ENOTDIR) + + SAYF("\n" cLRD "[-] " cRST + "The input directory does not seem to be valid - try again. The fuzzer needs\n" + " one or more test case to start with - ideally, a small file under 1 kB\n" + " or so. The cases must be stored as regular files directly in the input\n" + " directory.\n"); + + PFATAL("Unable to open '%s'", in_dir); + + } + + if (shuffle_queue && nl_cnt > 1) { + + ACTF("Shuffling queue..."); + shuffle_ptrs((void**)nl, nl_cnt); + + } + + for (i = 0; i < nl_cnt; i++) { + + struct stat st; + + u8* fn = alloc_printf("%s/%s", in_dir, nl[i]->d_name); + u8* dfn = alloc_printf("%s/.state/deterministic_done/%s", in_dir, nl[i]->d_name); + + u8 passed_det = 0; + + free(nl[i]); /* not tracked */ + + if (lstat(fn, &st) || access(fn, R_OK)) + PFATAL("Unable to access '%s'", fn); + + /* This also takes care of . and .. */ + + if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn, "/README.testcases")) { + + ck_free(fn); + ck_free(dfn); + continue; + + } + + if (st.st_size > MAX_FILE) + FATAL("Test case '%s' is too big (%s, limit is %s)", fn, + DMS(st.st_size), DMS(MAX_FILE)); + + /* Check for metadata that indicates that deterministic fuzzing + is complete for this entry. We don't want to repeat deterministic + fuzzing when resuming aborted scans, because it would be pointless + and probably very time-consuming. */ + + if (!access(dfn, F_OK)) passed_det = 1; + ck_free(dfn); + + add_to_queue(fn, st.st_size, passed_det); + + } + + free(nl); /* not tracked */ + + if (!queued_paths) { + + SAYF("\n" cLRD "[-] " cRST + "Looks like there are no valid test cases in the input directory! The fuzzer\n" + " needs one or more test case to start with - ideally, a small file under\n" + " 1 kB or so. The cases must be stored as regular files directly in the\n" + " input directory.\n"); + + FATAL("No usable test cases in '%s'", in_dir); + + } + + last_path_time = 0; + queued_at_start = queued_paths; + +} + + +/* Helper function for load_extras. */ + +static int compare_extras_len(const void* p1, const void* p2) { + struct extra_data *e1 = (struct extra_data*)p1, + *e2 = (struct extra_data*)p2; + + return e1->len - e2->len; +} + +static int compare_extras_use_d(const void* p1, const void* p2) { + struct extra_data *e1 = (struct extra_data*)p1, + *e2 = (struct extra_data*)p2; + + return e2->hit_cnt - e1->hit_cnt; +} + + +/* Read extras from a file, sort by size. */ + +static void load_extras_file(u8* fname, u32* min_len, u32* max_len, + u32 dict_level) { + + FILE* f; + u8 buf[MAX_LINE]; + u8 *lptr; + u32 cur_line = 0; + + f = fopen(fname, "r"); + + if (!f) PFATAL("Unable to open '%s'", fname); + + while ((lptr = fgets(buf, MAX_LINE, f))) { + + u8 *rptr, *wptr; + u32 klen = 0; + + cur_line++; + + /* Trim on left and right. */ + + while (isspace(*lptr)) lptr++; + + rptr = lptr + strlen(lptr) - 1; + while (rptr >= lptr && isspace(*rptr)) rptr--; + rptr++; + *rptr = 0; + + /* Skip empty lines and comments. */ + + if (!*lptr || *lptr == '#') continue; + + /* All other lines must end with '"', which we can consume. */ + + rptr--; + + if (rptr < lptr || *rptr != '"') + FATAL("Malformed name=\"value\" pair in line %u.", cur_line); + + *rptr = 0; + + /* Skip alphanumerics and dashes (label). */ + + while (isalnum(*lptr) || *lptr == '_') lptr++; + + /* If @number follows, parse that. */ + + if (*lptr == '@') { + + lptr++; + if (atoi(lptr) > dict_level) continue; + while (isdigit(*lptr)) lptr++; + + } + + /* Skip whitespace and = signs. */ + + while (isspace(*lptr) || *lptr == '=') lptr++; + + /* Consume opening '"'. */ + + if (*lptr != '"') + FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line); + + lptr++; + + if (!*lptr) FATAL("Empty keyword in line %u.", cur_line); + + /* Okay, let's allocate memory and copy data between "...", handling + \xNN escaping, \\, and \". */ + + extras = ck_realloc_block(extras, (extras_cnt + 1) * + sizeof(struct extra_data)); + + wptr = extras[extras_cnt].data = ck_alloc(rptr - lptr); + + while (*lptr) { + + char* hexdigits = "0123456789abcdef"; + + switch (*lptr) { + + case 1 ... 31: + case 128 ... 255: + FATAL("Non-printable characters in line %u.", cur_line); + + case '\\': + + lptr++; + + if (*lptr == '\\' || *lptr == '"') { + *(wptr++) = *(lptr++); + klen++; + break; + } + + if (*lptr != 'x' || !isxdigit(lptr[1]) || !isxdigit(lptr[2])) + FATAL("Invalid escaping (not \\xNN) in line %u.", cur_line); + + *(wptr++) = + ((strchr(hexdigits, tolower(lptr[1])) - hexdigits) << 4) | + (strchr(hexdigits, tolower(lptr[2])) - hexdigits); + + lptr += 3; + klen++; + + break; + + default: + + *(wptr++) = *(lptr++); + klen++; + + } + + } + + extras[extras_cnt].len = klen; + + if (extras[extras_cnt].len > MAX_DICT_FILE) + FATAL("Keyword too big in line %u (%s, limit is %s)", cur_line, + DMS(klen), DMS(MAX_DICT_FILE)); + + if (*min_len > klen) *min_len = klen; + if (*max_len < klen) *max_len = klen; + + extras_cnt++; + + } + + fclose(f); + +} + + +/* Read extras from the extras directory and sort them by size. */ + +static void load_extras(u8* dir) { + + DIR* d; + struct dirent* de; + u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; + u8* x; + + /* If the name ends with @, extract level and continue. */ + + if ((x = strchr(dir, '@'))) { + + *x = 0; + dict_level = atoi(x + 1); + + } + + ACTF("Loading extra dictionary from '%s' (level %u)...", dir, dict_level); + + d = opendir(dir); + + if (!d) { + + if (errno == ENOTDIR) { + load_extras_file(dir, &min_len, &max_len, dict_level); + goto check_and_sort; + } + + PFATAL("Unable to open '%s'", dir); + + } + + if (x) FATAL("Dictionary levels not supported for directories."); + + while ((de = readdir(d))) { + + struct stat st; + u8* fn = alloc_printf("%s/%s", dir, de->d_name); + s32 fd; + + if (lstat(fn, &st) || access(fn, R_OK)) + PFATAL("Unable to access '%s'", fn); + + /* This also takes care of . and .. */ + if (!S_ISREG(st.st_mode) || !st.st_size) { + + ck_free(fn); + continue; + + } + + if (st.st_size > MAX_DICT_FILE) + FATAL("Extra '%s' is too big (%s, limit is %s)", fn, + DMS(st.st_size), DMS(MAX_DICT_FILE)); + + if (min_len > st.st_size) min_len = st.st_size; + if (max_len < st.st_size) max_len = st.st_size; + + extras = ck_realloc_block(extras, (extras_cnt + 1) * + sizeof(struct extra_data)); + + extras[extras_cnt].data = ck_alloc(st.st_size); + extras[extras_cnt].len = st.st_size; + + fd = open(fn, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", fn); + + ck_read(fd, extras[extras_cnt].data, st.st_size, fn); + + close(fd); + ck_free(fn); + + extras_cnt++; + + } + + closedir(d); + +check_and_sort: + + if (!extras_cnt) FATAL("No usable files in '%s'", dir); + + qsort(extras, extras_cnt, sizeof(struct extra_data), compare_extras_len); + + OKF("Loaded %u extra tokens, size range %s to %s.", extras_cnt, + DMS(min_len), DMS(max_len)); + + if (max_len > 32) + WARNF("Some tokens are relatively large (%s) - consider trimming.", + DMS(max_len)); + + if (extras_cnt > MAX_DET_EXTRAS) + WARNF("More than %u tokens - will use them probabilistically.", + MAX_DET_EXTRAS); + +} + + + + +/* Helper function for maybe_add_auto() */ + +static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { + + while (len--) if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1; + return 0; + +} + + +/* Maybe add automatic extra. */ + +static void maybe_add_auto(u8* mem, u32 len) { + + u32 i; + + /* Allow users to specify that they don't want auto dictionaries. */ + + if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return; + + /* Skip runs of identical bytes. */ + + for (i = 1; i < len; i++) + if (mem[0] ^ mem[i]) break; + + if (i == len) return; + + /* Reject builtin interesting values. */ + + if (len == 2) { + + i = sizeof(interesting_16) >> 1; + + while (i--) + if (*((u16*)mem) == interesting_16[i] || + *((u16*)mem) == SWAP16(interesting_16[i])) return; + + } + + if (len == 4) { + + i = sizeof(interesting_32) >> 2; + + while (i--) + if (*((u32*)mem) == interesting_32[i] || + *((u32*)mem) == SWAP32(interesting_32[i])) return; + + } + + /* Reject anything that matches existing extras. Do a case-insensitive + match. We optimize by exploiting the fact that extras[] are sorted + by size. */ + + for (i = 0; i < extras_cnt; i++) + if (extras[i].len >= len) break; + + for (; i < extras_cnt && extras[i].len == len; i++) + if (!memcmp_nocase(extras[i].data, mem, len)) return; + + /* Last but not least, check a_extras[] for matches. There are no + guarantees of a particular sort order. */ + + auto_changed = 1; + + for (i = 0; i < a_extras_cnt; i++) { + + if (a_extras[i].len == len && !memcmp_nocase(a_extras[i].data, mem, len)) { + + a_extras[i].hit_cnt++; + goto sort_a_extras; + + } + + } + + /* At this point, looks like we're dealing with a new entry. So, let's + append it if we have room. Otherwise, let's randomly evict some other + entry from the bottom half of the list. */ + + if (a_extras_cnt < MAX_AUTO_EXTRAS) { + + a_extras = ck_realloc_block(a_extras, (a_extras_cnt + 1) * + sizeof(struct extra_data)); + + a_extras[a_extras_cnt].data = ck_memdup(mem, len); + a_extras[a_extras_cnt].len = len; + a_extras_cnt++; + + } else { + + i = MAX_AUTO_EXTRAS / 2 + + UR((MAX_AUTO_EXTRAS + 1) / 2); + + ck_free(a_extras[i].data); + + a_extras[i].data = ck_memdup(mem, len); + a_extras[i].len = len; + a_extras[i].hit_cnt = 0; + + } + +sort_a_extras: + + /* First, sort all auto extras by use count, descending order. */ + + qsort(a_extras, a_extras_cnt, sizeof(struct extra_data), + compare_extras_use_d); + + /* Then, sort the top USE_AUTO_EXTRAS entries by size. */ + + qsort(a_extras, MIN(USE_AUTO_EXTRAS, a_extras_cnt), + sizeof(struct extra_data), compare_extras_len); + +} + + +/* Save automatically generated extras. */ + +static void save_auto(void) { + + u32 i; + + if (!auto_changed) return; + auto_changed = 0; + + for (i = 0; i < MIN(USE_AUTO_EXTRAS, a_extras_cnt); i++) { + + u8* fn = alloc_printf("%s/queue/.state/auto_extras/auto_%06u", out_dir, i); + s32 fd; + + fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", fn); + + ck_write(fd, a_extras[i].data, a_extras[i].len, fn); + + close(fd); + ck_free(fn); + + } + +} + + +/* Load automatically generated extras. */ + +static void load_auto(void) { + + u32 i; + + for (i = 0; i < USE_AUTO_EXTRAS; i++) { + + u8 tmp[MAX_AUTO_EXTRA + 1]; + u8* fn = alloc_printf("%s/.state/auto_extras/auto_%06u", in_dir, i); + s32 fd, len; + + fd = open(fn, O_RDONLY, 0600); + + if (fd < 0) { + + if (errno != ENOENT) PFATAL("Unable to open '%s'", fn); + ck_free(fn); + break; + + } + + /* We read one byte more to cheaply detect tokens that are too + long (and skip them). */ + + len = read(fd, tmp, MAX_AUTO_EXTRA + 1); + + if (len < 0) PFATAL("Unable to read from '%s'", fn); + + if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA) + maybe_add_auto(tmp, len); + + close(fd); + ck_free(fn); + + } + + if (i) OKF("Loaded %u auto-discovered dictionary tokens.", i); + else OKF("No auto-generated dictionary tokens to reuse."); + +} + + +/* Destroy extras. */ + +static void destroy_extras(void) { + + u32 i; + + for (i = 0; i < extras_cnt; i++) + ck_free(extras[i].data); + + ck_free(extras); + + for (i = 0; i < a_extras_cnt; i++) + ck_free(a_extras[i].data); + + ck_free(a_extras); + +} + + +/* Spin up fork server (instrumented mode only). The idea is explained here: + + http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html + + In essence, the instrumentation allows us to skip execve(), and just keep + cloning a stopped child. So, we just execute once, and then send commands + through a pipe. The other part of this logic is in afl-as.h. */ + +EXP_ST void init_forkserver(char** argv) { + + static struct itimerval it; + int st_pipe[2], ctl_pipe[2]; + int status; + s32 rlen; + + ACTF("Spinning up the fork server..."); + + if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); + + forksrv_pid = fork(); + + if (forksrv_pid < 0) PFATAL("fork() failed"); + + if (!forksrv_pid) { + + struct rlimit r; + + /* Umpf. On OpenBSD, the default fd limit for root users is set to + soft 128. Let's try to fix that... */ + + if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { + + r.rlim_cur = FORKSRV_FD + 2; + setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ + + } + + if (mem_limit) { + + r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; + +#ifdef RLIMIT_AS + + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + +#else + + /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but + according to reliable sources, RLIMIT_DATA covers anonymous + maps - so we should be getting good protection against OOM bugs. */ + + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + +#endif /* ^RLIMIT_AS */ + + + } + + /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered + before the dump is complete. */ + + r.rlim_max = r.rlim_cur = 0; + + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + + /* Isolate the process and configure standard descriptors. If out_file is + specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + + setsid(); + + dup2(dev_null_fd, 1); + dup2(dev_null_fd, 2); + + if (out_file) { + + dup2(dev_null_fd, 0); + + } else { + + dup2(out_fd, 0); + close(out_fd); + + } + + /* Set up control and status pipes, close the unneeded original fds. */ + + if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); + if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); + + close(ctl_pipe[0]); + close(ctl_pipe[1]); + close(st_pipe[0]); + close(st_pipe[1]); + + close(out_dir_fd); + close(dev_null_fd); + close(dev_urandom_fd); + close(fileno(plot_file)); + + /* This should improve performance a bit, since it stops the linker from + doing extra work post-fork(). */ + + if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); + + /* Set sane defaults for ASAN if nothing else specified. */ + + setenv("ASAN_OPTIONS", "abort_on_error=1:" + "detect_leaks=0:" + "symbolize=0:" + "allocator_may_return_null=1", 0); + + /* MSAN is tricky, because it doesn't support abort_on_error=1 at this + point. So, we do this in a very hacky way. */ + + setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" + "symbolize=0:" + "abort_on_error=1:" + "allocator_may_return_null=1:" + "msan_track_origins=0", 0); + + execv(target_path, argv); + + /* Use a distinctive bitmap signature to tell the parent about execv() + falling through. */ + + *(u32*)trace_bits = EXEC_FAIL_SIG; + exit(0); + + } + + /* Close the unneeded endpoints. */ + + close(ctl_pipe[0]); + close(st_pipe[1]); + + fsrv_ctl_fd = ctl_pipe[1]; + fsrv_st_fd = st_pipe[0]; + + /* Wait for the fork server to come up, but don't wait too long. */ + + it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000); + it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; + + setitimer(ITIMER_REAL, &it, NULL); + + rlen = read(fsrv_st_fd, &status, 4); + + it.it_value.tv_sec = 0; + it.it_value.tv_usec = 0; + + setitimer(ITIMER_REAL, &it, NULL); + + /* If we have a four-byte "hello" message from the server, we're all set. + Otherwise, try to figure out what went wrong. */ + + if (rlen == 4) { + OKF("All right - fork server is up."); + return; + } + + if (child_timed_out) + FATAL("Timeout while initializing fork server (adjusting -t may help)"); + + if (waitpid(forksrv_pid, &status, 0) <= 0) + PFATAL("waitpid() failed"); + + if (WIFSIGNALED(status)) { + + if (mem_limit && mem_limit < 500 && uses_asan) { + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, before receiving any input\n" + " from the fuzzer! Since it seems to be built with ASAN and you have a\n" + " restrictive memory limit configured, this is expected; please read\n" + " %s/notes_for_asan.txt for help.\n", doc_path); + + } else if (!mem_limit) { + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, before receiving any input\n" + " from the fuzzer! There are several probable explanations:\n\n" + + " - The binary is just buggy and explodes entirely on its own. If so, you\n" + " need to fix the underlying problem or find a better replacement.\n\n" + +#ifdef __APPLE__ + + " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" + " break afl-fuzz performance optimizations when running platform-specific\n" + " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" + +#endif /* __APPLE__ */ + + " - Less likely, there is a horrible bug in the fuzzer. If other options\n" + " fail, poke for troubleshooting tips.\n"); + + } else { + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, before receiving any input\n" + " from the fuzzer! There are several probable explanations:\n\n" + + " - The current memory limit (%s) is too restrictive, causing the\n" + " target to hit an OOM condition in the dynamic linker. Try bumping up\n" + " the limit with the -m setting in the command line. A simple way confirm\n" + " this diagnosis would be:\n\n" + +#ifdef RLIMIT_AS + " ( ulimit -Sv $[%llu << 10]; /path/to/fuzzed_app )\n\n" +#else + " ( ulimit -Sd $[%llu << 10]; /path/to/fuzzed_app )\n\n" +#endif /* ^RLIMIT_AS */ + + " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" + " estimate the required amount of virtual memory for the binary.\n\n" + + " - The binary is just buggy and explodes entirely on its own. If so, you\n" + " need to fix the underlying problem or find a better replacement.\n\n" + +#ifdef __APPLE__ + + " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" + " break afl-fuzz performance optimizations when running platform-specific\n" + " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" + +#endif /* __APPLE__ */ + + " - Less likely, there is a horrible bug in the fuzzer. If other options\n" + " fail, poke for troubleshooting tips.\n", + DMS(mem_limit << 20), mem_limit - 1); + + } + + FATAL("Fork server crashed with signal %d", WTERMSIG(status)); + + } + + if (*(u32*)trace_bits == EXEC_FAIL_SIG) + FATAL("Unable to execute target application ('%s')", argv[0]); + + if (mem_limit && mem_limit < 500 && uses_asan) { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated before we could complete a\n" + " handshake with the injected code. Since it seems to be built with ASAN and\n" + " you have a restrictive memory limit configured, this is expected; please\n" + " read %s/notes_for_asan.txt for help.\n", doc_path); + + } else if (!mem_limit) { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated before we could complete a\n" + " handshake with the injected code. Perhaps there is a horrible bug in the\n" + " fuzzer. Poke for troubleshooting tips.\n"); + + } else { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated before we could complete a\n" + " handshake with the injected code. There are %s probable explanations:\n\n" + + "%s" + " - The current memory limit (%s) is too restrictive, causing an OOM\n" + " fault in the dynamic linker. This can be fixed with the -m option. A\n" + " simple way to confirm the diagnosis may be:\n\n" + +#ifdef RLIMIT_AS + " ( ulimit -Sv $[%llu << 10]; /path/to/fuzzed_app )\n\n" +#else + " ( ulimit -Sd $[%llu << 10]; /path/to/fuzzed_app )\n\n" +#endif /* ^RLIMIT_AS */ + + " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" + " estimate the required amount of virtual memory for the binary.\n\n" + + " - Less likely, there is a horrible bug in the fuzzer. If other options\n" + " fail, poke for troubleshooting tips.\n", + getenv(DEFER_ENV_VAR) ? "three" : "two", + getenv(DEFER_ENV_VAR) ? + " - You are using deferred forkserver, but __AFL_INIT() is never\n" + " reached before the program terminates.\n\n" : "", + DMS(mem_limit << 20), mem_limit - 1); + + } + + FATAL("Fork server handshake failed"); + +} + + +/* Execute target application, monitoring for timeouts. Return status + information. The called program will update trace_bits[]. */ + +static u8 run_target(char** argv, u32 timeout) { + + static struct itimerval it; + static u32 prev_timed_out = 0; + static u64 exec_ms = 0; + + int status = 0; + u32 tb4; + + child_timed_out = 0; + + /* After this memset, trace_bits[] are effectively volatile, so we + must prevent any earlier operations from venturing into that + territory. */ + + memset(trace_bits, 0, MAP_SIZE); + MEM_BARRIER(); + + /* If we're running in "dumb" mode, we can't rely on the fork server + logic compiled into the target program, so we will just keep calling + execve(). There is a bit of code duplication between here and + init_forkserver(), but c'est la vie. */ + + if (dumb_mode == 1 || no_forkserver) { + + child_pid = fork(); + + if (child_pid < 0) PFATAL("fork() failed"); + + if (!child_pid) { + + struct rlimit r; + + if (mem_limit) { + + r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; + +#ifdef RLIMIT_AS + + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + +#else + + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + +#endif /* ^RLIMIT_AS */ + + } + + r.rlim_max = r.rlim_cur = 0; + + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + + /* Isolate the process and configure standard descriptors. If out_file is + specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + + setsid(); + + dup2(dev_null_fd, 1); + dup2(dev_null_fd, 2); + + if (out_file) { + + dup2(dev_null_fd, 0); + + } else { + + dup2(out_fd, 0); + close(out_fd); + + } + + /* On Linux, would be faster to use O_CLOEXEC. Maybe TODO. */ + + close(dev_null_fd); + close(out_dir_fd); + close(dev_urandom_fd); + close(fileno(plot_file)); + + /* Set sane defaults for ASAN if nothing else specified. */ + + setenv("ASAN_OPTIONS", "abort_on_error=1:" + "detect_leaks=0:" + "symbolize=0:" + "allocator_may_return_null=1", 0); + + setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" + "symbolize=0:" + "msan_track_origins=0", 0); + + execv(target_path, argv); + + /* Use a distinctive bitmap value to tell the parent about execv() + falling through. */ + + *(u32*)trace_bits = EXEC_FAIL_SIG; + exit(0); + + } + + } else { + + s32 res; + + /* In non-dumb mode, we have the fork server up and running, so simply + tell it to have at it, and then read back PID. */ + + if ((res = write(fsrv_ctl_fd, &prev_timed_out, 4)) != 4) { + + if (stop_soon) return 0; + RPFATAL(res, "Unable to request new process from fork server (OOM?)"); + + } + + if ((res = read(fsrv_st_fd, &child_pid, 4)) != 4) { + + if (stop_soon) return 0; + RPFATAL(res, "Unable to request new process from fork server (OOM?)"); + + } + + if (child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); + + } + + /* Configure timeout, as requested by user, then wait for child to terminate. */ + + it.it_value.tv_sec = (timeout / 1000); + it.it_value.tv_usec = (timeout % 1000) * 1000; + + setitimer(ITIMER_REAL, &it, NULL); + + /* The SIGALRM handler simply kills the child_pid and sets child_timed_out. */ + + if (dumb_mode == 1 || no_forkserver) { + + if (waitpid(child_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); + + } else { + + s32 res; + + if ((res = read(fsrv_st_fd, &status, 4)) != 4) { + + if (stop_soon) return 0; + RPFATAL(res, "Unable to communicate with fork server (OOM?)"); + + } + + } + + if (!WIFSTOPPED(status)) child_pid = 0; + + getitimer(ITIMER_REAL, &it); + exec_ms = (u64) timeout - (it.it_value.tv_sec * 1000 + + it.it_value.tv_usec / 1000); + + it.it_value.tv_sec = 0; + it.it_value.tv_usec = 0; + + setitimer(ITIMER_REAL, &it, NULL); + + total_execs++; + + /* Any subsequent operations on trace_bits must not be moved by the + compiler below this point. Past this location, trace_bits[] behave + very normally and do not have to be treated as volatile. */ + + MEM_BARRIER(); + + tb4 = *(u32*)trace_bits; + +#ifdef WORD_SIZE_64 + classify_counts((u64*)trace_bits); +#else + classify_counts((u32*)trace_bits); +#endif /* ^WORD_SIZE_64 */ + + prev_timed_out = child_timed_out; + + /* Report outcome to caller. */ + + if (WIFSIGNALED(status) && !stop_soon) { + + kill_signal = WTERMSIG(status); + + if (child_timed_out && kill_signal == SIGKILL) return FAULT_TMOUT; + + return FAULT_CRASH; + + } + + /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and + must use a special exit code. */ + + if (uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { + kill_signal = 0; + return FAULT_CRASH; + } + + if ((dumb_mode == 1 || no_forkserver) && tb4 == EXEC_FAIL_SIG) + return FAULT_ERROR; + + /* It makes sense to account for the slowest units only if the testcase was run + under the user defined timeout. */ + if (!(timeout > exec_tmout) && (slowest_exec_ms < exec_ms)) { + slowest_exec_ms = exec_ms; + } + + return FAULT_NONE; + +} + + +/* Write modified data to file for testing. If out_file is set, the old file + is unlinked and a new one is created. Otherwise, out_fd is rewound and + truncated. */ + +static void write_to_testcase(void* mem, u32 len) { + + s32 fd = out_fd; + + if (out_file) { + + unlink(out_file); /* Ignore errors. */ + + fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", out_file); + + } else lseek(fd, 0, SEEK_SET); + + ck_write(fd, mem, len, out_file); + + if (!out_file) { + + if (ftruncate(fd, len)) PFATAL("ftruncate() failed"); + lseek(fd, 0, SEEK_SET); + + } else close(fd); + +} + + +/* The same, but with an adjustable gap. Used for trimming. */ + +static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { + + s32 fd = out_fd; + u32 tail_len = len - skip_at - skip_len; + + if (out_file) { + + unlink(out_file); /* Ignore errors. */ + + fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", out_file); + + } else lseek(fd, 0, SEEK_SET); + + if (skip_at) ck_write(fd, mem, skip_at, out_file); + + if (tail_len) ck_write(fd, mem + skip_at + skip_len, tail_len, out_file); + + if (!out_file) { + + if (ftruncate(fd, len - skip_len)) PFATAL("ftruncate() failed"); + lseek(fd, 0, SEEK_SET); + + } else close(fd); + +} + + +static void show_stats(void); + +/* Calibrate a new test case. This is done when processing the input directory + to warn about flaky or otherwise problematic test cases early on; and when + new paths are discovered to detect variable behavior and so on. */ + +static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, + u32 handicap, u8 from_queue) { + + static u8 first_trace[MAP_SIZE]; + + u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0, + first_run = (q->exec_cksum == 0); + + u64 start_us, stop_us; + + s32 old_sc = stage_cur, old_sm = stage_max; + u32 use_tmout = exec_tmout; + u8* old_sn = stage_name; + + /* Be a bit more generous about timeouts when resuming sessions, or when + trying to calibrate already-added finds. This helps avoid trouble due + to intermittent latency. */ + + if (!from_queue || resuming_fuzz) + use_tmout = MAX(exec_tmout + CAL_TMOUT_ADD, + exec_tmout * CAL_TMOUT_PERC / 100); + + q->cal_failed++; + + stage_name = "calibration"; + stage_max = fast_cal ? 3 : CAL_CYCLES; + + /* Make sure the forkserver is up before we do anything, and let's not + count its spin-up time toward binary calibration. */ + + if (dumb_mode != 1 && !no_forkserver && !forksrv_pid) + init_forkserver(argv); + + if (q->exec_cksum) { + + memcpy(first_trace, trace_bits, MAP_SIZE); + hnb = has_new_bits(virgin_bits); + if (hnb > new_bits) new_bits = hnb; + + } + + start_us = get_cur_time_us(); + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + u32 cksum; + + if (!first_run && !(stage_cur % stats_update_freq)) show_stats(); + + write_to_testcase(use_mem, q->len); + + fault = run_target(argv, use_tmout); + + /* stop_soon is set by the handler for Ctrl+C. When it's pressed, + we want to bail out quickly. */ + + if (stop_soon || fault != crash_mode) goto abort_calibration; + + if (!dumb_mode && !stage_cur && !count_bytes(trace_bits)) { + fault = FAULT_NOINST; + goto abort_calibration; + } + + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + if (q->exec_cksum != cksum) { + + hnb = has_new_bits(virgin_bits); + if (hnb > new_bits) new_bits = hnb; + + if (q->exec_cksum) { + + u32 i; + + for (i = 0; i < MAP_SIZE; i++) { + + if (!var_bytes[i] && first_trace[i] != trace_bits[i]) { + + var_bytes[i] = 1; + stage_max = CAL_CYCLES_LONG; + + } + + } + + var_detected = 1; + + } else { + + q->exec_cksum = cksum; + memcpy(first_trace, trace_bits, MAP_SIZE); + + } + + } + + } + + stop_us = get_cur_time_us(); + + total_cal_us += stop_us - start_us; + total_cal_cycles += stage_max; + + /* OK, let's collect some stats about the performance of this test case. + This is used for fuzzing air time calculations in calculate_score(). */ + + q->exec_us = (stop_us - start_us) / stage_max; + q->bitmap_size = count_bytes(trace_bits); + q->handicap = handicap; + q->cal_failed = 0; + + total_bitmap_size += q->bitmap_size; + total_bitmap_entries++; + + update_bitmap_score(q); + + /* If this case didn't result in new output from the instrumentation, tell + parent. This is a non-critical problem, but something to warn the user + about. */ + + if (!dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; + +abort_calibration: + + if (new_bits == 2 && !q->has_new_cov) { + q->has_new_cov = 1; + queued_with_cov++; + } + + /* Mark variable paths. */ + + if (var_detected) { + + var_byte_count = count_bytes(var_bytes); + + if (!q->var_behavior) { + mark_as_variable(q); + queued_variable++; + } + + } + + stage_name = old_sn; + stage_cur = old_sc; + stage_max = old_sm; + + if (!first_run) show_stats(); + + return fault; + +} + + +/* Examine map coverage. Called once, for first test case. */ + +static void check_map_coverage(void) { + + u32 i; + + if (count_bytes(trace_bits) < 100) return; + + for (i = (1 << (MAP_SIZE_POW2 - 1)); i < MAP_SIZE; i++) + if (trace_bits[i]) return; + + WARNF("Recompile binary with newer version of afl to improve coverage!"); + +} + + +/* Perform dry run of all test cases to confirm that the app is working as + expected. This is done only for the initial inputs, and only once. */ + +static void perform_dry_run(char** argv) { + + struct queue_entry* q = queue; + u32 cal_failures = 0; + u8* skip_crashes = getenv("AFL_SKIP_CRASHES"); + + while (q) { + + u8* use_mem; + u8 res; + s32 fd; + + u8* fn = strrchr(q->fname, '/') + 1; + + ACTF("Attempting dry run with '%s'...", fn); + + fd = open(q->fname, O_RDONLY); + if (fd < 0) PFATAL("Unable to open '%s'", q->fname); + + use_mem = ck_alloc_nozero(q->len); + + if (read(fd, use_mem, q->len) != q->len) + FATAL("Short read from '%s'", q->fname); + + close(fd); + + res = calibrate_case(argv, q, use_mem, 0, 1); + ck_free(use_mem); + + if (stop_soon) return; + + if (res == crash_mode || res == FAULT_NOBITS) + SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, + q->len, q->bitmap_size, q->exec_us); + + switch (res) { + + case FAULT_NONE: + + if (q == queue) check_map_coverage(); + + if (crash_mode) FATAL("Test case '%s' does *NOT* crash", fn); + + break; + + case FAULT_TMOUT: + + if (timeout_given) { + + /* The -t nn+ syntax in the command line sets timeout_given to '2' and + instructs afl-fuzz to tolerate but skip queue entries that time + out. */ + + if (timeout_given > 1) { + WARNF("Test case results in a timeout (skipping)"); + q->cal_failed = CAL_CHANCES; + cal_failures++; + break; + } + + SAYF("\n" cLRD "[-] " cRST + "The program took more than %u ms to process one of the initial test cases.\n" + " Usually, the right thing to do is to relax the -t option - or to delete it\n" + " altogether and allow the fuzzer to auto-calibrate. That said, if you know\n" + " what you are doing and want to simply skip the unruly test cases, append\n" + " '+' at the end of the value passed to -t ('-t %u+').\n", exec_tmout, + exec_tmout); + + FATAL("Test case '%s' results in a timeout", fn); + + } else { + + SAYF("\n" cLRD "[-] " cRST + "The program took more than %u ms to process one of the initial test cases.\n" + " This is bad news; raising the limit with the -t option is possible, but\n" + " will probably make the fuzzing process extremely slow.\n\n" + + " If this test case is just a fluke, the other option is to just avoid it\n" + " altogether, and find one that is less of a CPU hog.\n", exec_tmout); + + FATAL("Test case '%s' results in a timeout", fn); + + } + + case FAULT_CRASH: + + if (crash_mode) break; + + if (skip_crashes) { + WARNF("Test case results in a crash (skipping)"); + q->cal_failed = CAL_CHANCES; + cal_failures++; + break; + } + + if (mem_limit) { + + SAYF("\n" cLRD "[-] " cRST + "Oops, the program crashed with one of the test cases provided. There are\n" + " several possible explanations:\n\n" + + " - The test case causes known crashes under normal working conditions. If\n" + " so, please remove it. The fuzzer should be seeded with interesting\n" + " inputs - but not ones that cause an outright crash.\n\n" + + " - The current memory limit (%s) is too low for this program, causing\n" + " it to die due to OOM when parsing valid files. To fix this, try\n" + " bumping it up with the -m setting in the command line. If in doubt,\n" + " try something along the lines of:\n\n" + +#ifdef RLIMIT_AS + " ( ulimit -Sv $[%llu << 10]; /path/to/binary [...] for troubleshooting tips.\n", + DMS(mem_limit << 20), mem_limit - 1, doc_path); + + } else { + + SAYF("\n" cLRD "[-] " cRST + "Oops, the program crashed with one of the test cases provided. There are\n" + " several possible explanations:\n\n" + + " - The test case causes known crashes under normal working conditions. If\n" + " so, please remove it. The fuzzer should be seeded with interesting\n" + " inputs - but not ones that cause an outright crash.\n\n" + +#ifdef __APPLE__ + + " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" + " break afl-fuzz performance optimizations when running platform-specific\n" + " binaries. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" + +#endif /* __APPLE__ */ + + " - Least likely, there is a horrible bug in the fuzzer. If other options\n" + " fail, poke for troubleshooting tips.\n"); + + } + + FATAL("Test case '%s' results in a crash", fn); + + case FAULT_ERROR: + + FATAL("Unable to execute target application ('%s')", argv[0]); + + case FAULT_NOINST: + + FATAL("No instrumentation detected"); + + case FAULT_NOBITS: + + useless_at_start++; + + if (!in_bitmap && !shuffle_queue) + WARNF("No new instrumentation output, test case may be useless."); + + break; + + } + + if (q->var_behavior) WARNF("Instrumentation output varies across runs."); + + q = q->next; + + } + + if (cal_failures) { + + if (cal_failures == queued_paths) + FATAL("All test cases time out%s, giving up!", + skip_crashes ? " or crash" : ""); + + WARNF("Skipped %u test cases (%0.02f%%) due to timeouts%s.", cal_failures, + ((double)cal_failures) * 100 / queued_paths, + skip_crashes ? " or crashes" : ""); + + if (cal_failures * 5 > queued_paths) + WARNF(cLRD "High percentage of rejected test cases, check settings!"); + + } + + OKF("All test cases processed."); + +} + + +/* Helper function: link() if possible, copy otherwise. */ + +static void link_or_copy(u8* old_path, u8* new_path) { + + s32 i = link(old_path, new_path); + s32 sfd, dfd; + u8* tmp; + + if (!i) return; + + sfd = open(old_path, O_RDONLY); + if (sfd < 0) PFATAL("Unable to open '%s'", old_path); + + dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (dfd < 0) PFATAL("Unable to create '%s'", new_path); + + tmp = ck_alloc(64 * 1024); + + while ((i = read(sfd, tmp, 64 * 1024)) > 0) + ck_write(dfd, tmp, i, new_path); + + if (i < 0) PFATAL("read() failed"); + + ck_free(tmp); + close(sfd); + close(dfd); + +} + + +static void nuke_resume_dir(void); + +/* Create hard links for input test cases in the output directory, choosing + good names and pivoting accordingly. */ + +static void pivot_inputs(void) { + + struct queue_entry* q = queue; + u32 id = 0; + + ACTF("Creating hard links for all input files..."); + + while (q) { + + u8 *nfn, *rsl = strrchr(q->fname, '/'); + u32 orig_id; + + if (!rsl) rsl = q->fname; else rsl++; + + /* If the original file name conforms to the syntax and the recorded + ID matches the one we'd assign, just use the original file name. + This is valuable for resuming fuzzing runs. */ + +#ifndef SIMPLE_FILES +# define CASE_PREFIX "id:" +#else +# define CASE_PREFIX "id_" +#endif /* ^!SIMPLE_FILES */ + + if (!strncmp(rsl, CASE_PREFIX, 3) && + sscanf(rsl + 3, "%06u", &orig_id) == 1 && orig_id == id) { + + u8* src_str; + u32 src_id; + + resuming_fuzz = 1; + nfn = alloc_printf("%s/queue/%s", out_dir, rsl); + + /* Since we're at it, let's also try to find parent and figure out the + appropriate depth for this entry. */ + + src_str = strchr(rsl + 3, ':'); + + if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { + + struct queue_entry* s = queue; + while (src_id-- && s) s = s->next; + if (s) q->depth = s->depth + 1; + + if (max_depth < q->depth) max_depth = q->depth; + + } + + } else { + + /* No dice - invent a new name, capturing the original one as a + substring. */ + +#ifndef SIMPLE_FILES + + u8* use_name = strstr(rsl, ",orig:"); + + if (use_name) use_name += 6; else use_name = rsl; + nfn = alloc_printf("%s/queue/id:%06u,orig:%s", out_dir, id, use_name); + +#else + + nfn = alloc_printf("%s/queue/id_%06u", out_dir, id); + +#endif /* ^!SIMPLE_FILES */ + + } + + /* Pivot to the new queue entry. */ + + link_or_copy(q->fname, nfn); + ck_free(q->fname); + q->fname = nfn; + + /* Make sure that the passed_det value carries over, too. */ + + if (q->passed_det) mark_as_det_done(q); + + q = q->next; + id++; + + } + + if (in_place_resume) nuke_resume_dir(); + +} + + +#ifndef SIMPLE_FILES + +/* Construct a file name for a new test case, capturing the operation + that led to its discovery. Uses a static buffer. */ + +static u8* describe_op(u8 hnb) { + + static u8 ret[256]; + + if (syncing_party) { + + sprintf(ret, "sync:%s,src:%06u", syncing_party, syncing_case); + + } else { + + sprintf(ret, "src:%06u", current_entry); + + if (splicing_with >= 0) + sprintf(ret + strlen(ret), "+%06u", splicing_with); + + sprintf(ret + strlen(ret), ",op:%s", stage_short); + + if (stage_cur_byte >= 0) { + + sprintf(ret + strlen(ret), ",pos:%u", stage_cur_byte); + + if (stage_val_type != STAGE_VAL_NONE) + sprintf(ret + strlen(ret), ",val:%s%+d", + (stage_val_type == STAGE_VAL_BE) ? "be:" : "", + stage_cur_val); + + } else sprintf(ret + strlen(ret), ",rep:%u", stage_cur_val); + + } + + if (hnb == 2) strcat(ret, ",+cov"); + + return ret; + +} + +#endif /* !SIMPLE_FILES */ + + +/* Write a message accompanying the crash directory :-) */ + +static void write_crash_readme(void) { + + u8* fn = alloc_printf("%s/crashes/README.txt", out_dir); + s32 fd; + FILE* f; + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + ck_free(fn); + + /* Do not die on errors here - that would be impolite. */ + + if (fd < 0) return; + + f = fdopen(fd, "w"); + + if (!f) { + close(fd); + return; + } + + fprintf(f, "Command line used to find this crash:\n\n" + + "%s\n\n" + + "If you can't reproduce a bug outside of afl-fuzz, be sure to set the same\n" + "memory limit. The limit used for this fuzzing session was %s.\n\n" + + "Need a tool to minimize test cases before investigating the crashes or sending\n" + "them to a vendor? Check out the afl-tmin that comes with the fuzzer!\n\n" + + "Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop\n" + "me a mail at once the issues are fixed - I'd love to\n" + "add your finds to the gallery at:\n\n" + + " http://lcamtuf.coredump.cx/afl/\n\n" + + "Thanks :-)\n", + + orig_cmdline, DMS(mem_limit << 20)); /* ignore errors */ + + fclose(f); + +} + + +/* Check if the result of an execve() during routine fuzzing is interesting, + save or queue the input test case for further analysis if so. Returns 1 if + entry is saved, 0 otherwise. */ + +static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { + + u8 *fn = ""; + u8 hnb; + s32 fd; + u8 keeping = 0, res; + + if (fault == crash_mode) { + + /* Keep only if there are new bits in the map, add to queue for + future fuzzing, etc. */ + + if (!(hnb = has_new_bits(virgin_bits))) { + if (crash_mode) total_crashes++; + return 0; + } + +#ifndef SIMPLE_FILES + + fn = alloc_printf("%s/queue/id:%06u,%s", out_dir, queued_paths, + describe_op(hnb)); + +#else + + fn = alloc_printf("%s/queue/id_%06u", out_dir, queued_paths); + +#endif /* ^!SIMPLE_FILES */ + + add_to_queue(fn, len, 0); + + if (hnb == 2) { + queue_top->has_new_cov = 1; + queued_with_cov++; + } + + queue_top->exec_cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + /* Try to calibrate inline; this also calls update_bitmap_score() when + successful. */ + + res = calibrate_case(argv, queue_top, mem, queue_cycle - 1, 0); + + if (res == FAULT_ERROR) + FATAL("Unable to execute target application"); + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + ck_write(fd, mem, len, fn); + close(fd); + + keeping = 1; + + } + + switch (fault) { + + case FAULT_TMOUT: + + /* Timeouts are not very interesting, but we're still obliged to keep + a handful of samples. We use the presence of new bits in the + hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we + just keep everything. */ + + total_tmouts++; + + if (unique_hangs >= KEEP_UNIQUE_HANG) return keeping; + + if (!dumb_mode) { + +#ifdef WORD_SIZE_64 + simplify_trace((u64*)trace_bits); +#else + simplify_trace((u32*)trace_bits); +#endif /* ^WORD_SIZE_64 */ + + if (!has_new_bits(virgin_tmout)) return keeping; + + } + + unique_tmouts++; + + /* Before saving, we make sure that it's a genuine hang by re-running + the target with a more generous timeout (unless the default timeout + is already generous). */ + + if (exec_tmout < hang_tmout) { + + u8 new_fault; + write_to_testcase(mem, len); + new_fault = run_target(argv, hang_tmout); + + /* A corner case that one user reported bumping into: increasing the + timeout actually uncovers a crash. Make sure we don't discard it if + so. */ + + if (!stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; + + if (stop_soon || new_fault != FAULT_TMOUT) return keeping; + + } + +#ifndef SIMPLE_FILES + + fn = alloc_printf("%s/hangs/id:%06llu,%s", out_dir, + unique_hangs, describe_op(0)); + +#else + + fn = alloc_printf("%s/hangs/id_%06llu", out_dir, + unique_hangs); + +#endif /* ^!SIMPLE_FILES */ + + unique_hangs++; + + last_hang_time = get_cur_time(); + + break; + + case FAULT_CRASH: + +keep_as_crash: + + /* This is handled in a manner roughly similar to timeouts, + except for slightly different limits and no need to re-run test + cases. */ + + total_crashes++; + + if (unique_crashes >= KEEP_UNIQUE_CRASH) return keeping; + + if (!dumb_mode) { + +#ifdef WORD_SIZE_64 + simplify_trace((u64*)trace_bits); +#else + simplify_trace((u32*)trace_bits); +#endif /* ^WORD_SIZE_64 */ + + if (!has_new_bits(virgin_crash)) return keeping; + + } + + if (!unique_crashes) write_crash_readme(); + +#ifndef SIMPLE_FILES + + fn = alloc_printf("%s/crashes/id:%06llu,sig:%02u,%s", out_dir, + unique_crashes, kill_signal, describe_op(0)); + +#else + + fn = alloc_printf("%s/crashes/id_%06llu_%02u", out_dir, unique_crashes, + kill_signal); + +#endif /* ^!SIMPLE_FILES */ + + unique_crashes++; + + last_crash_time = get_cur_time(); + last_crash_execs = total_execs; + + break; + + case FAULT_ERROR: FATAL("Unable to execute target application"); + + default: return keeping; + + } + + /* If we're here, we apparently want to save the crash or hang + test case, too. */ + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + ck_write(fd, mem, len, fn); + close(fd); + + ck_free(fn); + + return keeping; + +} + + +/* When resuming, try to find the queue position to start from. This makes sense + only when resuming, and when we can find the original fuzzer_stats. */ + +static u32 find_start_position(void) { + + static u8 tmp[4096]; /* Ought to be enough for anybody. */ + + u8 *fn, *off; + s32 fd, i; + u32 ret; + + if (!resuming_fuzz) return 0; + + if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir); + else fn = alloc_printf("%s/../fuzzer_stats", in_dir); + + fd = open(fn, O_RDONLY); + ck_free(fn); + + if (fd < 0) return 0; + + i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ + close(fd); + + off = strstr(tmp, "cur_path : "); + if (!off) return 0; + + ret = atoi(off + 20); + if (ret >= queued_paths) ret = 0; + return ret; + +} + + +/* The same, but for timeouts. The idea is that when resuming sessions without + -t given, we don't want to keep auto-scaling the timeout over and over + again to prevent it from growing due to random flukes. */ + +static void find_timeout(void) { + + static u8 tmp[4096]; /* Ought to be enough for anybody. */ + + u8 *fn, *off; + s32 fd, i; + u32 ret; + + if (!resuming_fuzz) return; + + if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir); + else fn = alloc_printf("%s/../fuzzer_stats", in_dir); + + fd = open(fn, O_RDONLY); + ck_free(fn); + + if (fd < 0) return; + + i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ + close(fd); + + off = strstr(tmp, "exec_timeout : "); + if (!off) return; + + ret = atoi(off + 20); + if (ret <= 4) return; + + exec_tmout = ret; + timeout_given = 3; + +} + + +/* Update stats file for unattended monitoring. */ + +static void write_stats_file(double bitmap_cvg, double stability, double eps) { + + static double last_bcvg, last_stab, last_eps; + static struct rusage usage; + + u8* fn = alloc_printf("%s/fuzzer_stats", out_dir); + s32 fd; + FILE* f; + + fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", fn); + + ck_free(fn); + + f = fdopen(fd, "w"); + + if (!f) PFATAL("fdopen() failed"); + + /* Keep last values in case we're called from another context + where exec/sec stats and such are not readily available. */ + + if (!bitmap_cvg && !stability && !eps) { + bitmap_cvg = last_bcvg; + stability = last_stab; + eps = last_eps; + } else { + last_bcvg = bitmap_cvg; + last_stab = stability; + last_eps = eps; + } + + fprintf(f, "start_time : %llu\n" + "last_update : %llu\n" + "fuzzer_pid : %u\n" + "cycles_done : %llu\n" + "execs_done : %llu\n" + "execs_per_sec : %0.02f\n" + "paths_total : %u\n" + "paths_favored : %u\n" + "paths_found : %u\n" + "paths_imported : %u\n" + "max_depth : %u\n" + "cur_path : %u\n" /* Must match find_start_position() */ + "pending_favs : %u\n" + "pending_total : %u\n" + "variable_paths : %u\n" + "stability : %0.02f%%\n" + "bitmap_cvg : %0.02f%%\n" + "unique_crashes : %llu\n" + "unique_hangs : %llu\n" + "last_path : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" + "exec_timeout : %u\n" /* Must match find_timeout() */ + "afl_banner : %s\n" + "afl_version : " VERSION "\n" + "target_mode : %s%s%s%s%s%s%s\n" + "command_line : %s\n" + "slowest_exec_ms : %llu\n", + start_time / 1000, get_cur_time() / 1000, getpid(), + queue_cycle ? (queue_cycle - 1) : 0, total_execs, eps, + queued_paths, queued_favored, queued_discovered, queued_imported, + max_depth, current_entry, pending_favored, pending_not_fuzzed, + queued_variable, stability, bitmap_cvg, unique_crashes, + unique_hangs, last_path_time / 1000, last_crash_time / 1000, + last_hang_time / 1000, total_execs - last_crash_execs, + exec_tmout, use_banner, + qemu_mode ? "qemu " : "", dumb_mode ? " dumb " : "", + no_forkserver ? "no_forksrv " : "", crash_mode ? "crash " : "", + persistent_mode ? "persistent " : "", deferred_mode ? "deferred " : "", + (qemu_mode || dumb_mode || no_forkserver || crash_mode || + persistent_mode || deferred_mode) ? "" : "default", + orig_cmdline, slowest_exec_ms); + /* ignore errors */ + + /* Get rss value from the children + We must have killed the forkserver process and called waitpid + before calling getrusage */ + if (getrusage(RUSAGE_CHILDREN, &usage)) { + WARNF("getrusage failed"); + } else if (usage.ru_maxrss == 0) { + fprintf(f, "peak_rss_mb : not available while afl is running\n"); + } else { +#ifdef __APPLE__ + fprintf(f, "peak_rss_mb : %zu\n", usage.ru_maxrss >> 20); +#else + fprintf(f, "peak_rss_mb : %zu\n", usage.ru_maxrss >> 10); +#endif /* ^__APPLE__ */ + } + + fclose(f); + +} + + +/* Update the plot file if there is a reason to. */ + +static void maybe_update_plot_file(double bitmap_cvg, double eps) { + + static u32 prev_qp, prev_pf, prev_pnf, prev_ce, prev_md; + static u64 prev_qc, prev_uc, prev_uh; + + if (prev_qp == queued_paths && prev_pf == pending_favored && + prev_pnf == pending_not_fuzzed && prev_ce == current_entry && + prev_qc == queue_cycle && prev_uc == unique_crashes && + prev_uh == unique_hangs && prev_md == max_depth) return; + + prev_qp = queued_paths; + prev_pf = pending_favored; + prev_pnf = pending_not_fuzzed; + prev_ce = current_entry; + prev_qc = queue_cycle; + prev_uc = unique_crashes; + prev_uh = unique_hangs; + prev_md = max_depth; + + /* Fields in the file: + + unix_time, cycles_done, cur_path, paths_total, paths_not_fuzzed, + favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, + execs_per_sec */ + + fprintf(plot_file, + "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f\n", + get_cur_time() / 1000, queue_cycle - 1, current_entry, queued_paths, + pending_not_fuzzed, pending_favored, bitmap_cvg, unique_crashes, + unique_hangs, max_depth, eps); /* ignore errors */ + + fflush(plot_file); + +} + + + +/* A helper function for maybe_delete_out_dir(), deleting all prefixed + files in a directory. */ + +static u8 delete_files(u8* path, u8* prefix) { + + DIR* d; + struct dirent* d_ent; + + d = opendir(path); + + if (!d) return 0; + + while ((d_ent = readdir(d))) { + + if (d_ent->d_name[0] != '.' && (!prefix || + !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { + + u8* fname = alloc_printf("%s/%s", path, d_ent->d_name); + if (unlink(fname)) PFATAL("Unable to delete '%s'", fname); + ck_free(fname); + + } + + } + + closedir(d); + + return !!rmdir(path); + +} + + +/* Get the number of runnable processes, with some simple smoothing. */ + +static double get_runnable_processes(void) { + + static double res; + +#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) + + /* I don't see any portable sysctl or so that would quickly give us the + number of runnable processes; the 1-minute load average can be a + semi-decent approximation, though. */ + + if (getloadavg(&res, 1) != 1) return 0; + +#else + + /* On Linux, /proc/stat is probably the best way; load averages are + computed in funny ways and sometimes don't reflect extremely short-lived + processes well. */ + + FILE* f = fopen("/proc/stat", "r"); + u8 tmp[1024]; + u32 val = 0; + + if (!f) return 0; + + while (fgets(tmp, sizeof(tmp), f)) { + + if (!strncmp(tmp, "procs_running ", 14) || + !strncmp(tmp, "procs_blocked ", 14)) val += atoi(tmp + 14); + + } + + fclose(f); + + if (!res) { + + res = val; + + } else { + + res = res * (1.0 - 1.0 / AVG_SMOOTHING) + + ((double)val) * (1.0 / AVG_SMOOTHING); + + } + +#endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ + + return res; + +} + + +/* Delete the temporary directory used for in-place session resume. */ + +static void nuke_resume_dir(void) { + + u8* fn; + + fn = alloc_printf("%s/_resume/.state/deterministic_done", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume/.state/auto_extras", out_dir); + if (delete_files(fn, "auto_")) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume/.state/redundant_edges", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume/.state/variable_behavior", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume/.state", out_dir); + if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + return; + +dir_cleanup_failed: + + FATAL("_resume directory cleanup failed"); + +} + + +/* Delete fuzzer output directory if we recognize it as ours, if the fuzzer + is not currently running, and if the last run time isn't too great. */ + +static void maybe_delete_out_dir(void) { + + FILE* f; + u8 *fn = alloc_printf("%s/fuzzer_stats", out_dir); + + /* See if the output directory is locked. If yes, bail out. If not, + create a lock that will persist for the lifetime of the process + (this requires leaving the descriptor open).*/ + + out_dir_fd = open(out_dir, O_RDONLY); + if (out_dir_fd < 0) PFATAL("Unable to open '%s'", out_dir); + +#ifndef __sun + + if (flock(out_dir_fd, LOCK_EX | LOCK_NB) && errno == EWOULDBLOCK) { + + SAYF("\n" cLRD "[-] " cRST + "Looks like the job output directory is being actively used by another\n" + " instance of afl-fuzz. You will need to choose a different %s\n" + " or stop the other process first.\n", + sync_id ? "fuzzer ID" : "output location"); + + FATAL("Directory '%s' is in use", out_dir); + + } + +#endif /* !__sun */ + + f = fopen(fn, "r"); + + if (f) { + + u64 start_time, last_update; + + if (fscanf(f, "start_time : %llu\n" + "last_update : %llu\n", &start_time, &last_update) != 2) + FATAL("Malformed data in '%s'", fn); + + fclose(f); + + /* Let's see how much work is at stake. */ + + if (!in_place_resume && last_update - start_time > OUTPUT_GRACE * 60) { + + SAYF("\n" cLRD "[-] " cRST + "The job output directory already exists and contains the results of more\n" + " than %u minutes worth of fuzzing. To avoid data loss, afl-fuzz will *NOT*\n" + " automatically delete this data for you.\n\n" + + " If you wish to start a new session, remove or rename the directory manually,\n" + " or specify a different output location for this job. To resume the old\n" + " session, put '-' as the input directory in the command line ('-i -') and\n" + " try again.\n", OUTPUT_GRACE); + + FATAL("At-risk data found in '%s'", out_dir); + + } + + } + + ck_free(fn); + + /* The idea for in-place resume is pretty simple: we temporarily move the old + queue/ to a new location that gets deleted once import to the new queue/ + is finished. If _resume/ already exists, the current queue/ may be + incomplete due to an earlier abort, so we want to use the old _resume/ + dir instead, and we let rename() fail silently. */ + + if (in_place_resume) { + + u8* orig_q = alloc_printf("%s/queue", out_dir); + + in_dir = alloc_printf("%s/_resume", out_dir); + + rename(orig_q, in_dir); /* Ignore errors */ + + OKF("Output directory exists, will attempt session resume."); + + ck_free(orig_q); + + } else { + + OKF("Output directory exists but deemed OK to reuse."); + + } + + ACTF("Deleting old session data..."); + + /* Okay, let's get the ball rolling! First, we need to get rid of the entries + in /.synced/.../id:*, if any are present. */ + + if (!in_place_resume) { + + fn = alloc_printf("%s/.synced", out_dir); + if (delete_files(fn, NULL)) goto dir_cleanup_failed; + ck_free(fn); + + } + + /* Next, we need to clean up /queue/.state/ subdirectories: */ + + fn = alloc_printf("%s/queue/.state/deterministic_done", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/queue/.state/auto_extras", out_dir); + if (delete_files(fn, "auto_")) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/queue/.state/redundant_edges", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/queue/.state/variable_behavior", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + /* Then, get rid of the .state subdirectory itself (should be empty by now) + and everything matching /queue/id:*. */ + + fn = alloc_printf("%s/queue/.state", out_dir); + if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/queue", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + /* All right, let's do /crashes/id:* and /hangs/id:*. */ + + if (!in_place_resume) { + + fn = alloc_printf("%s/crashes/README.txt", out_dir); + unlink(fn); /* Ignore errors */ + ck_free(fn); + + } + + fn = alloc_printf("%s/crashes", out_dir); + + /* Make backup of the crashes directory if it's not empty and if we're + doing in-place resume. */ + + if (in_place_resume && rmdir(fn)) { + + time_t cur_t = time(0); + struct tm* t = localtime(&cur_t); + +#ifndef SIMPLE_FILES + + u8* nfn = alloc_printf("%s.%04u-%02u-%02u-%02u:%02u:%02u", fn, + t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, + t->tm_hour, t->tm_min, t->tm_sec); + +#else + + u8* nfn = alloc_printf("%s_%04u%02u%02u%02u%02u%02u", fn, + t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, + t->tm_hour, t->tm_min, t->tm_sec); + +#endif /* ^!SIMPLE_FILES */ + + rename(fn, nfn); /* Ignore errors. */ + ck_free(nfn); + + } + + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/hangs", out_dir); + + /* Backup hangs, too. */ + + if (in_place_resume && rmdir(fn)) { + + time_t cur_t = time(0); + struct tm* t = localtime(&cur_t); + +#ifndef SIMPLE_FILES + + u8* nfn = alloc_printf("%s.%04u-%02u-%02u-%02u:%02u:%02u", fn, + t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, + t->tm_hour, t->tm_min, t->tm_sec); + +#else + + u8* nfn = alloc_printf("%s_%04u%02u%02u%02u%02u%02u", fn, + t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, + t->tm_hour, t->tm_min, t->tm_sec); + +#endif /* ^!SIMPLE_FILES */ + + rename(fn, nfn); /* Ignore errors. */ + ck_free(nfn); + + } + + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + /* And now, for some finishing touches. */ + + fn = alloc_printf("%s/.cur_input", out_dir); + if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/fuzz_bitmap", out_dir); + if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + if (!in_place_resume) { + fn = alloc_printf("%s/fuzzer_stats", out_dir); + if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + } + + fn = alloc_printf("%s/plot_data", out_dir); + if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + OKF("Output dir cleanup successful."); + + /* Wow... is that all? If yes, celebrate! */ + + return; + +dir_cleanup_failed: + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the fuzzer tried to reuse your output directory, but bumped into\n" + " some files that shouldn't be there or that couldn't be removed - so it\n" + " decided to abort! This happened while processing this path:\n\n" + + " %s\n\n" + " Please examine and manually delete the files, or specify a different\n" + " output location for the tool.\n", fn); + + FATAL("Output directory cleanup failed"); + +} + + +static void check_term_size(void); + + +/* A spiffy retro stats screen! This is called every stats_update_freq + execve() calls, plus in several other circumstances. */ + +static void show_stats(void) { + + static u64 last_stats_ms, last_plot_ms, last_ms, last_execs; + static double avg_exec; + double t_byte_ratio, stab_ratio; + + u64 cur_ms; + u32 t_bytes, t_bits; + + u32 banner_len, banner_pad; + u8 tmp[256]; + + cur_ms = get_cur_time(); + + /* If not enough time has passed since last UI update, bail out. */ + + if (cur_ms - last_ms < 1000 / UI_TARGET_HZ) return; + + /* Check if we're past the 10 minute mark. */ + + if (cur_ms - start_time > 10 * 60 * 1000) run_over10m = 1; + + /* Calculate smoothed exec speed stats. */ + + if (!last_execs) { + + avg_exec = ((double)total_execs) * 1000 / (cur_ms - start_time); + + } else { + + double cur_avg = ((double)(total_execs - last_execs)) * 1000 / + (cur_ms - last_ms); + + /* If there is a dramatic (5x+) jump in speed, reset the indicator + more quickly. */ + + if (cur_avg * 5 < avg_exec || cur_avg / 5 > avg_exec) + avg_exec = cur_avg; + + avg_exec = avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + + cur_avg * (1.0 / AVG_SMOOTHING); + + } + + last_ms = cur_ms; + last_execs = total_execs; + + /* Tell the callers when to contact us (as measured in execs). */ + + stats_update_freq = avg_exec / (UI_TARGET_HZ * 10); + if (!stats_update_freq) stats_update_freq = 1; + + /* Do some bitmap stats. */ + + t_bytes = count_non_255_bytes(virgin_bits); + t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; + + if (t_bytes) + stab_ratio = 100 - ((double)var_byte_count) * 100 / t_bytes; + else + stab_ratio = 100; + + /* Roughly every minute, update fuzzer stats and save auto tokens. */ + + if (cur_ms - last_stats_ms > STATS_UPDATE_SEC * 1000) { + + last_stats_ms = cur_ms; + write_stats_file(t_byte_ratio, stab_ratio, avg_exec); + save_auto(); + write_bitmap(); + + } + + /* Every now and then, write plot data. */ + + if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { + + last_plot_ms = cur_ms; + maybe_update_plot_file(t_byte_ratio, avg_exec); + + } + + /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ + + if (!dumb_mode && cycles_wo_finds > 100 && !pending_not_fuzzed && + getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; + + if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; + + /* If we're not on TTY, bail out. */ + + if (not_on_tty) return; + + /* Compute some mildly useful bitmap stats. */ + + t_bits = (MAP_SIZE << 3) - count_bits(virgin_bits); + + /* Now, for the visuals... */ + + if (clear_screen) { + + SAYF(TERM_CLEAR CURSOR_HIDE); + clear_screen = 0; + + check_term_size(); + + } + + SAYF(TERM_HOME); + + if (term_too_small) { + + SAYF(cBRI "Your terminal is too small to display the UI.\n" + "Please resize terminal window to at least 80x25.\n" cRST); + + return; + + } + + /* Let's start by drawing a centered banner. */ + + banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner); + banner_pad = (80 - banner_len) / 2; + memset(tmp, ' ', banner_pad); + + sprintf(tmp + banner_pad, "%s " cLCY VERSION cLGN + " (%s)", crash_mode ? cPIN "peruvian were-rabbit" : + cYEL "american fuzzy lop", use_banner); + + SAYF("\n%s\n\n", tmp); + + /* "Handy" shortcuts for drawing boxes... */ + +#define bSTG bSTART cGRA +#define bH2 bH bH +#define bH5 bH2 bH2 bH +#define bH10 bH5 bH5 +#define bH20 bH10 bH10 +#define bH30 bH20 bH10 +#define SP5 " " +#define SP10 SP5 SP5 +#define SP20 SP10 SP10 + + /* Lord, forgive me this. */ + + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH2 bHB + bH bSTOP cCYA " overall results " bSTG bH5 bRT "\n"); + + if (dumb_mode) { + + strcpy(tmp, cRST); + + } else { + + u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60; + + /* First queue cycle: don't stop now! */ + if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else + + /* Subsequent cycles, but we're still making finds. */ + if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else + + /* No finds for a long time and no test cases to try. */ + if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120) + strcpy(tmp, cLGN); + + /* Default: cautiously OK to stop? */ + else strcpy(tmp, cLBL); + + } + + SAYF(bV bSTOP " run time : " cRST "%-34s " bSTG bV bSTOP + " cycles done : %s%-5s " bSTG bV "\n", + DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); + + /* We want to warn people about not seeing new paths after a full cycle, + except when resuming fuzzing or running in non-instrumented mode. */ + + if (!dumb_mode && (last_path_time || resuming_fuzz || queue_cycle == 1 || + in_bitmap || crash_mode)) { + + SAYF(bV bSTOP " last new path : " cRST "%-34s ", + DTD(cur_ms, last_path_time)); + + } else { + + if (dumb_mode) + + SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST + " (non-instrumented mode) "); + + else + + SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD + "(odd, check syntax!) "); + + } + + SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", + DI(queued_paths)); + + /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH + limit with a '+' appended to the count. */ + + sprintf(tmp, "%s%s", DI(unique_crashes), + (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + + SAYF(bV bSTOP " last uniq crash : " cRST "%-34s " bSTG bV bSTOP + " uniq crashes : %s%-6s " bSTG bV "\n", + DTD(cur_ms, last_crash_time), unique_crashes ? cLRD : cRST, + tmp); + + sprintf(tmp, "%s%s", DI(unique_hangs), + (unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + + SAYF(bV bSTOP " last uniq hang : " cRST "%-34s " bSTG bV bSTOP + " uniq hangs : " cRST "%-6s " bSTG bV "\n", + DTD(cur_ms, last_hang_time), tmp); + + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH20 bHB bH bSTOP cCYA + " map coverage " bSTG bH bHT bH20 bH2 bH bVL "\n"); + + /* This gets funny because we want to print several variable-length variables + together, but then cram them into a fixed-width field - so we need to + put them in a temporary buffer first. */ + + sprintf(tmp, "%s%s (%0.02f%%)", DI(current_entry), + queue_cur->favored ? "" : "*", + ((double)current_entry * 100) / queued_paths); + + SAYF(bV bSTOP " now processing : " cRST "%-17s " bSTG bV bSTOP, tmp); + + sprintf(tmp, "%0.02f%% / %0.02f%%", ((double)queue_cur->bitmap_size) * + 100 / MAP_SIZE, t_byte_ratio); + + SAYF(" map density : %s%-21s " bSTG bV "\n", t_byte_ratio > 70 ? cLRD : + ((t_bytes < 200 && !dumb_mode) ? cPIN : cRST), tmp); + + sprintf(tmp, "%s (%0.02f%%)", DI(cur_skipped_paths), + ((double)cur_skipped_paths * 100) / queued_paths); + + SAYF(bV bSTOP " paths timed out : " cRST "%-17s " bSTG bV, tmp); + + sprintf(tmp, "%0.02f bits/tuple", + t_bytes ? (((double)t_bits) / t_bytes) : 0); + + SAYF(bSTOP " count coverage : " cRST "%-21s " bSTG bV "\n", tmp); + + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH20 bX bH bSTOP cCYA + " findings in depth " bSTG bH20 bVL "\n"); + + sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), + ((double)queued_favored) * 100 / queued_paths); + + /* Yeah... it's still going on... halp? */ + + SAYF(bV bSTOP " now trying : " cRST "%-21s " bSTG bV bSTOP + " favored paths : " cRST "%-22s " bSTG bV "\n", stage_name, tmp); + + if (!stage_max) { + + sprintf(tmp, "%s/-", DI(stage_cur)); + + } else { + + sprintf(tmp, "%s/%s (%0.02f%%)", DI(stage_cur), DI(stage_max), + ((double)stage_cur) * 100 / stage_max); + + } + + SAYF(bV bSTOP " stage execs : " cRST "%-21s " bSTG bV bSTOP, tmp); + + sprintf(tmp, "%s (%0.02f%%)", DI(queued_with_cov), + ((double)queued_with_cov) * 100 / queued_paths); + + SAYF(" new edges on : " cRST "%-22s " bSTG bV "\n", tmp); + + sprintf(tmp, "%s (%s%s unique)", DI(total_crashes), DI(unique_crashes), + (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + + if (crash_mode) { + + SAYF(bV bSTOP " total execs : " cRST "%-21s " bSTG bV bSTOP + " new crashes : %s%-22s " bSTG bV "\n", DI(total_execs), + unique_crashes ? cLRD : cRST, tmp); + + } else { + + SAYF(bV bSTOP " total execs : " cRST "%-21s " bSTG bV bSTOP + " total crashes : %s%-22s " bSTG bV "\n", DI(total_execs), + unique_crashes ? cLRD : cRST, tmp); + + } + + /* Show a warning about slow execution. */ + + if (avg_exec < 100) { + + sprintf(tmp, "%s/sec (%s)", DF(avg_exec), avg_exec < 20 ? + "zzzz..." : "slow!"); + + SAYF(bV bSTOP " exec speed : " cLRD "%-21s ", tmp); + + } else { + + sprintf(tmp, "%s/sec", DF(avg_exec)); + SAYF(bV bSTOP " exec speed : " cRST "%-21s ", tmp); + + } + + sprintf(tmp, "%s (%s%s unique)", DI(total_tmouts), DI(unique_tmouts), + (unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + + SAYF (bSTG bV bSTOP " total tmouts : " cRST "%-22s " bSTG bV "\n", tmp); + + /* Aaaalmost there... hold on! */ + + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH bHT bH10 + bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bH bVL "\n"); + + if (skip_deterministic) { + + strcpy(tmp, "n/a, n/a, n/a"); + + } else { + + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_FLIP1]), DI(stage_cycles[STAGE_FLIP1]), + DI(stage_finds[STAGE_FLIP2]), DI(stage_cycles[STAGE_FLIP2]), + DI(stage_finds[STAGE_FLIP4]), DI(stage_cycles[STAGE_FLIP4])); + + } + + SAYF(bV bSTOP " bit flips : " cRST "%-37s " bSTG bV bSTOP " levels : " + cRST "%-10s " bSTG bV "\n", tmp, DI(max_depth)); + + if (!skip_deterministic) + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_FLIP8]), DI(stage_cycles[STAGE_FLIP8]), + DI(stage_finds[STAGE_FLIP16]), DI(stage_cycles[STAGE_FLIP16]), + DI(stage_finds[STAGE_FLIP32]), DI(stage_cycles[STAGE_FLIP32])); + + SAYF(bV bSTOP " byte flips : " cRST "%-37s " bSTG bV bSTOP " pending : " + cRST "%-10s " bSTG bV "\n", tmp, DI(pending_not_fuzzed)); + + if (!skip_deterministic) + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_ARITH8]), DI(stage_cycles[STAGE_ARITH8]), + DI(stage_finds[STAGE_ARITH16]), DI(stage_cycles[STAGE_ARITH16]), + DI(stage_finds[STAGE_ARITH32]), DI(stage_cycles[STAGE_ARITH32])); + + SAYF(bV bSTOP " arithmetics : " cRST "%-37s " bSTG bV bSTOP " pend fav : " + cRST "%-10s " bSTG bV "\n", tmp, DI(pending_favored)); + + if (!skip_deterministic) + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_INTEREST8]), DI(stage_cycles[STAGE_INTEREST8]), + DI(stage_finds[STAGE_INTEREST16]), DI(stage_cycles[STAGE_INTEREST16]), + DI(stage_finds[STAGE_INTEREST32]), DI(stage_cycles[STAGE_INTEREST32])); + + SAYF(bV bSTOP " known ints : " cRST "%-37s " bSTG bV bSTOP " own finds : " + cRST "%-10s " bSTG bV "\n", tmp, DI(queued_discovered)); + + if (!skip_deterministic) + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_EXTRAS_UO]), DI(stage_cycles[STAGE_EXTRAS_UO]), + DI(stage_finds[STAGE_EXTRAS_UI]), DI(stage_cycles[STAGE_EXTRAS_UI]), + DI(stage_finds[STAGE_EXTRAS_AO]), DI(stage_cycles[STAGE_EXTRAS_AO])); + + SAYF(bV bSTOP " dictionary : " cRST "%-37s " bSTG bV bSTOP + " imported : " cRST "%-10s " bSTG bV "\n", tmp, + sync_id ? DI(queued_imported) : (u8*)"n/a"); + + sprintf(tmp, "%s/%s, %s/%s", + DI(stage_finds[STAGE_HAVOC]), DI(stage_cycles[STAGE_HAVOC]), + DI(stage_finds[STAGE_SPLICE]), DI(stage_cycles[STAGE_SPLICE])); + + SAYF(bV bSTOP " havoc : " cRST "%-37s " bSTG bV bSTOP, tmp); + + if (t_bytes) sprintf(tmp, "%0.02f%%", stab_ratio); + else strcpy(tmp, "n/a"); + + SAYF(" stability : %s%-10s " bSTG bV "\n", (stab_ratio < 85 && var_byte_count > 40) + ? cLRD : ((queued_variable && (!persistent_mode || var_byte_count > 20)) + ? cMGN : cRST), tmp); + + if (!bytes_trim_out) { + + sprintf(tmp, "n/a, "); + + } else { + + sprintf(tmp, "%0.02f%%/%s, ", + ((double)(bytes_trim_in - bytes_trim_out)) * 100 / bytes_trim_in, + DI(trim_execs)); + + } + + if (!blocks_eff_total) { + + u8 tmp2[128]; + + sprintf(tmp2, "n/a"); + strcat(tmp, tmp2); + + } else { + + u8 tmp2[128]; + + sprintf(tmp2, "%0.02f%%", + ((double)(blocks_eff_total - blocks_eff_select)) * 100 / + blocks_eff_total); + + strcat(tmp, tmp2); + + } + + SAYF(bV bSTOP " trim : " cRST "%-37s " bSTG bVR bH20 bH2 bH2 bRB "\n" + bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); + + /* Provide some CPU utilization stats. */ + + if (cpu_core_count) { + + double cur_runnable = get_runnable_processes(); + u32 cur_utilization = cur_runnable * 100 / cpu_core_count; + + u8* cpu_color = cCYA; + + /* If we could still run one or more processes, use green. */ + + if (cpu_core_count > 1 && cur_runnable + 1 <= cpu_core_count) + cpu_color = cLGN; + + /* If we're clearly oversubscribed, use red. */ + + if (!no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; + +#ifdef HAVE_AFFINITY + + if (cpu_aff >= 0) { + + SAYF(SP10 cGRA "[cpu%03u:%s%3u%%" cGRA "]\r" cRST, + MIN(cpu_aff, 999), cpu_color, + MIN(cur_utilization, 999)); + + } else { + + SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, + cpu_color, MIN(cur_utilization, 999)); + + } + +#else + + SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, + cpu_color, MIN(cur_utilization, 999)); + +#endif /* ^HAVE_AFFINITY */ + + } else SAYF("\r"); + + /* Hallelujah! */ + + fflush(0); + +} + + +/* Display quick statistics at the end of processing the input directory, + plus a bunch of warnings. Some calibration stuff also ended up here, + along with several hardcoded constants. Maybe clean up eventually. */ + +static void show_init_stats(void) { + + struct queue_entry* q = queue; + u32 min_bits = 0, max_bits = 0; + u64 min_us = 0, max_us = 0; + u64 avg_us = 0; + u32 max_len = 0; + + if (total_cal_cycles) avg_us = total_cal_us / total_cal_cycles; + + while (q) { + + if (!min_us || q->exec_us < min_us) min_us = q->exec_us; + if (q->exec_us > max_us) max_us = q->exec_us; + + if (!min_bits || q->bitmap_size < min_bits) min_bits = q->bitmap_size; + if (q->bitmap_size > max_bits) max_bits = q->bitmap_size; + + if (q->len > max_len) max_len = q->len; + + q = q->next; + + } + + SAYF("\n"); + + if (avg_us > (qemu_mode ? 50000 : 10000)) + WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.txt.", + doc_path); + + /* Let's keep things moving with slow binaries. */ + + if (avg_us > 50000) havoc_div = 10; /* 0-19 execs/sec */ + else if (avg_us > 20000) havoc_div = 5; /* 20-49 execs/sec */ + else if (avg_us > 10000) havoc_div = 2; /* 50-100 execs/sec */ + + if (!resuming_fuzz) { + + if (max_len > 50 * 1024) + WARNF(cLRD "Some test cases are huge (%s) - see %s/perf_tips.txt!", + DMS(max_len), doc_path); + else if (max_len > 10 * 1024) + WARNF("Some test cases are big (%s) - see %s/perf_tips.txt.", + DMS(max_len), doc_path); + + if (useless_at_start && !in_bitmap) + WARNF(cLRD "Some test cases look useless. Consider using a smaller set."); + + if (queued_paths > 100) + WARNF(cLRD "You probably have far too many input files! Consider trimming down."); + else if (queued_paths > 20) + WARNF("You have lots of input files; try starting small."); + + } + + OKF("Here are some useful stats:\n\n" + + cGRA " Test case count : " cRST "%u favored, %u variable, %u total\n" + cGRA " Bitmap range : " cRST "%u to %u bits (average: %0.02f bits)\n" + cGRA " Exec timing : " cRST "%s to %s us (average: %s us)\n", + queued_favored, queued_variable, queued_paths, min_bits, max_bits, + ((double)total_bitmap_size) / (total_bitmap_entries ? total_bitmap_entries : 1), + DI(min_us), DI(max_us), DI(avg_us)); + + if (!timeout_given) { + + /* Figure out the appropriate timeout. The basic idea is: 5x average or + 1x max, rounded up to EXEC_TM_ROUND ms and capped at 1 second. + + If the program is slow, the multiplier is lowered to 2x or 3x, because + random scheduler jitter is less likely to have any impact, and because + our patience is wearing thin =) */ + + if (avg_us > 50000) exec_tmout = avg_us * 2 / 1000; + else if (avg_us > 10000) exec_tmout = avg_us * 3 / 1000; + else exec_tmout = avg_us * 5 / 1000; + + exec_tmout = MAX(exec_tmout, max_us / 1000); + exec_tmout = (exec_tmout + EXEC_TM_ROUND) / EXEC_TM_ROUND * EXEC_TM_ROUND; + + if (exec_tmout > EXEC_TIMEOUT) exec_tmout = EXEC_TIMEOUT; + + ACTF("No -t option specified, so I'll use exec timeout of %u ms.", + exec_tmout); + + timeout_given = 1; + + } else if (timeout_given == 3) { + + ACTF("Applying timeout settings from resumed session (%u ms).", exec_tmout); + + } + + /* In dumb mode, re-running every timing out test case with a generous time + limit is very expensive, so let's select a more conservative default. */ + + if (dumb_mode && !getenv("AFL_HANG_TMOUT")) + hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100); + + OKF("All set and ready to roll!"); + +} + + +/* Find first power of two greater or equal to val (assuming val under + 2^31). */ + +static u32 next_p2(u32 val) { + + u32 ret = 1; + while (val > ret) ret <<= 1; + return ret; + +} + + +/* Trim all new test cases to save cycles when doing deterministic checks. The + trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of + file size, to keep the stage short and sweet. */ + +static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { + + static u8 tmp[64]; + static u8 clean_trace[MAP_SIZE]; + + u8 needs_write = 0, fault = 0; + u32 trim_exec = 0; + u32 remove_len; + u32 len_p2; + + /* Although the trimmer will be less useful when variable behavior is + detected, it will still work to some extent, so we don't check for + this. */ + + if (q->len < 5) return 0; + + stage_name = tmp; + bytes_trim_in += q->len; + + /* Select initial chunk len, starting with large steps. */ + + len_p2 = next_p2(q->len); + + remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); + + /* Continue until the number of steps gets too high or the stepover + gets too small. */ + + while (remove_len >= MAX(len_p2 / TRIM_END_STEPS, TRIM_MIN_BYTES)) { + + u32 remove_pos = remove_len; + + sprintf(tmp, "trim %s/%s", DI(remove_len), DI(remove_len)); + + stage_cur = 0; + stage_max = q->len / remove_len; + + while (remove_pos < q->len) { + + u32 trim_avail = MIN(remove_len, q->len - remove_pos); + u32 cksum; + + write_with_gap(in_buf, q->len, remove_pos, trim_avail); + + fault = run_target(argv, exec_tmout); + trim_execs++; + + if (stop_soon || fault == FAULT_ERROR) goto abort_trimming; + + /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ + + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + /* If the deletion had no impact on the trace, make it permanent. This + isn't perfect for variable-path inputs, but we're just making a + best-effort pass, so it's not a big deal if we end up with false + negatives every now and then. */ + + if (cksum == q->exec_cksum) { + + u32 move_tail = q->len - remove_pos - trim_avail; + + q->len -= trim_avail; + len_p2 = next_p2(q->len); + + memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, + move_tail); + + /* Let's save a clean trace, which will be needed by + update_bitmap_score once we're done with the trimming stuff. */ + + if (!needs_write) { + + needs_write = 1; + memcpy(clean_trace, trace_bits, MAP_SIZE); + + } + + } else remove_pos += remove_len; + + /* Since this can be slow, update the screen every now and then. */ + + if (!(trim_exec++ % stats_update_freq)) show_stats(); + stage_cur++; + + } + + remove_len >>= 1; + + } + + /* If we have made changes to in_buf, we also need to update the on-disk + version of the test case. */ + + if (needs_write) { + + s32 fd; + + unlink(q->fname); /* ignore errors */ + + fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", q->fname); + + ck_write(fd, in_buf, q->len, q->fname); + close(fd); + + memcpy(trace_bits, clean_trace, MAP_SIZE); + update_bitmap_score(q); + + } + +abort_trimming: + + bytes_trim_out += q->len; + return fault; + +} + + +/* Write a modified test case, run program, process results. Handle + error conditions, returning 1 if it's time to bail out. This is + a helper function for fuzz_one(). */ + +EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { + + u8 fault; + + if (post_handler) { + + out_buf = post_handler(out_buf, &len); + if (!out_buf || !len) return 0; + + } + + write_to_testcase(out_buf, len); + + fault = run_target(argv, exec_tmout); + + if (stop_soon) return 1; + + if (fault == FAULT_TMOUT) { + + if (subseq_tmouts++ > TMOUT_LIMIT) { + cur_skipped_paths++; + return 1; + } + + } else subseq_tmouts = 0; + + /* Users can hit us with SIGUSR1 to request the current input + to be abandoned. */ + + if (skip_requested) { + + skip_requested = 0; + cur_skipped_paths++; + return 1; + + } + + /* This handles FAULT_ERROR for us: */ + + queued_discovered += save_if_interesting(argv, out_buf, len, fault); + + if (!(stage_cur % stats_update_freq) || stage_cur + 1 == stage_max) + show_stats(); + + return 0; + +} + + +/* Helper to choose random block len for block operations in fuzz_one(). + Doesn't return zero, provided that max_len is > 0. */ + +static u32 choose_block_len(u32 limit) { + + u32 min_value, max_value; + u32 rlim = MIN(queue_cycle, 3); + + if (!run_over10m) rlim = 1; + + switch (UR(rlim)) { + + case 0: min_value = 1; + max_value = HAVOC_BLK_SMALL; + break; + + case 1: min_value = HAVOC_BLK_SMALL; + max_value = HAVOC_BLK_MEDIUM; + break; + + default: + + if (UR(10)) { + + min_value = HAVOC_BLK_MEDIUM; + max_value = HAVOC_BLK_LARGE; + + } else { + + min_value = HAVOC_BLK_LARGE; + max_value = HAVOC_BLK_XL; + + } + + } + + if (min_value >= limit) min_value = 1; + + return min_value + UR(MIN(max_value, limit) - min_value + 1); + +} + + +/* Calculate case desirability score to adjust the length of havoc fuzzing. + A helper function for fuzz_one(). Maybe some of these constants should + go into config.h. */ + +static u32 calculate_score(struct queue_entry* q) { + + u32 avg_exec_us = total_cal_us / total_cal_cycles; + u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; + u32 perf_score = 100; + + /* Adjust score based on execution speed of this path, compared to the + global average. Multiplier ranges from 0.1x to 3x. Fast inputs are + less expensive to fuzz, so we're giving them more air time. */ + + if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; + else if (q->exec_us * 0.25 > avg_exec_us) perf_score = 25; + else if (q->exec_us * 0.5 > avg_exec_us) perf_score = 50; + else if (q->exec_us * 0.75 > avg_exec_us) perf_score = 75; + else if (q->exec_us * 4 < avg_exec_us) perf_score = 300; + else if (q->exec_us * 3 < avg_exec_us) perf_score = 200; + else if (q->exec_us * 2 < avg_exec_us) perf_score = 150; + + /* Adjust score based on bitmap size. The working theory is that better + coverage translates to better targets. Multiplier from 0.25x to 3x. */ + + if (q->bitmap_size * 0.3 > avg_bitmap_size) perf_score *= 3; + else if (q->bitmap_size * 0.5 > avg_bitmap_size) perf_score *= 2; + else if (q->bitmap_size * 0.75 > avg_bitmap_size) perf_score *= 1.5; + else if (q->bitmap_size * 3 < avg_bitmap_size) perf_score *= 0.25; + else if (q->bitmap_size * 2 < avg_bitmap_size) perf_score *= 0.5; + else if (q->bitmap_size * 1.5 < avg_bitmap_size) perf_score *= 0.75; + + /* Adjust score based on handicap. Handicap is proportional to how late + in the game we learned about this path. Latecomers are allowed to run + for a bit longer until they catch up with the rest. */ + + if (q->handicap >= 4) { + + perf_score *= 4; + q->handicap -= 4; + + } else if (q->handicap) { + + perf_score *= 2; + q->handicap--; + + } + + /* Final adjustment based on input depth, under the assumption that fuzzing + deeper test cases is more likely to reveal stuff that can't be + discovered with traditional fuzzers. */ + + switch (q->depth) { + + case 0 ... 3: break; + case 4 ... 7: perf_score *= 2; break; + case 8 ... 13: perf_score *= 3; break; + case 14 ... 25: perf_score *= 4; break; + default: perf_score *= 5; + + } + + /* Make sure that we don't go over limit. */ + + if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; + + return perf_score; + +} + + +/* Helper function to see if a particular change (xor_val = old ^ new) could + be a product of deterministic bit flips with the lengths and stepovers + attempted by afl-fuzz. This is used to avoid dupes in some of the + deterministic fuzzing operations that follow bit flips. We also + return 1 if xor_val is zero, which implies that the old and attempted new + values are identical and the exec would be a waste of time. */ + +static u8 could_be_bitflip(u32 xor_val) { + + u32 sh = 0; + + if (!xor_val) return 1; + + /* Shift left until first bit set. */ + + while (!(xor_val & 1)) { sh++; xor_val >>= 1; } + + /* 1-, 2-, and 4-bit patterns are OK anywhere. */ + + if (xor_val == 1 || xor_val == 3 || xor_val == 15) return 1; + + /* 8-, 16-, and 32-bit patterns are OK only if shift factor is + divisible by 8, since that's the stepover for these ops. */ + + if (sh & 7) return 0; + + if (xor_val == 0xff || xor_val == 0xffff || xor_val == 0xffffffff) + return 1; + + return 0; + +} + + +/* Helper function to see if a particular value is reachable through + arithmetic operations. Used for similar purposes. */ + +static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { + + u32 i, ov = 0, nv = 0, diffs = 0; + + if (old_val == new_val) return 1; + + /* See if one-byte adjustments to any byte could produce this result. */ + + for (i = 0; i < blen; i++) { + + u8 a = old_val >> (8 * i), + b = new_val >> (8 * i); + + if (a != b) { diffs++; ov = a; nv = b; } + + } + + /* If only one byte differs and the values are within range, return 1. */ + + if (diffs == 1) { + + if ((u8)(ov - nv) <= ARITH_MAX || + (u8)(nv - ov) <= ARITH_MAX) return 1; + + } + + if (blen == 1) return 0; + + /* See if two-byte adjustments to any byte would produce this result. */ + + diffs = 0; + + for (i = 0; i < blen / 2; i++) { + + u16 a = old_val >> (16 * i), + b = new_val >> (16 * i); + + if (a != b) { diffs++; ov = a; nv = b; } + + } + + /* If only one word differs and the values are within range, return 1. */ + + if (diffs == 1) { + + if ((u16)(ov - nv) <= ARITH_MAX || + (u16)(nv - ov) <= ARITH_MAX) return 1; + + ov = SWAP16(ov); nv = SWAP16(nv); + + if ((u16)(ov - nv) <= ARITH_MAX || + (u16)(nv - ov) <= ARITH_MAX) return 1; + + } + + /* Finally, let's do the same thing for dwords. */ + + if (blen == 4) { + + if ((u32)(old_val - new_val) <= ARITH_MAX || + (u32)(new_val - old_val) <= ARITH_MAX) return 1; + + new_val = SWAP32(new_val); + old_val = SWAP32(old_val); + + if ((u32)(old_val - new_val) <= ARITH_MAX || + (u32)(new_val - old_val) <= ARITH_MAX) return 1; + + } + + return 0; + +} + + +/* Last but not least, a similar helper to see if insertion of an + interesting integer is redundant given the insertions done for + shorter blen. The last param (check_le) is set if the caller + already executed LE insertion for current blen and wants to see + if BE variant passed in new_val is unique. */ + +static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { + + u32 i, j; + + if (old_val == new_val) return 1; + + /* See if one-byte insertions from interesting_8 over old_val could + produce new_val. */ + + for (i = 0; i < blen; i++) { + + for (j = 0; j < sizeof(interesting_8); j++) { + + u32 tval = (old_val & ~(0xff << (i * 8))) | + (((u8)interesting_8[j]) << (i * 8)); + + if (new_val == tval) return 1; + + } + + } + + /* Bail out unless we're also asked to examine two-byte LE insertions + as a preparation for BE attempts. */ + + if (blen == 2 && !check_le) return 0; + + /* See if two-byte insertions over old_val could give us new_val. */ + + for (i = 0; i < blen - 1; i++) { + + for (j = 0; j < sizeof(interesting_16) / 2; j++) { + + u32 tval = (old_val & ~(0xffff << (i * 8))) | + (((u16)interesting_16[j]) << (i * 8)); + + if (new_val == tval) return 1; + + /* Continue here only if blen > 2. */ + + if (blen > 2) { + + tval = (old_val & ~(0xffff << (i * 8))) | + (SWAP16(interesting_16[j]) << (i * 8)); + + if (new_val == tval) return 1; + + } + + } + + } + + if (blen == 4 && check_le) { + + /* See if four-byte insertions could produce the same result + (LE only). */ + + for (j = 0; j < sizeof(interesting_32) / 4; j++) + if (new_val == (u32)interesting_32[j]) return 1; + + } + + return 0; + +} + + +/* Take the current entry from the queue, fuzz it for a while. This + function is a tad too long... returns 0 if fuzzed successfully, 1 if + skipped or bailed out. */ + +static u8 fuzz_one(char** argv) { + + s32 len, fd, temp_len, i, j; + u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; + u64 havoc_queued, orig_hit_cnt, new_hit_cnt; + u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; + + u8 ret_val = 1, doing_det = 0; + + u8 a_collect[MAX_AUTO_EXTRA]; + u32 a_len = 0; + +#ifdef IGNORE_FINDS + + /* In IGNORE_FINDS mode, skip any entries that weren't in the + initial data set. */ + + if (queue_cur->depth > 1) return 1; + +#else + + if (pending_favored) { + + /* If we have any favored, non-fuzzed new arrivals in the queue, + possibly skip to them at the expense of already-fuzzed or non-favored + cases. */ + + if ((queue_cur->was_fuzzed || !queue_cur->favored) && + UR(100) < SKIP_TO_NEW_PROB) return 1; + + } else if (!dumb_mode && !queue_cur->favored && queued_paths > 10) { + + /* Otherwise, still possibly skip non-favored cases, albeit less often. + The odds of skipping stuff are higher for already-fuzzed inputs and + lower for never-fuzzed entries. */ + + if (queue_cycle > 1 && !queue_cur->was_fuzzed) { + + if (UR(100) < SKIP_NFAV_NEW_PROB) return 1; + + } else { + + if (UR(100) < SKIP_NFAV_OLD_PROB) return 1; + + } + + } + +#endif /* ^IGNORE_FINDS */ + + if (not_on_tty) { + ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", + current_entry, queued_paths, unique_crashes); + fflush(stdout); + } + + /* Map the test case into memory. */ + + fd = open(queue_cur->fname, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", queue_cur->fname); + + len = queue_cur->len; + + orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + + if (orig_in == MAP_FAILED) PFATAL("Unable to mmap '%s'", queue_cur->fname); + + close(fd); + + /* We could mmap() out_buf as MAP_PRIVATE, but we end up clobbering every + single byte anyway, so it wouldn't give us any performance or memory usage + benefits. */ + + out_buf = ck_alloc_nozero(len); + + subseq_tmouts = 0; + + cur_depth = queue_cur->depth; + + /******************************************* + * CALIBRATION (only if failed earlier on) * + *******************************************/ + + if (queue_cur->cal_failed) { + + u8 res = FAULT_TMOUT; + + if (queue_cur->cal_failed < CAL_CHANCES) { + + /* Reset exec_cksum to tell calibrate_case to re-execute the testcase + avoiding the usage of an invalid trace_bits. + For more info: https://github.com/AFLplusplus/AFLplusplus/pull/425 */ + + queue_cur->exec_cksum = 0; + + res = calibrate_case(argv, queue_cur, in_buf, queue_cycle - 1, 0); + + if (res == FAULT_ERROR) + FATAL("Unable to execute target application"); + + } + + if (stop_soon || res != crash_mode) { + cur_skipped_paths++; + goto abandon_entry; + } + + } + + /************ + * TRIMMING * + ************/ + + if (!dumb_mode && !queue_cur->trim_done) { + + u8 res = trim_case(argv, queue_cur, in_buf); + + if (res == FAULT_ERROR) + FATAL("Unable to execute target application"); + + if (stop_soon) { + cur_skipped_paths++; + goto abandon_entry; + } + + /* Don't retry trimming, even if it failed. */ + + queue_cur->trim_done = 1; + + if (len != queue_cur->len) len = queue_cur->len; + + } + + memcpy(out_buf, in_buf, len); + + /********************* + * PERFORMANCE SCORE * + *********************/ + + orig_perf = perf_score = calculate_score(queue_cur); + + /* Skip right away if -d is given, if we have done deterministic fuzzing on + this entry ourselves (was_fuzzed), or if it has gone through deterministic + testing in earlier, resumed runs (passed_det). */ + + if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) + goto havoc_stage; + + /* Skip deterministic fuzzing if exec path checksum puts this out of scope + for this master instance. */ + + if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) + goto havoc_stage; + + doing_det = 1; + + /********************************************* + * SIMPLE BITFLIP (+dictionary construction) * + *********************************************/ + +#define FLIP_BIT(_ar, _b) do { \ + u8* _arf = (u8*)(_ar); \ + u32 _bf = (_b); \ + _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ + } while (0) + + /* Single walking bit. */ + + stage_short = "flip1"; + stage_max = len << 3; + stage_name = "bitflip 1/1"; + + stage_val_type = STAGE_VAL_NONE; + + orig_hit_cnt = queued_paths + unique_crashes; + + prev_cksum = queue_cur->exec_cksum; + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + stage_cur_byte = stage_cur >> 3; + + FLIP_BIT(out_buf, stage_cur); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + FLIP_BIT(out_buf, stage_cur); + + /* While flipping the least significant bit in every byte, pull of an extra + trick to detect possible syntax tokens. In essence, the idea is that if + you have a binary blob like this: + + xxxxxxxxIHDRxxxxxxxx + + ...and changing the leading and trailing bytes causes variable or no + changes in program flow, but touching any character in the "IHDR" string + always produces the same, distinctive path, it's highly likely that + "IHDR" is an atomically-checked magic value of special significance to + the fuzzed format. + + We do this here, rather than as a separate stage, because it's a nice + way to keep the operation approximately "free" (i.e., no extra execs). + + Empirically, performing the check when flipping the least significant bit + is advantageous, compared to doing it at the time of more disruptive + changes, where the program flow may be affected in more violent ways. + + The caveat is that we won't generate dictionaries in the -d mode or -S + mode - but that's probably a fair trade-off. + + This won't work particularly well with paths that exhibit variable + behavior, but fails gracefully, so we'll carry out the checks anyway. + + */ + + if (!dumb_mode && (stage_cur & 7) == 7) { + + u32 cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + if (stage_cur == stage_max - 1 && cksum == prev_cksum) { + + /* If at end of file and we are still collecting a string, grab the + final character and force output. */ + + if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; + a_len++; + + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + maybe_add_auto(a_collect, a_len); + + } else if (cksum != prev_cksum) { + + /* Otherwise, if the checksum has changed, see if we have something + worthwhile queued up, and collect that if the answer is yes. */ + + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + maybe_add_auto(a_collect, a_len); + + a_len = 0; + prev_cksum = cksum; + + } + + /* Continue collecting string, but only if the bit flip actually made + any difference - we don't want no-op tokens. */ + + if (cksum != queue_cur->exec_cksum) { + + if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; + a_len++; + + } + + } + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP1] += stage_max; + + /* Two walking bits. */ + + stage_name = "bitflip 2/1"; + stage_short = "flip2"; + stage_max = (len << 3) - 1; + + orig_hit_cnt = new_hit_cnt; + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + stage_cur_byte = stage_cur >> 3; + + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP2] += stage_max; + + /* Four walking bits. */ + + stage_name = "bitflip 4/1"; + stage_short = "flip4"; + stage_max = (len << 3) - 3; + + orig_hit_cnt = new_hit_cnt; + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + stage_cur_byte = stage_cur >> 3; + + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + FLIP_BIT(out_buf, stage_cur + 2); + FLIP_BIT(out_buf, stage_cur + 3); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + FLIP_BIT(out_buf, stage_cur + 2); + FLIP_BIT(out_buf, stage_cur + 3); + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP4] += stage_max; + + /* Effector map setup. These macros calculate: + + EFF_APOS - position of a particular file offset in the map. + EFF_ALEN - length of a map with a particular number of bytes. + EFF_SPAN_ALEN - map span for a sequence of bytes. + + */ + +#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2) +#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1)) +#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l)) +#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l) - 1) - EFF_APOS(_p) + 1) + + /* Initialize effector map for the next step (see comments below). Always + flag first and last byte as doing something. */ + + eff_map = ck_alloc(EFF_ALEN(len)); + eff_map[0] = 1; + + if (EFF_APOS(len - 1) != 0) { + eff_map[EFF_APOS(len - 1)] = 1; + eff_cnt++; + } + + /* Walking byte. */ + + stage_name = "bitflip 8/8"; + stage_short = "flip8"; + stage_max = len; + + orig_hit_cnt = new_hit_cnt; + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + stage_cur_byte = stage_cur; + + out_buf[stage_cur] ^= 0xFF; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + /* We also use this stage to pull off a simple trick: we identify + bytes that seem to have no effect on the current execution path + even when fully flipped - and we skip them during more expensive + deterministic stages, such as arithmetics or known ints. */ + + if (!eff_map[EFF_APOS(stage_cur)]) { + + u32 cksum; + + /* If in dumb mode or if the file is very short, just flag everything + without wasting time on checksums. */ + + if (!dumb_mode && len >= EFF_MIN_LEN) + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + else + cksum = ~queue_cur->exec_cksum; + + if (cksum != queue_cur->exec_cksum) { + eff_map[EFF_APOS(stage_cur)] = 1; + eff_cnt++; + } + + } + + out_buf[stage_cur] ^= 0xFF; + + } + + /* If the effector map is more than EFF_MAX_PERC dense, just flag the + whole thing as worth fuzzing, since we wouldn't be saving much time + anyway. */ + + if (eff_cnt != EFF_ALEN(len) && + eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) { + + memset(eff_map, 1, EFF_ALEN(len)); + + blocks_eff_select += EFF_ALEN(len); + + } else { + + blocks_eff_select += eff_cnt; + + } + + blocks_eff_total += EFF_ALEN(len); + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP8] += stage_max; + + /* Two walking bytes. */ + + if (len < 2) goto skip_bitflip; + + stage_name = "bitflip 16/8"; + stage_short = "flip16"; + stage_cur = 0; + stage_max = len - 1; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len - 1; i++) { + + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max--; + continue; + } + + stage_cur_byte = i; + + *(u16*)(out_buf + i) ^= 0xFFFF; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + *(u16*)(out_buf + i) ^= 0xFFFF; + + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP16] += stage_max; + + if (len < 4) goto skip_bitflip; + + /* Four walking bytes. */ + + stage_name = "bitflip 32/8"; + stage_short = "flip32"; + stage_cur = 0; + stage_max = len - 3; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len - 3; i++) { + + /* Let's consult the effector map... */ + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max--; + continue; + } + + stage_cur_byte = i; + + *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP32] += stage_max; + +skip_bitflip: + + if (no_arith) goto skip_arith; + + /********************** + * ARITHMETIC INC/DEC * + **********************/ + + /* 8-bit arithmetics. */ + + stage_name = "arith 8/8"; + stage_short = "arith8"; + stage_cur = 0; + stage_max = 2 * len * ARITH_MAX; + + stage_val_type = STAGE_VAL_LE; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len; i++) { + + u8 orig = out_buf[i]; + + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)]) { + stage_max -= 2 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; + + for (j = 1; j <= ARITH_MAX; j++) { + + u8 r = orig ^ (orig + j); + + /* Do arithmetic operations only if the result couldn't be a product + of a bitflip. */ + + if (!could_be_bitflip(r)) { + + stage_cur_val = j; + out_buf[i] = orig + j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + r = orig ^ (orig - j); + + if (!could_be_bitflip(r)) { + + stage_cur_val = -j; + out_buf[i] = orig - j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + out_buf[i] = orig; + + } + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_ARITH8] += stage_max; + + /* 16-bit arithmetics, both endians. */ + + if (len < 2) goto skip_arith; + + stage_name = "arith 16/8"; + stage_short = "arith16"; + stage_cur = 0; + stage_max = 4 * (len - 1) * ARITH_MAX; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len - 1; i++) { + + u16 orig = *(u16*)(out_buf + i); + + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max -= 4 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; + + for (j = 1; j <= ARITH_MAX; j++) { + + u16 r1 = orig ^ (orig + j), + r2 = orig ^ (orig - j), + r3 = orig ^ SWAP16(SWAP16(orig) + j), + r4 = orig ^ SWAP16(SWAP16(orig) - j); + + /* Try little endian addition and subtraction first. Do it only + if the operation would affect more than one byte (hence the + & 0xff overflow checks) and if it couldn't be a product of + a bitflip. */ + + stage_val_type = STAGE_VAL_LE; + + if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { + + stage_cur_val = j; + *(u16*)(out_buf + i) = orig + j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((orig & 0xff) < j && !could_be_bitflip(r2)) { + + stage_cur_val = -j; + *(u16*)(out_buf + i) = orig - j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + /* Big endian comes next. Same deal. */ + + stage_val_type = STAGE_VAL_BE; + + + if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { + + stage_cur_val = j; + *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((orig >> 8) < j && !could_be_bitflip(r4)) { + + stage_cur_val = -j; + *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + *(u16*)(out_buf + i) = orig; + + } + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_ARITH16] += stage_max; + + /* 32-bit arithmetics, both endians. */ + + if (len < 4) goto skip_arith; + + stage_name = "arith 32/8"; + stage_short = "arith32"; + stage_cur = 0; + stage_max = 4 * (len - 3) * ARITH_MAX; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len - 3; i++) { + + u32 orig = *(u32*)(out_buf + i); + + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max -= 4 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; + + for (j = 1; j <= ARITH_MAX; j++) { + + u32 r1 = orig ^ (orig + j), + r2 = orig ^ (orig - j), + r3 = orig ^ SWAP32(SWAP32(orig) + j), + r4 = orig ^ SWAP32(SWAP32(orig) - j); + + /* Little endian first. Same deal as with 16-bit: we only want to + try if the operation would have effect on more than two bytes. */ + + stage_val_type = STAGE_VAL_LE; + + if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { + + stage_cur_val = j; + *(u32*)(out_buf + i) = orig + j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { + + stage_cur_val = -j; + *(u32*)(out_buf + i) = orig - j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + /* Big endian next. */ + + stage_val_type = STAGE_VAL_BE; + + if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { + + stage_cur_val = j; + *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { + + stage_cur_val = -j; + *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + *(u32*)(out_buf + i) = orig; + + } + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_ARITH32] += stage_max; + +skip_arith: + + /********************** + * INTERESTING VALUES * + **********************/ + + stage_name = "interest 8/8"; + stage_short = "int8"; + stage_cur = 0; + stage_max = len * sizeof(interesting_8); + + stage_val_type = STAGE_VAL_LE; + + orig_hit_cnt = new_hit_cnt; + + /* Setting 8-bit integers. */ + + for (i = 0; i < len; i++) { + + u8 orig = out_buf[i]; + + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)]) { + stage_max -= sizeof(interesting_8); + continue; + } + + stage_cur_byte = i; + + for (j = 0; j < sizeof(interesting_8); j++) { + + /* Skip if the value could be a product of bitflips or arithmetics. */ + + if (could_be_bitflip(orig ^ (u8)interesting_8[j]) || + could_be_arith(orig, (u8)interesting_8[j], 1)) { + stage_max--; + continue; + } + + stage_cur_val = interesting_8[j]; + out_buf[i] = interesting_8[j]; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + out_buf[i] = orig; + stage_cur++; + + } + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_INTEREST8] += stage_max; + + /* Setting 16-bit integers, both endians. */ + + if (no_arith || len < 2) goto skip_interest; + + stage_name = "interest 16/8"; + stage_short = "int16"; + stage_cur = 0; + stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1); + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len - 1; i++) { + + u16 orig = *(u16*)(out_buf + i); + + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max -= sizeof(interesting_16); + continue; + } + + stage_cur_byte = i; + + for (j = 0; j < sizeof(interesting_16) / 2; j++) { + + stage_cur_val = interesting_16[j]; + + /* Skip if this could be a product of a bitflip, arithmetics, + or single-byte interesting value insertion. */ + + if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) && + !could_be_arith(orig, (u16)interesting_16[j], 2) && + !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) { + + stage_val_type = STAGE_VAL_LE; + + *(u16*)(out_buf + i) = interesting_16[j]; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && + !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && + !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && + !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) { + + stage_val_type = STAGE_VAL_BE; + + *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + } + + *(u16*)(out_buf + i) = orig; + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_INTEREST16] += stage_max; + + if (len < 4) goto skip_interest; + + /* Setting 32-bit integers, both endians. */ + + stage_name = "interest 32/8"; + stage_short = "int32"; + stage_cur = 0; + stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2); + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len - 3; i++) { + + u32 orig = *(u32*)(out_buf + i); + + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max -= sizeof(interesting_32) >> 1; + continue; + } + + stage_cur_byte = i; + + for (j = 0; j < sizeof(interesting_32) / 4; j++) { + + stage_cur_val = interesting_32[j]; + + /* Skip if this could be a product of a bitflip, arithmetics, + or word interesting value insertion. */ + + if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) && + !could_be_arith(orig, interesting_32[j], 4) && + !could_be_interest(orig, interesting_32[j], 4, 0)) { + + stage_val_type = STAGE_VAL_LE; + + *(u32*)(out_buf + i) = interesting_32[j]; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && + !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && + !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && + !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) { + + stage_val_type = STAGE_VAL_BE; + + *(u32*)(out_buf + i) = SWAP32(interesting_32[j]); + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + } + + *(u32*)(out_buf + i) = orig; + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_INTEREST32] += stage_max; + +skip_interest: + + /******************** + * DICTIONARY STUFF * + ********************/ + + if (!extras_cnt) goto skip_user_extras; + + /* Overwrite with user-supplied extras. */ + + stage_name = "user extras (over)"; + stage_short = "ext_UO"; + stage_cur = 0; + stage_max = extras_cnt * len; + + stage_val_type = STAGE_VAL_NONE; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len; i++) { + + u32 last_len = 0; + + stage_cur_byte = i; + + /* Extras are sorted by size, from smallest to largest. This means + that we don't have to worry about restoring the buffer in + between writes at a particular offset determined by the outer + loop. */ + + for (j = 0; j < extras_cnt; j++) { + + /* Skip extras probabilistically if extras_cnt > MAX_DET_EXTRAS. Also + skip them if there's no room to insert the payload, if the token + is redundant, or if its entire span has no bytes set in the effector + map. */ + + if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || + extras[j].len > len - i || + !memcmp(extras[j].data, out_buf + i, extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) { + + stage_max--; + continue; + + } + + last_len = extras[j].len; + memcpy(out_buf + i, extras[j].data, last_len); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + stage_cur++; + + } + + /* Restore all the clobbered memory. */ + memcpy(out_buf + i, in_buf + i, last_len); + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_EXTRAS_UO] += stage_max; + + /* Insertion of user-supplied extras. */ + + stage_name = "user extras (insert)"; + stage_short = "ext_UI"; + stage_cur = 0; + stage_max = extras_cnt * (len + 1); + + orig_hit_cnt = new_hit_cnt; + + ex_tmp = ck_alloc(len + MAX_DICT_FILE); + + for (i = 0; i <= len; i++) { + + stage_cur_byte = i; + + for (j = 0; j < extras_cnt; j++) { + + if (len + extras[j].len > MAX_FILE) { + stage_max--; + continue; + } + + /* Insert token */ + memcpy(ex_tmp + i, extras[j].data, extras[j].len); + + /* Copy tail */ + memcpy(ex_tmp + i + extras[j].len, out_buf + i, len - i); + + if (common_fuzz_stuff(argv, ex_tmp, len + extras[j].len)) { + ck_free(ex_tmp); + goto abandon_entry; + } + + stage_cur++; + + } + + /* Copy head */ + ex_tmp[i] = out_buf[i]; + + } + + ck_free(ex_tmp); + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_EXTRAS_UI] += stage_max; + +skip_user_extras: + + if (!a_extras_cnt) goto skip_extras; + + stage_name = "auto extras (over)"; + stage_short = "ext_AO"; + stage_cur = 0; + stage_max = MIN(a_extras_cnt, USE_AUTO_EXTRAS) * len; + + stage_val_type = STAGE_VAL_NONE; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len; i++) { + + u32 last_len = 0; + + stage_cur_byte = i; + + for (j = 0; j < MIN(a_extras_cnt, USE_AUTO_EXTRAS); j++) { + + /* See the comment in the earlier code; extras are sorted by size. */ + + if (a_extras[j].len > len - i || + !memcmp(a_extras[j].data, out_buf + i, a_extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, a_extras[j].len))) { + + stage_max--; + continue; + + } + + last_len = a_extras[j].len; + memcpy(out_buf + i, a_extras[j].data, last_len); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + stage_cur++; + + } + + /* Restore all the clobbered memory. */ + memcpy(out_buf + i, in_buf + i, last_len); + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_EXTRAS_AO] += stage_max; + +skip_extras: + + /* If we made this to here without jumping to havoc_stage or abandon_entry, + we're properly done with deterministic steps and can mark it as such + in the .state/ directory. */ + + if (!queue_cur->passed_det) mark_as_det_done(queue_cur); + + /**************** + * RANDOM HAVOC * + ****************/ + +havoc_stage: + + stage_cur_byte = -1; + + /* The havoc stage mutation code is also invoked when splicing files; if the + splice_cycle variable is set, generate different descriptions and such. */ + + if (!splice_cycle) { + + stage_name = "havoc"; + stage_short = "havoc"; + stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) * + perf_score / havoc_div / 100; + + } else { + + static u8 tmp[32]; + + perf_score = orig_perf; + + sprintf(tmp, "splice %u", splice_cycle); + stage_name = tmp; + stage_short = "splice"; + stage_max = SPLICE_HAVOC * perf_score / havoc_div / 100; + + } + + if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; + + temp_len = len; + + orig_hit_cnt = queued_paths + unique_crashes; + + havoc_queued = queued_paths; + + /* We essentially just do several thousand runs (depending on perf_score) + where we take the input file and make random stacked tweaks. */ + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); + + stage_cur_val = use_stacking; + + for (i = 0; i < use_stacking; i++) { + + switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { + + case 0: + + /* Flip a single bit somewhere. Spooky! */ + + FLIP_BIT(out_buf, UR(temp_len << 3)); + break; + + case 1: + + /* Set byte to interesting value. */ + + out_buf[UR(temp_len)] = interesting_8[UR(sizeof(interesting_8))]; + break; + + case 2: + + /* Set word to interesting value, randomly choosing endian. */ + + if (temp_len < 2) break; + + if (UR(2)) { + + *(u16*)(out_buf + UR(temp_len - 1)) = + interesting_16[UR(sizeof(interesting_16) >> 1)]; + + } else { + + *(u16*)(out_buf + UR(temp_len - 1)) = SWAP16( + interesting_16[UR(sizeof(interesting_16) >> 1)]); + + } + + break; + + case 3: + + /* Set dword to interesting value, randomly choosing endian. */ + + if (temp_len < 4) break; + + if (UR(2)) { + + *(u32*)(out_buf + UR(temp_len - 3)) = + interesting_32[UR(sizeof(interesting_32) >> 2)]; + + } else { + + *(u32*)(out_buf + UR(temp_len - 3)) = SWAP32( + interesting_32[UR(sizeof(interesting_32) >> 2)]); + + } + + break; + + case 4: + + /* Randomly subtract from byte. */ + + out_buf[UR(temp_len)] -= 1 + UR(ARITH_MAX); + break; + + case 5: + + /* Randomly add to byte. */ + + out_buf[UR(temp_len)] += 1 + UR(ARITH_MAX); + break; + + case 6: + + /* Randomly subtract from word, random endian. */ + + if (temp_len < 2) break; + + if (UR(2)) { + + u32 pos = UR(temp_len - 1); + + *(u16*)(out_buf + pos) -= 1 + UR(ARITH_MAX); + + } else { + + u32 pos = UR(temp_len - 1); + u16 num = 1 + UR(ARITH_MAX); + + *(u16*)(out_buf + pos) = + SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); + + } + + break; + + case 7: + + /* Randomly add to word, random endian. */ + + if (temp_len < 2) break; + + if (UR(2)) { + + u32 pos = UR(temp_len - 1); + + *(u16*)(out_buf + pos) += 1 + UR(ARITH_MAX); + + } else { + + u32 pos = UR(temp_len - 1); + u16 num = 1 + UR(ARITH_MAX); + + *(u16*)(out_buf + pos) = + SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); + + } + + break; + + case 8: + + /* Randomly subtract from dword, random endian. */ + + if (temp_len < 4) break; + + if (UR(2)) { + + u32 pos = UR(temp_len - 3); + + *(u32*)(out_buf + pos) -= 1 + UR(ARITH_MAX); + + } else { + + u32 pos = UR(temp_len - 3); + u32 num = 1 + UR(ARITH_MAX); + + *(u32*)(out_buf + pos) = + SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); + + } + + break; + + case 9: + + /* Randomly add to dword, random endian. */ + + if (temp_len < 4) break; + + if (UR(2)) { + + u32 pos = UR(temp_len - 3); + + *(u32*)(out_buf + pos) += 1 + UR(ARITH_MAX); + + } else { + + u32 pos = UR(temp_len - 3); + u32 num = 1 + UR(ARITH_MAX); + + *(u32*)(out_buf + pos) = + SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); + + } + + break; + + case 10: + + /* Just set a random byte to a random value. Because, + why not. We use XOR with 1-255 to eliminate the + possibility of a no-op. */ + + out_buf[UR(temp_len)] ^= 1 + UR(255); + break; + + case 11 ... 12: { + + /* Delete bytes. We're making this a bit more likely + than insertion (the next option) in hopes of keeping + files reasonably small. */ + + u32 del_from, del_len; + + if (temp_len < 2) break; + + /* Don't delete too much. */ + + del_len = choose_block_len(temp_len - 1); + + del_from = UR(temp_len - del_len + 1); + + memmove(out_buf + del_from, out_buf + del_from + del_len, + temp_len - del_from - del_len); + + temp_len -= del_len; + + break; + + } + + case 13: + + if (temp_len + HAVOC_BLK_XL < MAX_FILE) { + + /* Clone bytes (75%) or insert a block of constant bytes (25%). */ + + u8 actually_clone = UR(4); + u32 clone_from, clone_to, clone_len; + u8* new_buf; + + if (actually_clone) { + + clone_len = choose_block_len(temp_len); + clone_from = UR(temp_len - clone_len + 1); + + } else { + + clone_len = choose_block_len(HAVOC_BLK_XL); + clone_from = 0; + + } + + clone_to = UR(temp_len); + + new_buf = ck_alloc_nozero(temp_len + clone_len); + + /* Head */ + + memcpy(new_buf, out_buf, clone_to); + + /* Inserted part */ + + if (actually_clone) + memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); + else + memset(new_buf + clone_to, + UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len); + + /* Tail */ + memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, + temp_len - clone_to); + + ck_free(out_buf); + out_buf = new_buf; + temp_len += clone_len; + + } + + break; + + case 14: { + + /* Overwrite bytes with a randomly selected chunk (75%) or fixed + bytes (25%). */ + + u32 copy_from, copy_to, copy_len; + + if (temp_len < 2) break; + + copy_len = choose_block_len(temp_len - 1); + + copy_from = UR(temp_len - copy_len + 1); + copy_to = UR(temp_len - copy_len + 1); + + if (UR(4)) { + + if (copy_from != copy_to) + memmove(out_buf + copy_to, out_buf + copy_from, copy_len); + + } else memset(out_buf + copy_to, + UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); + + break; + + } + + /* Values 15 and 16 can be selected only if there are any extras + present in the dictionaries. */ + + case 15: { + + /* Overwrite bytes with an extra. */ + + if (!extras_cnt || (a_extras_cnt && UR(2))) { + + /* No user-specified extras or odds in our favor. Let's use an + auto-detected one. */ + + u32 use_extra = UR(a_extras_cnt); + u32 extra_len = a_extras[use_extra].len; + u32 insert_at; + + if (extra_len > temp_len) break; + + insert_at = UR(temp_len - extra_len + 1); + memcpy(out_buf + insert_at, a_extras[use_extra].data, extra_len); + + } else { + + /* No auto extras or odds in our favor. Use the dictionary. */ + + u32 use_extra = UR(extras_cnt); + u32 extra_len = extras[use_extra].len; + u32 insert_at; + + if (extra_len > temp_len) break; + + insert_at = UR(temp_len - extra_len + 1); + memcpy(out_buf + insert_at, extras[use_extra].data, extra_len); + + } + + break; + + } + + case 16: { + + u32 use_extra, extra_len, insert_at = UR(temp_len + 1); + u8* new_buf; + + /* Insert an extra. Do the same dice-rolling stuff as for the + previous case. */ + + if (!extras_cnt || (a_extras_cnt && UR(2))) { + + use_extra = UR(a_extras_cnt); + extra_len = a_extras[use_extra].len; + + if (temp_len + extra_len >= MAX_FILE) break; + + new_buf = ck_alloc_nozero(temp_len + extra_len); + + /* Head */ + memcpy(new_buf, out_buf, insert_at); + + /* Inserted part */ + memcpy(new_buf + insert_at, a_extras[use_extra].data, extra_len); + + } else { + + use_extra = UR(extras_cnt); + extra_len = extras[use_extra].len; + + if (temp_len + extra_len >= MAX_FILE) break; + + new_buf = ck_alloc_nozero(temp_len + extra_len); + + /* Head */ + memcpy(new_buf, out_buf, insert_at); + + /* Inserted part */ + memcpy(new_buf + insert_at, extras[use_extra].data, extra_len); + + } + + /* Tail */ + memcpy(new_buf + insert_at + extra_len, out_buf + insert_at, + temp_len - insert_at); + + ck_free(out_buf); + out_buf = new_buf; + temp_len += extra_len; + + break; + + } + + } + + } + + if (common_fuzz_stuff(argv, out_buf, temp_len)) + goto abandon_entry; + + /* out_buf might have been mangled a bit, so let's restore it to its + original size and shape. */ + + if (temp_len < len) out_buf = ck_realloc(out_buf, len); + temp_len = len; + memcpy(out_buf, in_buf, len); + + /* If we're finding new stuff, let's run for a bit longer, limits + permitting. */ + + if (queued_paths != havoc_queued) { + + if (perf_score <= HAVOC_MAX_MULT * 100) { + stage_max *= 2; + perf_score *= 2; + } + + havoc_queued = queued_paths; + + } + + } + + new_hit_cnt = queued_paths + unique_crashes; + + if (!splice_cycle) { + stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_HAVOC] += stage_max; + } else { + stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_SPLICE] += stage_max; + } + +#ifndef IGNORE_FINDS + + /************ + * SPLICING * + ************/ + + /* This is a last-resort strategy triggered by a full round with no findings. + It takes the current input file, randomly selects another input, and + splices them together at some offset, then relies on the havoc + code to mutate that blob. */ + +retry_splicing: + + if (use_splicing && splice_cycle++ < SPLICE_CYCLES && + queued_paths > 1 && queue_cur->len > 1) { + + struct queue_entry* target; + u32 tid, split_at; + u8* new_buf; + s32 f_diff, l_diff; + + /* First of all, if we've modified in_buf for havoc, let's clean that + up... */ + + if (in_buf != orig_in) { + ck_free(in_buf); + in_buf = orig_in; + len = queue_cur->len; + } + + /* Pick a random queue entry and seek to it. Don't splice with yourself. */ + + do { tid = UR(queued_paths); } while (tid == current_entry); + + splicing_with = tid; + target = queue; + + while (tid >= 100) { target = target->next_100; tid -= 100; } + while (tid--) target = target->next; + + /* Make sure that the target has a reasonable length. */ + + while (target && (target->len < 2 || target == queue_cur)) { + target = target->next; + splicing_with++; + } + + if (!target) goto retry_splicing; + + /* Read the testcase into a new buffer. */ + + fd = open(target->fname, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + + new_buf = ck_alloc_nozero(target->len); + + ck_read(fd, new_buf, target->len, target->fname); + + close(fd); + + /* Find a suitable splicing location, somewhere between the first and + the last differing byte. Bail out if the difference is just a single + byte or so. */ + + locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff); + + if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { + ck_free(new_buf); + goto retry_splicing; + } + + /* Split somewhere between the first and last differing byte. */ + + split_at = f_diff + UR(l_diff - f_diff); + + /* Do the thing. */ + + len = target->len; + memcpy(new_buf, in_buf, split_at); + in_buf = new_buf; + + ck_free(out_buf); + out_buf = ck_alloc_nozero(len); + memcpy(out_buf, in_buf, len); + + goto havoc_stage; + + } + +#endif /* !IGNORE_FINDS */ + + ret_val = 0; + +abandon_entry: + + splicing_with = -1; + + /* Update pending_not_fuzzed count if we made it through the calibration + cycle and have not seen this entry before. */ + + if (!stop_soon && !queue_cur->cal_failed && !queue_cur->was_fuzzed) { + queue_cur->was_fuzzed = 1; + pending_not_fuzzed--; + if (queue_cur->favored) pending_favored--; + } + + munmap(orig_in, queue_cur->len); + + if (in_buf != orig_in) ck_free(in_buf); + ck_free(out_buf); + ck_free(eff_map); + + return ret_val; + +#undef FLIP_BIT + +} + + +/* Grab interesting test cases from other fuzzers. */ + +static void sync_fuzzers(char** argv) { + + DIR* sd; + struct dirent* sd_ent; + u32 sync_cnt = 0; + + sd = opendir(sync_dir); + if (!sd) PFATAL("Unable to open '%s'", sync_dir); + + stage_max = stage_cur = 0; + cur_depth = 0; + + /* Look at the entries created for every other fuzzer in the sync directory. */ + + while ((sd_ent = readdir(sd))) { + + static u8 stage_tmp[128]; + + DIR* qd; + struct dirent* qd_ent; + u8 *qd_path, *qd_synced_path; + u32 min_accept = 0, next_min_accept; + + s32 id_fd; + + /* Skip dot files and our own output directory. */ + + if (sd_ent->d_name[0] == '.' || !strcmp(sync_id, sd_ent->d_name)) continue; + + /* Skip anything that doesn't have a queue/ subdirectory. */ + + qd_path = alloc_printf("%s/%s/queue", sync_dir, sd_ent->d_name); + + if (!(qd = opendir(qd_path))) { + ck_free(qd_path); + continue; + } + + /* Retrieve the ID of the last seen test case. */ + + qd_synced_path = alloc_printf("%s/.synced/%s", out_dir, sd_ent->d_name); + + id_fd = open(qd_synced_path, O_RDWR | O_CREAT, 0600); + + if (id_fd < 0) PFATAL("Unable to create '%s'", qd_synced_path); + + if (read(id_fd, &min_accept, sizeof(u32)) > 0) + lseek(id_fd, 0, SEEK_SET); + + next_min_accept = min_accept; + + /* Show stats */ + + sprintf(stage_tmp, "sync %u", ++sync_cnt); + stage_name = stage_tmp; + stage_cur = 0; + stage_max = 0; + + /* For every file queued by this fuzzer, parse ID and see if we have looked at + it before; exec a test case if not. */ + + while ((qd_ent = readdir(qd))) { + + u8* path; + s32 fd; + struct stat st; + + if (qd_ent->d_name[0] == '.' || + sscanf(qd_ent->d_name, CASE_PREFIX "%06u", &syncing_case) != 1 || + syncing_case < min_accept) continue; + + /* OK, sounds like a new one. Let's give it a try. */ + + if (syncing_case >= next_min_accept) + next_min_accept = syncing_case + 1; + + path = alloc_printf("%s/%s", qd_path, qd_ent->d_name); + + /* Allow this to fail in case the other fuzzer is resuming or so... */ + + fd = open(path, O_RDONLY); + + if (fd < 0) { + ck_free(path); + continue; + } + + if (fstat(fd, &st)) PFATAL("fstat() failed"); + + /* Ignore zero-sized or oversized files. */ + + if (st.st_size && st.st_size <= MAX_FILE) { + + u8 fault; + u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + + if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path); + + /* See what happens. We rely on save_if_interesting() to catch major + errors and save the test case. */ + + write_to_testcase(mem, st.st_size); + + fault = run_target(argv, exec_tmout); + + if (stop_soon) return; + + syncing_party = sd_ent->d_name; + queued_imported += save_if_interesting(argv, mem, st.st_size, fault); + syncing_party = 0; + + munmap(mem, st.st_size); + + if (!(stage_cur++ % stats_update_freq)) show_stats(); + + } + + ck_free(path); + close(fd); + + } + + ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path); + + close(id_fd); + closedir(qd); + ck_free(qd_path); + ck_free(qd_synced_path); + + } + + closedir(sd); + +} + + +/* Handle stop signal (Ctrl-C, etc). */ + +static void handle_stop_sig(int sig) { + + stop_soon = 1; + + if (child_pid > 0) kill(child_pid, SIGKILL); + if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); + +} + + +/* Handle skip request (SIGUSR1). */ + +static void handle_skipreq(int sig) { + + skip_requested = 1; + +} + +/* Handle timeout (SIGALRM). */ + +static void handle_timeout(int sig) { + + if (child_pid > 0) { + + child_timed_out = 1; + kill(child_pid, SIGKILL); + + } else if (child_pid == -1 && forksrv_pid > 0) { + + child_timed_out = 1; + kill(forksrv_pid, SIGKILL); + + } + +} + + +/* Do a PATH search and find target binary to see that it exists and + isn't a shell script - a common and painful mistake. We also check for + a valid ELF header and for evidence of AFL instrumentation. */ + +EXP_ST void check_binary(u8* fname) { + + u8* env_path = 0; + struct stat st; + + s32 fd; + u8* f_data; + u32 f_len = 0; + + ACTF("Validating target binary..."); + + if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { + + target_path = ck_strdup(fname); + if (stat(target_path, &st) || !S_ISREG(st.st_mode) || + !(st.st_mode & 0111) || (f_len = st.st_size) < 4) + FATAL("Program '%s' not found or not executable", fname); + + } else { + + while (env_path) { + + u8 *cur_elem, *delim = strchr(env_path, ':'); + + if (delim) { + + cur_elem = ck_alloc(delim - env_path + 1); + memcpy(cur_elem, env_path, delim - env_path); + delim++; + + } else cur_elem = ck_strdup(env_path); + + env_path = delim; + + if (cur_elem[0]) + target_path = alloc_printf("%s/%s", cur_elem, fname); + else + target_path = ck_strdup(fname); + + ck_free(cur_elem); + + if (!stat(target_path, &st) && S_ISREG(st.st_mode) && + (st.st_mode & 0111) && (f_len = st.st_size) >= 4) break; + + ck_free(target_path); + target_path = 0; + + } + + if (!target_path) FATAL("Program '%s' not found or not executable", fname); + + } + + if (getenv("AFL_SKIP_BIN_CHECK")) return; + + /* Check for blatant user errors. */ + + if ((!strncmp(target_path, "/tmp/", 5) && !strchr(target_path + 5, '/')) || + (!strncmp(target_path, "/var/tmp/", 9) && !strchr(target_path + 9, '/'))) + FATAL("Please don't keep binaries in /tmp or /var/tmp"); + + fd = open(target_path, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", target_path); + + f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); + + if (f_data == MAP_FAILED) PFATAL("Unable to mmap file '%s'", target_path); + + close(fd); + + if (f_data[0] == '#' && f_data[1] == '!') { + + SAYF("\n" cLRD "[-] " cRST + "Oops, the target binary looks like a shell script. Some build systems will\n" + " sometimes generate shell stubs for dynamically linked programs; try static\n" + " library mode (./configure --disable-shared) if that's the case.\n\n" + + " Another possible cause is that you are actually trying to use a shell\n" + " wrapper around the fuzzed component. Invoking shell can slow down the\n" + " fuzzing process by a factor of 20x or more; it's best to write the wrapper\n" + " in a compiled language instead.\n"); + + FATAL("Program '%s' is a shell script", target_path); + + } + +#ifndef __APPLE__ + + if (f_data[0] != 0x7f || memcmp(f_data + 1, "ELF", 3)) + FATAL("Program '%s' is not an ELF binary", target_path); + +#else + + if (f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) + FATAL("Program '%s' is not a 64-bit Mach-O binary", target_path); + +#endif /* ^!__APPLE__ */ + + if (!qemu_mode && !dumb_mode && + !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { + + SAYF("\n" cLRD "[-] " cRST + "Looks like the target binary is not instrumented! The fuzzer depends on\n" + " compile-time instrumentation to isolate interesting test cases while\n" + " mutating the input data. For more information, and for tips on how to\n" + " instrument binaries, please see %s/README.\n\n" + + " When source code is not available, you may be able to leverage QEMU\n" + " mode support. Consult the README for tips on how to enable this.\n" + + " (It is also possible to use afl-fuzz as a traditional, \"dumb\" fuzzer.\n" + " For that, you can use the -n option - but expect much worse results.)\n", + doc_path); + + FATAL("No instrumentation detected"); + + } + + if (qemu_mode && + memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { + + SAYF("\n" cLRD "[-] " cRST + "This program appears to be instrumented with afl-gcc, but is being run in\n" + " QEMU mode (-Q). This is probably not what you want - this setup will be\n" + " slow and offer no practical benefits.\n"); + + FATAL("Instrumentation found in -Q mode"); + + } + + if (memmem(f_data, f_len, "libasan.so", 10) || + memmem(f_data, f_len, "__msan_init", 11)) uses_asan = 1; + + /* Detect persistent & deferred init signatures in the binary. */ + + if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { + + OKF(cPIN "Persistent mode binary detected."); + setenv(PERSIST_ENV_VAR, "1", 1); + persistent_mode = 1; + + } else if (getenv("AFL_PERSISTENT")) { + + WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); + + } + + if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { + + OKF(cPIN "Deferred forkserver binary detected."); + setenv(DEFER_ENV_VAR, "1", 1); + deferred_mode = 1; + + } else if (getenv("AFL_DEFER_FORKSRV")) { + + WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); + + } + + if (munmap(f_data, f_len)) PFATAL("unmap() failed"); + +} + + +/* Trim and possibly create a banner for the run. */ + +static void fix_up_banner(u8* name) { + + if (!use_banner) { + + if (sync_id) { + + use_banner = sync_id; + + } else { + + u8* trim = strrchr(name, '/'); + if (!trim) use_banner = name; else use_banner = trim + 1; + + } + + } + + if (strlen(use_banner) > 40) { + + u8* tmp = ck_alloc(44); + sprintf(tmp, "%.40s...", use_banner); + use_banner = tmp; + + } + +} + + +/* Check if we're on TTY. */ + +static void check_if_tty(void) { + + struct winsize ws; + + if (getenv("AFL_NO_UI")) { + OKF("Disabling the UI because AFL_NO_UI is set."); + not_on_tty = 1; + return; + } + + if (ioctl(1, TIOCGWINSZ, &ws)) { + + if (errno == ENOTTY) { + OKF("Looks like we're not running on a tty, so I'll be a bit less verbose."); + not_on_tty = 1; + } + + return; + } + +} + + +/* Check terminal dimensions after resize. */ + +static void check_term_size(void) { + + struct winsize ws; + + term_too_small = 0; + + if (ioctl(1, TIOCGWINSZ, &ws)) return; + + if (ws.ws_row == 0 && ws.ws_col == 0) return; + if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1; + +} + + + +/* Display usage hints. */ + +static void usage(u8* argv0) { + + SAYF("\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n" + + "Required parameters:\n\n" + + " -i dir - input directory with test cases\n" + " -o dir - output directory for fuzzer findings\n\n" + + "Execution control settings:\n\n" + + " -f file - location read by the fuzzed program (stdin)\n" + " -t msec - timeout for each run (auto-scaled, 50-%u ms)\n" + " -m megs - memory limit for child process (%u MB)\n" + " -Q - use binary-only instrumentation (QEMU mode)\n\n" + + "Fuzzing behavior settings:\n\n" + + " -d - quick & dirty mode (skips deterministic steps)\n" + " -n - fuzz without instrumentation (dumb mode)\n" + " -x dir - optional fuzzer dictionary (see README)\n\n" + + "Other stuff:\n\n" + + " -T text - text banner to show on the screen\n" + " -M / -S id - distributed mode (see parallel_fuzzing.txt)\n" + " -C - crash exploration mode (the peruvian rabbit thing)\n" + " -V - show version number and exit\n\n" + " -b cpu_id - bind the fuzzing process to the specified CPU core\n\n" + + "For additional tips, please consult %s/README.\n\n", + + argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); + + exit(1); + +} + + +/* Prepare output directories and fds. */ + +EXP_ST void setup_dirs_fds(void) { + + u8* tmp; + s32 fd; + + ACTF("Setting up output directories..."); + + if (sync_id && mkdir(sync_dir, 0700) && errno != EEXIST) + PFATAL("Unable to create '%s'", sync_dir); + + if (mkdir(out_dir, 0700)) { + + if (errno != EEXIST) PFATAL("Unable to create '%s'", out_dir); + + maybe_delete_out_dir(); + + } else { + + if (in_place_resume) + FATAL("Resume attempted but old output directory not found"); + + out_dir_fd = open(out_dir, O_RDONLY); + +#ifndef __sun + + if (out_dir_fd < 0 || flock(out_dir_fd, LOCK_EX | LOCK_NB)) + PFATAL("Unable to flock() output directory."); + +#endif /* !__sun */ + + } + + /* Queue directory for any starting & discovered paths. */ + + tmp = alloc_printf("%s/queue", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + /* Top-level directory for queue metadata used for session + resume and related tasks. */ + + tmp = alloc_printf("%s/queue/.state/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + /* Directory for flagging queue entries that went through + deterministic fuzzing in the past. */ + + tmp = alloc_printf("%s/queue/.state/deterministic_done/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + /* Directory with the auto-selected dictionary entries. */ + + tmp = alloc_printf("%s/queue/.state/auto_extras/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + /* The set of paths currently deemed redundant. */ + + tmp = alloc_printf("%s/queue/.state/redundant_edges/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + /* The set of paths showing variable behavior. */ + + tmp = alloc_printf("%s/queue/.state/variable_behavior/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + /* Sync directory for keeping track of cooperating fuzzers. */ + + if (sync_id) { + + tmp = alloc_printf("%s/.synced/", out_dir); + + if (mkdir(tmp, 0700) && (!in_place_resume || errno != EEXIST)) + PFATAL("Unable to create '%s'", tmp); + + ck_free(tmp); + + } + + /* All recorded crashes. */ + + tmp = alloc_printf("%s/crashes", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + /* All recorded hangs. */ + + tmp = alloc_printf("%s/hangs", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + /* Generally useful file descriptors. */ + + dev_null_fd = open("/dev/null", O_RDWR); + if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); + + dev_urandom_fd = open("/dev/urandom", O_RDONLY); + if (dev_urandom_fd < 0) PFATAL("Unable to open /dev/urandom"); + + /* Gnuplot output file. */ + + tmp = alloc_printf("%s/plot_data", out_dir); + fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + plot_file = fdopen(fd, "w"); + if (!plot_file) PFATAL("fdopen() failed"); + + fprintf(plot_file, "# unix_time, cycles_done, cur_path, paths_total, " + "pending_total, pending_favs, map_size, unique_crashes, " + "unique_hangs, max_depth, execs_per_sec\n"); + /* ignore errors */ + +} + + +/* Setup the output file for fuzzed data, if not using -f. */ + +EXP_ST void setup_stdio_file(void) { + + u8* fn = alloc_printf("%s/.cur_input", out_dir); + + unlink(fn); /* Ignore errors */ + + out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); + + if (out_fd < 0) PFATAL("Unable to create '%s'", fn); + + ck_free(fn); + +} + + +/* Make sure that core dumps don't go to a program. */ + +static void check_crash_handling(void) { + +#ifdef __APPLE__ + + /* Yuck! There appears to be no simple C API to query for the state of + loaded daemons on MacOS X, and I'm a bit hesitant to do something + more sophisticated, such as disabling crash reporting via Mach ports, + until I get a box to test the code. So, for now, we check for crash + reporting the awful way. */ + + if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; + + SAYF("\n" cLRD "[-] " cRST + "Whoops, your system is configured to forward crash notifications to an\n" + " external crash reporting utility. This will cause issues due to the\n" + " extended delay between the fuzzed binary malfunctioning and this fact\n" + " being relayed to the fuzzer via the standard waitpid() API.\n\n" + " To avoid having crashes misinterpreted as timeouts, please run the\n" + " following commands:\n\n" + + " SL=/System/Library; PL=com.apple.ReportCrash\n" + " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" + " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); + + if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) + FATAL("Crash reporter detected"); + +#else + + /* This is Linux specific, but I don't think there's anything equivalent on + *BSD, so we can just let it slide for now. */ + + s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY); + u8 fchar; + + if (fd < 0) return; + + ACTF("Checking core_pattern..."); + + if (read(fd, &fchar, 1) == 1 && fchar == '|') { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, your system is configured to send core dump notifications to an\n" + " external utility. This will cause issues: there will be an extended delay\n" + " between stumbling upon a crash and having this information relayed to the\n" + " fuzzer via the standard waitpid() API.\n\n" + + " To avoid having crashes misinterpreted as timeouts, please log in as root\n" + " and temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n" + + " echo core >/proc/sys/kernel/core_pattern\n"); + + if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) + FATAL("Pipe at the beginning of 'core_pattern'"); + + } + + close(fd); + +#endif /* ^__APPLE__ */ + +} + + +/* Check CPU governor. */ + +static void check_cpu_governor(void) { + + FILE* f; + u8 tmp[128]; + u64 min = 0, max = 0; + + if (getenv("AFL_SKIP_CPUFREQ")) return; + + f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r"); + if (!f) return; + + ACTF("Checking CPU scaling governor..."); + + if (!fgets(tmp, 128, f)) PFATAL("fgets() failed"); + + fclose(f); + + if (!strncmp(tmp, "perf", 4)) return; + + f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", "r"); + + if (f) { + if (fscanf(f, "%llu", &min) != 1) min = 0; + fclose(f); + } + + f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", "r"); + + if (f) { + if (fscanf(f, "%llu", &max) != 1) max = 0; + fclose(f); + } + + if (min == max) return; + + SAYF("\n" cLRD "[-] " cRST + "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" + " between %llu and %llu MHz. Unfortunately, the scaling algorithm in the\n" + " kernel is imperfect and can miss the short-lived processes spawned by\n" + " afl-fuzz. To keep things moving, run these commands as root:\n\n" + + " cd /sys/devices/system/cpu\n" + " echo performance | tee cpu*/cpufreq/scaling_governor\n\n" + + " You can later go back to the original state by replacing 'performance' with\n" + " 'ondemand'. If you don't want to change the settings, set AFL_SKIP_CPUFREQ\n" + " to make afl-fuzz skip this check - but expect some performance drop.\n", + min / 1024, max / 1024); + + FATAL("Suboptimal CPU scaling governor"); + +} + + +/* Count the number of logical CPU cores. */ + +static void get_core_count(void) { + + u32 cur_runnable = 0; + +#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) + + size_t s = sizeof(cpu_core_count); + + /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ + +#ifdef __APPLE__ + + if (sysctlbyname("hw.logicalcpu", &cpu_core_count, &s, NULL, 0) < 0) + return; + +#else + + int s_name[2] = { CTL_HW, HW_NCPU }; + + if (sysctl(s_name, 2, &cpu_core_count, &s, NULL, 0) < 0) return; + +#endif /* ^__APPLE__ */ + +#else + +#ifdef HAVE_AFFINITY + + cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); + +#else + + FILE* f = fopen("/proc/stat", "r"); + u8 tmp[1024]; + + if (!f) return; + + while (fgets(tmp, sizeof(tmp), f)) + if (!strncmp(tmp, "cpu", 3) && isdigit(tmp[3])) cpu_core_count++; + + fclose(f); + +#endif /* ^HAVE_AFFINITY */ + +#endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ + + if (cpu_core_count > 0) { + + cur_runnable = (u32)get_runnable_processes(); + +#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) + + /* Add ourselves, since the 1-minute average doesn't include that yet. */ + + cur_runnable++; + +#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ + + OKF("You have %u CPU core%s and %u runnable tasks (utilization: %0.0f%%).", + cpu_core_count, cpu_core_count > 1 ? "s" : "", + cur_runnable, cur_runnable * 100.0 / cpu_core_count); + + if (cpu_core_count > 1) { + + if (cur_runnable > cpu_core_count * 1.5) { + + WARNF("System under apparent load, performance may be spotty."); + + } else if (cur_runnable + 1 <= cpu_core_count) { + + OKF("Try parallel jobs - see %s/parallel_fuzzing.txt.", doc_path); + + } + + } + + } else { + + cpu_core_count = 0; + WARNF("Unable to figure out the number of CPU cores."); + + } + +} + + +/* Validate and fix up out_dir and sync_dir when using -S. */ + +static void fix_up_sync(void) { + + u8* x = sync_id; + + if (dumb_mode) + FATAL("-S / -M and -n are mutually exclusive"); + + if (skip_deterministic) { + + if (force_deterministic) + FATAL("use -S instead of -M -d"); + else + FATAL("-S already implies -d"); + + } + + while (*x) { + + if (!isalnum(*x) && *x != '_' && *x != '-') + FATAL("Non-alphanumeric fuzzer ID specified via -S or -M"); + + x++; + + } + + if (strlen(sync_id) > 32) FATAL("Fuzzer ID too long"); + + x = alloc_printf("%s/%s", out_dir, sync_id); + + sync_dir = out_dir; + out_dir = x; + + if (!force_deterministic) { + skip_deterministic = 1; + use_splicing = 1; + } + +} + + +/* Handle screen resize (SIGWINCH). */ + +static void handle_resize(int sig) { + clear_screen = 1; +} + + +/* Check ASAN options. */ + +static void check_asan_opts(void) { + u8* x = getenv("ASAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "abort_on_error=1")) + FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); + + if (!strstr(x, "symbolize=0")) + FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); + + } + + x = getenv("MSAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) + FATAL("Custom MSAN_OPTIONS set without exit_code=" + STRINGIFY(MSAN_ERROR) " - please fix!"); + + if (!strstr(x, "symbolize=0")) + FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); + + } + +} + + +/* Detect @@ in args. */ + +EXP_ST void detect_file_args(char** argv) { + + u32 i = 0; + u8* cwd = getcwd(NULL, 0); + + if (!cwd) PFATAL("getcwd() failed"); + + while (argv[i]) { + + u8* aa_loc = strstr(argv[i], "@@"); + + if (aa_loc) { + + u8 *aa_subst, *n_arg; + + /* If we don't have a file name chosen yet, use a safe default. */ + + if (!out_file) + out_file = alloc_printf("%s/.cur_input", out_dir); + + /* Be sure that we're always using fully-qualified paths. */ + + if (out_file[0] == '/') aa_subst = out_file; + else aa_subst = alloc_printf("%s/%s", cwd, out_file); + + /* Construct a replacement argv value. */ + + *aa_loc = 0; + n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); + argv[i] = n_arg; + *aa_loc = '@'; + + if (out_file[0] != '/') ck_free(aa_subst); + + } + + i++; + + } + + free(cwd); /* not tracked */ + +} + + +/* Set up signal handlers. More complicated that needs to be, because libc on + Solaris doesn't resume interrupted reads(), sets SA_RESETHAND when you call + siginterrupt(), and does other unnecessary things. */ + +EXP_ST void setup_signal_handlers(void) { + + struct sigaction sa; + + sa.sa_handler = NULL; + sa.sa_flags = SA_RESTART; + sa.sa_sigaction = NULL; + + sigemptyset(&sa.sa_mask); + + /* Various ways of saying "stop". */ + + sa.sa_handler = handle_stop_sig; + sigaction(SIGHUP, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + sigaction(SIGTERM, &sa, NULL); + + /* Exec timeout notifications. */ + + sa.sa_handler = handle_timeout; + sigaction(SIGALRM, &sa, NULL); + + /* Window resize */ + + sa.sa_handler = handle_resize; + sigaction(SIGWINCH, &sa, NULL); + + /* SIGUSR1: skip entry */ + + sa.sa_handler = handle_skipreq; + sigaction(SIGUSR1, &sa, NULL); + + /* Things we don't care about. */ + + sa.sa_handler = SIG_IGN; + sigaction(SIGTSTP, &sa, NULL); + sigaction(SIGPIPE, &sa, NULL); + +} + + +/* Rewrite argv for QEMU. */ + +static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { + + char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); + u8 *tmp, *cp, *rsl, *own_copy; + + /* Workaround for a QEMU stability glitch. */ + + setenv("QEMU_LOG", "nochain", 1); + + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); + + new_argv[2] = target_path; + new_argv[1] = "--"; + + /* Now we need to actually find the QEMU binary to put in argv[0]. */ + + tmp = getenv("AFL_PATH"); + + if (tmp) { + + cp = alloc_printf("%s/afl-qemu-trace", tmp); + + if (access(cp, X_OK)) + FATAL("Unable to find '%s'", tmp); + + target_path = new_argv[0] = cp; + return new_argv; + + } + + own_copy = ck_strdup(own_loc); + rsl = strrchr(own_copy, '/'); + + if (rsl) { + + *rsl = 0; + + cp = alloc_printf("%s/afl-qemu-trace", own_copy); + ck_free(own_copy); + + if (!access(cp, X_OK)) { + + target_path = new_argv[0] = cp; + return new_argv; + + } + + } else ck_free(own_copy); + + if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { + + target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace"); + return new_argv; + + } + + SAYF("\n" cLRD "[-] " cRST + "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be built\n" + " separately by following the instructions in qemu_mode/README.qemu. If you\n" + " already have the binary installed, you may need to specify AFL_PATH in the\n" + " environment.\n\n" + + " Of course, even without QEMU, afl-fuzz can still work with binaries that are\n" + " instrumented at compile time with afl-gcc. It is also possible to use it as a\n" + " traditional \"dumb\" fuzzer by specifying '-n' in the command line.\n"); + + FATAL("Failed to locate 'afl-qemu-trace'."); + +} + + +/* Make a copy of the current command line. */ + +static void save_cmdline(u32 argc, char** argv) { + + u32 len = 1, i; + u8* buf; + + for (i = 0; i < argc; i++) + len += strlen(argv[i]) + 1; + + buf = orig_cmdline = ck_alloc(len); + + for (i = 0; i < argc; i++) { + + u32 l = strlen(argv[i]); + + memcpy(buf, argv[i], l); + buf += l; + + if (i != argc - 1) *(buf++) = ' '; + + } + + *buf = 0; + +} + + +#ifndef AFL_LIB + +/* Main entry point */ + +int main(int argc, char** argv) { + + s32 opt; + u64 prev_queued = 0; + u32 sync_interval_cnt = 0, seek_to; + u8 *extras_dir = 0; + u8 mem_limit_given = 0; + u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE"); + char** use_argv; + + struct timeval tv; + struct timezone tz; + + SAYF(cCYA "afl-fuzz " cBRI VERSION cRST " by \n"); + + doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; + + gettimeofday(&tv, &tz); + srandom(tv.tv_sec ^ tv.tv_usec ^ getpid()); + + while ((opt = getopt(argc, argv, "+i:o:f:m:b:t:T:dnCB:S:M:x:QV")) > 0) + + switch (opt) { + + case 'i': /* input dir */ + + if (in_dir) FATAL("Multiple -i options not supported"); + in_dir = optarg; + + if (!strcmp(in_dir, "-")) in_place_resume = 1; + + break; + + case 'o': /* output dir */ + + if (out_dir) FATAL("Multiple -o options not supported"); + out_dir = optarg; + break; + + case 'M': { /* master sync ID */ + + u8* c; + + if (sync_id) FATAL("Multiple -S or -M options not supported"); + sync_id = ck_strdup(optarg); + + if ((c = strchr(sync_id, ':'))) { + + *c = 0; + + if (sscanf(c + 1, "%u/%u", &master_id, &master_max) != 2 || + !master_id || !master_max || master_id > master_max || + master_max > 1000000) FATAL("Bogus master ID passed to -M"); + + } + + force_deterministic = 1; + + } + + break; + + case 'S': + + if (sync_id) FATAL("Multiple -S or -M options not supported"); + sync_id = ck_strdup(optarg); + break; + + case 'f': /* target file */ + + if (out_file) FATAL("Multiple -f options not supported"); + out_file = optarg; + break; + + case 'x': /* dictionary */ + + if (extras_dir) FATAL("Multiple -x options not supported"); + extras_dir = optarg; + break; + + case 't': { /* timeout */ + + u8 suffix = 0; + + if (timeout_given) FATAL("Multiple -t options not supported"); + + if (sscanf(optarg, "%u%c", &exec_tmout, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -t"); + + if (exec_tmout < 5) FATAL("Dangerously low value of -t"); + + if (suffix == '+') timeout_given = 2; else timeout_given = 1; + + break; + + } + + case 'm': { /* mem limit */ + + u8 suffix = 'M'; + + if (mem_limit_given) FATAL("Multiple -m options not supported"); + mem_limit_given = 1; + + if (!strcmp(optarg, "none")) { + + mem_limit = 0; + break; + + } + + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -m"); + + switch (suffix) { + + case 'T': mem_limit *= 1024 * 1024; break; + case 'G': mem_limit *= 1024; break; + case 'k': mem_limit /= 1024; break; + case 'M': break; + + default: FATAL("Unsupported suffix or bad syntax for -m"); + + } + + if (mem_limit < 5) FATAL("Dangerously low value of -m"); + + if (sizeof(rlim_t) == 4 && mem_limit > 2000) + FATAL("Value of -m out of range on 32-bit systems"); + + } + + break; + + case 'b': { /* bind CPU core */ + + if (cpu_to_bind_given) FATAL("Multiple -b options not supported"); + cpu_to_bind_given = 1; + + if (sscanf(optarg, "%u", &cpu_to_bind) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -b"); + + break; + + } + + case 'd': /* skip deterministic */ + + if (skip_deterministic) FATAL("Multiple -d options not supported"); + skip_deterministic = 1; + use_splicing = 1; + break; + + case 'B': /* load bitmap */ + + /* This is a secret undocumented option! It is useful if you find + an interesting test case during a normal fuzzing process, and want + to mutate it without rediscovering any of the test cases already + found during an earlier run. + + To use this mode, you need to point -B to the fuzz_bitmap produced + by an earlier run for the exact same binary... and that's it. + + I only used this once or twice to get variants of a particular + file, so I'm not making this an official setting. */ + + if (in_bitmap) FATAL("Multiple -B options not supported"); + + in_bitmap = optarg; + read_bitmap(in_bitmap); + break; + + case 'C': /* crash mode */ + + if (crash_mode) FATAL("Multiple -C options not supported"); + crash_mode = FAULT_CRASH; + break; + + case 'n': /* dumb mode */ + + if (dumb_mode) FATAL("Multiple -n options not supported"); + if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2; else dumb_mode = 1; + + break; + + case 'T': /* banner */ + + if (use_banner) FATAL("Multiple -T options not supported"); + use_banner = optarg; + break; + + case 'Q': /* QEMU mode */ + + if (qemu_mode) FATAL("Multiple -Q options not supported"); + qemu_mode = 1; + + if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; + + break; + + case 'V': /* Show version number */ + + /* Version number has been printed already, just quit. */ + exit(0); + + default: + + usage(argv[0]); + + } + + if (optind == argc || !in_dir || !out_dir) usage(argv[0]); + + setup_signal_handlers(); + check_asan_opts(); + + if (sync_id) fix_up_sync(); + + if (!strcmp(in_dir, out_dir)) + FATAL("Input and output directories can't be the same"); + + if (dumb_mode) { + + if (crash_mode) FATAL("-C and -n are mutually exclusive"); + if (qemu_mode) FATAL("-Q and -n are mutually exclusive"); + + } + + if (getenv("AFL_NO_FORKSRV")) no_forkserver = 1; + if (getenv("AFL_NO_CPU_RED")) no_cpu_meter_red = 1; + if (getenv("AFL_NO_ARITH")) no_arith = 1; + if (getenv("AFL_SHUFFLE_QUEUE")) shuffle_queue = 1; + if (getenv("AFL_FAST_CAL")) fast_cal = 1; + + if (getenv("AFL_HANG_TMOUT")) { + hang_tmout = atoi(getenv("AFL_HANG_TMOUT")); + if (!hang_tmout) FATAL("Invalid value of AFL_HANG_TMOUT"); + } + + if (dumb_mode == 2 && no_forkserver) + FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); + + if (getenv("AFL_PRELOAD")) { + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); + setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); + } + + if (getenv("AFL_LD_PRELOAD")) + FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD"); + + save_cmdline(argc, argv); + + fix_up_banner(argv[optind]); + + check_if_tty(); + + get_core_count(); + +#ifdef HAVE_AFFINITY + bind_to_free_cpu(); +#endif /* HAVE_AFFINITY */ + + check_crash_handling(); + check_cpu_governor(); + + setup_post(); + setup_shm(); + init_count_class16(); + + setup_dirs_fds(); + read_testcases(); + load_auto(); + + pivot_inputs(); + + if (extras_dir) load_extras(extras_dir); + + if (!timeout_given) find_timeout(); + + detect_file_args(argv + optind + 1); + + if (!out_file) setup_stdio_file(); + + check_binary(argv[optind]); + + start_time = get_cur_time(); + + if (qemu_mode) + use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); + else + use_argv = argv + optind; + + perform_dry_run(use_argv); + + cull_queue(); + + show_init_stats(); + + seek_to = find_start_position(); + + write_stats_file(0, 0, 0); + save_auto(); + + if (stop_soon) goto stop_fuzzing; + + /* Woop woop woop */ + + if (!not_on_tty) { + sleep(4); + start_time += 4000; + if (stop_soon) goto stop_fuzzing; + } + + while (1) { + + u8 skipped_fuzz; + + cull_queue(); + + if (!queue_cur) { + + queue_cycle++; + current_entry = 0; + cur_skipped_paths = 0; + queue_cur = queue; + + while (seek_to) { + current_entry++; + seek_to--; + queue_cur = queue_cur->next; + } + + show_stats(); + + if (not_on_tty) { + ACTF("Entering queue cycle %llu.", queue_cycle); + fflush(stdout); + } + + /* If we had a full queue cycle with no new finds, try + recombination strategies next. */ + + if (queued_paths == prev_queued) { + + if (use_splicing) cycles_wo_finds++; else use_splicing = 1; + + } else cycles_wo_finds = 0; + + prev_queued = queued_paths; + + if (sync_id && queue_cycle == 1 && getenv("AFL_IMPORT_FIRST")) + sync_fuzzers(use_argv); + + } + + skipped_fuzz = fuzz_one(use_argv); + + if (!stop_soon && sync_id && !skipped_fuzz) { + + if (!(sync_interval_cnt++ % SYNC_INTERVAL)) + sync_fuzzers(use_argv); + + } + + if (!stop_soon && exit_1) stop_soon = 2; + + if (stop_soon) break; + + queue_cur = queue_cur->next; + current_entry++; + + } + + if (queue_cur) show_stats(); + + /* If we stopped programmatically, we kill the forkserver and the current runner. + If we stopped manually, this is done by the signal handler. */ + if (stop_soon == 2) { + if (child_pid > 0) kill(child_pid, SIGKILL); + if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); + } + /* Now that we've killed the forkserver, we wait for it to be able to get rusage stats. */ + if (waitpid(forksrv_pid, NULL, 0) <= 0) { + WARNF("error waitpid\n"); + } + + write_bitmap(); + write_stats_file(0, 0, 0); + save_auto(); + +stop_fuzzing: + + SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, + stop_soon == 2 ? "programmatically" : "by user"); + + /* Running for more than 30 minutes but still doing first cycle? */ + + if (queue_cycle == 1 && get_cur_time() - start_time > 30 * 60 * 1000) { + + SAYF("\n" cYEL "[!] " cRST + "Stopped during the first cycle, results may be incomplete.\n" + " (For info on resuming, see %s/README.)\n", doc_path); + + } + + fclose(plot_file); + destroy_queue(); + destroy_extras(); + ck_free(target_path); + ck_free(sync_id); + + alloc_report(); + + OKF("We're done here. Have a nice day!\n"); + + exit(0); + +} + +#endif /* !AFL_LIB */ diff --git a/afl-gcc.c b/afl-gcc.c index 474253c..f0e4d85 100644 --- a/afl-gcc.c +++ b/afl-gcc.c @@ -1,346 +1,346 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - wrapper for GCC and clang - ---------------------------------------------- - - Written and maintained by Michal Zalewski - - This program is a drop-in replacement for GCC or clang. The most common way - of using it is to pass the path to afl-gcc or afl-clang via CC when invoking - ./configure. - - (Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.) - - The wrapper needs to know the path to afl-as (renamed to 'as'). The default - is /usr/local/lib/afl/. A convenient way to specify alternative directories - would be to set AFL_PATH. - - If AFL_HARDEN is set, the wrapper will compile the target app with various - hardening options that may help detect memory management issues more - reliably. You can also specify AFL_USE_ASAN to enable ASAN. - - If you want to call a non-default compiler as a next step of the chain, - specify its location via AFL_CC or AFL_CXX. - -*/ - -#define AFL_MAIN - -#include "config.h" -#include "types.h" -#include "debug.h" -#include "alloc-inl.h" - -#include -#include -#include -#include - -static u8* as_path; /* Path to the AFL 'as' wrapper */ -static u8** cc_params; /* Parameters passed to the real CC */ -static u32 cc_par_cnt = 1; /* Param count, including argv0 */ -static u8 be_quiet, /* Quiet mode */ - clang_mode; /* Invoked as afl-clang*? */ - - -/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived - from argv[0]. If that fails, abort. */ - -static void find_as(u8* argv0) { - - u8 *afl_path = getenv("AFL_PATH"); - u8 *slash, *tmp; - - if (afl_path) { - - tmp = alloc_printf("%s/as", afl_path); - - if (!access(tmp, X_OK)) { - as_path = afl_path; - ck_free(tmp); - return; - } - - ck_free(tmp); - - } - - slash = strrchr(argv0, '/'); - - if (slash) { - - u8 *dir; - - *slash = 0; - dir = ck_strdup(argv0); - *slash = '/'; - - tmp = alloc_printf("%s/afl-as", dir); - - if (!access(tmp, X_OK)) { - as_path = dir; - ck_free(tmp); - return; - } - - ck_free(tmp); - ck_free(dir); - - } - - if (!access(AFL_PATH "/as", X_OK)) { - as_path = AFL_PATH; - return; - } - - FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH"); - -} - - -/* Copy argv to cc_params, making the necessary edits. */ - -static void edit_params(u32 argc, char** argv) { - - u8 fortify_set = 0, asan_set = 0; - u8 *name; - -#if defined(__FreeBSD__) && defined(__x86_64__) - u8 m32_set = 0; -#endif - - cc_params = ck_alloc((argc + 128) * sizeof(u8*)); - - name = strrchr(argv[0], '/'); - if (!name) name = argv[0]; else name++; - - if (!strncmp(name, "afl-clang", 9)) { - - clang_mode = 1; - - setenv(CLANG_ENV_VAR, "1", 1); - - if (!strcmp(name, "afl-clang++")) { - u8* alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++"; - } else { - u8* alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"clang"; - } - - } else { - - /* With GCJ and Eclipse installed, you can actually compile Java! The - instrumentation will work (amazingly). Alas, unhandled exceptions do - not call abort(), so afl-fuzz would need to be modified to equate - non-zero exit codes with crash conditions when working with Java - binaries. Meh. */ - -#ifdef __APPLE__ - - if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX"); - else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ"); - else cc_params[0] = getenv("AFL_CC"); - - if (!cc_params[0]) { - - SAYF("\n" cLRD "[-] " cRST - "On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n" - " 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n" - " set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n"); - - FATAL("AFL_CC or AFL_CXX required on MacOS X"); - - } - -#else - - if (!strcmp(name, "afl-g++")) { - u8* alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; - } else if (!strcmp(name, "afl-gcj")) { - u8* alt_cc = getenv("AFL_GCJ"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj"; - } else { - u8* alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; - } - -#endif /* __APPLE__ */ - - } - - while (--argc) { - u8* cur = *(++argv); - - if (!strncmp(cur, "-B", 2)) { - - if (!be_quiet) WARNF("-B is already set, overriding"); - - if (!cur[2] && argc > 1) { argc--; argv++; } - continue; - - } - - if (!strcmp(cur, "-integrated-as")) continue; - - if (!strcmp(cur, "-pipe")) continue; - -#if defined(__FreeBSD__) && defined(__x86_64__) - if (!strcmp(cur, "-m32")) m32_set = 1; -#endif - - if (!strcmp(cur, "-fsanitize=address") || - !strcmp(cur, "-fsanitize=memory")) asan_set = 1; - - if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; - - cc_params[cc_par_cnt++] = cur; - - } - - cc_params[cc_par_cnt++] = "-B"; - cc_params[cc_par_cnt++] = as_path; - - if (clang_mode) - cc_params[cc_par_cnt++] = "-no-integrated-as"; - - if (getenv("AFL_HARDEN")) { - - cc_params[cc_par_cnt++] = "-fstack-protector-all"; - - if (!fortify_set) - cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; - - } - - if (asan_set) { - - /* Pass this on to afl-as to adjust map density. */ - - setenv("AFL_USE_ASAN", "1", 1); - - } else if (getenv("AFL_USE_ASAN")) { - - if (getenv("AFL_USE_MSAN")) - FATAL("ASAN and MSAN are mutually exclusive"); - - if (getenv("AFL_HARDEN")) - FATAL("ASAN and AFL_HARDEN are mutually exclusive"); - - cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; - cc_params[cc_par_cnt++] = "-fsanitize=address"; - - } else if (getenv("AFL_USE_MSAN")) { - - if (getenv("AFL_USE_ASAN")) - FATAL("ASAN and MSAN are mutually exclusive"); - - if (getenv("AFL_HARDEN")) - FATAL("MSAN and AFL_HARDEN are mutually exclusive"); - - cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; - cc_params[cc_par_cnt++] = "-fsanitize=memory"; - - - } - - if (!getenv("AFL_DONT_OPTIMIZE")) { - -#if defined(__FreeBSD__) && defined(__x86_64__) - - /* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself - works OK. This has nothing to do with us, but let's avoid triggering - that bug. */ - - if (!clang_mode || !m32_set) - cc_params[cc_par_cnt++] = "-g"; - -#else - - cc_params[cc_par_cnt++] = "-g"; - -#endif - - cc_params[cc_par_cnt++] = "-O3"; - cc_params[cc_par_cnt++] = "-funroll-loops"; - - /* Two indicators that you're building for fuzzing; one of them is - AFL-specific, the other is shared with libfuzzer. */ - - cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; - cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"; - - } - - if (getenv("AFL_NO_BUILTIN")) { - - cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; - cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; - cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; - cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; - cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; - cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; - cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; - - } - - cc_params[cc_par_cnt] = NULL; - -} - - -/* Main entry point */ - -int main(int argc, char** argv) { - - if (isatty(2) && !getenv("AFL_QUIET")) { - - SAYF(cCYA "afl-cc " cBRI VERSION cRST " by \n"); - - } else be_quiet = 1; - - if (argc < 2) { - - SAYF("\n" - "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" - "for gcc or clang, letting you recompile third-party code with the required\n" - "runtime instrumentation. A common use pattern would be one of the following:\n\n" - - " CC=%s/afl-gcc ./configure\n" - " CXX=%s/afl-g++ ./configure\n\n" - - "You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n" - "Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", - BIN_PATH, BIN_PATH); - - exit(1); - - } - - find_as(argv[0]); - - edit_params(argc, argv); - - execvp(cc_params[0], (char**)cc_params); - - FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); - - return 0; - -} +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - wrapper for GCC and clang + ---------------------------------------------- + + Written and maintained by Michal Zalewski + + This program is a drop-in replacement for GCC or clang. The most common way + of using it is to pass the path to afl-gcc or afl-clang via CC when invoking + ./configure. + + (Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.) + + The wrapper needs to know the path to afl-as (renamed to 'as'). The default + is /usr/local/lib/afl/. A convenient way to specify alternative directories + would be to set AFL_PATH. + + If AFL_HARDEN is set, the wrapper will compile the target app with various + hardening options that may help detect memory management issues more + reliably. You can also specify AFL_USE_ASAN to enable ASAN. + + If you want to call a non-default compiler as a next step of the chain, + specify its location via AFL_CC or AFL_CXX. + +*/ + +#define AFL_MAIN + +#include "config.h" +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" + +#include +#include +#include +#include + +static u8* as_path; /* Path to the AFL 'as' wrapper */ +static u8** cc_params; /* Parameters passed to the real CC */ +static u32 cc_par_cnt = 1; /* Param count, including argv0 */ +static u8 be_quiet, /* Quiet mode */ + clang_mode; /* Invoked as afl-clang*? */ + + +/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived + from argv[0]. If that fails, abort. */ + +static void find_as(u8* argv0) { + + u8 *afl_path = getenv("AFL_PATH"); + u8 *slash, *tmp; + + if (afl_path) { + + tmp = alloc_printf("%s/as", afl_path); + + if (!access(tmp, X_OK)) { + as_path = afl_path; + ck_free(tmp); + return; + } + + ck_free(tmp); + + } + + slash = strrchr(argv0, '/'); + + if (slash) { + + u8 *dir; + + *slash = 0; + dir = ck_strdup(argv0); + *slash = '/'; + + tmp = alloc_printf("%s/afl-as", dir); + + if (!access(tmp, X_OK)) { + as_path = dir; + ck_free(tmp); + return; + } + + ck_free(tmp); + ck_free(dir); + + } + + if (!access(AFL_PATH "/as", X_OK)) { + as_path = AFL_PATH; + return; + } + + FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH"); + +} + + +/* Copy argv to cc_params, making the necessary edits. */ + +static void edit_params(u32 argc, char** argv) { + + u8 fortify_set = 0, asan_set = 0; + u8 *name; + +#if defined(__FreeBSD__) && defined(__x86_64__) + u8 m32_set = 0; +#endif + + cc_params = ck_alloc((argc + 128) * sizeof(u8*)); + + name = strrchr(argv[0], '/'); + if (!name) name = argv[0]; else name++; + + if (!strncmp(name, "afl-clang", 9)) { + + clang_mode = 1; + + setenv(CLANG_ENV_VAR, "1", 1); + + if (!strcmp(name, "afl-clang++")) { + u8* alt_cxx = getenv("AFL_CXX"); + cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++"; + } else { + u8* alt_cc = getenv("AFL_CC"); + cc_params[0] = alt_cc ? alt_cc : (u8*)"clang"; + } + + } else { + + /* With GCJ and Eclipse installed, you can actually compile Java! The + instrumentation will work (amazingly). Alas, unhandled exceptions do + not call abort(), so afl-fuzz would need to be modified to equate + non-zero exit codes with crash conditions when working with Java + binaries. Meh. */ + +#ifdef __APPLE__ + + if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX"); + else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ"); + else cc_params[0] = getenv("AFL_CC"); + + if (!cc_params[0]) { + + SAYF("\n" cLRD "[-] " cRST + "On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n" + " 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n" + " set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n"); + + FATAL("AFL_CC or AFL_CXX required on MacOS X"); + + } + +#else + + if (!strcmp(name, "afl-g++")) { + u8* alt_cxx = getenv("AFL_CXX"); + cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; + } else if (!strcmp(name, "afl-gcj")) { + u8* alt_cc = getenv("AFL_GCJ"); + cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj"; + } else { + u8* alt_cc = getenv("AFL_CC"); + cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; + } + +#endif /* __APPLE__ */ + + } + + while (--argc) { + u8* cur = *(++argv); + + if (!strncmp(cur, "-B", 2)) { + + if (!be_quiet) WARNF("-B is already set, overriding"); + + if (!cur[2] && argc > 1) { argc--; argv++; } + continue; + + } + + if (!strcmp(cur, "-integrated-as")) continue; + + if (!strcmp(cur, "-pipe")) continue; + +#if defined(__FreeBSD__) && defined(__x86_64__) + if (!strcmp(cur, "-m32")) m32_set = 1; +#endif + + if (!strcmp(cur, "-fsanitize=address") || + !strcmp(cur, "-fsanitize=memory")) asan_set = 1; + + if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; + + cc_params[cc_par_cnt++] = cur; + + } + + cc_params[cc_par_cnt++] = "-B"; + cc_params[cc_par_cnt++] = as_path; + + if (clang_mode) + cc_params[cc_par_cnt++] = "-no-integrated-as"; + + if (getenv("AFL_HARDEN")) { + + cc_params[cc_par_cnt++] = "-fstack-protector-all"; + + if (!fortify_set) + cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; + + } + + if (asan_set) { + + /* Pass this on to afl-as to adjust map density. */ + + setenv("AFL_USE_ASAN", "1", 1); + + } else if (getenv("AFL_USE_ASAN")) { + + if (getenv("AFL_USE_MSAN")) + FATAL("ASAN and MSAN are mutually exclusive"); + + if (getenv("AFL_HARDEN")) + FATAL("ASAN and AFL_HARDEN are mutually exclusive"); + + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; + cc_params[cc_par_cnt++] = "-fsanitize=address"; + + } else if (getenv("AFL_USE_MSAN")) { + + if (getenv("AFL_USE_ASAN")) + FATAL("ASAN and MSAN are mutually exclusive"); + + if (getenv("AFL_HARDEN")) + FATAL("MSAN and AFL_HARDEN are mutually exclusive"); + + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; + cc_params[cc_par_cnt++] = "-fsanitize=memory"; + + + } + + if (!getenv("AFL_DONT_OPTIMIZE")) { + +#if defined(__FreeBSD__) && defined(__x86_64__) + + /* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself + works OK. This has nothing to do with us, but let's avoid triggering + that bug. */ + + if (!clang_mode || !m32_set) + cc_params[cc_par_cnt++] = "-g"; + +#else + + cc_params[cc_par_cnt++] = "-g"; + +#endif + + cc_params[cc_par_cnt++] = "-O3"; + cc_params[cc_par_cnt++] = "-funroll-loops"; + + /* Two indicators that you're building for fuzzing; one of them is + AFL-specific, the other is shared with libfuzzer. */ + + cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; + cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"; + + } + + if (getenv("AFL_NO_BUILTIN")) { + + cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; + + } + + cc_params[cc_par_cnt] = NULL; + +} + + +/* Main entry point */ + +int main(int argc, char** argv) { + + if (isatty(2) && !getenv("AFL_QUIET")) { + + SAYF(cCYA "afl-cc " cBRI VERSION cRST " by \n"); + + } else be_quiet = 1; + + if (argc < 2) { + + SAYF("\n" + "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" + "for gcc or clang, letting you recompile third-party code with the required\n" + "runtime instrumentation. A common use pattern would be one of the following:\n\n" + + " CC=%s/afl-gcc ./configure\n" + " CXX=%s/afl-g++ ./configure\n\n" + + "You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n" + "Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", + BIN_PATH, BIN_PATH); + + exit(1); + + } + + find_as(argv[0]); + + edit_params(argc, argv); + + execvp(cc_params[0], (char**)cc_params); + + FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); + + return 0; + +} diff --git a/afl-gotcpu.c b/afl-gotcpu.c index 5813790..630b7ff 100644 --- a/afl-gotcpu.c +++ b/afl-gotcpu.c @@ -1,260 +1,260 @@ -/* - Copyright 2015 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - free CPU gizmo - ----------------------------------- - - Written and maintained by Michal Zalewski - - This tool provides a fairly accurate measurement of CPU preemption rate. - It is meant to complement the quick-and-dirty load average widget shown - in the afl-fuzz UI. See docs/parallel_fuzzing.txt for more info. - - For some work loads, the tool may actually suggest running more instances - than you have CPU cores. This can happen if the tested program is spending - a portion of its run time waiting for I/O, rather than being 100% - CPU-bound. - - The idea for the getrusage()-based approach comes from Jakub Wilk. -*/ - -#define AFL_MAIN -#include "android-ashmem.h" -#define _GNU_SOURCE - -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include "types.h" -#include "debug.h" - -#ifdef __linux__ -# define HAVE_AFFINITY 1 -#endif /* __linux__ */ - - -/* Get unix time in microseconds. */ - -static u64 get_cur_time_us(void) { - - struct timeval tv; - struct timezone tz; - - gettimeofday(&tv, &tz); - - return (tv.tv_sec * 1000000ULL) + tv.tv_usec; - -} - - -/* Get CPU usage in microseconds. */ - -static u64 get_cpu_usage_us(void) { - - struct rusage u; - - getrusage(RUSAGE_SELF, &u); - - return (u.ru_utime.tv_sec * 1000000ULL) + u.ru_utime.tv_usec + - (u.ru_stime.tv_sec * 1000000ULL) + u.ru_stime.tv_usec; - -} - - -/* Measure preemption rate. */ - -static u32 measure_preemption(u32 target_ms) { - - static volatile u32 v1, v2; - - u64 st_t, en_t, st_c, en_c, real_delta, slice_delta; - s32 loop_repeats = 0; - - st_t = get_cur_time_us(); - st_c = get_cpu_usage_us(); - -repeat_loop: - - v1 = CTEST_BUSY_CYCLES; - - while (v1--) v2++; - sched_yield(); - - en_t = get_cur_time_us(); - - if (en_t - st_t < target_ms * 1000) { - loop_repeats++; - goto repeat_loop; - } - - /* Let's see what percentage of this time we actually had a chance to - run, and how much time was spent in the penalty box. */ - - en_c = get_cpu_usage_us(); - - real_delta = (en_t - st_t) / 1000; - slice_delta = (en_c - st_c) / 1000; - - return real_delta * 100 / slice_delta; - -} - - -/* Do the benchmark thing. */ - -int main(int argc, char** argv) { - -#ifdef HAVE_AFFINITY - - u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN), - idle_cpus = 0, maybe_cpus = 0, i; - - SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n"); - - ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...", - ((double)CTEST_CORE_TRG_MS) / 1000); - - for (i = 0; i < cpu_cnt; i++) { - - s32 fr = fork(); - - if (fr < 0) PFATAL("fork failed"); - - if (!fr) { - - cpu_set_t c; - u32 util_perc; - - CPU_ZERO(&c); - CPU_SET(i, &c); - - if (sched_setaffinity(0, sizeof(c), &c)) - PFATAL("sched_setaffinity failed for cpu %d", i); - - util_perc = measure_preemption(CTEST_CORE_TRG_MS); - - if (util_perc < 110) { - - SAYF(" Core #%u: " cLGN "AVAILABLE " cRST "(%u%%)\n", i, util_perc); - exit(0); - - } else if (util_perc < 250) { - - SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc); - exit(1); - - } - - SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i, - util_perc); - exit(2); - - } - - } - - for (i = 0; i < cpu_cnt; i++) { - - int ret; - if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed"); - - if (WEXITSTATUS(ret) == 0) idle_cpus++; - if (WEXITSTATUS(ret) <= 1) maybe_cpus++; - - } - - SAYF(cGRA "\n>>> "); - - if (idle_cpus) { - - if (maybe_cpus == idle_cpus) { - - SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.", - idle_cpus, idle_cpus > 1 ? "s" : ""); - - } else { - - SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.", - idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : ""); - - } - - SAYF(cGRA " <<<" cRST "\n\n"); - return 0; - - } - - if (maybe_cpus) { - - SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.", - maybe_cpus, maybe_cpus > 1 ? "s" : ""); - SAYF(cGRA " <<<" cRST "\n\n"); - return 1; - - } - - SAYF(cLRD "FAIL: " cRST "All cores are overbooked."); - SAYF(cGRA " <<<" cRST "\n\n"); - return 2; - -#else - - u32 util_perc; - - SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n"); - - /* Run a busy loop for CTEST_TARGET_MS. */ - - ACTF("Measuring gross preemption rate (this will take %0.02f sec)...", - ((double)CTEST_TARGET_MS) / 1000); - - util_perc = measure_preemption(CTEST_TARGET_MS); - - /* Deliver the final verdict. */ - - SAYF(cGRA "\n>>> "); - - if (util_perc < 105) { - - SAYF(cLGN "PASS: " cRST "You can probably run additional processes."); - - } else if (util_perc < 130) { - - SAYF(cYEL "CAUTION: " cRST "Your CPU may be somewhat overbooked (%u%%).", - util_perc); - - } else { - - SAYF(cLRD "FAIL: " cRST "Your CPU is overbooked (%u%%).", util_perc); - - } - - SAYF(cGRA " <<<" cRST "\n\n"); - - return (util_perc > 105) + (util_perc > 130); - -#endif /* ^HAVE_AFFINITY */ - -} +/* + Copyright 2015 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - free CPU gizmo + ----------------------------------- + + Written and maintained by Michal Zalewski + + This tool provides a fairly accurate measurement of CPU preemption rate. + It is meant to complement the quick-and-dirty load average widget shown + in the afl-fuzz UI. See docs/parallel_fuzzing.txt for more info. + + For some work loads, the tool may actually suggest running more instances + than you have CPU cores. This can happen if the tested program is spending + a portion of its run time waiting for I/O, rather than being 100% + CPU-bound. + + The idea for the getrusage()-based approach comes from Jakub Wilk. +*/ + +#define AFL_MAIN +#include "android-ashmem.h" +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "types.h" +#include "debug.h" + +#ifdef __linux__ +# define HAVE_AFFINITY 1 +#endif /* __linux__ */ + + +/* Get unix time in microseconds. */ + +static u64 get_cur_time_us(void) { + + struct timeval tv; + struct timezone tz; + + gettimeofday(&tv, &tz); + + return (tv.tv_sec * 1000000ULL) + tv.tv_usec; + +} + + +/* Get CPU usage in microseconds. */ + +static u64 get_cpu_usage_us(void) { + + struct rusage u; + + getrusage(RUSAGE_SELF, &u); + + return (u.ru_utime.tv_sec * 1000000ULL) + u.ru_utime.tv_usec + + (u.ru_stime.tv_sec * 1000000ULL) + u.ru_stime.tv_usec; + +} + + +/* Measure preemption rate. */ + +static u32 measure_preemption(u32 target_ms) { + + static volatile u32 v1, v2; + + u64 st_t, en_t, st_c, en_c, real_delta, slice_delta; + s32 loop_repeats = 0; + + st_t = get_cur_time_us(); + st_c = get_cpu_usage_us(); + +repeat_loop: + + v1 = CTEST_BUSY_CYCLES; + + while (v1--) v2++; + sched_yield(); + + en_t = get_cur_time_us(); + + if (en_t - st_t < target_ms * 1000) { + loop_repeats++; + goto repeat_loop; + } + + /* Let's see what percentage of this time we actually had a chance to + run, and how much time was spent in the penalty box. */ + + en_c = get_cpu_usage_us(); + + real_delta = (en_t - st_t) / 1000; + slice_delta = (en_c - st_c) / 1000; + + return real_delta * 100 / slice_delta; + +} + + +/* Do the benchmark thing. */ + +int main(int argc, char** argv) { + +#ifdef HAVE_AFFINITY + + u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN), + idle_cpus = 0, maybe_cpus = 0, i; + + SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n"); + + ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...", + ((double)CTEST_CORE_TRG_MS) / 1000); + + for (i = 0; i < cpu_cnt; i++) { + + s32 fr = fork(); + + if (fr < 0) PFATAL("fork failed"); + + if (!fr) { + + cpu_set_t c; + u32 util_perc; + + CPU_ZERO(&c); + CPU_SET(i, &c); + + if (sched_setaffinity(0, sizeof(c), &c)) + PFATAL("sched_setaffinity failed for cpu %d", i); + + util_perc = measure_preemption(CTEST_CORE_TRG_MS); + + if (util_perc < 110) { + + SAYF(" Core #%u: " cLGN "AVAILABLE " cRST "(%u%%)\n", i, util_perc); + exit(0); + + } else if (util_perc < 250) { + + SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc); + exit(1); + + } + + SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i, + util_perc); + exit(2); + + } + + } + + for (i = 0; i < cpu_cnt; i++) { + + int ret; + if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed"); + + if (WEXITSTATUS(ret) == 0) idle_cpus++; + if (WEXITSTATUS(ret) <= 1) maybe_cpus++; + + } + + SAYF(cGRA "\n>>> "); + + if (idle_cpus) { + + if (maybe_cpus == idle_cpus) { + + SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.", + idle_cpus, idle_cpus > 1 ? "s" : ""); + + } else { + + SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.", + idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : ""); + + } + + SAYF(cGRA " <<<" cRST "\n\n"); + return 0; + + } + + if (maybe_cpus) { + + SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.", + maybe_cpus, maybe_cpus > 1 ? "s" : ""); + SAYF(cGRA " <<<" cRST "\n\n"); + return 1; + + } + + SAYF(cLRD "FAIL: " cRST "All cores are overbooked."); + SAYF(cGRA " <<<" cRST "\n\n"); + return 2; + +#else + + u32 util_perc; + + SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n"); + + /* Run a busy loop for CTEST_TARGET_MS. */ + + ACTF("Measuring gross preemption rate (this will take %0.02f sec)...", + ((double)CTEST_TARGET_MS) / 1000); + + util_perc = measure_preemption(CTEST_TARGET_MS); + + /* Deliver the final verdict. */ + + SAYF(cGRA "\n>>> "); + + if (util_perc < 105) { + + SAYF(cLGN "PASS: " cRST "You can probably run additional processes."); + + } else if (util_perc < 130) { + + SAYF(cYEL "CAUTION: " cRST "Your CPU may be somewhat overbooked (%u%%).", + util_perc); + + } else { + + SAYF(cLRD "FAIL: " cRST "Your CPU is overbooked (%u%%).", util_perc); + + } + + SAYF(cGRA " <<<" cRST "\n\n"); + + return (util_perc > 105) + (util_perc > 130); + +#endif /* ^HAVE_AFFINITY */ + +} diff --git a/afl-plot b/afl-plot index 0dfa0d6..78825a9 100644 --- a/afl-plot +++ b/afl-plot @@ -1,170 +1,170 @@ -#!/bin/sh -# -# american fuzzy lop - Advanced Persistent Graphing -# ------------------------------------------------- -# -# Written and maintained by Michal Zalewski -# Based on a design & prototype by Michael Rash. -# -# Copyright 2014, 2015 Google LLC All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# - -echo "progress plotting utility for afl-fuzz by " -echo - -if [ ! "$#" = "2" ]; then - - cat 1>&2 <<_EOF_ -This program generates gnuplot images from afl-fuzz output data. Usage: - -$0 afl_state_dir graph_output_dir - -The afl_state_dir parameter should point to an existing state directory for any -active or stopped instance of afl-fuzz; while graph_output_dir should point to -an empty directory where this tool can write the resulting plots to. - -The program will put index.html and three PNG images in the output directory; -you should be able to view it with any web browser of your choice. - -_EOF_ - - exit 1 - -fi - -if [ "$AFL_ALLOW_TMP" = "" ]; then - - echo "$1" | grep -qE '^(/var)?/tmp/' - T1="$?" - - echo "$2" | grep -qE '^(/var)?/tmp/' - T2="$?" - - if [ "$T1" = "0" -o "$T2" = "0" ]; then - - echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2 - exit 1 - - fi - -fi - -if [ ! -f "$1/plot_data" ]; then - - echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2 - exit 1 - -fi - -BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`" - -test "$BANNER" = "" && BANNER="(none)" - -GNUPLOT=`which gnuplot 2>/dev/null` - -if [ "$GNUPLOT" = "" ]; then - - echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2 - exit 1 - -fi - -mkdir "$2" 2>/dev/null - -if [ ! -d "$2" ]; then - - echo "[-] Error: unable to create the output directory - pick another location." 1>&2 - exit 1 - -fi - -rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" -mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null - -echo "[*] Generating plots..." - -( - -cat <<_EOF_ -set terminal png truecolor enhanced size 1000,300 butt - -set output '$2/high_freq.png' - -set xdata time -set timefmt '%s' -set format x "%b %d\n%H:%M" -set tics font 'small' -unset mxtics -unset mytics - -set grid xtics linetype 0 linecolor rgb '#e0e0e0' -set grid ytics linetype 0 linecolor rgb '#e0e0e0' -set border linecolor rgb '#50c0f0' -set tics textcolor rgb '#000000' -set key outside - -set autoscale xfixmin -set autoscale xfixmax - -plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\ - '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\ - '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\ - '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\ - '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3 - -set terminal png truecolor enhanced size 1000,200 butt -set output '$2/low_freq.png' - -plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\ - '' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\ - '' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\ - '' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3 - -set terminal png truecolor enhanced size 1000,200 butt -set output '$2/exec_speed.png' - -plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\ - '$1/plot_data' using 1:11 with lines title ' execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier; - -_EOF_ - -) | gnuplot - -if [ ! -s "$2/exec_speed.png" ]; then - - echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2 - exit 1 - -fi - -echo "[*] Generating index.html..." - -cat >"$2/index.html" <<_EOF_ - - - - -
Banner:$BANNER
Directory:$1
Generated on:`date`
-

-

-

- - -_EOF_ - -# Make it easy to remotely view results when outputting directly to a directory -# served by Apache or other HTTP daemon. Since the plots aren't horribly -# sensitive, this seems like a reasonable trade-off. - -chmod 755 "$2" -chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html" - -echo "[+] All done - enjoy your charts!" - -exit 0 +#!/bin/sh +# +# american fuzzy lop - Advanced Persistent Graphing +# ------------------------------------------------- +# +# Written and maintained by Michal Zalewski +# Based on a design & prototype by Michael Rash. +# +# Copyright 2014, 2015 Google LLC All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# + +echo "progress plotting utility for afl-fuzz by " +echo + +if [ ! "$#" = "2" ]; then + + cat 1>&2 <<_EOF_ +This program generates gnuplot images from afl-fuzz output data. Usage: + +$0 afl_state_dir graph_output_dir + +The afl_state_dir parameter should point to an existing state directory for any +active or stopped instance of afl-fuzz; while graph_output_dir should point to +an empty directory where this tool can write the resulting plots to. + +The program will put index.html and three PNG images in the output directory; +you should be able to view it with any web browser of your choice. + +_EOF_ + + exit 1 + +fi + +if [ "$AFL_ALLOW_TMP" = "" ]; then + + echo "$1" | grep -qE '^(/var)?/tmp/' + T1="$?" + + echo "$2" | grep -qE '^(/var)?/tmp/' + T2="$?" + + if [ "$T1" = "0" -o "$T2" = "0" ]; then + + echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2 + exit 1 + + fi + +fi + +if [ ! -f "$1/plot_data" ]; then + + echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2 + exit 1 + +fi + +BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`" + +test "$BANNER" = "" && BANNER="(none)" + +GNUPLOT=`which gnuplot 2>/dev/null` + +if [ "$GNUPLOT" = "" ]; then + + echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2 + exit 1 + +fi + +mkdir "$2" 2>/dev/null + +if [ ! -d "$2" ]; then + + echo "[-] Error: unable to create the output directory - pick another location." 1>&2 + exit 1 + +fi + +rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" +mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null + +echo "[*] Generating plots..." + +( + +cat <<_EOF_ +set terminal png truecolor enhanced size 1000,300 butt + +set output '$2/high_freq.png' + +set xdata time +set timefmt '%s' +set format x "%b %d\n%H:%M" +set tics font 'small' +unset mxtics +unset mytics + +set grid xtics linetype 0 linecolor rgb '#e0e0e0' +set grid ytics linetype 0 linecolor rgb '#e0e0e0' +set border linecolor rgb '#50c0f0' +set tics textcolor rgb '#000000' +set key outside + +set autoscale xfixmin +set autoscale xfixmax + +plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\ + '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\ + '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\ + '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\ + '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3 + +set terminal png truecolor enhanced size 1000,200 butt +set output '$2/low_freq.png' + +plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\ + '' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\ + '' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\ + '' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3 + +set terminal png truecolor enhanced size 1000,200 butt +set output '$2/exec_speed.png' + +plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\ + '$1/plot_data' using 1:11 with lines title ' execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier; + +_EOF_ + +) | gnuplot + +if [ ! -s "$2/exec_speed.png" ]; then + + echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2 + exit 1 + +fi + +echo "[*] Generating index.html..." + +cat >"$2/index.html" <<_EOF_ + + + + +
Banner:$BANNER
Directory:$1
Generated on:`date`
+

+

+

+ + +_EOF_ + +# Make it easy to remotely view results when outputting directly to a directory +# served by Apache or other HTTP daemon. Since the plots aren't horribly +# sensitive, this seems like a reasonable trade-off. + +chmod 755 "$2" +chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html" + +echo "[+] All done - enjoy your charts!" + +exit 0 diff --git a/afl-showmap.c b/afl-showmap.c index 66dfbc5..4af6518 100644 --- a/afl-showmap.c +++ b/afl-showmap.c @@ -1,795 +1,795 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - map display utility - ---------------------------------------- - - Written and maintained by Michal Zalewski - - A very simple tool that runs the targeted binary and displays - the contents of the trace bitmap in a human-readable form. Useful in - scripts to eliminate redundant inputs and perform other checks. - - Exit code is 2 if the target program crashes; 1 if it times out or - there is a problem executing it; or 0 if execution is successful. -*/ - -#define AFL_MAIN -#include "android-ashmem.h" - -#include "config.h" -#include "types.h" -#include "debug.h" -#include "alloc-inl.h" -#include "hash.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -static s32 child_pid; /* PID of the tested program */ - -static u8* trace_bits; /* SHM with instrumentation bitmap */ - -static u8 *out_file, /* Trace output file */ - *doc_path, /* Path to docs */ - *target_path, /* Path to target binary */ - *at_file; /* Substitution string for @@ */ - -static u32 exec_tmout; /* Exec timeout (ms) */ - -static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ - -static s32 shm_id; /* ID of the SHM region */ - -static u8 quiet_mode, /* Hide non-essential messages? */ - edges_only, /* Ignore hit counts? */ - cmin_mode, /* Generate output in afl-cmin mode? */ - binary_mode, /* Write output as a binary map */ - keep_cores; /* Allow coredumps? */ - -static volatile u8 - stop_soon, /* Ctrl-C pressed? */ - child_timed_out, /* Child timed out? */ - child_crashed; /* Child crashed? */ - -/* Classify tuple counts. Instead of mapping to individual bits, as in - afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ - -static const u8 count_class_human[256] = { - - [0] = 0, - [1] = 1, - [2] = 2, - [3] = 3, - [4 ... 7] = 4, - [8 ... 15] = 5, - [16 ... 31] = 6, - [32 ... 127] = 7, - [128 ... 255] = 8 - -}; - -static const u8 count_class_binary[256] = { - - [0] = 0, - [1] = 1, - [2] = 2, - [3] = 4, - [4 ... 7] = 8, - [8 ... 15] = 16, - [16 ... 31] = 32, - [32 ... 127] = 64, - [128 ... 255] = 128 - -}; - -static void classify_counts(u8* mem, const u8* map) { - - u32 i = MAP_SIZE; - - if (edges_only) { - - while (i--) { - if (*mem) *mem = 1; - mem++; - } - - } else { - - while (i--) { - *mem = map[*mem]; - mem++; - } - - } - -} - - -/* Get rid of shared memory (atexit handler). */ - -static void remove_shm(void) { - - shmctl(shm_id, IPC_RMID, NULL); - -} - - -/* Configure shared memory. */ - -static void setup_shm(void) { - - u8* shm_str; - - shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); - - if (shm_id < 0) PFATAL("shmget() failed"); - - atexit(remove_shm); - - shm_str = alloc_printf("%d", shm_id); - - setenv(SHM_ENV_VAR, shm_str, 1); - - ck_free(shm_str); - - trace_bits = shmat(shm_id, NULL, 0); - - if (trace_bits == (void *)-1) PFATAL("shmat() failed"); - -} - -/* Write results. */ - -static u32 write_results(void) { - - s32 fd; - u32 i, ret = 0; - - u8 cco = !!getenv("AFL_CMIN_CRASHES_ONLY"), - caa = !!getenv("AFL_CMIN_ALLOW_ANY"); - - if (!strncmp(out_file, "/dev/", 5)) { - - fd = open(out_file, O_WRONLY, 0600); - if (fd < 0) PFATAL("Unable to open '%s'", out_file); - - } else if (!strcmp(out_file, "-")) { - - fd = dup(1); - if (fd < 0) PFATAL("Unable to open stdout"); - - } else { - - unlink(out_file); /* Ignore errors */ - fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", out_file); - - } - - - if (binary_mode) { - - for (i = 0; i < MAP_SIZE; i++) - if (trace_bits[i]) ret++; - - ck_write(fd, trace_bits, MAP_SIZE, out_file); - close(fd); - - } else { - - FILE* f = fdopen(fd, "w"); - - if (!f) PFATAL("fdopen() failed"); - - for (i = 0; i < MAP_SIZE; i++) { - - if (!trace_bits[i]) continue; - ret++; - - if (cmin_mode) { - - if (child_timed_out) break; - if (!caa && child_crashed != cco) break; - - fprintf(f, "%u%u\n", trace_bits[i], i); - - } else fprintf(f, "%06u:%u\n", i, trace_bits[i]); - - } - - fclose(f); - - } - - return ret; - -} - - -/* Handle timeout signal. */ - -static void handle_timeout(int sig) { - - child_timed_out = 1; - if (child_pid > 0) kill(child_pid, SIGKILL); - -} - - -/* Execute target application. */ - -static void run_target(char** argv) { - - static struct itimerval it; - int status = 0; - - if (!quiet_mode) - SAYF("-- Program output begins --\n" cRST); - - MEM_BARRIER(); - - child_pid = fork(); - - if (child_pid < 0) PFATAL("fork() failed"); - - if (!child_pid) { - - struct rlimit r; - - if (quiet_mode) { - - s32 fd = open("/dev/null", O_RDWR); - - if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) { - *(u32*)trace_bits = EXEC_FAIL_SIG; - PFATAL("Descriptor initialization failed"); - } - - close(fd); - - } - - if (mem_limit) { - - r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; - -#ifdef RLIMIT_AS - - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ - -#else - - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ - -#endif /* ^RLIMIT_AS */ - - } - - if (!keep_cores) r.rlim_max = r.rlim_cur = 0; - else r.rlim_max = r.rlim_cur = RLIM_INFINITY; - - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - - if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); - - setsid(); - - execv(target_path, argv); - - *(u32*)trace_bits = EXEC_FAIL_SIG; - exit(0); - - } - - /* Configure timeout, wait for child, cancel timeout. */ - - if (exec_tmout) { - - child_timed_out = 0; - it.it_value.tv_sec = (exec_tmout / 1000); - it.it_value.tv_usec = (exec_tmout % 1000) * 1000; - - } - - setitimer(ITIMER_REAL, &it, NULL); - - if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed"); - - child_pid = 0; - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - setitimer(ITIMER_REAL, &it, NULL); - - MEM_BARRIER(); - - /* Clean up bitmap, analyze exit condition, etc. */ - - if (*(u32*)trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute '%s'", argv[0]); - - classify_counts(trace_bits, binary_mode ? - count_class_binary : count_class_human); - - if (!quiet_mode) - SAYF(cRST "-- Program output ends --\n"); - - if (!child_timed_out && !stop_soon && WIFSIGNALED(status)) - child_crashed = 1; - - if (!quiet_mode) { - - if (child_timed_out) - SAYF(cLRD "\n+++ Program timed off +++\n" cRST); - else if (stop_soon) - SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST); - else if (child_crashed) - SAYF(cLRD "\n+++ Program killed by signal %u +++\n" cRST, WTERMSIG(status)); - - } - - -} - - -/* Handle Ctrl-C and the like. */ - -static void handle_stop_sig(int sig) { - - stop_soon = 1; - - if (child_pid > 0) kill(child_pid, SIGKILL); - -} - - -/* Do basic preparations - persistent fds, filenames, etc. */ - -static void set_up_environment(void) { - - setenv("ASAN_OPTIONS", "abort_on_error=1:" - "detect_leaks=0:" - "symbolize=0:" - "allocator_may_return_null=1", 0); - - setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" - "abort_on_error=1:" - "allocator_may_return_null=1:" - "msan_track_origins=0", 0); - - if (getenv("AFL_PRELOAD")) { - setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); - setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); - } - -} - - -/* Setup signal handlers, duh. */ - -static void setup_signal_handlers(void) { - - struct sigaction sa; - - sa.sa_handler = NULL; - sa.sa_flags = SA_RESTART; - sa.sa_sigaction = NULL; - - sigemptyset(&sa.sa_mask); - - /* Various ways of saying "stop". */ - - sa.sa_handler = handle_stop_sig; - sigaction(SIGHUP, &sa, NULL); - sigaction(SIGINT, &sa, NULL); - sigaction(SIGTERM, &sa, NULL); - - /* Exec timeout notifications. */ - - sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); - -} - - -/* Detect @@ in args. */ - -static void detect_file_args(char** argv) { - - u32 i = 0; - u8* cwd = getcwd(NULL, 0); - - if (!cwd) PFATAL("getcwd() failed"); - - while (argv[i]) { - - u8* aa_loc = strstr(argv[i], "@@"); - - if (aa_loc) { - - u8 *aa_subst, *n_arg; - - if (!at_file) FATAL("@@ syntax is not supported by this tool."); - - /* Be sure that we're always using fully-qualified paths. */ - - if (at_file[0] == '/') aa_subst = at_file; - else aa_subst = alloc_printf("%s/%s", cwd, at_file); - - /* Construct a replacement argv value. */ - - *aa_loc = 0; - n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); - argv[i] = n_arg; - *aa_loc = '@'; - - if (at_file[0] != '/') ck_free(aa_subst); - - } - - i++; - - } - - free(cwd); /* not tracked */ - -} - - -/* Show banner. */ - -static void show_banner(void) { - - SAYF(cCYA "afl-showmap " cBRI VERSION cRST " by \n"); - -} - -/* Display usage hints. */ - -static void usage(u8* argv0) { - - show_banner(); - - SAYF("\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" - - "Required parameters:\n\n" - - " -o file - file to write the trace data to\n\n" - - "Execution control settings:\n\n" - - " -t msec - timeout for each run (none)\n" - " -m megs - memory limit for child process (%u MB)\n" - " -Q - use binary-only instrumentation (QEMU mode)\n\n" - - "Other settings:\n\n" - - " -q - sink program's output and don't show messages\n" - " -e - show edge coverage only, ignore hit counts\n" - " -c - allow core dumps\n" - " -V - show version number and exit\n\n" - - "This tool displays raw tuple data captured by AFL instrumentation.\n" - "For additional help, consult %s/README.\n\n" cRST, - - argv0, MEM_LIMIT, doc_path); - - exit(1); - -} - - -/* Find binary. */ - -static void find_binary(u8* fname) { - - u8* env_path = 0; - struct stat st; - - if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - - target_path = ck_strdup(fname); - - if (stat(target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || st.st_size < 4) - FATAL("Program '%s' not found or not executable", fname); - - } else { - - while (env_path) { - - u8 *cur_elem, *delim = strchr(env_path, ':'); - - if (delim) { - - cur_elem = ck_alloc(delim - env_path + 1); - memcpy(cur_elem, env_path, delim - env_path); - delim++; - - } else cur_elem = ck_strdup(env_path); - - env_path = delim; - - if (cur_elem[0]) - target_path = alloc_printf("%s/%s", cur_elem, fname); - else - target_path = ck_strdup(fname); - - ck_free(cur_elem); - - if (!stat(target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && st.st_size >= 4) break; - - ck_free(target_path); - target_path = 0; - - } - - if (!target_path) FATAL("Program '%s' not found or not executable", fname); - - } - -} - - -/* Fix up argv for QEMU. */ - -static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { - - char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); - u8 *tmp, *cp, *rsl, *own_copy; - - /* Workaround for a QEMU stability glitch. */ - - setenv("QEMU_LOG", "nochain", 1); - - memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); - - new_argv[2] = target_path; - new_argv[1] = "--"; - - /* Now we need to actually find qemu for argv[0]. */ - - tmp = getenv("AFL_PATH"); - - if (tmp) { - - cp = alloc_printf("%s/afl-qemu-trace", tmp); - - if (access(cp, X_OK)) - FATAL("Unable to find '%s'", tmp); - - target_path = new_argv[0] = cp; - return new_argv; - - } - - own_copy = ck_strdup(own_loc); - rsl = strrchr(own_copy, '/'); - - if (rsl) { - - *rsl = 0; - - cp = alloc_printf("%s/afl-qemu-trace", own_copy); - ck_free(own_copy); - - if (!access(cp, X_OK)) { - - target_path = new_argv[0] = cp; - return new_argv; - - } - - } else ck_free(own_copy); - - if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { - - target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace"; - return new_argv; - - } - - FATAL("Unable to find 'afl-qemu-trace'."); - -} - - -/* Main entry point */ - -int main(int argc, char** argv) { - - s32 opt; - u8 mem_limit_given = 0, timeout_given = 0, qemu_mode = 0; - u32 tcnt; - char** use_argv; - - doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - - while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQbcV")) > 0) - - switch (opt) { - - case 'o': - - if (out_file) FATAL("Multiple -o options not supported"); - out_file = optarg; - break; - - case 'm': { - - u8 suffix = 'M'; - - if (mem_limit_given) FATAL("Multiple -m options not supported"); - mem_limit_given = 1; - - if (!strcmp(optarg, "none")) { - - mem_limit = 0; - break; - - } - - if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -m"); - - switch (suffix) { - - case 'T': mem_limit *= 1024 * 1024; break; - case 'G': mem_limit *= 1024; break; - case 'k': mem_limit /= 1024; break; - case 'M': break; - - default: FATAL("Unsupported suffix or bad syntax for -m"); - - } - - if (mem_limit < 5) FATAL("Dangerously low value of -m"); - - if (sizeof(rlim_t) == 4 && mem_limit > 2000) - FATAL("Value of -m out of range on 32-bit systems"); - - } - - break; - - case 't': - - if (timeout_given) FATAL("Multiple -t options not supported"); - timeout_given = 1; - - if (strcmp(optarg, "none")) { - exec_tmout = atoi(optarg); - - if (exec_tmout < 20 || optarg[0] == '-') - FATAL("Dangerously low value of -t"); - - } - - break; - - case 'e': - - if (edges_only) FATAL("Multiple -e options not supported"); - edges_only = 1; - break; - - case 'q': - - if (quiet_mode) FATAL("Multiple -q options not supported"); - quiet_mode = 1; - break; - - case 'Z': - - /* This is an undocumented option to write data in the syntax expected - by afl-cmin. Nobody else should have any use for this. */ - - cmin_mode = 1; - quiet_mode = 1; - break; - - case 'A': - - /* Another afl-cmin specific feature. */ - at_file = optarg; - break; - - case 'Q': - - if (qemu_mode) FATAL("Multiple -Q options not supported"); - if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; - - qemu_mode = 1; - break; - - case 'b': - - /* Secret undocumented mode. Writes output in raw binary format - similar to that dumped by afl-fuzz in + + A very simple tool that runs the targeted binary and displays + the contents of the trace bitmap in a human-readable form. Useful in + scripts to eliminate redundant inputs and perform other checks. + + Exit code is 2 if the target program crashes; 1 if it times out or + there is a problem executing it; or 0 if execution is successful. +*/ + +#define AFL_MAIN +#include "android-ashmem.h" + +#include "config.h" +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" +#include "hash.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +static s32 child_pid; /* PID of the tested program */ + +static u8* trace_bits; /* SHM with instrumentation bitmap */ + +static u8 *out_file, /* Trace output file */ + *doc_path, /* Path to docs */ + *target_path, /* Path to target binary */ + *at_file; /* Substitution string for @@ */ + +static u32 exec_tmout; /* Exec timeout (ms) */ + +static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ + +static s32 shm_id; /* ID of the SHM region */ + +static u8 quiet_mode, /* Hide non-essential messages? */ + edges_only, /* Ignore hit counts? */ + cmin_mode, /* Generate output in afl-cmin mode? */ + binary_mode, /* Write output as a binary map */ + keep_cores; /* Allow coredumps? */ + +static volatile u8 + stop_soon, /* Ctrl-C pressed? */ + child_timed_out, /* Child timed out? */ + child_crashed; /* Child crashed? */ + +/* Classify tuple counts. Instead of mapping to individual bits, as in + afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */ + +static const u8 count_class_human[256] = { + + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 3, + [4 ... 7] = 4, + [8 ... 15] = 5, + [16 ... 31] = 6, + [32 ... 127] = 7, + [128 ... 255] = 8 + +}; + +static const u8 count_class_binary[256] = { + + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 4, + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 + +}; + +static void classify_counts(u8* mem, const u8* map) { + + u32 i = MAP_SIZE; + + if (edges_only) { + + while (i--) { + if (*mem) *mem = 1; + mem++; + } + + } else { + + while (i--) { + *mem = map[*mem]; + mem++; + } + + } + +} + + +/* Get rid of shared memory (atexit handler). */ + +static void remove_shm(void) { + + shmctl(shm_id, IPC_RMID, NULL); + +} + + +/* Configure shared memory. */ + +static void setup_shm(void) { + + u8* shm_str; + + shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); + + if (shm_id < 0) PFATAL("shmget() failed"); + + atexit(remove_shm); + + shm_str = alloc_printf("%d", shm_id); + + setenv(SHM_ENV_VAR, shm_str, 1); + + ck_free(shm_str); + + trace_bits = shmat(shm_id, NULL, 0); + + if (trace_bits == (void *)-1) PFATAL("shmat() failed"); + +} + +/* Write results. */ + +static u32 write_results(void) { + + s32 fd; + u32 i, ret = 0; + + u8 cco = !!getenv("AFL_CMIN_CRASHES_ONLY"), + caa = !!getenv("AFL_CMIN_ALLOW_ANY"); + + if (!strncmp(out_file, "/dev/", 5)) { + + fd = open(out_file, O_WRONLY, 0600); + if (fd < 0) PFATAL("Unable to open '%s'", out_file); + + } else if (!strcmp(out_file, "-")) { + + fd = dup(1); + if (fd < 0) PFATAL("Unable to open stdout"); + + } else { + + unlink(out_file); /* Ignore errors */ + fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", out_file); + + } + + + if (binary_mode) { + + for (i = 0; i < MAP_SIZE; i++) + if (trace_bits[i]) ret++; + + ck_write(fd, trace_bits, MAP_SIZE, out_file); + close(fd); + + } else { + + FILE* f = fdopen(fd, "w"); + + if (!f) PFATAL("fdopen() failed"); + + for (i = 0; i < MAP_SIZE; i++) { + + if (!trace_bits[i]) continue; + ret++; + + if (cmin_mode) { + + if (child_timed_out) break; + if (!caa && child_crashed != cco) break; + + fprintf(f, "%u%u\n", trace_bits[i], i); + + } else fprintf(f, "%06u:%u\n", i, trace_bits[i]); + + } + + fclose(f); + + } + + return ret; + +} + + +/* Handle timeout signal. */ + +static void handle_timeout(int sig) { + + child_timed_out = 1; + if (child_pid > 0) kill(child_pid, SIGKILL); + +} + + +/* Execute target application. */ + +static void run_target(char** argv) { + + static struct itimerval it; + int status = 0; + + if (!quiet_mode) + SAYF("-- Program output begins --\n" cRST); + + MEM_BARRIER(); + + child_pid = fork(); + + if (child_pid < 0) PFATAL("fork() failed"); + + if (!child_pid) { + + struct rlimit r; + + if (quiet_mode) { + + s32 fd = open("/dev/null", O_RDWR); + + if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) { + *(u32*)trace_bits = EXEC_FAIL_SIG; + PFATAL("Descriptor initialization failed"); + } + + close(fd); + + } + + if (mem_limit) { + + r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; + +#ifdef RLIMIT_AS + + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + +#else + + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + +#endif /* ^RLIMIT_AS */ + + } + + if (!keep_cores) r.rlim_max = r.rlim_cur = 0; + else r.rlim_max = r.rlim_cur = RLIM_INFINITY; + + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + + if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); + + setsid(); + + execv(target_path, argv); + + *(u32*)trace_bits = EXEC_FAIL_SIG; + exit(0); + + } + + /* Configure timeout, wait for child, cancel timeout. */ + + if (exec_tmout) { + + child_timed_out = 0; + it.it_value.tv_sec = (exec_tmout / 1000); + it.it_value.tv_usec = (exec_tmout % 1000) * 1000; + + } + + setitimer(ITIMER_REAL, &it, NULL); + + if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed"); + + child_pid = 0; + it.it_value.tv_sec = 0; + it.it_value.tv_usec = 0; + setitimer(ITIMER_REAL, &it, NULL); + + MEM_BARRIER(); + + /* Clean up bitmap, analyze exit condition, etc. */ + + if (*(u32*)trace_bits == EXEC_FAIL_SIG) + FATAL("Unable to execute '%s'", argv[0]); + + classify_counts(trace_bits, binary_mode ? + count_class_binary : count_class_human); + + if (!quiet_mode) + SAYF(cRST "-- Program output ends --\n"); + + if (!child_timed_out && !stop_soon && WIFSIGNALED(status)) + child_crashed = 1; + + if (!quiet_mode) { + + if (child_timed_out) + SAYF(cLRD "\n+++ Program timed off +++\n" cRST); + else if (stop_soon) + SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST); + else if (child_crashed) + SAYF(cLRD "\n+++ Program killed by signal %u +++\n" cRST, WTERMSIG(status)); + + } + + +} + + +/* Handle Ctrl-C and the like. */ + +static void handle_stop_sig(int sig) { + + stop_soon = 1; + + if (child_pid > 0) kill(child_pid, SIGKILL); + +} + + +/* Do basic preparations - persistent fds, filenames, etc. */ + +static void set_up_environment(void) { + + setenv("ASAN_OPTIONS", "abort_on_error=1:" + "detect_leaks=0:" + "symbolize=0:" + "allocator_may_return_null=1", 0); + + setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" + "symbolize=0:" + "abort_on_error=1:" + "allocator_may_return_null=1:" + "msan_track_origins=0", 0); + + if (getenv("AFL_PRELOAD")) { + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); + setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); + } + +} + + +/* Setup signal handlers, duh. */ + +static void setup_signal_handlers(void) { + + struct sigaction sa; + + sa.sa_handler = NULL; + sa.sa_flags = SA_RESTART; + sa.sa_sigaction = NULL; + + sigemptyset(&sa.sa_mask); + + /* Various ways of saying "stop". */ + + sa.sa_handler = handle_stop_sig; + sigaction(SIGHUP, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + sigaction(SIGTERM, &sa, NULL); + + /* Exec timeout notifications. */ + + sa.sa_handler = handle_timeout; + sigaction(SIGALRM, &sa, NULL); + +} + + +/* Detect @@ in args. */ + +static void detect_file_args(char** argv) { + + u32 i = 0; + u8* cwd = getcwd(NULL, 0); + + if (!cwd) PFATAL("getcwd() failed"); + + while (argv[i]) { + + u8* aa_loc = strstr(argv[i], "@@"); + + if (aa_loc) { + + u8 *aa_subst, *n_arg; + + if (!at_file) FATAL("@@ syntax is not supported by this tool."); + + /* Be sure that we're always using fully-qualified paths. */ + + if (at_file[0] == '/') aa_subst = at_file; + else aa_subst = alloc_printf("%s/%s", cwd, at_file); + + /* Construct a replacement argv value. */ + + *aa_loc = 0; + n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); + argv[i] = n_arg; + *aa_loc = '@'; + + if (at_file[0] != '/') ck_free(aa_subst); + + } + + i++; + + } + + free(cwd); /* not tracked */ + +} + + +/* Show banner. */ + +static void show_banner(void) { + + SAYF(cCYA "afl-showmap " cBRI VERSION cRST " by \n"); + +} + +/* Display usage hints. */ + +static void usage(u8* argv0) { + + show_banner(); + + SAYF("\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" + + "Required parameters:\n\n" + + " -o file - file to write the trace data to\n\n" + + "Execution control settings:\n\n" + + " -t msec - timeout for each run (none)\n" + " -m megs - memory limit for child process (%u MB)\n" + " -Q - use binary-only instrumentation (QEMU mode)\n\n" + + "Other settings:\n\n" + + " -q - sink program's output and don't show messages\n" + " -e - show edge coverage only, ignore hit counts\n" + " -c - allow core dumps\n" + " -V - show version number and exit\n\n" + + "This tool displays raw tuple data captured by AFL instrumentation.\n" + "For additional help, consult %s/README.\n\n" cRST, + + argv0, MEM_LIMIT, doc_path); + + exit(1); + +} + + +/* Find binary. */ + +static void find_binary(u8* fname) { + + u8* env_path = 0; + struct stat st; + + if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { + + target_path = ck_strdup(fname); + + if (stat(target_path, &st) || !S_ISREG(st.st_mode) || + !(st.st_mode & 0111) || st.st_size < 4) + FATAL("Program '%s' not found or not executable", fname); + + } else { + + while (env_path) { + + u8 *cur_elem, *delim = strchr(env_path, ':'); + + if (delim) { + + cur_elem = ck_alloc(delim - env_path + 1); + memcpy(cur_elem, env_path, delim - env_path); + delim++; + + } else cur_elem = ck_strdup(env_path); + + env_path = delim; + + if (cur_elem[0]) + target_path = alloc_printf("%s/%s", cur_elem, fname); + else + target_path = ck_strdup(fname); + + ck_free(cur_elem); + + if (!stat(target_path, &st) && S_ISREG(st.st_mode) && + (st.st_mode & 0111) && st.st_size >= 4) break; + + ck_free(target_path); + target_path = 0; + + } + + if (!target_path) FATAL("Program '%s' not found or not executable", fname); + + } + +} + + +/* Fix up argv for QEMU. */ + +static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { + + char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); + u8 *tmp, *cp, *rsl, *own_copy; + + /* Workaround for a QEMU stability glitch. */ + + setenv("QEMU_LOG", "nochain", 1); + + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); + + new_argv[2] = target_path; + new_argv[1] = "--"; + + /* Now we need to actually find qemu for argv[0]. */ + + tmp = getenv("AFL_PATH"); + + if (tmp) { + + cp = alloc_printf("%s/afl-qemu-trace", tmp); + + if (access(cp, X_OK)) + FATAL("Unable to find '%s'", tmp); + + target_path = new_argv[0] = cp; + return new_argv; + + } + + own_copy = ck_strdup(own_loc); + rsl = strrchr(own_copy, '/'); + + if (rsl) { + + *rsl = 0; + + cp = alloc_printf("%s/afl-qemu-trace", own_copy); + ck_free(own_copy); + + if (!access(cp, X_OK)) { + + target_path = new_argv[0] = cp; + return new_argv; + + } + + } else ck_free(own_copy); + + if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { + + target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace"; + return new_argv; + + } + + FATAL("Unable to find 'afl-qemu-trace'."); + +} + + +/* Main entry point */ + +int main(int argc, char** argv) { + + s32 opt; + u8 mem_limit_given = 0, timeout_given = 0, qemu_mode = 0; + u32 tcnt; + char** use_argv; + + doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; + + while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQbcV")) > 0) + + switch (opt) { + + case 'o': + + if (out_file) FATAL("Multiple -o options not supported"); + out_file = optarg; + break; + + case 'm': { + + u8 suffix = 'M'; + + if (mem_limit_given) FATAL("Multiple -m options not supported"); + mem_limit_given = 1; + + if (!strcmp(optarg, "none")) { + + mem_limit = 0; + break; + + } + + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -m"); + + switch (suffix) { + + case 'T': mem_limit *= 1024 * 1024; break; + case 'G': mem_limit *= 1024; break; + case 'k': mem_limit /= 1024; break; + case 'M': break; + + default: FATAL("Unsupported suffix or bad syntax for -m"); + + } + + if (mem_limit < 5) FATAL("Dangerously low value of -m"); + + if (sizeof(rlim_t) == 4 && mem_limit > 2000) + FATAL("Value of -m out of range on 32-bit systems"); + + } + + break; + + case 't': + + if (timeout_given) FATAL("Multiple -t options not supported"); + timeout_given = 1; + + if (strcmp(optarg, "none")) { + exec_tmout = atoi(optarg); + + if (exec_tmout < 20 || optarg[0] == '-') + FATAL("Dangerously low value of -t"); + + } + + break; + + case 'e': + + if (edges_only) FATAL("Multiple -e options not supported"); + edges_only = 1; + break; + + case 'q': + + if (quiet_mode) FATAL("Multiple -q options not supported"); + quiet_mode = 1; + break; + + case 'Z': + + /* This is an undocumented option to write data in the syntax expected + by afl-cmin. Nobody else should have any use for this. */ + + cmin_mode = 1; + quiet_mode = 1; + break; + + case 'A': + + /* Another afl-cmin specific feature. */ + at_file = optarg; + break; + + case 'Q': + + if (qemu_mode) FATAL("Multiple -Q options not supported"); + if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; + + qemu_mode = 1; + break; + + case 'b': + + /* Secret undocumented mode. Writes output in raw binary format + similar to that dumped by afl-fuzz in - - A simple test case minimizer that takes an input file and tries to remove - as much data as possible while keeping the binary in a crashing state - *or* producing consistent instrumentation output (the mode is auto-selected - based on the initially observed behavior). -*/ - -#define AFL_MAIN -#include "android-ashmem.h" - -#include "config.h" -#include "types.h" -#include "debug.h" -#include "alloc-inl.h" -#include "hash.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -static s32 child_pid; /* PID of the tested program */ - -static u8 *trace_bits, /* SHM with instrumentation bitmap */ - *mask_bitmap; /* Mask for trace bits (-B) */ - -static u8 *in_file, /* Minimizer input test case */ - *out_file, /* Minimizer output file */ - *prog_in, /* Targeted program input file */ - *target_path, /* Path to target binary */ - *doc_path; /* Path to docs */ - -static u8* in_data; /* Input data for trimming */ - -static u32 in_len, /* Input data length */ - orig_cksum, /* Original checksum */ - total_execs, /* Total number of execs */ - missed_hangs, /* Misses due to hangs */ - missed_crashes, /* Misses due to crashes */ - missed_paths, /* Misses due to exec path diffs */ - exec_tmout = EXEC_TIMEOUT; /* Exec timeout (ms) */ - -static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ - -static s32 shm_id, /* ID of the SHM region */ - dev_null_fd = -1; /* FD to /dev/null */ - -static u8 crash_mode, /* Crash-centric mode? */ - exit_crash, /* Treat non-zero exit as crash? */ - edges_only, /* Ignore hit counts? */ - exact_mode, /* Require path match for crashes? */ - use_stdin = 1; /* Use stdin for program input? */ - -static volatile u8 - stop_soon, /* Ctrl-C pressed? */ - child_timed_out; /* Child timed out? */ - - -/* Classify tuple counts. This is a slow & naive version, but good enough here. */ - -static const u8 count_class_lookup[256] = { - - [0] = 0, - [1] = 1, - [2] = 2, - [3] = 4, - [4 ... 7] = 8, - [8 ... 15] = 16, - [16 ... 31] = 32, - [32 ... 127] = 64, - [128 ... 255] = 128 - -}; - -static void classify_counts(u8* mem) { - - u32 i = MAP_SIZE; - - if (edges_only) { - - while (i--) { - if (*mem) *mem = 1; - mem++; - } - - } else { - - while (i--) { - *mem = count_class_lookup[*mem]; - mem++; - } - - } - -} - - -/* Apply mask to classified bitmap (if set). */ - -static void apply_mask(u32* mem, u32* mask) { - - u32 i = (MAP_SIZE >> 2); - - if (!mask) return; - - while (i--) { - - *mem &= ~*mask; - mem++; - mask++; - - } - -} - - -/* See if any bytes are set in the bitmap. */ - -static inline u8 anything_set(void) { - - u32* ptr = (u32*)trace_bits; - u32 i = (MAP_SIZE >> 2); - - while (i--) if (*(ptr++)) return 1; - - return 0; - -} - - - -/* Get rid of shared memory and temp files (atexit handler). */ - -static void remove_shm(void) { - - if (prog_in) unlink(prog_in); /* Ignore errors */ - shmctl(shm_id, IPC_RMID, NULL); - -} - - -/* Configure shared memory. */ - -static void setup_shm(void) { - - u8* shm_str; - - shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); - - if (shm_id < 0) PFATAL("shmget() failed"); - - atexit(remove_shm); - - shm_str = alloc_printf("%d", shm_id); - - setenv(SHM_ENV_VAR, shm_str, 1); - - ck_free(shm_str); - - trace_bits = shmat(shm_id, NULL, 0); - - if (trace_bits == (void *)-1) PFATAL("shmat() failed"); - -} - - -/* Read initial file. */ - -static void read_initial_file(void) { - - struct stat st; - s32 fd = open(in_file, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", in_file); - - if (fstat(fd, &st) || !st.st_size) - FATAL("Zero-sized input file."); - - if (st.st_size >= TMIN_MAX_FILE) - FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); - - in_len = st.st_size; - in_data = ck_alloc_nozero(in_len); - - ck_read(fd, in_data, in_len, in_file); - - close(fd); - - OKF("Read %u byte%s from '%s'.", in_len, in_len == 1 ? "" : "s", in_file); - -} - - -/* Write output file. */ - -static s32 write_to_file(u8* path, u8* mem, u32 len) { - - s32 ret; - - unlink(path); /* Ignore errors */ - - ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600); - - if (ret < 0) PFATAL("Unable to create '%s'", path); - - ck_write(ret, mem, len, path); - - lseek(ret, 0, SEEK_SET); - - return ret; - -} - - -/* Handle timeout signal. */ - -static void handle_timeout(int sig) { - - child_timed_out = 1; - if (child_pid > 0) kill(child_pid, SIGKILL); - -} - - -/* Execute target application. Returns 0 if the changes are a dud, or - 1 if they should be kept. */ - -static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) { - - static struct itimerval it; - int status = 0; - - s32 prog_in_fd; - u32 cksum; - - memset(trace_bits, 0, MAP_SIZE); - MEM_BARRIER(); - - prog_in_fd = write_to_file(prog_in, mem, len); - - child_pid = fork(); - - if (child_pid < 0) PFATAL("fork() failed"); - - if (!child_pid) { - - struct rlimit r; - - if (dup2(use_stdin ? prog_in_fd : dev_null_fd, 0) < 0 || - dup2(dev_null_fd, 1) < 0 || - dup2(dev_null_fd, 2) < 0) { - - *(u32*)trace_bits = EXEC_FAIL_SIG; - PFATAL("dup2() failed"); - - } - - close(dev_null_fd); - close(prog_in_fd); - - setsid(); - - if (mem_limit) { - - r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; - -#ifdef RLIMIT_AS - - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ - -#else - - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ - -#endif /* ^RLIMIT_AS */ - - } - - r.rlim_max = r.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - - execv(target_path, argv); - - *(u32*)trace_bits = EXEC_FAIL_SIG; - exit(0); - - } - - close(prog_in_fd); - - /* Configure timeout, wait for child, cancel timeout. */ - - child_timed_out = 0; - it.it_value.tv_sec = (exec_tmout / 1000); - it.it_value.tv_usec = (exec_tmout % 1000) * 1000; - - setitimer(ITIMER_REAL, &it, NULL); - - if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed"); - - child_pid = 0; - it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; - - setitimer(ITIMER_REAL, &it, NULL); - - MEM_BARRIER(); - - /* Clean up bitmap, analyze exit condition, etc. */ - - if (*(u32*)trace_bits == EXEC_FAIL_SIG) - FATAL("Unable to execute '%s'", argv[0]); - - classify_counts(trace_bits); - apply_mask((u32*)trace_bits, (u32*)mask_bitmap); - total_execs++; - - if (stop_soon) { - - SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST); - close(write_to_file(out_file, in_data, in_len)); - exit(1); - - } - - /* Always discard inputs that time out. */ - - if (child_timed_out) { - - missed_hangs++; - return 0; - - } - - /* Handle crashing inputs depending on current mode. */ - - if (WIFSIGNALED(status) || - (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || - (WIFEXITED(status) && WEXITSTATUS(status) && exit_crash)) { - - if (first_run) crash_mode = 1; - - if (crash_mode) { - - if (!exact_mode) return 1; - - } else { - - missed_crashes++; - return 0; - - } - - } else - - /* Handle non-crashing inputs appropriately. */ - - if (crash_mode) { - - missed_paths++; - return 0; - - } - - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - - if (first_run) orig_cksum = cksum; - - if (orig_cksum == cksum) return 1; - - missed_paths++; - return 0; - -} - - -/* Find first power of two greater or equal to val. */ - -static u32 next_p2(u32 val) { - - u32 ret = 1; - while (val > ret) ret <<= 1; - return ret; - -} - - -/* Actually minimize! */ - -static void minimize(char** argv) { - - static u32 alpha_map[256]; - - u8* tmp_buf = ck_alloc_nozero(in_len); - u32 orig_len = in_len, stage_o_len; - - u32 del_len, set_len, del_pos, set_pos, i, alpha_size, cur_pass = 0; - u32 syms_removed, alpha_del0 = 0, alpha_del1, alpha_del2, alpha_d_total = 0; - u8 changed_any, prev_del; - - /*********************** - * BLOCK NORMALIZATION * - ***********************/ - - set_len = next_p2(in_len / TMIN_SET_STEPS); - set_pos = 0; - - if (set_len < TMIN_SET_MIN_SIZE) set_len = TMIN_SET_MIN_SIZE; - - ACTF(cBRI "Stage #0: " cRST "One-time block normalization..."); - - while (set_pos < in_len) { - - u8 res; - u32 use_len = MIN(set_len, in_len - set_pos); - - for (i = 0; i < use_len; i++) - if (in_data[set_pos + i] != '0') break; - - if (i != use_len) { - - memcpy(tmp_buf, in_data, in_len); - memset(tmp_buf + set_pos, '0', use_len); - - res = run_target(argv, tmp_buf, in_len, 0); - - if (res) { - - memset(in_data + set_pos, '0', use_len); - changed_any = 1; - alpha_del0 += use_len; - - } - - } - - set_pos += set_len; - - } - - alpha_d_total += alpha_del0; - - OKF("Block normalization complete, %u byte%s replaced.", alpha_del0, - alpha_del0 == 1 ? "" : "s"); - -next_pass: - - ACTF(cYEL "--- " cBRI "Pass #%u " cYEL "---", ++cur_pass); - changed_any = 0; - - /****************** - * BLOCK DELETION * - ******************/ - - del_len = next_p2(in_len / TRIM_START_STEPS); - stage_o_len = in_len; - - ACTF(cBRI "Stage #1: " cRST "Removing blocks of data..."); - -next_del_blksize: - - if (!del_len) del_len = 1; - del_pos = 0; - prev_del = 1; - - SAYF(cGRA " Block length = %u, remaining size = %u\n" cRST, - del_len, in_len); - - while (del_pos < in_len) { - - u8 res; - s32 tail_len; - - tail_len = in_len - del_pos - del_len; - if (tail_len < 0) tail_len = 0; - - /* If we have processed at least one full block (initially, prev_del == 1), - and we did so without deleting the previous one, and we aren't at the - very end of the buffer (tail_len > 0), and the current block is the same - as the previous one... skip this step as a no-op. */ - - if (!prev_del && tail_len && !memcmp(in_data + del_pos - del_len, - in_data + del_pos, del_len)) { - - del_pos += del_len; - continue; - - } - - prev_del = 0; - - /* Head */ - memcpy(tmp_buf, in_data, del_pos); - - /* Tail */ - memcpy(tmp_buf + del_pos, in_data + del_pos + del_len, tail_len); - - res = run_target(argv, tmp_buf, del_pos + tail_len, 0); - - if (res) { - - memcpy(in_data, tmp_buf, del_pos + tail_len); - prev_del = 1; - in_len = del_pos + tail_len; - - changed_any = 1; - - } else del_pos += del_len; - - } - - if (del_len > 1 && in_len >= 1) { - - del_len /= 2; - goto next_del_blksize; - - } - - OKF("Block removal complete, %u bytes deleted.", stage_o_len - in_len); - - if (!in_len && changed_any) - WARNF(cLRD "Down to zero bytes - check the command line and mem limit!" cRST); - - if (cur_pass > 1 && !changed_any) goto finalize_all; - - /************************* - * ALPHABET MINIMIZATION * - *************************/ - - alpha_size = 0; - alpha_del1 = 0; - syms_removed = 0; - - memset(alpha_map, 0, 256 * sizeof(u32)); - - for (i = 0; i < in_len; i++) { - if (!alpha_map[in_data[i]]) alpha_size++; - alpha_map[in_data[i]]++; - } - - ACTF(cBRI "Stage #2: " cRST "Minimizing symbols (%u code point%s)...", - alpha_size, alpha_size == 1 ? "" : "s"); - - for (i = 0; i < 256; i++) { - - u32 r; - u8 res; - - if (i == '0' || !alpha_map[i]) continue; - - memcpy(tmp_buf, in_data, in_len); - - for (r = 0; r < in_len; r++) - if (tmp_buf[r] == i) tmp_buf[r] = '0'; - - res = run_target(argv, tmp_buf, in_len, 0); - - if (res) { - - memcpy(in_data, tmp_buf, in_len); - syms_removed++; - alpha_del1 += alpha_map[i]; - changed_any = 1; - - } - - } - - alpha_d_total += alpha_del1; - - OKF("Symbol minimization finished, %u symbol%s (%u byte%s) replaced.", - syms_removed, syms_removed == 1 ? "" : "s", - alpha_del1, alpha_del1 == 1 ? "" : "s"); - - /************************** - * CHARACTER MINIMIZATION * - **************************/ - - alpha_del2 = 0; - - ACTF(cBRI "Stage #3: " cRST "Character minimization..."); - - memcpy(tmp_buf, in_data, in_len); - - for (i = 0; i < in_len; i++) { - - u8 res, orig = tmp_buf[i]; - - if (orig == '0') continue; - tmp_buf[i] = '0'; - - res = run_target(argv, tmp_buf, in_len, 0); - - if (res) { - - in_data[i] = '0'; - alpha_del2++; - changed_any = 1; - - } else tmp_buf[i] = orig; - - } - - alpha_d_total += alpha_del2; - - OKF("Character minimization done, %u byte%s replaced.", - alpha_del2, alpha_del2 == 1 ? "" : "s"); - - if (changed_any) goto next_pass; - -finalize_all: - - SAYF("\n" - cGRA " File size reduced by : " cRST "%0.02f%% (to %u byte%s)\n" - cGRA " Characters simplified : " cRST "%0.02f%%\n" - cGRA " Number of execs done : " cRST "%u\n" - cGRA " Fruitless execs : " cRST "path=%u crash=%u hang=%s%u\n\n", - 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", - ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), - total_execs, missed_paths, missed_crashes, missed_hangs ? cLRD : "", - missed_hangs); - - if (total_execs > 50 && missed_hangs * 10 > total_execs) - WARNF(cLRD "Frequent timeouts - results may be skewed." cRST); - -} - - - -/* Handle Ctrl-C and the like. */ - -static void handle_stop_sig(int sig) { - - stop_soon = 1; - - if (child_pid > 0) kill(child_pid, SIGKILL); - -} - - -/* Do basic preparations - persistent fds, filenames, etc. */ - -static void set_up_environment(void) { - - u8* x; - - dev_null_fd = open("/dev/null", O_RDWR); - if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); - - if (!prog_in) { - - u8* use_dir = "."; - - if (access(use_dir, R_OK | W_OK | X_OK)) { - - use_dir = getenv("TMPDIR"); - if (!use_dir) use_dir = "/tmp"; - - } - - prog_in = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); - - } - - /* Set sane defaults... */ - - x = getenv("ASAN_OPTIONS"); - - if (x) { - - if (!strstr(x, "abort_on_error=1")) - FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); - - if (!strstr(x, "symbolize=0")) - FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); - - } - - x = getenv("MSAN_OPTIONS"); - - if (x) { - - if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) - FATAL("Custom MSAN_OPTIONS set without exit_code=" - STRINGIFY(MSAN_ERROR) " - please fix!"); - - if (!strstr(x, "symbolize=0")) - FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); - - } - - setenv("ASAN_OPTIONS", "abort_on_error=1:" - "detect_leaks=0:" - "symbolize=0:" - "allocator_may_return_null=1", 0); - - setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" - "symbolize=0:" - "abort_on_error=1:" - "allocator_may_return_null=1:" - "msan_track_origins=0", 0); - - if (getenv("AFL_PRELOAD")) { - setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); - setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); - } - -} - - -/* Setup signal handlers, duh. */ - -static void setup_signal_handlers(void) { - - struct sigaction sa; - - sa.sa_handler = NULL; - sa.sa_flags = SA_RESTART; - sa.sa_sigaction = NULL; - - sigemptyset(&sa.sa_mask); - - /* Various ways of saying "stop". */ - - sa.sa_handler = handle_stop_sig; - sigaction(SIGHUP, &sa, NULL); - sigaction(SIGINT, &sa, NULL); - sigaction(SIGTERM, &sa, NULL); - - /* Exec timeout notifications. */ - - sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); - -} - - -/* Detect @@ in args. */ - -static void detect_file_args(char** argv) { - - u32 i = 0; - u8* cwd = getcwd(NULL, 0); - - if (!cwd) PFATAL("getcwd() failed"); - - while (argv[i]) { - - u8* aa_loc = strstr(argv[i], "@@"); - - if (aa_loc) { - - u8 *aa_subst, *n_arg; - - /* Be sure that we're always using fully-qualified paths. */ - - if (prog_in[0] == '/') aa_subst = prog_in; - else aa_subst = alloc_printf("%s/%s", cwd, prog_in); - - /* Construct a replacement argv value. */ - - *aa_loc = 0; - n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); - argv[i] = n_arg; - *aa_loc = '@'; - - if (prog_in[0] != '/') ck_free(aa_subst); - - } - - i++; - - } - - free(cwd); /* not tracked */ - -} - - -/* Display usage hints. */ - -static void usage(u8* argv0) { - - SAYF("\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" - - "Required parameters:\n\n" - - " -i file - input test case to be shrunk by the tool\n" - " -o file - final output location for the minimized data\n\n" - - "Execution control settings:\n\n" - - " -f file - input file read by the tested program (stdin)\n" - " -t msec - timeout for each run (%u ms)\n" - " -m megs - memory limit for child process (%u MB)\n" - " -Q - use binary-only instrumentation (QEMU mode)\n\n" - - "Minimization settings:\n\n" - - " -e - solve for edge coverage only, ignore hit counts\n" - " -x - treat non-zero exit codes as crashes\n\n" - - "Other stuff:\n\n" - - " -V - show version number and exit\n\n" - - "For additional tips, please consult %s/README.\n\n", - - argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); - - exit(1); - -} - - -/* Find binary. */ - -static void find_binary(u8* fname) { - - u8* env_path = 0; - struct stat st; - - if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - - target_path = ck_strdup(fname); - - if (stat(target_path, &st) || !S_ISREG(st.st_mode) || - !(st.st_mode & 0111) || st.st_size < 4) - FATAL("Program '%s' not found or not executable", fname); - - } else { - - while (env_path) { - - u8 *cur_elem, *delim = strchr(env_path, ':'); - - if (delim) { - - cur_elem = ck_alloc(delim - env_path + 1); - memcpy(cur_elem, env_path, delim - env_path); - delim++; - - } else cur_elem = ck_strdup(env_path); - - env_path = delim; - - if (cur_elem[0]) - target_path = alloc_printf("%s/%s", cur_elem, fname); - else - target_path = ck_strdup(fname); - - ck_free(cur_elem); - - if (!stat(target_path, &st) && S_ISREG(st.st_mode) && - (st.st_mode & 0111) && st.st_size >= 4) break; - - ck_free(target_path); - target_path = 0; - - } - - if (!target_path) FATAL("Program '%s' not found or not executable", fname); - - } - -} - - -/* Fix up argv for QEMU. */ - -static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { - - char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); - u8 *tmp, *cp, *rsl, *own_copy; - - /* Workaround for a QEMU stability glitch. */ - - setenv("QEMU_LOG", "nochain", 1); - - memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); - - /* Now we need to actually find qemu for argv[0]. */ - - new_argv[2] = target_path; - new_argv[1] = "--"; - - tmp = getenv("AFL_PATH"); - - if (tmp) { - - cp = alloc_printf("%s/afl-qemu-trace", tmp); - - if (access(cp, X_OK)) - FATAL("Unable to find '%s'", tmp); - - target_path = new_argv[0] = cp; - return new_argv; - - } - - own_copy = ck_strdup(own_loc); - rsl = strrchr(own_copy, '/'); - - if (rsl) { - - *rsl = 0; - - cp = alloc_printf("%s/afl-qemu-trace", own_copy); - ck_free(own_copy); - - if (!access(cp, X_OK)) { - - target_path = new_argv[0] = cp; - return new_argv; - - } - - } else ck_free(own_copy); - - if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { - - target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace"; - return new_argv; - - } - - FATAL("Unable to find 'afl-qemu-trace'."); - -} - - -/* Read mask bitmap from file. This is for the -B option. */ - -static void read_bitmap(u8* fname) { - - s32 fd = open(fname, O_RDONLY); - - if (fd < 0) PFATAL("Unable to open '%s'", fname); - - ck_read(fd, mask_bitmap, MAP_SIZE, fname); - - close(fd); - -} - - - -/* Main entry point */ - -int main(int argc, char** argv) { - - s32 opt; - u8 mem_limit_given = 0, timeout_given = 0, qemu_mode = 0; - char** use_argv; - - doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - - SAYF(cCYA "afl-tmin " cBRI VERSION cRST " by \n"); - - while ((opt = getopt(argc,argv,"+i:o:f:m:t:B:xeQV")) > 0) - - switch (opt) { - - case 'i': - - if (in_file) FATAL("Multiple -i options not supported"); - in_file = optarg; - break; - - case 'o': - - if (out_file) FATAL("Multiple -o options not supported"); - out_file = optarg; - break; - - case 'f': - - if (prog_in) FATAL("Multiple -f options not supported"); - use_stdin = 0; - prog_in = optarg; - break; - - case 'e': - - if (edges_only) FATAL("Multiple -e options not supported"); - edges_only = 1; - break; - - case 'x': - - if (exit_crash) FATAL("Multiple -x options not supported"); - exit_crash = 1; - break; - - case 'm': { - - u8 suffix = 'M'; - - if (mem_limit_given) FATAL("Multiple -m options not supported"); - mem_limit_given = 1; - - if (!strcmp(optarg, "none")) { - - mem_limit = 0; - break; - - } - - if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -m"); - - switch (suffix) { - - case 'T': mem_limit *= 1024 * 1024; break; - case 'G': mem_limit *= 1024; break; - case 'k': mem_limit /= 1024; break; - case 'M': break; - - default: FATAL("Unsupported suffix or bad syntax for -m"); - - } - - if (mem_limit < 5) FATAL("Dangerously low value of -m"); - - if (sizeof(rlim_t) == 4 && mem_limit > 2000) - FATAL("Value of -m out of range on 32-bit systems"); - - } - - break; - - case 't': - - if (timeout_given) FATAL("Multiple -t options not supported"); - timeout_given = 1; - - exec_tmout = atoi(optarg); - - if (exec_tmout < 10 || optarg[0] == '-') - FATAL("Dangerously low value of -t"); - - break; - - case 'Q': - - if (qemu_mode) FATAL("Multiple -Q options not supported"); - if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; - - qemu_mode = 1; - break; - - case 'B': /* load bitmap */ - - /* This is a secret undocumented option! It is speculated to be useful - if you have a baseline "boring" input file and another "interesting" - file you want to minimize. - - You can dump a binary bitmap for the boring file using - afl-showmap -b, and then load it into afl-tmin via -B. The minimizer - will then minimize to preserve only the edges that are unique to - the interesting input file, but ignoring everything from the - original map. - - The option may be extended and made more official if it proves - to be useful. */ - - if (mask_bitmap) FATAL("Multiple -B options not supported"); - mask_bitmap = ck_alloc(MAP_SIZE); - read_bitmap(optarg); - break; - - case 'V': /* Show version number */ - - /* Version number has been printed already, just quit. */ - exit(0); - - default: - - usage(argv[0]); - - } - - if (optind == argc || !in_file || !out_file) usage(argv[0]); - - setup_shm(); - setup_signal_handlers(); - - set_up_environment(); - - find_binary(argv[optind]); - detect_file_args(argv + optind); - - if (qemu_mode) - use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); - else - use_argv = argv + optind; - - exact_mode = !!getenv("AFL_TMIN_EXACT"); - - SAYF("\n"); - - read_initial_file(); - - ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", - mem_limit, exec_tmout, edges_only ? ", edges only" : ""); - - run_target(use_argv, in_data, in_len, 1); - - if (child_timed_out) - FATAL("Target binary times out (adjusting -t may help)."); - - if (!crash_mode) { - - OKF("Program terminates normally, minimizing in " - cCYA "instrumented" cRST " mode."); - - if (!anything_set()) FATAL("No instrumentation detected."); - - } else { - - OKF("Program exits with a signal, minimizing in " cMGN "%scrash" cRST - " mode.", exact_mode ? "EXACT " : ""); - - } - - minimize(use_argv); - - ACTF("Writing output to '%s'...", out_file); - - unlink(prog_in); - prog_in = NULL; - - close(write_to_file(out_file, in_data, in_len)); - - OKF("We're done here. Have a nice day!\n"); - - exit(0); - -} - +/* + Copyright 2015 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - test case minimizer + ---------------------------------------- + + Written and maintained by Michal Zalewski + + A simple test case minimizer that takes an input file and tries to remove + as much data as possible while keeping the binary in a crashing state + *or* producing consistent instrumentation output (the mode is auto-selected + based on the initially observed behavior). +*/ + +#define AFL_MAIN +#include "android-ashmem.h" + +#include "config.h" +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" +#include "hash.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +static s32 child_pid; /* PID of the tested program */ + +static u8 *trace_bits, /* SHM with instrumentation bitmap */ + *mask_bitmap; /* Mask for trace bits (-B) */ + +static u8 *in_file, /* Minimizer input test case */ + *out_file, /* Minimizer output file */ + *prog_in, /* Targeted program input file */ + *target_path, /* Path to target binary */ + *doc_path; /* Path to docs */ + +static u8* in_data; /* Input data for trimming */ + +static u32 in_len, /* Input data length */ + orig_cksum, /* Original checksum */ + total_execs, /* Total number of execs */ + missed_hangs, /* Misses due to hangs */ + missed_crashes, /* Misses due to crashes */ + missed_paths, /* Misses due to exec path diffs */ + exec_tmout = EXEC_TIMEOUT; /* Exec timeout (ms) */ + +static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */ + +static s32 shm_id, /* ID of the SHM region */ + dev_null_fd = -1; /* FD to /dev/null */ + +static u8 crash_mode, /* Crash-centric mode? */ + exit_crash, /* Treat non-zero exit as crash? */ + edges_only, /* Ignore hit counts? */ + exact_mode, /* Require path match for crashes? */ + use_stdin = 1; /* Use stdin for program input? */ + +static volatile u8 + stop_soon, /* Ctrl-C pressed? */ + child_timed_out; /* Child timed out? */ + + +/* Classify tuple counts. This is a slow & naive version, but good enough here. */ + +static const u8 count_class_lookup[256] = { + + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 4, + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 + +}; + +static void classify_counts(u8* mem) { + + u32 i = MAP_SIZE; + + if (edges_only) { + + while (i--) { + if (*mem) *mem = 1; + mem++; + } + + } else { + + while (i--) { + *mem = count_class_lookup[*mem]; + mem++; + } + + } + +} + + +/* Apply mask to classified bitmap (if set). */ + +static void apply_mask(u32* mem, u32* mask) { + + u32 i = (MAP_SIZE >> 2); + + if (!mask) return; + + while (i--) { + + *mem &= ~*mask; + mem++; + mask++; + + } + +} + + +/* See if any bytes are set in the bitmap. */ + +static inline u8 anything_set(void) { + + u32* ptr = (u32*)trace_bits; + u32 i = (MAP_SIZE >> 2); + + while (i--) if (*(ptr++)) return 1; + + return 0; + +} + + + +/* Get rid of shared memory and temp files (atexit handler). */ + +static void remove_shm(void) { + + if (prog_in) unlink(prog_in); /* Ignore errors */ + shmctl(shm_id, IPC_RMID, NULL); + +} + + +/* Configure shared memory. */ + +static void setup_shm(void) { + + u8* shm_str; + + shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); + + if (shm_id < 0) PFATAL("shmget() failed"); + + atexit(remove_shm); + + shm_str = alloc_printf("%d", shm_id); + + setenv(SHM_ENV_VAR, shm_str, 1); + + ck_free(shm_str); + + trace_bits = shmat(shm_id, NULL, 0); + + if (trace_bits == (void *)-1) PFATAL("shmat() failed"); + +} + + +/* Read initial file. */ + +static void read_initial_file(void) { + + struct stat st; + s32 fd = open(in_file, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", in_file); + + if (fstat(fd, &st) || !st.st_size) + FATAL("Zero-sized input file."); + + if (st.st_size >= TMIN_MAX_FILE) + FATAL("Input file is too large (%u MB max)", TMIN_MAX_FILE / 1024 / 1024); + + in_len = st.st_size; + in_data = ck_alloc_nozero(in_len); + + ck_read(fd, in_data, in_len, in_file); + + close(fd); + + OKF("Read %u byte%s from '%s'.", in_len, in_len == 1 ? "" : "s", in_file); + +} + + +/* Write output file. */ + +static s32 write_to_file(u8* path, u8* mem, u32 len) { + + s32 ret; + + unlink(path); /* Ignore errors */ + + ret = open(path, O_RDWR | O_CREAT | O_EXCL, 0600); + + if (ret < 0) PFATAL("Unable to create '%s'", path); + + ck_write(ret, mem, len, path); + + lseek(ret, 0, SEEK_SET); + + return ret; + +} + + +/* Handle timeout signal. */ + +static void handle_timeout(int sig) { + + child_timed_out = 1; + if (child_pid > 0) kill(child_pid, SIGKILL); + +} + + +/* Execute target application. Returns 0 if the changes are a dud, or + 1 if they should be kept. */ + +static u8 run_target(char** argv, u8* mem, u32 len, u8 first_run) { + + static struct itimerval it; + int status = 0; + + s32 prog_in_fd; + u32 cksum; + + memset(trace_bits, 0, MAP_SIZE); + MEM_BARRIER(); + + prog_in_fd = write_to_file(prog_in, mem, len); + + child_pid = fork(); + + if (child_pid < 0) PFATAL("fork() failed"); + + if (!child_pid) { + + struct rlimit r; + + if (dup2(use_stdin ? prog_in_fd : dev_null_fd, 0) < 0 || + dup2(dev_null_fd, 1) < 0 || + dup2(dev_null_fd, 2) < 0) { + + *(u32*)trace_bits = EXEC_FAIL_SIG; + PFATAL("dup2() failed"); + + } + + close(dev_null_fd); + close(prog_in_fd); + + setsid(); + + if (mem_limit) { + + r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; + +#ifdef RLIMIT_AS + + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + +#else + + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + +#endif /* ^RLIMIT_AS */ + + } + + r.rlim_max = r.rlim_cur = 0; + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + + execv(target_path, argv); + + *(u32*)trace_bits = EXEC_FAIL_SIG; + exit(0); + + } + + close(prog_in_fd); + + /* Configure timeout, wait for child, cancel timeout. */ + + child_timed_out = 0; + it.it_value.tv_sec = (exec_tmout / 1000); + it.it_value.tv_usec = (exec_tmout % 1000) * 1000; + + setitimer(ITIMER_REAL, &it, NULL); + + if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed"); + + child_pid = 0; + it.it_value.tv_sec = 0; + it.it_value.tv_usec = 0; + + setitimer(ITIMER_REAL, &it, NULL); + + MEM_BARRIER(); + + /* Clean up bitmap, analyze exit condition, etc. */ + + if (*(u32*)trace_bits == EXEC_FAIL_SIG) + FATAL("Unable to execute '%s'", argv[0]); + + classify_counts(trace_bits); + apply_mask((u32*)trace_bits, (u32*)mask_bitmap); + total_execs++; + + if (stop_soon) { + + SAYF(cRST cLRD "\n+++ Minimization aborted by user +++\n" cRST); + close(write_to_file(out_file, in_data, in_len)); + exit(1); + + } + + /* Always discard inputs that time out. */ + + if (child_timed_out) { + + missed_hangs++; + return 0; + + } + + /* Handle crashing inputs depending on current mode. */ + + if (WIFSIGNALED(status) || + (WIFEXITED(status) && WEXITSTATUS(status) == MSAN_ERROR) || + (WIFEXITED(status) && WEXITSTATUS(status) && exit_crash)) { + + if (first_run) crash_mode = 1; + + if (crash_mode) { + + if (!exact_mode) return 1; + + } else { + + missed_crashes++; + return 0; + + } + + } else + + /* Handle non-crashing inputs appropriately. */ + + if (crash_mode) { + + missed_paths++; + return 0; + + } + + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + if (first_run) orig_cksum = cksum; + + if (orig_cksum == cksum) return 1; + + missed_paths++; + return 0; + +} + + +/* Find first power of two greater or equal to val. */ + +static u32 next_p2(u32 val) { + + u32 ret = 1; + while (val > ret) ret <<= 1; + return ret; + +} + + +/* Actually minimize! */ + +static void minimize(char** argv) { + + static u32 alpha_map[256]; + + u8* tmp_buf = ck_alloc_nozero(in_len); + u32 orig_len = in_len, stage_o_len; + + u32 del_len, set_len, del_pos, set_pos, i, alpha_size, cur_pass = 0; + u32 syms_removed, alpha_del0 = 0, alpha_del1, alpha_del2, alpha_d_total = 0; + u8 changed_any, prev_del; + + /*********************** + * BLOCK NORMALIZATION * + ***********************/ + + set_len = next_p2(in_len / TMIN_SET_STEPS); + set_pos = 0; + + if (set_len < TMIN_SET_MIN_SIZE) set_len = TMIN_SET_MIN_SIZE; + + ACTF(cBRI "Stage #0: " cRST "One-time block normalization..."); + + while (set_pos < in_len) { + + u8 res; + u32 use_len = MIN(set_len, in_len - set_pos); + + for (i = 0; i < use_len; i++) + if (in_data[set_pos + i] != '0') break; + + if (i != use_len) { + + memcpy(tmp_buf, in_data, in_len); + memset(tmp_buf + set_pos, '0', use_len); + + res = run_target(argv, tmp_buf, in_len, 0); + + if (res) { + + memset(in_data + set_pos, '0', use_len); + changed_any = 1; + alpha_del0 += use_len; + + } + + } + + set_pos += set_len; + + } + + alpha_d_total += alpha_del0; + + OKF("Block normalization complete, %u byte%s replaced.", alpha_del0, + alpha_del0 == 1 ? "" : "s"); + +next_pass: + + ACTF(cYEL "--- " cBRI "Pass #%u " cYEL "---", ++cur_pass); + changed_any = 0; + + /****************** + * BLOCK DELETION * + ******************/ + + del_len = next_p2(in_len / TRIM_START_STEPS); + stage_o_len = in_len; + + ACTF(cBRI "Stage #1: " cRST "Removing blocks of data..."); + +next_del_blksize: + + if (!del_len) del_len = 1; + del_pos = 0; + prev_del = 1; + + SAYF(cGRA " Block length = %u, remaining size = %u\n" cRST, + del_len, in_len); + + while (del_pos < in_len) { + + u8 res; + s32 tail_len; + + tail_len = in_len - del_pos - del_len; + if (tail_len < 0) tail_len = 0; + + /* If we have processed at least one full block (initially, prev_del == 1), + and we did so without deleting the previous one, and we aren't at the + very end of the buffer (tail_len > 0), and the current block is the same + as the previous one... skip this step as a no-op. */ + + if (!prev_del && tail_len && !memcmp(in_data + del_pos - del_len, + in_data + del_pos, del_len)) { + + del_pos += del_len; + continue; + + } + + prev_del = 0; + + /* Head */ + memcpy(tmp_buf, in_data, del_pos); + + /* Tail */ + memcpy(tmp_buf + del_pos, in_data + del_pos + del_len, tail_len); + + res = run_target(argv, tmp_buf, del_pos + tail_len, 0); + + if (res) { + + memcpy(in_data, tmp_buf, del_pos + tail_len); + prev_del = 1; + in_len = del_pos + tail_len; + + changed_any = 1; + + } else del_pos += del_len; + + } + + if (del_len > 1 && in_len >= 1) { + + del_len /= 2; + goto next_del_blksize; + + } + + OKF("Block removal complete, %u bytes deleted.", stage_o_len - in_len); + + if (!in_len && changed_any) + WARNF(cLRD "Down to zero bytes - check the command line and mem limit!" cRST); + + if (cur_pass > 1 && !changed_any) goto finalize_all; + + /************************* + * ALPHABET MINIMIZATION * + *************************/ + + alpha_size = 0; + alpha_del1 = 0; + syms_removed = 0; + + memset(alpha_map, 0, 256 * sizeof(u32)); + + for (i = 0; i < in_len; i++) { + if (!alpha_map[in_data[i]]) alpha_size++; + alpha_map[in_data[i]]++; + } + + ACTF(cBRI "Stage #2: " cRST "Minimizing symbols (%u code point%s)...", + alpha_size, alpha_size == 1 ? "" : "s"); + + for (i = 0; i < 256; i++) { + + u32 r; + u8 res; + + if (i == '0' || !alpha_map[i]) continue; + + memcpy(tmp_buf, in_data, in_len); + + for (r = 0; r < in_len; r++) + if (tmp_buf[r] == i) tmp_buf[r] = '0'; + + res = run_target(argv, tmp_buf, in_len, 0); + + if (res) { + + memcpy(in_data, tmp_buf, in_len); + syms_removed++; + alpha_del1 += alpha_map[i]; + changed_any = 1; + + } + + } + + alpha_d_total += alpha_del1; + + OKF("Symbol minimization finished, %u symbol%s (%u byte%s) replaced.", + syms_removed, syms_removed == 1 ? "" : "s", + alpha_del1, alpha_del1 == 1 ? "" : "s"); + + /************************** + * CHARACTER MINIMIZATION * + **************************/ + + alpha_del2 = 0; + + ACTF(cBRI "Stage #3: " cRST "Character minimization..."); + + memcpy(tmp_buf, in_data, in_len); + + for (i = 0; i < in_len; i++) { + + u8 res, orig = tmp_buf[i]; + + if (orig == '0') continue; + tmp_buf[i] = '0'; + + res = run_target(argv, tmp_buf, in_len, 0); + + if (res) { + + in_data[i] = '0'; + alpha_del2++; + changed_any = 1; + + } else tmp_buf[i] = orig; + + } + + alpha_d_total += alpha_del2; + + OKF("Character minimization done, %u byte%s replaced.", + alpha_del2, alpha_del2 == 1 ? "" : "s"); + + if (changed_any) goto next_pass; + +finalize_all: + + SAYF("\n" + cGRA " File size reduced by : " cRST "%0.02f%% (to %u byte%s)\n" + cGRA " Characters simplified : " cRST "%0.02f%%\n" + cGRA " Number of execs done : " cRST "%u\n" + cGRA " Fruitless execs : " cRST "path=%u crash=%u hang=%s%u\n\n", + 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", + ((double)(alpha_d_total)) * 100 / (in_len ? in_len : 1), + total_execs, missed_paths, missed_crashes, missed_hangs ? cLRD : "", + missed_hangs); + + if (total_execs > 50 && missed_hangs * 10 > total_execs) + WARNF(cLRD "Frequent timeouts - results may be skewed." cRST); + +} + + + +/* Handle Ctrl-C and the like. */ + +static void handle_stop_sig(int sig) { + + stop_soon = 1; + + if (child_pid > 0) kill(child_pid, SIGKILL); + +} + + +/* Do basic preparations - persistent fds, filenames, etc. */ + +static void set_up_environment(void) { + + u8* x; + + dev_null_fd = open("/dev/null", O_RDWR); + if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); + + if (!prog_in) { + + u8* use_dir = "."; + + if (access(use_dir, R_OK | W_OK | X_OK)) { + + use_dir = getenv("TMPDIR"); + if (!use_dir) use_dir = "/tmp"; + + } + + prog_in = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, getpid()); + + } + + /* Set sane defaults... */ + + x = getenv("ASAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "abort_on_error=1")) + FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); + + if (!strstr(x, "symbolize=0")) + FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); + + } + + x = getenv("MSAN_OPTIONS"); + + if (x) { + + if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) + FATAL("Custom MSAN_OPTIONS set without exit_code=" + STRINGIFY(MSAN_ERROR) " - please fix!"); + + if (!strstr(x, "symbolize=0")) + FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); + + } + + setenv("ASAN_OPTIONS", "abort_on_error=1:" + "detect_leaks=0:" + "symbolize=0:" + "allocator_may_return_null=1", 0); + + setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" + "symbolize=0:" + "abort_on_error=1:" + "allocator_may_return_null=1:" + "msan_track_origins=0", 0); + + if (getenv("AFL_PRELOAD")) { + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); + setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); + } + +} + + +/* Setup signal handlers, duh. */ + +static void setup_signal_handlers(void) { + + struct sigaction sa; + + sa.sa_handler = NULL; + sa.sa_flags = SA_RESTART; + sa.sa_sigaction = NULL; + + sigemptyset(&sa.sa_mask); + + /* Various ways of saying "stop". */ + + sa.sa_handler = handle_stop_sig; + sigaction(SIGHUP, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + sigaction(SIGTERM, &sa, NULL); + + /* Exec timeout notifications. */ + + sa.sa_handler = handle_timeout; + sigaction(SIGALRM, &sa, NULL); + +} + + +/* Detect @@ in args. */ + +static void detect_file_args(char** argv) { + + u32 i = 0; + u8* cwd = getcwd(NULL, 0); + + if (!cwd) PFATAL("getcwd() failed"); + + while (argv[i]) { + + u8* aa_loc = strstr(argv[i], "@@"); + + if (aa_loc) { + + u8 *aa_subst, *n_arg; + + /* Be sure that we're always using fully-qualified paths. */ + + if (prog_in[0] == '/') aa_subst = prog_in; + else aa_subst = alloc_printf("%s/%s", cwd, prog_in); + + /* Construct a replacement argv value. */ + + *aa_loc = 0; + n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); + argv[i] = n_arg; + *aa_loc = '@'; + + if (prog_in[0] != '/') ck_free(aa_subst); + + } + + i++; + + } + + free(cwd); /* not tracked */ + +} + + +/* Display usage hints. */ + +static void usage(u8* argv0) { + + SAYF("\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" + + "Required parameters:\n\n" + + " -i file - input test case to be shrunk by the tool\n" + " -o file - final output location for the minimized data\n\n" + + "Execution control settings:\n\n" + + " -f file - input file read by the tested program (stdin)\n" + " -t msec - timeout for each run (%u ms)\n" + " -m megs - memory limit for child process (%u MB)\n" + " -Q - use binary-only instrumentation (QEMU mode)\n\n" + + "Minimization settings:\n\n" + + " -e - solve for edge coverage only, ignore hit counts\n" + " -x - treat non-zero exit codes as crashes\n\n" + + "Other stuff:\n\n" + + " -V - show version number and exit\n\n" + + "For additional tips, please consult %s/README.\n\n", + + argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); + + exit(1); + +} + + +/* Find binary. */ + +static void find_binary(u8* fname) { + + u8* env_path = 0; + struct stat st; + + if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { + + target_path = ck_strdup(fname); + + if (stat(target_path, &st) || !S_ISREG(st.st_mode) || + !(st.st_mode & 0111) || st.st_size < 4) + FATAL("Program '%s' not found or not executable", fname); + + } else { + + while (env_path) { + + u8 *cur_elem, *delim = strchr(env_path, ':'); + + if (delim) { + + cur_elem = ck_alloc(delim - env_path + 1); + memcpy(cur_elem, env_path, delim - env_path); + delim++; + + } else cur_elem = ck_strdup(env_path); + + env_path = delim; + + if (cur_elem[0]) + target_path = alloc_printf("%s/%s", cur_elem, fname); + else + target_path = ck_strdup(fname); + + ck_free(cur_elem); + + if (!stat(target_path, &st) && S_ISREG(st.st_mode) && + (st.st_mode & 0111) && st.st_size >= 4) break; + + ck_free(target_path); + target_path = 0; + + } + + if (!target_path) FATAL("Program '%s' not found or not executable", fname); + + } + +} + + +/* Fix up argv for QEMU. */ + +static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { + + char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); + u8 *tmp, *cp, *rsl, *own_copy; + + /* Workaround for a QEMU stability glitch. */ + + setenv("QEMU_LOG", "nochain", 1); + + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); + + /* Now we need to actually find qemu for argv[0]. */ + + new_argv[2] = target_path; + new_argv[1] = "--"; + + tmp = getenv("AFL_PATH"); + + if (tmp) { + + cp = alloc_printf("%s/afl-qemu-trace", tmp); + + if (access(cp, X_OK)) + FATAL("Unable to find '%s'", tmp); + + target_path = new_argv[0] = cp; + return new_argv; + + } + + own_copy = ck_strdup(own_loc); + rsl = strrchr(own_copy, '/'); + + if (rsl) { + + *rsl = 0; + + cp = alloc_printf("%s/afl-qemu-trace", own_copy); + ck_free(own_copy); + + if (!access(cp, X_OK)) { + + target_path = new_argv[0] = cp; + return new_argv; + + } + + } else ck_free(own_copy); + + if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { + + target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace"; + return new_argv; + + } + + FATAL("Unable to find 'afl-qemu-trace'."); + +} + + +/* Read mask bitmap from file. This is for the -B option. */ + +static void read_bitmap(u8* fname) { + + s32 fd = open(fname, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", fname); + + ck_read(fd, mask_bitmap, MAP_SIZE, fname); + + close(fd); + +} + + + +/* Main entry point */ + +int main(int argc, char** argv) { + + s32 opt; + u8 mem_limit_given = 0, timeout_given = 0, qemu_mode = 0; + char** use_argv; + + doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; + + SAYF(cCYA "afl-tmin " cBRI VERSION cRST " by \n"); + + while ((opt = getopt(argc,argv,"+i:o:f:m:t:B:xeQV")) > 0) + + switch (opt) { + + case 'i': + + if (in_file) FATAL("Multiple -i options not supported"); + in_file = optarg; + break; + + case 'o': + + if (out_file) FATAL("Multiple -o options not supported"); + out_file = optarg; + break; + + case 'f': + + if (prog_in) FATAL("Multiple -f options not supported"); + use_stdin = 0; + prog_in = optarg; + break; + + case 'e': + + if (edges_only) FATAL("Multiple -e options not supported"); + edges_only = 1; + break; + + case 'x': + + if (exit_crash) FATAL("Multiple -x options not supported"); + exit_crash = 1; + break; + + case 'm': { + + u8 suffix = 'M'; + + if (mem_limit_given) FATAL("Multiple -m options not supported"); + mem_limit_given = 1; + + if (!strcmp(optarg, "none")) { + + mem_limit = 0; + break; + + } + + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -m"); + + switch (suffix) { + + case 'T': mem_limit *= 1024 * 1024; break; + case 'G': mem_limit *= 1024; break; + case 'k': mem_limit /= 1024; break; + case 'M': break; + + default: FATAL("Unsupported suffix or bad syntax for -m"); + + } + + if (mem_limit < 5) FATAL("Dangerously low value of -m"); + + if (sizeof(rlim_t) == 4 && mem_limit > 2000) + FATAL("Value of -m out of range on 32-bit systems"); + + } + + break; + + case 't': + + if (timeout_given) FATAL("Multiple -t options not supported"); + timeout_given = 1; + + exec_tmout = atoi(optarg); + + if (exec_tmout < 10 || optarg[0] == '-') + FATAL("Dangerously low value of -t"); + + break; + + case 'Q': + + if (qemu_mode) FATAL("Multiple -Q options not supported"); + if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; + + qemu_mode = 1; + break; + + case 'B': /* load bitmap */ + + /* This is a secret undocumented option! It is speculated to be useful + if you have a baseline "boring" input file and another "interesting" + file you want to minimize. + + You can dump a binary bitmap for the boring file using + afl-showmap -b, and then load it into afl-tmin via -B. The minimizer + will then minimize to preserve only the edges that are unique to + the interesting input file, but ignoring everything from the + original map. + + The option may be extended and made more official if it proves + to be useful. */ + + if (mask_bitmap) FATAL("Multiple -B options not supported"); + mask_bitmap = ck_alloc(MAP_SIZE); + read_bitmap(optarg); + break; + + case 'V': /* Show version number */ + + /* Version number has been printed already, just quit. */ + exit(0); + + default: + + usage(argv[0]); + + } + + if (optind == argc || !in_file || !out_file) usage(argv[0]); + + setup_shm(); + setup_signal_handlers(); + + set_up_environment(); + + find_binary(argv[optind]); + detect_file_args(argv + optind); + + if (qemu_mode) + use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); + else + use_argv = argv + optind; + + exact_mode = !!getenv("AFL_TMIN_EXACT"); + + SAYF("\n"); + + read_initial_file(); + + ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...", + mem_limit, exec_tmout, edges_only ? ", edges only" : ""); + + run_target(use_argv, in_data, in_len, 1); + + if (child_timed_out) + FATAL("Target binary times out (adjusting -t may help)."); + + if (!crash_mode) { + + OKF("Program terminates normally, minimizing in " + cCYA "instrumented" cRST " mode."); + + if (!anything_set()) FATAL("No instrumentation detected."); + + } else { + + OKF("Program exits with a signal, minimizing in " cMGN "%scrash" cRST + " mode.", exact_mode ? "EXACT " : ""); + + } + + minimize(use_argv); + + ACTF("Writing output to '%s'...", out_file); + + unlink(prog_in); + prog_in = NULL; + + close(write_to_file(out_file, in_data, in_len)); + + OKF("We're done here. Have a nice day!\n"); + + exit(0); + +} + diff --git a/afl-whatsup b/afl-whatsup index a1497ed..bf1f7ca 100644 --- a/afl-whatsup +++ b/afl-whatsup @@ -1,163 +1,163 @@ -#!/bin/sh -# -# american fuzzy lop - status check tool -# -------------------------------------- -# -# Written and maintained by Michal Zalewski -# -# Copyright 2015 Google LLC All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# This tool summarizes the status of any locally-running synchronized -# instances of afl-fuzz. -# - -echo "status check tool for afl-fuzz by " -echo - -if [ "$1" = "-s" ]; then - - SUMMARY_ONLY=1 - DIR="$2" - -else - - unset SUMMARY_ONLY - DIR="$1" - -fi - -if [ "$DIR" = "" ]; then - - echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2 - echo 1>&2 - echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2 - echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2 - echo 1>&2 - exit 1 - -fi - -cd "$DIR" || exit 1 - -if [ -d queue ]; then - - echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2 - exit 1 - -fi - -CUR_TIME=`date +%s` - -TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1 - -ALIVE_CNT=0 -DEAD_CNT=0 - -TOTAL_TIME=0 -TOTAL_EXECS=0 -TOTAL_EPS=0 -TOTAL_CRASHES=0 -TOTAL_PFAV=0 -TOTAL_PENDING=0 - -if [ "$SUMMARY_ONLY" = "" ]; then - - echo "Individual fuzzers" - echo "==================" - echo - -fi - -for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do - - sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP" - . "$TMP" - - RUN_UNIX=$((CUR_TIME - start_time)) - RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24)) - RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24)) - - if [ "$SUMMARY_ONLY" = "" ]; then - - echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<" - echo - - fi - - if ! kill -0 "$fuzzer_pid" 2>/dev/null; then - - if [ "$SUMMARY_ONLY" = "" ]; then - - echo " Instance is dead or running remotely, skipping." - echo - - fi - - DEAD_CNT=$((DEAD_CNT + 1)) - continue - - fi - - ALIVE_CNT=$((ALIVE_CNT + 1)) - - EXEC_SEC=$((execs_done / RUN_UNIX)) - PATH_PERC=$((cur_path * 100 / paths_total)) - - TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX)) - TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC)) - TOTAL_EXECS=$((TOTAL_EXECS + execs_done)) - TOTAL_CRASHES=$((TOTAL_CRASHES + unique_crashes)) - TOTAL_PENDING=$((TOTAL_PENDING + pending_total)) - TOTAL_PFAV=$((TOTAL_PFAV + pending_favs)) - - if [ "$SUMMARY_ONLY" = "" ]; then - - echo " cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)" - - if [ "$unique_crashes" = "0" ]; then - echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet" - else - echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crash count $unique_crashes (!)" - fi - - echo - - fi - -done - -rm -f "$TMP" - -TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24)) -TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24)) - -test "$TOTAL_TIME" = "0" && TOTAL_TIME=1 - -echo "Summary stats" -echo "=============" -echo -echo " Fuzzers alive : $ALIVE_CNT" - -if [ ! "$DEAD_CNT" = "0" ]; then - echo " Dead or remote : $DEAD_CNT (excluded from stats)" -fi - -echo " Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours" -echo " Total execs : $((TOTAL_EXECS / 1000 / 1000)) million" -echo " Cumulative speed : $TOTAL_EPS execs/sec" -echo " Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total" - -if [ "$ALIVE_CNT" -gt "1" ]; then - echo " Pending per fuzzer : $((TOTAL_PFAV/ALIVE_CNT)) faves, $((TOTAL_PENDING/ALIVE_CNT)) total (on average)" -fi - -echo " Crashes found : $TOTAL_CRASHES locally unique" -echo - -exit 0 +#!/bin/sh +# +# american fuzzy lop - status check tool +# -------------------------------------- +# +# Written and maintained by Michal Zalewski +# +# Copyright 2015 Google LLC All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# This tool summarizes the status of any locally-running synchronized +# instances of afl-fuzz. +# + +echo "status check tool for afl-fuzz by " +echo + +if [ "$1" = "-s" ]; then + + SUMMARY_ONLY=1 + DIR="$2" + +else + + unset SUMMARY_ONLY + DIR="$1" + +fi + +if [ "$DIR" = "" ]; then + + echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2 + echo 1>&2 + echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2 + echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2 + echo 1>&2 + exit 1 + +fi + +cd "$DIR" || exit 1 + +if [ -d queue ]; then + + echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2 + exit 1 + +fi + +CUR_TIME=`date +%s` + +TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1 + +ALIVE_CNT=0 +DEAD_CNT=0 + +TOTAL_TIME=0 +TOTAL_EXECS=0 +TOTAL_EPS=0 +TOTAL_CRASHES=0 +TOTAL_PFAV=0 +TOTAL_PENDING=0 + +if [ "$SUMMARY_ONLY" = "" ]; then + + echo "Individual fuzzers" + echo "==================" + echo + +fi + +for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do + + sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP" + . "$TMP" + + RUN_UNIX=$((CUR_TIME - start_time)) + RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24)) + RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24)) + + if [ "$SUMMARY_ONLY" = "" ]; then + + echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<" + echo + + fi + + if ! kill -0 "$fuzzer_pid" 2>/dev/null; then + + if [ "$SUMMARY_ONLY" = "" ]; then + + echo " Instance is dead or running remotely, skipping." + echo + + fi + + DEAD_CNT=$((DEAD_CNT + 1)) + continue + + fi + + ALIVE_CNT=$((ALIVE_CNT + 1)) + + EXEC_SEC=$((execs_done / RUN_UNIX)) + PATH_PERC=$((cur_path * 100 / paths_total)) + + TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX)) + TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC)) + TOTAL_EXECS=$((TOTAL_EXECS + execs_done)) + TOTAL_CRASHES=$((TOTAL_CRASHES + unique_crashes)) + TOTAL_PENDING=$((TOTAL_PENDING + pending_total)) + TOTAL_PFAV=$((TOTAL_PFAV + pending_favs)) + + if [ "$SUMMARY_ONLY" = "" ]; then + + echo " cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)" + + if [ "$unique_crashes" = "0" ]; then + echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet" + else + echo " pending $pending_favs/$pending_total, coverage $bitmap_cvg, crash count $unique_crashes (!)" + fi + + echo + + fi + +done + +rm -f "$TMP" + +TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24)) +TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24)) + +test "$TOTAL_TIME" = "0" && TOTAL_TIME=1 + +echo "Summary stats" +echo "=============" +echo +echo " Fuzzers alive : $ALIVE_CNT" + +if [ ! "$DEAD_CNT" = "0" ]; then + echo " Dead or remote : $DEAD_CNT (excluded from stats)" +fi + +echo " Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours" +echo " Total execs : $((TOTAL_EXECS / 1000 / 1000)) million" +echo " Cumulative speed : $TOTAL_EPS execs/sec" +echo " Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total" + +if [ "$ALIVE_CNT" -gt "1" ]; then + echo " Pending per fuzzer : $((TOTAL_PFAV/ALIVE_CNT)) faves, $((TOTAL_PENDING/ALIVE_CNT)) total (on average)" +fi + +echo " Crashes found : $TOTAL_CRASHES locally unique" +echo + +exit 0 diff --git a/alloc-inl.h b/alloc-inl.h index 88a16e8..9a68126 100644 --- a/alloc-inl.h +++ b/alloc-inl.h @@ -1,577 +1,577 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - error-checking, memory-zeroing alloc routines - ------------------------------------------------------------------ - - Written and maintained by Michal Zalewski - - This allocator is not designed to resist malicious attackers (the canaries - are small and predictable), but provides a robust and portable way to detect - use-after-free, off-by-one writes, stale pointers, and so on. -*/ - -#ifndef _HAVE_ALLOC_INL_H -#define _HAVE_ALLOC_INL_H - -#include -#include -#include - -#include "config.h" -#include "types.h" -#include "debug.h" - -/* User-facing macro to sprintf() to a dynamically allocated buffer. */ - -#define alloc_printf(_str...) ({ \ - u8* _tmp; \ - s32 _len = snprintf(NULL, 0, _str); \ - if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ - _tmp = ck_alloc(_len + 1); \ - snprintf((char*)_tmp, _len + 1, _str); \ - _tmp; \ - }) - -/* Macro to enforce allocation limits as a last-resort defense against - integer overflows. */ - -#define ALLOC_CHECK_SIZE(_s) do { \ - if ((_s) > MAX_ALLOC) \ - ABORT("Bad alloc request: %u bytes", (_s)); \ - } while (0) - -/* Macro to check malloc() failures and the like. */ - -#define ALLOC_CHECK_RESULT(_r, _s) do { \ - if (!(_r)) \ - ABORT("Out of memory: can't allocate %u bytes", (_s)); \ - } while (0) - -/* Magic tokens used to mark used / freed chunks. */ - -#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ -#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ -#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ - -/* Positions of guard tokens in relation to the user-visible pointer. */ - -#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2]) -#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) -#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)]) - -#define ALLOC_OFF_HEAD 8 -#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) - -/* Allocator increments for ck_realloc_block(). */ - -#define ALLOC_BLK_INC 256 - -/* Sanity-checking macros for pointers. */ - -#define CHECK_PTR(_p) do { \ - if (_p) { \ - if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\ - if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ - ABORT("Use after free."); \ - else ABORT("Corrupted head alloc canary."); \ - } \ - if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ - ABORT("Corrupted tail alloc canary."); \ - } \ - } while (0) - -#define CHECK_PTR_EXPR(_p) ({ \ - typeof (_p) _tmp = (_p); \ - CHECK_PTR(_tmp); \ - _tmp; \ - }) - - -/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized - requests. */ - -static inline void* DFL_ck_alloc_nozero(u32 size) { - - void* ret; - - if (!size) return NULL; - - ALLOC_CHECK_SIZE(size); - ret = malloc(size + ALLOC_OFF_TOTAL); - ALLOC_CHECK_RESULT(ret, size); - - ret += ALLOC_OFF_HEAD; - - ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; - ALLOC_C2(ret) = ALLOC_MAGIC_C2; - - return ret; - -} - - -/* Allocate a buffer, returning zeroed memory. */ - -static inline void* DFL_ck_alloc(u32 size) { - - void* mem; - - if (!size) return NULL; - mem = DFL_ck_alloc_nozero(size); - - return memset(mem, 0, size); - -} - - -/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD - is set, the old memory will be also clobbered with 0xFF. */ - -static inline void DFL_ck_free(void* mem) { - - if (!mem) return; - - CHECK_PTR(mem); - -#ifdef DEBUG_BUILD - - /* Catch pointer issues sooner. */ - memset(mem, 0xFF, ALLOC_S(mem)); - -#endif /* DEBUG_BUILD */ - - ALLOC_C1(mem) = ALLOC_MAGIC_F; - - free(mem - ALLOC_OFF_HEAD); - -} - - -/* Re-allocate a buffer, checking for issues and zeroing any newly-added tail. - With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the - old memory is clobbered with 0xFF. */ - -static inline void* DFL_ck_realloc(void* orig, u32 size) { - - void* ret; - u32 old_size = 0; - - if (!size) { - - DFL_ck_free(orig); - return NULL; - - } - - if (orig) { - - CHECK_PTR(orig); - -#ifndef DEBUG_BUILD - ALLOC_C1(orig) = ALLOC_MAGIC_F; -#endif /* !DEBUG_BUILD */ - - old_size = ALLOC_S(orig); - orig -= ALLOC_OFF_HEAD; - - ALLOC_CHECK_SIZE(old_size); - - } - - ALLOC_CHECK_SIZE(size); - -#ifndef DEBUG_BUILD - - ret = realloc(orig, size + ALLOC_OFF_TOTAL); - ALLOC_CHECK_RESULT(ret, size); - -#else - - /* Catch pointer issues sooner: force relocation and make sure that the - original buffer is wiped. */ - - ret = malloc(size + ALLOC_OFF_TOTAL); - ALLOC_CHECK_RESULT(ret, size); - - if (orig) { - - memcpy(ret + ALLOC_OFF_HEAD, orig + ALLOC_OFF_HEAD, MIN(size, old_size)); - memset(orig + ALLOC_OFF_HEAD, 0xFF, old_size); - - ALLOC_C1(orig + ALLOC_OFF_HEAD) = ALLOC_MAGIC_F; - - free(orig); - - } - -#endif /* ^!DEBUG_BUILD */ - - ret += ALLOC_OFF_HEAD; - - ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; - ALLOC_C2(ret) = ALLOC_MAGIC_C2; - - if (size > old_size) - memset(ret + old_size, 0, size - old_size); - - return ret; - -} - - -/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up - repeated small reallocs without complicating the user code). */ - -static inline void* DFL_ck_realloc_block(void* orig, u32 size) { - -#ifndef DEBUG_BUILD - - if (orig) { - - CHECK_PTR(orig); - - if (ALLOC_S(orig) >= size) return orig; - - size += ALLOC_BLK_INC; - - } - -#endif /* !DEBUG_BUILD */ - - return DFL_ck_realloc(orig, size); - -} - - -/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */ - -static inline u8* DFL_ck_strdup(u8* str) { - - void* ret; - u32 size; - - if (!str) return NULL; - - size = strlen((char*)str) + 1; - - ALLOC_CHECK_SIZE(size); - ret = malloc(size + ALLOC_OFF_TOTAL); - ALLOC_CHECK_RESULT(ret, size); - - ret += ALLOC_OFF_HEAD; - - ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; - ALLOC_C2(ret) = ALLOC_MAGIC_C2; - - return memcpy(ret, str, size); - -} - - -/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized - or NULL inputs. */ - -static inline void* DFL_ck_memdup(void* mem, u32 size) { - - void* ret; - - if (!mem || !size) return NULL; - - ALLOC_CHECK_SIZE(size); - ret = malloc(size + ALLOC_OFF_TOTAL); - ALLOC_CHECK_RESULT(ret, size); - - ret += ALLOC_OFF_HEAD; - - ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; - ALLOC_C2(ret) = ALLOC_MAGIC_C2; - - return memcpy(ret, mem, size); - -} - - -/* Create a buffer with a block of text, appending a NUL terminator at the end. - Returns NULL for zero-sized or NULL inputs. */ - -static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { - - u8* ret; - - if (!mem || !size) return NULL; - - ALLOC_CHECK_SIZE(size); - ret = malloc(size + ALLOC_OFF_TOTAL + 1); - ALLOC_CHECK_RESULT(ret, size); - - ret += ALLOC_OFF_HEAD; - - ALLOC_C1(ret) = ALLOC_MAGIC_C1; - ALLOC_S(ret) = size; - ALLOC_C2(ret) = ALLOC_MAGIC_C2; - - memcpy(ret, mem, size); - ret[size] = 0; - - return ret; - -} - - -#ifndef DEBUG_BUILD - -/* In non-debug mode, we just do straightforward aliasing of the above functions - to user-visible names such as ck_alloc(). */ - -#define ck_alloc DFL_ck_alloc -#define ck_alloc_nozero DFL_ck_alloc_nozero -#define ck_realloc DFL_ck_realloc -#define ck_realloc_block DFL_ck_realloc_block -#define ck_strdup DFL_ck_strdup -#define ck_memdup DFL_ck_memdup -#define ck_memdup_str DFL_ck_memdup_str -#define ck_free DFL_ck_free - -#define alloc_report() - -#else - -/* In debugging mode, we also track allocations to detect memory leaks, and the - flow goes through one more layer of indirection. */ - -/* Alloc tracking data structures: */ - -#define ALLOC_BUCKETS 4096 - -struct TRK_obj { - void *ptr; - char *file, *func; - u32 line; -}; - -#ifdef AFL_MAIN - -struct TRK_obj* TRK[ALLOC_BUCKETS]; -u32 TRK_cnt[ALLOC_BUCKETS]; - -# define alloc_report() TRK_report() - -#else - -extern struct TRK_obj* TRK[ALLOC_BUCKETS]; -extern u32 TRK_cnt[ALLOC_BUCKETS]; - -# define alloc_report() - -#endif /* ^AFL_MAIN */ - -/* Bucket-assigning function for a given pointer: */ - -#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) - - -/* Add a new entry to the list of allocated objects. */ - -static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, - u32 line) { - - u32 i, bucket; - - if (!ptr) return; - - bucket = TRKH(ptr); - - /* Find a free slot in the list of entries for that bucket. */ - - for (i = 0; i < TRK_cnt[bucket]; i++) - - if (!TRK[bucket][i].ptr) { - - TRK[bucket][i].ptr = ptr; - TRK[bucket][i].file = (char*)file; - TRK[bucket][i].func = (char*)func; - TRK[bucket][i].line = line; - return; - - } - - /* No space available - allocate more. */ - - TRK[bucket] = DFL_ck_realloc_block(TRK[bucket], - (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj)); - - TRK[bucket][i].ptr = ptr; - TRK[bucket][i].file = (char*)file; - TRK[bucket][i].func = (char*)func; - TRK[bucket][i].line = line; - - TRK_cnt[bucket]++; - -} - - -/* Remove entry from the list of allocated objects. */ - -static inline void TRK_free_buf(void* ptr, const char* file, const char* func, - u32 line) { - - u32 i, bucket; - - if (!ptr) return; - - bucket = TRKH(ptr); - - /* Find the element on the list... */ - - for (i = 0; i < TRK_cnt[bucket]; i++) - - if (TRK[bucket][i].ptr == ptr) { - - TRK[bucket][i].ptr = 0; - return; - - } - - WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", - func, file, line); - -} - - -/* Do a final report on all non-deallocated objects. */ - -static inline void TRK_report(void) { - - u32 i, bucket; - - fflush(0); - - for (bucket = 0; bucket < ALLOC_BUCKETS; bucket++) - for (i = 0; i < TRK_cnt[bucket]; i++) - if (TRK[bucket][i].ptr) - WARNF("ALLOC: Memory never freed, created in %s (%s:%u)", - TRK[bucket][i].func, TRK[bucket][i].file, TRK[bucket][i].line); - -} - - -/* Simple wrappers for non-debugging functions: */ - -static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, - u32 line) { - - void* ret = DFL_ck_alloc(size); - TRK_alloc_buf(ret, file, func, line); - return ret; - -} - - -static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, - const char* func, u32 line) { - - void* ret = DFL_ck_realloc(orig, size); - TRK_free_buf(orig, file, func, line); - TRK_alloc_buf(ret, file, func, line); - return ret; - -} - - -static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file, - const char* func, u32 line) { - - void* ret = DFL_ck_realloc_block(orig, size); - TRK_free_buf(orig, file, func, line); - TRK_alloc_buf(ret, file, func, line); - return ret; - -} - - -static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, - u32 line) { - - void* ret = DFL_ck_strdup(str); - TRK_alloc_buf(ret, file, func, line); - return ret; - -} - - -static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, - const char* func, u32 line) { - - void* ret = DFL_ck_memdup(mem, size); - TRK_alloc_buf(ret, file, func, line); - return ret; - -} - - -static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, - const char* func, u32 line) { - - void* ret = DFL_ck_memdup_str(mem, size); - TRK_alloc_buf(ret, file, func, line); - return ret; - -} - - -static inline void TRK_ck_free(void* ptr, const char* file, - const char* func, u32 line) { - - TRK_free_buf(ptr, file, func, line); - DFL_ck_free(ptr); - -} - -/* Aliasing user-facing names to tracking functions: */ - -#define ck_alloc(_p1) \ - TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) - -#define ck_alloc_nozero(_p1) \ - TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) - -#define ck_realloc(_p1, _p2) \ - TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) - -#define ck_realloc_block(_p1, _p2) \ - TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) - -#define ck_strdup(_p1) \ - TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) - -#define ck_memdup(_p1, _p2) \ - TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) - -#define ck_memdup_str(_p1, _p2) \ - TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) - -#define ck_free(_p1) \ - TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) - -#endif /* ^!DEBUG_BUILD */ - -#endif /* ! _HAVE_ALLOC_INL_H */ +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - error-checking, memory-zeroing alloc routines + ------------------------------------------------------------------ + + Written and maintained by Michal Zalewski + + This allocator is not designed to resist malicious attackers (the canaries + are small and predictable), but provides a robust and portable way to detect + use-after-free, off-by-one writes, stale pointers, and so on. +*/ + +#ifndef _HAVE_ALLOC_INL_H +#define _HAVE_ALLOC_INL_H + +#include +#include +#include + +#include "config.h" +#include "types.h" +#include "debug.h" + +/* User-facing macro to sprintf() to a dynamically allocated buffer. */ + +#define alloc_printf(_str...) ({ \ + u8* _tmp; \ + s32 _len = snprintf(NULL, 0, _str); \ + if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \ + _tmp = ck_alloc(_len + 1); \ + snprintf((char*)_tmp, _len + 1, _str); \ + _tmp; \ + }) + +/* Macro to enforce allocation limits as a last-resort defense against + integer overflows. */ + +#define ALLOC_CHECK_SIZE(_s) do { \ + if ((_s) > MAX_ALLOC) \ + ABORT("Bad alloc request: %u bytes", (_s)); \ + } while (0) + +/* Macro to check malloc() failures and the like. */ + +#define ALLOC_CHECK_RESULT(_r, _s) do { \ + if (!(_r)) \ + ABORT("Out of memory: can't allocate %u bytes", (_s)); \ + } while (0) + +/* Magic tokens used to mark used / freed chunks. */ + +#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */ +#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */ +#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */ + +/* Positions of guard tokens in relation to the user-visible pointer. */ + +#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2]) +#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1]) +#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)]) + +#define ALLOC_OFF_HEAD 8 +#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1) + +/* Allocator increments for ck_realloc_block(). */ + +#define ALLOC_BLK_INC 256 + +/* Sanity-checking macros for pointers. */ + +#define CHECK_PTR(_p) do { \ + if (_p) { \ + if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\ + if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \ + ABORT("Use after free."); \ + else ABORT("Corrupted head alloc canary."); \ + } \ + if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \ + ABORT("Corrupted tail alloc canary."); \ + } \ + } while (0) + +#define CHECK_PTR_EXPR(_p) ({ \ + typeof (_p) _tmp = (_p); \ + CHECK_PTR(_tmp); \ + _tmp; \ + }) + + +/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized + requests. */ + +static inline void* DFL_ck_alloc_nozero(u32 size) { + + void* ret; + + if (!size) return NULL; + + ALLOC_CHECK_SIZE(size); + ret = malloc(size + ALLOC_OFF_TOTAL); + ALLOC_CHECK_RESULT(ret, size); + + ret += ALLOC_OFF_HEAD; + + ALLOC_C1(ret) = ALLOC_MAGIC_C1; + ALLOC_S(ret) = size; + ALLOC_C2(ret) = ALLOC_MAGIC_C2; + + return ret; + +} + + +/* Allocate a buffer, returning zeroed memory. */ + +static inline void* DFL_ck_alloc(u32 size) { + + void* mem; + + if (!size) return NULL; + mem = DFL_ck_alloc_nozero(size); + + return memset(mem, 0, size); + +} + + +/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD + is set, the old memory will be also clobbered with 0xFF. */ + +static inline void DFL_ck_free(void* mem) { + + if (!mem) return; + + CHECK_PTR(mem); + +#ifdef DEBUG_BUILD + + /* Catch pointer issues sooner. */ + memset(mem, 0xFF, ALLOC_S(mem)); + +#endif /* DEBUG_BUILD */ + + ALLOC_C1(mem) = ALLOC_MAGIC_F; + + free(mem - ALLOC_OFF_HEAD); + +} + + +/* Re-allocate a buffer, checking for issues and zeroing any newly-added tail. + With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the + old memory is clobbered with 0xFF. */ + +static inline void* DFL_ck_realloc(void* orig, u32 size) { + + void* ret; + u32 old_size = 0; + + if (!size) { + + DFL_ck_free(orig); + return NULL; + + } + + if (orig) { + + CHECK_PTR(orig); + +#ifndef DEBUG_BUILD + ALLOC_C1(orig) = ALLOC_MAGIC_F; +#endif /* !DEBUG_BUILD */ + + old_size = ALLOC_S(orig); + orig -= ALLOC_OFF_HEAD; + + ALLOC_CHECK_SIZE(old_size); + + } + + ALLOC_CHECK_SIZE(size); + +#ifndef DEBUG_BUILD + + ret = realloc(orig, size + ALLOC_OFF_TOTAL); + ALLOC_CHECK_RESULT(ret, size); + +#else + + /* Catch pointer issues sooner: force relocation and make sure that the + original buffer is wiped. */ + + ret = malloc(size + ALLOC_OFF_TOTAL); + ALLOC_CHECK_RESULT(ret, size); + + if (orig) { + + memcpy(ret + ALLOC_OFF_HEAD, orig + ALLOC_OFF_HEAD, MIN(size, old_size)); + memset(orig + ALLOC_OFF_HEAD, 0xFF, old_size); + + ALLOC_C1(orig + ALLOC_OFF_HEAD) = ALLOC_MAGIC_F; + + free(orig); + + } + +#endif /* ^!DEBUG_BUILD */ + + ret += ALLOC_OFF_HEAD; + + ALLOC_C1(ret) = ALLOC_MAGIC_C1; + ALLOC_S(ret) = size; + ALLOC_C2(ret) = ALLOC_MAGIC_C2; + + if (size > old_size) + memset(ret + old_size, 0, size - old_size); + + return ret; + +} + + +/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up + repeated small reallocs without complicating the user code). */ + +static inline void* DFL_ck_realloc_block(void* orig, u32 size) { + +#ifndef DEBUG_BUILD + + if (orig) { + + CHECK_PTR(orig); + + if (ALLOC_S(orig) >= size) return orig; + + size += ALLOC_BLK_INC; + + } + +#endif /* !DEBUG_BUILD */ + + return DFL_ck_realloc(orig, size); + +} + + +/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */ + +static inline u8* DFL_ck_strdup(u8* str) { + + void* ret; + u32 size; + + if (!str) return NULL; + + size = strlen((char*)str) + 1; + + ALLOC_CHECK_SIZE(size); + ret = malloc(size + ALLOC_OFF_TOTAL); + ALLOC_CHECK_RESULT(ret, size); + + ret += ALLOC_OFF_HEAD; + + ALLOC_C1(ret) = ALLOC_MAGIC_C1; + ALLOC_S(ret) = size; + ALLOC_C2(ret) = ALLOC_MAGIC_C2; + + return memcpy(ret, str, size); + +} + + +/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized + or NULL inputs. */ + +static inline void* DFL_ck_memdup(void* mem, u32 size) { + + void* ret; + + if (!mem || !size) return NULL; + + ALLOC_CHECK_SIZE(size); + ret = malloc(size + ALLOC_OFF_TOTAL); + ALLOC_CHECK_RESULT(ret, size); + + ret += ALLOC_OFF_HEAD; + + ALLOC_C1(ret) = ALLOC_MAGIC_C1; + ALLOC_S(ret) = size; + ALLOC_C2(ret) = ALLOC_MAGIC_C2; + + return memcpy(ret, mem, size); + +} + + +/* Create a buffer with a block of text, appending a NUL terminator at the end. + Returns NULL for zero-sized or NULL inputs. */ + +static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) { + + u8* ret; + + if (!mem || !size) return NULL; + + ALLOC_CHECK_SIZE(size); + ret = malloc(size + ALLOC_OFF_TOTAL + 1); + ALLOC_CHECK_RESULT(ret, size); + + ret += ALLOC_OFF_HEAD; + + ALLOC_C1(ret) = ALLOC_MAGIC_C1; + ALLOC_S(ret) = size; + ALLOC_C2(ret) = ALLOC_MAGIC_C2; + + memcpy(ret, mem, size); + ret[size] = 0; + + return ret; + +} + + +#ifndef DEBUG_BUILD + +/* In non-debug mode, we just do straightforward aliasing of the above functions + to user-visible names such as ck_alloc(). */ + +#define ck_alloc DFL_ck_alloc +#define ck_alloc_nozero DFL_ck_alloc_nozero +#define ck_realloc DFL_ck_realloc +#define ck_realloc_block DFL_ck_realloc_block +#define ck_strdup DFL_ck_strdup +#define ck_memdup DFL_ck_memdup +#define ck_memdup_str DFL_ck_memdup_str +#define ck_free DFL_ck_free + +#define alloc_report() + +#else + +/* In debugging mode, we also track allocations to detect memory leaks, and the + flow goes through one more layer of indirection. */ + +/* Alloc tracking data structures: */ + +#define ALLOC_BUCKETS 4096 + +struct TRK_obj { + void *ptr; + char *file, *func; + u32 line; +}; + +#ifdef AFL_MAIN + +struct TRK_obj* TRK[ALLOC_BUCKETS]; +u32 TRK_cnt[ALLOC_BUCKETS]; + +# define alloc_report() TRK_report() + +#else + +extern struct TRK_obj* TRK[ALLOC_BUCKETS]; +extern u32 TRK_cnt[ALLOC_BUCKETS]; + +# define alloc_report() + +#endif /* ^AFL_MAIN */ + +/* Bucket-assigning function for a given pointer: */ + +#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS) + + +/* Add a new entry to the list of allocated objects. */ + +static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func, + u32 line) { + + u32 i, bucket; + + if (!ptr) return; + + bucket = TRKH(ptr); + + /* Find a free slot in the list of entries for that bucket. */ + + for (i = 0; i < TRK_cnt[bucket]; i++) + + if (!TRK[bucket][i].ptr) { + + TRK[bucket][i].ptr = ptr; + TRK[bucket][i].file = (char*)file; + TRK[bucket][i].func = (char*)func; + TRK[bucket][i].line = line; + return; + + } + + /* No space available - allocate more. */ + + TRK[bucket] = DFL_ck_realloc_block(TRK[bucket], + (TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj)); + + TRK[bucket][i].ptr = ptr; + TRK[bucket][i].file = (char*)file; + TRK[bucket][i].func = (char*)func; + TRK[bucket][i].line = line; + + TRK_cnt[bucket]++; + +} + + +/* Remove entry from the list of allocated objects. */ + +static inline void TRK_free_buf(void* ptr, const char* file, const char* func, + u32 line) { + + u32 i, bucket; + + if (!ptr) return; + + bucket = TRKH(ptr); + + /* Find the element on the list... */ + + for (i = 0; i < TRK_cnt[bucket]; i++) + + if (TRK[bucket][i].ptr == ptr) { + + TRK[bucket][i].ptr = 0; + return; + + } + + WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)", + func, file, line); + +} + + +/* Do a final report on all non-deallocated objects. */ + +static inline void TRK_report(void) { + + u32 i, bucket; + + fflush(0); + + for (bucket = 0; bucket < ALLOC_BUCKETS; bucket++) + for (i = 0; i < TRK_cnt[bucket]; i++) + if (TRK[bucket][i].ptr) + WARNF("ALLOC: Memory never freed, created in %s (%s:%u)", + TRK[bucket][i].func, TRK[bucket][i].file, TRK[bucket][i].line); + +} + + +/* Simple wrappers for non-debugging functions: */ + +static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func, + u32 line) { + + void* ret = DFL_ck_alloc(size); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file, + const char* func, u32 line) { + + void* ret = DFL_ck_realloc(orig, size); + TRK_free_buf(orig, file, func, line); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file, + const char* func, u32 line) { + + void* ret = DFL_ck_realloc_block(orig, size); + TRK_free_buf(orig, file, func, line); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func, + u32 line) { + + void* ret = DFL_ck_strdup(str); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file, + const char* func, u32 line) { + + void* ret = DFL_ck_memdup(mem, size); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file, + const char* func, u32 line) { + + void* ret = DFL_ck_memdup_str(mem, size); + TRK_alloc_buf(ret, file, func, line); + return ret; + +} + + +static inline void TRK_ck_free(void* ptr, const char* file, + const char* func, u32 line) { + + TRK_free_buf(ptr, file, func, line); + DFL_ck_free(ptr); + +} + +/* Aliasing user-facing names to tracking functions: */ + +#define ck_alloc(_p1) \ + TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) + +#define ck_alloc_nozero(_p1) \ + TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__) + +#define ck_realloc(_p1, _p2) \ + TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + +#define ck_realloc_block(_p1, _p2) \ + TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + +#define ck_strdup(_p1) \ + TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__) + +#define ck_memdup(_p1, _p2) \ + TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + +#define ck_memdup_str(_p1, _p2) \ + TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__) + +#define ck_free(_p1) \ + TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__) + +#endif /* ^!DEBUG_BUILD */ + +#endif /* ! _HAVE_ALLOC_INL_H */ diff --git a/android-ashmem.h b/android-ashmem.h index 0322d69..4922904 100644 --- a/android-ashmem.h +++ b/android-ashmem.h @@ -1,82 +1,82 @@ -#ifdef __ANDROID__ -#ifndef _ANDROID_ASHMEM_H -#define _ANDROID_ASHMEM_H - -#include -#include -#include -#include -#include - -#if __ANDROID_API__ >= 26 -#define shmat bionic_shmat -#define shmctl bionic_shmctl -#define shmdt bionic_shmdt -#define shmget bionic_shmget -#endif -#include -#undef shmat -#undef shmctl -#undef shmdt -#undef shmget -#include - -#define ASHMEM_DEVICE "/dev/ashmem" - -static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { - int ret = 0; - if (__cmd == IPC_RMID) { - int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); - struct ashmem_pin pin = {0, length}; - ret = ioctl(__shmid, ASHMEM_UNPIN, &pin); - close(__shmid); - } - - return ret; -} - -static inline int shmget(key_t __key, size_t __size, int __shmflg) { - (void) __shmflg; - int fd, ret; - char ourkey[11]; - - fd = open(ASHMEM_DEVICE, O_RDWR); - if (fd < 0) - return fd; - - sprintf(ourkey, "%d", __key); - ret = ioctl(fd, ASHMEM_SET_NAME, ourkey); - if (ret < 0) - goto error; - - ret = ioctl(fd, ASHMEM_SET_SIZE, __size); - if (ret < 0) - goto error; - - return fd; - -error: - close(fd); - return ret; -} - -static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) { - (void) __shmflg; - int size; - void *ptr; - - size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); - if (size < 0) { - return NULL; - } - - ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0); - if (ptr == MAP_FAILED) { - return NULL; - } - - return ptr; -} - -#endif /* !_ANDROID_ASHMEM_H */ -#endif /* !__ANDROID__ */ +#ifdef __ANDROID__ +#ifndef _ANDROID_ASHMEM_H +#define _ANDROID_ASHMEM_H + +#include +#include +#include +#include +#include + +#if __ANDROID_API__ >= 26 +#define shmat bionic_shmat +#define shmctl bionic_shmctl +#define shmdt bionic_shmdt +#define shmget bionic_shmget +#endif +#include +#undef shmat +#undef shmctl +#undef shmdt +#undef shmget +#include + +#define ASHMEM_DEVICE "/dev/ashmem" + +static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) { + int ret = 0; + if (__cmd == IPC_RMID) { + int length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); + struct ashmem_pin pin = {0, length}; + ret = ioctl(__shmid, ASHMEM_UNPIN, &pin); + close(__shmid); + } + + return ret; +} + +static inline int shmget(key_t __key, size_t __size, int __shmflg) { + (void) __shmflg; + int fd, ret; + char ourkey[11]; + + fd = open(ASHMEM_DEVICE, O_RDWR); + if (fd < 0) + return fd; + + sprintf(ourkey, "%d", __key); + ret = ioctl(fd, ASHMEM_SET_NAME, ourkey); + if (ret < 0) + goto error; + + ret = ioctl(fd, ASHMEM_SET_SIZE, __size); + if (ret < 0) + goto error; + + return fd; + +error: + close(fd); + return ret; +} + +static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) { + (void) __shmflg; + int size; + void *ptr; + + size = ioctl(__shmid, ASHMEM_GET_SIZE, NULL); + if (size < 0) { + return NULL; + } + + ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, __shmid, 0); + if (ptr == MAP_FAILED) { + return NULL; + } + + return ptr; +} + +#endif /* !_ANDROID_ASHMEM_H */ +#endif /* !__ANDROID__ */ diff --git a/config.h b/config.h index 549b56f..46dd857 100644 --- a/config.h +++ b/config.h @@ -1,362 +1,362 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - vaguely configurable bits - ---------------------------------------------- - - Written and maintained by Michal Zalewski -*/ - -#ifndef _HAVE_CONFIG_H -#define _HAVE_CONFIG_H - -#include "types.h" - -/* Version string: */ - -#define VERSION "2.57b" - -/****************************************************** - * * - * Settings that may be of interest to power users: * - * * - ******************************************************/ - -/* Comment out to disable terminal colors (note that this makes afl-analyze - a lot less nice): */ - -#define USE_COLOR - -/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ - -#define FANCY_BOXES - -/* Default timeout for fuzzed code (milliseconds). This is the upper bound, - also used for detecting hangs; the actual value is auto-scaled: */ - -#define EXEC_TIMEOUT 1000 - -/* Timeout rounding factor when auto-scaling (milliseconds): */ - -#define EXEC_TM_ROUND 20 - -/* 64bit arch MACRO */ -#if (defined (__x86_64__) || defined (__arm64__) || defined (__aarch64__)) -#define WORD_SIZE_64 1 -#endif - -/* Default memory limit for child process (MB): */ - -#ifndef WORD_SIZE_64 -# define MEM_LIMIT 25 -#else -# define MEM_LIMIT 50 -#endif /* ^!WORD_SIZE_64 */ - -/* Default memory limit when running in QEMU mode (MB): */ - -#define MEM_LIMIT_QEMU 200 - -/* Number of calibration cycles per every new test case (and for test - cases that show variable behavior): */ - -#define CAL_CYCLES 8 -#define CAL_CYCLES_LONG 40 - -/* Number of subsequent timeouts before abandoning an input file: */ - -#define TMOUT_LIMIT 250 - -/* Maximum number of unique hangs or crashes to record: */ - -#define KEEP_UNIQUE_HANG 500 -#define KEEP_UNIQUE_CRASH 5000 - -/* Baseline number of random tweaks during a single 'havoc' stage: */ - -#define HAVOC_CYCLES 256 -#define HAVOC_CYCLES_INIT 1024 - -/* Maximum multiplier for the above (should be a power of two, beware - of 32-bit int overflows): */ - -#define HAVOC_MAX_MULT 16 - -/* Absolute minimum number of havoc cycles (after all adjustments): */ - -#define HAVOC_MIN 16 - -/* Maximum stacking for havoc-stage tweaks. The actual value is calculated - like this: - - n = random between 1 and HAVOC_STACK_POW2 - stacking = 2^n - - In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or - 128 stacked tweaks: */ - -#define HAVOC_STACK_POW2 7 - -/* Caps on block sizes for cloning and deletion operations. Each of these - ranges has a 33% probability of getting picked, except for the first - two cycles where smaller blocks are favored: */ - -#define HAVOC_BLK_SMALL 32 -#define HAVOC_BLK_MEDIUM 128 -#define HAVOC_BLK_LARGE 1500 - -/* Extra-large blocks, selected very rarely (<5% of the time): */ - -#define HAVOC_BLK_XL 32768 - -/* Probabilities of skipping non-favored entries in the queue, expressed as - percentages: */ - -#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ -#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ -#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ - -/* Splicing cycle count: */ - -#define SPLICE_CYCLES 15 - -/* Nominal per-splice havoc cycle length: */ - -#define SPLICE_HAVOC 32 - -/* Maximum offset for integer addition / subtraction stages: */ - -#define ARITH_MAX 35 - -/* Limits for the test case trimmer. The absolute minimum chunk size; and - the starting and ending divisors for chopping up the input file: */ - -#define TRIM_MIN_BYTES 4 -#define TRIM_START_STEPS 16 -#define TRIM_END_STEPS 1024 - -/* Maximum size of input file, in bytes (keep under 100MB): */ - -#define MAX_FILE (1 * 1024 * 1024) - -/* The same, for the test case minimizer: */ - -#define TMIN_MAX_FILE (10 * 1024 * 1024) - -/* Block normalization steps for afl-tmin: */ - -#define TMIN_SET_MIN_SIZE 4 -#define TMIN_SET_STEPS 128 - -/* Maximum dictionary token size (-x), in bytes: */ - -#define MAX_DICT_FILE 128 - -/* Length limits for auto-detected dictionary tokens: */ - -#define MIN_AUTO_EXTRA 3 -#define MAX_AUTO_EXTRA 32 - -/* Maximum number of user-specified dictionary tokens to use in deterministic - steps; past this point, the "extras/user" step will be still carried out, - but with proportionally lower odds: */ - -#define MAX_DET_EXTRAS 200 - -/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing - (first value), and to keep in memory as candidates. The latter should be much - higher than the former. */ - -#define USE_AUTO_EXTRAS 50 -#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) - -/* Scaling factor for the effector map used to skip some of the more - expensive deterministic steps. The actual divisor is set to - 2^EFF_MAP_SCALE2 bytes: */ - -#define EFF_MAP_SCALE2 3 - -/* Minimum input file length at which the effector logic kicks in: */ - -#define EFF_MIN_LEN 128 - -/* Maximum effector density past which everything is just fuzzed - unconditionally (%): */ - -#define EFF_MAX_PERC 90 - -/* UI refresh frequency (Hz): */ - -#define UI_TARGET_HZ 5 - -/* Fuzzer stats file and plot update intervals (sec): */ - -#define STATS_UPDATE_SEC 60 -#define PLOT_UPDATE_SEC 5 - -/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */ - -#define AVG_SMOOTHING 16 - -/* Sync interval (every n havoc cycles): */ - -#define SYNC_INTERVAL 5 - -/* Output directory reuse grace period (minutes): */ - -#define OUTPUT_GRACE 25 - -/* Uncomment to use simple file names (id_NNNNNN): */ - -// #define SIMPLE_FILES - -/* List of interesting values to use in fuzzing. */ - -#define INTERESTING_8 \ - -128, /* Overflow signed 8-bit when decremented */ \ - -1, /* */ \ - 0, /* */ \ - 1, /* */ \ - 16, /* One-off with common buffer size */ \ - 32, /* One-off with common buffer size */ \ - 64, /* One-off with common buffer size */ \ - 100, /* One-off with common buffer size */ \ - 127 /* Overflow signed 8-bit when incremented */ - -#define INTERESTING_16 \ - -32768, /* Overflow signed 16-bit when decremented */ \ - -129, /* Overflow signed 8-bit */ \ - 128, /* Overflow signed 8-bit */ \ - 255, /* Overflow unsig 8-bit when incremented */ \ - 256, /* Overflow unsig 8-bit */ \ - 512, /* One-off with common buffer size */ \ - 1000, /* One-off with common buffer size */ \ - 1024, /* One-off with common buffer size */ \ - 4096, /* One-off with common buffer size */ \ - 32767 /* Overflow signed 16-bit when incremented */ - -#define INTERESTING_32 \ - -2147483648LL, /* Overflow signed 32-bit when decremented */ \ - -100663046, /* Large negative number (endian-agnostic) */ \ - -32769, /* Overflow signed 16-bit */ \ - 32768, /* Overflow signed 16-bit */ \ - 65535, /* Overflow unsig 16-bit when incremented */ \ - 65536, /* Overflow unsig 16 bit */ \ - 100663045, /* Large positive number (endian-agnostic) */ \ - 2147483647 /* Overflow signed 32-bit when incremented */ - -/*********************************************************** - * * - * Really exotic stuff you probably don't want to touch: * - * * - ***********************************************************/ - -/* Call count interval between reseeding the libc PRNG from /dev/urandom: */ - -#define RESEED_RNG 10000 - -/* Maximum line length passed from GCC to 'as' and used for parsing - configuration files: */ - -#define MAX_LINE 8192 - -/* Environment variable used to pass SHM ID to the called program. */ - -#define SHM_ENV_VAR "__AFL_SHM_ID" - -/* Other less interesting, internal-only variables. */ - -#define CLANG_ENV_VAR "__AFL_CLANG_MODE" -#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK" -#define PERSIST_ENV_VAR "__AFL_PERSISTENT" -#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV" - -/* In-code signatures for deferred and persistent mode. */ - -#define PERSIST_SIG "##SIG_AFL_PERSISTENT##" -#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##" - -/* Distinctive bitmap signature used to indicate failed execution: */ - -#define EXEC_FAIL_SIG 0xfee1dead - -/* Distinctive exit code used to indicate MSAN trip condition: */ - -#define MSAN_ERROR 86 - -/* Designated file descriptors for forkserver commands (the application will - use FORKSRV_FD and FORKSRV_FD + 1): */ - -#define FORKSRV_FD 198 - -/* Fork server init timeout multiplier: we'll wait the user-selected - timeout plus this much for the fork server to spin up. */ - -#define FORK_WAIT_MULT 10 - -/* Calibration timeout adjustments, to be a bit more generous when resuming - fuzzing sessions or trying to calibrate already-added internal finds. - The first value is a percentage, the other is in milliseconds: */ - -#define CAL_TMOUT_PERC 125 -#define CAL_TMOUT_ADD 50 - -/* Number of chances to calibrate a case before giving up: */ - -#define CAL_CHANCES 3 - -/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than - 2; you probably want to keep it under 18 or so for performance reasons - (adjusting AFL_INST_RATIO when compiling is probably a better way to solve - problems with complex programs). You need to recompile the target binary - after changing this - otherwise, SEGVs may ensue. */ - -#define MAP_SIZE_POW2 16 -#define MAP_SIZE (1 << MAP_SIZE_POW2) - -/* Maximum allocator request size (keep well under INT_MAX): */ - -#define MAX_ALLOC 0x40000000 - -/* A made-up hashing seed: */ - -#define HASH_CONST 0xa5b35705 - -/* Constants for afl-gotcpu to control busy loop timing: */ - -#define CTEST_TARGET_MS 5000 -#define CTEST_CORE_TRG_MS 1000 -#define CTEST_BUSY_CYCLES (10 * 1000 * 1000) - -/* Uncomment this to use inferior block-coverage-based instrumentation. Note - that you need to recompile the target binary for this to have any effect: */ - -// #define COVERAGE_ONLY - -/* Uncomment this to ignore hit counts and output just one bit per tuple. - As with the previous setting, you will need to recompile the target - binary: */ - -// #define SKIP_COUNTS - -/* Uncomment this to use instrumentation data to record newly discovered paths, - but do not use them as seeds for fuzzing. This is useful for conveniently - measuring coverage that could be attained by a "dumb" fuzzing algorithm: */ - -// #define IGNORE_FINDS - -#endif /* ! _HAVE_CONFIG_H */ +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - vaguely configurable bits + ---------------------------------------------- + + Written and maintained by Michal Zalewski +*/ + +#ifndef _HAVE_CONFIG_H +#define _HAVE_CONFIG_H + +#include "types.h" + +/* Version string: */ + +#define VERSION "2.57b" + +/****************************************************** + * * + * Settings that may be of interest to power users: * + * * + ******************************************************/ + +/* Comment out to disable terminal colors (note that this makes afl-analyze + a lot less nice): */ + +#define USE_COLOR + +/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */ + +#define FANCY_BOXES + +/* Default timeout for fuzzed code (milliseconds). This is the upper bound, + also used for detecting hangs; the actual value is auto-scaled: */ + +#define EXEC_TIMEOUT 1000 + +/* Timeout rounding factor when auto-scaling (milliseconds): */ + +#define EXEC_TM_ROUND 20 + +/* 64bit arch MACRO */ +#if (defined (__x86_64__) || defined (__arm64__) || defined (__aarch64__)) +#define WORD_SIZE_64 1 +#endif + +/* Default memory limit for child process (MB): */ + +#ifndef WORD_SIZE_64 +# define MEM_LIMIT 25 +#else +# define MEM_LIMIT 50 +#endif /* ^!WORD_SIZE_64 */ + +/* Default memory limit when running in QEMU mode (MB): */ + +#define MEM_LIMIT_QEMU 200 + +/* Number of calibration cycles per every new test case (and for test + cases that show variable behavior): */ + +#define CAL_CYCLES 8 +#define CAL_CYCLES_LONG 40 + +/* Number of subsequent timeouts before abandoning an input file: */ + +#define TMOUT_LIMIT 250 + +/* Maximum number of unique hangs or crashes to record: */ + +#define KEEP_UNIQUE_HANG 500 +#define KEEP_UNIQUE_CRASH 5000 + +/* Baseline number of random tweaks during a single 'havoc' stage: */ + +#define HAVOC_CYCLES 256 +#define HAVOC_CYCLES_INIT 1024 + +/* Maximum multiplier for the above (should be a power of two, beware + of 32-bit int overflows): */ + +#define HAVOC_MAX_MULT 16 + +/* Absolute minimum number of havoc cycles (after all adjustments): */ + +#define HAVOC_MIN 16 + +/* Maximum stacking for havoc-stage tweaks. The actual value is calculated + like this: + + n = random between 1 and HAVOC_STACK_POW2 + stacking = 2^n + + In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or + 128 stacked tweaks: */ + +#define HAVOC_STACK_POW2 7 + +/* Caps on block sizes for cloning and deletion operations. Each of these + ranges has a 33% probability of getting picked, except for the first + two cycles where smaller blocks are favored: */ + +#define HAVOC_BLK_SMALL 32 +#define HAVOC_BLK_MEDIUM 128 +#define HAVOC_BLK_LARGE 1500 + +/* Extra-large blocks, selected very rarely (<5% of the time): */ + +#define HAVOC_BLK_XL 32768 + +/* Probabilities of skipping non-favored entries in the queue, expressed as + percentages: */ + +#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */ +#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */ +#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */ + +/* Splicing cycle count: */ + +#define SPLICE_CYCLES 15 + +/* Nominal per-splice havoc cycle length: */ + +#define SPLICE_HAVOC 32 + +/* Maximum offset for integer addition / subtraction stages: */ + +#define ARITH_MAX 35 + +/* Limits for the test case trimmer. The absolute minimum chunk size; and + the starting and ending divisors for chopping up the input file: */ + +#define TRIM_MIN_BYTES 4 +#define TRIM_START_STEPS 16 +#define TRIM_END_STEPS 1024 + +/* Maximum size of input file, in bytes (keep under 100MB): */ + +#define MAX_FILE (1 * 1024 * 1024) + +/* The same, for the test case minimizer: */ + +#define TMIN_MAX_FILE (10 * 1024 * 1024) + +/* Block normalization steps for afl-tmin: */ + +#define TMIN_SET_MIN_SIZE 4 +#define TMIN_SET_STEPS 128 + +/* Maximum dictionary token size (-x), in bytes: */ + +#define MAX_DICT_FILE 128 + +/* Length limits for auto-detected dictionary tokens: */ + +#define MIN_AUTO_EXTRA 3 +#define MAX_AUTO_EXTRA 32 + +/* Maximum number of user-specified dictionary tokens to use in deterministic + steps; past this point, the "extras/user" step will be still carried out, + but with proportionally lower odds: */ + +#define MAX_DET_EXTRAS 200 + +/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing + (first value), and to keep in memory as candidates. The latter should be much + higher than the former. */ + +#define USE_AUTO_EXTRAS 50 +#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10) + +/* Scaling factor for the effector map used to skip some of the more + expensive deterministic steps. The actual divisor is set to + 2^EFF_MAP_SCALE2 bytes: */ + +#define EFF_MAP_SCALE2 3 + +/* Minimum input file length at which the effector logic kicks in: */ + +#define EFF_MIN_LEN 128 + +/* Maximum effector density past which everything is just fuzzed + unconditionally (%): */ + +#define EFF_MAX_PERC 90 + +/* UI refresh frequency (Hz): */ + +#define UI_TARGET_HZ 5 + +/* Fuzzer stats file and plot update intervals (sec): */ + +#define STATS_UPDATE_SEC 60 +#define PLOT_UPDATE_SEC 5 + +/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */ + +#define AVG_SMOOTHING 16 + +/* Sync interval (every n havoc cycles): */ + +#define SYNC_INTERVAL 5 + +/* Output directory reuse grace period (minutes): */ + +#define OUTPUT_GRACE 25 + +/* Uncomment to use simple file names (id_NNNNNN): */ + +// #define SIMPLE_FILES + +/* List of interesting values to use in fuzzing. */ + +#define INTERESTING_8 \ + -128, /* Overflow signed 8-bit when decremented */ \ + -1, /* */ \ + 0, /* */ \ + 1, /* */ \ + 16, /* One-off with common buffer size */ \ + 32, /* One-off with common buffer size */ \ + 64, /* One-off with common buffer size */ \ + 100, /* One-off with common buffer size */ \ + 127 /* Overflow signed 8-bit when incremented */ + +#define INTERESTING_16 \ + -32768, /* Overflow signed 16-bit when decremented */ \ + -129, /* Overflow signed 8-bit */ \ + 128, /* Overflow signed 8-bit */ \ + 255, /* Overflow unsig 8-bit when incremented */ \ + 256, /* Overflow unsig 8-bit */ \ + 512, /* One-off with common buffer size */ \ + 1000, /* One-off with common buffer size */ \ + 1024, /* One-off with common buffer size */ \ + 4096, /* One-off with common buffer size */ \ + 32767 /* Overflow signed 16-bit when incremented */ + +#define INTERESTING_32 \ + -2147483648LL, /* Overflow signed 32-bit when decremented */ \ + -100663046, /* Large negative number (endian-agnostic) */ \ + -32769, /* Overflow signed 16-bit */ \ + 32768, /* Overflow signed 16-bit */ \ + 65535, /* Overflow unsig 16-bit when incremented */ \ + 65536, /* Overflow unsig 16 bit */ \ + 100663045, /* Large positive number (endian-agnostic) */ \ + 2147483647 /* Overflow signed 32-bit when incremented */ + +/*********************************************************** + * * + * Really exotic stuff you probably don't want to touch: * + * * + ***********************************************************/ + +/* Call count interval between reseeding the libc PRNG from /dev/urandom: */ + +#define RESEED_RNG 10000 + +/* Maximum line length passed from GCC to 'as' and used for parsing + configuration files: */ + +#define MAX_LINE 8192 + +/* Environment variable used to pass SHM ID to the called program. */ + +#define SHM_ENV_VAR "__AFL_SHM_ID" + +/* Other less interesting, internal-only variables. */ + +#define CLANG_ENV_VAR "__AFL_CLANG_MODE" +#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK" +#define PERSIST_ENV_VAR "__AFL_PERSISTENT" +#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV" + +/* In-code signatures for deferred and persistent mode. */ + +#define PERSIST_SIG "##SIG_AFL_PERSISTENT##" +#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##" + +/* Distinctive bitmap signature used to indicate failed execution: */ + +#define EXEC_FAIL_SIG 0xfee1dead + +/* Distinctive exit code used to indicate MSAN trip condition: */ + +#define MSAN_ERROR 86 + +/* Designated file descriptors for forkserver commands (the application will + use FORKSRV_FD and FORKSRV_FD + 1): */ + +#define FORKSRV_FD 198 + +/* Fork server init timeout multiplier: we'll wait the user-selected + timeout plus this much for the fork server to spin up. */ + +#define FORK_WAIT_MULT 10 + +/* Calibration timeout adjustments, to be a bit more generous when resuming + fuzzing sessions or trying to calibrate already-added internal finds. + The first value is a percentage, the other is in milliseconds: */ + +#define CAL_TMOUT_PERC 125 +#define CAL_TMOUT_ADD 50 + +/* Number of chances to calibrate a case before giving up: */ + +#define CAL_CHANCES 3 + +/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than + 2; you probably want to keep it under 18 or so for performance reasons + (adjusting AFL_INST_RATIO when compiling is probably a better way to solve + problems with complex programs). You need to recompile the target binary + after changing this - otherwise, SEGVs may ensue. */ + +#define MAP_SIZE_POW2 16 +#define MAP_SIZE (1 << MAP_SIZE_POW2) + +/* Maximum allocator request size (keep well under INT_MAX): */ + +#define MAX_ALLOC 0x40000000 + +/* A made-up hashing seed: */ + +#define HASH_CONST 0xa5b35705 + +/* Constants for afl-gotcpu to control busy loop timing: */ + +#define CTEST_TARGET_MS 5000 +#define CTEST_CORE_TRG_MS 1000 +#define CTEST_BUSY_CYCLES (10 * 1000 * 1000) + +/* Uncomment this to use inferior block-coverage-based instrumentation. Note + that you need to recompile the target binary for this to have any effect: */ + +// #define COVERAGE_ONLY + +/* Uncomment this to ignore hit counts and output just one bit per tuple. + As with the previous setting, you will need to recompile the target + binary: */ + +// #define SKIP_COUNTS + +/* Uncomment this to use instrumentation data to record newly discovered paths, + but do not use them as seeds for fuzzing. This is useful for conveniently + measuring coverage that could be attained by a "dumb" fuzzing algorithm: */ + +// #define IGNORE_FINDS + +#endif /* ! _HAVE_CONFIG_H */ diff --git a/debug.h b/debug.h index ce219a3..5f75974 100644 --- a/debug.h +++ b/debug.h @@ -1,258 +1,258 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - debug / error handling macros - -------------------------------------------------- - - Written and maintained by Michal Zalewski -*/ - -#ifndef _HAVE_DEBUG_H -#define _HAVE_DEBUG_H - -#include - -#include "types.h" -#include "config.h" - -/******************* - * Terminal colors * - *******************/ - -#ifdef USE_COLOR - -# define cBLK "\x1b[0;30m" -# define cRED "\x1b[0;31m" -# define cGRN "\x1b[0;32m" -# define cBRN "\x1b[0;33m" -# define cBLU "\x1b[0;34m" -# define cMGN "\x1b[0;35m" -# define cCYA "\x1b[0;36m" -# define cLGR "\x1b[0;37m" -# define cGRA "\x1b[1;90m" -# define cLRD "\x1b[1;91m" -# define cLGN "\x1b[1;92m" -# define cYEL "\x1b[1;93m" -# define cLBL "\x1b[1;94m" -# define cPIN "\x1b[1;95m" -# define cLCY "\x1b[1;96m" -# define cBRI "\x1b[1;97m" -# define cRST "\x1b[0m" - -# define bgBLK "\x1b[40m" -# define bgRED "\x1b[41m" -# define bgGRN "\x1b[42m" -# define bgBRN "\x1b[43m" -# define bgBLU "\x1b[44m" -# define bgMGN "\x1b[45m" -# define bgCYA "\x1b[46m" -# define bgLGR "\x1b[47m" -# define bgGRA "\x1b[100m" -# define bgLRD "\x1b[101m" -# define bgLGN "\x1b[102m" -# define bgYEL "\x1b[103m" -# define bgLBL "\x1b[104m" -# define bgPIN "\x1b[105m" -# define bgLCY "\x1b[106m" -# define bgBRI "\x1b[107m" - -#else - -# define cBLK "" -# define cRED "" -# define cGRN "" -# define cBRN "" -# define cBLU "" -# define cMGN "" -# define cCYA "" -# define cLGR "" -# define cGRA "" -# define cLRD "" -# define cLGN "" -# define cYEL "" -# define cLBL "" -# define cPIN "" -# define cLCY "" -# define cBRI "" -# define cRST "" - -# define bgBLK "" -# define bgRED "" -# define bgGRN "" -# define bgBRN "" -# define bgBLU "" -# define bgMGN "" -# define bgCYA "" -# define bgLGR "" -# define bgGRA "" -# define bgLRD "" -# define bgLGN "" -# define bgYEL "" -# define bgLBL "" -# define bgPIN "" -# define bgLCY "" -# define bgBRI "" - -#endif /* ^USE_COLOR */ - -/************************* - * Box drawing sequences * - *************************/ - -#ifdef FANCY_BOXES - -# define SET_G1 "\x1b)0" /* Set G1 for box drawing */ -# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ -# define bSTART "\x0e" /* Enter G1 drawing mode */ -# define bSTOP "\x0f" /* Leave G1 drawing mode */ -# define bH "q" /* Horizontal line */ -# define bV "x" /* Vertical line */ -# define bLT "l" /* Left top corner */ -# define bRT "k" /* Right top corner */ -# define bLB "m" /* Left bottom corner */ -# define bRB "j" /* Right bottom corner */ -# define bX "n" /* Cross */ -# define bVR "t" /* Vertical, branch right */ -# define bVL "u" /* Vertical, branch left */ -# define bHT "v" /* Horizontal, branch top */ -# define bHB "w" /* Horizontal, branch bottom */ - -#else - -# define SET_G1 "" -# define RESET_G1 "" -# define bSTART "" -# define bSTOP "" -# define bH "-" -# define bV "|" -# define bLT "+" -# define bRT "+" -# define bLB "+" -# define bRB "+" -# define bX "+" -# define bVR "+" -# define bVL "+" -# define bHT "+" -# define bHB "+" - -#endif /* ^FANCY_BOXES */ - -/*********************** - * Misc terminal codes * - ***********************/ - -#define TERM_HOME "\x1b[H" -#define TERM_CLEAR TERM_HOME "\x1b[2J" -#define cEOL "\x1b[0K" -#define CURSOR_HIDE "\x1b[?25l" -#define CURSOR_SHOW "\x1b[?25h" - -/************************ - * Debug & error macros * - ************************/ - -/* Just print stuff to the appropriate stream. */ - -#ifdef MESSAGES_TO_STDOUT -# define SAYF(x...) printf(x) -#else -# define SAYF(x...) fprintf(stderr, x) -#endif /* ^MESSAGES_TO_STDOUT */ - -/* Show a prefixed warning. */ - -#define WARNF(x...) do { \ - SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \ - SAYF(cRST "\n"); \ - } while (0) - -/* Show a prefixed "doing something" message. */ - -#define ACTF(x...) do { \ - SAYF(cLBL "[*] " cRST x); \ - SAYF(cRST "\n"); \ - } while (0) - -/* Show a prefixed "success" message. */ - -#define OKF(x...) do { \ - SAYF(cLGN "[+] " cRST x); \ - SAYF(cRST "\n"); \ - } while (0) - -/* Show a prefixed fatal error message (not used in afl). */ - -#define BADF(x...) do { \ - SAYF(cLRD "\n[-] " cRST x); \ - SAYF(cRST "\n"); \ - } while (0) - -/* Die with a verbose non-OS fatal error message. */ - -#define FATAL(x...) do { \ - SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \ - cBRI x); \ - SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \ - __FUNCTION__, __FILE__, __LINE__); \ - exit(1); \ - } while (0) - -/* Die by calling abort() to provide a core dump. */ - -#define ABORT(x...) do { \ - SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \ - cBRI x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \ - __FUNCTION__, __FILE__, __LINE__); \ - abort(); \ - } while (0) - -/* Die while also including the output of perror(). */ - -#define PFATAL(x...) do { \ - fflush(stdout); \ - SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \ - cBRI x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \ - __FUNCTION__, __FILE__, __LINE__); \ - SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ - exit(1); \ - } while (0) - -/* Die with FAULT() or PFAULT() depending on the value of res (used to - interpret different failure modes for read(), write(), etc). */ - -#define RPFATAL(res, x...) do { \ - if (res < 0) PFATAL(x); else FATAL(x); \ - } while (0) - -/* Error-checking versions of read() and write() that call RPFATAL() as - appropriate. */ - -#define ck_write(fd, buf, len, fn) do { \ - u32 _len = (len); \ - s32 _res = write(fd, buf, _len); \ - if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \ - } while (0) - -#define ck_read(fd, buf, len, fn) do { \ - u32 _len = (len); \ - s32 _res = read(fd, buf, _len); \ - if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \ - } while (0) - -#endif /* ! _HAVE_DEBUG_H */ +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - debug / error handling macros + -------------------------------------------------- + + Written and maintained by Michal Zalewski +*/ + +#ifndef _HAVE_DEBUG_H +#define _HAVE_DEBUG_H + +#include + +#include "types.h" +#include "config.h" + +/******************* + * Terminal colors * + *******************/ + +#ifdef USE_COLOR + +# define cBLK "\x1b[0;30m" +# define cRED "\x1b[0;31m" +# define cGRN "\x1b[0;32m" +# define cBRN "\x1b[0;33m" +# define cBLU "\x1b[0;34m" +# define cMGN "\x1b[0;35m" +# define cCYA "\x1b[0;36m" +# define cLGR "\x1b[0;37m" +# define cGRA "\x1b[1;90m" +# define cLRD "\x1b[1;91m" +# define cLGN "\x1b[1;92m" +# define cYEL "\x1b[1;93m" +# define cLBL "\x1b[1;94m" +# define cPIN "\x1b[1;95m" +# define cLCY "\x1b[1;96m" +# define cBRI "\x1b[1;97m" +# define cRST "\x1b[0m" + +# define bgBLK "\x1b[40m" +# define bgRED "\x1b[41m" +# define bgGRN "\x1b[42m" +# define bgBRN "\x1b[43m" +# define bgBLU "\x1b[44m" +# define bgMGN "\x1b[45m" +# define bgCYA "\x1b[46m" +# define bgLGR "\x1b[47m" +# define bgGRA "\x1b[100m" +# define bgLRD "\x1b[101m" +# define bgLGN "\x1b[102m" +# define bgYEL "\x1b[103m" +# define bgLBL "\x1b[104m" +# define bgPIN "\x1b[105m" +# define bgLCY "\x1b[106m" +# define bgBRI "\x1b[107m" + +#else + +# define cBLK "" +# define cRED "" +# define cGRN "" +# define cBRN "" +# define cBLU "" +# define cMGN "" +# define cCYA "" +# define cLGR "" +# define cGRA "" +# define cLRD "" +# define cLGN "" +# define cYEL "" +# define cLBL "" +# define cPIN "" +# define cLCY "" +# define cBRI "" +# define cRST "" + +# define bgBLK "" +# define bgRED "" +# define bgGRN "" +# define bgBRN "" +# define bgBLU "" +# define bgMGN "" +# define bgCYA "" +# define bgLGR "" +# define bgGRA "" +# define bgLRD "" +# define bgLGN "" +# define bgYEL "" +# define bgLBL "" +# define bgPIN "" +# define bgLCY "" +# define bgBRI "" + +#endif /* ^USE_COLOR */ + +/************************* + * Box drawing sequences * + *************************/ + +#ifdef FANCY_BOXES + +# define SET_G1 "\x1b)0" /* Set G1 for box drawing */ +# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */ +# define bSTART "\x0e" /* Enter G1 drawing mode */ +# define bSTOP "\x0f" /* Leave G1 drawing mode */ +# define bH "q" /* Horizontal line */ +# define bV "x" /* Vertical line */ +# define bLT "l" /* Left top corner */ +# define bRT "k" /* Right top corner */ +# define bLB "m" /* Left bottom corner */ +# define bRB "j" /* Right bottom corner */ +# define bX "n" /* Cross */ +# define bVR "t" /* Vertical, branch right */ +# define bVL "u" /* Vertical, branch left */ +# define bHT "v" /* Horizontal, branch top */ +# define bHB "w" /* Horizontal, branch bottom */ + +#else + +# define SET_G1 "" +# define RESET_G1 "" +# define bSTART "" +# define bSTOP "" +# define bH "-" +# define bV "|" +# define bLT "+" +# define bRT "+" +# define bLB "+" +# define bRB "+" +# define bX "+" +# define bVR "+" +# define bVL "+" +# define bHT "+" +# define bHB "+" + +#endif /* ^FANCY_BOXES */ + +/*********************** + * Misc terminal codes * + ***********************/ + +#define TERM_HOME "\x1b[H" +#define TERM_CLEAR TERM_HOME "\x1b[2J" +#define cEOL "\x1b[0K" +#define CURSOR_HIDE "\x1b[?25l" +#define CURSOR_SHOW "\x1b[?25h" + +/************************ + * Debug & error macros * + ************************/ + +/* Just print stuff to the appropriate stream. */ + +#ifdef MESSAGES_TO_STDOUT +# define SAYF(x...) printf(x) +#else +# define SAYF(x...) fprintf(stderr, x) +#endif /* ^MESSAGES_TO_STDOUT */ + +/* Show a prefixed warning. */ + +#define WARNF(x...) do { \ + SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \ + SAYF(cRST "\n"); \ + } while (0) + +/* Show a prefixed "doing something" message. */ + +#define ACTF(x...) do { \ + SAYF(cLBL "[*] " cRST x); \ + SAYF(cRST "\n"); \ + } while (0) + +/* Show a prefixed "success" message. */ + +#define OKF(x...) do { \ + SAYF(cLGN "[+] " cRST x); \ + SAYF(cRST "\n"); \ + } while (0) + +/* Show a prefixed fatal error message (not used in afl). */ + +#define BADF(x...) do { \ + SAYF(cLRD "\n[-] " cRST x); \ + SAYF(cRST "\n"); \ + } while (0) + +/* Die with a verbose non-OS fatal error message. */ + +#define FATAL(x...) do { \ + SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \ + cBRI x); \ + SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \ + __FUNCTION__, __FILE__, __LINE__); \ + exit(1); \ + } while (0) + +/* Die by calling abort() to provide a core dump. */ + +#define ABORT(x...) do { \ + SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \ + cBRI x); \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \ + __FUNCTION__, __FILE__, __LINE__); \ + abort(); \ + } while (0) + +/* Die while also including the output of perror(). */ + +#define PFATAL(x...) do { \ + fflush(stdout); \ + SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \ + cBRI x); \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \ + __FUNCTION__, __FILE__, __LINE__); \ + SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ + exit(1); \ + } while (0) + +/* Die with FAULT() or PFAULT() depending on the value of res (used to + interpret different failure modes for read(), write(), etc). */ + +#define RPFATAL(res, x...) do { \ + if (res < 0) PFATAL(x); else FATAL(x); \ + } while (0) + +/* Error-checking versions of read() and write() that call RPFATAL() as + appropriate. */ + +#define ck_write(fd, buf, len, fn) do { \ + u32 _len = (len); \ + s32 _res = write(fd, buf, _len); \ + if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \ + } while (0) + +#define ck_read(fd, buf, len, fn) do { \ + u32 _len = (len); \ + s32 _res = read(fd, buf, _len); \ + if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \ + } while (0) + +#endif /* ! _HAVE_DEBUG_H */ diff --git a/hash.h b/hash.h index 5429f0d..e17fc8f 100644 --- a/hash.h +++ b/hash.h @@ -1,111 +1,111 @@ -/* - Copyright 2016 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -/* - american fuzzy lop - hashing function - ------------------------------------- - - The hash32() function is a variant of MurmurHash3, a good - non-cryptosafe hashing function developed by Austin Appleby. - - For simplicity, this variant does *NOT* accept buffer lengths - that are not divisible by 8 bytes. The 32-bit version is otherwise - similar to the original; the 64-bit one is a custom hack with - mostly-unproven properties. - - Austin's original code is public domain. - - Other code written and maintained by Michal Zalewski -*/ - -#ifndef _HAVE_HASH_H -#define _HAVE_HASH_H - -#include "types.h" - -#ifdef __x86_64__ - -#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) - -static inline u32 hash32(const void* key, u32 len, u32 seed) { - - const u64* data = (u64*)key; - u64 h1 = seed ^ len; - - len >>= 3; - - while (len--) { - - u64 k1 = *data++; - - k1 *= 0x87c37b91114253d5ULL; - k1 = ROL64(k1, 31); - k1 *= 0x4cf5ad432745937fULL; - - h1 ^= k1; - h1 = ROL64(h1, 27); - h1 = h1 * 5 + 0x52dce729; - - } - - h1 ^= h1 >> 33; - h1 *= 0xff51afd7ed558ccdULL; - h1 ^= h1 >> 33; - h1 *= 0xc4ceb9fe1a85ec53ULL; - h1 ^= h1 >> 33; - - return h1; - -} - -#else - -#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) - -static inline u32 hash32(const void* key, u32 len, u32 seed) { - - const u32* data = (u32*)key; - u32 h1 = seed ^ len; - - len >>= 2; - - while (len--) { - - u32 k1 = *data++; - - k1 *= 0xcc9e2d51; - k1 = ROL32(k1, 15); - k1 *= 0x1b873593; - - h1 ^= k1; - h1 = ROL32(h1, 13); - h1 = h1 * 5 + 0xe6546b64; - - } - - h1 ^= h1 >> 16; - h1 *= 0x85ebca6b; - h1 ^= h1 >> 13; - h1 *= 0xc2b2ae35; - h1 ^= h1 >> 16; - - return h1; - -} - -#endif /* ^__x86_64__ */ - -#endif /* !_HAVE_HASH_H */ +/* + Copyright 2016 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - hashing function + ------------------------------------- + + The hash32() function is a variant of MurmurHash3, a good + non-cryptosafe hashing function developed by Austin Appleby. + + For simplicity, this variant does *NOT* accept buffer lengths + that are not divisible by 8 bytes. The 32-bit version is otherwise + similar to the original; the 64-bit one is a custom hack with + mostly-unproven properties. + + Austin's original code is public domain. + + Other code written and maintained by Michal Zalewski +*/ + +#ifndef _HAVE_HASH_H +#define _HAVE_HASH_H + +#include "types.h" + +#ifdef __x86_64__ + +#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r)))) + +static inline u32 hash32(const void* key, u32 len, u32 seed) { + + const u64* data = (u64*)key; + u64 h1 = seed ^ len; + + len >>= 3; + + while (len--) { + + u64 k1 = *data++; + + k1 *= 0x87c37b91114253d5ULL; + k1 = ROL64(k1, 31); + k1 *= 0x4cf5ad432745937fULL; + + h1 ^= k1; + h1 = ROL64(h1, 27); + h1 = h1 * 5 + 0x52dce729; + + } + + h1 ^= h1 >> 33; + h1 *= 0xff51afd7ed558ccdULL; + h1 ^= h1 >> 33; + h1 *= 0xc4ceb9fe1a85ec53ULL; + h1 ^= h1 >> 33; + + return h1; + +} + +#else + +#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r)))) + +static inline u32 hash32(const void* key, u32 len, u32 seed) { + + const u32* data = (u32*)key; + u32 h1 = seed ^ len; + + len >>= 2; + + while (len--) { + + u32 k1 = *data++; + + k1 *= 0xcc9e2d51; + k1 = ROL32(k1, 15); + k1 *= 0x1b873593; + + h1 ^= k1; + h1 = ROL32(h1, 13); + h1 = h1 * 5 + 0xe6546b64; + + } + + h1 ^= h1 >> 16; + h1 *= 0x85ebca6b; + h1 ^= h1 >> 13; + h1 *= 0xc2b2ae35; + h1 ^= h1 >> 16; + + return h1; + +} + +#endif /* ^__x86_64__ */ + +#endif /* !_HAVE_HASH_H */ diff --git a/test-instr.c b/test-instr.c index de4e1fe..68fe141 100644 --- a/test-instr.c +++ b/test-instr.c @@ -1,45 +1,45 @@ -/* - Copyright 2014 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - - -/* - american fuzzy lop - a trivial program to test the build - -------------------------------------------------------- - - Written and maintained by Michal Zalewski -*/ - -#include -#include -#include - -int main(int argc, char** argv) { - - char buf[8]; - - if (read(0, buf, 8) < 1) { - printf("Hum?\n"); - exit(1); - } - - if (buf[0] == '0') - printf("Looks like a zero to me!\n"); - else - printf("A non-zero value? How quaint!\n"); - - exit(0); - -} +/* + Copyright 2014 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + + +/* + american fuzzy lop - a trivial program to test the build + -------------------------------------------------------- + + Written and maintained by Michal Zalewski +*/ + +#include +#include +#include + +int main(int argc, char** argv) { + + char buf[8]; + + if (read(0, buf, 8) < 1) { + printf("Hum?\n"); + exit(1); + } + + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else + printf("A non-zero value? How quaint!\n"); + + exit(0); + +} diff --git a/test-libfuzzer-target.c b/test-libfuzzer-target.c index 3d950da..c021406 100644 --- a/test-libfuzzer-target.c +++ b/test-libfuzzer-target.c @@ -1,41 +1,41 @@ -/* - Copyright 2019 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - - -/* - american fuzzy lop - a trivial program to test libFuzzer target fuzzing. - ------------------------------------------------------------------------ - - Initially written and maintained by Michal Zalewski. -*/ - -#include -#include -#include - -// TODO(metzman): Create a test/ directory to store this and other similar -// files. -int LLVMFuzzerTestOneInput(uint8_t* buf, size_t size) { - if (size < 2) - return 0; - - if (buf[0] == '0') - printf("Looks like a zero to me!\n"); - else - printf("A non-zero value? How quaint!\n"); - - return 0; -} +/* + Copyright 2019 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + + +/* + american fuzzy lop - a trivial program to test libFuzzer target fuzzing. + ------------------------------------------------------------------------ + + Initially written and maintained by Michal Zalewski. +*/ + +#include +#include +#include + +// TODO(metzman): Create a test/ directory to store this and other similar +// files. +int LLVMFuzzerTestOneInput(uint8_t* buf, size_t size) { + if (size < 2) + return 0; + + if (buf[0] == '0') + printf("Looks like a zero to me!\n"); + else + printf("A non-zero value? How quaint!\n"); + + return 0; +} diff --git a/types.h b/types.h index 056e750..f4a5716 100644 --- a/types.h +++ b/types.h @@ -1,94 +1,94 @@ -/* - Copyright 2013 Google LLC All rights reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - - -/* - american fuzzy lop - type definitions and minor macros - ------------------------------------------------------ - - Written and maintained by Michal Zalewski -*/ - -#ifndef _HAVE_TYPES_H -#define _HAVE_TYPES_H - -#include -#include - -typedef uint8_t u8; -typedef uint16_t u16; -typedef uint32_t u32; - -/* - - Ugh. There is an unintended compiler / glibc #include glitch caused by - combining the u64 type an %llu in format strings, necessitating a workaround. - - In essence, the compiler is always looking for 'unsigned long long' for %llu. - On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to - 'unsigned long long' in , so everything checks out. - - But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'. - Now, it only happens in circumstances where the type happens to have the - expected bit width, *but* the compiler does not know that... and complains - about 'unsigned long' being unsafe to pass to %llu. - - */ - -#ifdef __x86_64__ -typedef unsigned long long u64; -#else -typedef uint64_t u64; -#endif /* ^__x86_64__ */ - -typedef int8_t s8; -typedef int16_t s16; -typedef int32_t s32; -typedef int64_t s64; - -#ifndef MIN -# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a)) -# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b)) -#endif /* !MIN */ - -#define SWAP16(_x) ({ \ - u16 _ret = (_x); \ - (u16)((_ret << 8) | (_ret >> 8)); \ - }) - -#define SWAP32(_x) ({ \ - u32 _ret = (_x); \ - (u32)((_ret << 24) | (_ret >> 24) | \ - ((_ret << 8) & 0x00FF0000) | \ - ((_ret >> 8) & 0x0000FF00)); \ - }) - -#ifdef AFL_LLVM_PASS -# define AFL_R(x) (random() % (x)) -#else -# define R(x) (random() % (x)) -#endif /* ^AFL_LLVM_PASS */ - -#define STRINGIFY_INTERNAL(x) #x -#define STRINGIFY(x) STRINGIFY_INTERNAL(x) - -#define MEM_BARRIER() \ - __asm__ volatile("" ::: "memory") - -#define likely(_x) __builtin_expect(!!(_x), 1) -#define unlikely(_x) __builtin_expect(!!(_x), 0) - -#endif /* ! _HAVE_TYPES_H */ +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + + +/* + american fuzzy lop - type definitions and minor macros + ------------------------------------------------------ + + Written and maintained by Michal Zalewski +*/ + +#ifndef _HAVE_TYPES_H +#define _HAVE_TYPES_H + +#include +#include + +typedef uint8_t u8; +typedef uint16_t u16; +typedef uint32_t u32; + +/* + + Ugh. There is an unintended compiler / glibc #include glitch caused by + combining the u64 type an %llu in format strings, necessitating a workaround. + + In essence, the compiler is always looking for 'unsigned long long' for %llu. + On 32-bit systems, the u64 type (aliased to uint64_t) is expanded to + 'unsigned long long' in , so everything checks out. + + But on 64-bit systems, it is #ifdef'ed in the same file as 'unsigned long'. + Now, it only happens in circumstances where the type happens to have the + expected bit width, *but* the compiler does not know that... and complains + about 'unsigned long' being unsafe to pass to %llu. + + */ + +#ifdef __x86_64__ +typedef unsigned long long u64; +#else +typedef uint64_t u64; +#endif /* ^__x86_64__ */ + +typedef int8_t s8; +typedef int16_t s16; +typedef int32_t s32; +typedef int64_t s64; + +#ifndef MIN +# define MIN(_a,_b) ((_a) > (_b) ? (_b) : (_a)) +# define MAX(_a,_b) ((_a) > (_b) ? (_a) : (_b)) +#endif /* !MIN */ + +#define SWAP16(_x) ({ \ + u16 _ret = (_x); \ + (u16)((_ret << 8) | (_ret >> 8)); \ + }) + +#define SWAP32(_x) ({ \ + u32 _ret = (_x); \ + (u32)((_ret << 24) | (_ret >> 24) | \ + ((_ret << 8) & 0x00FF0000) | \ + ((_ret >> 8) & 0x0000FF00)); \ + }) + +#ifdef AFL_LLVM_PASS +# define AFL_R(x) (random() % (x)) +#else +# define R(x) (random() % (x)) +#endif /* ^AFL_LLVM_PASS */ + +#define STRINGIFY_INTERNAL(x) #x +#define STRINGIFY(x) STRINGIFY_INTERNAL(x) + +#define MEM_BARRIER() \ + __asm__ volatile("" ::: "memory") + +#define likely(_x) __builtin_expect(!!(_x), 1) +#define unlikely(_x) __builtin_expect(!!(_x), 0) + +#endif /* ! _HAVE_TYPES_H */ -- 2.34.1 From 65b14554f7010fd14d3fe6a12b47feddfa789221 Mon Sep 17 00:00:00 2001 From: dongloong <1909842837@qq.com> Date: Mon, 21 Oct 2024 16:25:06 +0800 Subject: [PATCH 2/6] =?UTF-8?q?=E5=88=98=E6=98=8A=E5=86=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- afl-fuzz.c | 1064 +++++++++++++++++++++++----------------------------- 1 file changed, 459 insertions(+), 605 deletions(-) diff --git a/afl-fuzz.c b/afl-fuzz.c index 46a216c..7fd40d8 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -67,6 +67,7 @@ #include #include +/*检查编译环境是否定义了__APPLE__、__FreeBSD__或__OpenBSD__宏,这些宏分别代表苹果的macOS系统、FreeBSD操作系统和OpenBSD操作系统*/ #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) # include #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ @@ -74,6 +75,7 @@ /* For systems that have sched_setaffinity; right now just Linux, but one can hope... */ +/*检查是否定义了__linux__宏,这个宏通常在编译Linux系统下的代码时被编译器定义*/ #ifdef __linux__ # define HAVE_AFFINITY 1 #endif /* __linux__ */ @@ -81,6 +83,8 @@ /* A toggle to export some variables when building as a library. Not very useful for the general public. */ +/*如果代码中定义了AFL_LIB宏,那么EXP_ST宏被定义为一个空的宏,可以作为布尔标志使用。 + 如果代码中没有定义AFL_LIB宏,那么EXP_ST宏被定义为static,用于限制作用域。*/ #ifdef AFL_LIB # define EXP_ST #else @@ -91,211 +95,211 @@ really makes no sense to haul them around as function parameters. */ -EXP_ST u8 *in_dir, /* Input directory with test cases */ - *out_file, /* File to fuzz, if any */ - *out_dir, /* Working & output directory */ - *sync_dir, /* Synchronization directory */ - *sync_id, /* Fuzzer ID */ - *use_banner, /* Display banner */ - *in_bitmap, /* Input bitmap */ - *doc_path, /* Path to documentation dir */ - *target_path, /* Path to target binary */ - *orig_cmdline; /* Original command line */ - -EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */ -static u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */ - -EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */ - -EXP_ST u32 cpu_to_bind = 0; /* id of free CPU core to bind */ - -static u32 stats_update_freq = 1; /* Stats update frequency (execs) */ - -EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ - use_splicing, /* Recombine input files? */ - dumb_mode, /* Run in non-instrumented mode? */ - score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ - resuming_fuzz, /* Resuming an older fuzzing job? */ - timeout_given, /* Specific timeout given? */ - cpu_to_bind_given, /* Specified cpu_to_bind given? */ - not_on_tty, /* stdout is not a tty */ - term_too_small, /* terminal dimensions too small */ - uses_asan, /* Target uses ASAN? */ - no_forkserver, /* Disable forkserver? */ - crash_mode, /* Crash mode! Yeah! */ - in_place_resume, /* Attempt in-place resume? */ - auto_changed, /* Auto-generated tokens changed? */ - no_cpu_meter_red, /* Feng shui on the status screen */ - no_arith, /* Skip most arithmetic ops */ - shuffle_queue, /* Shuffle input queue? */ - bitmap_changed = 1, /* Time to update bitmap? */ - qemu_mode, /* Running in QEMU mode? */ - skip_requested, /* Skip request, via SIGUSR1 */ - run_over10m, /* Run time over 10 minutes? */ - persistent_mode, /* Running in persistent mode? */ - deferred_mode, /* Deferred forkserver mode? */ - fast_cal; /* Try to calibrate faster? */ - -static s32 out_fd, /* Persistent fd for out_file */ - dev_urandom_fd = -1, /* Persistent fd for /dev/urandom */ - dev_null_fd = -1, /* Persistent fd for /dev/null */ - fsrv_ctl_fd, /* Fork server control pipe (write) */ - fsrv_st_fd; /* Fork server status pipe (read) */ - -static s32 forksrv_pid, /* PID of the fork server */ - child_pid = -1, /* PID of the fuzzed program */ - out_dir_fd = -1; /* FD of the lock file */ - -EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */ - -EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ - -static u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ - -static s32 shm_id; /* ID of the SHM region */ - -static volatile u8 stop_soon, /* Ctrl-C pressed? */ - clear_screen = 1, /* Window resized? */ - child_timed_out; /* Traced process timed out? */ - -EXP_ST u32 queued_paths, /* Total number of queued testcases */ - queued_variable, /* Testcases with variable behavior */ - queued_at_start, /* Total number of initial inputs */ - queued_discovered, /* Items discovered during this run */ - queued_imported, /* Items imported via -S */ - queued_favored, /* Paths deemed favorable */ - queued_with_cov, /* Paths with new coverage bytes */ - pending_not_fuzzed, /* Queued but not done yet */ - pending_favored, /* Pending favored paths */ - cur_skipped_paths, /* Abandoned inputs in cur cycle */ - cur_depth, /* Current path depth */ - max_depth, /* Max path depth */ - useless_at_start, /* Number of useless starting paths */ - var_byte_count, /* Bitmap bytes with var behavior */ - current_entry, /* Current queue entry ID */ - havoc_div = 1; /* Cycle count divisor for havoc */ - -EXP_ST u64 total_crashes, /* Total number of crashes */ - unique_crashes, /* Crashes with unique signatures */ - total_tmouts, /* Total number of timeouts */ - unique_tmouts, /* Timeouts with unique signatures */ - unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ - slowest_exec_ms, /* Slowest testcase non hang in ms */ - start_time, /* Unix start time (ms) */ - last_path_time, /* Time for most recent path (ms) */ - last_crash_time, /* Time for most recent crash (ms) */ - last_hang_time, /* Time for most recent hang (ms) */ - last_crash_execs, /* Exec counter at last crash */ - queue_cycle, /* Queue round counter */ - cycles_wo_finds, /* Cycles without any new paths */ - trim_execs, /* Execs done to trim input files */ - bytes_trim_in, /* Bytes coming into the trimmer */ - bytes_trim_out, /* Bytes coming outa the trimmer */ - blocks_eff_total, /* Blocks subject to effector maps */ - blocks_eff_select; /* Blocks selected as fuzzable */ - -static u32 subseq_tmouts; /* Number of timeouts in a row */ - -static u8 *stage_name = "init", /* Name of the current fuzz stage */ - *stage_short, /* Short stage name */ - *syncing_party; /* Currently syncing with... */ - -static s32 stage_cur, stage_max; /* Stage progression */ -static s32 splicing_with = -1; /* Splicing with which test case? */ - -static u32 master_id, master_max; /* Master instance job splitting */ - -static u32 syncing_case; /* Syncing with case #... */ - -static s32 stage_cur_byte, /* Byte offset of current stage op */ - stage_cur_val; /* Value used for stage op */ - -static u8 stage_val_type; /* Value type (STAGE_VAL_*) */ - -static u64 stage_finds[32], /* Patterns found per fuzz stage */ - stage_cycles[32]; /* Execs per fuzz stage */ - -static u32 rand_cnt; /* Random number counter */ - -static u64 total_cal_us, /* Total calibration time (us) */ - total_cal_cycles; /* Total calibration cycles */ - -static u64 total_bitmap_size, /* Total bit count for all bitmaps */ - total_bitmap_entries; /* Number of bitmaps counted */ - -static s32 cpu_core_count; /* CPU core count */ +EXP_ST u8 *in_dir, /* 包含测试用例的输入目录 */ + *out_file, /* 要模糊测试的文件(如果有的话) */ + *out_dir, /* 工作和输出目录 */ + *sync_dir, /* 同步目录 */ + *sync_id, /* 模糊测试器标识符 */ + *use_banner, /* 显示横幅 */ + *in_bitmap, /* 输入位图 */ + *doc_path, /* 文档目录的路径 */ + *target_path, /* 目标二进制文件路径 */ + *orig_cmdline; /* 原始命令行 */ + +EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* 可配置的执行超时 (ms) */ +static u32 hang_tmout = EXEC_TIMEOUT; /* 用于挂起的超时时间 (ms) */ + +EXP_ST u64 mem_limit = MEM_LIMIT; /* 子进程的内存限制 (MB) */ + +EXP_ST u32 cpu_to_bind = 0; /* 待绑定的空闲CPU核id */ + +static u32 stats_update_freq = 1; /* 统计更新频率 (执行次数)*/ + +EXP_ST u8 skip_deterministic, /* 跳过确定性阶段? */ + force_deterministic, /* 强制执行确定性阶段? */ + use_splicing, /* 重组输入文件? */ + dumb_mode, /* 在非插桩模式下运行? */ + score_changed, /* 收藏项的评分改变了? */ + kill_signal, /* 导致子进程退出的信号 */ + resuming_fuzz, /* 恢复旧的模糊测试工作? */ + timeout_given, /* 给出了特定的超时时间? */ + cpu_to_bind_given, /* 指定了cpu_to_bind? */ + not_on_tty, /* 标准输出不是tty */ + term_too_small, /* 终端尺寸太小 */ + uses_asan, /* 目标使用ASAN? */ + no_forkserver, /* 禁用forkserver? */ + crash_mode, /* 崩溃模式!耶! */ + in_place_resume, /* 尝试就地恢复? */ + auto_changed, /* 自动生成的令牌改变了? */ + no_cpu_meter_red, /* 状态屏幕上的风水 */ + no_arith, /* 跳过大多数算术操作 */ + shuffle_queue, /* 打乱输入队列? */ + bitmap_changed = 1, /* 更新位图的时间? */ + qemu_mode, /* 在QEMU模式下运行? */ + skip_requested, /* 通过SIGUSR1跳过请求 */ + run_over10m, /* 运行时间超过10分钟? */ + persistent_mode, /* 在持久模式下运行? */ + deferred_mode, /* 延迟forkserver模式? */ + fast_cal; /* 尝试更快地校准? */ + +static s32 out_fd, /* 用于out_file的持久文件描述符 */ + dev_urandom_fd = -1, /* 用于/dev/urandom的持久文件描述符 */ + dev_null_fd = -1, /* 用于/dev/null的持久文件描述符 */ + fsrv_ctl_fd, /* fork服务器控制管道(写入) */ + fsrv_st_fd; /* fork服务器状态管道(读取) */ + +static s32 forksrv_pid, /* fork服务器的进程ID */ + child_pid = -1, /* 被模糊测试的程序的进程ID */ + out_dir_fd = -1; /* 锁定文件的文件描述符 */ + +EXP_ST u8* trace_bits; /* 与插桩位图共享的共享内存 */ + +EXP_ST u8 virgin_bits[MAP_SIZE], /* 尚未被模糊测试触及的区域 */ + virgin_tmout[MAP_SIZE], /* 我们在超时中尚未见过的位 */ + virgin_crash[MAP_SIZE]; /* 我们在崩溃中尚未见过的位 */ + +static u8 var_bytes[MAP_SIZE]; /* 看起来是可变的字节 */ + +static s32 shm_id; /* 共享内存区域的ID */ + +static volatile u8 stop_soon, /* Ctrl-C 被按下了吗? */ + clear_screen = 1, /* 窗口被调整大小了吗? */ + child_timed_out; /* 被追踪的进程超时了吗? */ + +EXP_ST u32 queued_paths, /* 排队的测试用例总数 */ + queued_variable, /* 具有可变行为的测试用例 */ + queued_at_start, /* 初始输入的总数 */ + queued_discovered, /* 在此运行期间发现的项目 */ + queued_imported, /* 通过-S导入的项目 */ + queued_favored, /* 被认为有利的路径 */ + queued_with_cov, /* 有新的覆盖字节的路径 */ + pending_not_fuzzed, /* 已排队但尚未完成 */ + pending_favored, /* 等待中的优先路径 */ + cur_skipped_paths, /* 当前周期中放弃的输入 */ + cur_depth, /* 当前路径深度 */ + max_depth, /* 最大路径深度 */ + useless_at_start, /* 无用的起始路径数量 */ + var_byte_count, /* 具有可变行为的位图字节 */ + current_entry, /* 当前队列条目ID */ + havoc_div = 1; /* 对havoc的循环计数除数 */ + +EXP_ST u64 total_crashes, /* 崩溃总数 */ + unique_crashes, /* 具有唯一签名的崩溃 */ + total_tmouts, /* 超时总数 */ + unique_tmouts, /* 具有唯一签名的超时 */ + unique_hangs, /* 具有唯一签名的挂起 */ + total_execs, /* 总的execve()调用次数 */ + slowest_exec_ms, /* 最慢的测试用例非挂起时间(ms) */ + start_time, /* Unix开始时间(ms) */ + last_path_time, /* 最近路径的时间(ms) */ + last_crash_time, /* 最近崩溃的时间(ms) */ + last_hang_time, /* 最近挂起的时间(ms) */ + last_crash_execs, /* 上次崩溃时的执行计数器 */ + queue_cycle, /* 队列循环计数器 */ + cycles_wo_finds, /* 没有发现新路径的周期数 */ + trim_execs, /* 用于修剪输入文件的执行次数 */ + bytes_trim_in, /* 进入修剪器的字节 */ + bytes_trim_out, /* 从修剪器出来的字节 */ + blocks_eff_total, /* 受效应器映射影响的块 */ + blocks_eff_select; /* 被选为可模糊化的块 */ + +static u32 subseq_tmouts; /* 连续超时的次数 */ + +static u8 *stage_name = "init", /* 当前模糊测试阶段的名称 */ + *stage_short, /* 简短的阶段名称 */ + *syncing_party; /* 当前正在同步的... */ + +static s32 stage_cur, stage_max; /* 阶段进度 */ +static s32 splicing_with = -1; /* 与哪个测试用例混合? */ + +static u32 master_id, master_max; /* 主实例工作分割 */ + +static u32 syncing_case; /* 与案例#...同步 */ + +static s32 stage_cur_byte, /* 当前阶段操作的字节偏移量 */ + stage_cur_val; /* 用于阶段操作的值 */ + +static u8 stage_val_type; /* 值类型(STAGE_VAL_*) */ + +static u64 stage_finds[32], /* 每个模糊测试阶段发现的模式 */ + stage_cycles[32]; /* 每个模糊测试阶段的执行次数 */ + +static u32 rand_cnt; /* 随机数计数器 */ + +static u64 total_cal_us, /* 总校准时间(微秒) */ + total_cal_cycles; /* 总校准周期 */ + +static u64 total_bitmap_size, /* 所有位图的总位数 */ + total_bitmap_entries; /* 计算的位图数量 */ + +static s32 cpu_core_count; /* CPU核心数 */ #ifdef HAVE_AFFINITY -static s32 cpu_aff = -1; /* Selected CPU core */ +static s32 cpu_aff = -1; /* 选择的CPU核心 */ #endif /* HAVE_AFFINITY */ -static FILE* plot_file; /* Gnuplot output file */ +static FILE* plot_file; /* Gnuplot输出文件 */ struct queue_entry { + + u8* fname; /* 测试用例的文件名 */ + u32 len; /* 输入长度 */ - u8* fname; /* File name for the test case */ - u32 len; /* Input length */ - - u8 cal_failed, /* Calibration failed? */ - trim_done, /* Trimmed? */ - was_fuzzed, /* Had any fuzzing done yet? */ - passed_det, /* Deterministic stages passed? */ - has_new_cov, /* Triggers new coverage? */ - var_behavior, /* Variable behavior? */ - favored, /* Currently favored? */ - fs_redundant; /* Marked as redundant in the fs? */ + u8 cal_failed, /* 校准失败? */ + trim_done, /* 修剪完成? */ + was_fuzzed, /* 之前进行过模糊测试吗? */ + passed_det, /* 通过了确定性阶段吗? */ + has_new_cov, /* 触发了新的代码覆盖吗? */ + var_behavior, /* 表现出可变行为吗? */ + favored, /* 当前是否被优先考虑? */ + fs_redundant; /* 在文件系统中被标记为冗余了吗? */ - u32 bitmap_size, /* Number of bits set in bitmap */ - exec_cksum; /* Checksum of the execution trace */ + u32 bitmap_size, /* 位图中设置的位数 */ + exec_cksum; /* 执行轨迹的校验和 */ - u64 exec_us, /* Execution time (us) */ - handicap, /* Number of queue cycles behind */ - depth; /* Path depth */ + u64 exec_us, /* 执行时间(微秒) */ + handicap, /* 在队列中的落后周期数 */ + depth; /* 路径深度 */ - u8* trace_mini; /* Trace bytes, if kept */ - u32 tc_ref; /* Trace bytes ref count */ + u8* trace_mini; /* 如果保留,执行轨迹的字节 */ + u32 tc_ref; /* 执行轨迹字节的引用计数 */ - struct queue_entry *next, /* Next element, if any */ - *next_100; /* 100 elements ahead */ + struct queue_entry *next, /* 下一个元素,如果有的话 */ + *next_100; /* 100个元素之后的元素 */ }; -static struct queue_entry *queue, /* Fuzzing queue (linked list) */ - *queue_cur, /* Current offset within the queue */ - *queue_top, /* Top of the list */ - *q_prev100; /* Previous 100 marker */ +static struct queue_entry *queue, /* 模糊测试队列(链表) */ + *queue_cur, /* 队列中的当前偏移量 */ + *queue_top, /* 列表的顶部 */ + *q_prev100; /* 上一个100个标记 */ static struct queue_entry* - top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + top_rated[MAP_SIZE]; /* 位图字节的顶级条目 */ struct extra_data { - u8* data; /* Dictionary token data */ - u32 len; /* Dictionary token length */ - u32 hit_cnt; /* Use count in the corpus */ + u8* data; /* 词典令牌数据 */ + u32 len; /* 词典令牌长度 */ + u32 hit_cnt; /* 在语料库中的使用次数 */ }; -static struct extra_data* extras; /* Extra tokens to fuzz with */ -static u32 extras_cnt; /* Total number of tokens read */ +static struct extra_data* extras; /* 用于模糊测试的额外令牌 */ +static u32 extras_cnt; /* 读取的令牌总数 */ -static struct extra_data* a_extras; /* Automatically selected extras */ -static u32 a_extras_cnt; /* Total number of tokens available */ +static struct extra_data* a_extras; /* 自动选择的额外令牌 */ +static u32 a_extras_cnt; /* 可用的令牌总数 */ static u8* (*post_handler)(u8* buf, u32* len); -/* Interesting values, as per config.h */ +/* 根据config.h中的设置interesting的值 */ static s8 interesting_8[] = { INTERESTING_8 }; static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 }; static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 }; -/* Fuzzing stages */ +/* 模糊测试阶段 */ enum { /* 00 */ STAGE_FLIP1, @@ -317,7 +321,7 @@ enum { /* 16 */ STAGE_SPLICE }; -/* Stage value types */ +/*阶段值类型 */ enum { /* 00 */ STAGE_VAL_NONE, @@ -325,7 +329,7 @@ enum { /* 02 */ STAGE_VAL_BE }; -/* Execution status fault codes */ +/* 执行状态故障代码 */ enum { /* 00 */ FAULT_NONE, @@ -337,7 +341,7 @@ enum { }; -/* Get unix time in milliseconds */ +/* 获取毫秒级的Unix时间戳 */ static u64 get_cur_time(void) { @@ -351,7 +355,7 @@ static u64 get_cur_time(void) { } -/* Get unix time in microseconds */ +/* 获取微秒级的Unix时间戳 */ static u64 get_cur_time_us(void) { @@ -365,8 +369,7 @@ static u64 get_cur_time_us(void) { } -/* Generate a random number (from 0 to limit - 1). This may - have slight bias. */ +/* 生成一个随机数(从0到限值减1)。这可能存在轻微的偏差。 */ static inline u32 UR(u32 limit) { @@ -386,7 +389,7 @@ static inline u32 UR(u32 limit) { } -/* Shuffle an array of pointers. Might be slightly biased. */ +/* 洗牌一个指针数组。可能会有轻微的偏差。 */ static void shuffle_ptrs(void** ptrs, u32 cnt) { @@ -406,8 +409,7 @@ static void shuffle_ptrs(void** ptrs, u32 cnt) { #ifdef HAVE_AFFINITY -/* Build a list of processes bound to specific cores. Returns -1 if nothing - can be found. Assumes an upper bound of 4k CPUs. */ +/* 构建绑定到特定核心的进程列表。如果找不到任何东西,返回-1。假设cpu上限为4k。 */ static void bind_to_free_cpu(void) { @@ -438,15 +440,13 @@ static void bind_to_free_cpu(void) { ACTF("Checking CPU core loadout..."); - /* Introduce some jitter, in case multiple AFL tasks are doing the same - thing at the same time... */ + /* 引入一些抖动,以防多个AFL任务在同一时间做同一件事情... */ usleep(R(1000) * 250); - /* Scan all /proc//status entries, checking for Cpus_allowed_list. - Flag all processes bound to a specific CPU using cpu_used[]. This will - fail for some exotic binding setups, but is likely good enough in almost - all real-world use cases. */ + /* 扫描所有 /proc//status 条目,检查 Cpus_allowed_list。 + 使用 cpu_used[] 标记所有绑定到特定 CPU 的进程。 + 这在某些特殊的绑定设置中可能会失败,但在几乎所有现实世界的用例中都足够好。 */ while ((de = readdir(d))) { @@ -468,7 +468,7 @@ static void bind_to_free_cpu(void) { u32 hval; - /* Processes without VmSize are probably kernel tasks. */ + /* 没有VmSize的进程可能是内核任务。 */ if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; @@ -535,8 +535,7 @@ static void bind_to_free_cpu(void) { #ifndef IGNORE_FINDS -/* Helper function to compare buffers; returns first and last differing offset. We - use this to find reasonable locations for splicing two files. */ +/* 辅助函数用于比较缓冲区;返回第一个和最后一个不同的偏移量。我们用这个来找到合理的地点来拼接两个文件。 */ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { @@ -565,9 +564,8 @@ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { #endif /* !IGNORE_FINDS */ -/* Describe integer. Uses 12 cyclic static buffers for return values. The value - returned should be five characters or less for all the integers we reasonably - expect to see. */ +/*描述整数。使用12个循环的静态缓冲区来存储返回值。 +对于我们合理预期会看到的所有的整数,返回的值应该是五个字符或更少。 */ static u8* DI(u64 val) { @@ -623,8 +621,7 @@ static u8* DI(u64 val) { } -/* Describe float. Similar to the above, except with a single - static buffer. */ +/* 描述浮点数。与上面的类似,只是使用单个静态缓冲区。 */ static u8* DF(double val) { @@ -645,7 +642,7 @@ static u8* DF(double val) { } -/* Describe integer as memory size. */ +/* 将整数描述为内存大小。*/ static u8* DMS(u64 val) { @@ -696,7 +693,7 @@ static u8* DMS(u64 val) { } -/* Describe time delta. Returns one static buffer, 34 chars of less. */ +/* 描述时间增量。返回一个静态缓冲区,长度不超过34个字符。 */ static u8* DTD(u64 cur_ms, u64 event_ms) { @@ -719,9 +716,7 @@ static u8* DTD(u64 cur_ms, u64 event_ms) { } -/* Mark deterministic checks as done for a particular queue entry. We use the - .state file to avoid repeating deterministic fuzzing when resuming aborted - scans. */ +/* 标记特定队列条目的确定性检查为已完成。我们使用.state文件来避免在恢复中断的扫描时重复进行确定性模糊测试。 */ static void mark_as_det_done(struct queue_entry* q) { @@ -741,8 +736,7 @@ static void mark_as_det_done(struct queue_entry* q) { } -/* Mark as variable. Create symlinks if possible to make it easier to examine - the files. */ +/* 标记为变量。如果可能的话,创建符号链接以便于检查文件。 */ static void mark_as_variable(struct queue_entry* q) { @@ -767,8 +761,7 @@ static void mark_as_variable(struct queue_entry* q) { } -/* Mark / unmark as redundant (edge-only). This is not used for restoring state, - but may be useful for post-processing datasets. */ +/* 标记/取消标记为冗余(仅边)。这并不用于恢复状态,但可能对后处理数据集有用。 */ static void mark_as_redundant(struct queue_entry* q, u8 state) { @@ -799,7 +792,7 @@ static void mark_as_redundant(struct queue_entry* q, u8 state) { } -/* Append new test case to the queue. */ +/* 向队列追加新的测试用例。 */ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { @@ -824,7 +817,7 @@ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { cycles_wo_finds = 0; - /* Set next_100 pointer for every 100th element (index 0, 100, etc) to allow faster iteration. */ + /* 为每100个元素(索引0,100等)设置next_100指针,以允许更快的迭代。 */ if ((queued_paths - 1) % 100 == 0 && queued_paths > 1) { q_prev100->next_100 = q; @@ -837,7 +830,7 @@ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { } -/* Destroy the entire queue. */ +/* 销毁整个队列。 */ EXP_ST void destroy_queue(void) { @@ -856,9 +849,8 @@ EXP_ST void destroy_queue(void) { } -/* Write bitmap to file. The bitmap is useful mostly for the secret - -B option, to focus a separate fuzzing session on a particular - interesting input without rediscovering all the others. */ +/* 将位图写入文件。位图主要用于秘密的 -B 选项,以便在不重新发现所有 + 其他内容的情况下,将单独的模糊测试会话集中在某个特定的有趣输入上。*/ EXP_ST void write_bitmap(void) { @@ -881,7 +873,7 @@ EXP_ST void write_bitmap(void) { } -/* Read bitmap from file. This is for the -B option again. */ +/* 从文件中读取位图。这是-B选项。 */ EXP_ST void read_bitmap(u8* fname) { @@ -896,13 +888,11 @@ EXP_ST void read_bitmap(u8* fname) { } -/* Check if the current execution path brings anything new to the table. - Update virgin bits to reflect the finds. Returns 1 if the only change is - the hit-count for a particular tuple; 2 if there are new tuples seen. - Updates the map, so subsequent calls will always return 0. +/* 检查当前的执行路径是否带来了新的内容。 +更新virgin bits以反映发现的内容。如果唯一的变化是某个特定元组的命中次数,则返回1;如果看到了新的元组,则返回2。 +更新映射,因此后续调用总是返回0。 - This function is called after every exec() on a fairly large buffer, so - it needs to be fast. We do this in 32-bit and 64-bit flavors. */ +这个函数在每次对相当大的缓冲区执行exec()之后被调用,所以它需要快速。我们在32位和64位版本中都这样做。 */ static inline u8 has_new_bits(u8* virgin_map) { @@ -926,9 +916,7 @@ static inline u8 has_new_bits(u8* virgin_map) { while (i--) { - /* Optimize for (*current & *virgin) == 0 - i.e., no bits in current bitmap - that have not been already cleared from the virgin map - since this will - almost always be the case. */ + /* 针对(*current & *virgin)== 0进行优化——即,当前位图中没有未从virgin map中清除的位——因为这种情况几乎总是会出现。 */ if (unlikely(*current) && unlikely(*current & *virgin)) { @@ -937,8 +925,7 @@ static inline u8 has_new_bits(u8* virgin_map) { u8* cur = (u8*)current; u8* vir = (u8*)virgin; - /* Looks like we have not found any new bytes yet; see if any non-zero - bytes in current[] are pristine in virgin[]. */ + /* 看起来我们还没有找到任何新的字节;检查current[]中的任何非零字节是否在virgin[]中是未被触碰的。*/ #ifdef WORD_SIZE_64 @@ -974,8 +961,7 @@ static inline u8 has_new_bits(u8* virgin_map) { } -/* Count the number of bits set in the provided bitmap. Used for the status - screen several times every second, does not have to be fast. */ +/* 计算提供的位图中设置的位数。它每秒多次用于状态屏幕,不需要太快。 */ static u32 count_bits(u8* mem) { @@ -987,8 +973,7 @@ static u32 count_bits(u8* mem) { u32 v = *(ptr++); - /* This gets called on the inverse, virgin bitmap; optimize for sparse - data. */ + /* 这个函数被调用在相反的,virgin bitmap上;针对稀疏数据进行优化。 */ if (v == 0xffffffff) { ret += 32; @@ -1008,9 +993,7 @@ static u32 count_bits(u8* mem) { #define FF(_b) (0xff << ((_b) << 3)) -/* Count the number of bytes set in the bitmap. Called fairly sporadically, - mostly to update the status screen or calibrate and examine confirmed - new paths. */ +/* 计算位图中设置的字节数。调用相对不频繁,主要用于更新状态屏幕或校准和检查确认的新路径。 */ static u32 count_bytes(u8* mem) { @@ -1035,8 +1018,7 @@ static u32 count_bytes(u8* mem) { } -/* Count the number of non-255 bytes set in the bitmap. Used strictly for the - status screen, several calls per second or so. */ +/* 计算位图中非255字节的数量。仅用于状态屏幕,每秒大约有几调用。*/ static u32 count_non_255_bytes(u8* mem) { @@ -1048,8 +1030,7 @@ static u32 count_non_255_bytes(u8* mem) { u32 v = *(ptr++); - /* This is called on the virgin bitmap, so optimize for the most likely - case. */ + /* 这个函数是在virgin bitmap上调用的,因此要针对最可能的情况进行优化。 */ if (v == 0xffffffff) continue; if ((v & FF(0)) != FF(0)) ret++; @@ -1064,10 +1045,8 @@ static u32 count_non_255_bytes(u8* mem) { } -/* Destructively simplify trace by eliminating hit count information - and replacing it with 0x80 or 0x01 depending on whether the tuple - is hit or not. Called on every new crash or timeout, should be - reasonably fast. */ +/* 通过消除命中次数信息,并根据元组是否被命中,用0x80或0x01替换, +来破坏性地简化跟踪信息。在每次新的崩溃或超时时被调用,应该足够快。 */ static const u8 simplify_lookup[256] = { @@ -1084,7 +1063,7 @@ static void simplify_trace(u64* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1115,7 +1094,7 @@ static void simplify_trace(u32* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1136,9 +1115,7 @@ static void simplify_trace(u32* mem) { #endif /* ^WORD_SIZE_64 */ -/* Destructively classify execution counts in a trace. This is used as a - preprocessing step for any newly acquired traces. Called on every exec, - must be fast. */ +/* 破坏性地对跟踪中的执行计数进行分类。这用作任何新获得的跟踪的预处理步骤。每次执行时都会被调用,必须快速。 */ static const u8 count_class_lookup8[256] = { @@ -1178,7 +1155,7 @@ static inline void classify_counts(u64* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1205,7 +1182,7 @@ static inline void classify_counts(u32* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1225,7 +1202,7 @@ static inline void classify_counts(u32* mem) { #endif /* ^WORD_SIZE_64 */ -/* Get rid of shared memory (atexit handler). */ +/* 摆脱共享内存(atexit处理程序) */ static void remove_shm(void) { @@ -1234,9 +1211,7 @@ static void remove_shm(void) { } -/* Compact trace bytes into a smaller bitmap. We effectively just drop the - count information here. This is called only sporadically, for some - new paths. */ +/* 将跟踪字节压缩到更小的位图中。我们实际上在这里只是丢弃了计数信息。这个函数只在一些新路径上偶尔被调用。 */ static void minimize_bits(u8* dst, u8* src) { @@ -1252,23 +1227,21 @@ static void minimize_bits(u8* dst, u8* src) { } -/* When we bump into a new path, we call this to see if the path appears - more "favorable" than any of the existing ones. The purpose of the - "favorables" is to have a minimal set of paths that trigger all the bits - seen in the bitmap so far, and focus on fuzzing them at the expense of - the rest. +/* 当我们遇到一个新的路径时,我们会调用这个函数来查看这个路径是否看起来比现有的任何路径都更“favorable”。 +“favorable”的目的是拥有一个最小的路径集合,这些路径触发了迄今为止在位图中看到的所有位, +并专注于对这些路径进行模糊测试,而牺牲其他路径。 + +这个过程的第一步是为位图中的每个字节维护一个top_rated[]条目列表。如果之前没有竞争者, +或者竞争者具有更有利的速度x大小因子,我们就赢得了那个位置。 - The first step of the process is to maintain a list of top_rated[] entries - for every byte in the bitmap. We win that slot if there is no previous - contender, or if the contender has a more favorable speed x size factor. */ +对于trace_bits[]中设置的每个字节,看看是否有之前的获胜者,以及它与我们的比较情况。 */ static void update_bitmap_score(struct queue_entry* q) { u32 i; u64 fav_factor = q->exec_us * q->len; - /* For every byte set in trace_bits[], see if there is a previous winner, - and how it compares to us. */ + /* 对于trace_bits[]中设置的每个字节,看看是否有之前的获胜者,以及它与我们的比较情况。 */ for (i = 0; i < MAP_SIZE; i++) @@ -1276,12 +1249,11 @@ static void update_bitmap_score(struct queue_entry* q) { if (top_rated[i]) { - /* Faster-executing or smaller test cases are favored. */ + /* 执行速度更快或更小的测试用例是受青睐的。*/ if (fav_factor > top_rated[i]->exec_us * top_rated[i]->len) continue; - /* Looks like we're going to win. Decrease ref count for the - previous winner, discard its trace_bits[] if necessary. */ + /* 看来我们要赢了。为之前的获胜者减少引用计数,如果需要的话,丢弃它的trace_bits[]。 */ if (!--top_rated[i]->tc_ref) { ck_free(top_rated[i]->trace_mini); @@ -1290,7 +1262,7 @@ static void update_bitmap_score(struct queue_entry* q) { } - /* Insert ourselves as the new winner. */ + /* 将自己插入为新的获胜者。 */ top_rated[i] = q; q->tc_ref++; @@ -1307,11 +1279,9 @@ static void update_bitmap_score(struct queue_entry* q) { } -/* The second part of the mechanism discussed above is a routine that - goes over top_rated[] entries, and then sequentially grabs winners for - previously-unseen bytes (temp_v) and marks them as favored, at least - until the next run. The favored entries are given more air time during - all fuzzing steps. */ +/* +上述机制的第二部分是一个例程,它遍历top_rated[]条目,然后依次获取之前未见过的字节(temp_v)的获胜者, +并将它们标记为受青睐的,至少直到下一次运行。在所有的模糊测试步骤中,受青睐的条目会被给予更多的测试时间。*/ static void cull_queue(void) { @@ -1335,15 +1305,14 @@ static void cull_queue(void) { q = q->next; } - /* Let's see if anything in the bitmap isn't captured in temp_v. - If yes, and if it has a top_rated[] contender, let's use it. */ + /* 让我们看看位图中是否有未在temp_v中捕获的内容。如果有,并且它在top_rated[]中有竞争者,那么我们就使用它。 */ for (i = 0; i < MAP_SIZE; i++) if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { u32 j = MAP_SIZE >> 3; - /* Remove all bits belonging to the current entry from temp_v. */ + /* 从temp_v中删除属于当前条目的所有位。 */ while (j--) if (top_rated[i]->trace_mini[j]) @@ -1366,7 +1335,7 @@ static void cull_queue(void) { } -/* Configure shared memory and virgin_bits. This is called at startup. */ +/* 配置共享内存和virgin_bits。这在启动时被调用。 */ EXP_ST void setup_shm(void) { @@ -1385,10 +1354,8 @@ EXP_ST void setup_shm(void) { shm_str = alloc_printf("%d", shm_id); - /* If somebody is asking us to fuzz instrumented binaries in dumb mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* 如果有人要求我们在dump模式下对插桩的二进制文件进行模糊测试,我们不希望他们检测到插桩, + 因为我们不会发送fork服务器命令。这应该在以后被更好的自动检测所取代,对吗? */ if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); @@ -1401,7 +1368,7 @@ EXP_ST void setup_shm(void) { } -/* Load postprocessor, if available. */ +/* 加载后处理器(如果可用) */ static void setup_post(void) { @@ -1419,7 +1386,7 @@ static void setup_post(void) { post_handler = dlsym(dh, "afl_postprocess"); if (!post_handler) FATAL("Symbol 'afl_postprocess' not found."); - /* Do a quick test. It's better to segfault now than later =) */ + /* 做一个快速测试。现在分段故障比以后好=) */ post_handler("hello", &tlen); @@ -1428,8 +1395,7 @@ static void setup_post(void) { } -/* Read all testcases from the input directory, then queue them for testing. - Called at startup. */ +/* 从输入目录读取所有测试用例,然后将它们排队进行测试。在启动时调用。*/ static void read_testcases(void) { @@ -1438,16 +1404,14 @@ static void read_testcases(void) { u32 i; u8* fn; - /* Auto-detect non-in-place resumption attempts. */ + /* 自动检测非原位恢复尝试。 */ fn = alloc_printf("%s/queue", in_dir); if (!access(fn, F_OK)) in_dir = fn; else ck_free(fn); ACTF("Scanning '%s'...", in_dir); - /* We use scandir() + alphasort() rather than readdir() because otherwise, - the ordering of test cases would vary somewhat randomly and would be - difficult to control. */ + /* 我们使用 scandir() + alphasort() 而不是 readdir(),因为如果不这样,测试用例的排序会有些随机,并且难以控制。 */ nl_cnt = scandir(in_dir, &nl, NULL, alphasort); @@ -1486,7 +1450,7 @@ static void read_testcases(void) { if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); - /* This also takes care of . and .. */ + /* 这也照顾.和. . */ if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn, "/README.testcases")) { @@ -1500,10 +1464,8 @@ static void read_testcases(void) { FATAL("Test case '%s' is too big (%s, limit is %s)", fn, DMS(st.st_size), DMS(MAX_FILE)); - /* Check for metadata that indicates that deterministic fuzzing - is complete for this entry. We don't want to repeat deterministic - fuzzing when resuming aborted scans, because it would be pointless - and probably very time-consuming. */ + /* 检查元数据,以确定是否已经完成了这项条目的确定性模糊测试。 + 我们不想在恢复中断的扫描时重复进行确定性模糊测试,因为这样做毫无意义,而且可能非常耗时。 */ if (!access(dfn, F_OK)) passed_det = 1; ck_free(dfn); @@ -1532,7 +1494,7 @@ static void read_testcases(void) { } -/* Helper function for load_extras. */ +/* load_extras的辅助函数 */ static int compare_extras_len(const void* p1, const void* p2) { struct extra_data *e1 = (struct extra_data*)p1, @@ -1549,7 +1511,7 @@ static int compare_extras_use_d(const void* p1, const void* p2) { } -/* Read extras from a file, sort by size. */ +/* 从文件中读取额外内容,按大小排序。 */ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, u32 dict_level) { @@ -1570,7 +1532,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, cur_line++; - /* Trim on left and right. */ + /* 修剪左右 */ while (isspace(*lptr)) lptr++; @@ -1579,11 +1541,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, rptr++; *rptr = 0; - /* Skip empty lines and comments. */ + /* 跳过空行和注释 */ if (!*lptr || *lptr == '#') continue; - /* All other lines must end with '"', which we can consume. */ + /* 所有其他行必须以‘ " ’结尾,我们可以使用它。 */ rptr--; @@ -1592,11 +1554,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, *rptr = 0; - /* Skip alphanumerics and dashes (label). */ + /* 跳过字母数字和破折号(标签) */ while (isalnum(*lptr) || *lptr == '_') lptr++; - /* If @number follows, parse that. */ + /* 如果后面跟着@number,解析它 */ if (*lptr == '@') { @@ -1606,11 +1568,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, } - /* Skip whitespace and = signs. */ + /* 跳过空格和=号 */ while (isspace(*lptr) || *lptr == '=') lptr++; - /* Consume opening '"'. */ + /* 消费开放‘ " ’ 。 */ if (*lptr != '"') FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line); @@ -1619,8 +1581,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, if (!*lptr) FATAL("Empty keyword in line %u.", cur_line); - /* Okay, let's allocate memory and copy data between "...", handling - \xNN escaping, \\, and \". */ + /* 好的,我们来分配内存并在 "..." 之间复制数据,同时处理 \xNN 转义、\ 和 "*/ extras = ck_realloc_block(extras, (extras_cnt + 1) * sizeof(struct extra_data)); @@ -1686,7 +1647,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, } -/* Read extras from the extras directory and sort them by size. */ +/* 从extras目录中读取extras,并按大小排序。 */ static void load_extras(u8* dir) { @@ -1695,7 +1656,7 @@ static void load_extras(u8* dir) { u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; u8* x; - /* If the name ends with @, extract level and continue. */ + /* 如果名称以@结尾,则提取level并继续 */ if ((x = strchr(dir, '@'))) { @@ -1730,7 +1691,7 @@ static void load_extras(u8* dir) { if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); - /* This also takes care of . and .. */ + /* 这也照顾.和. . */ if (!S_ISREG(st.st_mode) || !st.st_size) { ck_free(fn); @@ -1788,7 +1749,7 @@ check_and_sort: -/* Helper function for maybe_add_auto() */ +/* maybe_add_auto()的辅助函数 */ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { @@ -1798,24 +1759,24 @@ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { } -/* Maybe add automatic extra. */ +/* 也许可以加上自动附加功能 */ static void maybe_add_auto(u8* mem, u32 len) { u32 i; - /* Allow users to specify that they don't want auto dictionaries. */ + /* 允许用户指定他们不需要自动字典 */ if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return; - /* Skip runs of identical bytes. */ + /* 跳过相同字节的运行 */ for (i = 1; i < len; i++) if (mem[0] ^ mem[i]) break; if (i == len) return; - /* Reject builtin interesting values. */ + /* 拒绝内置有趣的值 */ if (len == 2) { @@ -1837,9 +1798,7 @@ static void maybe_add_auto(u8* mem, u32 len) { } - /* Reject anything that matches existing extras. Do a case-insensitive - match. We optimize by exploiting the fact that extras[] are sorted - by size. */ + /* 拒绝任何与现有额外内容匹配的条目。进行不区分大小写的匹配。我们通过利用extras[]按大小排序的事实来优化这个过程。 */ for (i = 0; i < extras_cnt; i++) if (extras[i].len >= len) break; @@ -1847,8 +1806,7 @@ static void maybe_add_auto(u8* mem, u32 len) { for (; i < extras_cnt && extras[i].len == len; i++) if (!memcmp_nocase(extras[i].data, mem, len)) return; - /* Last but not least, check a_extras[] for matches. There are no - guarantees of a particular sort order. */ + /* 最后但同样重要的是,检查 a_extras[] 中是否有匹配项。没有保证特定的排序顺序。 */ auto_changed = 1; @@ -1863,9 +1821,8 @@ static void maybe_add_auto(u8* mem, u32 len) { } - /* At this point, looks like we're dealing with a new entry. So, let's - append it if we have room. Otherwise, let's randomly evict some other - entry from the bottom half of the list. */ + /* 在这一点上,看起来我们正在处理一个新的条目。所以,如果有空间的话, + 让我们把它追加上去。否则,让我们从列表的下半部分随机驱逐其他某个条目。 */ if (a_extras_cnt < MAX_AUTO_EXTRAS) { @@ -1891,12 +1848,12 @@ static void maybe_add_auto(u8* mem, u32 len) { sort_a_extras: - /* First, sort all auto extras by use count, descending order. */ + /* 首先,按使用次数降序对所有自动附加项进行排序 */ qsort(a_extras, a_extras_cnt, sizeof(struct extra_data), compare_extras_use_d); - /* Then, sort the top USE_AUTO_EXTRAS entries by size. */ + /* 然后,按大小对最上面的USE_AUTO_EXTRAS条目进行排序 */ qsort(a_extras, MIN(USE_AUTO_EXTRAS, a_extras_cnt), sizeof(struct extra_data), compare_extras_len); @@ -1904,7 +1861,7 @@ sort_a_extras: } -/* Save automatically generated extras. */ +/* 保存自动生成的附加内容 */ static void save_auto(void) { @@ -1932,7 +1889,7 @@ static void save_auto(void) { } -/* Load automatically generated extras. */ +/* 加载自动生成的附加内容 */ static void load_auto(void) { @@ -1954,8 +1911,7 @@ static void load_auto(void) { } - /* We read one byte more to cheaply detect tokens that are too - long (and skip them). */ + /* 我们多读了一个字节,以低成本检测过长的标记(并跳过它们) */ len = read(fd, tmp, MAX_AUTO_EXTRA + 1); @@ -1975,7 +1931,7 @@ static void load_auto(void) { } -/* Destroy extras. */ +/* 销毁额外的数据 */ static void destroy_extras(void) { @@ -1994,13 +1950,12 @@ static void destroy_extras(void) { } -/* Spin up fork server (instrumented mode only). The idea is explained here: +/* 启动fork服务器(仅在插桩模式下)。这个想法在这里有解释: - http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html +http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html - In essence, the instrumentation allows us to skip execve(), and just keep - cloning a stopped child. So, we just execute once, and then send commands - through a pipe. The other part of this logic is in afl-as.h. */ +本质上,插桩允许我们跳过execve(),只需持续克隆一个已停止的子进程。 +因此,我们只需要执行一次,然后通过管道发送命令。这部分逻辑的另一部分在afl-as.h中。 */ EXP_ST void init_forkserver(char** argv) { @@ -2021,13 +1976,12 @@ EXP_ST void init_forkserver(char** argv) { struct rlimit r; - /* Umpf. On OpenBSD, the default fd limit for root users is set to - soft 128. Let's try to fix that... */ + /* 在OpenBSD上,默认的文件描述符(fd)限制对于root用户设置为软限制128。让我们尝试修复这个问题... */ if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { r.rlim_cur = FORKSRV_FD + 2; - setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ + setrlimit(RLIMIT_NOFILE, &r); /* 忽略错误 */ } @@ -2037,13 +1991,12 @@ EXP_ST void init_forkserver(char** argv) { #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + setrlimit(RLIMIT_AS, &r); /* 忽略错误 */ #else - /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but - according to reliable sources, RLIMIT_DATA covers anonymous - maps - so we should be getting good protection against OOM bugs. */ + /* 这考虑到了OpenBSD,它没有RLIMIT_AS,但根据可靠来源, + RLIMIT_DATA涵盖了匿名映射——因此我们应该能够很好地防止内存溢出(OOM)错误。 */ setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ @@ -2052,15 +2005,13 @@ EXP_ST void init_forkserver(char** argv) { } - /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered - before the dump is complete. */ + /* 转储核心(core dumping)是缓慢的,如果在转储完成之前发送了SIGKILL信号,可能会导致异常。 */ r.rlim_max = r.rlim_cur = 0; setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - /* Isolate the process and configure standard descriptors. If out_file is - specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + /* 隔离进程并配置标准描述符。如果指定了out_file,那么stdin就是/dev/null;否则,会克隆out_fd。*/ setsid(); @@ -2078,7 +2029,7 @@ EXP_ST void init_forkserver(char** argv) { } - /* Set up control and status pipes, close the unneeded original fds. */ + /* 建立控制和状态管道,关闭不需要的原始文件。 */ if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); @@ -2093,20 +2044,19 @@ EXP_ST void init_forkserver(char** argv) { close(dev_urandom_fd); close(fileno(plot_file)); - /* This should improve performance a bit, since it stops the linker from - doing extra work post-fork(). */ + /* 这应该会稍微提高性能,因为它阻止了链接器在fork()之后进行额外的工作。 */ if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); - /* Set sane defaults for ASAN if nothing else specified. */ + /* 如果没有其他指定,则为ASAN设置相同的默认值。 */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" "symbolize=0:" "allocator_may_return_null=1", 0); - /* MSAN is tricky, because it doesn't support abort_on_error=1 at this - point. So, we do this in a very hacky way. */ + /* MSAN(MemorySanitizer)有点棘手,因为目前它不支持abort_on_error=1这个选项。 + 因此,我们用一种非常hacky(即临时、不正规)的方式来实现这一点。 */ setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" "symbolize=0:" @@ -2116,15 +2066,14 @@ EXP_ST void init_forkserver(char** argv) { execv(target_path, argv); - /* Use a distinctive bitmap signature to tell the parent about execv() - falling through. */ + /* 使用一个独特的位图签名来告诉父进程execv()调用已经成功执行。*/ *(u32*)trace_bits = EXEC_FAIL_SIG; exit(0); } - /* Close the unneeded endpoints. */ + /* 关闭不需要的端点 */ close(ctl_pipe[0]); close(st_pipe[1]); @@ -2132,7 +2081,7 @@ EXP_ST void init_forkserver(char** argv) { fsrv_ctl_fd = ctl_pipe[1]; fsrv_st_fd = st_pipe[0]; - /* Wait for the fork server to come up, but don't wait too long. */ + /* 等待分叉服务器启动,但不要等待太久 */ it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000); it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; @@ -2146,8 +2095,7 @@ EXP_ST void init_forkserver(char** argv) { setitimer(ITIMER_REAL, &it, NULL); - /* If we have a four-byte "hello" message from the server, we're all set. - Otherwise, try to figure out what went wrong. */ + /* 如果我们从服务器收到了一个四字节的'hello'消息,那么一切就绪。否则,尝试弄清楚出了什么问题。 */ if (rlen == 4) { OKF("All right - fork server is up."); @@ -2284,8 +2232,7 @@ EXP_ST void init_forkserver(char** argv) { } -/* Execute target application, monitoring for timeouts. Return status - information. The called program will update trace_bits[]. */ +/* 执行目标应用程序,监控超时情况。返回状态信息。被调用的程序将更新trace_bits[] */ static u8 run_target(char** argv, u32 timeout) { @@ -2298,17 +2245,13 @@ static u8 run_target(char** argv, u32 timeout) { child_timed_out = 0; - /* After this memset, trace_bits[] are effectively volatile, so we - must prevent any earlier operations from venturing into that - territory. */ + /* 在这次memset之后,trace_bits[]实际上变成了易失性的,因此我们必须阻止任何早期操作进入该领域。 */ memset(trace_bits, 0, MAP_SIZE); MEM_BARRIER(); - /* If we're running in "dumb" mode, we can't rely on the fork server - logic compiled into the target program, so we will just keep calling - execve(). There is a bit of code duplication between here and - init_forkserver(), but c'est la vie. */ + /* 如果我们在‘dump’模式下运行,我们不能依赖于目标程序中编译的fork服务器逻辑,所以我们将不断调用execve()。 + 这里的代码和init_forkserver()之间有一些重复,但这就是生活。 */ if (dumb_mode == 1 || no_forkserver) { @@ -2326,11 +2269,11 @@ static u8 run_target(char** argv, u32 timeout) { #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + setrlimit(RLIMIT_AS, &r); /* 忽略错误 */ #else - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + setrlimit(RLIMIT_DATA, &r); /* 忽略错误 */ #endif /* ^RLIMIT_AS */ @@ -2338,10 +2281,9 @@ static u8 run_target(char** argv, u32 timeout) { r.rlim_max = r.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + setrlimit(RLIMIT_CORE, &r); /* 忽略错误 */ - /* Isolate the process and configure standard descriptors. If out_file is - specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + /* 隔离进程并配置标准描述符。如果指定了out_file,那么stdin就是/dev/null;否则,将克隆out_fd。 */ setsid(); @@ -2359,14 +2301,14 @@ static u8 run_target(char** argv, u32 timeout) { } - /* On Linux, would be faster to use O_CLOEXEC. Maybe TODO. */ + /* 在Linux上,使用O_CLOEXEC会更快。也许TODO */ close(dev_null_fd); close(out_dir_fd); close(dev_urandom_fd); close(fileno(plot_file)); - /* Set sane defaults for ASAN if nothing else specified. */ + /* 如果没有其他指定,则为ASAN设置相同的默认值 */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" @@ -2379,8 +2321,7 @@ static u8 run_target(char** argv, u32 timeout) { execv(target_path, argv); - /* Use a distinctive bitmap value to tell the parent about execv() - falling through. */ + /* 使用一个独特的位图值来告知父进程execv()调用已经顺利执行 */ *(u32*)trace_bits = EXEC_FAIL_SIG; exit(0); @@ -2391,8 +2332,7 @@ static u8 run_target(char** argv, u32 timeout) { s32 res; - /* In non-dumb mode, we have the fork server up and running, so simply - tell it to have at it, and then read back PID. */ + /* 在non-dump模式下,我们的fork服务器正在运行,所以只需告诉它开始执行,然后读取返回的PID。 */ if ((res = write(fsrv_ctl_fd, &prev_timed_out, 4)) != 4) { @@ -2412,14 +2352,14 @@ static u8 run_target(char** argv, u32 timeout) { } - /* Configure timeout, as requested by user, then wait for child to terminate. */ + /* 根据用户的要求配置超时,然后等待子进程终止 */ it.it_value.tv_sec = (timeout / 1000); it.it_value.tv_usec = (timeout % 1000) * 1000; setitimer(ITIMER_REAL, &it, NULL); - /* The SIGALRM handler simply kills the child_pid and sets child_timed_out. */ + /* SIGALRM处理程序只是终止child_pid并设置child_timed_out */ if (dumb_mode == 1 || no_forkserver) { @@ -2451,9 +2391,8 @@ static u8 run_target(char** argv, u32 timeout) { total_execs++; - /* Any subsequent operations on trace_bits must not be moved by the - compiler below this point. Past this location, trace_bits[] behave - very normally and do not have to be treated as volatile. */ + /* 编译器不能将对trace_bits的任何后续操作移动到这一点以下。 + 在这个位置之后,trace_bits[]表现得非常正常,不需要被当作易失性的处理。 */ MEM_BARRIER(); @@ -2467,7 +2406,7 @@ static u8 run_target(char** argv, u32 timeout) { prev_timed_out = child_timed_out; - /* Report outcome to caller. */ + /* 向调用者报告结果 */ if (WIFSIGNALED(status) && !stop_soon) { @@ -2479,8 +2418,7 @@ static u8 run_target(char** argv, u32 timeout) { } - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ + /* 这是针对MSAN的一个有点恶劣的hack,因为MSAN不支持abort_on_error,必须使用一个特殊的退出代码。 */ if (uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { kill_signal = 0; @@ -2490,8 +2428,7 @@ static u8 run_target(char** argv, u32 timeout) { if ((dumb_mode == 1 || no_forkserver) && tb4 == EXEC_FAIL_SIG) return FAULT_ERROR; - /* It makes sense to account for the slowest units only if the testcase was run - under the user defined timeout. */ + /* 只有在测试用例在用户定义的超时下运行时,才有必要只考虑最慢的单元 */ if (!(timeout > exec_tmout) && (slowest_exec_ms < exec_ms)) { slowest_exec_ms = exec_ms; } @@ -2501,9 +2438,7 @@ static u8 run_target(char** argv, u32 timeout) { } -/* Write modified data to file for testing. If out_file is set, the old file - is unlinked and a new one is created. Otherwise, out_fd is rewound and - truncated. */ +/* 将修改后的数据写入文件以进行测试。如果设置了out_file,旧文件将被解除链接,并创建一个新的文件。否则,out_fd将被回卷并截断。 */ static void write_to_testcase(void* mem, u32 len) { @@ -2531,7 +2466,7 @@ static void write_to_testcase(void* mem, u32 len) { } -/* The same, but with an adjustable gap. Used for trimming. */ +/* 相同的,但有一个可调节的间隙。用于修剪。 */ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { @@ -2564,9 +2499,8 @@ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { static void show_stats(void); -/* Calibrate a new test case. This is done when processing the input directory - to warn about flaky or otherwise problematic test cases early on; and when - new paths are discovered to detect variable behavior and so on. */ +/* 校准一个新的测试用例。这在处理输入目录时完成,目的是为了提早警告 +关于不稳定或其他有问题的测试用例;以及在发现新路径时,用于检测可变行为等。 */ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, u32 handicap, u8 from_queue) { @@ -2582,9 +2516,8 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, u32 use_tmout = exec_tmout; u8* old_sn = stage_name; - /* Be a bit more generous about timeouts when resuming sessions, or when - trying to calibrate already-added finds. This helps avoid trouble due - to intermittent latency. */ + /* 在恢复会话或尝试校准已经添加的发现时,对超时更加宽容一些。 + 这有助于避免由于间歇性延迟引起的问题。 */ if (!from_queue || resuming_fuzz) use_tmout = MAX(exec_tmout + CAL_TMOUT_ADD, @@ -2595,8 +2528,7 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, stage_name = "calibration"; stage_max = fast_cal ? 3 : CAL_CYCLES; - /* Make sure the forkserver is up before we do anything, and let's not - count its spin-up time toward binary calibration. */ + /* 在我们做任何事情之前,确保fork服务器已经启动,并且我们不将其启动时间计入二进制校准。 */ if (dumb_mode != 1 && !no_forkserver && !forksrv_pid) init_forkserver(argv); @@ -2621,8 +2553,7 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, fault = run_target(argv, use_tmout); - /* stop_soon is set by the handler for Ctrl+C. When it's pressed, - we want to bail out quickly. */ + /* 如果按下Ctrl+C,stop_soon会被设置,我们希望快速退出。 */ if (stop_soon || fault != crash_mode) goto abort_calibration; @@ -2671,8 +2602,8 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, total_cal_us += stop_us - start_us; total_cal_cycles += stage_max; - /* OK, let's collect some stats about the performance of this test case. - This is used for fuzzing air time calculations in calculate_score(). */ + /* 好的,我们来收集一些关于这个测试用例性能的统计数据。 + 这将用于在calculate_score()中计算模糊测试的时间。 */ q->exec_us = (stop_us - start_us) / stage_max; q->bitmap_size = count_bytes(trace_bits); @@ -2684,9 +2615,8 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, update_bitmap_score(q); - /* If this case didn't result in new output from the instrumentation, tell - parent. This is a non-critical problem, but something to warn the user - about. */ + /* 如果这个案例没有产生新的来自插桩的输出,告诉父进程。 + 这是一个非关键性问题,但值得警告用户。 */ if (!dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; @@ -2697,7 +2627,7 @@ abort_calibration: queued_with_cov++; } - /* Mark variable paths. */ + /* 标记可变路径。 */ if (var_detected) { @@ -2721,7 +2651,7 @@ abort_calibration: } -/* Examine map coverage. Called once, for first test case. */ +/* 检查地图覆盖率。为第一个测试用例调用一次。 */ static void check_map_coverage(void) { @@ -2737,8 +2667,7 @@ static void check_map_coverage(void) { } -/* Perform dry run of all test cases to confirm that the app is working as - expected. This is done only for the initial inputs, and only once. */ +/* 对所有测试用例执行一次不实际执行的预运行,以确认应用程序按预期工作。这只针对初始输入进行,并且只执行一次。 */ static void perform_dry_run(char** argv) { @@ -2789,9 +2718,7 @@ static void perform_dry_run(char** argv) { if (timeout_given) { - /* The -t nn+ syntax in the command line sets timeout_given to '2' and - instructs afl-fuzz to tolerate but skip queue entries that time - out. */ + /* 命令行中的 -t nn+ 语法将 timeout_given 设置为 '2',并且指示 afl-fuzz 容忍但跳过超时的队列条目。 */ if (timeout_given > 1) { WARNF("Test case results in a timeout (skipping)"); @@ -2942,7 +2869,7 @@ static void perform_dry_run(char** argv) { } -/* Helper function: link() if possible, copy otherwise. */ +/* 辅助函数:link(),如果可能,复制 */ static void link_or_copy(u8* old_path, u8* new_path) { @@ -2974,8 +2901,7 @@ static void link_or_copy(u8* old_path, u8* new_path) { static void nuke_resume_dir(void); -/* Create hard links for input test cases in the output directory, choosing - good names and pivoting accordingly. */ +/* 在输出目录中为输入测试用例创建硬链接,选择合适的名字并相应地进行调整。 */ static void pivot_inputs(void) { @@ -2991,9 +2917,7 @@ static void pivot_inputs(void) { if (!rsl) rsl = q->fname; else rsl++; - /* If the original file name conforms to the syntax and the recorded - ID matches the one we'd assign, just use the original file name. - This is valuable for resuming fuzzing runs. */ + /* 如果原始文件名符合语法,并且记录的ID与我们要分配的ID匹配,就直接使用原始文件名。这对于恢复模糊测试运行非常有价值。 */ #ifndef SIMPLE_FILES # define CASE_PREFIX "id:" @@ -3010,8 +2934,7 @@ static void pivot_inputs(void) { resuming_fuzz = 1; nfn = alloc_printf("%s/queue/%s", out_dir, rsl); - /* Since we're at it, let's also try to find parent and figure out the - appropriate depth for this entry. */ + /* 既然我们已经在做了,让我们也尝试找到父项,并确定这个条目的适当深度。 */ src_str = strchr(rsl + 3, ':'); @@ -3027,8 +2950,7 @@ static void pivot_inputs(void) { } else { - /* No dice - invent a new name, capturing the original one as a - substring. */ + /* 没有成功 - 创建一个新名字,并将原始名字作为子字符串包含在内。 */ #ifndef SIMPLE_FILES @@ -3045,13 +2967,13 @@ static void pivot_inputs(void) { } - /* Pivot to the new queue entry. */ + /* 转向新的队列条目。 */ link_or_copy(q->fname, nfn); ck_free(q->fname); q->fname = nfn; - /* Make sure that the passed_det value carries over, too. */ + /* 确保passd_det值也被传递。 */ if (q->passed_det) mark_as_det_done(q); @@ -3067,8 +2989,7 @@ static void pivot_inputs(void) { #ifndef SIMPLE_FILES -/* Construct a file name for a new test case, capturing the operation - that led to its discovery. Uses a static buffer. */ +/* 为新测试用例构造一个包含导致其被发现的操作的文件名。使用一个静态缓冲区。 */ static u8* describe_op(u8 hnb) { @@ -3109,7 +3030,7 @@ static u8* describe_op(u8 hnb) { #endif /* !SIMPLE_FILES */ -/* Write a message accompanying the crash directory :-) */ +/* 为崩溃目录写一个伴随消息:-) */ static void write_crash_readme(void) { @@ -3120,7 +3041,7 @@ static void write_crash_readme(void) { fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); ck_free(fn); - /* Do not die on errors here - that would be impolite. */ + /* 不要死于错误——那是不礼貌的 */ if (fd < 0) return; @@ -3156,9 +3077,8 @@ static void write_crash_readme(void) { } -/* Check if the result of an execve() during routine fuzzing is interesting, - save or queue the input test case for further analysis if so. Returns 1 if - entry is saved, 0 otherwise. */ +/* 检查在常规模糊测试期间的execve()结果是否有趣,如果有趣,则保存 +或将输入测试用例排队以进行进一步分析。如果条目被保存,则返回1,否则返回0。 */ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { @@ -3169,8 +3089,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { if (fault == crash_mode) { - /* Keep only if there are new bits in the map, add to queue for - future fuzzing, etc. */ + /* 仅当映射中有新的位时才保留,将其添加到队列中以供将来的模糊测试等。 */ if (!(hnb = has_new_bits(virgin_bits))) { if (crash_mode) total_crashes++; @@ -3197,8 +3116,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { queue_top->exec_cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - /* Try to calibrate inline; this also calls update_bitmap_score() when - successful. */ + /* 尝试进行内联校准;成功时也会调用update_bitmap_score()。 */ res = calibrate_case(argv, queue_top, mem, queue_cycle - 1, 0); @@ -3218,10 +3136,8 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { case FAULT_TMOUT: - /* Timeouts are not very interesting, but we're still obliged to keep - a handful of samples. We use the presence of new bits in the - hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we - just keep everything. */ + /* 超时并不是很有趣的情况,但我们仍然需要保留一些样本。我们使用在特定挂起的 + 位图中出现的新位作为独特性的信号。在“哑”模式下,我们只是保留所有内容。 */ total_tmouts++; @@ -3241,9 +3157,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { unique_tmouts++; - /* Before saving, we make sure that it's a genuine hang by re-running - the target with a more generous timeout (unless the default timeout - is already generous). */ + /* 在保存之前,我们通过使用更宽裕的超时时间重新运行目标程序来确保这是一个真正的挂起(除非默认的超时时间已经足够宽裕)。*/ if (exec_tmout < hang_tmout) { @@ -3251,9 +3165,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { write_to_testcase(mem, len); new_fault = run_target(argv, hang_tmout); - /* A corner case that one user reported bumping into: increasing the - timeout actually uncovers a crash. Make sure we don't discard it if - so. */ + /* 一个用户报告的特殊情况:增加超时时间实际上揭示了一个崩溃。确保如果出现这种情况,我们不会丢弃它。 */ if (!stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; @@ -3283,9 +3195,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { keep_as_crash: - /* This is handled in a manner roughly similar to timeouts, - except for slightly different limits and no need to re-run test - cases. */ + /* 这与处理超时的方式大致相似,只是限制略有不同,并且不需要重新运行测试用例。 */ total_crashes++; @@ -3330,8 +3240,7 @@ keep_as_crash: } - /* If we're here, we apparently want to save the crash or hang - test case, too. */ + /* 如果我们在这里,显然我们也想要保存崩溃或挂起的测试用例。 */ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); if (fd < 0) PFATAL("Unable to create '%s'", fn); @@ -3345,12 +3254,11 @@ keep_as_crash: } -/* When resuming, try to find the queue position to start from. This makes sense - only when resuming, and when we can find the original fuzzer_stats. */ +/* 在恢复时,尝试找到开始的队列位置。这只在恢复时有意义,并且当我们能找到原始的fuzzer_stats时。 */ static u32 find_start_position(void) { - static u8 tmp[4096]; /* Ought to be enough for anybody. */ + static u8 tmp[4096]; /* 对任何人来说都足够了 */ u8 *fn, *off; s32 fd, i; @@ -3379,13 +3287,11 @@ static u32 find_start_position(void) { } -/* The same, but for timeouts. The idea is that when resuming sessions without - -t given, we don't want to keep auto-scaling the timeout over and over - again to prevent it from growing due to random flukes. */ +/* 同样,但针对超时情况。想法是在没有给定-t参数的情况下恢复会话时,我们不想一遍又一遍地自动调整超时时间,以防止它因为随机的异常而不断增长。 */ static void find_timeout(void) { - static u8 tmp[4096]; /* Ought to be enough for anybody. */ + static u8 tmp[4096]; /* 对任何人来说都足够了 */ u8 *fn, *off; s32 fd, i; @@ -3416,7 +3322,7 @@ static void find_timeout(void) { } -/* Update stats file for unattended monitoring. */ +/* 更新无人值守监控的统计文件 */ static void write_stats_file(double bitmap_cvg, double stability, double eps) { @@ -3437,8 +3343,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { if (!f) PFATAL("fdopen() failed"); - /* Keep last values in case we're called from another context - where exec/sec stats and such are not readily available. */ + /* 保留最后的值,以防我们被调用到另一个上下文中,那里每秒执行次数的统计数据等并不立即可用。 */ if (!bitmap_cvg && !stability && !eps) { bitmap_cvg = last_bcvg; @@ -3461,7 +3366,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { "paths_found : %u\n" "paths_imported : %u\n" "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ + "cur_path : %u\n" /* 必须匹配find_start_position() */ "pending_favs : %u\n" "pending_total : %u\n" "variable_paths : %u\n" @@ -3473,7 +3378,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { "last_crash : %llu\n" "last_hang : %llu\n" "execs_since_crash : %llu\n" - "exec_timeout : %u\n" /* Must match find_timeout() */ + "exec_timeout : %u\n" /* 必须匹配find_timeout() */ "afl_banner : %s\n" "afl_version : " VERSION "\n" "target_mode : %s%s%s%s%s%s%s\n" @@ -3495,9 +3400,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { orig_cmdline, slowest_exec_ms); /* ignore errors */ - /* Get rss value from the children - We must have killed the forkserver process and called waitpid - before calling getrusage */ + /* 从子进程中获取rss值。在调用getrusage之前,我们必须已经杀死了fork服务器进程并调用了waitpid。 */ if (getrusage(RUSAGE_CHILDREN, &usage)) { WARNF("getrusage failed"); } else if (usage.ru_maxrss == 0) { @@ -3515,7 +3418,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { } -/* Update the plot file if there is a reason to. */ +/* 如果有必要,请更新情节文件。 */ static void maybe_update_plot_file(double bitmap_cvg, double eps) { @@ -3536,7 +3439,7 @@ static void maybe_update_plot_file(double bitmap_cvg, double eps) { prev_uh = unique_hangs; prev_md = max_depth; - /* Fields in the file: + /* 文件中的字段包括:: unix_time, cycles_done, cur_path, paths_total, paths_not_fuzzed, favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, @@ -3554,8 +3457,7 @@ static void maybe_update_plot_file(double bitmap_cvg, double eps) { -/* A helper function for maybe_delete_out_dir(), deleting all prefixed - files in a directory. */ +/* maybe_delete_out_dir()的辅助函数,用于删除目录中所有具有特定前缀的文件 */ static u8 delete_files(u8* path, u8* prefix) { @@ -3586,7 +3488,7 @@ static u8 delete_files(u8* path, u8* prefix) { } -/* Get the number of runnable processes, with some simple smoothing. */ +/* 通过一些简单的平滑,获得可运行进程的数量。 */ static double get_runnable_processes(void) { @@ -3594,17 +3496,13 @@ static double get_runnable_processes(void) { #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - /* I don't see any portable sysctl or so that would quickly give us the - number of runnable processes; the 1-minute load average can be a - semi-decent approximation, though. */ + /*我没有看到任何可移植的sysctl命令或其他工具可以快速给出可运行进程的数量;不过,1分钟负载平均值可以作为一个半像样的近似值。 */ if (getloadavg(&res, 1) != 1) return 0; #else - /* On Linux, /proc/stat is probably the best way; load averages are - computed in funny ways and sometimes don't reflect extremely short-lived - processes well. */ + /* 在Linux上,/proc/stat可能是最佳方式;负载平均值的计算方式有些奇特,有时不能很好地反映非常短暂的进程。 */ FILE* f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -3639,7 +3537,7 @@ static double get_runnable_processes(void) { } -/* Delete the temporary directory used for in-place session resume. */ +/* 删除用于就地恢复会话的临时目录。*/ static void nuke_resume_dir(void) { @@ -3678,17 +3576,14 @@ dir_cleanup_failed: } -/* Delete fuzzer output directory if we recognize it as ours, if the fuzzer - is not currently running, and if the last run time isn't too great. */ +/* 如果识别输出目录为我们的,并且fuzzer当前没有在运行,以及上次运行时间不是很长,就删除fuzzer的输出目录。 */ static void maybe_delete_out_dir(void) { FILE* f; u8 *fn = alloc_printf("%s/fuzzer_stats", out_dir); - /* See if the output directory is locked. If yes, bail out. If not, - create a lock that will persist for the lifetime of the process - (this requires leaving the descriptor open).*/ + /* 检查输出目录是否被锁定。如果是,就退出。如果不是,创建一个在进程生命周期内持续存在的锁(这需要保持描述符打开)。*/ out_dir_fd = open(out_dir, O_RDONLY); if (out_dir_fd < 0) PFATAL("Unable to open '%s'", out_dir); @@ -3721,7 +3616,7 @@ static void maybe_delete_out_dir(void) { fclose(f); - /* Let's see how much work is at stake. */ + /* 让我们看看有多少工作要做 */ if (!in_place_resume && last_update - start_time > OUTPUT_GRACE * 60) { @@ -3743,11 +3638,9 @@ static void maybe_delete_out_dir(void) { ck_free(fn); - /* The idea for in-place resume is pretty simple: we temporarily move the old - queue/ to a new location that gets deleted once import to the new queue/ - is finished. If _resume/ already exists, the current queue/ may be - incomplete due to an earlier abort, so we want to use the old _resume/ - dir instead, and we let rename() fail silently. */ + /* 就地恢复的想法非常简单:我们暂时将旧的queue/移动到一个新位置, + 一旦导入到新queue/完成,这个新位置就会被删除。如果_resume/已经存在, + 当前的queue/可能因为之前的中断而不完整,所以我们想使用旧的_resume/目录,我们让rename()默默失败。 */ if (in_place_resume) { @@ -3769,8 +3662,7 @@ static void maybe_delete_out_dir(void) { ACTF("Deleting old session data..."); - /* Okay, let's get the ball rolling! First, we need to get rid of the entries - in /.synced/.../id:*, if any are present. */ + /* 好的,让我们开始吧!首先,如果存在,我们需要清除/.synced/.../id:*中的条目。 */ if (!in_place_resume) { @@ -3780,7 +3672,7 @@ static void maybe_delete_out_dir(void) { } - /* Next, we need to clean up /queue/.state/ subdirectories: */ + /* 接下来,我们需要清理 /queue/.state/ 子目录: */ fn = alloc_printf("%s/queue/.state/deterministic_done", out_dir); if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; @@ -3798,8 +3690,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* Then, get rid of the .state subdirectory itself (should be empty by now) - and everything matching /queue/id:*. */ + /* 然后,删除 .state 子目录本身(现在应该已经为空),以及所有匹配 /queue/id:* 的内容。 */ fn = alloc_printf("%s/queue/.state", out_dir); if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -3809,7 +3700,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* All right, let's do /crashes/id:* and /hangs/id:*. */ + /* 好的,让我们处理 /crashes/id:* 和 /hangs/id:* */ if (!in_place_resume) { @@ -3821,8 +3712,7 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/crashes", out_dir); - /* Make backup of the crashes directory if it's not empty and if we're - doing in-place resume. */ + /* 如果在进行就地恢复,并且crashes目录不为空,则备份该目录。 */ if (in_place_resume && rmdir(fn)) { @@ -3853,7 +3743,7 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/hangs", out_dir); - /* Backup hangs, too. */ + /* 备份也挂起了 */ if (in_place_resume && rmdir(fn)) { @@ -3882,7 +3772,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* And now, for some finishing touches. */ + /* 现在,做一些收尾工作 */ fn = alloc_printf("%s/.cur_input", out_dir); if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -3904,7 +3794,7 @@ static void maybe_delete_out_dir(void) { OKF("Output dir cleanup successful."); - /* Wow... is that all? If yes, celebrate! */ + /* 哇……就这些吗?如果是,那就庆祝吧! */ return; @@ -3927,8 +3817,7 @@ dir_cleanup_failed: static void check_term_size(void); -/* A spiffy retro stats screen! This is called every stats_update_freq - execve() calls, plus in several other circumstances. */ +/* 一个时髦的复古统计屏幕!这在每stats_update_freq次execve()调用时被调用,以及在其他几种情况下。 */ static void show_stats(void) { @@ -3944,15 +3833,15 @@ static void show_stats(void) { cur_ms = get_cur_time(); - /* If not enough time has passed since last UI update, bail out. */ + /* 如果上次UI更新后没有经过足够的时间,就退出。 */ if (cur_ms - last_ms < 1000 / UI_TARGET_HZ) return; - /* Check if we're past the 10 minute mark. */ + /* 检查我们是否过了10分钟。 */ if (cur_ms - start_time > 10 * 60 * 1000) run_over10m = 1; - /* Calculate smoothed exec speed stats. */ + /* 计算平滑执行速度统计。 */ if (!last_execs) { @@ -3963,8 +3852,7 @@ static void show_stats(void) { double cur_avg = ((double)(total_execs - last_execs)) * 1000 / (cur_ms - last_ms); - /* If there is a dramatic (5x+) jump in speed, reset the indicator - more quickly. */ + /* 如果速度有显著(超过5倍)的提升,那么更快速地重置指示器。 */ if (cur_avg * 5 < avg_exec || cur_avg / 5 > avg_exec) avg_exec = cur_avg; @@ -3977,12 +3865,12 @@ static void show_stats(void) { last_ms = cur_ms; last_execs = total_execs; - /* Tell the callers when to contact us (as measured in execs). */ + /* 告诉来电者何时与我们联系(以高管为衡量标准) */ stats_update_freq = avg_exec / (UI_TARGET_HZ * 10); if (!stats_update_freq) stats_update_freq = 1; - /* Do some bitmap stats. */ + /* 做一些位图统计 */ t_bytes = count_non_255_bytes(virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; @@ -3992,7 +3880,7 @@ static void show_stats(void) { else stab_ratio = 100; - /* Roughly every minute, update fuzzer stats and save auto tokens. */ + /* 大约每分钟更新fuzzer统计数据并保存自动标记。 */ if (cur_ms - last_stats_ms > STATS_UPDATE_SEC * 1000) { @@ -4003,7 +3891,7 @@ static void show_stats(void) { } - /* Every now and then, write plot data. */ + /* 每隔一段时间,写一些情节数据。 */ if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { @@ -4012,22 +3900,22 @@ static void show_stats(void) { } - /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ + /* 尊重AFL_EXIT_WHEN_DONE和AFL_BENCH_UNTIL_CRASH。 */ if (!dumb_mode && cycles_wo_finds > 100 && !pending_not_fuzzed && getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; - /* If we're not on TTY, bail out. */ + /* 如果我们不在TTY(终端)上,就退出。 */ if (not_on_tty) return; - /* Compute some mildly useful bitmap stats. */ + /* 计算一些稍微有用的位图统计。 */ t_bits = (MAP_SIZE << 3) - count_bits(virgin_bits); - /* Now, for the visuals... */ + /* 现在,对于视觉效果… */ if (clear_screen) { @@ -4049,7 +3937,7 @@ static void show_stats(void) { } - /* Let's start by drawing a centered banner. */ + /* 让我们从绘制居中横幅开始。*/ banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner); banner_pad = (80 - banner_len) / 2; @@ -4061,7 +3949,7 @@ static void show_stats(void) { SAYF("\n%s\n\n", tmp); - /* "Handy" shortcuts for drawing boxes... */ + /* "Handy" 快捷键绘制框… */ #define bSTG bSTART cGRA #define bH2 bH bH @@ -4086,17 +3974,17 @@ static void show_stats(void) { u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60; - /* First queue cycle: don't stop now! */ + /* 第一个排队周期:现在不要停下来! */ if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else - /* Subsequent cycles, but we're still making finds. */ + /* 在后续的测试周期中,但我们仍在发现新问题。 */ if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else - /* No finds for a long time and no test cases to try. */ + /* 很长一段时间没有发现,也没有测试用例可以尝试。 */ if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120) strcpy(tmp, cLGN); - /* Default: cautiously OK to stop? */ + /* 默认情况:谨慎地询问是否可以停止? */ else strcpy(tmp, cLBL); } @@ -4105,8 +3993,7 @@ static void show_stats(void) { " cycles done : %s%-5s " bSTG bV "\n", DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); - /* We want to warn people about not seeing new paths after a full cycle, - except when resuming fuzzing or running in non-instrumented mode. */ + /* 我们想要警告人们,在完成一个完整周期后没有看到新路径的情况,除非是在恢复模糊测试或在非插桩模式下运行。 */ if (!dumb_mode && (last_path_time || resuming_fuzz || queue_cycle == 1 || in_bitmap || crash_mode)) { @@ -4131,8 +4018,7 @@ static void show_stats(void) { SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", DI(queued_paths)); - /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH - limit with a '+' appended to the count. */ + /* 如果在发现崩溃时用红色高亮显示,并在超过KEEP_UNIQUE_CRASH限制时,在计数后追加一个'+'符号来表示。*/ sprintf(tmp, "%s%s", DI(unique_crashes), (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); @@ -4152,9 +4038,8 @@ static void show_stats(void) { SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH20 bHB bH bSTOP cCYA " map coverage " bSTG bH bHT bH20 bH2 bH bVL "\n"); - /* This gets funny because we want to print several variable-length variables - together, but then cram them into a fixed-width field - so we need to - put them in a temporary buffer first. */ + /* 这有点有趣,因为我们想要一起打印几个可变长度的变量,但随后又想将它们 + 塞进一个固定宽度的字段——所以我们需要先将它们放入一个临时缓冲区。*/ sprintf(tmp, "%s%s (%0.02f%%)", DI(current_entry), queue_cur->favored ? "" : "*", @@ -4184,7 +4069,7 @@ static void show_stats(void) { sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), ((double)queued_favored) * 100 / queued_paths); - /* Yeah... it's still going on... halp? */ + /* 是的……它还在继续……帮忙? */ SAYF(bV bSTOP " now trying : " cRST "%-21s " bSTG bV bSTOP " favored paths : " cRST "%-22s " bSTG bV "\n", stage_name, tmp); @@ -4224,7 +4109,7 @@ static void show_stats(void) { } - /* Show a warning about slow execution. */ + /* 显示关于缓慢执行的警告。 */ if (avg_exec < 100) { @@ -4245,7 +4130,7 @@ static void show_stats(void) { SAYF (bSTG bV bSTOP " total tmouts : " cRST "%-22s " bSTG bV "\n", tmp); - /* Aaaalmost there... hold on! */ + /* Aaaalmost那里……坚持住! */ SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bH bVL "\n"); @@ -4350,7 +4235,7 @@ static void show_stats(void) { SAYF(bV bSTOP " trim : " cRST "%-37s " bSTG bVR bH20 bH2 bH2 bRB "\n" bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); - /* Provide some CPU utilization stats. */ + /* 提供一些CPU利用率统计信息。 */ if (cpu_core_count) { @@ -4359,12 +4244,12 @@ static void show_stats(void) { u8* cpu_color = cCYA; - /* If we could still run one or more processes, use green. */ + /* 如果我们仍然可以运行一个或多个进程,则使用绿色。 */ if (cpu_core_count > 1 && cur_runnable + 1 <= cpu_core_count) cpu_color = cLGN; - /* If we're clearly oversubscribed, use red. */ + /* 如果我们明显超额认购,就用红色。 */ if (!no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; @@ -4399,9 +4284,8 @@ static void show_stats(void) { } -/* Display quick statistics at the end of processing the input directory, - plus a bunch of warnings. Some calibration stuff also ended up here, - along with several hardcoded constants. Maybe clean up eventually. */ +/* 在处理完输入目录后显示快速统计信息,以及一堆警告。一些校准内容也 +最终放在这里,连同几个硬编码的常数。也许最终会清理一下。 */ static void show_init_stats(void) { @@ -4433,7 +4317,7 @@ static void show_init_stats(void) { WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.txt.", doc_path); - /* Let's keep things moving with slow binaries. */ + /* 让我们继续使用慢二进制代码。 */ if (avg_us > 50000) havoc_div = 10; /* 0-19 execs/sec */ else if (avg_us > 20000) havoc_div = 5; /* 20-49 execs/sec */ @@ -4469,12 +4353,9 @@ static void show_init_stats(void) { if (!timeout_given) { - /* Figure out the appropriate timeout. The basic idea is: 5x average or - 1x max, rounded up to EXEC_TM_ROUND ms and capped at 1 second. + /* 确定合适的超时时间。基本思路是:5倍的平均值或者1倍的最大值,四舍五入到EXEC_TM_ROUND毫秒,并限制在1秒内。 - If the program is slow, the multiplier is lowered to 2x or 3x, because - random scheduler jitter is less likely to have any impact, and because - our patience is wearing thin =) */ +如果程序运行缓慢,乘数会降低到2倍或3倍,因为随机调度抖动不太可能有任何影响,而且我们的耐心正在逐渐减少=) */ if (avg_us > 50000) exec_tmout = avg_us * 2 / 1000; else if (avg_us > 10000) exec_tmout = avg_us * 3 / 1000; @@ -4496,8 +4377,7 @@ static void show_init_stats(void) { } - /* In dumb mode, re-running every timing out test case with a generous time - limit is very expensive, so let's select a more conservative default. */ + /* 在dump模式下,用宽裕的时间限制重新运行每个超时的测试用例代价很高,因此我们选择一个更保守的默认值。 */ if (dumb_mode && !getenv("AFL_HANG_TMOUT")) hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100); @@ -4507,7 +4387,7 @@ static void show_init_stats(void) { } -/* Find first power of two greater or equal to val (assuming val under +/* 求大于等于val的2的第一次幂(假设val小于 2^31). */ static u32 next_p2(u32 val) { @@ -4519,9 +4399,8 @@ static u32 next_p2(u32 val) { } -/* Trim all new test cases to save cycles when doing deterministic checks. The - trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of - file size, to keep the stage short and sweet. */ +/* 在进行确定性检查时,修剪所有新的测试用例以节省周期。修剪器使用二的幂次方增加 +量,范围在文件大小的1/16到1/1024之间,以保持这个阶段简短而高效。 */ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { @@ -4533,23 +4412,20 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { u32 remove_len; u32 len_p2; - /* Although the trimmer will be less useful when variable behavior is - detected, it will still work to some extent, so we don't check for - this. */ + /* 尽管在检测到可变行为时,修剪器的效用会降低,但它仍然会有一定程度的作用,因此我们不对此进行检查。 */ if (q->len < 5) return 0; stage_name = tmp; bytes_trim_in += q->len; - /* Select initial chunk len, starting with large steps. */ + /* 选择初始块len,从较大的步骤开始。*/ len_p2 = next_p2(q->len); remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); - /* Continue until the number of steps gets too high or the stepover - gets too small. */ + /* 继续进行,直到步骤数变得过高或步长变得过小。 */ while (remove_len >= MAX(len_p2 / TRIM_END_STEPS, TRIM_MIN_BYTES)) { @@ -4572,14 +4448,12 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { if (stop_soon || fault == FAULT_ERROR) goto abort_trimming; - /* Note that we don't keep track of crashes or hangs here; maybe TODO? */ + /* 请注意,我们在这里不跟踪崩溃或挂起;也许做? */ cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - /* If the deletion had no impact on the trace, make it permanent. This - isn't perfect for variable-path inputs, but we're just making a - best-effort pass, so it's not a big deal if we end up with false - negatives every now and then. */ + /* 如果删除对跟踪没有影响,使其成为永久性的。这对于变量路径输入来说并不 + 完美,但我们只是在尽力而为,所以如果我们偶尔出现假阴性,也不是什么大问题。 */ if (cksum == q->exec_cksum) { @@ -4591,8 +4465,7 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, move_tail); - /* Let's save a clean trace, which will be needed by - update_bitmap_score once we're done with the trimming stuff. */ + /* 让我们保存一个干净的跟踪信息,在我们完成修剪工作后,update_bitmap_score函数将会需要它。*/ if (!needs_write) { @@ -4603,7 +4476,7 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { } else remove_pos += remove_len; - /* Since this can be slow, update the screen every now and then. */ + /* 因为这可能很慢,所以要时不时地更新屏幕。 */ if (!(trim_exec++ % stats_update_freq)) show_stats(); stage_cur++; @@ -4614,8 +4487,7 @@ static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { } - /* If we have made changes to in_buf, we also need to update the on-disk - version of the test case. */ + /* 如果我们对in_buf做了更改,我们还需要更新磁盘上的测试用例版本。 */ if (needs_write) { @@ -4643,9 +4515,8 @@ abort_trimming: } -/* Write a modified test case, run program, process results. Handle - error conditions, returning 1 if it's time to bail out. This is - a helper function for fuzz_one(). */ +/* 写入一个修改后的测试用例,运行程序,处理结果。处理错误条件,如果到 +了该退出的时候则返回1。这是fuzz_one()的辅助函数。 */ EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { @@ -4673,8 +4544,7 @@ EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { } else subseq_tmouts = 0; - /* Users can hit us with SIGUSR1 to request the current input - to be abandoned. */ + /* 用户可以通过发送SIGUSR1信号来请求放弃当前的输入。 */ if (skip_requested) { @@ -4684,7 +4554,7 @@ EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { } - /* This handles FAULT_ERROR for us: */ + /* 这将为我们处理FAULT_ERROR: */ queued_discovered += save_if_interesting(argv, out_buf, len, fault); @@ -4696,8 +4566,7 @@ EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { } -/* Helper to choose random block len for block operations in fuzz_one(). - Doesn't return zero, provided that max_len is > 0. */ +/* 在fuzz_one()中用于选择块操作的随机块长度的辅助函数。只要最大长度max_len大于0,就不会返回零。 */ static u32 choose_block_len(u32 limit) { @@ -4739,9 +4608,7 @@ static u32 choose_block_len(u32 limit) { } -/* Calculate case desirability score to adjust the length of havoc fuzzing. - A helper function for fuzz_one(). Maybe some of these constants should - go into config.h. */ +/* 计算案例的期望分数,以调整havoc模糊测试的长度。这是fuzz_one()的辅助函数。也许这些常数中的一些应该放入config.h中。*/ static u32 calculate_score(struct queue_entry* q) { @@ -4749,9 +4616,7 @@ static u32 calculate_score(struct queue_entry* q) { u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; u32 perf_score = 100; - /* Adjust score based on execution speed of this path, compared to the - global average. Multiplier ranges from 0.1x to 3x. Fast inputs are - less expensive to fuzz, so we're giving them more air time. */ + /* 根据此路径的执行速度与全局平均速度的比较,调整分数。乘数范围从0.1x到3x。快速输入的模糊测试成本较低,因此我们给予它们更多的测试时间。 */ if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; else if (q->exec_us * 0.25 > avg_exec_us) perf_score = 25; @@ -4761,8 +4626,7 @@ static u32 calculate_score(struct queue_entry* q) { else if (q->exec_us * 3 < avg_exec_us) perf_score = 200; else if (q->exec_us * 2 < avg_exec_us) perf_score = 150; - /* Adjust score based on bitmap size. The working theory is that better - coverage translates to better targets. Multiplier from 0.25x to 3x. */ + /* 根据位图大小调整分数。工作理论是更好的覆盖率转化为更好的目标。乘数从0.25x到3x。 */ if (q->bitmap_size * 0.3 > avg_bitmap_size) perf_score *= 3; else if (q->bitmap_size * 0.5 > avg_bitmap_size) perf_score *= 2; @@ -4771,9 +4635,7 @@ static u32 calculate_score(struct queue_entry* q) { else if (q->bitmap_size * 2 < avg_bitmap_size) perf_score *= 0.5; else if (q->bitmap_size * 1.5 < avg_bitmap_size) perf_score *= 0.75; - /* Adjust score based on handicap. Handicap is proportional to how late - in the game we learned about this path. Latecomers are allowed to run - for a bit longer until they catch up with the rest. */ + /* 根据handicap(障碍)调整分数。Handicap与我们在游戏中了解这条路径的时间成比例。后来者被允许运行更长时间,直到它们赶上其他路径。 */ if (q->handicap >= 4) { @@ -4787,9 +4649,7 @@ static u32 calculate_score(struct queue_entry* q) { } - /* Final adjustment based on input depth, under the assumption that fuzzing - deeper test cases is more likely to reveal stuff that can't be - discovered with traditional fuzzers. */ + /* 基于输入深度的最终调整,假设模糊测试更深层的测试用例更有可能揭示传统模糊测试工具无法发现的问题。 */ switch (q->depth) { @@ -4801,7 +4661,7 @@ static u32 calculate_score(struct queue_entry* q) { } - /* Make sure that we don't go over limit. */ + /* 确保我们不超过极限 */ if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; @@ -4810,12 +4670,10 @@ static u32 calculate_score(struct queue_entry* q) { } -/* Helper function to see if a particular change (xor_val = old ^ new) could - be a product of deterministic bit flips with the lengths and stepovers - attempted by afl-fuzz. This is used to avoid dupes in some of the - deterministic fuzzing operations that follow bit flips. We also - return 1 if xor_val is zero, which implies that the old and attempted new - values are identical and the exec would be a waste of time. */ +/* 辅助函数,用于检查特定的变化(xor_val = old ^ new)是否可能是由afl-fuzz尝试的长度 +和步长确定性位翻转产生的结果。这用于避免在一些跟随位翻转的确定性模糊测试操作中的重复 +项。如果xor_val为零,我们也返回1,这意味着旧值和尝试的新值是相同的,执行将是一种时间 +浪费。*/ static u8 could_be_bitflip(u32 xor_val) { @@ -4823,16 +4681,15 @@ static u8 could_be_bitflip(u32 xor_val) { if (!xor_val) return 1; - /* Shift left until first bit set. */ + /* 左移直到第一个位设置 */ while (!(xor_val & 1)) { sh++; xor_val >>= 1; } - /* 1-, 2-, and 4-bit patterns are OK anywhere. */ + /* 1-、2-和4-bit模式在任何地方都是可以的。 */ if (xor_val == 1 || xor_val == 3 || xor_val == 15) return 1; - /* 8-, 16-, and 32-bit patterns are OK only if shift factor is - divisible by 8, since that's the stepover for these ops. */ + /* 8-,、16-、和 32-bit模式只有当位移因子能被8整除时,模式才有效,因为这是这些操作的步长。 */ if (sh & 7) return 0; @@ -4844,8 +4701,7 @@ static u8 could_be_bitflip(u32 xor_val) { } -/* Helper function to see if a particular value is reachable through - arithmetic operations. Used for similar purposes. */ +/* 辅助函数,用于检查是否可以通过算术操作达到某个特定值。用于类似的目的。 */ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { @@ -4853,7 +4709,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { if (old_val == new_val) return 1; - /* See if one-byte adjustments to any byte could produce this result. */ + /* 看看对任何字节进行一个字节的调整是否会产生此结果。 */ for (i = 0; i < blen; i++) { @@ -4864,7 +4720,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { } - /* If only one byte differs and the values are within range, return 1. */ + /* 如果只有一个字节不同并且值在范围内,则返回1。*/ if (diffs == 1) { @@ -4875,7 +4731,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { if (blen == 1) return 0; - /* See if two-byte adjustments to any byte would produce this result. */ + /* 看看对任何字节进行两个字节的调整是否会产生此结果。 */ diffs = 0; @@ -4888,7 +4744,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { } - /* If only one word differs and the values are within range, return 1. */ + /* 如果只有一个字不同且值在范围内,则返回1。 */ if (diffs == 1) { @@ -4902,7 +4758,7 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { } - /* Finally, let's do the same thing for dwords. */ + /* 最后,让我们对dwords做同样的事情。 */ if (blen == 4) { @@ -4922,11 +4778,9 @@ static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { } -/* Last but not least, a similar helper to see if insertion of an - interesting integer is redundant given the insertions done for - shorter blen. The last param (check_le) is set if the caller - already executed LE insertion for current blen and wants to see - if BE variant passed in new_val is unique. */ +/* 最后但同样重要的是,一个类似的辅助函数,用于检查在给定较短blen的插入操作后, +插入一个有趣的整数是否是多余的。最后一个参数(check_le)如果设置,意味着调用者 +已经为当前blen执行了LE(小端)插入,并希望查看传入的新值中的BE(大端)变体是否是唯一的。 */ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { -- 2.34.1 From ff4848b344e09af0086a89da34089e1c6abb0121 Mon Sep 17 00:00:00 2001 From: dongloong <1909842837@qq.com> Date: Mon, 21 Oct 2024 20:54:33 +0800 Subject: [PATCH 3/6] 1 --- 商硕/afl-fuzz.c | 8020 +++++++++++++++++++++++++++++++++++++++++++++ 商硕/afl-gcc.c | 357 ++ 2 files changed, 8377 insertions(+) create mode 100644 商硕/afl-fuzz.c create mode 100644 商硕/afl-gcc.c diff --git a/商硕/afl-fuzz.c b/商硕/afl-fuzz.c new file mode 100644 index 0000000..3d4a5a7 --- /dev/null +++ b/商硕/afl-fuzz.c @@ -0,0 +1,8020 @@ +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +/* + american fuzzy lop - fuzzer code + -------------------------------- + + Written and maintained by Michal Zalewski + + Forkserver design by Jann Horn + + This is the real deal: the program takes an instrumented binary and + attempts a variety of basic fuzzing tricks, paying close attention to + how they affect the execution path. + +*/ + +#define AFL_MAIN +#include "android-ashmem.h" +#define MESSAGES_TO_STDOUT + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif +#define _FILE_OFFSET_BITS 64 + +#include "config.h" +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" +#include "hash.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) +# include +#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ + +/* For systems that have sched_setaffinity; right now just Linux, but one + can hope... */ + +#ifdef __linux__ +# define HAVE_AFFINITY 1 +#endif /* __linux__ */ + +/* A toggle to export some variables when building as a library. Not very + useful for the general public. */ + +#ifdef AFL_LIB +# define EXP_ST +#else +# define EXP_ST static +#endif /* ^AFL_LIB */ + +/* Lots of globals, but mostly for the status UI and other things where it + really makes no sense to haul them around as function parameters. */ + + +EXP_ST u8 *in_dir, /* Input directory with test cases */ + *out_file, /* File to fuzz, if any */ + *out_dir, /* Working & output directory */ + *sync_dir, /* Synchronization directory */ + *sync_id, /* Fuzzer ID */ + *use_banner, /* Display banner */ + *in_bitmap, /* Input bitmap */ + *doc_path, /* Path to documentation dir */ + *target_path, /* Path to target binary */ + *orig_cmdline; /* Original command line */ + +EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */ +static u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */ + +EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */ + +EXP_ST u32 cpu_to_bind = 0; /* id of free CPU core to bind */ + +static u32 stats_update_freq = 1; /* Stats update frequency (execs) */ + +EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ + force_deterministic, /* Force deterministic stages? */ + use_splicing, /* Recombine input files? */ + dumb_mode, /* Run in non-instrumented mode? */ + score_changed, /* Scoring for favorites changed? */ + kill_signal, /* Signal that killed the child */ + resuming_fuzz, /* Resuming an older fuzzing job? */ + timeout_given, /* Specific timeout given? */ + cpu_to_bind_given, /* Specified cpu_to_bind given? */ + not_on_tty, /* stdout is not a tty */ + term_too_small, /* terminal dimensions too small */ + uses_asan, /* Target uses ASAN? */ + no_forkserver, /* Disable forkserver? */ + crash_mode, /* Crash mode! Yeah! */ + in_place_resume, /* Attempt in-place resume? */ + auto_changed, /* Auto-generated tokens changed? */ + no_cpu_meter_red, /* Feng shui on the status screen */ + no_arith, /* Skip most arithmetic ops */ + shuffle_queue, /* Shuffle input queue? */ + bitmap_changed = 1, /* Time to update bitmap? */ + qemu_mode, /* Running in QEMU mode? */ + skip_requested, /* Skip request, via SIGUSR1 */ + run_over10m, /* Run time over 10 minutes? */ + persistent_mode, /* Running in persistent mode? */ + deferred_mode, /* Deferred forkserver mode? */ + fast_cal; /* Try to calibrate faster? */ + +static s32 out_fd, /* Persistent fd for out_file */ + dev_urandom_fd = -1, /* Persistent fd for /dev/urandom */ + dev_null_fd = -1, /* Persistent fd for /dev/null */ + fsrv_ctl_fd, /* Fork server control pipe (write) */ + fsrv_st_fd; /* Fork server status pipe (read) */ + +static s32 forksrv_pid, /* PID of the fork server */ + child_pid = -1, /* PID of the fuzzed program */ + out_dir_fd = -1; /* FD of the lock file */ + +EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */ + +EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ + virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ + virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ + +static u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ + +static s32 shm_id; /* ID of the SHM region */ + +static volatile u8 stop_soon, /* Ctrl-C pressed? */ + clear_screen = 1, /* Window resized? */ + child_timed_out; /* Traced process timed out? */ + +EXP_ST u32 queued_paths, /* Total number of queued testcases */ + queued_variable, /* Testcases with variable behavior */ + queued_at_start, /* Total number of initial inputs */ + queued_discovered, /* Items discovered during this run */ + queued_imported, /* Items imported via -S */ + queued_favored, /* Paths deemed favorable */ + queued_with_cov, /* Paths with new coverage bytes */ + pending_not_fuzzed, /* Queued but not done yet */ + pending_favored, /* Pending favored paths */ + cur_skipped_paths, /* Abandoned inputs in cur cycle */ + cur_depth, /* Current path depth */ + max_depth, /* Max path depth */ + useless_at_start, /* Number of useless starting paths */ + var_byte_count, /* Bitmap bytes with var behavior */ + current_entry, /* Current queue entry ID */ + havoc_div = 1; /* Cycle count divisor for havoc */ + +EXP_ST u64 total_crashes, /* Total number of crashes */ + unique_crashes, /* Crashes with unique signatures */ + total_tmouts, /* Total number of timeouts */ + unique_tmouts, /* Timeouts with unique signatures */ + unique_hangs, /* Hangs with unique signatures */ + total_execs, /* Total execve() calls */ + slowest_exec_ms, /* Slowest testcase non hang in ms */ + start_time, /* Unix start time (ms) */ + last_path_time, /* Time for most recent path (ms) */ + last_crash_time, /* Time for most recent crash (ms) */ + last_hang_time, /* Time for most recent hang (ms) */ + last_crash_execs, /* Exec counter at last crash */ + queue_cycle, /* Queue round counter */ + cycles_wo_finds, /* Cycles without any new paths */ + trim_execs, /* Execs done to trim input files */ + bytes_trim_in, /* Bytes coming into the trimmer */ + bytes_trim_out, /* Bytes coming outa the trimmer */ + blocks_eff_total, /* Blocks subject to effector maps */ + blocks_eff_select; /* Blocks selected as fuzzable */ + +static u32 subseq_tmouts; /* Number of timeouts in a row */ + +static u8 *stage_name = "init", /* Name of the current fuzz stage */ + *stage_short, /* Short stage name */ + *syncing_party; /* Currently syncing with... */ + +static s32 stage_cur, stage_max; /* Stage progression */ +static s32 splicing_with = -1; /* Splicing with which test case? */ + +static u32 master_id, master_max; /* Master instance job splitting */ + +static u32 syncing_case; /* Syncing with case #... */ + +static s32 stage_cur_byte, /* Byte offset of current stage op */ + stage_cur_val; /* Value used for stage op */ + +static u8 stage_val_type; /* Value type (STAGE_VAL_*) */ + +static u64 stage_finds[32], /* Patterns found per fuzz stage */ + stage_cycles[32]; /* Execs per fuzz stage */ + +static u32 rand_cnt; /* Random number counter */ + +static u64 total_cal_us, /* Total calibration time (us) */ + total_cal_cycles; /* Total calibration cycles */ + +static u64 total_bitmap_size, /* Total bit count for all bitmaps */ + total_bitmap_entries; /* Number of bitmaps counted */ + +static s32 cpu_core_count; /* CPU core count */ + +#ifdef HAVE_AFFINITY + +static s32 cpu_aff = -1; /* Selected CPU core */ + +#endif /* HAVE_AFFINITY */ + +static FILE* plot_file; /* Gnuplot output file */ + +struct queue_entry { + + u8* fname; /* File name for the test case */ + u32 len; /* Input length */ + + u8 cal_failed, /* Calibration failed? */ + trim_done, /* Trimmed? */ + was_fuzzed, /* Had any fuzzing done yet? */ + passed_det, /* Deterministic stages passed? */ + has_new_cov, /* Triggers new coverage? */ + var_behavior, /* Variable behavior? */ + favored, /* Currently favored? */ + fs_redundant; /* Marked as redundant in the fs? */ + + u32 bitmap_size, /* Number of bits set in bitmap */ + exec_cksum; /* Checksum of the execution trace */ + + u64 exec_us, /* Execution time (us) */ + handicap, /* Number of queue cycles behind */ + depth; /* Path depth */ + + u8* trace_mini; /* Trace bytes, if kept */ + u32 tc_ref; /* Trace bytes ref count */ + + struct queue_entry *next, /* Next element, if any */ + *next_100; /* 100 elements ahead */ + +}; + +static struct queue_entry *queue, /* Fuzzing queue (linked list) */ + *queue_cur, /* Current offset within the queue */ + *queue_top, /* Top of the list */ + *q_prev100; /* Previous 100 marker */ + +static struct queue_entry* + top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + +struct extra_data { + u8* data; /* Dictionary token data */ + u32 len; /* Dictionary token length */ + u32 hit_cnt; /* Use count in the corpus */ +}; + +static struct extra_data* extras; /* Extra tokens to fuzz with */ +static u32 extras_cnt; /* Total number of tokens read */ + +static struct extra_data* a_extras; /* Automatically selected extras */ +static u32 a_extras_cnt; /* Total number of tokens available */ + +static u8* (*post_handler)(u8* buf, u32* len); + +/* Interesting values, as per config.h */ + +static s8 interesting_8[] = { INTERESTING_8 }; +static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 }; +static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 }; + +/* Fuzzing stages */ + +enum { + /* 00 */ STAGE_FLIP1, + /* 01 */ STAGE_FLIP2, + /* 02 */ STAGE_FLIP4, + /* 03 */ STAGE_FLIP8, + /* 04 */ STAGE_FLIP16, + /* 05 */ STAGE_FLIP32, + /* 06 */ STAGE_ARITH8, + /* 07 */ STAGE_ARITH16, + /* 08 */ STAGE_ARITH32, + /* 09 */ STAGE_INTEREST8, + /* 10 */ STAGE_INTEREST16, + /* 11 */ STAGE_INTEREST32, + /* 12 */ STAGE_EXTRAS_UO, + /* 13 */ STAGE_EXTRAS_UI, + /* 14 */ STAGE_EXTRAS_AO, + /* 15 */ STAGE_HAVOC, + /* 16 */ STAGE_SPLICE +}; + +/* Stage value types */ + +enum { + /* 00 */ STAGE_VAL_NONE, + /* 01 */ STAGE_VAL_LE, + /* 02 */ STAGE_VAL_BE +}; + +/* Execution status fault codes */ + +enum { + /* 00 */ FAULT_NONE, + /* 01 */ FAULT_TMOUT, + /* 02 */ FAULT_CRASH, + /* 03 */ FAULT_ERROR, + /* 04 */ FAULT_NOINST, + /* 05 */ FAULT_NOBITS +}; + + +/* Get unix time in milliseconds */ + +static u64 get_cur_time(void) { + + struct timeval tv; + struct timezone tz; + + gettimeofday(&tv, &tz); + + return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000); + +} + + +/* Get unix time in microseconds */ + +static u64 get_cur_time_us(void) { + + struct timeval tv; + struct timezone tz; + + gettimeofday(&tv, &tz); + + return (tv.tv_sec * 1000000ULL) + tv.tv_usec; + +} + + +/* Generate a random number (from 0 to limit - 1). This may + have slight bias. */ + +static inline u32 UR(u32 limit) { + + if (unlikely(!rand_cnt--)) { + + u32 seed[2]; + + ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom"); + + srandom(seed[0]); + rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG); + + } + + return random() % limit; + +} + + +/* Shuffle an array of pointers. Might be slightly biased. */ + +static void shuffle_ptrs(void** ptrs, u32 cnt) { + + u32 i; + + for (i = 0; i < cnt - 2; i++) { + + u32 j = i + UR(cnt - i); + void *s = ptrs[i]; + ptrs[i] = ptrs[j]; + ptrs[j] = s; + + } + +} + + +#ifdef HAVE_AFFINITY + +/* Build a list of processes bound to specific cores. Returns -1 if nothing + can be found. Assumes an upper bound of 4k CPUs. */ + +static void bind_to_free_cpu(void) { + + DIR* d; + struct dirent* de; + cpu_set_t c; + + u8 cpu_used[4096] = { 0 }; + u32 i; + + if (cpu_core_count < 2) return; + + if (getenv("AFL_NO_AFFINITY")) { + + WARNF("Not binding to a CPU core (AFL_NO_AFFINITY set)."); + return; + + } + + d = opendir("/proc"); + + if (!d) { + + WARNF("Unable to access /proc - can't scan for free CPU cores."); + return; + + } + + ACTF("Checking CPU core loadout..."); + + /* Introduce some jitter, in case multiple AFL tasks are doing the same + thing at the same time... */ + + usleep(R(1000) * 250); + + /* Scan all /proc//status entries, checking for Cpus_allowed_list. + Flag all processes bound to a specific CPU using cpu_used[]. This will + fail for some exotic binding setups, but is likely good enough in almost + all real-world use cases. */ + + while ((de = readdir(d))) { + + u8* fn; + FILE* f; + u8 tmp[MAX_LINE]; + u8 has_vmsize = 0; + + if (!isdigit(de->d_name[0])) continue; + + fn = alloc_printf("/proc/%s/status", de->d_name); + + if (!(f = fopen(fn, "r"))) { + ck_free(fn); + continue; + } + + while (fgets(tmp, MAX_LINE, f)) { + + u32 hval; + + /* Processes without VmSize are probably kernel tasks. */ + + if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; + + if (!strncmp(tmp, "Cpus_allowed_list:\t", 19) && + !strchr(tmp, '-') && !strchr(tmp, ',') && + sscanf(tmp + 19, "%u", &hval) == 1 && hval < sizeof(cpu_used) && + has_vmsize) { + + cpu_used[hval] = 1; + break; + + } + + } + + ck_free(fn); + fclose(f); + + } + + closedir(d); + if (cpu_to_bind_given) { + + if (cpu_to_bind >= cpu_core_count) + FATAL("The CPU core id to bind should be between 0 and %u", cpu_core_count - 1); + + if (cpu_used[cpu_to_bind]) + FATAL("The CPU core #%u to bind is not free!", cpu_to_bind); + + i = cpu_to_bind; + + } else { + + for (i = 0; i < cpu_core_count; i++) if (!cpu_used[i]) break; + + } + + if (i == cpu_core_count) { + + SAYF("\n" cLRD "[-] " cRST + "Uh-oh, looks like all %u CPU cores on your system are allocated to\n" + " other instances of afl-fuzz (or similar CPU-locked tasks). Starting\n" + " another fuzzer on this machine is probably a bad plan, but if you are\n" + " absolutely sure, you can set AFL_NO_AFFINITY and try again.\n", + cpu_core_count); + + FATAL("No more free CPU cores"); + + } + + OKF("Found a free CPU core, binding to #%u.", i); + + cpu_aff = i; + + CPU_ZERO(&c); + CPU_SET(i, &c); + + if (sched_setaffinity(0, sizeof(c), &c)) + PFATAL("sched_setaffinity failed"); + +} + +#endif /* HAVE_AFFINITY */ + +#ifndef IGNORE_FINDS + +/* Helper function to compare buffers; returns first and last differing offset. We + use this to find reasonable locations for splicing two files. */ + +static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { + + s32 f_loc = -1; + s32 l_loc = -1; + u32 pos; + + for (pos = 0; pos < len; pos++) { + + if (*(ptr1++) != *(ptr2++)) { + + if (f_loc == -1) f_loc = pos; + l_loc = pos; + + } + + } + + *first = f_loc; + *last = l_loc; + + return; + +} + +#endif /* !IGNORE_FINDS */ + + +/* Describe integer. Uses 12 cyclic static buffers for return values. The value + returned should be five characters or less for all the integers we reasonably + expect to see. */ + +static u8* DI(u64 val) { + + static u8 tmp[12][16]; + static u8 cur; + + cur = (cur + 1) % 12; + +#define CHK_FORMAT(_divisor, _limit_mult, _fmt, _cast) do { \ + if (val < (_divisor) * (_limit_mult)) { \ + sprintf(tmp[cur], _fmt, ((_cast)val) / (_divisor)); \ + return tmp[cur]; \ + } \ + } while (0) + + /* 0-9999 */ + CHK_FORMAT(1, 10000, "%llu", u64); + + /* 10.0k - 99.9k */ + CHK_FORMAT(1000, 99.95, "%0.01fk", double); + + /* 100k - 999k */ + CHK_FORMAT(1000, 1000, "%lluk", u64); + + /* 1.00M - 9.99M */ + CHK_FORMAT(1000 * 1000, 9.995, "%0.02fM", double); + + /* 10.0M - 99.9M */ + CHK_FORMAT(1000 * 1000, 99.95, "%0.01fM", double); + + /* 100M - 999M */ + CHK_FORMAT(1000 * 1000, 1000, "%lluM", u64); + + /* 1.00G - 9.99G */ + CHK_FORMAT(1000LL * 1000 * 1000, 9.995, "%0.02fG", double); + + /* 10.0G - 99.9G */ + CHK_FORMAT(1000LL * 1000 * 1000, 99.95, "%0.01fG", double); + + /* 100G - 999G */ + CHK_FORMAT(1000LL * 1000 * 1000, 1000, "%lluG", u64); + + /* 1.00T - 9.99G */ + CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 9.995, "%0.02fT", double); + + /* 10.0T - 99.9T */ + CHK_FORMAT(1000LL * 1000 * 1000 * 1000, 99.95, "%0.01fT", double); + + /* 100T+ */ + strcpy(tmp[cur], "infty"); + return tmp[cur]; + +} + + +/* Describe float. Similar to the above, except with a single + static buffer. */ + +static u8* DF(double val) { + + static u8 tmp[16]; + + if (val < 99.995) { + sprintf(tmp, "%0.02f", val); + return tmp; + } + + if (val < 999.95) { + sprintf(tmp, "%0.01f", val); + return tmp; + } + + return DI((u64)val); + +} + + +/* Describe integer as memory size. */ + +static u8* DMS(u64 val) { + + static u8 tmp[12][16]; + static u8 cur; + + cur = (cur + 1) % 12; + + /* 0-9999 */ + CHK_FORMAT(1, 10000, "%llu B", u64); + + /* 10.0k - 99.9k */ + CHK_FORMAT(1024, 99.95, "%0.01f kB", double); + + /* 100k - 999k */ + CHK_FORMAT(1024, 1000, "%llu kB", u64); + + /* 1.00M - 9.99M */ + CHK_FORMAT(1024 * 1024, 9.995, "%0.02f MB", double); + + /* 10.0M - 99.9M */ + CHK_FORMAT(1024 * 1024, 99.95, "%0.01f MB", double); + + /* 100M - 999M */ + CHK_FORMAT(1024 * 1024, 1000, "%llu MB", u64); + + /* 1.00G - 9.99G */ + CHK_FORMAT(1024LL * 1024 * 1024, 9.995, "%0.02f GB", double); + + /* 10.0G - 99.9G */ + CHK_FORMAT(1024LL * 1024 * 1024, 99.95, "%0.01f GB", double); + + /* 100G - 999G */ + CHK_FORMAT(1024LL * 1024 * 1024, 1000, "%llu GB", u64); + + /* 1.00T - 9.99G */ + CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 9.995, "%0.02f TB", double); + + /* 10.0T - 99.9T */ + CHK_FORMAT(1024LL * 1024 * 1024 * 1024, 99.95, "%0.01f TB", double); + +#undef CHK_FORMAT + + /* 100T+ */ + strcpy(tmp[cur], "infty"); + return tmp[cur]; + +} + + +/* Describe time delta. Returns one static buffer, 34 chars of less. */ + +static u8* DTD(u64 cur_ms, u64 event_ms) { + + static u8 tmp[64]; + u64 delta; + s32 t_d, t_h, t_m, t_s; + + if (!event_ms) return "none seen yet"; + + delta = cur_ms - event_ms; + + t_d = delta / 1000 / 60 / 60 / 24; + t_h = (delta / 1000 / 60 / 60) % 24; + t_m = (delta / 1000 / 60) % 60; + t_s = (delta / 1000) % 60; + + sprintf(tmp, "%s days, %u hrs, %u min, %u sec", DI(t_d), t_h, t_m, t_s); + return tmp; + +} + + +/* Mark deterministic checks as done for a particular queue entry. We use the + .state file to avoid repeating deterministic fuzzing when resuming aborted + scans. */ + +static void mark_as_det_done(struct queue_entry* q) { + + u8* fn = strrchr(q->fname, '/'); + s32 fd; + + fn = alloc_printf("%s/queue/.state/deterministic_done/%s", out_dir, fn + 1); + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + close(fd); + + ck_free(fn); + + q->passed_det = 1; + +} + + +/* Mark as variable. Create symlinks if possible to make it easier to examine + the files. */ + +static void mark_as_variable(struct queue_entry* q) { + + u8 *fn = strrchr(q->fname, '/') + 1, *ldest; + + ldest = alloc_printf("../../%s", fn); + fn = alloc_printf("%s/queue/.state/variable_behavior/%s", out_dir, fn); + + if (symlink(ldest, fn)) { + + s32 fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + close(fd); + + } + + ck_free(ldest); + ck_free(fn); + + q->var_behavior = 1; + +} + + +/* Mark / unmark as redundant (edge-only). This is not used for restoring state, + but may be useful for post-processing datasets. */ + +static void mark_as_redundant(struct queue_entry* q, u8 state) { + + u8* fn; + s32 fd; + + if (state == q->fs_redundant) return; + + q->fs_redundant = state; + + fn = strrchr(q->fname, '/'); + fn = alloc_printf("%s/queue/.state/redundant_edges/%s", out_dir, fn + 1); + + if (state) { + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + close(fd); + + } else { + + if (unlink(fn)) PFATAL("Unable to remove '%s'", fn); + + } + + ck_free(fn); + +} + + +/* Append new test case to the queue. */ + +static void add_to_queue(u8* fname, u32 len, u8 passed_det) { + + struct queue_entry* q = ck_alloc(sizeof(struct queue_entry)); + + q->fname = fname; + q->len = len; + q->depth = cur_depth + 1; + q->passed_det = passed_det; + + if (q->depth > max_depth) max_depth = q->depth; + + if (queue_top) { + + queue_top->next = q; + queue_top = q; + + } else q_prev100 = queue = queue_top = q; + + queued_paths++; + pending_not_fuzzed++; + + cycles_wo_finds = 0; + + /* Set next_100 pointer for every 100th element (index 0, 100, etc) to allow faster iteration. */ + if ((queued_paths - 1) % 100 == 0 && queued_paths > 1) { + + q_prev100->next_100 = q; + q_prev100 = q; + + } + + last_path_time = get_cur_time(); + +} + + +/* Destroy the entire queue. */ + +EXP_ST void destroy_queue(void) { + + struct queue_entry *q = queue, *n; + + while (q) { + + n = q->next; + ck_free(q->fname); + ck_free(q->trace_mini); + ck_free(q); + q = n; + + } + +} + + +/* Write bitmap to file. The bitmap is useful mostly for the secret + -B option, to focus a separate fuzzing session on a particular + interesting input without rediscovering all the others. */ + +EXP_ST void write_bitmap(void) { + + u8* fname; + s32 fd; + + if (!bitmap_changed) return; + bitmap_changed = 0; + + fname = alloc_printf("%s/fuzz_bitmap", out_dir); + fd = open(fname, O_WRONLY | O_CREAT | O_TRUNC, 0600); + + if (fd < 0) PFATAL("Unable to open '%s'", fname); + + ck_write(fd, virgin_bits, MAP_SIZE, fname); + + close(fd); + ck_free(fname); + +} + + +/* Read bitmap from file. This is for the -B option again. */ + +EXP_ST void read_bitmap(u8* fname) { + + s32 fd = open(fname, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", fname); + + ck_read(fd, virgin_bits, MAP_SIZE, fname); + + close(fd); + +} + + +/* Check if the current execution path brings anything new to the table. + Update virgin bits to reflect the finds. Returns 1 if the only change is + the hit-count for a particular tuple; 2 if there are new tuples seen. + Updates the map, so subsequent calls will always return 0. + + This function is called after every exec() on a fairly large buffer, so + it needs to be fast. We do this in 32-bit and 64-bit flavors. */ + +static inline u8 has_new_bits(u8* virgin_map) { + +#ifdef WORD_SIZE_64 + + u64* current = (u64*)trace_bits; + u64* virgin = (u64*)virgin_map; + + u32 i = (MAP_SIZE >> 3); + +#else + + u32* current = (u32*)trace_bits; + u32* virgin = (u32*)virgin_map; + + u32 i = (MAP_SIZE >> 2); + +#endif /* ^WORD_SIZE_64 */ + + u8 ret = 0; + + while (i--) { + + /* Optimize for (*current & *virgin) == 0 - i.e., no bits in current bitmap + that have not been already cleared from the virgin map - since this will + almost always be the case. */ + + if (unlikely(*current) && unlikely(*current & *virgin)) { + + if (likely(ret < 2)) { + + u8* cur = (u8*)current; + u8* vir = (u8*)virgin; + + /* Looks like we have not found any new bytes yet; see if any non-zero + bytes in current[] are pristine in virgin[]. */ + +#ifdef WORD_SIZE_64 + + if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff) || + (cur[4] && vir[4] == 0xff) || (cur[5] && vir[5] == 0xff) || + (cur[6] && vir[6] == 0xff) || (cur[7] && vir[7] == 0xff)) ret = 2; + else ret = 1; + +#else + + if ((cur[0] && vir[0] == 0xff) || (cur[1] && vir[1] == 0xff) || + (cur[2] && vir[2] == 0xff) || (cur[3] && vir[3] == 0xff)) ret = 2; + else ret = 1; + +#endif /* ^WORD_SIZE_64 */ + + } + + *virgin &= ~*current; + + } + + current++; + virgin++; + + } + + if (ret && virgin_map == virgin_bits) bitmap_changed = 1; + + return ret; + +} + + +/* Count the number of bits set in the provided bitmap. Used for the status + screen several times every second, does not have to be fast. */ + +static u32 count_bits(u8* mem) { + + u32* ptr = (u32*)mem; + u32 i = (MAP_SIZE >> 2); + u32 ret = 0; + + while (i--) { + + u32 v = *(ptr++); + + /* This gets called on the inverse, virgin bitmap; optimize for sparse + data. */ + + if (v == 0xffffffff) { + ret += 32; + continue; + } + + v -= ((v >> 1) & 0x55555555); + v = (v & 0x33333333) + ((v >> 2) & 0x33333333); + ret += (((v + (v >> 4)) & 0xF0F0F0F) * 0x01010101) >> 24; + + } + + return ret; + +} + + +#define FF(_b) (0xff << ((_b) << 3)) + +/* Count the number of bytes set in the bitmap. Called fairly sporadically, + mostly to update the status screen or calibrate and examine confirmed + new paths. */ + +static u32 count_bytes(u8* mem) { + + u32* ptr = (u32*)mem; + u32 i = (MAP_SIZE >> 2); + u32 ret = 0; + + while (i--) { + + u32 v = *(ptr++); + + if (!v) continue; + if (v & FF(0)) ret++; + if (v & FF(1)) ret++; + if (v & FF(2)) ret++; + if (v & FF(3)) ret++; + + } + + return ret; + +} + + +/* Count the number of non-255 bytes set in the bitmap. Used strictly for the + status screen, several calls per second or so. */ + +static u32 count_non_255_bytes(u8* mem) { + + u32* ptr = (u32*)mem; + u32 i = (MAP_SIZE >> 2); + u32 ret = 0; + + while (i--) { + + u32 v = *(ptr++); + + /* This is called on the virgin bitmap, so optimize for the most likely + case. */ + + if (v == 0xffffffff) continue; + if ((v & FF(0)) != FF(0)) ret++; + if ((v & FF(1)) != FF(1)) ret++; + if ((v & FF(2)) != FF(2)) ret++; + if ((v & FF(3)) != FF(3)) ret++; + + } + + return ret; + +} + + +/* Destructively simplify trace by eliminating hit count information + and replacing it with 0x80 or 0x01 depending on whether the tuple + is hit or not. Called on every new crash or timeout, should be + reasonably fast. */ + +static const u8 simplify_lookup[256] = { + + [0] = 1, + [1 ... 255] = 128 + +}; + +#ifdef WORD_SIZE_64 + +static void simplify_trace(u64* mem) { + + u32 i = MAP_SIZE >> 3; + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { + + u8* mem8 = (u8*)mem; + + mem8[0] = simplify_lookup[mem8[0]]; + mem8[1] = simplify_lookup[mem8[1]]; + mem8[2] = simplify_lookup[mem8[2]]; + mem8[3] = simplify_lookup[mem8[3]]; + mem8[4] = simplify_lookup[mem8[4]]; + mem8[5] = simplify_lookup[mem8[5]]; + mem8[6] = simplify_lookup[mem8[6]]; + mem8[7] = simplify_lookup[mem8[7]]; + + } else *mem = 0x0101010101010101ULL; + + mem++; + + } + +} + +#else + +static void simplify_trace(u32* mem) { + + u32 i = MAP_SIZE >> 2; + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { + + u8* mem8 = (u8*)mem; + + mem8[0] = simplify_lookup[mem8[0]]; + mem8[1] = simplify_lookup[mem8[1]]; + mem8[2] = simplify_lookup[mem8[2]]; + mem8[3] = simplify_lookup[mem8[3]]; + + } else *mem = 0x01010101; + + mem++; + } + +} + +#endif /* ^WORD_SIZE_64 */ + + +/* Destructively classify execution counts in a trace. This is used as a + preprocessing step for any newly acquired traces. Called on every exec, + must be fast. */ + +static const u8 count_class_lookup8[256] = { + + [0] = 0, + [1] = 1, + [2] = 2, + [3] = 4, + [4 ... 7] = 8, + [8 ... 15] = 16, + [16 ... 31] = 32, + [32 ... 127] = 64, + [128 ... 255] = 128 + +}; + +static u16 count_class_lookup16[65536]; + + +EXP_ST void init_count_class16(void) { + + u32 b1, b2; + + for (b1 = 0; b1 < 256; b1++) + for (b2 = 0; b2 < 256; b2++) + count_class_lookup16[(b1 << 8) + b2] = + (count_class_lookup8[b1] << 8) | + count_class_lookup8[b2]; + +} + + +#ifdef WORD_SIZE_64 + +static inline void classify_counts(u64* mem) { + + u32 i = MAP_SIZE >> 3; + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { + + u16* mem16 = (u16*)mem; + + mem16[0] = count_class_lookup16[mem16[0]]; + mem16[1] = count_class_lookup16[mem16[1]]; + mem16[2] = count_class_lookup16[mem16[2]]; + mem16[3] = count_class_lookup16[mem16[3]]; + + } + + mem++; + + } + +} + +#else + +static inline void classify_counts(u32* mem) { + + u32 i = MAP_SIZE >> 2; + + while (i--) { + + /* Optimize for sparse bitmaps. */ + + if (unlikely(*mem)) { + + u16* mem16 = (u16*)mem; + + mem16[0] = count_class_lookup16[mem16[0]]; + mem16[1] = count_class_lookup16[mem16[1]]; + + } + + mem++; + + } + +} + +#endif /* ^WORD_SIZE_64 */ + + +/* Get rid of shared memory (atexit handler). */ + +static void remove_shm(void) { + + shmctl(shm_id, IPC_RMID, NULL); + +} + + +/* Compact trace bytes into a smaller bitmap. We effectively just drop the + count information here. This is called only sporadically, for some + new paths. */ + +static void minimize_bits(u8* dst, u8* src) { + + u32 i = 0; + + while (i < MAP_SIZE) { + + if (*(src++)) dst[i >> 3] |= 1 << (i & 7); + i++; + + } + +} + + +/* When we bump into a new path, we call this to see if the path appears + more "favorable" than any of the existing ones. The purpose of the + "favorables" is to have a minimal set of paths that trigger all the bits + seen in the bitmap so far, and focus on fuzzing them at the expense of + the rest. + + The first step of the process is to maintain a list of top_rated[] entries + for every byte in the bitmap. We win that slot if there is no previous + contender, or if the contender has a more favorable speed x size factor. */ + +static void update_bitmap_score(struct queue_entry* q) { + + u32 i; + u64 fav_factor = q->exec_us * q->len; + + /* For every byte set in trace_bits[], see if there is a previous winner, + and how it compares to us. */ + + for (i = 0; i < MAP_SIZE; i++) + + if (trace_bits[i]) { + + if (top_rated[i]) { + + /* Faster-executing or smaller test cases are favored. */ + + if (fav_factor > top_rated[i]->exec_us * top_rated[i]->len) continue; + + /* Looks like we're going to win. Decrease ref count for the + previous winner, discard its trace_bits[] if necessary. */ + + if (!--top_rated[i]->tc_ref) { + ck_free(top_rated[i]->trace_mini); + top_rated[i]->trace_mini = 0; + } + + } + + /* Insert ourselves as the new winner. */ + + top_rated[i] = q; + q->tc_ref++; + + if (!q->trace_mini) { + q->trace_mini = ck_alloc(MAP_SIZE >> 3); + minimize_bits(q->trace_mini, trace_bits); + } + + score_changed = 1; + + } + +} + + +/* The second part of the mechanism discussed above is a routine that + goes over top_rated[] entries, and then sequentially grabs winners for + previously-unseen bytes (temp_v) and marks them as favored, at least + until the next run. The favored entries are given more air time during + all fuzzing steps. */ + +static void cull_queue(void) { + + struct queue_entry* q; + static u8 temp_v[MAP_SIZE >> 3]; + u32 i; + + if (dumb_mode || !score_changed) return; + + score_changed = 0; + + memset(temp_v, 255, MAP_SIZE >> 3); + + queued_favored = 0; + pending_favored = 0; + + q = queue; + + while (q) { + q->favored = 0; + q = q->next; + } + + /* Let's see if anything in the bitmap isn't captured in temp_v. + If yes, and if it has a top_rated[] contender, let's use it. */ + + for (i = 0; i < MAP_SIZE; i++) + if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { + + u32 j = MAP_SIZE >> 3; + + /* Remove all bits belonging to the current entry from temp_v. */ + + while (j--) + if (top_rated[i]->trace_mini[j]) + temp_v[j] &= ~top_rated[i]->trace_mini[j]; + + top_rated[i]->favored = 1; + queued_favored++; + + if (!top_rated[i]->was_fuzzed) pending_favored++; + + } + + q = queue; + + while (q) { + mark_as_redundant(q, !q->favored); + q = q->next; + } + +} + + +/* Configure shared memory and virgin_bits. This is called at startup. */ + +EXP_ST void setup_shm(void) { + + u8* shm_str; + + if (!in_bitmap) memset(virgin_bits, 255, MAP_SIZE); + + memset(virgin_tmout, 255, MAP_SIZE); + memset(virgin_crash, 255, MAP_SIZE); + + shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600); + + if (shm_id < 0) PFATAL("shmget() failed"); + + atexit(remove_shm); + + shm_str = alloc_printf("%d", shm_id); + + /* If somebody is asking us to fuzz instrumented binaries in dumb mode, + we don't want them to detect instrumentation, since we won't be sending + fork server commands. This should be replaced with better auto-detection + later on, perhaps? */ + + if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); + + ck_free(shm_str); + + trace_bits = shmat(shm_id, NULL, 0); + + if (trace_bits == (void *)-1) PFATAL("shmat() failed"); + +} + + +/* Load postprocessor, if available. */ + +static void setup_post(void) { + + void* dh; + u8* fn = getenv("AFL_POST_LIBRARY"); + u32 tlen = 6; + + if (!fn) return; + + ACTF("Loading postprocessor from '%s'...", fn); + + dh = dlopen(fn, RTLD_NOW); + if (!dh) FATAL("%s", dlerror()); + + post_handler = dlsym(dh, "afl_postprocess"); + if (!post_handler) FATAL("Symbol 'afl_postprocess' not found."); + + /* Do a quick test. It's better to segfault now than later =) */ + + post_handler("hello", &tlen); + + OKF("Postprocessor installed successfully."); + +} + + +/* Read all testcases from the input directory, then queue them for testing. + Called at startup. */ + +static void read_testcases(void) { + + struct dirent **nl; + s32 nl_cnt; + u32 i; + u8* fn; + + /* Auto-detect non-in-place resumption attempts. */ + + fn = alloc_printf("%s/queue", in_dir); + if (!access(fn, F_OK)) in_dir = fn; else ck_free(fn); + + ACTF("Scanning '%s'...", in_dir); + + /* We use scandir() + alphasort() rather than readdir() because otherwise, + the ordering of test cases would vary somewhat randomly and would be + difficult to control. */ + + nl_cnt = scandir(in_dir, &nl, NULL, alphasort); + + if (nl_cnt < 0) { + + if (errno == ENOENT || errno == ENOTDIR) + + SAYF("\n" cLRD "[-] " cRST + "The input directory does not seem to be valid - try again. The fuzzer needs\n" + " one or more test case to start with - ideally, a small file under 1 kB\n" + " or so. The cases must be stored as regular files directly in the input\n" + " directory.\n"); + + PFATAL("Unable to open '%s'", in_dir); + + } + + if (shuffle_queue && nl_cnt > 1) { + + ACTF("Shuffling queue..."); + shuffle_ptrs((void**)nl, nl_cnt); + + } + + for (i = 0; i < nl_cnt; i++) { + + struct stat st; + + u8* fn = alloc_printf("%s/%s", in_dir, nl[i]->d_name); + u8* dfn = alloc_printf("%s/.state/deterministic_done/%s", in_dir, nl[i]->d_name); + + u8 passed_det = 0; + + free(nl[i]); /* not tracked */ + + if (lstat(fn, &st) || access(fn, R_OK)) + PFATAL("Unable to access '%s'", fn); + + /* This also takes care of . and .. */ + + if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn, "/README.testcases")) { + + ck_free(fn); + ck_free(dfn); + continue; + + } + + if (st.st_size > MAX_FILE) + FATAL("Test case '%s' is too big (%s, limit is %s)", fn, + DMS(st.st_size), DMS(MAX_FILE)); + + /* Check for metadata that indicates that deterministic fuzzing + is complete for this entry. We don't want to repeat deterministic + fuzzing when resuming aborted scans, because it would be pointless + and probably very time-consuming. */ + + if (!access(dfn, F_OK)) passed_det = 1; + ck_free(dfn); + + add_to_queue(fn, st.st_size, passed_det); + + } + + free(nl); /* not tracked */ + + if (!queued_paths) { + + SAYF("\n" cLRD "[-] " cRST + "Looks like there are no valid test cases in the input directory! The fuzzer\n" + " needs one or more test case to start with - ideally, a small file under\n" + " 1 kB or so. The cases must be stored as regular files directly in the\n" + " input directory.\n"); + + FATAL("No usable test cases in '%s'", in_dir); + + } + + last_path_time = 0; + queued_at_start = queued_paths; + +} + + +/* Helper function for load_extras. */ + +static int compare_extras_len(const void* p1, const void* p2) { + struct extra_data *e1 = (struct extra_data*)p1, + *e2 = (struct extra_data*)p2; + + return e1->len - e2->len; +} + +static int compare_extras_use_d(const void* p1, const void* p2) { + struct extra_data *e1 = (struct extra_data*)p1, + *e2 = (struct extra_data*)p2; + + return e2->hit_cnt - e1->hit_cnt; +} + + +/* Read extras from a file, sort by size. */ + +static void load_extras_file(u8* fname, u32* min_len, u32* max_len, + u32 dict_level) { + + FILE* f; + u8 buf[MAX_LINE]; + u8 *lptr; + u32 cur_line = 0; + + f = fopen(fname, "r"); + + if (!f) PFATAL("Unable to open '%s'", fname); + + while ((lptr = fgets(buf, MAX_LINE, f))) { + + u8 *rptr, *wptr; + u32 klen = 0; + + cur_line++; + + /* Trim on left and right. */ + + while (isspace(*lptr)) lptr++; + + rptr = lptr + strlen(lptr) - 1; + while (rptr >= lptr && isspace(*rptr)) rptr--; + rptr++; + *rptr = 0; + + /* Skip empty lines and comments. */ + + if (!*lptr || *lptr == '#') continue; + + /* All other lines must end with '"', which we can consume. */ + + rptr--; + + if (rptr < lptr || *rptr != '"') + FATAL("Malformed name=\"value\" pair in line %u.", cur_line); + + *rptr = 0; + + /* Skip alphanumerics and dashes (label). */ + + while (isalnum(*lptr) || *lptr == '_') lptr++; + + /* If @number follows, parse that. */ + + if (*lptr == '@') { + + lptr++; + if (atoi(lptr) > dict_level) continue; + while (isdigit(*lptr)) lptr++; + + } + + /* Skip whitespace and = signs. */ + + while (isspace(*lptr) || *lptr == '=') lptr++; + + /* Consume opening '"'. */ + + if (*lptr != '"') + FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line); + + lptr++; + + if (!*lptr) FATAL("Empty keyword in line %u.", cur_line); + + /* Okay, let's allocate memory and copy data between "...", handling + \xNN escaping, \\, and \". */ + + extras = ck_realloc_block(extras, (extras_cnt + 1) * + sizeof(struct extra_data)); + + wptr = extras[extras_cnt].data = ck_alloc(rptr - lptr); + + while (*lptr) { + + char* hexdigits = "0123456789abcdef"; + + switch (*lptr) { + + case 1 ... 31: + case 128 ... 255: + FATAL("Non-printable characters in line %u.", cur_line); + + case '\\': + + lptr++; + + if (*lptr == '\\' || *lptr == '"') { + *(wptr++) = *(lptr++); + klen++; + break; + } + + if (*lptr != 'x' || !isxdigit(lptr[1]) || !isxdigit(lptr[2])) + FATAL("Invalid escaping (not \\xNN) in line %u.", cur_line); + + *(wptr++) = + ((strchr(hexdigits, tolower(lptr[1])) - hexdigits) << 4) | + (strchr(hexdigits, tolower(lptr[2])) - hexdigits); + + lptr += 3; + klen++; + + break; + + default: + + *(wptr++) = *(lptr++); + klen++; + + } + + } + + extras[extras_cnt].len = klen; + + if (extras[extras_cnt].len > MAX_DICT_FILE) + FATAL("Keyword too big in line %u (%s, limit is %s)", cur_line, + DMS(klen), DMS(MAX_DICT_FILE)); + + if (*min_len > klen) *min_len = klen; + if (*max_len < klen) *max_len = klen; + + extras_cnt++; + + } + + fclose(f); + +} + + +/* Read extras from the extras directory and sort them by size. */ + +static void load_extras(u8* dir) { + + DIR* d; + struct dirent* de; + u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; + u8* x; + + /* If the name ends with @, extract level and continue. */ + + if ((x = strchr(dir, '@'))) { + + *x = 0; + dict_level = atoi(x + 1); + + } + + ACTF("Loading extra dictionary from '%s' (level %u)...", dir, dict_level); + + d = opendir(dir); + + if (!d) { + + if (errno == ENOTDIR) { + load_extras_file(dir, &min_len, &max_len, dict_level); + goto check_and_sort; + } + + PFATAL("Unable to open '%s'", dir); + + } + + if (x) FATAL("Dictionary levels not supported for directories."); + + while ((de = readdir(d))) { + + struct stat st; + u8* fn = alloc_printf("%s/%s", dir, de->d_name); + s32 fd; + + if (lstat(fn, &st) || access(fn, R_OK)) + PFATAL("Unable to access '%s'", fn); + + /* This also takes care of . and .. */ + if (!S_ISREG(st.st_mode) || !st.st_size) { + + ck_free(fn); + continue; + + } + + if (st.st_size > MAX_DICT_FILE) + FATAL("Extra '%s' is too big (%s, limit is %s)", fn, + DMS(st.st_size), DMS(MAX_DICT_FILE)); + + if (min_len > st.st_size) min_len = st.st_size; + if (max_len < st.st_size) max_len = st.st_size; + + extras = ck_realloc_block(extras, (extras_cnt + 1) * + sizeof(struct extra_data)); + + extras[extras_cnt].data = ck_alloc(st.st_size); + extras[extras_cnt].len = st.st_size; + + fd = open(fn, O_RDONLY); + + if (fd < 0) PFATAL("Unable to open '%s'", fn); + + ck_read(fd, extras[extras_cnt].data, st.st_size, fn); + + close(fd); + ck_free(fn); + + extras_cnt++; + + } + + closedir(d); + +check_and_sort: + + if (!extras_cnt) FATAL("No usable files in '%s'", dir); + + qsort(extras, extras_cnt, sizeof(struct extra_data), compare_extras_len); + + OKF("Loaded %u extra tokens, size range %s to %s.", extras_cnt, + DMS(min_len), DMS(max_len)); + + if (max_len > 32) + WARNF("Some tokens are relatively large (%s) - consider trimming.", + DMS(max_len)); + + if (extras_cnt > MAX_DET_EXTRAS) + WARNF("More than %u tokens - will use them probabilistically.", + MAX_DET_EXTRAS); + +} + + + + +/* Helper function for maybe_add_auto() */ + +static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { + + while (len--) if (tolower(*(m1++)) ^ tolower(*(m2++))) return 1; + return 0; + +} + + +/* Maybe add automatic extra. */ + +static void maybe_add_auto(u8* mem, u32 len) { + + u32 i; + + /* Allow users to specify that they don't want auto dictionaries. */ + + if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return; + + /* Skip runs of identical bytes. */ + + for (i = 1; i < len; i++) + if (mem[0] ^ mem[i]) break; + + if (i == len) return; + + /* Reject builtin interesting values. */ + + if (len == 2) { + + i = sizeof(interesting_16) >> 1; + + while (i--) + if (*((u16*)mem) == interesting_16[i] || + *((u16*)mem) == SWAP16(interesting_16[i])) return; + + } + + if (len == 4) { + + i = sizeof(interesting_32) >> 2; + + while (i--) + if (*((u32*)mem) == interesting_32[i] || + *((u32*)mem) == SWAP32(interesting_32[i])) return; + + } + + /* Reject anything that matches existing extras. Do a case-insensitive + match. We optimize by exploiting the fact that extras[] are sorted + by size. */ + + for (i = 0; i < extras_cnt; i++) + if (extras[i].len >= len) break; + + for (; i < extras_cnt && extras[i].len == len; i++) + if (!memcmp_nocase(extras[i].data, mem, len)) return; + + /* Last but not least, check a_extras[] for matches. There are no + guarantees of a particular sort order. */ + + auto_changed = 1; + + for (i = 0; i < a_extras_cnt; i++) { + + if (a_extras[i].len == len && !memcmp_nocase(a_extras[i].data, mem, len)) { + + a_extras[i].hit_cnt++; + goto sort_a_extras; + + } + + } + + /* At this point, looks like we're dealing with a new entry. So, let's + append it if we have room. Otherwise, let's randomly evict some other + entry from the bottom half of the list. */ + + if (a_extras_cnt < MAX_AUTO_EXTRAS) { + + a_extras = ck_realloc_block(a_extras, (a_extras_cnt + 1) * + sizeof(struct extra_data)); + + a_extras[a_extras_cnt].data = ck_memdup(mem, len); + a_extras[a_extras_cnt].len = len; + a_extras_cnt++; + + } else { + + i = MAX_AUTO_EXTRAS / 2 + + UR((MAX_AUTO_EXTRAS + 1) / 2); + + ck_free(a_extras[i].data); + + a_extras[i].data = ck_memdup(mem, len); + a_extras[i].len = len; + a_extras[i].hit_cnt = 0; + + } + +sort_a_extras: + + /* First, sort all auto extras by use count, descending order. */ + + qsort(a_extras, a_extras_cnt, sizeof(struct extra_data), + compare_extras_use_d); + + /* Then, sort the top USE_AUTO_EXTRAS entries by size. */ + + qsort(a_extras, MIN(USE_AUTO_EXTRAS, a_extras_cnt), + sizeof(struct extra_data), compare_extras_len); + +} + + +/* Save automatically generated extras. */ + +static void save_auto(void) { + + u32 i; + + if (!auto_changed) return; + auto_changed = 0; + + for (i = 0; i < MIN(USE_AUTO_EXTRAS, a_extras_cnt); i++) { + + u8* fn = alloc_printf("%s/queue/.state/auto_extras/auto_%06u", out_dir, i); + s32 fd; + + fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", fn); + + ck_write(fd, a_extras[i].data, a_extras[i].len, fn); + + close(fd); + ck_free(fn); + + } + +} + + +/* Load automatically generated extras. */ + +static void load_auto(void) { + + u32 i; + + for (i = 0; i < USE_AUTO_EXTRAS; i++) { + + u8 tmp[MAX_AUTO_EXTRA + 1]; + u8* fn = alloc_printf("%s/.state/auto_extras/auto_%06u", in_dir, i); + s32 fd, len; + + fd = open(fn, O_RDONLY, 0600); + + if (fd < 0) { + + if (errno != ENOENT) PFATAL("Unable to open '%s'", fn); + ck_free(fn); + break; + + } + + /* We read one byte more to cheaply detect tokens that are too + long (and skip them). */ + + len = read(fd, tmp, MAX_AUTO_EXTRA + 1); + + if (len < 0) PFATAL("Unable to read from '%s'", fn); + + if (len >= MIN_AUTO_EXTRA && len <= MAX_AUTO_EXTRA) + maybe_add_auto(tmp, len); + + close(fd); + ck_free(fn); + + } + + if (i) OKF("Loaded %u auto-discovered dictionary tokens.", i); + else OKF("No auto-generated dictionary tokens to reuse."); + +} + + +/* Destroy extras. */ + +static void destroy_extras(void) { + + u32 i; + + for (i = 0; i < extras_cnt; i++) + ck_free(extras[i].data); + + ck_free(extras); + + for (i = 0; i < a_extras_cnt; i++) + ck_free(a_extras[i].data); + + ck_free(a_extras); + +} + + +/* Spin up fork server (instrumented mode only). The idea is explained here: + + http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html + + In essence, the instrumentation allows us to skip execve(), and just keep + cloning a stopped child. So, we just execute once, and then send commands + through a pipe. The other part of this logic is in afl-as.h. */ + +EXP_ST void init_forkserver(char** argv) { + + static struct itimerval it; + int st_pipe[2], ctl_pipe[2]; + int status; + s32 rlen; + + ACTF("Spinning up the fork server..."); + + if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed"); + + forksrv_pid = fork(); + + if (forksrv_pid < 0) PFATAL("fork() failed"); + + if (!forksrv_pid) { + + struct rlimit r; + + /* Umpf. On OpenBSD, the default fd limit for root users is set to + soft 128. Let's try to fix that... */ + + if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { + + r.rlim_cur = FORKSRV_FD + 2; + setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ + + } + + if (mem_limit) { + + r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; + +#ifdef RLIMIT_AS + + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + +#else + + /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but + according to reliable sources, RLIMIT_DATA covers anonymous + maps - so we should be getting good protection against OOM bugs. */ + + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + +#endif /* ^RLIMIT_AS */ + + + } + + /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered + before the dump is complete. */ + + r.rlim_max = r.rlim_cur = 0; + + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + + /* Isolate the process and configure standard descriptors. If out_file is + specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + + setsid(); + + dup2(dev_null_fd, 1); + dup2(dev_null_fd, 2); + + if (out_file) { + + dup2(dev_null_fd, 0); + + } else { + + dup2(out_fd, 0); + close(out_fd); + + } + + /* Set up control and status pipes, close the unneeded original fds. */ + + if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); + if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); + + close(ctl_pipe[0]); + close(ctl_pipe[1]); + close(st_pipe[0]); + close(st_pipe[1]); + + close(out_dir_fd); + close(dev_null_fd); + close(dev_urandom_fd); + close(fileno(plot_file)); + + /* This should improve performance a bit, since it stops the linker from + doing extra work post-fork(). */ + + if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); + + /* Set sane defaults for ASAN if nothing else specified. */ + + setenv("ASAN_OPTIONS", "abort_on_error=1:" + "detect_leaks=0:" + "symbolize=0:" + "allocator_may_return_null=1", 0); + + /* MSAN is tricky, because it doesn't support abort_on_error=1 at this + point. So, we do this in a very hacky way. */ + + setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" + "symbolize=0:" + "abort_on_error=1:" + "allocator_may_return_null=1:" + "msan_track_origins=0", 0); + + execv(target_path, argv); + + /* Use a distinctive bitmap signature to tell the parent about execv() + falling through. */ + + *(u32*)trace_bits = EXEC_FAIL_SIG; + exit(0); + + } + + /* Close the unneeded endpoints. */ + + close(ctl_pipe[0]); + close(st_pipe[1]); + + fsrv_ctl_fd = ctl_pipe[1]; + fsrv_st_fd = st_pipe[0]; + + /* Wait for the fork server to come up, but don't wait too long. */ + + it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000); + it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; + + setitimer(ITIMER_REAL, &it, NULL); + + rlen = read(fsrv_st_fd, &status, 4); + + it.it_value.tv_sec = 0; + it.it_value.tv_usec = 0; + + setitimer(ITIMER_REAL, &it, NULL); + + /* If we have a four-byte "hello" message from the server, we're all set. + Otherwise, try to figure out what went wrong. */ + + if (rlen == 4) { + OKF("All right - fork server is up."); + return; + } + + if (child_timed_out) + FATAL("Timeout while initializing fork server (adjusting -t may help)"); + + if (waitpid(forksrv_pid, &status, 0) <= 0) + PFATAL("waitpid() failed"); + + if (WIFSIGNALED(status)) { + + if (mem_limit && mem_limit < 500 && uses_asan) { + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, before receiving any input\n" + " from the fuzzer! Since it seems to be built with ASAN and you have a\n" + " restrictive memory limit configured, this is expected; please read\n" + " %s/notes_for_asan.txt for help.\n", doc_path); + + } else if (!mem_limit) { + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, before receiving any input\n" + " from the fuzzer! There are several probable explanations:\n\n" + + " - The binary is just buggy and explodes entirely on its own. If so, you\n" + " need to fix the underlying problem or find a better replacement.\n\n" + +#ifdef __APPLE__ + + " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" + " break afl-fuzz performance optimizations when running platform-specific\n" + " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" + +#endif /* __APPLE__ */ + + " - Less likely, there is a horrible bug in the fuzzer. If other options\n" + " fail, poke for troubleshooting tips.\n"); + + } else { + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the target binary crashed suddenly, before receiving any input\n" + " from the fuzzer! There are several probable explanations:\n\n" + + " - The current memory limit (%s) is too restrictive, causing the\n" + " target to hit an OOM condition in the dynamic linker. Try bumping up\n" + " the limit with the -m setting in the command line. A simple way confirm\n" + " this diagnosis would be:\n\n" + +#ifdef RLIMIT_AS + " ( ulimit -Sv $[%llu << 10]; /path/to/fuzzed_app )\n\n" +#else + " ( ulimit -Sd $[%llu << 10]; /path/to/fuzzed_app )\n\n" +#endif /* ^RLIMIT_AS */ + + " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" + " estimate the required amount of virtual memory for the binary.\n\n" + + " - The binary is just buggy and explodes entirely on its own. If so, you\n" + " need to fix the underlying problem or find a better replacement.\n\n" + +#ifdef __APPLE__ + + " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" + " break afl-fuzz performance optimizations when running platform-specific\n" + " targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" + +#endif /* __APPLE__ */ + + " - Less likely, there is a horrible bug in the fuzzer. If other options\n" + " fail, poke for troubleshooting tips.\n", + DMS(mem_limit << 20), mem_limit - 1); + + } + + FATAL("Fork server crashed with signal %d", WTERMSIG(status)); + + } + + if (*(u32*)trace_bits == EXEC_FAIL_SIG) + FATAL("Unable to execute target application ('%s')", argv[0]); + + if (mem_limit && mem_limit < 500 && uses_asan) { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated before we could complete a\n" + " handshake with the injected code. Since it seems to be built with ASAN and\n" + " you have a restrictive memory limit configured, this is expected; please\n" + " read %s/notes_for_asan.txt for help.\n", doc_path); + + } else if (!mem_limit) { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated before we could complete a\n" + " handshake with the injected code. Perhaps there is a horrible bug in the\n" + " fuzzer. Poke for troubleshooting tips.\n"); + + } else { + + SAYF("\n" cLRD "[-] " cRST + "Hmm, looks like the target binary terminated before we could complete a\n" + " handshake with the injected code. There are %s probable explanations:\n\n" + + "%s" + " - The current memory limit (%s) is too restrictive, causing an OOM\n" + " fault in the dynamic linker. This can be fixed with the -m option. A\n" + " simple way to confirm the diagnosis may be:\n\n" + +#ifdef RLIMIT_AS + " ( ulimit -Sv $[%llu << 10]; /path/to/fuzzed_app )\n\n" +#else + " ( ulimit -Sd $[%llu << 10]; /path/to/fuzzed_app )\n\n" +#endif /* ^RLIMIT_AS */ + + " Tip: you can use http://jwilk.net/software/recidivm to quickly\n" + " estimate the required amount of virtual memory for the binary.\n\n" + + " - Less likely, there is a horrible bug in the fuzzer. If other options\n" + " fail, poke for troubleshooting tips.\n", + getenv(DEFER_ENV_VAR) ? "three" : "two", + getenv(DEFER_ENV_VAR) ? + " - You are using deferred forkserver, but __AFL_INIT() is never\n" + " reached before the program terminates.\n\n" : "", + DMS(mem_limit << 20), mem_limit - 1); + + } + + FATAL("Fork server handshake failed"); + +} + + +/* Execute target application, monitoring for timeouts. Return status + information. The called program will update trace_bits[]. */ + +static u8 run_target(char** argv, u32 timeout) { + + static struct itimerval it; + static u32 prev_timed_out = 0; + static u64 exec_ms = 0; + + int status = 0; + u32 tb4; + + child_timed_out = 0; + + /* After this memset, trace_bits[] are effectively volatile, so we + must prevent any earlier operations from venturing into that + territory. */ + + memset(trace_bits, 0, MAP_SIZE); + MEM_BARRIER(); + + /* If we're running in "dumb" mode, we can't rely on the fork server + logic compiled into the target program, so we will just keep calling + execve(). There is a bit of code duplication between here and + init_forkserver(), but c'est la vie. */ + + if (dumb_mode == 1 || no_forkserver) { + + child_pid = fork(); + + if (child_pid < 0) PFATAL("fork() failed"); + + if (!child_pid) { + + struct rlimit r; + + if (mem_limit) { + + r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20; + +#ifdef RLIMIT_AS + + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + +#else + + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + +#endif /* ^RLIMIT_AS */ + + } + + r.rlim_max = r.rlim_cur = 0; + + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + + /* Isolate the process and configure standard descriptors. If out_file is + specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + + setsid(); + + dup2(dev_null_fd, 1); + dup2(dev_null_fd, 2); + + if (out_file) { + + dup2(dev_null_fd, 0); + + } else { + + dup2(out_fd, 0); + close(out_fd); + + } + + /* On Linux, would be faster to use O_CLOEXEC. Maybe TODO. */ + + close(dev_null_fd); + close(out_dir_fd); + close(dev_urandom_fd); + close(fileno(plot_file)); + + /* Set sane defaults for ASAN if nothing else specified. */ + + setenv("ASAN_OPTIONS", "abort_on_error=1:" + "detect_leaks=0:" + "symbolize=0:" + "allocator_may_return_null=1", 0); + + setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" + "symbolize=0:" + "msan_track_origins=0", 0); + + execv(target_path, argv); + + /* Use a distinctive bitmap value to tell the parent about execv() + falling through. */ + + *(u32*)trace_bits = EXEC_FAIL_SIG; + exit(0); + + } + + } else { + + s32 res; + + /* In non-dumb mode, we have the fork server up and running, so simply + tell it to have at it, and then read back PID. */ + + if ((res = write(fsrv_ctl_fd, &prev_timed_out, 4)) != 4) { + + if (stop_soon) return 0; + RPFATAL(res, "Unable to request new process from fork server (OOM?)"); + + } + + if ((res = read(fsrv_st_fd, &child_pid, 4)) != 4) { + + if (stop_soon) return 0; + RPFATAL(res, "Unable to request new process from fork server (OOM?)"); + + } + + if (child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)"); + + } + + /* Configure timeout, as requested by user, then wait for child to terminate. */ + + it.it_value.tv_sec = (timeout / 1000); + it.it_value.tv_usec = (timeout % 1000) * 1000; + + setitimer(ITIMER_REAL, &it, NULL); + + /* The SIGALRM handler simply kills the child_pid and sets child_timed_out. */ + + if (dumb_mode == 1 || no_forkserver) { + + if (waitpid(child_pid, &status, 0) <= 0) PFATAL("waitpid() failed"); + + } else { + + s32 res; + + if ((res = read(fsrv_st_fd, &status, 4)) != 4) { + + if (stop_soon) return 0; + RPFATAL(res, "Unable to communicate with fork server (OOM?)"); + + } + + } + + if (!WIFSTOPPED(status)) child_pid = 0;//这行代码检查子进程的状态。如果子进程没有被停止(即没有收到停止信号),则将child_pid变量设置为0。这通常意味着子进程已经完成执行。 + + getitimer(ITIMER_REAL, &it);//这行代码获取当前的实时定时器(ITIMER_REAL)的剩余时间,并将其存储在it结构体中。 + exec_ms = (u64) timeout - (it.it_value.tv_sec * 1000 + + it.it_value.tv_usec / 1000); +//这行代码计算被测试程序的实际执行时间。它从预设的超时时间timeout中减去定时器剩余的时间(转换成毫秒)。这个值被存储在exec_ms中,代表执行时间,单位是毫秒。 + it.it_value.tv_sec = 0; + it.it_value.tv_usec = 0;//定时器置零 + + setitimer(ITIMER_REAL, &it, NULL);//设置实时定时器,使用上面设置的0值,这意味着定时器被禁用,不会再产生超时信号。 + + total_execs++; + + /* Any subsequent operations on trace_bits must not be moved by the + compiler below this point. Past this location, trace_bits[] behave + very normally and do not have to be treated as volatile. */ + + MEM_BARRIER();//这是一个内存屏障函数,确保前面的操作不会被编译器重排到后面的操作之后。这对于多线程程序中的内存访问顺序很重要。 + + tb4 = *(u32*)trace_bits;//这行代码将trace_bits(一个用于记录被测试程序执行路径的位图数组)的前4个字节的内容读取到一个无符号32位整数tb4中。这个值可能用于后续的分析,以确定被测试程序的执行路径是否产生了新的覆盖 + +#ifdef WORD_SIZE_64 + classify_counts((u64*)trace_bits); +#else + classify_counts((u32*)trace_bits); +#endif /* ^WORD_SIZE_64 */ +//这部分代码使用宏WORD_SIZE_64来确定系统是64位还是32位。根据系统的字长,它将trace_bits转换为相应的指针类型(u64*或u32*),并调用classify_counts函数。这个函数可能用于对trace_bits中的计数数据进行分类或简化。 + prev_timed_out = child_timed_out; + + /* Report outcome to caller. */ + + if (WIFSIGNALED(status) && !stop_soon) { +//这部分代码检查子进程是否因信号而终止。如果子进程因超时被杀死(SIGKILL),则返回FAULT_TMOUT。否则,返回FAULT_CRASH表示子进程崩溃。 + kill_signal = WTERMSIG(status); + + if (child_timed_out && kill_signal == SIGKILL) return FAULT_TMOUT; + + return FAULT_CRASH; + + } + + /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and + must use a special exit code. */ + + if (uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { + //对于使用地址sanitizer(ASAN)的程序,如果退出状态表明发生了内存错误(MSAN_ERROR),则返回FAULT_CRASH + kill_signal = 0; + return FAULT_CRASH; + } + + if ((dumb_mode == 1 || no_forkserver) && tb4 == EXEC_FAIL_SIG) + //如果运行在“dumb”模式或没有使用fork服务器,且tb4的值表明执行失败,则返回FAULT_ERROR。 + return FAULT_ERROR; + + /* It makes sense to account for the slowest units only if the testcase was run + under the user defined timeout. */ + if (!(timeout > exec_tmout) && (slowest_exec_ms < exec_ms)) { + //如果测试用例在用户定义的超时时间内运行,并且其执行时间是目前为止最慢的,则更新slowest_exec_ms。 + slowest_exec_ms = exec_ms; + } + + return FAULT_NONE; + +} + + +/* Write modified data to file for testing. If out_file is set, the old file + is unlinked and a new one is created. Otherwise, out_fd is rewound and + truncated. */ + +static void write_to_testcase(void* mem, u32 len) { + + s32 fd = out_fd; + + if (out_file) { +//如果指定了输出文件名(out_file),则删除旧文件并创建一个新文件。否则,将文件描述符的位置设置为文件开头。 + unlink(out_file); /* Ignore errors. */ + + fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", out_file); + + } else lseek(fd, 0, SEEK_SET); +//如果没有指定输出文件名,则截断文件到指定长度并重置文件位置。如果指定了输出文件名,则关闭文件描述符。 + ck_write(fd, mem, len, out_file); + + if (!out_file) { + + if (ftruncate(fd, len)) PFATAL("ftruncate() failed"); + lseek(fd, 0, SEEK_SET); + + } else close(fd); + +} + + +/* The same, but with an adjustable gap. Used for trimming. */ + +static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { +//这个函数类似于write_to_testcase,但允许在文件中跳过一段数据(skip_at和skip_len)。 + s32 fd = out_fd; + u32 tail_len = len - skip_at - skip_len; + + if (out_file) { +//如果指定了输出文件名,则删除旧文件并创建一个新文件。否则,将文件描述符的位置设置为文件开头。 + unlink(out_file); /* Ignore errors. */ + + fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", out_file); + + } else lseek(fd, 0, SEEK_SET); + + if (skip_at) ck_write(fd, mem, skip_at, out_file); + + if (tail_len) ck_write(fd, mem + skip_at + skip_len, tail_len, out_file);//写入跳过部分之后的数据 + + if (!out_file) { +//如果没有指定输出文件名,则截断文件到指定长度并重置文件位置。如果指定了输出文件名,则关闭文件描述符。 + if (ftruncate(fd, len - skip_len)) PFATAL("ftruncate() failed"); + lseek(fd, 0, SEEK_SET); + + } else close(fd); + +} + + +static void show_stats(void); + +/* Calibrate a new test case. This is done when processing the input directory + to warn about flaky or otherwise problematic test cases early on; and when + new paths are discovered to detect variable behavior and so on. */ +//start_us, stop_us; + +//保存了一些旧的状态值,以便在函数执行完毕后恢复。 + +static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, + u32 handicap, u8 from_queue) { + + static u8 first_trace[MAP_SIZE]; + + u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0, + first_run = (q->exec_cksum == 0); + + u64 start_us, stop_us; + + s32 old_sc = stage_cur, old_sm = stage_max; + u32 use_tmout = exec_tmout; + u8* old_sn = stage_name; + + /* Be a bit more generous about timeouts when resuming sessions, or when + trying to calibrate already-added finds. This helps avoid trouble due + to intermittent latency. */ +//如果是在恢复会话或校准已经添加的测试用例时,会放宽超时限制。 + if (!from_queue || resuming_fuzz) + use_tmout = MAX(exec_tmout + CAL_TMOUT_ADD, + exec_tmout * CAL_TMOUT_PERC / 100); + + q->cal_failed++; +//设置当前阶段为“calibration”,并根据是否快速校准设置阶段最大值。 + stage_name = "calibration"; + stage_max = fast_cal ? 3 : CAL_CYCLES; + + /* Make sure the forkserver is up before we do anything, and let's not + count its spin-up time toward binary calibration. */ +//如果没有运行在“dumb”模式,并且没有使用fork服务器,那么初始化fork服务器。 + if (dumb_mode != 1 && !no_forkserver && !forksrv_pid) + init_forkserver(argv); + + if (q->exec_cksum) { +//如果队列条目已经有执行校验和,那么将第一次执行的trace bits复制到first_trace。 + memcpy(first_trace, trace_bits, MAP_SIZE); + hnb = has_new_bits(virgin_bits); + if (hnb > new_bits) new_bits = hnb; + + } + + start_us = get_cur_time_us();//计时 + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + u32 cksum; + + if (!first_run && !(stage_cur % stats_update_freq)) show_stats(); +//如果不是第一次运行并且到了更新频率,显示统计信息。 + write_to_testcase(use_mem, q->len);//将测试用例数据写入文件。 + + fault = run_target(argv, use_tmout);//运行目标程序并获取执行结果。 + + /* stop_soon is set by the handler for Ctrl+C. When it's pressed, + we want to bail out quickly. */ + + if (stop_soon || fault != crash_mode) goto abort_calibration;//如果用户请求停止或者执行结果不是崩溃模式,则跳到校准中止。 + + if (!dumb_mode && !stage_cur && !count_bytes(trace_bits)) { + //如果不是“dumb”模式,并且是第一次校准,并且没有新的代码覆盖,则设置错误为FAULT_NOINST并跳到校准中止。 + fault = FAULT_NOINST; + goto abort_calibration; + } + + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);//计算当前trace bits的哈希值,并与队列条目的执行校验和比较。 + + if (q->exec_cksum != cksum) { +//如果有新的bits被设置,则更新new_bits。 + hnb = has_new_bits(virgin_bits); + if (hnb > new_bits) new_bits = hnb; + + if (q->exec_cksum) {//如果队列条目之前有执行校验和,则检查变量字节。 + + u32 i; + //对于每个不同的字节,将其标记为变量字节,并增加校准周期。 + for (i = 0; i < MAP_SIZE; i++) { + + if (!var_bytes[i] && first_trace[i] != trace_bits[i]) { + + var_bytes[i] = 1; + stage_max = CAL_CYCLES_LONG; + + } + + } + + var_detected = 1; + //如果队列条目之前没有执行校验和,则更新其执行校验和并复制当前trace bits。 + } else { + + q->exec_cksum = cksum; + memcpy(first_trace, trace_bits, MAP_SIZE); + + } + + } + + } + + stop_us = get_cur_time_us(); + + total_cal_us += stop_us - start_us;//更新总校准时间和周期。 + total_cal_cycles += stage_max; + + /* OK, let's collect some stats about the performance of this test case. + This is used for fuzzing air time calculations in calculate_score(). */ +//更新队列条目的执行时间、位图大小和校准失败计数。 + q->exec_us = (stop_us - start_us) / stage_max; + q->bitmap_size = count_bytes(trace_bits); + q->handicap = handicap; + q->cal_failed = 0; + + total_bitmap_size += q->bitmap_size;//更新总位图大小和条目数 + total_bitmap_entries++; + + update_bitmap_score(q); + + /* If this case didn't result in new output from the instrumentation, tell + parent. This is a non-critical problem, but something to warn the user + about. */ + + if (!dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; + +abort_calibration: +//如果有新的bits被设置并且队列条目之前没有新覆盖,则更新队列条目的新覆盖标志。 + if (new_bits == 2 && !q->has_new_cov) { + q->has_new_cov = 1; + queued_with_cov++; + } + + /* Mark variable paths. */ + + if (var_detected) { +//如果检测到变量行为,则标记队列条目。 + var_byte_count = count_bytes(var_bytes); + + if (!q->var_behavior) { + mark_as_variable(q); + queued_variable++; + } + + } +//恢复旧的状态值。 + stage_name = old_sn; + stage_cur = old_sc; + stage_max = old_sm; + + if (!first_run) show_stats();//如果校准中止,则跳到函数末尾。 + + return fault; + +} + + +/* Examine map coverage. Called once, for first test case. */ + +static void check_map_coverage(void) { +/* +这个函数检查映射覆盖率是否足够。如果映射中被设置的字节数少于100,则函数直接返回。 +然后,它检查映射的后半部分是否有任何被设置的位。如果没有,这意味着测试用例只触发了 +映射的前半部分,这可能意味着二进制文件需要重新编译以获得更好的覆盖率。在这种情况下 +,它会打印一条警告消息。 +*/ + u32 i; + + if (count_bytes(trace_bits) < 100) return; + + for (i = (1 << (MAP_SIZE_POW2 - 1)); i < MAP_SIZE; i++) + if (trace_bits[i]) return; + + WARNF("Recompile binary with newer version of afl to improve coverage!"); + +} + + +/* Perform dry run of all test cases to confirm that the app is working as + expected. This is done only for the initial inputs, and only once. */ + +static void perform_dry_run(char** argv) { + + struct queue_entry* q = queue; + u32 cal_failures = 0; + u8* skip_crashes = getenv("AFL_SKIP_CRASHES"); + + while (q) { + + u8* use_mem; + u8 res; + s32 fd; + + u8* fn = strrchr(q->fname, '/') + 1; +//打开并读取测试用例文件。 + ACTF("Attempting dry run with '%s'...", fn); + + fd = open(q->fname, O_RDONLY); + if (fd < 0) PFATAL("Unable to open '%s'", q->fname); + + use_mem = ck_alloc_nozero(q->len);////分配内存并读取测试用例数据。 + + if (read(fd, use_mem, q->len) != q->len) + FATAL("Short read from '%s'", q->fname); + + close(fd); + + res = calibrate_case(argv, q, use_mem, 0, 1);//调用calibrate_case函数来校准测试用例。 + ck_free(use_mem); + + if (stop_soon) return; + + if (res == crash_mode || res == FAULT_NOBITS) + SAYF(cGRA " len = %u, map size = %u, exec speed = %llu us\n" cRST, + q->len, q->bitmap_size, q->exec_us); + + switch (res) { + + case FAULT_NONE: + + if (q == queue) check_map_coverage(); + + if (crash_mode) FATAL("Test case '%s' does *NOT* crash", fn); + + break; + + case FAULT_TMOUT: + + if (timeout_given) { + + /* The -t nn+ syntax in the command line sets timeout_given to '2' and + instructs afl-fuzz to tolerate but skip queue entries that time + out. */ + + if (timeout_given > 1) { + WARNF("Test case results in a timeout (skipping)"); + q->cal_failed = CAL_CHANCES; + cal_failures++; + break; + } + + SAYF("\n" cLRD "[-] " cRST + "The program took more than %u ms to process one of the initial test cases.\n" + " Usually, the right thing to do is to relax the -t option - or to delete it\n" + " altogether and allow the fuzzer to auto-calibrate. That said, if you know\n" + " what you are doing and want to simply skip the unruly test cases, append\n" + " '+' at the end of the value passed to -t ('-t %u+').\n", exec_tmout, + exec_tmout); + + FATAL("Test case '%s' results in a timeout", fn); + + } else { + + SAYF("\n" cLRD "[-] " cRST + "The program took more than %u ms to process one of the initial test cases.\n" + " This is bad news; raising the limit with the -t option is possible, but\n" + " will probably make the fuzzing process extremely slow.\n\n" + + " If this test case is just a fluke, the other option is to just avoid it\n" + " altogether, and find one that is less of a CPU hog.\n", exec_tmout); + + FATAL("Test case '%s' results in a timeout", fn); + + } + + case FAULT_CRASH: + + if (crash_mode) break; + + if (skip_crashes) { + WARNF("Test case results in a crash (skipping)"); + q->cal_failed = CAL_CHANCES; + cal_failures++; + break; + } + + if (mem_limit) { + + SAYF("\n" cLRD "[-] " cRST + "Oops, the program crashed with one of the test cases provided. There are\n" + " several possible explanations:\n\n" + + " - The test case causes known crashes under normal working conditions. If\n" + " so, please remove it. The fuzzer should be seeded with interesting\n" + " inputs - but not ones that cause an outright crash.\n\n" + + " - The current memory limit (%s) is too low for this program, causing\n" + " it to die due to OOM when parsing valid files. To fix this, try\n" + " bumping it up with the -m setting in the command line. If in doubt,\n" + " try something along the lines of:\n\n" +/* +根据校准结果,执行不同的操作: + + 如果测试用例没有引起崩溃,并且不是在寻找崩溃的模式下运行,则检查映射覆盖率。 + 如果测试用例导致超时,根据timeout_given变量的值,可能跳过该测试用例或报告错误。 + 如果测试用例导致崩溃,根据crash_mode变量的值和环境变量AFL_SKIP_CRASHES,可能跳过该测试用例或报告错误。 + +*/ + + +#ifdef RLIMIT_AS + " ( ulimit -Sv $[%llu << 10]; /path/to/binary [...] for troubleshooting tips.\n", + DMS(mem_limit << 20), mem_limit - 1, doc_path); + + } else { + + SAYF("\n" cLRD "[-] " cRST + "Oops, the program crashed with one of the test cases provided. There are\n" + " several possible explanations:\n\n" + + " - The test case causes known crashes under normal working conditions. If\n" + " so, please remove it. The fuzzer should be seeded with interesting\n" + " inputs - but not ones that cause an outright crash.\n\n" + +#ifdef __APPLE__ + + " - On MacOS X, the semantics of fork() syscalls are non-standard and may\n" + " break afl-fuzz performance optimizations when running platform-specific\n" + " binaries. To fix this, set AFL_NO_FORKSRV=1 in the environment.\n\n" + +#endif /* __APPLE__ */ + + " - Least likely, there is a horrible bug in the fuzzer. If other options\n" + " fail, poke for troubleshooting tips.\n"); + + } + + FATAL("Test case '%s' results in a crash", fn); + + case FAULT_ERROR: + + FATAL("Unable to execute target application ('%s')", argv[0]); + + case FAULT_NOINST: + + FATAL("No instrumentation detected"); + + case FAULT_NOBITS: + + useless_at_start++; + + if (!in_bitmap && !shuffle_queue) + WARNF("No new instrumentation output, test case may be useless."); + + break; + + } + + if (q->var_behavior) WARNF("Instrumentation output varies across runs."); + + q = q->next; + + } + + if (cal_failures) { + + if (cal_failures == queued_paths) + FATAL("All test cases time out%s, giving up!", + skip_crashes ? " or crash" : ""); + + WARNF("Skipped %u test cases (%0.02f%%) due to timeouts%s.", cal_failures, + ((double)cal_failures) * 100 / queued_paths, + skip_crashes ? " or crashes" : ""); + + if (cal_failures * 5 > queued_paths) + WARNF(cLRD "High percentage of rejected test cases, check settings!"); + + } + + OKF("All test cases processed."); + +} + + +/* Helper function: link() if possible, copy otherwise. */ + +static void link_or_copy(u8* old_path, u8* new_path) { + + s32 i = link(old_path, new_path); + s32 sfd, dfd; + u8* tmp; + + if (!i) return; + + sfd = open(old_path, O_RDONLY); + if (sfd < 0) PFATAL("Unable to open '%s'", old_path); + + dfd = open(new_path, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (dfd < 0) PFATAL("Unable to create '%s'", new_path); + + tmp = ck_alloc(64 * 1024); + + while ((i = read(sfd, tmp, 64 * 1024)) > 0) + ck_write(dfd, tmp, i, new_path); + + if (i < 0) PFATAL("read() failed"); + + ck_free(tmp); + close(sfd); + close(dfd); + +} + + +static void nuke_resume_dir(void); + +/* Create hard links for input test cases in the output directory, choosing + good names and pivoting accordingly. */ + +static void pivot_inputs(void) { + + struct queue_entry* q = queue; + u32 id = 0; + + ACTF("Creating hard links for all input files..."); + + while (q) { + + u8 *nfn, *rsl = strrchr(q->fname, '/'); + u32 orig_id; + + if (!rsl) rsl = q->fname; else rsl++; + + /* If the original file name conforms to the syntax and the recorded + ID matches the one we'd assign, just use the original file name. + This is valuable for resuming fuzzing runs. */ + +#ifndef SIMPLE_FILES +# define CASE_PREFIX "id:" +#else +# define CASE_PREFIX "id_" +#endif /* ^!SIMPLE_FILES */ + + if (!strncmp(rsl, CASE_PREFIX, 3) && + sscanf(rsl + 3, "%06u", &orig_id) == 1 && orig_id == id) { + + u8* src_str; + u32 src_id; + + resuming_fuzz = 1; + nfn = alloc_printf("%s/queue/%s", out_dir, rsl); + + /* Since we're at it, let's also try to find parent and figure out the + appropriate depth for this entry. */ + + src_str = strchr(rsl + 3, ':'); + + if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) { + + struct queue_entry* s = queue; + while (src_id-- && s) s = s->next; + if (s) q->depth = s->depth + 1; + + if (max_depth < q->depth) max_depth = q->depth; + + } + + } else { + + /* No dice - invent a new name, capturing the original one as a + substring. */ + +#ifndef SIMPLE_FILES + + u8* use_name = strstr(rsl, ",orig:"); + + if (use_name) use_name += 6; else use_name = rsl; + nfn = alloc_printf("%s/queue/id:%06u,orig:%s", out_dir, id, use_name); + +#else + + nfn = alloc_printf("%s/queue/id_%06u", out_dir, id); + +#endif /* ^!SIMPLE_FILES */ + + } + + /* Pivot to the new queue entry. */ + + link_or_copy(q->fname, nfn); + ck_free(q->fname); + q->fname = nfn; + + /* Make sure that the passed_det value carries over, too. */ + + if (q->passed_det) mark_as_det_done(q); + + q = q->next; + id++; + + } + + if (in_place_resume) nuke_resume_dir(); + +} + + +#ifndef SIMPLE_FILES + +/* Construct a file name for a new test case, capturing the operation + that led to its discovery. Uses a static buffer. */ + +static u8* describe_op(u8 hnb) { + + static u8 ret[256]; + + if (syncing_party) { + + sprintf(ret, "sync:%s,src:%06u", syncing_party, syncing_case); + + } else { + + sprintf(ret, "src:%06u", current_entry); + + if (splicing_with >= 0) + sprintf(ret + strlen(ret), "+%06u", splicing_with); + + sprintf(ret + strlen(ret), ",op:%s", stage_short); + + if (stage_cur_byte >= 0) { + + sprintf(ret + strlen(ret), ",pos:%u", stage_cur_byte); + + if (stage_val_type != STAGE_VAL_NONE) + sprintf(ret + strlen(ret), ",val:%s%+d", + (stage_val_type == STAGE_VAL_BE) ? "be:" : "", + stage_cur_val); + + } else sprintf(ret + strlen(ret), ",rep:%u", stage_cur_val); + + } + + if (hnb == 2) strcat(ret, ",+cov"); + + return ret; + +} + +#endif /* !SIMPLE_FILES */ + + +/* Write a message accompanying the crash directory :-) */ + +static void write_crash_readme(void) { + + u8* fn = alloc_printf("%s/crashes/README.txt", out_dir); + s32 fd; + FILE* f; + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + ck_free(fn); + + /* Do not die on errors here - that would be impolite. */ + + if (fd < 0) return; + + f = fdopen(fd, "w"); + + if (!f) { + close(fd); + return; + } + + fprintf(f, "Command line used to find this crash:\n\n" + + "%s\n\n" + + "If you can't reproduce a bug outside of afl-fuzz, be sure to set the same\n" + "memory limit. The limit used for this fuzzing session was %s.\n\n" + + "Need a tool to minimize test cases before investigating the crashes or sending\n" + "them to a vendor? Check out the afl-tmin that comes with the fuzzer!\n\n" + + "Found any cool bugs in open-source tools using afl-fuzz? If yes, please drop\n" + "me a mail at once the issues are fixed - I'd love to\n" + "add your finds to the gallery at:\n\n" + + " http://lcamtuf.coredump.cx/afl/\n\n" + + "Thanks :-)\n", + + orig_cmdline, DMS(mem_limit << 20)); /* ignore errors */ + + fclose(f); + +} + + +/* Check if the result of an execve() during routine fuzzing is interesting, + save or queue the input test case for further analysis if so. Returns 1 if + entry is saved, 0 otherwise. */ + +static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { + + u8 *fn = ""; + u8 hnb; + s32 fd; + u8 keeping = 0, res; + + if (fault == crash_mode) { + + /* Keep only if there are new bits in the map, add to queue for + future fuzzing, etc. */ + + if (!(hnb = has_new_bits(virgin_bits))) { + if (crash_mode) total_crashes++; + return 0; + } + +#ifndef SIMPLE_FILES + + fn = alloc_printf("%s/queue/id:%06u,%s", out_dir, queued_paths, + describe_op(hnb)); + +#else + + fn = alloc_printf("%s/queue/id_%06u", out_dir, queued_paths); + +#endif /* ^!SIMPLE_FILES */ + + add_to_queue(fn, len, 0); + + if (hnb == 2) { + queue_top->has_new_cov = 1; + queued_with_cov++; + } + + queue_top->exec_cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + /* Try to calibrate inline; this also calls update_bitmap_score() when + successful. */ + + res = calibrate_case(argv, queue_top, mem, queue_cycle - 1, 0); + + if (res == FAULT_ERROR) + FATAL("Unable to execute target application"); + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + ck_write(fd, mem, len, fn); + close(fd); + + keeping = 1; + + } + + switch (fault) { + + case FAULT_TMOUT: + + /* Timeouts are not very interesting, but we're still obliged to keep + a handful of samples. We use the presence of new bits in the + hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we + just keep everything. */ + + total_tmouts++; + + if (unique_hangs >= KEEP_UNIQUE_HANG) return keeping; + + if (!dumb_mode) { + +#ifdef WORD_SIZE_64 + simplify_trace((u64*)trace_bits); +#else + simplify_trace((u32*)trace_bits); +#endif /* ^WORD_SIZE_64 */ + + if (!has_new_bits(virgin_tmout)) return keeping; + + } + + unique_tmouts++; + + /* Before saving, we make sure that it's a genuine hang by re-running + the target with a more generous timeout (unless the default timeout + is already generous). */ + + if (exec_tmout < hang_tmout) { + + u8 new_fault; + write_to_testcase(mem, len); + new_fault = run_target(argv, hang_tmout); + + /* A corner case that one user reported bumping into: increasing the + timeout actually uncovers a crash. Make sure we don't discard it if + so. */ + + if (!stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; + + if (stop_soon || new_fault != FAULT_TMOUT) return keeping; + + } + +#ifndef SIMPLE_FILES + + fn = alloc_printf("%s/hangs/id:%06llu,%s", out_dir, + unique_hangs, describe_op(0)); + +#else + + fn = alloc_printf("%s/hangs/id_%06llu", out_dir, + unique_hangs); + +#endif /* ^!SIMPLE_FILES */ + + unique_hangs++; + + last_hang_time = get_cur_time(); + + break; + + case FAULT_CRASH: + +keep_as_crash: + + /* This is handled in a manner roughly similar to timeouts, + except for slightly different limits and no need to re-run test + cases. */ + + total_crashes++; + + if (unique_crashes >= KEEP_UNIQUE_CRASH) return keeping; + + if (!dumb_mode) { + +#ifdef WORD_SIZE_64 + simplify_trace((u64*)trace_bits); +#else + simplify_trace((u32*)trace_bits); +#endif /* ^WORD_SIZE_64 */ + + if (!has_new_bits(virgin_crash)) return keeping; + + } + + if (!unique_crashes) write_crash_readme(); + +#ifndef SIMPLE_FILES + + fn = alloc_printf("%s/crashes/id:%06llu,sig:%02u,%s", out_dir, + unique_crashes, kill_signal, describe_op(0)); + +#else + + fn = alloc_printf("%s/crashes/id_%06llu_%02u", out_dir, unique_crashes, + kill_signal); + +#endif /* ^!SIMPLE_FILES */ + + unique_crashes++; + + last_crash_time = get_cur_time(); + last_crash_execs = total_execs; + + break; + + case FAULT_ERROR: FATAL("Unable to execute target application"); + + default: return keeping; + + } + + /* If we're here, we apparently want to save the crash or hang + test case, too. */ + + fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", fn); + ck_write(fd, mem, len, fn); + close(fd); + + ck_free(fn); + + return keeping; + +} + + +/* When resuming, try to find the queue position to start from. This makes sense + only when resuming, and when we can find the original fuzzer_stats. */ + +static u32 find_start_position(void) { + + static u8 tmp[4096]; /* Ought to be enough for anybody. */ + + u8 *fn, *off; + s32 fd, i; + u32 ret; + + if (!resuming_fuzz) return 0; + + if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir); + else fn = alloc_printf("%s/../fuzzer_stats", in_dir); + + fd = open(fn, O_RDONLY); + ck_free(fn); + + if (fd < 0) return 0; + + i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ + close(fd); + + off = strstr(tmp, "cur_path : "); + if (!off) return 0; + + ret = atoi(off + 20); + if (ret >= queued_paths) ret = 0; + return ret; + +} + + +/* The same, but for timeouts. The idea is that when resuming sessions without + -t given, we don't want to keep auto-scaling the timeout over and over + again to prevent it from growing due to random flukes. */ + +static void find_timeout(void) { + + static u8 tmp[4096]; /* Ought to be enough for anybody. */ + + u8 *fn, *off; + s32 fd, i; + u32 ret; + + if (!resuming_fuzz) return; + + if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir); + else fn = alloc_printf("%s/../fuzzer_stats", in_dir); + + fd = open(fn, O_RDONLY); + ck_free(fn); + + if (fd < 0) return; + + i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */ + close(fd); + + off = strstr(tmp, "exec_timeout : "); + if (!off) return; + + ret = atoi(off + 20); + if (ret <= 4) return; + + exec_tmout = ret; + timeout_given = 3; + +} + + +/* Update stats file for unattended monitoring. */ + +static void write_stats_file(double bitmap_cvg, double stability, double eps) { + + static double last_bcvg, last_stab, last_eps; + static struct rusage usage; + + u8* fn = alloc_printf("%s/fuzzer_stats", out_dir); + s32 fd; + FILE* f; + + fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, 0600); + + if (fd < 0) PFATAL("Unable to create '%s'", fn); + + ck_free(fn); + + f = fdopen(fd, "w"); + + if (!f) PFATAL("fdopen() failed"); + + /* Keep last values in case we're called from another context + where exec/sec stats and such are not readily available. */ + + if (!bitmap_cvg && !stability && !eps) { + bitmap_cvg = last_bcvg; + stability = last_stab; + eps = last_eps; + } else { + last_bcvg = bitmap_cvg; + last_stab = stability; + last_eps = eps; + } + + fprintf(f, "start_time : %llu\n" + "last_update : %llu\n" + "fuzzer_pid : %u\n" + "cycles_done : %llu\n" + "execs_done : %llu\n" + "execs_per_sec : %0.02f\n" + "paths_total : %u\n" + "paths_favored : %u\n" + "paths_found : %u\n" + "paths_imported : %u\n" + "max_depth : %u\n" + "cur_path : %u\n" /* Must match find_start_position() */ + "pending_favs : %u\n" + "pending_total : %u\n" + "variable_paths : %u\n" + "stability : %0.02f%%\n" + "bitmap_cvg : %0.02f%%\n" + "unique_crashes : %llu\n" + "unique_hangs : %llu\n" + "last_path : %llu\n" + "last_crash : %llu\n" + "last_hang : %llu\n" + "execs_since_crash : %llu\n" + "exec_timeout : %u\n" /* Must match find_timeout() */ + "afl_banner : %s\n" + "afl_version : " VERSION "\n" + "target_mode : %s%s%s%s%s%s%s\n" + "command_line : %s\n" + "slowest_exec_ms : %llu\n", + start_time / 1000, get_cur_time() / 1000, getpid(), + queue_cycle ? (queue_cycle - 1) : 0, total_execs, eps, + queued_paths, queued_favored, queued_discovered, queued_imported, + max_depth, current_entry, pending_favored, pending_not_fuzzed, + queued_variable, stability, bitmap_cvg, unique_crashes, + unique_hangs, last_path_time / 1000, last_crash_time / 1000, + last_hang_time / 1000, total_execs - last_crash_execs, + exec_tmout, use_banner, + qemu_mode ? "qemu " : "", dumb_mode ? " dumb " : "", + no_forkserver ? "no_forksrv " : "", crash_mode ? "crash " : "", + persistent_mode ? "persistent " : "", deferred_mode ? "deferred " : "", + (qemu_mode || dumb_mode || no_forkserver || crash_mode || + persistent_mode || deferred_mode) ? "" : "default", + orig_cmdline, slowest_exec_ms); + /* ignore errors */ + + /* Get rss value from the children + We must have killed the forkserver process and called waitpid + before calling getrusage */ + if (getrusage(RUSAGE_CHILDREN, &usage)) { + WARNF("getrusage failed"); + } else if (usage.ru_maxrss == 0) { + fprintf(f, "peak_rss_mb : not available while afl is running\n"); + } else { +#ifdef __APPLE__ + fprintf(f, "peak_rss_mb : %zu\n", usage.ru_maxrss >> 20); +#else + fprintf(f, "peak_rss_mb : %zu\n", usage.ru_maxrss >> 10); +#endif /* ^__APPLE__ */ + } + + fclose(f); + +} + + +/* Update the plot file if there is a reason to. */ + +static void maybe_update_plot_file(double bitmap_cvg, double eps) { + + static u32 prev_qp, prev_pf, prev_pnf, prev_ce, prev_md; + static u64 prev_qc, prev_uc, prev_uh; + + if (prev_qp == queued_paths && prev_pf == pending_favored && + prev_pnf == pending_not_fuzzed && prev_ce == current_entry && + prev_qc == queue_cycle && prev_uc == unique_crashes && + prev_uh == unique_hangs && prev_md == max_depth) return; + + prev_qp = queued_paths; + prev_pf = pending_favored; + prev_pnf = pending_not_fuzzed; + prev_ce = current_entry; + prev_qc = queue_cycle; + prev_uc = unique_crashes; + prev_uh = unique_hangs; + prev_md = max_depth; + + /* Fields in the file: + + unix_time, cycles_done, cur_path, paths_total, paths_not_fuzzed, + favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, + execs_per_sec */ + + fprintf(plot_file, + "%llu, %llu, %u, %u, %u, %u, %0.02f%%, %llu, %llu, %u, %0.02f\n", + get_cur_time() / 1000, queue_cycle - 1, current_entry, queued_paths, + pending_not_fuzzed, pending_favored, bitmap_cvg, unique_crashes, + unique_hangs, max_depth, eps); /* ignore errors */ + + fflush(plot_file); + +} + + + +/* A helper function for maybe_delete_out_dir(), deleting all prefixed + files in a directory. */ + +static u8 delete_files(u8* path, u8* prefix) { + + DIR* d; + struct dirent* d_ent; + + d = opendir(path); + + if (!d) return 0; + + while ((d_ent = readdir(d))) { + + if (d_ent->d_name[0] != '.' && (!prefix || + !strncmp(d_ent->d_name, prefix, strlen(prefix)))) { + + u8* fname = alloc_printf("%s/%s", path, d_ent->d_name); + if (unlink(fname)) PFATAL("Unable to delete '%s'", fname); + ck_free(fname); + + } + + } + + closedir(d); + + return !!rmdir(path); + +} + + +/* Get the number of runnable processes, with some simple smoothing. */ + +static double get_runnable_processes(void) { + + static double res; + +#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) + + /* I don't see any portable sysctl or so that would quickly give us the + number of runnable processes; the 1-minute load average can be a + semi-decent approximation, though. */ + + if (getloadavg(&res, 1) != 1) return 0; + +#else + + /* On Linux, /proc/stat is probably the best way; load averages are + computed in funny ways and sometimes don't reflect extremely short-lived + processes well. */ + + FILE* f = fopen("/proc/stat", "r"); + u8 tmp[1024]; + u32 val = 0; + + if (!f) return 0; + + while (fgets(tmp, sizeof(tmp), f)) { + + if (!strncmp(tmp, "procs_running ", 14) || + !strncmp(tmp, "procs_blocked ", 14)) val += atoi(tmp + 14); + + } + + fclose(f); + + if (!res) { + + res = val; + + } else { + + res = res * (1.0 - 1.0 / AVG_SMOOTHING) + + ((double)val) * (1.0 / AVG_SMOOTHING); + + } + +#endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ + + return res; + +} + + +/* Delete the temporary directory used for in-place session resume. */ + +static void nuke_resume_dir(void) { + + u8* fn; + + fn = alloc_printf("%s/_resume/.state/deterministic_done", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume/.state/auto_extras", out_dir); + if (delete_files(fn, "auto_")) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume/.state/redundant_edges", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume/.state/variable_behavior", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume/.state", out_dir); + if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/_resume", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + return; + +dir_cleanup_failed: + + FATAL("_resume directory cleanup failed"); + +} + + +/* Delete fuzzer output directory if we recognize it as ours, if the fuzzer + is not currently running, and if the last run time isn't too great. */ + +static void maybe_delete_out_dir(void) { + + FILE* f; + u8 *fn = alloc_printf("%s/fuzzer_stats", out_dir); + + /* See if the output directory is locked. If yes, bail out. If not, + create a lock that will persist for the lifetime of the process + (this requires leaving the descriptor open).*/ + + out_dir_fd = open(out_dir, O_RDONLY); + if (out_dir_fd < 0) PFATAL("Unable to open '%s'", out_dir); + +#ifndef __sun + + if (flock(out_dir_fd, LOCK_EX | LOCK_NB) && errno == EWOULDBLOCK) { + + SAYF("\n" cLRD "[-] " cRST + "Looks like the job output directory is being actively used by another\n" + " instance of afl-fuzz. You will need to choose a different %s\n" + " or stop the other process first.\n", + sync_id ? "fuzzer ID" : "output location"); + + FATAL("Directory '%s' is in use", out_dir); + + } + +#endif /* !__sun */ + + f = fopen(fn, "r"); + + if (f) { + + u64 start_time, last_update; + + if (fscanf(f, "start_time : %llu\n" + "last_update : %llu\n", &start_time, &last_update) != 2) + FATAL("Malformed data in '%s'", fn); + + fclose(f); + + /* Let's see how much work is at stake. */ + + if (!in_place_resume && last_update - start_time > OUTPUT_GRACE * 60) { + + SAYF("\n" cLRD "[-] " cRST + "The job output directory already exists and contains the results of more\n" + " than %u minutes worth of fuzzing. To avoid data loss, afl-fuzz will *NOT*\n" + " automatically delete this data for you.\n\n" + + " If you wish to start a new session, remove or rename the directory manually,\n" + " or specify a different output location for this job. To resume the old\n" + " session, put '-' as the input directory in the command line ('-i -') and\n" + " try again.\n", OUTPUT_GRACE); + + FATAL("At-risk data found in '%s'", out_dir); + + } + + } + + ck_free(fn); + + /* The idea for in-place resume is pretty simple: we temporarily move the old + queue/ to a new location that gets deleted once import to the new queue/ + is finished. If _resume/ already exists, the current queue/ may be + incomplete due to an earlier abort, so we want to use the old _resume/ + dir instead, and we let rename() fail silently. */ + + if (in_place_resume) { + + u8* orig_q = alloc_printf("%s/queue", out_dir); + + in_dir = alloc_printf("%s/_resume", out_dir); + + rename(orig_q, in_dir); /* Ignore errors */ + + OKF("Output directory exists, will attempt session resume."); + + ck_free(orig_q); + + } else { + + OKF("Output directory exists but deemed OK to reuse."); + + } + + ACTF("Deleting old session data..."); + + /* Okay, let's get the ball rolling! First, we need to get rid of the entries + in /.synced/.../id:*, if any are present. */ + + if (!in_place_resume) { + + fn = alloc_printf("%s/.synced", out_dir); + if (delete_files(fn, NULL)) goto dir_cleanup_failed; + ck_free(fn); + + } + + /* Next, we need to clean up /queue/.state/ subdirectories: */ + + fn = alloc_printf("%s/queue/.state/deterministic_done", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/queue/.state/auto_extras", out_dir); + if (delete_files(fn, "auto_")) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/queue/.state/redundant_edges", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/queue/.state/variable_behavior", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + /* Then, get rid of the .state subdirectory itself (should be empty by now) + and everything matching /queue/id:*. */ + + fn = alloc_printf("%s/queue/.state", out_dir); + if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/queue", out_dir); + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + /* All right, let's do /crashes/id:* and /hangs/id:*. */ + + if (!in_place_resume) { + + fn = alloc_printf("%s/crashes/README.txt", out_dir); + unlink(fn); /* Ignore errors */ + ck_free(fn); + + } + + fn = alloc_printf("%s/crashes", out_dir); + + /* Make backup of the crashes directory if it's not empty and if we're + doing in-place resume. */ + + if (in_place_resume && rmdir(fn)) { + + time_t cur_t = time(0); + struct tm* t = localtime(&cur_t); + +#ifndef SIMPLE_FILES + + u8* nfn = alloc_printf("%s.%04u-%02u-%02u-%02u:%02u:%02u", fn, + t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, + t->tm_hour, t->tm_min, t->tm_sec); + +#else + + u8* nfn = alloc_printf("%s_%04u%02u%02u%02u%02u%02u", fn, + t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, + t->tm_hour, t->tm_min, t->tm_sec); + +#endif /* ^!SIMPLE_FILES */ + + rename(fn, nfn); /* Ignore errors. */ + ck_free(nfn); + + } + + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/hangs", out_dir); + + /* Backup hangs, too. */ + + if (in_place_resume && rmdir(fn)) { + + time_t cur_t = time(0); + struct tm* t = localtime(&cur_t); + +#ifndef SIMPLE_FILES + + u8* nfn = alloc_printf("%s.%04u-%02u-%02u-%02u:%02u:%02u", fn, + t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, + t->tm_hour, t->tm_min, t->tm_sec); + +#else + + u8* nfn = alloc_printf("%s_%04u%02u%02u%02u%02u%02u", fn, + t->tm_year + 1900, t->tm_mon + 1, t->tm_mday, + t->tm_hour, t->tm_min, t->tm_sec); + +#endif /* ^!SIMPLE_FILES */ + + rename(fn, nfn); /* Ignore errors. */ + ck_free(nfn); + + } + + if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; + ck_free(fn); + + /* And now, for some finishing touches. */ + + fn = alloc_printf("%s/.cur_input", out_dir); + if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + fn = alloc_printf("%s/fuzz_bitmap", out_dir); + if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + if (!in_place_resume) { + fn = alloc_printf("%s/fuzzer_stats", out_dir); + if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + } + + fn = alloc_printf("%s/plot_data", out_dir); + if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; + ck_free(fn); + + OKF("Output dir cleanup successful."); + + /* Wow... is that all? If yes, celebrate! */ + + return; + +dir_cleanup_failed: + + SAYF("\n" cLRD "[-] " cRST + "Whoops, the fuzzer tried to reuse your output directory, but bumped into\n" + " some files that shouldn't be there or that couldn't be removed - so it\n" + " decided to abort! This happened while processing this path:\n\n" + + " %s\n\n" + " Please examine and manually delete the files, or specify a different\n" + " output location for the tool.\n", fn); + + FATAL("Output directory cleanup failed"); + +} + + +static void check_term_size(void); + + +/* A spiffy retro stats screen! This is called every stats_update_freq + execve() calls, plus in several other circumstances. */ + +static void show_stats(void) { + + static u64 last_stats_ms, last_plot_ms, last_ms, last_execs; + static double avg_exec; + double t_byte_ratio, stab_ratio; + + u64 cur_ms; + u32 t_bytes, t_bits; + + u32 banner_len, banner_pad; + u8 tmp[256]; + + cur_ms = get_cur_time(); + + /* If not enough time has passed since last UI update, bail out. */ + + if (cur_ms - last_ms < 1000 / UI_TARGET_HZ) return; + + /* Check if we're past the 10 minute mark. */ + + if (cur_ms - start_time > 10 * 60 * 1000) run_over10m = 1; + + /* Calculate smoothed exec speed stats. */ + + if (!last_execs) { + + avg_exec = ((double)total_execs) * 1000 / (cur_ms - start_time); + + } else { + + double cur_avg = ((double)(total_execs - last_execs)) * 1000 / + (cur_ms - last_ms); + + /* If there is a dramatic (5x+) jump in speed, reset the indicator + more quickly. */ + + if (cur_avg * 5 < avg_exec || cur_avg / 5 > avg_exec) + avg_exec = cur_avg; + + avg_exec = avg_exec * (1.0 - 1.0 / AVG_SMOOTHING) + + cur_avg * (1.0 / AVG_SMOOTHING); + + } + + last_ms = cur_ms; + last_execs = total_execs; + + /* Tell the callers when to contact us (as measured in execs). */ + + stats_update_freq = avg_exec / (UI_TARGET_HZ * 10); + if (!stats_update_freq) stats_update_freq = 1; + + /* Do some bitmap stats. */ + + t_bytes = count_non_255_bytes(virgin_bits); + t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; + + if (t_bytes) + stab_ratio = 100 - ((double)var_byte_count) * 100 / t_bytes; + else + stab_ratio = 100; + + /* Roughly every minute, update fuzzer stats and save auto tokens. */ + + if (cur_ms - last_stats_ms > STATS_UPDATE_SEC * 1000) { + + last_stats_ms = cur_ms; + write_stats_file(t_byte_ratio, stab_ratio, avg_exec); + save_auto(); + write_bitmap(); + + } + + /* Every now and then, write plot data. */ + + if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { + + last_plot_ms = cur_ms; + maybe_update_plot_file(t_byte_ratio, avg_exec); + + } + + /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ + + if (!dumb_mode && cycles_wo_finds > 100 && !pending_not_fuzzed && + getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; + + if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; + + /* If we're not on TTY, bail out. */ + + if (not_on_tty) return; + + /* Compute some mildly useful bitmap stats. */ + + t_bits = (MAP_SIZE << 3) - count_bits(virgin_bits); + + /* Now, for the visuals... */ + + if (clear_screen) { + + SAYF(TERM_CLEAR CURSOR_HIDE); + clear_screen = 0; + + check_term_size(); + + } + + SAYF(TERM_HOME); + + if (term_too_small) { + + SAYF(cBRI "Your terminal is too small to display the UI.\n" + "Please resize terminal window to at least 80x25.\n" cRST); + + return; + + } + + /* Let's start by drawing a centered banner. */ + + banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner); + banner_pad = (80 - banner_len) / 2; + memset(tmp, ' ', banner_pad); + + sprintf(tmp + banner_pad, "%s " cLCY VERSION cLGN + " (%s)", crash_mode ? cPIN "peruvian were-rabbit" : + cYEL "american fuzzy lop", use_banner); + + SAYF("\n%s\n\n", tmp); + + /* "Handy" shortcuts for drawing boxes... */ + +#define bSTG bSTART cGRA +#define bH2 bH bH +#define bH5 bH2 bH2 bH +#define bH10 bH5 bH5 +#define bH20 bH10 bH10 +#define bH30 bH20 bH10 +#define SP5 " " +#define SP10 SP5 SP5 +#define SP20 SP10 SP10 + + /* Lord, forgive me this. */ + + SAYF(SET_G1 bSTG bLT bH bSTOP cCYA " process timing " bSTG bH30 bH5 bH2 bHB + bH bSTOP cCYA " overall results " bSTG bH5 bRT "\n"); + + if (dumb_mode) { + + strcpy(tmp, cRST); + + } else { + + u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60; + + /* First queue cycle: don't stop now! */ + if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else + + /* Subsequent cycles, but we're still making finds. */ + if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else + + /* No finds for a long time and no test cases to try. */ + if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120) + strcpy(tmp, cLGN); + + /* Default: cautiously OK to stop? */ + else strcpy(tmp, cLBL); + + } + + SAYF(bV bSTOP " run time : " cRST "%-34s " bSTG bV bSTOP + " cycles done : %s%-5s " bSTG bV "\n", + DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); + + /* We want to warn people about not seeing new paths after a full cycle, + except when resuming fuzzing or running in non-instrumented mode. */ + + if (!dumb_mode && (last_path_time || resuming_fuzz || queue_cycle == 1 || + in_bitmap || crash_mode)) { + + SAYF(bV bSTOP " last new path : " cRST "%-34s ", + DTD(cur_ms, last_path_time)); + + } else { + + if (dumb_mode) + + SAYF(bV bSTOP " last new path : " cPIN "n/a" cRST + " (non-instrumented mode) "); + + else + + SAYF(bV bSTOP " last new path : " cRST "none yet " cLRD + "(odd, check syntax!) "); + + } + + SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", + DI(queued_paths)); + + /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH + limit with a '+' appended to the count. */ + + sprintf(tmp, "%s%s", DI(unique_crashes), + (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + + SAYF(bV bSTOP " last uniq crash : " cRST "%-34s " bSTG bV bSTOP + " uniq crashes : %s%-6s " bSTG bV "\n", + DTD(cur_ms, last_crash_time), unique_crashes ? cLRD : cRST, + tmp); + + sprintf(tmp, "%s%s", DI(unique_hangs), + (unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + + SAYF(bV bSTOP " last uniq hang : " cRST "%-34s " bSTG bV bSTOP + " uniq hangs : " cRST "%-6s " bSTG bV "\n", + DTD(cur_ms, last_hang_time), tmp); + + SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH20 bHB bH bSTOP cCYA + " map coverage " bSTG bH bHT bH20 bH2 bH bVL "\n"); + + /* This gets funny because we want to print several variable-length variables + together, but then cram them into a fixed-width field - so we need to + put them in a temporary buffer first. */ + + sprintf(tmp, "%s%s (%0.02f%%)", DI(current_entry), + queue_cur->favored ? "" : "*", + ((double)current_entry * 100) / queued_paths); + + SAYF(bV bSTOP " now processing : " cRST "%-17s " bSTG bV bSTOP, tmp); + + sprintf(tmp, "%0.02f%% / %0.02f%%", ((double)queue_cur->bitmap_size) * + 100 / MAP_SIZE, t_byte_ratio); + + SAYF(" map density : %s%-21s " bSTG bV "\n", t_byte_ratio > 70 ? cLRD : + ((t_bytes < 200 && !dumb_mode) ? cPIN : cRST), tmp); + + sprintf(tmp, "%s (%0.02f%%)", DI(cur_skipped_paths), + ((double)cur_skipped_paths * 100) / queued_paths); + + SAYF(bV bSTOP " paths timed out : " cRST "%-17s " bSTG bV, tmp); + + sprintf(tmp, "%0.02f bits/tuple", + t_bytes ? (((double)t_bits) / t_bytes) : 0); + + SAYF(bSTOP " count coverage : " cRST "%-21s " bSTG bV "\n", tmp); + + SAYF(bVR bH bSTOP cCYA " stage progress " bSTG bH20 bX bH bSTOP cCYA + " findings in depth " bSTG bH20 bVL "\n"); + + sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), + ((double)queued_favored) * 100 / queued_paths); + + /* Yeah... it's still going on... halp? */ + + SAYF(bV bSTOP " now trying : " cRST "%-21s " bSTG bV bSTOP + " favored paths : " cRST "%-22s " bSTG bV "\n", stage_name, tmp); + + if (!stage_max) { + + sprintf(tmp, "%s/-", DI(stage_cur)); + + } else { + + sprintf(tmp, "%s/%s (%0.02f%%)", DI(stage_cur), DI(stage_max), + ((double)stage_cur) * 100 / stage_max); + + } + + SAYF(bV bSTOP " stage execs : " cRST "%-21s " bSTG bV bSTOP, tmp); + + sprintf(tmp, "%s (%0.02f%%)", DI(queued_with_cov), + ((double)queued_with_cov) * 100 / queued_paths); + + SAYF(" new edges on : " cRST "%-22s " bSTG bV "\n", tmp); + + sprintf(tmp, "%s (%s%s unique)", DI(total_crashes), DI(unique_crashes), + (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); + + if (crash_mode) { + + SAYF(bV bSTOP " total execs : " cRST "%-21s " bSTG bV bSTOP + " new crashes : %s%-22s " bSTG bV "\n", DI(total_execs), + unique_crashes ? cLRD : cRST, tmp); + + } else { + + SAYF(bV bSTOP " total execs : " cRST "%-21s " bSTG bV bSTOP + " total crashes : %s%-22s " bSTG bV "\n", DI(total_execs), + unique_crashes ? cLRD : cRST, tmp); + + } + + /* Show a warning about slow execution. */ + + if (avg_exec < 100) { + + sprintf(tmp, "%s/sec (%s)", DF(avg_exec), avg_exec < 20 ? + "zzzz..." : "slow!"); + + SAYF(bV bSTOP " exec speed : " cLRD "%-21s ", tmp); + + } else { + + sprintf(tmp, "%s/sec", DF(avg_exec)); + SAYF(bV bSTOP " exec speed : " cRST "%-21s ", tmp); + + } + + sprintf(tmp, "%s (%s%s unique)", DI(total_tmouts), DI(unique_tmouts), + (unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : ""); + + SAYF (bSTG bV bSTOP " total tmouts : " cRST "%-22s " bSTG bV "\n", tmp); + + /* Aaaalmost there... hold on! */ + + SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH bHT bH10 + bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bH bVL "\n"); + + if (skip_deterministic) { + + strcpy(tmp, "n/a, n/a, n/a"); + + } else { + + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_FLIP1]), DI(stage_cycles[STAGE_FLIP1]), + DI(stage_finds[STAGE_FLIP2]), DI(stage_cycles[STAGE_FLIP2]), + DI(stage_finds[STAGE_FLIP4]), DI(stage_cycles[STAGE_FLIP4])); + + } + + SAYF(bV bSTOP " bit flips : " cRST "%-37s " bSTG bV bSTOP " levels : " + cRST "%-10s " bSTG bV "\n", tmp, DI(max_depth)); + + if (!skip_deterministic) + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_FLIP8]), DI(stage_cycles[STAGE_FLIP8]), + DI(stage_finds[STAGE_FLIP16]), DI(stage_cycles[STAGE_FLIP16]), + DI(stage_finds[STAGE_FLIP32]), DI(stage_cycles[STAGE_FLIP32])); + + SAYF(bV bSTOP " byte flips : " cRST "%-37s " bSTG bV bSTOP " pending : " + cRST "%-10s " bSTG bV "\n", tmp, DI(pending_not_fuzzed)); + + if (!skip_deterministic) + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_ARITH8]), DI(stage_cycles[STAGE_ARITH8]), + DI(stage_finds[STAGE_ARITH16]), DI(stage_cycles[STAGE_ARITH16]), + DI(stage_finds[STAGE_ARITH32]), DI(stage_cycles[STAGE_ARITH32])); + + SAYF(bV bSTOP " arithmetics : " cRST "%-37s " bSTG bV bSTOP " pend fav : " + cRST "%-10s " bSTG bV "\n", tmp, DI(pending_favored)); + + if (!skip_deterministic) + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_INTEREST8]), DI(stage_cycles[STAGE_INTEREST8]), + DI(stage_finds[STAGE_INTEREST16]), DI(stage_cycles[STAGE_INTEREST16]), + DI(stage_finds[STAGE_INTEREST32]), DI(stage_cycles[STAGE_INTEREST32])); + + SAYF(bV bSTOP " known ints : " cRST "%-37s " bSTG bV bSTOP " own finds : " + cRST "%-10s " bSTG bV "\n", tmp, DI(queued_discovered)); + + if (!skip_deterministic) + sprintf(tmp, "%s/%s, %s/%s, %s/%s", + DI(stage_finds[STAGE_EXTRAS_UO]), DI(stage_cycles[STAGE_EXTRAS_UO]), + DI(stage_finds[STAGE_EXTRAS_UI]), DI(stage_cycles[STAGE_EXTRAS_UI]), + DI(stage_finds[STAGE_EXTRAS_AO]), DI(stage_cycles[STAGE_EXTRAS_AO])); + + SAYF(bV bSTOP " dictionary : " cRST "%-37s " bSTG bV bSTOP + " imported : " cRST "%-10s " bSTG bV "\n", tmp, + sync_id ? DI(queued_imported) : (u8*)"n/a"); + + sprintf(tmp, "%s/%s, %s/%s", + DI(stage_finds[STAGE_HAVOC]), DI(stage_cycles[STAGE_HAVOC]), + DI(stage_finds[STAGE_SPLICE]), DI(stage_cycles[STAGE_SPLICE])); + + SAYF(bV bSTOP " havoc : " cRST "%-37s " bSTG bV bSTOP, tmp); + + if (t_bytes) sprintf(tmp, "%0.02f%%", stab_ratio); + else strcpy(tmp, "n/a"); + + SAYF(" stability : %s%-10s " bSTG bV "\n", (stab_ratio < 85 && var_byte_count > 40) + ? cLRD : ((queued_variable && (!persistent_mode || var_byte_count > 20)) + ? cMGN : cRST), tmp); + + if (!bytes_trim_out) { + + sprintf(tmp, "n/a, "); + + } else { + + sprintf(tmp, "%0.02f%%/%s, ", + ((double)(bytes_trim_in - bytes_trim_out)) * 100 / bytes_trim_in, + DI(trim_execs)); + + } + + if (!blocks_eff_total) { + + u8 tmp2[128]; + + sprintf(tmp2, "n/a"); + strcat(tmp, tmp2); + + } else { + + u8 tmp2[128]; + + sprintf(tmp2, "%0.02f%%", + ((double)(blocks_eff_total - blocks_eff_select)) * 100 / + blocks_eff_total); + + strcat(tmp, tmp2); + + } + + SAYF(bV bSTOP " trim : " cRST "%-37s " bSTG bVR bH20 bH2 bH2 bRB "\n" + bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); + + /* Provide some CPU utilization stats. */ + + if (cpu_core_count) { + + double cur_runnable = get_runnable_processes(); + u32 cur_utilization = cur_runnable * 100 / cpu_core_count; + + u8* cpu_color = cCYA; + + /* If we could still run one or more processes, use green. */ + + if (cpu_core_count > 1 && cur_runnable + 1 <= cpu_core_count) + cpu_color = cLGN; + + /* If we're clearly oversubscribed, use red. */ + + if (!no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; + +#ifdef HAVE_AFFINITY + + if (cpu_aff >= 0) { + + SAYF(SP10 cGRA "[cpu%03u:%s%3u%%" cGRA "]\r" cRST, + MIN(cpu_aff, 999), cpu_color, + MIN(cur_utilization, 999)); + + } else { + + SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, + cpu_color, MIN(cur_utilization, 999)); + + } + +#else + + SAYF(SP10 cGRA " [cpu:%s%3u%%" cGRA "]\r" cRST, + cpu_color, MIN(cur_utilization, 999)); + +#endif /* ^HAVE_AFFINITY */ + + } else SAYF("\r"); + + /* Hallelujah! */ + + fflush(0); + +} + + +/* 在处理输入目录后显示初始化统计信息 */ +static void show_init_stats(void) { + + struct queue_entry* q = queue; // 队列的当前元素 + u32 min_bits = 0, max_bits = 0; // 最小和最大位图大小 + u64 min_us = 0, max_us = 0; // 最小和最大执行时间(微秒) + u64 avg_us = 0; // 平均执行时间 + u32 max_len = 0; // 最大测试用例长度 + + // 如果有校准周期,计算平均执行时间 + if (total_cal_cycles) avg_us = total_cal_us / total_cal_cycles; + + // 遍历队列,找到最小和最大位图大小、执行时间和测试用例长度 + while (q) { + + if (!min_us || q->exec_us < min_us) min_us = q->exec_us; + if (q->exec_us > max_us) max_us = q->exec_us; + + if (!min_bits || q->bitmap_size < min_bits) min_bits = q->bitmap_size; + if (q->bitmap_size > max_bits) max_bits = q->bitmap_size; + + if (q->len > max_len) max_len = q->len; + + q = q->next; // 移动到下一个队列元素 + + } + + SAYF("\n"); + + // 如果平均执行时间较长,给出警告并调整havoc_div的值 + if (avg_us > (qemu_mode ? 50000 : 10000)) + WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.txt.", + doc_path); + + // 如果平均执行时间超过特定阈值,调整havoc_div的值 + if (avg_us > 50000) havoc_div = 10; /* 0-19 execs/sec */ + else if (avg_us > 20000) havoc_div = 5; /* 20-49 execs/sec */ + else if (avg_us > 10000) havoc_div = 2; /* 50-100 execs/sec */ + + // 如果不是从会话中恢复,给出一些警告 + if (!resuming_fuzz) { + + if (max_len > 50 * 1024) + WARNF(cLRD "Some test cases are huge (%s) - see %s/perf_tips.txt!", + DMS(max_len), doc_path); + else if (max_len > 10 * 1024) + WARNF("Some test cases are big (%s) - see %s/perf_tips.txt.", + DMS(max_len), doc_path); + + if (useless_at_start && !in_bitmap) + WARNF(cLRD "Some test cases look useless. Consider using a smaller set."); + + if (queued_paths > 100) + WARNF(cLRD "You probably have far too many input files! Consider trimming down."); + else if (queued_paths > 20) + WARNF("You have lots of input files; try starting small."); + + } + + // 显示统计信息 + OKF("Here are some useful stats:\n\n" + + cGRA " Test case count : " cRST "%u favored, %u variable, %u total\n" + cGRA " Bitmap range : " cRST "%u to %u bits (average: %0.02f bits)\n" + cGRA " Exec timing : " cRST "%s to %s us (average: %s us)\n", + queued_favored, queued_variable, queued_paths, min_bits, max_bits, + ((double)total_bitmap_size) / (total_bitmap_entries ? total_bitmap_entries : 1), + DI(min_us), DI(max_us), DI(avg_us)); + + // 如果没有指定超时时间,计算一个合适的超时时间 + if (!timeout_given) { + + /* Figure out the appropriate timeout. The basic idea is: 5x average or + 1x max, rounded up to EXEC_TM_ROUND ms and capped at 1 second. */ + + if (avg_us > 50000) exec_tmout = avg_us * 2 / 1000; + else if (avg_us > 10000) exec_tmout = avg_us * 3 / 1000; + else exec_tmout = avg_us * 5 / 1000; + + exec_tmout = MAX(exec_tmout, max_us / 1000); + exec_tmout = (exec_tmout + EXEC_TM_ROUND) / EXEC_TM_ROUND * EXEC_TM_ROUND; + + if (exec_tmout > EXEC_TIMEOUT) exec_tmout = EXEC_TIMEOUT; + + ACTF("No -t option specified, so I'll use exec timeout of %u ms.", + exec_tmout); + + timeout_given = 1; + + } else if (timeout_given == 3) { + + ACTF("Applying timeout settings from resumed session (%u ms).", exec_tmout); + + } + + /* In dumb mode, re-running every timing out test case with a generous time + limit is very expensive, so let's select a more conservative default. */ + + if (dumb_mode && !getenv("AFL_HANG_TMOUT")) + hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100); + + OKF("All set and ready to roll!"); + +} + +/* 找到大于或等于val的最小的2的幂次方(假设val小于2^31) */ +static u32 next_p2(u32 val) { + + u32 ret = 1; + while (val > ret) ret <<= 1; + return ret; + +} + + + +// 对输入案例进行修剪,尝试移除部分输入数据,看是否会影响程序的执行路径。 +static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { + static u8 tmp[64]; // 临时缓冲区 + static u8 clean_trace[MAP_SIZE]; // 用于存储清理后的执行路径 + + u8 needs_write = 0, fault = 0; // 标记是否需要写入和是否出现故障 + u32 trim_exec = 0; // 修剪执行次数 + u32 remove_len; // 要移除的长度 + u32 len_p2; // 长度的下一个2的幂次 + + // 如果输入长度小于5,直接返回0,不进行修剪 + if (q->len < 5) return 0; + + stage_name = tmp; // 设置当前阶段名称 + bytes_trim_in += q->len; // 更新修剪输入的总字节数 + + // 选择初始块长度,从大步长开始 + len_p2 = next_p2(q->len); // 获取q->len的下一个2的幂次 + + remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); // 计算移除长度 + + // 继续修剪,直到步数过高或步长过小 + while (remove_len >= MAX(len_p2 / TRIM_END_STEPS, TRIM_MIN_BYTES)) { + u32 remove_pos = remove_len; // 移除位置 + + // 格式化修剪信息 + sprintf(tmp, "trim %s/%s", DI(remove_len), DI(remove_len)); + + stage_cur = 0; // 当前阶段 + stage_max = q->len / remove_len; // 最大阶段数 + + while (remove_pos < q->len) { // 循环移除每个位置的数据 + u32 trim_avail = MIN(remove_len, q->len - remove_pos); // 可修剪的可用长度 + u32 cksum; // 校验和 + + // 写入带有间隔的输入数据 + write_with_gap(in_buf, q->len, remove_pos, trim_avail); + + fault = run_target(argv, exec_tmout); // 运行目标程序 + trim_execs++; // 更新修剪执行次数 + + // 如果出现错误或停止请求,跳转到修剪中止 + if (stop_soon || fault == FAULT_ERROR) goto abort_trimming; + + // 计算执行路径的校验和 + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + // 如果删除数据没有影响执行路径,将其永久移除 + if (cksum == q->exec_cksum) { + u32 move_tail = q->len - remove_pos - trim_avail; // 需要移动的尾部长度 + + q->len -= trim_avail; // 更新长度 + len_p2 = next_p2(q->len); // 更新下一个2的幂次 + + // 移动数据 + memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, move_tail); + + // 如果需要,保存一个干净的执行路径 + if (!needs_write) { + needs_write = 1; + memcpy(clean_trace, trace_bits, MAP_SIZE); // 复制执行路径 + } + } else { + remove_pos += remove_len; // 否则,移动到下一个位置 + } + + // 定期更新屏幕显示 + if (!(trim_exec++ % stats_update_freq)) show_stats(); + stage_cur++; // 更新当前阶段 + } + + remove_len >>= 1; // 减少移除长度 + } + + // 如果对in_buf进行了修改,需要更新磁盘上的测试用例 + if (needs_write) { + s32 fd; // 文件描述符 + + // 删除旧的测试用例文件 + unlink(q->fname); // 忽略错误 + + // 创建新的测试用例文件 + fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", q->fname); // 错误处理 + + // 写入新的测试用例数据 + ck_write(fd, in_buf, q->len, q->fname); + close(fd); // 关闭文件描述符 + + // 更新执行路径和分数 + memcpy(trace_bits, clean_trace, MAP_SIZE); + update_bitmap_score(q); + } + +abort_trimming: // 修剪中止标签 + bytes_trim_out += q->len; // 更新修剪输出的总字节数 + return fault; // 返回故障状态 +} + +// 写入修改后的测试用例,运行程序,处理结果。处理错误条件,如果需要中止,则返回1。 +// 这是fuzz_one()的辅助函数。 +EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { + u8 fault; // 故障状态 + + // 如果存在后处理函数 + if (post_handler) { + // 调用后处理函数 + out_buf = post_handler(out_buf, &len); + if (!out_buf || !len) return 0; // 如果返回为空或长度为0,则返回0 + } + + // 写入测试用例 + write_to_testcase(out_buf, len); + + fault = run_target(argv, exec_tmout); // 运行目标程序 + + // 如果需要停止,则返回1 + if (stop_soon) return 1; + + // 如果出现超时故障 + if (fault == FAULT_TMOUT) { + // 如果连续超时次数超过限制,则跳过当前路径 + if (subseq_tmouts++ > TMOUT_LIMIT) { + cur_skipped_paths++; + return 1; + } + } else { + subseq_tmouts = 0; // 重置连续超时次数 + } + + // 用户可以通过SIGUSR1信号请求放弃当前输入 + if (skip_requested) { + skip_requested = 0; // 重置跳过请求 + cur_skipped_paths++; // 增加跳过路径数 + return 1; // 返回1 + } + + // 处理故障,更新发现的队列 + queued_discovered += save_if_interesting(argv, out_buf, len, fault); + + // 定期更新统计信息 + if (!(stage_cur % stats_update_freq) || stage_cur + 1 == stage_max) + show_stats(); + + return 0; // 返回0,表示继续执行 +} + +/* 辅助函数,用于在模糊测试中的块操作选择随机块长度。 + 只要max_len大于0,就不会返回零 */ + +static u32 choose_block_len(u32 limit) { + + u32 min_value, max_value; + u32 rlim = MIN(queue_cycle, 3); // 限制随机数生成的范围 + + if (!run_over10m) rlim = 1; // 如果没有超过10M的运行限制,则设置rlim为1 + + // 根据随机数选择不同的块长度范围 + switch (UR(rlim)) { + case 0: + min_value = 1; // 最小长度设置为1 + max_value = HAVOC_BLK_SMALL; // 最大长度设置为小值 + break; + case 1: + min_value = HAVOC_BLK_SMALL; // 最小长度设置为小值 + max_value = HAVOC_BLK_MEDIUM; // 最大长度设置为中等值 + break; + default: + if (UR(10)) { + min_value = HAVOC_BLK_MEDIUM; // 随机选择中等或大长度 + max_value = HAVOC_BLK_LARGE; + } else { + min_value = HAVOC_BLK_LARGE; // 随机选择大或超大长度 + max_value = HAVOC_BLK_XL; + } + } + + // 如果最小值大于限制,则设置最小值为1 + if (min_value >= limit) min_value = 1; + + // 返回一个在指定范围内的随机块长度 + return min_value + UR(MIN(max_value, limit) - min_value + 1); +} + +/* 计算案例的期望分数,以调整havoc模糊测试的长度。 + 这是一个辅助函数,用于fuzz_one()。也许这些常数中的一些应该 + 进入config.h文件中 */ + +static u32 calculate_score(struct queue_entry* q) { + + u32 avg_exec_us = total_cal_us / total_cal_cycles; // 计算平均执行时间 + u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; // 计算平均位图大小 + u32 perf_score = 100; // 初始化性能分数 + + /* 根据此路径的执行速度与全局平均值相比,调整分数。 + 乘数范围从0.1x到3x。快速输入的成本较低,因此给予更多的运行时间。 */ + + if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; + else if (q->exec_us * 0.25 > avg_exec_us) perf_score = 25; + else if (q->exec_us * 0.5 > avg_exec_us) perf_score = 50; + else if (q->exec_us * 0.75 > avg_exec_us) perf_score = 75; + else if (q->exec_us * 4 < avg_exec_us) perf_score = 300; + else if (q->exec_us * 3 < avg_exec_us) perf_score = 200; + else if (q->exec_us * 2 < avg_exec_us) perf_score = 150; + + /* 根据位图大小调整分数。工作理论是更好的覆盖率转化为更好的目标。 + 乘数从0.25x到3x。 */ + + if (q->bitmap_size * 0.3 > avg_bitmap_size) perf_score *= 3; + else if (q->bitmap_size * 0.5 > avg_bitmap_size) perf_score *= 2; + else if (q->bitmap_size * 0.75 > avg_bitmap_size) perf_score *= 1.5; + else if (q->bitmap_size * 3 < avg_bitmap_size) perf_score *= 0.25; + else if (q->bitmap_size * 2 < avg_bitmap_size) perf_score *= 0.5; + else if (q->bitmap_size * 1.5 < avg_bitmap_size) perf_score *= 0.75; + + /* 根据handicap调整分数。Handicap与我们了解此路径的时间成正比。 + 后来者允许运行更长时间,直到它们赶上其他路径。 */ + + if (q->handicap >= 4) { + perf_score *= 4; // 如果handicap大于等于4,则乘以4 + q->handicap -= 4; // 减少handicap值 + } else if (q->handicap) { + perf_score *= 2; // 如果handicap大于0,则乘以2 + q->handicap--; // 减少handicap值 + } + + /* 根据输入深度进行最终调整,假设模糊测试更深层的测试用例 + 更有可能发现传统模糊测试无法发现的问题。 */ + + switch (q->depth) { + case 0 ... 3: break; // 如果深度在0到3之间,不调整分数 + case 4 ... 7: perf_score *= 2; break; // 如果深度在4到7之间,乘以2 + case 8 ... 13: perf_score *= 3; break; // 如果深度在8到13之间,乘以3 + case 14 ... 25: perf_score *= 4; break; // 如果深度在14到25之间,乘以4 + default: perf_score *= 5; // 默认情况下,乘以5 + } + + /* 确保我们不超过限制。 */ + + if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; // 如果分数超过最大限制,则设置为最大限制 + + return perf_score; // 返回计算出的分数 +} + + +/* Helper function to see if a particular change (xor_val = old ^ new) could + be a product of deterministic bit flips with the lengths and stepovers + attempted by afl-fuzz. This is used to avoid dupes in some of the + deterministic fuzzing operations that follow bit flips. We also + return 1 if xor_val is zero, which implies that the old and attempted new + values are identical and the exec would be a waste of time. */ + +// 检测一个值是否可能是通过位翻转操作得到的。 +static u8 could_be_bitflip(u32 xor_val) { + u32 sh = 0; // 用于记录位移的变量 + + // 如果xor_val为0,表示没有位被翻转,返回1。 + if (!xor_val) return 1; + + // 将xor_val左移,直到最低位为1,记录移动的位数。 + while (!(xor_val & 1)) { sh++; xor_val >>= 1; } + + // 如果xor_val是1、3或15,表示只有1、2或4位被翻转,返回1。 + if (xor_val == 1 || xor_val == 3 || xor_val == 15) return 1; + + // 如果sh不是8的倍数,那么8位、16位或32位的模式不可能通过位移得到,返回0。 + if (sh & 7) return 0; + + // 如果xor_val是0xff、0xffff或0xffffffff,表示8位、16位或32位的所有位都被翻转,返回1。 + if (xor_val == 0xff || xor_val == 0xffff || xor_val == 0xffffffff) + return 1; + + // 如果以上条件都不满足,返回0。 + return 0; +} + +// 检测一个值是否可能是通过算术操作从另一个值得到的。 +static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { + u32 i, ov = 0, nv = 0, diffs = 0; // 用于循环和比较的变量 + + // 如果old_val和new_val相同,返回1。 + if (old_val == new_val) return 1; + + // 检查每个字节是否有差异,并尝试通过单字节的调整来生成new_val。 + for (i = 0; i < blen; i++) { + u8 a = old_val >> (8 * i), // 获取old_val的第i个字节 + b = new_val >> (8 * i); // 获取new_val的第i个字节 + + if (a != b) { diffs++; ov = a; nv = b; } // 如果字节不同,增加差异计数 + } + + // 如果只有一个字节不同,并且差异在可接受的范围内,返回1。 + if (diffs == 1) { + if ((u8)(ov - nv) <= ARITH_MAX || + (u8)(nv - ov) <= ARITH_MAX) return 1; + } + + // 如果blen为1,表示只有单字节,返回0。 + if (blen == 1) return 0; + + // 检查每两个字节是否有差异,并尝试通过双字节的调整来生成new_val。 + diffs = 0; + for (i = 0; i < blen / 2; i++) { + u16 a = old_val >> (16 * i), // 获取old_val的第i个双字节 + b = new_val >> (16 * i); // 获取new_val的第i个双字节 + + if (a != b) { diffs++; ov = a; nv = b; } // 如果双字节不同,增加差异计数 + } + + // 如果只有一个双字节不同,并且差异在可接受的范围内,返回1。 + if (diffs == 1) { + if ((u16)(ov - nv) <= ARITH_MAX || + (u16)(nv - ov) <= ARITH_MAX) return 1; + + // 尝试交换字节顺序后再次检查 + ov = SWAP16(ov); nv = SWAP16(nv); + if ((u16)(ov - nv) <= ARITH_MAX || + (u16)(nv - ov) <= ARITH_MAX) return 1; + } + + // 如果blen为4,表示有四个字节,检查整个四字节的差异。 + if (blen == 4) { + if ((u32)(old_val - new_val) <= ARITH_MAX || + (u32)(new_val - old_val) <= ARITH_MAX) return 1; + + // 尝试交换字节顺序后再次检查 + new_val = SWAP32(new_val); + old_val = SWAP32(old_val); + if ((u32)(old_val - new_val) <= ARITH_MAX || + (u32)(new_val - old_val) <= ARITH_MAX) return 1; + } + + // 如果以上条件都不满足,返回0。 + return 0; +} + +// 检测一个值是否可能是通过插入特定的整数得到的,考虑到之前已经插入过的值。 +static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { + u32 i, j; + + // 如果old_val和new_val相同,返回1。 + if (old_val == new_val) return 1; + + // 检查是否可以通过在old_val中插入一个字节的值来得到new_val。 + for (i = 0; i < blen; i++) { + for (j = 0; j < sizeof(interesting_8); j++) { + u32 tval = (old_val & ~(0xff << (i * 8))) | // 清除old_val的第i个字节 + (((u8)interesting_8[j]) << (i * 8)); // 插入新的字节值 + + if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 + } + } + + // 如果blen为2并且check_le为0,表示不需要检查小端字节序,返回0。 + if (blen == 2 && !check_le) return 0; + + // 检查是否可以通过在old_val中插入一个双字节的值来得到new_val。 + for (i = 0; i < blen - 1; i++) { + for (j = 0; j < sizeof(interesting_16) / 2; j++) { + u32 tval = (old_val & ~(0xffff << (i * 8))) | // 清除old_val的第i个双字节 + (((u16)interesting_16[j]) << (i * 8)); // 插入新的双字节值 + + if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 + + // 如果blen大于2,尝试交换字节顺序后再次检查 + if (blen > 2) { + tval = (old_val & ~(0xffff << (i * 8))) | + (SWAP16(interesting_16[j]) << (i * 8)); + if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 + } + } + } + + // 如果blen为4并且check_le为1,表示需要检查大端字节序。 + if (blen == 4 && check_le) { + // 检查是否可以通过插入一个四字节的值来得到new_val(只考虑小端)。 + for (j = 0; j < sizeof(interesting_32) / 4; j++) + if (new_val == (u32)interesting_32[j]) return 1; + } + + // 如果以上条件都不满足,返回0。 + return 0; +} + + +/* Take the current entry from the queue, fuzz it for a while. This + function is a tad too long... returns 0 if fuzzed successfully, 1 if + skipped or bailed out. */ + +static u8 fuzz_one(char** argv) { + + // 定义局部变量,用于存储输入数据长度、文件描述符、临时数据长度等。 + s32 len, fd, temp_len, i, j; + // 分配指针,用于存储输入缓冲区、输出缓冲区、原始输入数据等。 + u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; + // 定义变量,用于记录混沌队列中的路径数量、原始命中次数和新的命中次数。 + u64 havoc_queued, orig_hit_cnt, new_hit_cnt; + // 定义变量,用于记录拼接周期、性能得分、原始性能得分、先前校验和、效应器计数。 + u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; + + // 定义返回值、确定性测试标志。 + u8 ret_val = 1, doing_det = 0; + + // 定义一个数组,用于存储自动收集的额外数据,以及一个计数器。 + u8 a_collect[MAX_AUTO_EXTRA]; + u32 a_len = 0; + +#ifdef IGNORE_FINDS + // 如果定义了IGNORE_FINDS宏,跳过不在初始数据集中的条目。 + if (queue_cur->depth > 1) return 1; + +#else + // 如果有待处理的优选输入且不在IGNORE_FINDS模式。 + if (pending_favored) { + + // 如果队列中有新的优选输入,可能跳过已模糊测试的或非优选的情况。 + if ((queue_cur->was_fuzzed || !queue_cur->favored) && + UR(100) < SKIP_TO_NEW_PROB) return 1; + + } else if (!dumb_mode && !queue_cur->favored && queued_paths > 10) { + + // 否则,对于非优选情况,也可能跳过,但概率较低。 + // 对于已经模糊测试的输入,跳过的概率更高;对于从未模糊测试的输入,概率更低。 + + if (queue_cycle > 1 && !queue_cur->was_fuzzed) { + + // 如果是队列中的第二轮且当前输入未被模糊测试过,根据概率跳过。 + if (UR(100) < SKIP_NFAV_NEW_PROB) return 1; + + } else { + + // 对于已经模糊测试过的输入,根据概率跳过。 + if (UR(100) < SKIP_NFAV_OLD_PROB) return 1; + + } + + } +#endif /* ^IGNORE_FINDS */ + +// 如果当前环境不是终端(tty),则打印模糊测试的进度信息。 +if (not_on_tty) { + ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", + current_entry, queued_paths, unique_crashes); + fflush(stdout); +} + +// 打开当前测试用例文件并将其映射到内存中。 +fd = open(queue_cur->fname, O_RDONLY); + +// 如果打开文件失败,则打印错误信息并终止程序。 +if (fd < 0) PFATAL("Unable to open '%s'", queue_cur->fname); + +// 获取文件长度。 +len = queue_cur->len; + +// 将文件内容映射到内存中的in_buf变量。 +orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + +// 如果映射失败,则打印错误信息并终止程序。 +if (orig_in == MAP_FAILED) PFATAL("Unable to mmap '%s'", queue_cur->fname); + +// 关闭文件描述符。 +close(fd); + +// 分配内存用于输出缓冲区,这里使用ck_alloc_nozero来分配非零内存。 +out_buf = ck_alloc_nozero(len); + +// 初始化连续超时计数器。 +subseq_tmouts = 0; + +// 设置当前深度。 +cur_depth = queue_cur->depth; + +/******************************************* +* CALIBRATION (only if failed earlier on) * +*******************************************/ + +// 如果当前测试用例之前校准失败,则尝试重新校准。 +if (queue_cur->cal_failed) { + + u8 res = FAULT_TMOUT; + + // 如果校准失败次数小于允许的最大次数,则尝试重新校准。 + if (queue_cur->cal_failed < CAL_CHANCES) { + + // 重置exec_cksum,以便重新执行测试用例。 + queue_cur->exec_cksum = 0; + + // 执行校准函数。 + res = calibrate_case(argv, queue_cur, in_buf, queue_cycle - 1, 0); + + // 如果校准失败,则终止程序。 + if (res == FAULT_ERROR) + FATAL("Unable to execute target application"); + + } + + // 如果需要停止或者校准结果不是预期的崩溃模式,则跳过当前测试用例。 + if (stop_soon || res != crash_mode) { + cur_skipped_paths++; + goto abandon_entry; + } + +} + +/************ +* TRIMMING * +************/ + +// 如果没有启用dumb_mode并且当前测试用例尚未修剪,则执行修剪操作。 +if (!dumb_mode && !queue_cur->trim_done) { + + u8 res = trim_case(argv, queue_cur, in_buf); + + // 如果修剪失败,则终止程序。 + if (res == FAULT_ERROR) + FATAL("Unable to execute target application"); + + // 如果需要停止,则跳过当前测试用例。 + if (stop_soon) { + cur_skipped_paths++; + goto abandon_entry; + } + + // 标记为已修剪,不再尝试修剪。 + queue_cur->trim_done = 1; + + // 更新文件长度。 + if (len != queue_cur->len) len = queue_cur->len; + +} + +// 将输入缓冲区的内容复制到输出缓冲区。 +memcpy(out_buf, in_buf, len); + +/********************* +* PERFORMANCE SCORE * +*********************/ + +// 计算性能得分。 +orig_perf = perf_score = calculate_score(queue_cur); + +// 如果启用了-d选项,或者已经对当前测试用例执行过确定性模糊测试,或者它已经通过了早期的确定性测试,则跳过确定性测试阶段。 +if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) + goto havoc_stage; + +// 如果执行路径校验和将当前测试用例排除在当前主实例的范围之外,则跳过确定性测试。 +if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) + goto havoc_stage; + +// 标记为正在执行确定性测试。 +doing_det = 1; + +/********************************************* +* SIMPLE BITFLIP (+dictionary construction) * +********************************************/ + +// 定义一个宏,用于翻转位。 +#define FLIP_BIT(_ar, _b) do { \ + u8* _arf = (u8*)(_ar); \ + u32 _bf = (_b); \ + _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ + } while (0) + +// 执行简单的位翻转测试。 +stage_short = "flip1"; +stage_max = len << 3; +stage_name = "bitflip 1/1"; + +stage_val_type = STAGE_VAL_NONE; + +// 初始化原始命中计数器。 +orig_hit_cnt = queued_paths + unique_crashes; + +// 保存之前的校验和。 +prev_cksum = queue_cur->exec_cksum; + +// 遍历每个位并执行位翻转测试。 +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + // 计算当前位所在的字节。 + stage_cur_byte = stage_cur >> 3; + + // 翻转当前位。 + FLIP_BIT(out_buf, stage_cur); + + // 执行模糊测试。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + // 恢复原始位状态。 + FLIP_BIT(out_buf, stage_cur); + + // 在翻转最低有效位时,执行额外的检测以识别可能的语法标记。 + if (!dumb_mode && (stage_cur & 7) == 7) { + + // 计算新的校验和。 + u32 cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + + // 如果到达文件末尾并且我们仍在收集字符串,则获取最终字符并强制输出。 + if (stage_cur == stage_max - 1 && cksum == prev_cksum) { + + if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; + a_len++; + + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + maybe_add_auto(a_collect, a_len); + + } else if (cksum != prev_cksum) { + + // 否则,如果校验和已更改,则查看是否有值得收集的内容,并在是的情况下收集。 + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + maybe_add_auto(a_collect, a_len); + + a_len = 0; + prev_cksum = cksum; + + } + + // 继续收集字符串,但只有在位翻转实际上产生了影响时,我们才不希望无操作标记。 + + if (cksum != queue_cur->exec_cksum) { + + if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; + a_len++; + + } + + } + +} +// 初始化新的命中计数,这是待处理路径数和唯一崩溃数的总和。 +new_hit_cnt = queued_paths + unique_crashes; + +// 更新STAGE_FLIP1阶段的发现计数和周期数。 +stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; // 发现计数增加新的命中数减去原始的命中数。 +stage_cycles[STAGE_FLIP1] += stage_max; // 增加STAGE_FLIP1的最大周期数。 + +/* 两个行走的位。 */ + +// 设置当前阶段的名称和简称。 +stage_name = "bitflip 2/1"; +stage_short = "flip2"; +// 计算STAGE_FLIP1阶段的最大值,即输入数据长度的8倍减1。 +stage_max = (len << 3) - 1; + +// 将新的命中计数赋值给原始命中计数,以便下一次迭代使用。 +orig_hit_cnt = new_hit_cnt; + +// 循环遍历STAGE_FLIP1阶段的最大值。 +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + + // 计算当前位操作的字节索引。 + stage_cur_byte = stage_cur >> 3; + + // 翻转输出缓冲区中当前位置和下一个位置的位。 + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + + // 如果common_fuzz_stuff函数返回失败,跳转到abandon_entry标签处。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + // 恢复输出缓冲区中当前位置和下一个位置的位到原始状态。 + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + +} + +// 计算新的命中次数,这是当前队列中的路径数加上唯一的崩溃次数。 +new_hit_cnt = queued_paths + unique_crashes; + +// 更新FLIP2阶段的发现次数和周期数。 +stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP2] += stage_max; + +// 定义FLIP4阶段的名称和简称。 +stage_name = "bitflip 4/1"; +stage_short = "flip4"; +// 计算FLIP4阶段的最大值,这是输入长度的三倍减去3。 +stage_max = (len << 3) - 3; + +// 将新的命中次数保存为原始命中次数,以便在下一个阶段使用。 +orig_hit_cnt = new_hit_cnt; + +// 循环,对每个可能的位位置进行操作。 +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + // 计算当前操作的字节位置。 + stage_cur_byte = stage_cur >> 3; + + // 翻转当前位置及其后三个位置的位。 + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + FLIP_BIT(out_buf, stage_cur + 2); + FLIP_BIT(out_buf, stage_cur + 3); + + // 如果common_fuzz_stuff函数返回真,则跳转到abandon_entry标签。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + // 恢复原始位状态。 + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + FLIP_BIT(out_buf, stage_cur + 2); + FLIP_BIT(out_buf, stage_cur + 3); +} + +// 更新FLIP4阶段的发现次数和周期数。 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP4] += stage_max; + +// 定义一些宏,用于计算effector map中的位置和长度。 +#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2) +#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1)) +#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l)) +#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l) - 1) - EFF_APOS(_p) + 1) + +// 初始化下一个步骤的effector map,并标记第一个和最后一个字节为活跃的。 +eff_map = ck_alloc(EFF_ALEN(len)); +eff_map[0] = 1; + +// 如果最后一个字节的位置不等于0,则标记它为活跃的,并增加eff_cnt计数器。 +if (EFF_APOS(len - 1) != 0) { + eff_map[EFF_APOS(len - 1)] = 1; + eff_cnt++; +} + +// 定义FLIP8阶段的名称和简称。 +stage_name = "bitflip 8/8"; +stage_short = "flip8"; +// 设置FLIP8阶段的最大值为输入长度。 +stage_max = len; + +// 将新的命中次数保存为原始命中次数,以便在下一个阶段使用。 +orig_hit_cnt = new_hit_cnt; + +// 循环,对每个字节进行操作。 +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + // 计算当前操作的字节位置。 + stage_cur_byte = stage_cur; + + // 翻转当前字节的所有位。 + out_buf[stage_cur] ^= 0xFF; + + // 如果common_fuzz_stuff函数返回真,则跳转到abandon_entry标签。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + // 如果当前字节在effector map中未被标记,则进行进一步的检查。 + if (!eff_map[EFF_APOS(stage_cur)]) { + u32 cksum; + + // 如果处于dumb模式或文件非常短,则不进行checksum计算。 + if (!dumb_mode && len >= EFF_MIN_LEN) + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + else + cksum = ~queue_cur->exec_cksum; + + // 如果checksum与预期不符,则标记该字节为活跃的,并增加eff_cnt计数器。 + if (cksum != queue_cur->exec_cksum) { + eff_map[EFF_APOS(stage_cur)] = 1; + eff_cnt++; + } + } + + // 恢复原始字节状态。 + out_buf[stage_cur] ^= 0xFF; +} + +/* 如果效应器(effector)映射的密度超过EFF_MAX_PERC指定的百分比, + 则标记整个映射为值得fuzzing(模糊测试),因为我们不会节省太多时间。 */ + +if (eff_cnt != EFF_ALEN(len) && + eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) { + + // 如果超过阈值,则将整个效应器映射标记为1(即,所有位都值得测试) + memset(eff_map, 1, EFF_ALEN(len)); + + // 更新被选中进行模糊测试的块的数量 + blocks_eff_select += EFF_ALEN(len); + +} else { + + // 如果没有超过阈值,则只增加实际有效应器的计数 + blocks_eff_select += eff_cnt; + +} + +// 更新总共被考虑进行模糊测试的块的数量 +blocks_eff_total += EFF_ALEN(len); + +// 更新在当前阶段发现的新问题(如路径或崩溃)的数量 +new_hit_cnt = queued_paths + unique_crashes; + +// 更新当前阶段(STAGE_FLIP8)的发现和周期计数 +stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP8] += stage_max; + +/* 处理两个行走的字节。 */ + +// 如果长度小于2,则跳过位翻转 +if (len < 2) goto skip_bitflip; + +// 设置当前阶段的名称和简称 +stage_name = "bitflip 16/8"; +stage_short = "flip16"; +stage_cur = 0; // 当前阶段的当前进度 +stage_max = len - 1; // 当前阶段的最大进度 + +// 记录原始的命中计数 +orig_hit_cnt = new_hit_cnt; + +// 遍历输入数据,每次处理两个字节 +for (i = 0; i < len - 1; i++) { + + // 检查效应器映射,如果当前和下一个字节都不是效应器,则跳过 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max--; + continue; + } + + // 设置当前处理的字节位置 + stage_cur_byte = i; + + // 翻转当前两个字节的所有位 + *(u16*)(out_buf + i) ^= 0xFFFF; + + // 执行模糊测试的常见操作,如果失败则跳转到abandon_entry + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + // 恢复原始数据 + *(u16*)(out_buf + i) ^= 0xFFFF; + +} + +// 更新新发现的问题数量和周期计数 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP16] += stage_max; + +// 如果长度小于4,则跳过四字节位翻转 +if (len < 4) goto skip_bitflip; + +/* 处理四个行走的字节。 */ + +// 设置当前阶段的名称和简称 +stage_name = "bitflip 32/8"; +stage_short = "flip32"; +stage_cur = 0; +stage_max = len - 3; + +// 记录原始的命中计数 +orig_hit_cnt = new_hit_cnt; + +// 遍历输入数据,每次处理四个字节 +for (i = 0; i < len - 3; i++) { + + // 检查效应器映射,如果当前和接下来三个字节都不是效应器,则跳过 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max--; + continue; + } + + // 设置当前处理的字节位置 + stage_cur_byte = i; + + // 翻转当前四个字节的所有位 + *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + + // 执行模糊测试的常见操作,如果失败则跳转到abandon_entry + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + // 恢复原始数据 + *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + +} + +// 更新新发现的问题数量和周期计数 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP32] += stage_max; +// 跳过算术操作的标签 +skip_bitflip: + +// 如果设置了no_arith标志,则跳过算术操作 +if (no_arith) goto skip_arith; + +/************************** + * ARITHMETIC INC/DEC * + *************************/ + +// 8位算术操作 +stage_name = "arith 8/8"; +stage_short = "arith8"; +stage_cur = 0; // 当前阶段的当前值 +stage_max = 2 * len * ARITH_MAX; // 最大可能的值 + +stage_val_type = STAGE_VAL_LE; // 值的类型,这里设置为小端 + +orig_hit_cnt = new_hit_cnt; // 原始的命中次数 + +// 对输入缓冲区中的每个字节进行操作 +for (i = 0; i < len; i++) { + u8 orig = out_buf[i]; // 原始字节值 + + // 如果当前位置不在影响映射中,则跳过 + if (!eff_map[EFF_APOS(i)]) { + stage_max -= 2 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; // 当前处理的字节位置 + + // 对每个可能的增量进行操作 + for (j = 1; j <= ARITH_MAX; j++) { + u8 r = orig ^ (orig + j); // 计算增加j后的值 + + // 如果结果不可能是位翻转的结果,则进行算术操作 + if (!could_be_bitflip(r)) { + stage_cur_val = j; + out_buf[i] = orig + j; // 应用增加操作 + + // 如果公共模糊测试函数返回成功,则跳转到abandon_entry标签 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + r = orig ^ (orig - j); // 计算减少j后的值 + + // 如果结果不可能是位翻转的结果,则进行算术操作 + if (!could_be_bitflip(r)) { + stage_cur_val = -j; + out_buf[i] = orig - j; // 应用减少操作 + + // 如果公共模糊测试函数返回成功,则跳转到abandon_entry标签 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + out_buf[i] = orig; // 恢复原始值 + } +} + +// 更新命中次数和阶段统计信息 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_ARITH8] += stage_max; + +// 16位算术操作,包括小端和大端 +if (len < 2) goto skip_arith; + +stage_name = "arith 16/8"; +stage_short = "arith16"; +stage_cur = 0; +stage_max = 4 * (len - 1) * ARITH_MAX; + +orig_hit_cnt = new_hit_cnt; + +// 对输入缓冲区中每两个字节进行操作 +for (i = 0; i < len - 1; i++) { + u16 orig = *(u16*)(out_buf + i); // 原始的16位值 + + // 如果当前位置和下一个位置都不在影响映射中,则跳过 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max -= 4 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; + + // 对每个可能的增量进行操作 + for (j = 1; j <= ARITH_MAX; j++) { + u16 r1 = orig ^ (orig + j), // 小端增加 + r2 = orig ^ (orig - j), // 小端减少 + r3 = orig ^ SWAP16(SWAP16(orig) + j), // 大端增加 + r4 = orig ^ SWAP16(SWAP16(orig) - j); // 大端减少 + + // 尝试小端增加和减少操作 + stage_val_type = STAGE_VAL_LE; + + if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { + stage_cur_val = j; + *(u16*)(out_buf + i) = orig + j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + if ((orig & 0xff) < j && !could_be_bitflip(r2)) { + stage_cur_val = -j; + *(u16*)(out_buf + i) = orig - j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + // 尝试大端增加和减少操作 + stage_val_type = STAGE_VAL_BE; + + if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { + stage_cur_val = j; + *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + if ((orig >> 8) < j && !could_be_bitflip(r4)) { + stage_cur_val = -j; + *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + *(u16*)(out_buf + i) = orig; // 恢复原始值 + } +} + +// 更新命中次数和阶段统计信息 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_ARITH16] += stage_max; + +// 32位算术操作,包括小端和大端 +if (len < 4) goto skip_arith; + +stage_name = "arith 32/8"; +stage_short = "arith32"; +stage_cur = 0; +stage_max = 4 * (len - 3) * ARITH_MAX; + +orig_hit_cnt = new_hit_cnt; + +// 对输入缓冲区中每四个字节进行操作 +for (i = 0; i < len - 3; i++) { + u32 orig = *(u32*)(out_buf + i); // 原始的32位值 + + // 如果当前位置和接下来的三个位置都不在影响映射中,则跳过 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max -= 4 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; + + // 对每个可能的增量进行操作 + for (j = 1; j <= ARITH_MAX; j++) { + u32 r1 = orig ^ (orig + j), // 小端增加 + r2 = orig ^ (orig - j), // 小端减少 + r3 = orig ^ SWAP32(SWAP32(orig) + j), // 大端增加 + r4 = orig ^ SWAP32(SWAP32(orig) - j); // 大端减少 + + // 尝试小端增加和减少操作 + stage_val_type = STAGE_VAL_LE; + + if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { + stage_cur_val = j; + *(u32*)(out_buf + i) = orig + j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { + stage_cur_val = -j; + *(u32*)(out_buf + i) = orig - j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + // 尝试大端增加和减少操作 + stage_val_type = STAGE_VAL_BE; + + if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { + stage_cur_val = j; + *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + + // 如果原始值的大端格式的低16位小于增量j,并且结果不可能是位翻转的结果 + if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { + // 设置当前阶段的值为负的增量j + stage_cur_val = -j; + // 对当前的32位值进行大端格式的减法操作,并更新输出缓冲区 + *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); + + // 执行公共的模糊测试操作,如果测试中断,则跳转到abandon_entry标签 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + // 如果测试没有中断,增加当前阶段的计数器 + stage_cur++; + } else { + // 如果操作不可能产生新的命中,减少最大阶段计数 + stage_max--; + } + + // 恢复原始的32位值,以便下一次迭代使用 + *(u32*)(out_buf + i) = orig; + + } + + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_ARITH32] += stage_max; + +// 如果设置了跳过算术处理的标志,则跳到下一个阶段。 +skip_arith: + +/********************** + * INTERESTING VALUES * +**********************/ + +// 设置当前阶段的名称和简称。 +stage_name = "interest 8/8"; +stage_short = "int8"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = len * sizeof(interesting_8); // 最大次数为输入数据长度与有趣8位整数数组大小的乘积。 + +stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 + +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + +// 设置8位整数。 +for (i = 0; i < len; i++) { + u8 orig = out_buf[i]; // 保存原始字节。 + + // 如果当前位置在效应器映射中没有设置,则跳过。 + if (!eff_map[EFF_APOS(i)]) { + stage_max -= sizeof(interesting_8); + continue; + } + + stage_cur_byte = i; // 设置当前处理的字节位置。 + + // 遍历有趣的8位整数数组。 + for (j = 0; j < sizeof(interesting_8); j++) { + // 如果该值可能是位翻转或算术操作的结果,则跳过。 + if (could_be_bitflip(orig ^ (u8)interesting_8[j]) || + could_be_arith(orig, (u8)interesting_8[j], 1)) { + stage_max--; + continue; + } + + stage_cur_val = interesting_8[j]; // 设置当前阶段的值。 + out_buf[i] = interesting_8[j]; // 设置有趣的值。 + + // 执行模糊测试操作,如果需要则放弃当前输入。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + out_buf[i] = orig; // 恢复原始值。 + stage_cur++; // 增加当前阶段的计数器。 + } +} + +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; + +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_INTEREST8] += stage_max; + +// 如果设置了不进行算术处理或输入数据长度小于2,则跳过16位整数的处理。 +if (no_arith || len < 2) goto skip_interest; + +// 设置当前阶段的名称和简称。 +stage_name = "interest 16/8"; +stage_short = "int16"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1); // 最大次数为输入数据长度减1与有趣16位整数数组大小的乘积。 + +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + +// 设置16位整数,包括小端和大端。 +for (i = 0; i < len - 1; i++) { + u16 orig = *(u16*)(out_buf + i); // 保存原始的16位整数。 + + // 如果当前位置和下一位在效应器映射中没有设置,则跳过。 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max -= sizeof(interesting_16); + continue; + } + + stage_cur_byte = i; // 设置当前处理的字节位置。 + + // 遍历有趣的16位整数数组。 + for (j = 0; j < sizeof(interesting_16) / 2; j++) { + stage_cur_val = interesting_16[j]; // 设置当前阶段的值。 + + // 如果该值不可能是位翻转、算术操作或单字节有趣值插入的结果,则进行处理。 + if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) && + !could_be_arith(orig, (u16)interesting_16[j], 2) && + !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) { + stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 + + *(u16*)(out_buf + i) = interesting_16[j]; // 设置有趣的值。 + + // 执行模糊测试操作,如果需要则放弃当前输入。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; // 增加当前阶段的计数器。 + } else { + stage_max--; // 减少最大次数。 + } + + // 对于大端情况也进行相同的处理。 + if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && + !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && + !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && + !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) { + stage_val_type = STAGE_VAL_BE; // 设置阶段值类型为大端。 + + *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); // 设置有趣的值。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else { + stage_max--; + } + } + + *(u16*)(out_buf + i) = orig; // 恢复原始值。 +} + +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; + +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_INTEREST16] += stage_max; + +// 如果输入数据长度小于4,则跳过32位整数的处理。 +if (len < 4) goto skip_interest; + +// 设置当前阶段的名称和简称。 +stage_name = "interest 32/8"; +stage_short = "int32"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2); // 最大次数为输入数据长度减3与有趣32位整数数组大小的乘积。 + +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + +// 设置32位整数,包括小端和大端。 +for (i = 0; i < len - 3; i++) { + u32 orig = *(u32*)(out_buf + i); // 保存原始的32位整数。 + + // 如果当前位置和接下来三位在效应器映射中没有设置,则跳过。 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max -= sizeof(interesting_32) >> 1; + continue; + } + + stage_cur_byte = i; // 设置当前处理的字节位置。 + + // 遍历有趣的32位整数数组。 + for (j = 0; j < sizeof(interesting_32) / 4; j++) { + stage_cur_val = interesting_32[j]; // 设置当前阶段的值。 + + // 如果该值不可能是位翻转、算术操作或词有趣值插入的结果,则进行处理。 + if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) && + !could_be_arith(orig, interesting_32[j], 4) && + !could_be_interest(orig, interesting_32[j], 4, 0)) { + stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 + + *(u32*)(out_buf + i) = interesting_32[j]; // 设置有趣的值。 + + // 执行模糊测试操作,如果需要则放弃当前输入。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; // 增加当前阶段的计数器。 + } else stage_max--; // 减少最大次数。 + + // 对于大端情况也进行相同的处理。 + if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && + !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && + !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && + !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) { + +// 设置阶段值类型为大端。 + stage_val_type = STAGE_VAL_BE; + *(u32*)(out_buf + i) = SWAP32(interesting_32[j]); + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + } +// 恢复原始的32位整数值。 +*(u32*)(out_buf + i) = orig; + +// 完成对当前输入数据的所有有趣值设置后,更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; + +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_INTEREST32] += stage_max; + +// 如果没有用户定义的额外数据,则跳过此段代码。 +skip_interest: + +/******************** + * DICTIONARY STUFF * + ********************/ +if (!extras_cnt) goto skip_user_extras; + +// 使用用户提供的额外数据进行覆盖操作。 +stage_name = "user extras (over)"; +stage_short = "ext_UO"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = extras_cnt * len; // 最大次数为额外数据的数量乘以输入数据的长度。 + +stage_val_type = STAGE_VAL_NONE; // 设置阶段值类型为无。 + +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + +// 对输入数据的每个字节位置进行操作。 +for (i = 0; i < len; i++) { + u32 last_len = 0; + stage_cur_byte = i; // 设置当前处理的字节位置。 + + // 遍历每个额外数据。 + for (j = 0; j < extras_cnt; j++) { + // 如果额外数据的数量大于最大确定性额外数据,或者没有足够的空间插入数据, + // 或者该数据已经存在于输出缓冲区中,或者有效性映射显示该位置不适合插入,则跳过此额外数据。 + if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || + extras[j].len > len - i || + !memcmp(extras[j].data, out_buf + i, extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) { + stage_max--; + continue; + } + + last_len = extras[j].len; + memcpy(out_buf + i, extras[j].data, last_len); // 将额外数据复制到输出缓冲区的当前位置。 + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; // 对修改后的输出缓冲区执行通用模糊测试操作。 + + stage_cur++; // 增加当前阶段的计数器。 + } + + // 恢复所有被覆盖的内存。 + memcpy(out_buf + i, in_buf + i, last_len); +} + +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; + +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_EXTRAS_UO] += stage_max; + +// 用户提供的额外数据进行插入操作。 +stage_name = "user extras (insert)"; +stage_short = "ext_UI"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = extras_cnt * (len + 1); // 最大次数为额外数据的数量乘以(输入数据的长度 + 1)。 + +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + +// 分配临时缓冲区,大小为输入数据的长度加上最大字典文件的大小。 +ex_tmp = ck_alloc(len + MAX_DICT_FILE); + +// 遍历输入数据的每个位置以及末尾。 +for (i = 0; i <= len; i++) { + stage_cur_byte = i; // 设置当前处理的字节位置。 + + // 遍历每个额外数据。 + for (j = 0; j < extras_cnt; j++) { + if (len + extras[j].len > MAX_FILE) { + stage_max--; + continue; + } + + // 插入额外数据。 + memcpy(ex_tmp + i, extras[j].data, extras[j].len); + + // 复制原始数据的剩余部分。 + memcpy(ex_tmp + i + extras[j].len, out_buf + i, len - i); + + if (common_fuzz_stuff(argv, ex_tmp, len + extras[j].len)) { + ck_free(ex_tmp); + goto abandon_entry; + } + + stage_cur++; // 增加当前阶段的计数器。 + } + + // 复制原始数据的当前部分。 + ex_tmp[i] = out_buf[i]; +} + +// 释放临时缓冲区。 +ck_free(ex_tmp); + +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; + +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_EXTRAS_UI] += stage_max; +// 如果没有用户提供的额外数据,则跳过处理。 +skip_user_extras: +if (!a_extras_cnt) goto skip_extras; + +// 设置当前阶段的名称和简短名称。 +stage_name = "auto extras (over)"; +stage_short = "ext_AO"; +// 初始化当前阶段的计数器和最大值,最大值是额外数据的数量乘以输入数据的长度。 +stage_cur = 0; +stage_max = MIN(a_extras_cnt, USE_AUTO_EXTRAS) * len; + +// 设置阶段值类型为无。 +stage_val_type = STAGE_VAL_NONE; + +// 记录原始的命中次数。 +orig_hit_cnt = new_hit_cnt; + +// 遍历输入数据的每个字节位置。 +for (i = 0; i < len; i++) { + u32 last_len = 0; + + // 设置当前处理的字节位置。 + stage_cur_byte = i; + + // 遍历每个额外数据。 + for (j = 0; j < MIN(a_extras_cnt, USE_AUTO_EXTRAS); j++) { + // 如果额外数据的大小超过了剩余长度,或者该数据已经存在于输出缓冲区中, + // 或者有效性映射显示该位置不适合插入,则跳过此额外数据。 + if (a_extras[j].len > len - i || + !memcmp(a_extras[j].data, out_buf + i, a_extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, a_extras[j].len))) { + stage_max--; + continue; + } + + // 记录额外数据的长度,并将其复制到输出缓冲区的当前位置。 + last_len = a_extras[j].len; + memcpy(out_buf + i, a_extras[j].data, last_len); + + // 对修改后的输出缓冲区执行通用模糊测试操作,如果需要则放弃当前输入。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + // 增加当前阶段的计数器。 + stage_cur++; + } + + // 恢复所有被覆盖的内存。 + memcpy(out_buf + i, in_buf + i, last_len); +} + +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; + +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_EXTRAS_AO] += stage_max; + +// 跳过额外数据的处理。 +skip_extras: + +// 如果我们到达这里而没有跳转到havoc_stage或abandon_entry, +// 则我们已经完成了确定性的步骤,并可以在.state目录中标记为完成。 +if (!queue_cur->passed_det) mark_as_det_done(queue_cur); + +//**************** +//* RANDOM HAVOC * +//**************** + +// 到达随机混沌(havoc)阶段。 +havoc_stage: +stage_cur_byte = -1; + +// 如果当前是拼接周期,则生成不同的描述。 +if (!splice_cycle) { + // 设置混沌阶段的名称和简短名称。 + stage_name = "havoc"; + stage_short = "havoc"; + // 计算混沌阶段的最大运行次数,基于性能得分和一些常数。 + stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) * + perf_score / havoc_div / 100; +} else { + // 如果是拼接周期,设置特定的名称和最大运行次数。 + static u8 tmp[32]; + perf_score = orig_perf; + sprintf(tmp, "splice %u", splice_cycle); + stage_name = tmp; + stage_short = "splice"; + stage_max = SPLICE_HAVOC * perf_score / havoc_div / 100; +} + +// 确保最大运行次数不低于最小值。 +if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; + +// 设置临时长度为输入数据的长度。 +temp_len = len; + +// 记录原始的命中次数。 +orig_hit_cnt = queued_paths + unique_crashes; + +// 记录当前队列中的路径数量。 +havoc_queued = queued_paths; + +/* + 我们基本上执行几千次运行(取决于perf_score),在这些运行中我们获取输入文件并进行随机的叠加修改。 +*/ +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + // 随机选择一个叠加因子,范围从1到2^(HAVOC_STACK_POW2)。 + u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); + + // 将当前阶段的值设置为所选的叠加因子。 + stage_cur_val = use_stacking; + + // 根据叠加因子重复多次修改操作。 + for (i = 0; i < use_stacking; i++) { + // 随机选择一个操作,如果存在额外的数据,则选项会更多。 + switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { + /* + 在某个位置翻转单个位。这是一项基本的位操作,可以用来测试程序对位错误的敏感性。 + */ + case 0: + FLIP_BIT(out_buf, UR(temp_len << 3)); + break; + + /* + 将某个字节设置为一个有趣的值。这些值通常是那些在程序逻辑中具有特殊意义的值,比如0, 1, -1等。 + */ + case 1: + out_buf[UR(temp_len)] = interesting_8[UR(sizeof(interesting_8))]; + break; + + /* + 将某个字(word)设置为一个有趣的值,并随机选择字节序。 + 字节序的选择可以帮助测试程序对不同字节序的处理能力。 + */ + case 2: + if (temp_len < 2) break; + + if (UR(2)) { + *(u16*)(out_buf + UR(temp_len - 1)) = interesting_16[UR(sizeof(interesting_16) >> 1)]; + } else { + *(u16*)(out_buf + UR(temp_len - 1)) = SWAP16(interesting_16[UR(sizeof(interesting_16) >> 1)]); + } + break; + + /* + 将某个双字(dword)设置为一个有趣的值,并随机选择字节序。 + 类似于字操作,但是针对更大的数据单元。 + */ + case 3: + if (temp_len < 4) break; + + if (UR(2)) { + *(u32*)(out_buf + UR(temp_len - 3)) = interesting_32[UR(sizeof(interesting_32) >> 2)]; + } else { + *(u32*)(out_buf + UR(temp_len - 3)) = SWAP32(interesting_32[UR(sizeof(interesting_32) >> 2)]); + } + break; + + /* + 从某个字节随机减去一个值。这是一种简单的算术操作,可以用来测试程序的健壮性。 + */ + case 4: + out_buf[UR(temp_len)] -= 1 + UR(ARITH_MAX); + break; + + /* + 向某个字节随机添加一个值。 + */ + case 5: + out_buf[UR(temp_len)] += 1 + UR(ARITH_MAX); + break; + + /* + 从一个词(word)随机减去一个值,并随机选择字节序。 + */ + case 6: + if (temp_len < 2) break; + + if (UR(2)) { + u32 pos = UR(temp_len - 1); + *(u16*)(out_buf + pos) -= 1 + UR(ARITH_MAX); + } else { + u32 pos = UR(temp_len - 1); + u16 num = 1 + UR(ARITH_MAX); + *(u16*)(out_buf + pos) = SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); + } + break; + + /* + 向一个词(word)随机添加一个值,并随机选择字节序。 + */ + case 7: + if (temp_len < 2) break; + + if (UR(2)) { + u32 pos = UR(temp_len - 1); + *(u16*)(out_buf + pos) += 1 + UR(ARITH_MAX); + } else { + u32 pos = UR(temp_len - 1); + u16 num = 1 + UR(ARITH_MAX); + *(u16*)(out_buf + pos) = SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); + } + break; + + /* + 从一个双字(dword)随机减去一个值,并随机选择字节序。 + */ + case 8: + if (temp_len < 4) break; + + if (UR(2)) { + u32 pos = UR(temp_len - 3); + *(u32*)(out_buf + pos) -= 1 + UR(ARITH_MAX); + } else { + u32 pos = UR(temp_len - 3); + u32 num = 1 + UR(ARITH_MAX); + *(u32*)(out_buf + pos) = SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); + } + break; +// case 9: 开始处理第9种情况,即随机增加一个双字节(dword),可以是随机字节序。 +case 9: + /* 如果临时数据长度小于4字节,则无法进行操作,因此跳出。 */ + if (temp_len < 4) break; + + // 以50%的概率选择是增加一个双字节还是进行字节序交换后增加。 + if (UR(2)) { + u32 pos = UR(temp_len - 3); + // 直接在指定位置增加一个随机值,范围从1到ARITH_MAX。 + *(u32*)(out_buf + pos) += 1 + UR(ARITH_MAX); + } else { + u32 pos = UR(temp_len - 3); + u32 num = 1 + UR(ARITH_MAX); + // 先进行字节序交换,然后增加一个随机值,最后再进行字节序交换。 + *(u32*)(out_buf + pos) = + SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); + } + break; + +// case 10: 开始处理第10种情况,即随机设置一个字节为随机值。 +case 10: + /* 随机选择一个字节,然后使用XOR操作将其设置为1到255之间的随机值,以避免无操作(no-op)。 */ + out_buf[UR(temp_len)] ^= 1 + UR(255); + break; + +// case 11和case 12: 开始处理删除字节的操作。 +case 11 ... 12: { + /* 删除字节。我们使得这个操作比插入(下一个选项)更有可能,以希望保持文件的合理大小。 */ + u32 del_from, del_len; + + // 如果临时数据长度小于2字节,则无法进行删除操作,因此跳出。 + if (temp_len < 2) break; + + /* 不要删除太多数据。 */ + del_len = choose_block_len(temp_len - 1); + del_from = UR(temp_len - del_len + 1); + + // 将删除位置之后的数据向前移动。 + memmove(out_buf + del_from, out_buf + del_from + del_len, + temp_len - del_from - del_len); + + temp_len -= del_len; // 更新临时数据长度。 + break; +} + +// case 13: 开始处理插入或克隆字节的操作。 +case 13: + if (temp_len + HAVOC_BLK_XL < MAX_FILE) { + /* 克隆字节(75%概率)或插入一个常数块(25%概率)。 */ + u8 actually_clone = UR(4); + u32 clone_from, clone_to, clone_len; + u8* new_buf; + + if (actually_clone) { + clone_len = choose_block_len(temp_len); + clone_from = UR(temp_len - clone_len + 1); + } else { + clone_len = choose_block_len(HAVOC_BLK_XL); + clone_from = 0; + } + + clone_to = UR(temp_len); + + new_buf = ck_alloc_nozero(temp_len + clone_len); + + /* 头部 */ + memcpy(new_buf, out_buf, clone_to); + + /* 插入部分 */ + if (actually_clone) + memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); + else + memset(new_buf + clone_to, + UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len); + + /* 尾部 */ + memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, + temp_len - clone_to); + + ck_free(out_buf); + out_buf = new_buf; + temp_len += clone_len; // 更新临时数据长度。 + } + break; + +// case 14: 开始处理用随机选择的数据块或固定数据覆盖字节的操作。 +case 14: { + u32 copy_from, copy_to, copy_len; + + if (temp_len < 2) break; + + copy_len = choose_block_len(temp_len - 1); + + copy_from = UR(temp_len - copy_len + 1); + copy_to = UR(temp_len - copy_len + 1); + + if (UR(4)) { + if (copy_from != copy_to) + memmove(out_buf + copy_to, out_buf + copy_from, copy_len); + } else { + memset(out_buf + copy_to, + UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); + } + break; +} + +/* 只有当字典中有额外数据时,才能选择值15和16。 */ + +// case 15: 开始处理用额外数据覆盖字节的操作。 +case 15: { + if (!extras_cnt || (a_extras_cnt && UR(2))) { + /* 没有用户指定的额外数据,或者随机数倾向于使用自动检测到的数据。 */ + u32 use_extra = UR(a_extras_cnt); + u32 extra_len = a_extras[use_extra].len; + u32 insert_at; + + if (extra_len > temp_len) break; + + insert_at = UR(temp_len - extra_len + 1); + memcpy(out_buf + insert_at, a_extras[use_extra].data, extra_len); + } else { + /* 没有自动检测到的额外数据,或者随机数倾向于使用字典中的数据。 */ + u32 use_extra = UR(extras_cnt); + u32 extra_len = extras[use_extra].len; + u32 insert_at; + + if (extra_len > temp_len) break; + + insert_at = UR(temp_len - extra_len + 1); + memcpy(out_buf + insert_at, extras[use_extra].data, extra_len); + } + break; +} + +// case 16: 开始处理插入额外数据的操作。 +case 16: { + u32 use_extra, extra_len, insert_at = UR(temp_len + 1); + u8* new_buf; + + if (!extras_cnt || (a_extras_cnt && UR(2))) { + use_extra = UR(a_extras_cnt); + extra_len = a_extras[use_extra].len; + + if (temp_len + extra_len >= MAX_FILE) break; + + new_buf = ck_alloc_nozero(temp_len + extra_len); + + /* 头部 */ + memcpy(new_buf, out_buf, insert_at); + + /* 插入部分 */ + memcpy(new_buf + insert_at, a_extras[use_extra].data, extra_len); + } else { + use_extra = UR(extras_cnt); + extra_len = extras[use_extra].len; + + if (temp_len + extra_len >= MAX_FILE) break; + + new_buf = ck_alloc_nozero(temp_len + extra_len); + + /* 头部 */ + memcpy(new_buf, out_buf, insert_at); + + /* 插入部分 */ + memcpy(new_buf + insert_at, extras[use_extra].data, extra_len); + } + + /* 尾部 */ + memcpy(new_buf + insert_at + extra_len, out_buf + insert_at, + temp_len - insert_at); + + ck_free(out_buf); + out_buf = new_buf; + temp_len += extra_len; // 更新临时数据长度。 + break; + } + } + } + } +} +// 检查通用模糊测试函数是否指示我们应该放弃当前的输入。 +// 如果common_fuzz_stuff函数返回真(非零值),则跳转到标签abandon_entry。 +if (common_fuzz_stuff(argv, out_buf, temp_len)) + goto abandon_entry; + +// 如果out_buf在之前的处理中被破坏了,我们需要将其恢复到原始大小和形状。 +// 如果临时长度temp_len小于原始长度len,我们需要重新分配out_buf的大小为len。 +if (temp_len < len) + out_buf = ck_realloc(out_buf, len); +// 将temp_len设置回原始长度len。 +temp_len = len; +// 将原始输入数据in_buf复制回out_buf,以恢复其原始内容。 +memcpy(out_buf, in_buf, len); + +// 如果我们发现了新的问题或崩溃,我们应该在限制范围内继续运行更长时间。 +if (queued_paths != havoc_queued) { + // 如果性能得分perf_score小于或等于最大乘数HAVOC_MAX_MULT乘以100, + // 我们将当前阶段的最大尝试次数stage_max翻倍,并将性能得分perf_score翻倍。 + if (perf_score <= HAVOC_MAX_MULT * 100) { + stage_max *= 2; + perf_score *= 2; + } + // 更新havoc_queued为当前的queued_paths值。 + havoc_queued = queued_paths; +} + +// 计算新的发现数量,包括新加入队列的路径数queued_paths和独特的崩溃数unique_crashes。 +new_hit_cnt = queued_paths + unique_crashes; + +// 如果当前不是拼接周期splice_cycle,则更新HAVOC阶段的发现和周期计数。 +if (!splice_cycle) { + stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_HAVOC] += stage_max; +} else { + // 如果当前是拼接周期,则更新SPLICE阶段的发现和周期计数。 + stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_SPLICE] += stage_max; +} + +// 如果没有定义IGNORE_FINDS宏,则执行以下代码。 +#ifndef IGNORE_FINDS + + /************ + * SPLICING * + ************/ + + /* 这是一种最后的手段策略,当一轮完整的测试没有发现任何问题时触发。 + 它获取当前的输入文件,随机选择另一个输入,并在某个偏移量处将它们拼接在一起, + 然后依赖havoc代码来变异这个新拼接的数据块。*/ + + +retry_splicing: + +// 如果启用了拼接,并且拼接周期小于最大拼接周期数,并且队列中有多个测试用例,且当前测试用例长度大于1,则尝试拼接操作。 +if (use_splicing && splice_cycle++ < SPLICE_CYCLES && + queued_paths > 1 && queue_cur->len > 1) { + + struct queue_entry* target; // 指向目标队列条目的指针 + u32 tid, split_at; // 目标ID和分割点 + u8* new_buf; // 新的缓冲区 + s32 f_diff, l_diff; // 第一个和最后一个不同字节的位置 + + /* 首先,如果我们对in_buf进行了havoc操作的修改,我们需要清理它... */ + + // 如果in_buf不是原始输入缓冲区,释放它并将in_buf重置为原始输入缓冲区 + if (in_buf != orig_in) { + ck_free(in_buf); + in_buf = orig_in; + len = queue_cur->len; + } + + /* 随机选择一个队列条目并定位到它。不要与自己拼接。 */ + + // 随机选择一个目标ID,确保它不是当前条目 + do { tid = UR(queued_paths); } while (tid == current_entry); + + splicing_with = tid; // 记录当前拼接的目标ID + target = queue; // 初始化目标指向队列头部 + + // 定位到目标队列条目 + while (tid >= 100) { target = target->next_100; tid -= 100; } + while (tid--) target = target->next; + + /* 确保目标有合理的长度。 */ + + // 确保目标条目长度足够,并且不是当前条目 + while (target && (target->len < 2 || target == queue_cur)) { + target = target->next; + splicing_with++; + } + + // 如果没有合适的目标,重试拼接 + if (!target) goto retry_splicing; + + /* 将测试用例读入新缓冲区。 */ + + // 打开目标文件 + fd = open(target->fname, O_RDONLY); + + // 如果打开失败,输出错误信息并退出 + if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + + // 分配新缓冲区 + new_buf = ck_alloc_nozero(target->len); + + // 读取目标文件内容到新缓冲区 + ck_read(fd, new_buf, target->len, target->fname); + + // 关闭文件描述符 + close(fd); + + /* 寻找合适的拼接位置,在第一个和最后一个不同字节之间。如果差异只是单个字节或很少几个字节,则放弃。 */ + + // 定位两个缓冲区中的差异 + locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff); + + // 如果没有合适的差异或者差异太小,释放新缓冲区并重试拼接 + if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { + ck_free(new_buf); + goto retry_splicing; + } + + /* 在第一个和最后一个不同字节之间选择一个位置进行分割。 */ + + // 选择分割点 + split_at = f_diff + UR(l_diff - f_diff); + + /* 执行拼接操作。 */ + + // 更新长度为目标长度 + len = target->len; + // 将分割点之前的数据复制到新缓冲区 + memcpy(new_buf, in_buf, split_at); + // 更新输入缓冲区为新缓冲区 + in_buf = new_buf; + + // 释放旧的输出缓冲区 + ck_free(out_buf); + // 分配新的输出缓冲区 + out_buf = ck_alloc_nozero(len); + // 将新缓冲区内容复制到输出缓冲区 + memcpy(out_buf, in_buf, len); + + // 跳转到havoc阶段 + goto havoc_stage; + +} + +#endif /* !IGNORE_FINDS */ + +// 设置返回值为0 +ret_val = 0; + +// 放弃当前条目 +abandon_entry: + +// 重置拼接目标ID +splicing_with = -1; + + /* 如果我们通过了校准周期并且之前没有见过这个条目,更新待处理未测试计数。 */ + + // 如果没有停止信号,当前条目没有校准失败,且之前未被测试过 + if (!stop_soon && !queue_cur->cal_failed && !queue_cur->was_fuzzed) { + // 标记当前条目为已测试 + queue_cur->was_fuzzed = 1; + // 减少待处理未测试计数 + pending_not_fuzzed--; + // 如果当前条目是优选的,减少优选计数 + if (queue_cur->favored) pending_favored--; + } + + // 取消映射原始输入缓冲区 + munmap(orig_in, queue_cur->len); + + // 如果in_buf不是原始输入缓冲区,释放它 + if (in_buf != orig_in) ck_free(in_buf); + // 释放输出缓冲区 + ck_free(out_buf); + // 释放效果映射缓冲区 + ck_free(eff_map); + + // 返回结果 + return ret_val; + +#undef FLIP_BIT + +} +/* 从其他模糊测试器中获取有趣的测试用例。 */ + +// 这个函数用于在分布式模糊测试环境中,从其他模糊测试器中同步测试用例。 +static void sync_fuzzers(char** argv) { + + DIR* sd; // 指向同步目录的目录流 + struct dirent* sd_ent; // 目录流中的当前条目 + u32 sync_cnt = 0; // 同步的模糊测试器数量 + + // 打开同步目录 + sd = opendir(sync_dir); + if (!sd) PFATAL("Unable to open '%s'", sync_dir); + + // 重置阶段最大值和当前值,以及当前深度 + stage_max = stage_cur = 0; + cur_depth = 0; + + /* 查看同步目录中为每个其他模糊测试器创建的条目。 */ + + // 遍历同步目录中的每个条目 + while ((sd_ent = readdir(sd))) { + + static u8 stage_tmp[128]; // 临时阶段名称 + + DIR* qd; // 指向队列目录的目录流 + struct dirent* qd_ent; // 队列目录中的当前条目 + u8 *qd_path, *qd_synced_path; // 队列目录和同步目录的路径 + u32 min_accept = 0, next_min_accept; // 最小接受的测试用例ID和下一个最小接受的测试用例ID + + s32 id_fd; // 用于存储最后看到的测试用例ID的文件的文件描述符 + + /* 跳过隐藏文件和我们自己的输出目录。 */ + + // 如果条目是隐藏文件或与我们自己的同步ID相同,则跳过 + if (sd_ent->d_name[0] == '.' || !strcmp(sync_id, sd_ent->d_name)) continue; + + /* 跳过任何没有queue/子目录的东西。 */ + + // 构造队列目录的路径 + qd_path = alloc_printf("%s/%s/queue", sync_dir, sd_ent->d_name); + + // 打开队列目录 + if (!(qd = opendir(qd_path))) { + ck_free(qd_path); + continue; + } + + /* 检索最后看到的测试用例的ID。 */ + + // 构造同步目录中用于存储最后看到的测试用例ID的文件的路径 + qd_synced_path = alloc_printf("%s/.synced/%s", out_dir, sd_ent->d_name); + + // 打开或创建用于存储最后看到的测试用例ID的文件 + id_fd = open(qd_synced_path, O_RDWR | O_CREAT, 0600); + + // 如果打开文件失败,则输出错误信息并退出 + if (id_fd < 0) PFATAL("Unable to create '%s'", qd_synced_path); + + // 如果文件中已经有数据,则读取最小接受的测试用例ID + if (read(id_fd, &min_accept, sizeof(u32)) > 0) + lseek(id_fd, 0, SEEK_SET); + + // 更新下一个最小接受的测试用例ID + next_min_accept = min_accept; + + /* 显示统计信息 */ + + // 设置阶段名称和当前阶段值 + sprintf(stage_tmp, "sync %u", ++sync_cnt); + stage_name = stage_tmp; + stage_cur = 0; + stage_max = 0; + + /* 对于这个模糊测试器排队的每个文件,解析ID并查看我们是否之前已经看过它; + 如果没有,执行测试用例。 */ + + // 遍历队列目录中的每个条目 + while ((qd_ent = readdir(qd))) { + + u8* path; // 文件的路径 + s32 fd; // 文件描述符 + struct stat st; // 文件状态 + + // 如果条目是隐藏文件或测试用例ID小于最小接受的测试用例ID,则跳过 + if (qd_ent->d_name[0] == '.' || + sscanf(qd_ent->d_name, CASE_PREFIX "%06u", &syncing_case) != 1 || + syncing_case < min_accept) continue; + + /* 好的,听起来像是一个新测试用例。让我们试试它。 */ + + // 如果测试用例ID大于或等于下一个最小接受的测试用例ID + if (syncing_case >= next_min_accept) + next_min_accept = syncing_case + 1; + + // 构造文件的路径 + path = alloc_printf("%s/%s", qd_path, qd_ent->d_name); + + /* 允许在其他模糊测试器正在恢复等情况下失败... */ + + // 打开文件 + fd = open(path, O_RDONLY); + + // 如果打开文件失败,则释放路径内存并继续 + if (fd < 0) { + ck_free(path); + continue; + } + + // 获取文件状态 + if (fstat(fd, &st)) PFATAL("fstat() failed"); + + /* 忽略大小为零或过大的文件。 */ + + // 如果文件大小在允许范围内 + if (st.st_size && st.st_size <= MAX_FILE) { + + u8 fault; // 故障标志 + u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); // 将文件内容映射到内存 + + // 如果映射失败,则输出错误信息并退出 + if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path); + + /* 看看会发生什么。我们依赖save_if_interesting()来捕获主要 + 错误并保存测试用例。 */ + + // 将测试用例写入测试用例缓冲区 + write_to_testcase(mem, st.st_size); + + // 运行目标程序并获取故障标志 + fault = run_target(argv, exec_tmout); + + // 如果收到停止信号,则返回 + if (stop_soon) return; + + // 设置当前正在同步的模糊测试器的名称 + syncing_party = sd_ent->d_name; + // 将测试用例添加到队列中 + queued_imported += save_if_interesting(argv, mem, st.st_size, fault); + // 重置当前正在同步的模糊测试器的名称 + + // 取消内存映射并释放内存 + munmap(mem, st.st_size); + + // 如果需要,则显示统计信息 + if (!(stage_cur++ % stats_update_freq)) show_stats(); + + } + + // 释放路径内存并关闭文件描述符 + ck_free(path); + close(fd); + + } + + // 将下一个最小接受的测试用例ID写入文件 + ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path); + + // 关闭文件描述符 + close(id_fd); + // 关闭队列目录流 + closedir(qd); + // 释放队列目录路径内存 + ck_free(qd_path); + // 释放同步目录路径内存 + ck_free(qd_synced_path); + + } + + // 关闭同步目录流 + closedir(sd); + +} + +/* 处理停止信号(Ctrl-C等)。 */ + +// 这个函数用于处理停止信号,例如用户按下Ctrl-C。 +static void handle_stop_sig(int sig) { + + // 设置停止标志 + stop_soon = 1; + + // 如果子进程存在,则杀死它 + if (child_pid > 0) kill(child_pid, SIGKILL); + // 如果fork服务器进程存在,则杀死它 + if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); + +} + +/* 处理跳过请求(SIGUSR1)。 */ + +// 这个函数用于处理跳过请求信号。 +static void handle_skipreq(int sig) { + + // 设置跳过请求标志 + skip_requested = 1; + +} + +/* 处理超时(SIGALRM)。 */ + +// 这个函数用于处理超时信号。 +static void handle_timeout(int sig) { + + // 如果子进程存在,则标记它为超时并杀死它 + if (child_pid > 0) { + + child_timed_out = 1; + kill(child_pid, SIGKILL); + + } else if (child_pid == -1 && forksrv_pid > 0) { + + // 如果子进程不存在但fork服务器进程存在,则标记它为超时并杀死它 + child_timed_out = 1; + kill(forksrv_pid, SIGKILL); + + } + +} + + +// 检查目标二进制文件是否存在、是否可执行等属性的函数 +void check_binary(u8* fname) { + + u8* env_path = 0; // 环境变量PATH + struct stat st; // 文件状态结构体 + + s32 fd; // 文件描述符 + u8* f_data; // 文件数据 + u32 f_len = 0; // 文件长度 + + ACTF("Validating target binary..."); // 动作提示:验证目标二进制文件 + + // 如果文件名中包含路径分隔符'/'或者环境变量PATH未设置,则直接使用文件名 + if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { + + target_path = ck_strdup(fname); // 复制文件名 + // 检查文件是否存在、是否为普通文件、是否可执行、文件长度是否至少为4字节 + if (stat(target_path, &st) || !S_ISREG(st.st_mode) || + !(st.st_mode & 0111) || (f_len = st.st_size) < 4) + FATAL("Program '%s' not found or not executable", fname); // 如果检查失败,输出错误信息并退出 + + } else { + + // 如果环境变量PATH已设置,则遍历PATH中的每个目录 + while (env_path) { + + u8 *cur_elem, *delim = strchr(env_path, ':'); // 查找路径分隔符':' + + if (delim) { + // 如果找到分隔符,则复制当前目录到新分配的内存 + cur_elem = ck_alloc(delim - env_path + 1); + memcpy(cur_elem, env_path, delim - env_path); + delim++; + } else cur_elem = ck_strdup(env_path); // 如果没有分隔符,复制剩余的路径 + + env_path = delim; // 更新env_path指针 + + if (cur_elem[0]) + target_path = alloc_printf("%s/%s", cur_elem, fname); // 构造完整的文件路径 + else + target_path = ck_strdup(fname); // 如果当前目录为空,则直接使用文件名 + + ck_free(cur_elem); // 释放临时内存 + + // 如果找到文件并且文件属性符合要求,则跳出循环 + if (!stat(target_path, &st) && S_ISREG(st.st_mode) && + (st.st_mode & 0111) && (f_len = st.st_size) >= 4) break; + + ck_free(target_path); // 释放之前分配的内存 + target_path = 0; // 重置target_path + + } + + if (!target_path) FATAL("Program '%s' not found or not executable", fname); // 如果未找到文件,输出错误信息并退出 + + } + + // 如果环境变量AFL_SKIP_BIN_CHECK被设置,则跳过后续检查 + if (getenv("AFL_SKIP_BIN_CHECK")) return; + + /* 检查用户是否犯了一些明显的错误,比如将二进制文件放在/tmp或/var/tmp目录下 */ + if ((!strncmp(target_path, "/tmp/", 5) && !strchr(target_path + 5, '/')) || + (!strncmp(target_path, "/var/tmp/", 9) && !strchr(target_path + 9, '/'))) + FATAL("Please don't keep binaries in /tmp or /var/tmp"); + + // 打开目标文件 + fd = open(target_path, O_RDONLY); + if (fd < 0) PFATAL("Unable to open '%s'", target_path); // 如果打开失败,输出错误信息 + + // 将文件内容映射到内存 + f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); + if (f_data == MAP_FAILED) PFATAL("Unable to mmap file '%s'", target_path); // 如果映射失败,输出错误信息 + + close(fd); // 关闭文件描述符 + + // 检查文件是否为脚本文件 + if (f_data[0] == '#' && f_data[1] == '!') { + // 如果是脚本文件,输出错误信息并退出 + SAYF("\n" cLRD "[-] " cRST "Oops, the target binary looks like a shell script..."); + FATAL("Program '%s' is a shell script", target_path); + } + +#ifndef __APPLE__ + // 检查文件是否为ELF格式 + if (f_data[0] != 0x7f || memcmp(f_data + 1, "ELF", 3)) + FATAL("Program '%s' is not an ELF binary", target_path); +#else + // 在苹果系统上,检查文件是否为Mach-O格式 + if (f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) + FATAL("Program '%s' is not a 64-bit Mach-O binary", target_path); +#endif /* ^!__APPLE__ */ + + // 如果没有使用QEMU模式且没有使用dumb模式,检查文件是否被AFL插桩 + if (!qemu_mode && !dumb_mode && + !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { + // 如果没有插桩,输出错误信息并退出 + SAYF("\n" cLRD "[-] " cRST "Looks like the target binary is not instrumented!..."); + FATAL("No instrumentation detected"); + } + + if (qemu_mode && + memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { + // 如果在QEMU模式下检测到插桩,输出错误信息并退出 + SAYF("\n" cLRD "[-] " cRST "This program appears to be instrumented with afl-gcc..."); + FATAL("Instrumentation found in -Q mode"); + } + + // 检查文件是否使用了AddressSanitizer + if (memmem(f_data, f_len, "libasan.so", 10) || + memmem(f_data, f_len, "__msan_init", 11)) uses_asan = 1; + + /* 检测二进制文件中的持久模式和延迟初始化签名 */ + if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { + OKF(cPIN "Persistent mode binary detected."); + setenv(PERSIST_ENV_VAR, "1", 1); + persistent_mode = 1; + } else if (getenv("AFL_PERSISTENT")) { + WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); + } + + if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { + OKF(cPIN "Deferred forkserver binary detected."); + setenv(DEFER_ENV_VAR, "1", 1); + deferred_mode = 1; + } else if (getenv("AFL_DEFER_FORKSRV")) { + WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); + } + + if (munmap(f_data, f_len)) PFATAL("unmap() failed"); // 取消内存映射 + +} + +// 修剪并可能为运行创建一个横幅 +static void fix_up_banner(u8* name) { + // 如果没有设置横幅,则根据同步ID或文件名来设置 + if (!use_banner) { + if (sync_id) { + use_banner = sync_id; + } else { + u8* trim = strrchr(name, '/'); // 查找文件名中的路径分隔符 + if (!trim) use_banner = name; else use_banner = trim + 1; + } + } + + // 如果横幅字符串过长,则截断它 + if (strlen(use_banner) > 40) { + u8* tmp = ck_alloc(44); + sprintf(tmp, "%.40s...", use_banner); + use_banner = tmp; + } +} + +// 检查是否在TTY上运行 +static void check_if_tty(void) { + struct winsize ws; // 窗口大小结构体 + + // 如果设置了环境变量AFL_NO_UI,则禁用UI + if (getenv("AFL_NO_UI")) { + OKF("Disabling the UI because AFL_NO_UI is set."); + not_on_tty = 1; + return; + } + + // 如果无法获取窗口大小,则认为不在TTY上运行 + if (ioctl(1, TIOCGWINSZ, &ws)) { + + if (errno == ENOTTY) { + OKF("Looks like we're not running on a tty, so I'll be a bit less verbose."); + not_on_tty = 1; + } + + return; + } + +} + + +/* 在终端尺寸变化后检查终端尺寸。 */ + +// 这个函数检查终端的尺寸,以确保它不是太小,从而无法适当地显示程序的输出。 +static void check_term_size(void) { + + struct winsize ws; // winsize结构体用于存储终端的尺寸信息 + + term_too_small = 0; // 假设终端不是太小 + + // 使用ioctl系统调用来获取终端的尺寸信息 + if (ioctl(1, TIOCGWINSZ, &ws)) return; // 如果ioctl调用失败,则返回 + + // 如果窗口尺寸的行数或列数为0,或者小于某个阈值,则认为终端太小 + if (ws.ws_row == 0 && ws.ws_col == 0) return; // 如果行数和列数都为0,则返回 + if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1; // 设置终端太小的标志 + +} + +/* 显示使用提示。 */ + +// 这个函数在用户请求帮助或者使用了错误的命令行参数时显示程序的使用提示。 +static void usage(u8* argv0) { + + // 使用SAYF宏来格式化并输出使用提示信息 + SAYF("\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n" + + "Required parameters:\n\n" + + " -i dir - input directory with test cases\n" + " -o dir - output directory for fuzzer findings\n\n" + + "Execution control settings:\n\n" + + " -f file - location read by the fuzzed program (stdin)\n" + " -t msec - timeout for each run (auto-scaled, 50-%u ms)\n" + " -m megs - memory limit for child process (%u MB)\n" + " -Q - use binary-only instrumentation (QEMU mode)\n\n" + + "Fuzzing behavior settings:\n\n" + + " -d - quick & dirty mode (skips deterministic steps)\n" + " -n - fuzz without instrumentation (dumb mode)\n" + " -x dir - optional fuzzer dictionary (see README)\n\n" + + "Other stuff:\n\n" + + " -T text - text banner to show on the screen\n" + " -M / -S id - distributed mode (see parallel_fuzzing.txt)\n" + " -C - crash exploration mode (the peruvian rabbit thing)\n" + " -V - show version number and exit\n\n" + " -b cpu_id - bind the fuzzing process to the specified CPU core\n\n" + + "For additional tips, please consult %s/README.\n\n", + + argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); // 使用宏替换标记来插入特定的值 + + // 显示使用提示后退出程序 + exit(1); + +} + + +/* Prepare output directories and fds. */ + +/* 准备输出目录和文件描述符。 */ + +EXP_ST void setup_dirs_fds(void) { + u8* tmp; // 临时字符串指针 + s32 fd; // 文件描述符 + + ACTF("Setting up output directories..."); // 动作提示:设置输出目录 + + // 如果设置了同步ID,尝试创建同步目录,如果失败且不是因为已存在,则输出错误信息并终止 + if (sync_id && mkdir(sync_dir, 0700) && errno != EEXIST) + PFATAL("Unable to create '%s'", sync_dir); + + // 尝试创建输出目录,如果失败且不是因为已存在,则输出错误信息并终止 + if (mkdir(out_dir, 0700)) { + if (errno != EEXIST) PFATAL("Unable to create '%s'", out_dir); + + maybe_delete_out_dir(); // 可能删除已存在的输出目录 + } else { + if (in_place_resume) + FATAL("Resume attempted but old output directory not found"); // 如果尝试在地恢复,但未找到旧的输出目录,则终止 + + out_dir_fd = open(out_dir, O_RDONLY); // 打开输出目录 + +#ifndef __sun + // 如果无法锁定输出目录,则输出错误信息并终止 + if (out_dir_fd < 0 || flock(out_dir_fd, LOCK_EX | LOCK_NB)) + PFATAL("Unable to flock() output directory."); +#endif /* !__sun */ + } + + // 创建队列目录,用于存放起始和发现的路径 + tmp = alloc_printf("%s/queue", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + // 创建队列元数据的顶级目录,用于会话恢复等任务 + tmp = alloc_printf("%s/queue/.state/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + // 创建目录,用于标记已经过确定性测试的队列条目 + tmp = alloc_printf("%s/queue/.state/deterministic_done/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + // 创建目录,用于存放自动选择的字典条目 + tmp = alloc_printf("%s/queue/.state/auto_extras/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + // 创建目录,用于标记当前认为多余的路径集 + tmp = alloc_printf("%s/queue/.state/redundant_edges/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + // 创建目录,用于标记显示变量行为的路径集 + tmp = alloc_printf("%s/queue/.state/variable_behavior/", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + // 如果设置了同步ID,创建同步目录,用于跟踪合作的模糊测试器 + if (sync_id) { + tmp = alloc_printf("%s/.synced/", out_dir); + if (mkdir(tmp, 0700) && (!in_place_resume || errno != EEXIST)) + PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + } + + // 创建目录,用于存放所有记录的崩溃 + tmp = alloc_printf("%s/crashes", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + // 创建目录,用于存放所有记录的挂起 + tmp = alloc_printf("%s/hangs", out_dir); + if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + // 创建一般有用的文件描述符 + dev_null_fd = open("/dev/null", O_RDWR); // 打开null设备文件描述符 + if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); + + dev_urandom_fd = open("/dev/urandom", O_RDONLY); // 打开随机设备文件描述符 + if (dev_urandom_fd < 0) PFATAL("Unable to open /dev/urandom"); + + // 创建Gnuplot输出文件 + tmp = alloc_printf("%s/plot_data", out_dir); + fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); // 打开或创建plot_data文件 + if (fd < 0) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + + plot_file = fdopen(fd, "w"); // 将文件描述符与FILE*关联 + if (!plot_file) PFATAL("fdopen() failed"); // 如果失败,则输出错误信息并终止 + + // 写入Gnuplot输出文件的标题行 + fprintf(plot_file, "# unix_time, cycles_done, cur_path, paths_total, " + "pending_total, pending_favs, map_size, unique_crashes, " + "unique_hangs, max_depth, execs_per_sec\n"); + /* ignore errors */ +} + +/* 如果没有使用-f选项,则设置模糊测试数据的输出文件。 */ + +EXP_ST void setup_stdio_file(void) { + u8* fn = alloc_printf("%s/.cur_input", out_dir); // 构造当前输入文件的路径 + + unlink(fn); // 删除已存在的当前输入文件,忽略错误 + + out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); // 打开或创建当前输入文件 + + if (out_fd < 0) PFATAL("Unable to create '%s'", fn); // 如果失败,则输出错误信息并终止 + + ck_free(fn); // 释放路径字符串 +} + + +/* 确保核心转储(core dumps)不会发送到外部程序。 */ + +static void check_crash_handling(void) { + +#ifdef __APPLE__ + + /* 在Mac OS X上,似乎没有简单的C API可以查询已加载的守护进程状态,我也不愿意在没有测试环境的情况下 + 做一些更复杂的操作,比如通过Mach端口禁用崩溃报告。因此,目前我们用一种不太优雅的方式来检查崩溃报告。 */ + + // 尝试执行系统命令来检查是否有崩溃报告被配置为发送到外部程序 + if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; + + // 如果系统配置了发送崩溃通知到外部程序,输出警告信息 + SAYF("\n" cLRD "[-] " cRST + "Whoops, your system is configured to forward crash notifications to an\n" + " external crash reporting utility. This will cause issues due to the\n" + " extended delay between the fuzzed binary malfunctioning and this fact\n" + " being relayed to the fuzzer via the standard waitpid() API.\n\n" + " To avoid having crashes misinterpreted as timeouts, please run the\n" + " following commands:\n\n" + + " SL=/System/Library; PL=com.apple.ReportCrash\n" + " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" + " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); + + // 如果没有设置环境变量来忽略缺失的崩溃报告,则终止程序 + if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) + FATAL("Crash reporter detected"); + +#else + + /* 这是Linux特定的代码,我不认为*BSD上有等效的设置,所以我们暂时可以忽略这个问题。 */ + + // 打开核心转储模式文件 + s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY); + u8 fchar; + + // 如果打开文件失败,则直接返回 + if (fd < 0) return; + + // 输出动作信息:正在检查核心转储模式 + ACTF("Checking core_pattern..."); + + // 读取核心转储模式文件的第一个字符 + if (read(fd, &fchar, 1) == 1 && fchar == '|') { + + // 如果第一个字符是管道符号(|),说明系统配置了将核心转储发送到外部程序 + SAYF("\n" cLRD "[-] " cRST + "Hmm, your system is configured to send core dump notifications to an\n" + " external utility. This will cause issues: there will be an extended delay\n" + " between stumbling upon a crash and having this information relayed to the\n" + " fuzzer via the standard waitpid() API.\n\n" + + " To avoid having crashes misinterpreted as timeouts, please log in as root\n" + " and temporarily modify /proc/sys/kernel/core_pattern, like so:\n\n" + + " echo core >/proc/sys/kernel/core_pattern\n"); + + // 如果没有设置环境变量来忽略缺失的崩溃报告,则终止程序 + if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) + FATAL("Pipe at the beginning of 'core_pattern'"); + } + + // 关闭核心转储模式文件 + close(fd); + +#endif /* ^__APPLE__ */ +} + + +/* 检查CPU调速器(scaling governor)。 */ + +static void check_cpu_governor(void) { + + FILE* f; // 文件指针 + u8 tmp[128]; // 临时缓冲区 + u64 min = 0, max = 0; // 最小和最大CPU频率 + + // 如果设置了环境变量AFL_SKIP_CPUFREQ,则跳过此检查 + if (getenv("AFL_SKIP_CPUFREQ")) return; + + // 尝试打开CPU调速器配置文件 + f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r"); + if (!f) return; // 如果打开失败,则跳过此检查 + + ACTF("Checking CPU scaling governor..."); // 输出动作信息 + + // 读取CPU调速器配置 + if (!fgets(tmp, 128, f)) PFATAL("fgets() failed"); // 如果读取失败,则输出错误信息并终止 + + fclose(f); // 关闭文件 + + // 如果CPU调速器设置为performance,则不需要调整 + if (!strncmp(tmp, "perf", 4)) return; + + // 尝试打开最小CPU频率配置文件 + f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", "r"); + + if (f) { + if (fscanf(f, "%llu", &min) != 1) min = 0; // 读取最小频率 + fclose(f); + } + + // 尝试打开最大CPU频率配置文件 + f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", "r"); + + if (f) { + if (fscanf(f, "%llu", &max) != 1) max = 0; // 读取最大频率 + fclose(f); + } + + // 如果最小和最大频率相同,则不需要调整 + if (min == max) return; + + // 输出警告信息,提示用户调整CPU调速器设置 + SAYF("\n" cLRD "[-] " cRST + "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" + " between %llu and %llu MHz. Unfortunately, the scaling algorithm in the\n" + " kernel is imperfect and can miss the short-lived processes spawned by\n" + " afl-fuzz. To keep things moving, run these commands as root:\n\n" + + " cd /sys/devices/system/cpu\n" + " echo performance | tee cpu*/cpufreq/scaling_governor\n\n" + + " You can later go back to the original state by replacing 'performance' with\n" + " 'ondemand'. If you don't want to change the settings, set AFL_SKIP_CPUFREQ\n" + " to make afl-fuzz skip this check - but expect some performance drop.\n", + min / 1024, max / 1024); + + FATAL("Suboptimal CPU scaling governor"); // 如果CPU调速器设置不合理,则终止程序 +} + +/* 计算逻辑CPU核心数。 */ + +static void get_core_count(void) { + + u32 cur_runnable = 0; // 当前可运行的任务数 + +#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) + + size_t s = sizeof(cpu_core_count); // 核心数的大小 + + /* 在*BSD系统上,我们可以使用sysctl来获取CPU数量。 */ + +#ifdef __APPLE__ + + // 在Mac OS X上获取逻辑CPU核心数 + if (sysctlbyname("hw.logicalcpu", &cpu_core_count, &s, NULL, 0) < 0) + return; + +#else + + int s_name[2] = { CTL_HW, HW_NCPU }; // sysctl的名称 + + // 在其他*BSD系统上获取逻辑CPU核心数 + if (sysctl(s_name, 2, &cpu_core_count, &s, NULL, 0) < 0) return; + +#endif /* ^__APPLE__ */ + +#else + +#ifdef HAVE_AFFINITY + + // 如果支持CPU亲和性,则使用sysconf获取逻辑CPU核心数 + cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); + +#else + + FILE* f = fopen("/proc/stat", "r"); // 尝试打开/proc/stat文件 + u8 tmp[1024]; // 临时缓冲区 + + if (!f) return; // 如果打开失败,则跳过此检查 + + // 读取/proc/stat文件,计算逻辑CPU核心数 + while (fgets(tmp, sizeof(tmp), f)) + if (!strncmp(tmp, "cpu", 3) && isdigit(tmp[3])) cpu_core_count++; + + fclose(f); // 关闭文件 + +#endif /* ^HAVE_AFFINITY */ + +#endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ + + // 如果成功获取逻辑CPU核心数 + if (cpu_core_count > 0) { + + cur_runnable = (u32)get_runnable_processes(); // 获取当前可运行的任务数 + +#if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) + + // 添加当前进程,因为1分钟平均值尚未包括它 + cur_runnable++; + +#endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ + + // 输出CPU核心数和当前可运行的任务数 + OKF("You have %u CPU core%s and %u runnable tasks (utilization: %0.0f%%).", + cpu_core_count, cpu_core_count > 1 ? "s" : "", + cur_runnable, cur_runnable * 100.0 / cpu_core_count); + + if (cpu_core_count > 1) { + + // 如果当前可运行的任务数超过CPU核心数的1.5倍,则输出警告信息 + if (cur_runnable > cpu_core_count * 1.5) { + + WARNF("System under apparent load, performance may be spotty."); + + } else if (cur_runnable + 1 <= cpu_core_count) { + + // 如果当前可运行的任务数加1小于或等于CPU核心数,则输出提示信息 + OKF("Try parallel jobs - see %s/parallel_fuzzing.txt.", doc_path); + + } + + } + + } else { + + cpu_core_count = 0; // 如果无法获取逻辑CPU核心数,则设置为0 + WARNF("Unable to figure out the number of CPU cores."); // 输出警告信息 + } + +} + +/* 验证并修正使用-S时的out_dir和sync_dir。 */ + +static void fix_up_sync(void) { + + u8* x = sync_id; // 同步ID + + if (dumb_mode) + FATAL("-S / -M and -n are mutually exclusive"); // 如果同时使用-S/-M和-n,则终止程序 + + if (skip_deterministic) { + + if (force_deterministic) + FATAL("use -S instead of -M -d"); // 如果同时使用-M -d和-S,则终止程序 + else + FATAL("-S already implies -d"); // 如果使用-S,则隐含-d,不需要再次指定 + } + + // 检查同步ID是否只包含字母数字、下划线或破折号 + while (*x) { + + if (!isalnum(*x) && *x != '_' && *x != '-') + FATAL("Non-alphanumeric fuzzer ID specified via -S or -M"); + + x++; + + } + + // 如果同步ID太长,则终止程序 + if (strlen(sync_id) > 32) FATAL("Fuzzer ID too long"); + + // 构造同步目录路径 + x = alloc_printf("%s/%s", out_dir, sync_id); + + sync_dir = out_dir; // 设置同步目录 + out_dir = x; // 设置输出目录 + + if (!force_deterministic) { + skip_deterministic = 1; // 跳过确定性测试 + use_splicing = 1; // 使用拼接技术 + } + +} + +/* 处理屏幕大小变化(SIGWINCH)。 */ + +static void handle_resize(int sig) { + clear_screen = 1; // 设置清除屏幕的标志 +} + +/* 检查ASAN选项。 */ + +static void check_asan_opts(void) { + u8* x = getenv("ASAN_OPTIONS"); // 获取ASAN_OPTIONS环境变量 + + if (x) { + + // 如果ASAN_OPTIONS没有设置abort_on_error=1,则终止程序 + if (!strstr(x, "abort_on_error=1")) + FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); + + // 如果ASAN_OPTIONS没有设置symbolize=0,则终止程序 + if (!strstr(x, "symbolize=0")) + FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); + + } + + x = getenv("MSAN_OPTIONS"); // 获取MSAN_OPTIONS环境 + + + if (x) { + // 如果MSAN_OPTIONS环境变量被设置了,检查是否包含了特定的exit_code值 + if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) + FATAL("Custom MSAN_OPTIONS set without exit_code=" + STRINGIFY(MSAN_ERROR) " - please fix!"); + + // 检查MSAN_OPTIONS是否设置了symbolize=0,这通常用于防止asan_symbolize.py运行 + if (!strstr(x, "symbolize=0")) + FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); + } +} + +/* 检测命令行参数中的'@@'符号并替换为文件路径。 */ + +EXP_ST void detect_file_args(char** argv) { + u32 i = 0; // 初始化索引变量 + u8* cwd = getcwd(NULL, 0); // 获取当前工作目录 + + // 如果无法获取当前工作目录,输出错误信息并终止程序 + if (!cwd) PFATAL("getcwd() failed"); + + // 遍历命令行参数 + while (argv[i]) { + u8* aa_loc = strstr(argv[i], "@@"); // 查找参数中的'@@'符号 + + // 如果找到了'@@'符号 + if (aa_loc) { + u8 *aa_subst, *n_arg; + + /* 如果还没有指定输出文件名,则使用一个安全的默认值。 */ + if (!out_file) + out_file = alloc_printf("%s/.cur_input", out_dir); // 使用默认输出文件名 + + /* 确保我们总是使用完全合格的路径。 */ + if (out_file[0] == '/') + aa_subst = out_file; // 如果out_file是绝对路径,则直接使用 + else + aa_subst = alloc_printf("%s/%s", cwd, out_file); // 否则,构造绝对路径 + + /* 构造替换后的argv值。 */ + *aa_loc = 0; // 临时终止字符串以构造新值 + n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); // 构造新参数值 + argv[i] = n_arg; // 更新argv + *aa_loc = '@'; // 恢复'@@'符号 + + if (out_file[0] != '/') ck_free(aa_subst); // 如果out_file不是绝对路径,则释放构造的绝对路径 + + } + + i++; // 移动到下一个参数 + } + + free(cwd); // 释放当前工作目录字符串 +} + + +/* 设置信号处理器。Solaris上的libc比较复杂,因为它在中断的read()调用时不会恢复, + 当你调用siginterrupt()时会设置SA_RESETHAND,并且会做一些不必要的事情。 */ + +EXP_ST void setup_signal_handlers(void) { + + struct sigaction sa; // 定义信号动作结构体 + + // 初始化信号动作结构体 + sa.sa_handler = NULL; // 没有指定信号处理函数 + sa.sa_flags = SA_RESTART; // 设置信号处理时自动重启被中断的系统调用 + sa.sa_sigaction = NULL; // 没有指定信号的特定处理函数 + + sigemptyset(&sa.sa_mask); // 清空信号集 + + /* 各种表示“停止”的信号。 */ + + // 设置信号处理函数为handle_stop_sig + sa.sa_handler = handle_stop_sig; + sigaction(SIGHUP, &sa, NULL); // 对SIGHUP信号进行设置 + sigaction(SIGINT, &sa, NULL); // 对SIGINT信号进行设置 + sigaction(SIGTERM, &sa, NULL); // 对SIGTERM信号进行设置 + + /* 执行超时通知。 */ + + // 设置信号处理函数为handle_timeout + sa.sa_handler = handle_timeout; + sigaction(SIGALRM, &sa, NULL); // 对SIGALRM信号进行设置 + + /* 窗口大小改变通知 */ + + // 设置信号处理函数为handle_resize + sa.sa_handler = handle_resize; + sigaction(SIGWINCH, &sa, NULL); // 对SIGWINCH信号进行设置 + + /* SIGUSR1: 跳过条目 */ + + // 设置信号处理函数为handle_skipreq + sa.sa_handler = handle_skipreq; + sigaction(SIGUSR1, &sa, NULL); // 对SIGUSR1信号进行设置 + + /* 我们不关心的信号。 */ + + // 设置信号处理函数为SIG_IGN,忽略这些信号 + sa.sa_handler = SIG_IGN; + sigaction(SIGTSTP, &sa, NULL); // 对SIGTSTP信号进行设置 + sigaction(SIGPIPE, &sa, NULL); // 对SIGPIPE信号进行设置 +} + +/* 为QEMU重写argv。 */ + +static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { + + char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); // 分配新的argv数组 + u8 *tmp, *cp, *rsl, *own_copy; + + /* 针对QEMU稳定性问题的工作区。 */ + + setenv("QEMU_LOG", "nochain", 1); // 设置环境变量QEMU_LOG + + // 将原始argv的参数复制到新数组中,从第三个参数开始 + memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); + + new_argv[2] = target_path; // 设置目标路径 + new_argv[1] = "--"; // 设置参数分隔符 + + /* 现在我们需要找到QEMU二进制文件并放入argv[0]。 */ + + tmp = getenv("AFL_PATH"); // 获取环境变量AFL_PATH + + if (tmp) { + + cp = alloc_printf("%s/afl-qemu-trace", tmp); // 构造QEMU路径 + + if (access(cp, X_OK)) // 检查文件是否存在且可执行 + FATAL("Unable to find '%s'", tmp); // 如果找不到,输出错误信息并终止 + + target_path = new_argv[0] = cp; // 设置目标路径和argv[0] + return new_argv; // 返回新的argv数组 + + } + + own_copy = ck_strdup(own_loc); // 复制原始位置信息 + rsl = strrchr(own_copy, '/'); // 查找路径分隔符 + + if (rsl) { + + *rsl = 0; // 将路径分隔符替换为字符串结束符 + + cp = alloc_printf("%s/afl-qemu-trace", own_copy); // 构造QEMU路径 + ck_free(own_copy); // 释放原始位置信息 + + if (!access(cp, X_OK)) { // 检查文件是否存在且可执行 + + target_path = new_argv[0] = cp; // 设置目标路径和argv[0] + return new_argv; // 返回新的argv数组 + + } + + } else ck_free(own_copy); // 如果没有找到路径分隔符,释放原始位置信息 + + if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { // 检查默认路径下的QEMU是否存在且可执行 + + target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace"); // 设置目标路径和argv[0] + return new_argv; // 返回新的argv数组 + + } + + SAYF("\n" cLRD "[-] " cRST // 输出错误信息 + "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be built\n" + " separately by following the instructions in qemu_mode/README.qemu. If you\n" + " already have the binary installed, you may need to specify AFL_PATH in the\n" + " environment.\n\n" + " Of course, even without QEMU, afl-fuzz can still work with binaries that are\n" + " instrumented at compile time with afl-gcc. It is also possible to use it as a\n" + " traditional \"dumb\" fuzzer by specifying '-n' in the command line.\n"); + + FATAL("Failed to locate 'afl-qemu-trace'."); // 输出错误信息并终止 +} + +/* 保存当前命令行参数。 */ + +static void save_cmdline(u32 argc, char** argv) { + + u32 len = 1, i; // 初始化长度变量 + u8* buf; // 定义缓冲区指针 + + // 计算命令行参数的总长度 + for (i = 0; i < argc; i++) + len += strlen(argv[i]) + 1; + + buf = orig_cmdline = ck_alloc(len); // 分配缓冲区 + + // 将命令行参数复制到缓冲区 + for (i = 0; i < argc; i++) { + + u32 l = strlen(argv[i]); + + memcpy(buf, argv[i], l); + buf += l; + + if (i != argc - 1) *(buf++) = ' '; // 在参数之间添加空格 + + } + + *buf = 0; // 设置字符串结束符 +} + + +#ifndef AFL_LIB + +/* Main entry point */ + +int main(int argc, char** argv) { + + // 定义了一些变量,用于存储命令行参数和状态 + s32 opt; + u64 prev_queued = 0; + u32 sync_interval_cnt = 0, seek_to; + u8 *extras_dir = 0; + u8 mem_limit_given = 0; + u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE"); + char** use_argv; + + // 定义时间相关的结构体 + struct timeval tv; + struct timezone tz; + + // 打印欢迎信息和版本号 + SAYF(cCYA "afl-fuzz " cBRI VERSION cRST " by \n"); + + // 设置文档路径 + doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; + + // 获取当前时间,用于随机数种子 + gettimeofday(&tv, &tz); + srandom(tv.tv_sec ^ tv.tv_usec ^ getpid()); + + // 解析命令行参数 + while ((opt = getopt(argc, argv, "+i:o:f:m:b:t:T:dnCB:S:M:x:QV")) > 0) { + switch (opt) { + // 处理不同的命令行选项 + case 'i': /* input dir */ + // 设置输入目录 + if (in_dir) FATAL("Multiple -i options not supported"); + in_dir = optarg; + if (!strcmp(in_dir, "-")) in_place_resume = 1; + break; + + case 'o': /* output dir */ + // 设置输出目录 + if (out_dir) FATAL("Multiple -o options not supported"); + out_dir = optarg; + break; + + case 'M': { /* master sync ID */ + // 设置主同步ID + u8* c; + if (sync_id) FATAL("Multiple -S or -M options not supported"); + sync_id = ck_strdup(optarg); + if ((c = strchr(sync_id, ':'))) { + *c = 0; + if (sscanf(c + 1, "%u/%u", &master_id, &master_max) != 2 || + !master_id || !master_max || master_id > master_max || + master_max > 1000000) FATAL("Bogus master ID passed to -M"); + } + force_deterministic = 1; + } + break; + + case 'S': + // 设置同步ID + if (sync_id) FATAL("Multiple -S or -M options not supported"); + sync_id = ck_strdup(optarg); + break; + + case 'f': /* target file */ + // 设置目标文件 + if (out_file) FATAL("Multiple -f options not supported"); + out_file = optarg; + break; + + case 'x': /* dictionary */ + // 设置额外的字典目录 + if (extras_dir) FATAL("Multiple -x options not supported"); + extras_dir = optarg; + break; + + case 't': { /* timeout */ + // 设置超时时间 + u8 suffix = 0; + if (timeout_given) FATAL("Multiple -t options not supported"); + if (sscanf(optarg, "%u%c", &exec_tmout, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -t"); + if (exec_tmout < 5) FATAL("Dangerously low value of -t"); + if (suffix == '+') timeout_given = 2; else timeout_given = 1; + break; + } + + case 'm': { /* mem limit */ + // 设置内存限制 + u8 suffix = 'M'; + if (mem_limit_given) FATAL("Multiple -m options not supported"); + mem_limit_given = 1; + if (!strcmp(optarg, "none")) { + mem_limit = 0; + break; + } + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -m"); + switch (suffix) { + case 'T': mem_limit *= 1024 * 1024; break; + case 'G': mem_limit *= 1024; break; + case 'k': mem_limit /= 1024; break; + case 'M': break; + default: FATAL("Unsupported suffix or bad syntax for -m"); + } + if (mem_limit < 5) FATAL("Dangerously low value of -m"); + if (sizeof(rlim_t) == 4 && mem_limit > 2000) + FATAL("Value of -m out of range on 32-bit systems"); + } + break; + + case 'b': { /* bind CPU core */ + // 绑定CPU核心 + if (cpu_to_bind_given) FATAL("Multiple -b options not supported"); + cpu_to_bind_given = 1; + if (sscanf(optarg, "%u", &cpu_to_bind) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -b"); + break; + } + + case 'd': /* skip deterministic */ + // 跳过确定性测试 + if (skip_deterministic) FATAL("Multiple -d options not supported"); + skip_deterministic = 1; + use_splicing = 1; + break; + + case 'B': /* load bitmap */ + // 加载比特图 + if (in_bitmap) FATAL("Multiple -B options not supported"); + in_bitmap = optarg; + read_bitmap(in_bitmap); + break; + + case 'C': /* crash mode */ + // 设置为崩溃模式 + if (crash_mode) FATAL("Multiple -C options not supported"); + crash_mode = FAULT_CRASH; + break; + + case 'n': /* dumb mode */ + // 设置为简单模式 + if (dumb_mode) FATAL("Multiple -n options not supported"); + if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2; else dumb_mode = 1; + break; + + case 'T': /* banner */ + // 设置横幅 + if (use_banner) FATAL("Multiple -T options not supported"); + use_banner = optarg; + break; + + case 'Q': /* QEMU mode */ + // 设置为QEMU模式 + if (qemu_mode) FATAL("Multiple -Q options not supported"); + qemu_mode = 1; + if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; + break; + + case 'V': /* Show version number */ + // 显示版本号并退出 + exit(0); + + default: + // 默认行为:显示使用说明 + usage(argv[0]); + } + } + + // 检查必要的参数是否已设置 + if (optind == argc || !in_dir || !out_dir) usage(argv[0]); + + // 设置信号处理程序 + setup_signal_handlers(); + check_asan_opts(); + + // 如果设置了同步ID,修正同步设置 + if (sync_id) fix_up_sync(); + + // 输入和输出目录不能相同 + if (!strcmp(in_dir, out_dir)) + FATAL("Input and output directories can't be the same"); + + // 在简单模式下,检查互斥选项 + if (dumb_mode) { + if (crash_mode) FATAL("-C and -n are mutually exclusive"); + if (qemu_mode) FATAL("-Q and -n are mutually exclusive"); + } + + // 读取环境变量设置 + if (getenv("AFL_NO_FORKSRV")) no_forkserver = 1; + if (getenv("AFL_NO_CPU_RED")) no_cpu_meter_red = 1; + if (getenv("AFL_NO_ARITH")) no_arith = 1; + if (getenv("AFL_SHUFFLE_QUEUE")) shuffle_queue = 1; + if (getenv("AFL_FAST_CAL")) fast_cal = 1; + + // 设置挂起超时时间 + if (getenv("AFL_HANG_TMOUT")) { + hang_tmout = atoi(getenv("AFL_HANG_TMOUT")); + if (!hang_tmout) FATAL("Invalid value of AFL_HANG_TMOUT"); + } + + // 检查互斥的环境变量设置 + if (dumb_mode == 2 && no_forkserver) + FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); + + // 设置预加载库 + if (getenv("AFL_PRELOAD")) { + setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); + setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); + } + +// 如果设置了环境变量AFL_LD_PRELOAD,则输出错误信息并终止程序。 +if (getenv("AFL_LD_PRELOAD")) + FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD"); + +// 保存命令行参数,以便后续使用。 +save_cmdline(argc, argv); + +// 修复banner信息,这通常是为了显示程序的版本号或其他信息。 +fix_up_banner(argv[optind]); + +// 检查当前是否是TTY环境,这可能影响程序的输出方式。 +check_if_tty(); + +// 获取CPU核心数,这有助于后续的并行处理。 +get_core_count(); + +#ifdef HAVE_AFFINITY +// 如果支持CPU亲和性设置,则将程序绑定到一个空闲的CPU核心上。 +bind_to_free_cpu(); +#endif /* HAVE_AFFINITY */ + +// 检查崩溃处理设置,确保程序在崩溃时能够正确处理。 +check_crash_handling(); +check_cpu_governor(); + +// 设置后续操作,这可能包括日志文件的设置等。 +setup_post(); +setup_shm(); +init_count_class16(); + +// 设置目录和文件描述符,为后续的文件操作做准备。 +setup_dirs_fds(); +read_testcases(); +load_auto(); + +// 调整输入,这可能涉及到对测试用例的预处理。 +pivot_inputs(); + +// 如果指定了extras目录,则加载额外的测试用例。 +if (extras_dir) load_extras(extras_dir); + +// 如果没有给定超时时间,则自动寻找一个合适的超时时间。 +if (!timeout_given) find_timeout(); + +// 检测文件参数,这可能涉及到对命令行参数的处理。 +detect_file_args(argv + optind + 1); + +// 如果没有指定输出文件,则设置标准输出文件。 +if (!out_file) setup_stdio_file(); + +// 检查二进制文件,这可能涉及到对目标程序的验证。 +check_binary(argv[optind]); + +// 获取当前时间,用于后续的时间统计。 +start_time = get_cur_time(); + +// 如果启用了QEMU模式,则获取QEMU的命令行参数,否则使用原始参数。 +if (qemu_mode) + use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); +else + use_argv = argv + optind; + +// 执行一次干运行,以检查程序的行为。 +perform_dry_run(use_argv); + +// 修剪队列,移除无效或重复的测试用例。 +cull_queue(); + +// 显示初始化统计信息。 +show_init_stats(); + +// 寻找开始位置,这可能涉及到对测试用例的排序或选择。 +seek_to = find_start_position(); + +// 写入统计文件,保存当前的状态。 +write_stats_file(0, 0, 0); +save_auto(); + +// 如果程序即将停止,则跳转到停止处理部分。 +if (stop_soon) goto stop_fuzzing; + +// 如果不是在TTY环境下,则等待一段时间再开始测试。 +if (!not_on_tty) { + sleep(4); + start_time += 4000; + if (stop_soon) goto stop_fuzzing; +} + +// 主循环开始,这里会不断执行模糊测试,直到程序停止。 +while (1) { + u8 skipped_fuzz; + + // 修剪队列,移除无效或重复的测试用例。 + cull_queue(); + + // 如果队列中没有当前的测试用例,则进入下一个循环周期。 + if (!queue_cur) { + queue_cycle++; + current_entry = 0; + cur_skipped_paths = 0; + queue_cur = queue; + + // 如果需要seek到特定位置,则移动队列指针。 + while (seek_to) { + current_entry++; + seek_to--; + queue_cur = queue_cur->next; + } + + // 显示统计信息。 + show_stats(); + + // 如果不是在TTY环境下,则输出当前的循环周期。 + if (not_on_tty) { + ACTF("Entering queue cycle %llu.", queue_cycle); + fflush(stdout); + } + + // 如果在当前循环周期中没有新的发现,则尝试重组策略。 + if (queued_paths == prev_queued) { + if (use_splicing) cycles_wo_finds++; else use_splicing = 1; + } else cycles_wo_finds = 0; + + // 更新之前的队列路径数。 + prev_queued = queued_paths; + + // 如果设置了同步ID并且是第一个循环周期,并且设置了AFL_IMPORT_FIRST环境变量,则同步模糊测试者。 + if (sync_id && queue_cycle == 1 && getenv("AFL_IMPORT_FIRST")) + sync_fuzzers(use_argv); + } + + // 执行一次模糊测试。 + skipped_fuzz = fuzz_one(use_argv); + + // 如果程序没有停止并且设置了同步ID并且没有跳过模糊测试,则尝试同步模糊测试者。 + if (!stop_soon && sync_id && !skipped_fuzz) { + if (!(sync_interval_cnt++ % SYNC_INTERVAL)) + sync_fuzzers(use_argv); + } + + // 如果程序即将退出并且设置了exit_1,则设置停止标志。 + if (!stop_soon && exit_1) stop_soon = 2; + + // 如果程序即将停止,则跳出循环。 + if (stop_soon) break; + + // 移动到下一个测试用例。 + queue_cur = queue_cur->next; + current_entry++; +} + +// 如果队列中还有测试用例,则显示统计信息。 +if (queue_cur) show_stats(); + +// 如果程序是被程序性地停止的,那么杀死forkserver和当前的运行者。 +// 如果是手动停止的,那么这部分由信号处理程序完成。 +if (stop_soon == 2) { + if (child_pid > 0) kill(child_pid, SIGKILL); + if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); +} +// 现在我们已经杀死了forkserver,我们可以等待它以便获取资源使用统计信息。 +if (waitpid(forksrv_pid, NULL, 0) <= 0) { + WARNF("error waitpid\n"); +} + +// 写入bitmap,保存当前的测试覆盖情况。 +write_bitmap(); +// 写入统计文件,保存最终的状态。 +write_stats_file(0, 0, 0); +// 保存自动保存的信息。 +save_auto(); + +// 跳转到停止模糊测试的处理部分。 +stop_fuzzing: + +// 输出结束信息,显示测试是被程序性地停止还是被用户停止。 +SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, + stop_soon == 2 ? "programmatically" : "by user"); + +// 如果运行超过30分钟但仍然在第一个循环周期,输出警告信息。 +if (queue_cycle == 1 && get_cur_time() - start_time > 30 * 60 * 1000) { + SAYF("\n" cYEL "[!] " cRST + "Stopped during the first cycle, results may be incomplete.\n" + " (For info on resuming, see %s/README.)\n", doc_path); +} + +// 关闭绘图文件,销毁队列和额外的测试用例,释放内存。 +fclose(plot_file); +destroy_queue(); +destroy_extras(); +ck_free(target_path); +ck_free(sync_id); + +// 生成报告。 +alloc_report(); + +// 输出结束信息,表示测试完成。 +OKF("We're done here. Have a nice day!\n"); + +// 退出程序。 +exit(0); +} +#endif /* !AFL_LIB */ diff --git a/商硕/afl-gcc.c b/商硕/afl-gcc.c new file mode 100644 index 0000000..20de974 --- /dev/null +++ b/商硕/afl-gcc.c @@ -0,0 +1,357 @@ +/* + Copyright 2013 Google LLC All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +// 这部分是版权声明和许可证信息,说明这个文件是在Apache License 2.0下发布的。 + +/* + american fuzzy lop - wrapper for GCC and clang + ---------------------------------------------- + + Written and maintained by Michal Zalewski + + This program is a drop-in replacement for GCC or clang. The most common way + of using it is to pass the path to afl-gcc or afl-clang via CC when invoking + ./configure. + + (Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.) + + The wrapper needs to know the path to afl-as (renamed to 'as'). The default + is /usr/local/lib/afl/. A convenient way to specify alternative directories + would be to set AFL_PATH. + + If AFL_HARDEN is set, the wrapper will compile the target app with various + hardening options that may help detect memory management issues more + reliably. You can also specify AFL_USE_ASAN to enable ASAN. + + If you want to call a non-default compiler as a next step of the chain, + specify its location via AFL_CC or AFL_CXX. + +*/ +// 这部分是注释,提供了关于这个程序的概述和使用说明。 +#define AFL_MAIN + +#include "config.h" +#include "types.h" +#include "debug.h" +#include "alloc-inl.h" + +#include +#include +#include +#include + +// 这些是包含的头文件,其中一些是AFL自己的头文件,其他的是C标准库的头文件 + +static u8* as_path; /* Path to the AFL 'as' wrapper */ +static u8** cc_params; /* Parameters passed to the real CC */ +static u32 cc_par_cnt = 1; /* Param count, including argv0 */ +static u8 be_quiet, /* Quiet mode */ + clang_mode; /* Invoked as afl-clang*? */ + + +// 这些是全局变量声明。`as_path`存储AFL汇编器的路径,`cc_params`存储传递给实际编译器的参数,`cc_par_cnt`是参数计数器,`be_quiet`用于控制 +// 是否静默模式,`clang_mode`指示是否以`afl-clang`或`afl-clang++`模式调用。 + +/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived + from argv[0]. If that fails, abort. */ + +static void find_as(u8* argv0) { +// 这个函数尝试在AFL_PATH环境变量指定的路径或从argv[0]派生的路径中找到AFL的“假”GNU汇编器。如果找不到,程序将终止。 + u8 *afl_path = getenv("AFL_PATH"); + u8 *slash, *tmp; + + if (afl_path) { + + tmp = alloc_printf("%s/as", afl_path); + + if (!access(tmp, X_OK)) { + as_path = afl_path; + ck_free(tmp); + return; + } + + ck_free(tmp); + + } + + slash = strrchr(argv0, '/'); + + if (slash) { + + u8 *dir; + + *slash = 0; + dir = ck_strdup(argv0); + *slash = '/'; + + tmp = alloc_printf("%s/afl-as", dir); + + if (!access(tmp, X_OK)) { + as_path = dir; + ck_free(tmp); + return; + } + + ck_free(tmp); + ck_free(dir); + + } + + if (!access(AFL_PATH "/as", X_OK)) { + as_path = AFL_PATH; + return; + } + + FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH"); + +} + + +/* Copy argv to cc_params, making the necessary edits. */ + +static void edit_params(u32 argc, char** argv) { + //定义了一个函数edit_params,它接受两个参数:argc是参数的数量,argv是参数的数组。 + + u8 fortify_set = 0, asan_set = 0;//声明两个变量fortify_set和asan_set,用于跟踪是否已经设置了FORTIFY_SOURCE和address sanitizer(ASan)标志 + u8 *name;//用于存储程序的名称 + +#if defined(__FreeBSD__) && defined(__x86_64__) + u8 m32_set = 0; +#endif + + cc_params = ck_alloc((argc + 128) * sizeof(u8*));//分配内存以存储修改后的参数列表,大小为argc + 128个u8*类型的指针。 + + name = strrchr(argv[0], '/');//找到argv[0](程序的路径)中最后一个'/'字符,这通常用于获取程序的名称。 + if (!name) name = argv[0]; else name++;//如果name为NULL(即argv[0]中没有'/'),则name指向argv[0]的开始。否则,name向前移动一个字符,跳过'/'。 + + if (!strncmp(name, "afl-clang", 9)) { + + clang_mode = 1;//检查程序名称是否以"afl-clang"开头,如果是,设置clang_mode标志为1 + + setenv(CLANG_ENV_VAR, "1", 1);//设置环境变量CLANG_ENV_VAR为"1",这可能用于通知其他部分的AFL工具链正在使用Clang。 + + if (!strcmp(name, "afl-clang++")) { + u8* alt_cxx = getenv("AFL_CXX"); + cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";//如果AFL_CXX设置,将其值作为第一个参数;否则,使用"clang++"。 + } else { + u8* alt_cc = getenv("AFL_CC"); + cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";//否则尝试获取环境变量AFL_CC的值。 + } + + } else { + + /* With GCJ and Eclipse installed, you can actually compile Java! The + instrumentation will work (amazingly). Alas, unhandled exceptions do + not call abort(), so afl-fuzz would need to be modified to equate + non-zero exit codes with crash conditions when working with Java + binaries. Meh. */ + +#ifdef __APPLE__ + //在Apple系统上,根据程序名称设置不同的编译器。如果AFL_CXX、AFL_GCJ或AFL_CC环境变量设置,使用它们的值;否则,使用默认的编译器名称 + if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX"); + else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ"); + else cc_params[0] = getenv("AFL_CC"); + + if (!cc_params[0]) { + //输出错误信息,指出在MacOS X上需要设置AFL_CC或AFL_CXX环境变量。 + SAYF("\n" cLRD "[-] " cRST + "On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n" + " 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n" + " set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n"); + + FATAL("AFL_CC or AFL_CXX required on MacOS X"); + + } + +#else + //对于非Apple系统,根据程序名称设置不同的编译器。如果相应的环境变量设置,使用它们的值;否则,使用默认的编译器名称。 + if (!strcmp(name, "afl-g++")) { + u8* alt_cxx = getenv("AFL_CXX"); + cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; + } else if (!strcmp(name, "afl-gcj")) { + u8* alt_cc = getenv("AFL_GCJ"); + cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj"; + } else { + u8* alt_cc = getenv("AFL_CC"); + cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc"; + } + +#endif /* __APPLE__ */ + + } + + while (--argc) { + u8* cur = *(++argv); + + if (!strncmp(cur, "-B", 2)) {//如果当前参数以"-B"开头,输出警告信息,并跳过后续参数(如果当前参数后面紧跟着的是编译器的路径)。 + + if (!be_quiet) WARNF("-B is already set, overriding");//如果程序不在静默模式,输出警告信息。 + + if (!cur[2] && argc > 1) { argc--; argv++; }//如果-B后面紧跟着的是编译器的路径,跳过这个路径。 + continue; + + } + + if (!strcmp(cur, "-integrated-as")) continue;//如果参数是"-integrated-as",跳过它。 + + if (!strcmp(cur, "-pipe")) continue;//如果参数是"-pipe",跳过它。 + +#if defined(__FreeBSD__) && defined(__x86_64__) + if (!strcmp(cur, "-m32")) m32_set = 1; +#endif + + if (!strcmp(cur, "-fsanitize=address") || + !strcmp(cur, "-fsanitize=memory")) asan_set = 1;//如果参数是"-fsanitize=address"或"-fsanitize=memory",设置asan_set标志。 + + if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;//如果参数包含"FORTIFY_SOURCE",设置fortify_set标志。 + + cc_params[cc_par_cnt++] = cur; + + } + + cc_params[cc_par_cnt++] = "-B"; + cc_params[cc_par_cnt++] = as_path; + //向参数列表中添加"-B"和AFL汇编器的路径。 + + + if (clang_mode) + cc_params[cc_par_cnt++] = "-no-integrated-as";//如果clang_mode标志设置,向参数列表中添加`"-no-integrated-as" + + if (getenv("AFL_HARDEN")) { + + cc_params[cc_par_cnt++] = "-fstack-protector-all"; + + if (!fortify_set) + cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2"; + + } + + if (asan_set) {//检查是否设置了asan_set标志。 + + /* Pass this on to afl-as to adjust map density. */ + + setenv("AFL_USE_ASAN", "1", 1);//如果设置,设置环境变量AFL_USE_ASAN为"1" + + } else if (getenv("AFL_USE_ASAN")) {//如果asan_set标志未设置,但设置了环境变量AFL_USE_ASAN。 + + if (getenv("AFL_USE_MSAN")) + FATAL("ASAN and MSAN are mutually exclusive");//如果同时设置了AFL_USE_MSAN,输出错误信息并终止程序。 + + if (getenv("AFL_HARDEN")) + FATAL("ASAN and AFL_HARDEN are mutually exclusive");//如果同时设置了AFL_HARDEN,输出错误信息并终止程序。 + + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; + cc_params[cc_par_cnt++] = "-fsanitize=address";//向参数列表中添加"-U_FORTIFY_SOURCE"和"-fsanitize=address"。 + + } else if (getenv("AFL_USE_MSAN")) { + + if (getenv("AFL_USE_ASAN")) + FATAL("ASAN and MSAN are mutually exclusive");//如果同时设置了AFL_USE_ASAN,输出错误信息并终止程序。 + + if (getenv("AFL_HARDEN")) + FATAL("MSAN and AFL_HARDEN are mutually exclusive");//如果同时设置了AFL_HARDEN,输出错误信息并终止程序。 + + cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; + cc_params[cc_par_cnt++] = "-fsanitize=memory";//向参数列表中添加"-U_FORTIFY_SOURCE"和"-fsanitize=memory"。 + + + } + + if (!getenv("AFL_DONT_OPTIMIZE")) {//检查是否设置了环境变量AFL_DONT_OPTIMIZE。 + +#if defined(__FreeBSD__) && defined(__x86_64__) + + /* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself + works OK. This has nothing to do with us, but let's avoid triggering + that bug. */ + + if (!clang_mode || !m32_set) + cc_params[cc_par_cnt++] = "-g";//如果不是Clang模式或没有设置m32_set标志,向参数列表中添加"-g"。 + +#else + + cc_params[cc_par_cnt++] = "-g"; + +#endif//结束#if defined(__FreeBSD__) && defined(__x86_64__)条件编译块。 + + cc_params[cc_par_cnt++] = "-O3"; + cc_params[cc_par_cnt++] = "-funroll-loops";//向参数列表中添加"-O3"和"-funroll-loops",这些是优化选项。 + + /* Two indicators that you're building for fuzzing; one of them is + AFL-specific, the other is shared with libfuzzer. */ + + cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; + cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"; + //向参数列表中添加两个宏定义,这些宏定义指示编译器代码将用于模糊测试。 + + } + + if (getenv("AFL_NO_BUILTIN")) { + + cc_params[cc_par_cnt++] = "-fno-builtin-strcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strncmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; + cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; + cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; + //如果设置,向参数列表中添加一系列"-fno-builtin-*"选项,这些选项禁用编译器的内置函数。 + } + + cc_params[cc_par_cnt] = NULL; + +} + + +/* Main entry point */ +//最后是函数结束语,结束函数定义。 +int main(int argc, char** argv) { + + if (isatty(2) && !getenv("AFL_QUIET")) { + + SAYF(cCYA "afl-cc " cBRI VERSION cRST " by \n"); + + } else be_quiet = 1; + + if (argc < 2) { + + SAYF("\n" + "This is a helper application for afl-fuzz. It serves as a drop-in replacement\n" + "for gcc or clang, letting you recompile third-party code with the required\n" + "runtime instrumentation. A common use pattern would be one of the following:\n\n" + + " CC=%s/afl-gcc ./configure\n" + " CXX=%s/afl-g++ ./configure\n\n" + + "You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n" + "Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n", + BIN_PATH, BIN_PATH); + + exit(1); + + } + + find_as(argv[0]); + + edit_params(argc, argv); + + execvp(cc_params[0], (char**)cc_params); + + FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]); + + return 0; + +} -- 2.34.1 From 59f47a5e69cf27c2e23f1202c7c0e606da7d4ed3 Mon Sep 17 00:00:00 2001 From: dongloong <1909842837@qq.com> Date: Mon, 21 Oct 2024 21:05:10 +0800 Subject: [PATCH 4/6] =?UTF-8?q?=E5=95=86=E7=A1=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- afl-fuzz.c | 4899 ++++++++++++++++++++++++++-------------------------- afl-gcc.c | 85 +- 2 files changed, 2482 insertions(+), 2502 deletions(-) diff --git a/afl-fuzz.c b/afl-fuzz.c index 7fd40d8..3d4a5a7 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -67,7 +67,6 @@ #include #include -/*检查编译环境是否定义了__APPLE__、__FreeBSD__或__OpenBSD__宏,这些宏分别代表苹果的macOS系统、FreeBSD操作系统和OpenBSD操作系统*/ #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) # include #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ @@ -75,7 +74,6 @@ /* For systems that have sched_setaffinity; right now just Linux, but one can hope... */ -/*检查是否定义了__linux__宏,这个宏通常在编译Linux系统下的代码时被编译器定义*/ #ifdef __linux__ # define HAVE_AFFINITY 1 #endif /* __linux__ */ @@ -83,8 +81,6 @@ /* A toggle to export some variables when building as a library. Not very useful for the general public. */ -/*如果代码中定义了AFL_LIB宏,那么EXP_ST宏被定义为一个空的宏,可以作为布尔标志使用。 - 如果代码中没有定义AFL_LIB宏,那么EXP_ST宏被定义为static,用于限制作用域。*/ #ifdef AFL_LIB # define EXP_ST #else @@ -95,211 +91,211 @@ really makes no sense to haul them around as function parameters. */ -EXP_ST u8 *in_dir, /* 包含测试用例的输入目录 */ - *out_file, /* 要模糊测试的文件(如果有的话) */ - *out_dir, /* 工作和输出目录 */ - *sync_dir, /* 同步目录 */ - *sync_id, /* 模糊测试器标识符 */ - *use_banner, /* 显示横幅 */ - *in_bitmap, /* 输入位图 */ - *doc_path, /* 文档目录的路径 */ - *target_path, /* 目标二进制文件路径 */ - *orig_cmdline; /* 原始命令行 */ - -EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* 可配置的执行超时 (ms) */ -static u32 hang_tmout = EXEC_TIMEOUT; /* 用于挂起的超时时间 (ms) */ - -EXP_ST u64 mem_limit = MEM_LIMIT; /* 子进程的内存限制 (MB) */ - -EXP_ST u32 cpu_to_bind = 0; /* 待绑定的空闲CPU核id */ - -static u32 stats_update_freq = 1; /* 统计更新频率 (执行次数)*/ - -EXP_ST u8 skip_deterministic, /* 跳过确定性阶段? */ - force_deterministic, /* 强制执行确定性阶段? */ - use_splicing, /* 重组输入文件? */ - dumb_mode, /* 在非插桩模式下运行? */ - score_changed, /* 收藏项的评分改变了? */ - kill_signal, /* 导致子进程退出的信号 */ - resuming_fuzz, /* 恢复旧的模糊测试工作? */ - timeout_given, /* 给出了特定的超时时间? */ - cpu_to_bind_given, /* 指定了cpu_to_bind? */ - not_on_tty, /* 标准输出不是tty */ - term_too_small, /* 终端尺寸太小 */ - uses_asan, /* 目标使用ASAN? */ - no_forkserver, /* 禁用forkserver? */ - crash_mode, /* 崩溃模式!耶! */ - in_place_resume, /* 尝试就地恢复? */ - auto_changed, /* 自动生成的令牌改变了? */ - no_cpu_meter_red, /* 状态屏幕上的风水 */ - no_arith, /* 跳过大多数算术操作 */ - shuffle_queue, /* 打乱输入队列? */ - bitmap_changed = 1, /* 更新位图的时间? */ - qemu_mode, /* 在QEMU模式下运行? */ - skip_requested, /* 通过SIGUSR1跳过请求 */ - run_over10m, /* 运行时间超过10分钟? */ - persistent_mode, /* 在持久模式下运行? */ - deferred_mode, /* 延迟forkserver模式? */ - fast_cal; /* 尝试更快地校准? */ - -static s32 out_fd, /* 用于out_file的持久文件描述符 */ - dev_urandom_fd = -1, /* 用于/dev/urandom的持久文件描述符 */ - dev_null_fd = -1, /* 用于/dev/null的持久文件描述符 */ - fsrv_ctl_fd, /* fork服务器控制管道(写入) */ - fsrv_st_fd; /* fork服务器状态管道(读取) */ - -static s32 forksrv_pid, /* fork服务器的进程ID */ - child_pid = -1, /* 被模糊测试的程序的进程ID */ - out_dir_fd = -1; /* 锁定文件的文件描述符 */ - -EXP_ST u8* trace_bits; /* 与插桩位图共享的共享内存 */ - -EXP_ST u8 virgin_bits[MAP_SIZE], /* 尚未被模糊测试触及的区域 */ - virgin_tmout[MAP_SIZE], /* 我们在超时中尚未见过的位 */ - virgin_crash[MAP_SIZE]; /* 我们在崩溃中尚未见过的位 */ - -static u8 var_bytes[MAP_SIZE]; /* 看起来是可变的字节 */ - -static s32 shm_id; /* 共享内存区域的ID */ - -static volatile u8 stop_soon, /* Ctrl-C 被按下了吗? */ - clear_screen = 1, /* 窗口被调整大小了吗? */ - child_timed_out; /* 被追踪的进程超时了吗? */ - -EXP_ST u32 queued_paths, /* 排队的测试用例总数 */ - queued_variable, /* 具有可变行为的测试用例 */ - queued_at_start, /* 初始输入的总数 */ - queued_discovered, /* 在此运行期间发现的项目 */ - queued_imported, /* 通过-S导入的项目 */ - queued_favored, /* 被认为有利的路径 */ - queued_with_cov, /* 有新的覆盖字节的路径 */ - pending_not_fuzzed, /* 已排队但尚未完成 */ - pending_favored, /* 等待中的优先路径 */ - cur_skipped_paths, /* 当前周期中放弃的输入 */ - cur_depth, /* 当前路径深度 */ - max_depth, /* 最大路径深度 */ - useless_at_start, /* 无用的起始路径数量 */ - var_byte_count, /* 具有可变行为的位图字节 */ - current_entry, /* 当前队列条目ID */ - havoc_div = 1; /* 对havoc的循环计数除数 */ - -EXP_ST u64 total_crashes, /* 崩溃总数 */ - unique_crashes, /* 具有唯一签名的崩溃 */ - total_tmouts, /* 超时总数 */ - unique_tmouts, /* 具有唯一签名的超时 */ - unique_hangs, /* 具有唯一签名的挂起 */ - total_execs, /* 总的execve()调用次数 */ - slowest_exec_ms, /* 最慢的测试用例非挂起时间(ms) */ - start_time, /* Unix开始时间(ms) */ - last_path_time, /* 最近路径的时间(ms) */ - last_crash_time, /* 最近崩溃的时间(ms) */ - last_hang_time, /* 最近挂起的时间(ms) */ - last_crash_execs, /* 上次崩溃时的执行计数器 */ - queue_cycle, /* 队列循环计数器 */ - cycles_wo_finds, /* 没有发现新路径的周期数 */ - trim_execs, /* 用于修剪输入文件的执行次数 */ - bytes_trim_in, /* 进入修剪器的字节 */ - bytes_trim_out, /* 从修剪器出来的字节 */ - blocks_eff_total, /* 受效应器映射影响的块 */ - blocks_eff_select; /* 被选为可模糊化的块 */ - -static u32 subseq_tmouts; /* 连续超时的次数 */ - -static u8 *stage_name = "init", /* 当前模糊测试阶段的名称 */ - *stage_short, /* 简短的阶段名称 */ - *syncing_party; /* 当前正在同步的... */ - -static s32 stage_cur, stage_max; /* 阶段进度 */ -static s32 splicing_with = -1; /* 与哪个测试用例混合? */ - -static u32 master_id, master_max; /* 主实例工作分割 */ - -static u32 syncing_case; /* 与案例#...同步 */ - -static s32 stage_cur_byte, /* 当前阶段操作的字节偏移量 */ - stage_cur_val; /* 用于阶段操作的值 */ - -static u8 stage_val_type; /* 值类型(STAGE_VAL_*) */ - -static u64 stage_finds[32], /* 每个模糊测试阶段发现的模式 */ - stage_cycles[32]; /* 每个模糊测试阶段的执行次数 */ - -static u32 rand_cnt; /* 随机数计数器 */ - -static u64 total_cal_us, /* 总校准时间(微秒) */ - total_cal_cycles; /* 总校准周期 */ - -static u64 total_bitmap_size, /* 所有位图的总位数 */ - total_bitmap_entries; /* 计算的位图数量 */ - -static s32 cpu_core_count; /* CPU核心数 */ +EXP_ST u8 *in_dir, /* Input directory with test cases */ + *out_file, /* File to fuzz, if any */ + *out_dir, /* Working & output directory */ + *sync_dir, /* Synchronization directory */ + *sync_id, /* Fuzzer ID */ + *use_banner, /* Display banner */ + *in_bitmap, /* Input bitmap */ + *doc_path, /* Path to documentation dir */ + *target_path, /* Path to target binary */ + *orig_cmdline; /* Original command line */ + +EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */ +static u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */ + +EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */ + +EXP_ST u32 cpu_to_bind = 0; /* id of free CPU core to bind */ + +static u32 stats_update_freq = 1; /* Stats update frequency (execs) */ + +EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ + force_deterministic, /* Force deterministic stages? */ + use_splicing, /* Recombine input files? */ + dumb_mode, /* Run in non-instrumented mode? */ + score_changed, /* Scoring for favorites changed? */ + kill_signal, /* Signal that killed the child */ + resuming_fuzz, /* Resuming an older fuzzing job? */ + timeout_given, /* Specific timeout given? */ + cpu_to_bind_given, /* Specified cpu_to_bind given? */ + not_on_tty, /* stdout is not a tty */ + term_too_small, /* terminal dimensions too small */ + uses_asan, /* Target uses ASAN? */ + no_forkserver, /* Disable forkserver? */ + crash_mode, /* Crash mode! Yeah! */ + in_place_resume, /* Attempt in-place resume? */ + auto_changed, /* Auto-generated tokens changed? */ + no_cpu_meter_red, /* Feng shui on the status screen */ + no_arith, /* Skip most arithmetic ops */ + shuffle_queue, /* Shuffle input queue? */ + bitmap_changed = 1, /* Time to update bitmap? */ + qemu_mode, /* Running in QEMU mode? */ + skip_requested, /* Skip request, via SIGUSR1 */ + run_over10m, /* Run time over 10 minutes? */ + persistent_mode, /* Running in persistent mode? */ + deferred_mode, /* Deferred forkserver mode? */ + fast_cal; /* Try to calibrate faster? */ + +static s32 out_fd, /* Persistent fd for out_file */ + dev_urandom_fd = -1, /* Persistent fd for /dev/urandom */ + dev_null_fd = -1, /* Persistent fd for /dev/null */ + fsrv_ctl_fd, /* Fork server control pipe (write) */ + fsrv_st_fd; /* Fork server status pipe (read) */ + +static s32 forksrv_pid, /* PID of the fork server */ + child_pid = -1, /* PID of the fuzzed program */ + out_dir_fd = -1; /* FD of the lock file */ + +EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */ + +EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ + virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ + virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ + +static u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ + +static s32 shm_id; /* ID of the SHM region */ + +static volatile u8 stop_soon, /* Ctrl-C pressed? */ + clear_screen = 1, /* Window resized? */ + child_timed_out; /* Traced process timed out? */ + +EXP_ST u32 queued_paths, /* Total number of queued testcases */ + queued_variable, /* Testcases with variable behavior */ + queued_at_start, /* Total number of initial inputs */ + queued_discovered, /* Items discovered during this run */ + queued_imported, /* Items imported via -S */ + queued_favored, /* Paths deemed favorable */ + queued_with_cov, /* Paths with new coverage bytes */ + pending_not_fuzzed, /* Queued but not done yet */ + pending_favored, /* Pending favored paths */ + cur_skipped_paths, /* Abandoned inputs in cur cycle */ + cur_depth, /* Current path depth */ + max_depth, /* Max path depth */ + useless_at_start, /* Number of useless starting paths */ + var_byte_count, /* Bitmap bytes with var behavior */ + current_entry, /* Current queue entry ID */ + havoc_div = 1; /* Cycle count divisor for havoc */ + +EXP_ST u64 total_crashes, /* Total number of crashes */ + unique_crashes, /* Crashes with unique signatures */ + total_tmouts, /* Total number of timeouts */ + unique_tmouts, /* Timeouts with unique signatures */ + unique_hangs, /* Hangs with unique signatures */ + total_execs, /* Total execve() calls */ + slowest_exec_ms, /* Slowest testcase non hang in ms */ + start_time, /* Unix start time (ms) */ + last_path_time, /* Time for most recent path (ms) */ + last_crash_time, /* Time for most recent crash (ms) */ + last_hang_time, /* Time for most recent hang (ms) */ + last_crash_execs, /* Exec counter at last crash */ + queue_cycle, /* Queue round counter */ + cycles_wo_finds, /* Cycles without any new paths */ + trim_execs, /* Execs done to trim input files */ + bytes_trim_in, /* Bytes coming into the trimmer */ + bytes_trim_out, /* Bytes coming outa the trimmer */ + blocks_eff_total, /* Blocks subject to effector maps */ + blocks_eff_select; /* Blocks selected as fuzzable */ + +static u32 subseq_tmouts; /* Number of timeouts in a row */ + +static u8 *stage_name = "init", /* Name of the current fuzz stage */ + *stage_short, /* Short stage name */ + *syncing_party; /* Currently syncing with... */ + +static s32 stage_cur, stage_max; /* Stage progression */ +static s32 splicing_with = -1; /* Splicing with which test case? */ + +static u32 master_id, master_max; /* Master instance job splitting */ + +static u32 syncing_case; /* Syncing with case #... */ + +static s32 stage_cur_byte, /* Byte offset of current stage op */ + stage_cur_val; /* Value used for stage op */ + +static u8 stage_val_type; /* Value type (STAGE_VAL_*) */ + +static u64 stage_finds[32], /* Patterns found per fuzz stage */ + stage_cycles[32]; /* Execs per fuzz stage */ + +static u32 rand_cnt; /* Random number counter */ + +static u64 total_cal_us, /* Total calibration time (us) */ + total_cal_cycles; /* Total calibration cycles */ + +static u64 total_bitmap_size, /* Total bit count for all bitmaps */ + total_bitmap_entries; /* Number of bitmaps counted */ + +static s32 cpu_core_count; /* CPU core count */ #ifdef HAVE_AFFINITY -static s32 cpu_aff = -1; /* 选择的CPU核心 */ +static s32 cpu_aff = -1; /* Selected CPU core */ #endif /* HAVE_AFFINITY */ -static FILE* plot_file; /* Gnuplot输出文件 */ +static FILE* plot_file; /* Gnuplot output file */ struct queue_entry { - - u8* fname; /* 测试用例的文件名 */ - u32 len; /* 输入长度 */ - u8 cal_failed, /* 校准失败? */ - trim_done, /* 修剪完成? */ - was_fuzzed, /* 之前进行过模糊测试吗? */ - passed_det, /* 通过了确定性阶段吗? */ - has_new_cov, /* 触发了新的代码覆盖吗? */ - var_behavior, /* 表现出可变行为吗? */ - favored, /* 当前是否被优先考虑? */ - fs_redundant; /* 在文件系统中被标记为冗余了吗? */ + u8* fname; /* File name for the test case */ + u32 len; /* Input length */ + + u8 cal_failed, /* Calibration failed? */ + trim_done, /* Trimmed? */ + was_fuzzed, /* Had any fuzzing done yet? */ + passed_det, /* Deterministic stages passed? */ + has_new_cov, /* Triggers new coverage? */ + var_behavior, /* Variable behavior? */ + favored, /* Currently favored? */ + fs_redundant; /* Marked as redundant in the fs? */ - u32 bitmap_size, /* 位图中设置的位数 */ - exec_cksum; /* 执行轨迹的校验和 */ + u32 bitmap_size, /* Number of bits set in bitmap */ + exec_cksum; /* Checksum of the execution trace */ - u64 exec_us, /* 执行时间(微秒) */ - handicap, /* 在队列中的落后周期数 */ - depth; /* 路径深度 */ + u64 exec_us, /* Execution time (us) */ + handicap, /* Number of queue cycles behind */ + depth; /* Path depth */ - u8* trace_mini; /* 如果保留,执行轨迹的字节 */ - u32 tc_ref; /* 执行轨迹字节的引用计数 */ + u8* trace_mini; /* Trace bytes, if kept */ + u32 tc_ref; /* Trace bytes ref count */ - struct queue_entry *next, /* 下一个元素,如果有的话 */ - *next_100; /* 100个元素之后的元素 */ + struct queue_entry *next, /* Next element, if any */ + *next_100; /* 100 elements ahead */ }; -static struct queue_entry *queue, /* 模糊测试队列(链表) */ - *queue_cur, /* 队列中的当前偏移量 */ - *queue_top, /* 列表的顶部 */ - *q_prev100; /* 上一个100个标记 */ +static struct queue_entry *queue, /* Fuzzing queue (linked list) */ + *queue_cur, /* Current offset within the queue */ + *queue_top, /* Top of the list */ + *q_prev100; /* Previous 100 marker */ static struct queue_entry* - top_rated[MAP_SIZE]; /* 位图字节的顶级条目 */ + top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ struct extra_data { - u8* data; /* 词典令牌数据 */ - u32 len; /* 词典令牌长度 */ - u32 hit_cnt; /* 在语料库中的使用次数 */ + u8* data; /* Dictionary token data */ + u32 len; /* Dictionary token length */ + u32 hit_cnt; /* Use count in the corpus */ }; -static struct extra_data* extras; /* 用于模糊测试的额外令牌 */ -static u32 extras_cnt; /* 读取的令牌总数 */ +static struct extra_data* extras; /* Extra tokens to fuzz with */ +static u32 extras_cnt; /* Total number of tokens read */ -static struct extra_data* a_extras; /* 自动选择的额外令牌 */ -static u32 a_extras_cnt; /* 可用的令牌总数 */ +static struct extra_data* a_extras; /* Automatically selected extras */ +static u32 a_extras_cnt; /* Total number of tokens available */ static u8* (*post_handler)(u8* buf, u32* len); -/* 根据config.h中的设置interesting的值 */ +/* Interesting values, as per config.h */ static s8 interesting_8[] = { INTERESTING_8 }; static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 }; static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 }; -/* 模糊测试阶段 */ +/* Fuzzing stages */ enum { /* 00 */ STAGE_FLIP1, @@ -321,7 +317,7 @@ enum { /* 16 */ STAGE_SPLICE }; -/*阶段值类型 */ +/* Stage value types */ enum { /* 00 */ STAGE_VAL_NONE, @@ -329,7 +325,7 @@ enum { /* 02 */ STAGE_VAL_BE }; -/* 执行状态故障代码 */ +/* Execution status fault codes */ enum { /* 00 */ FAULT_NONE, @@ -341,7 +337,7 @@ enum { }; -/* 获取毫秒级的Unix时间戳 */ +/* Get unix time in milliseconds */ static u64 get_cur_time(void) { @@ -355,7 +351,7 @@ static u64 get_cur_time(void) { } -/* 获取微秒级的Unix时间戳 */ +/* Get unix time in microseconds */ static u64 get_cur_time_us(void) { @@ -369,7 +365,8 @@ static u64 get_cur_time_us(void) { } -/* 生成一个随机数(从0到限值减1)。这可能存在轻微的偏差。 */ +/* Generate a random number (from 0 to limit - 1). This may + have slight bias. */ static inline u32 UR(u32 limit) { @@ -389,7 +386,7 @@ static inline u32 UR(u32 limit) { } -/* 洗牌一个指针数组。可能会有轻微的偏差。 */ +/* Shuffle an array of pointers. Might be slightly biased. */ static void shuffle_ptrs(void** ptrs, u32 cnt) { @@ -409,7 +406,8 @@ static void shuffle_ptrs(void** ptrs, u32 cnt) { #ifdef HAVE_AFFINITY -/* 构建绑定到特定核心的进程列表。如果找不到任何东西,返回-1。假设cpu上限为4k。 */ +/* Build a list of processes bound to specific cores. Returns -1 if nothing + can be found. Assumes an upper bound of 4k CPUs. */ static void bind_to_free_cpu(void) { @@ -440,13 +438,15 @@ static void bind_to_free_cpu(void) { ACTF("Checking CPU core loadout..."); - /* 引入一些抖动,以防多个AFL任务在同一时间做同一件事情... */ + /* Introduce some jitter, in case multiple AFL tasks are doing the same + thing at the same time... */ usleep(R(1000) * 250); - /* 扫描所有 /proc//status 条目,检查 Cpus_allowed_list。 - 使用 cpu_used[] 标记所有绑定到特定 CPU 的进程。 - 这在某些特殊的绑定设置中可能会失败,但在几乎所有现实世界的用例中都足够好。 */ + /* Scan all /proc//status entries, checking for Cpus_allowed_list. + Flag all processes bound to a specific CPU using cpu_used[]. This will + fail for some exotic binding setups, but is likely good enough in almost + all real-world use cases. */ while ((de = readdir(d))) { @@ -468,7 +468,7 @@ static void bind_to_free_cpu(void) { u32 hval; - /* 没有VmSize的进程可能是内核任务。 */ + /* Processes without VmSize are probably kernel tasks. */ if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; @@ -535,7 +535,8 @@ static void bind_to_free_cpu(void) { #ifndef IGNORE_FINDS -/* 辅助函数用于比较缓冲区;返回第一个和最后一个不同的偏移量。我们用这个来找到合理的地点来拼接两个文件。 */ +/* Helper function to compare buffers; returns first and last differing offset. We + use this to find reasonable locations for splicing two files. */ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { @@ -564,8 +565,9 @@ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { #endif /* !IGNORE_FINDS */ -/*描述整数。使用12个循环的静态缓冲区来存储返回值。 -对于我们合理预期会看到的所有的整数,返回的值应该是五个字符或更少。 */ +/* Describe integer. Uses 12 cyclic static buffers for return values. The value + returned should be five characters or less for all the integers we reasonably + expect to see. */ static u8* DI(u64 val) { @@ -621,7 +623,8 @@ static u8* DI(u64 val) { } -/* 描述浮点数。与上面的类似,只是使用单个静态缓冲区。 */ +/* Describe float. Similar to the above, except with a single + static buffer. */ static u8* DF(double val) { @@ -642,7 +645,7 @@ static u8* DF(double val) { } -/* 将整数描述为内存大小。*/ +/* Describe integer as memory size. */ static u8* DMS(u64 val) { @@ -693,7 +696,7 @@ static u8* DMS(u64 val) { } -/* 描述时间增量。返回一个静态缓冲区,长度不超过34个字符。 */ +/* Describe time delta. Returns one static buffer, 34 chars of less. */ static u8* DTD(u64 cur_ms, u64 event_ms) { @@ -716,7 +719,9 @@ static u8* DTD(u64 cur_ms, u64 event_ms) { } -/* 标记特定队列条目的确定性检查为已完成。我们使用.state文件来避免在恢复中断的扫描时重复进行确定性模糊测试。 */ +/* Mark deterministic checks as done for a particular queue entry. We use the + .state file to avoid repeating deterministic fuzzing when resuming aborted + scans. */ static void mark_as_det_done(struct queue_entry* q) { @@ -736,7 +741,8 @@ static void mark_as_det_done(struct queue_entry* q) { } -/* 标记为变量。如果可能的话,创建符号链接以便于检查文件。 */ +/* Mark as variable. Create symlinks if possible to make it easier to examine + the files. */ static void mark_as_variable(struct queue_entry* q) { @@ -761,7 +767,8 @@ static void mark_as_variable(struct queue_entry* q) { } -/* 标记/取消标记为冗余(仅边)。这并不用于恢复状态,但可能对后处理数据集有用。 */ +/* Mark / unmark as redundant (edge-only). This is not used for restoring state, + but may be useful for post-processing datasets. */ static void mark_as_redundant(struct queue_entry* q, u8 state) { @@ -792,7 +799,7 @@ static void mark_as_redundant(struct queue_entry* q, u8 state) { } -/* 向队列追加新的测试用例。 */ +/* Append new test case to the queue. */ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { @@ -817,7 +824,7 @@ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { cycles_wo_finds = 0; - /* 为每100个元素(索引0,100等)设置next_100指针,以允许更快的迭代。 */ + /* Set next_100 pointer for every 100th element (index 0, 100, etc) to allow faster iteration. */ if ((queued_paths - 1) % 100 == 0 && queued_paths > 1) { q_prev100->next_100 = q; @@ -830,7 +837,7 @@ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { } -/* 销毁整个队列。 */ +/* Destroy the entire queue. */ EXP_ST void destroy_queue(void) { @@ -849,8 +856,9 @@ EXP_ST void destroy_queue(void) { } -/* 将位图写入文件。位图主要用于秘密的 -B 选项,以便在不重新发现所有 - 其他内容的情况下,将单独的模糊测试会话集中在某个特定的有趣输入上。*/ +/* Write bitmap to file. The bitmap is useful mostly for the secret + -B option, to focus a separate fuzzing session on a particular + interesting input without rediscovering all the others. */ EXP_ST void write_bitmap(void) { @@ -873,7 +881,7 @@ EXP_ST void write_bitmap(void) { } -/* 从文件中读取位图。这是-B选项。 */ +/* Read bitmap from file. This is for the -B option again. */ EXP_ST void read_bitmap(u8* fname) { @@ -888,11 +896,13 @@ EXP_ST void read_bitmap(u8* fname) { } -/* 检查当前的执行路径是否带来了新的内容。 -更新virgin bits以反映发现的内容。如果唯一的变化是某个特定元组的命中次数,则返回1;如果看到了新的元组,则返回2。 -更新映射,因此后续调用总是返回0。 +/* Check if the current execution path brings anything new to the table. + Update virgin bits to reflect the finds. Returns 1 if the only change is + the hit-count for a particular tuple; 2 if there are new tuples seen. + Updates the map, so subsequent calls will always return 0. -这个函数在每次对相当大的缓冲区执行exec()之后被调用,所以它需要快速。我们在32位和64位版本中都这样做。 */ + This function is called after every exec() on a fairly large buffer, so + it needs to be fast. We do this in 32-bit and 64-bit flavors. */ static inline u8 has_new_bits(u8* virgin_map) { @@ -916,7 +926,9 @@ static inline u8 has_new_bits(u8* virgin_map) { while (i--) { - /* 针对(*current & *virgin)== 0进行优化——即,当前位图中没有未从virgin map中清除的位——因为这种情况几乎总是会出现。 */ + /* Optimize for (*current & *virgin) == 0 - i.e., no bits in current bitmap + that have not been already cleared from the virgin map - since this will + almost always be the case. */ if (unlikely(*current) && unlikely(*current & *virgin)) { @@ -925,7 +937,8 @@ static inline u8 has_new_bits(u8* virgin_map) { u8* cur = (u8*)current; u8* vir = (u8*)virgin; - /* 看起来我们还没有找到任何新的字节;检查current[]中的任何非零字节是否在virgin[]中是未被触碰的。*/ + /* Looks like we have not found any new bytes yet; see if any non-zero + bytes in current[] are pristine in virgin[]. */ #ifdef WORD_SIZE_64 @@ -961,7 +974,8 @@ static inline u8 has_new_bits(u8* virgin_map) { } -/* 计算提供的位图中设置的位数。它每秒多次用于状态屏幕,不需要太快。 */ +/* Count the number of bits set in the provided bitmap. Used for the status + screen several times every second, does not have to be fast. */ static u32 count_bits(u8* mem) { @@ -973,7 +987,8 @@ static u32 count_bits(u8* mem) { u32 v = *(ptr++); - /* 这个函数被调用在相反的,virgin bitmap上;针对稀疏数据进行优化。 */ + /* This gets called on the inverse, virgin bitmap; optimize for sparse + data. */ if (v == 0xffffffff) { ret += 32; @@ -993,7 +1008,9 @@ static u32 count_bits(u8* mem) { #define FF(_b) (0xff << ((_b) << 3)) -/* 计算位图中设置的字节数。调用相对不频繁,主要用于更新状态屏幕或校准和检查确认的新路径。 */ +/* Count the number of bytes set in the bitmap. Called fairly sporadically, + mostly to update the status screen or calibrate and examine confirmed + new paths. */ static u32 count_bytes(u8* mem) { @@ -1018,7 +1035,8 @@ static u32 count_bytes(u8* mem) { } -/* 计算位图中非255字节的数量。仅用于状态屏幕,每秒大约有几调用。*/ +/* Count the number of non-255 bytes set in the bitmap. Used strictly for the + status screen, several calls per second or so. */ static u32 count_non_255_bytes(u8* mem) { @@ -1030,7 +1048,8 @@ static u32 count_non_255_bytes(u8* mem) { u32 v = *(ptr++); - /* 这个函数是在virgin bitmap上调用的,因此要针对最可能的情况进行优化。 */ + /* This is called on the virgin bitmap, so optimize for the most likely + case. */ if (v == 0xffffffff) continue; if ((v & FF(0)) != FF(0)) ret++; @@ -1045,8 +1064,10 @@ static u32 count_non_255_bytes(u8* mem) { } -/* 通过消除命中次数信息,并根据元组是否被命中,用0x80或0x01替换, -来破坏性地简化跟踪信息。在每次新的崩溃或超时时被调用,应该足够快。 */ +/* Destructively simplify trace by eliminating hit count information + and replacing it with 0x80 or 0x01 depending on whether the tuple + is hit or not. Called on every new crash or timeout, should be + reasonably fast. */ static const u8 simplify_lookup[256] = { @@ -1063,7 +1084,7 @@ static void simplify_trace(u64* mem) { while (i--) { - /* 优化稀疏位图 */ + /* Optimize for sparse bitmaps. */ if (unlikely(*mem)) { @@ -1094,7 +1115,7 @@ static void simplify_trace(u32* mem) { while (i--) { - /* 优化稀疏位图 */ + /* Optimize for sparse bitmaps. */ if (unlikely(*mem)) { @@ -1115,7 +1136,9 @@ static void simplify_trace(u32* mem) { #endif /* ^WORD_SIZE_64 */ -/* 破坏性地对跟踪中的执行计数进行分类。这用作任何新获得的跟踪的预处理步骤。每次执行时都会被调用,必须快速。 */ +/* Destructively classify execution counts in a trace. This is used as a + preprocessing step for any newly acquired traces. Called on every exec, + must be fast. */ static const u8 count_class_lookup8[256] = { @@ -1155,7 +1178,7 @@ static inline void classify_counts(u64* mem) { while (i--) { - /* 优化稀疏位图 */ + /* Optimize for sparse bitmaps. */ if (unlikely(*mem)) { @@ -1182,7 +1205,7 @@ static inline void classify_counts(u32* mem) { while (i--) { - /* 优化稀疏位图 */ + /* Optimize for sparse bitmaps. */ if (unlikely(*mem)) { @@ -1202,7 +1225,7 @@ static inline void classify_counts(u32* mem) { #endif /* ^WORD_SIZE_64 */ -/* 摆脱共享内存(atexit处理程序) */ +/* Get rid of shared memory (atexit handler). */ static void remove_shm(void) { @@ -1211,7 +1234,9 @@ static void remove_shm(void) { } -/* 将跟踪字节压缩到更小的位图中。我们实际上在这里只是丢弃了计数信息。这个函数只在一些新路径上偶尔被调用。 */ +/* Compact trace bytes into a smaller bitmap. We effectively just drop the + count information here. This is called only sporadically, for some + new paths. */ static void minimize_bits(u8* dst, u8* src) { @@ -1227,21 +1252,23 @@ static void minimize_bits(u8* dst, u8* src) { } -/* 当我们遇到一个新的路径时,我们会调用这个函数来查看这个路径是否看起来比现有的任何路径都更“favorable”。 -“favorable”的目的是拥有一个最小的路径集合,这些路径触发了迄今为止在位图中看到的所有位, -并专注于对这些路径进行模糊测试,而牺牲其他路径。 +/* When we bump into a new path, we call this to see if the path appears + more "favorable" than any of the existing ones. The purpose of the + "favorables" is to have a minimal set of paths that trigger all the bits + seen in the bitmap so far, and focus on fuzzing them at the expense of + the rest. -这个过程的第一步是为位图中的每个字节维护一个top_rated[]条目列表。如果之前没有竞争者, -或者竞争者具有更有利的速度x大小因子,我们就赢得了那个位置。 - -对于trace_bits[]中设置的每个字节,看看是否有之前的获胜者,以及它与我们的比较情况。 */ + The first step of the process is to maintain a list of top_rated[] entries + for every byte in the bitmap. We win that slot if there is no previous + contender, or if the contender has a more favorable speed x size factor. */ static void update_bitmap_score(struct queue_entry* q) { u32 i; u64 fav_factor = q->exec_us * q->len; - /* 对于trace_bits[]中设置的每个字节,看看是否有之前的获胜者,以及它与我们的比较情况。 */ + /* For every byte set in trace_bits[], see if there is a previous winner, + and how it compares to us. */ for (i = 0; i < MAP_SIZE; i++) @@ -1249,11 +1276,12 @@ static void update_bitmap_score(struct queue_entry* q) { if (top_rated[i]) { - /* 执行速度更快或更小的测试用例是受青睐的。*/ + /* Faster-executing or smaller test cases are favored. */ if (fav_factor > top_rated[i]->exec_us * top_rated[i]->len) continue; - /* 看来我们要赢了。为之前的获胜者减少引用计数,如果需要的话,丢弃它的trace_bits[]。 */ + /* Looks like we're going to win. Decrease ref count for the + previous winner, discard its trace_bits[] if necessary. */ if (!--top_rated[i]->tc_ref) { ck_free(top_rated[i]->trace_mini); @@ -1262,7 +1290,7 @@ static void update_bitmap_score(struct queue_entry* q) { } - /* 将自己插入为新的获胜者。 */ + /* Insert ourselves as the new winner. */ top_rated[i] = q; q->tc_ref++; @@ -1279,9 +1307,11 @@ static void update_bitmap_score(struct queue_entry* q) { } -/* -上述机制的第二部分是一个例程,它遍历top_rated[]条目,然后依次获取之前未见过的字节(temp_v)的获胜者, -并将它们标记为受青睐的,至少直到下一次运行。在所有的模糊测试步骤中,受青睐的条目会被给予更多的测试时间。*/ +/* The second part of the mechanism discussed above is a routine that + goes over top_rated[] entries, and then sequentially grabs winners for + previously-unseen bytes (temp_v) and marks them as favored, at least + until the next run. The favored entries are given more air time during + all fuzzing steps. */ static void cull_queue(void) { @@ -1305,14 +1335,15 @@ static void cull_queue(void) { q = q->next; } - /* 让我们看看位图中是否有未在temp_v中捕获的内容。如果有,并且它在top_rated[]中有竞争者,那么我们就使用它。 */ + /* Let's see if anything in the bitmap isn't captured in temp_v. + If yes, and if it has a top_rated[] contender, let's use it. */ for (i = 0; i < MAP_SIZE; i++) if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { u32 j = MAP_SIZE >> 3; - /* 从temp_v中删除属于当前条目的所有位。 */ + /* Remove all bits belonging to the current entry from temp_v. */ while (j--) if (top_rated[i]->trace_mini[j]) @@ -1335,7 +1366,7 @@ static void cull_queue(void) { } -/* 配置共享内存和virgin_bits。这在启动时被调用。 */ +/* Configure shared memory and virgin_bits. This is called at startup. */ EXP_ST void setup_shm(void) { @@ -1354,8 +1385,10 @@ EXP_ST void setup_shm(void) { shm_str = alloc_printf("%d", shm_id); - /* 如果有人要求我们在dump模式下对插桩的二进制文件进行模糊测试,我们不希望他们检测到插桩, - 因为我们不会发送fork服务器命令。这应该在以后被更好的自动检测所取代,对吗? */ + /* If somebody is asking us to fuzz instrumented binaries in dumb mode, + we don't want them to detect instrumentation, since we won't be sending + fork server commands. This should be replaced with better auto-detection + later on, perhaps? */ if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); @@ -1368,7 +1401,7 @@ EXP_ST void setup_shm(void) { } -/* 加载后处理器(如果可用) */ +/* Load postprocessor, if available. */ static void setup_post(void) { @@ -1386,7 +1419,7 @@ static void setup_post(void) { post_handler = dlsym(dh, "afl_postprocess"); if (!post_handler) FATAL("Symbol 'afl_postprocess' not found."); - /* 做一个快速测试。现在分段故障比以后好=) */ + /* Do a quick test. It's better to segfault now than later =) */ post_handler("hello", &tlen); @@ -1395,7 +1428,8 @@ static void setup_post(void) { } -/* 从输入目录读取所有测试用例,然后将它们排队进行测试。在启动时调用。*/ +/* Read all testcases from the input directory, then queue them for testing. + Called at startup. */ static void read_testcases(void) { @@ -1404,14 +1438,16 @@ static void read_testcases(void) { u32 i; u8* fn; - /* 自动检测非原位恢复尝试。 */ + /* Auto-detect non-in-place resumption attempts. */ fn = alloc_printf("%s/queue", in_dir); if (!access(fn, F_OK)) in_dir = fn; else ck_free(fn); ACTF("Scanning '%s'...", in_dir); - /* 我们使用 scandir() + alphasort() 而不是 readdir(),因为如果不这样,测试用例的排序会有些随机,并且难以控制。 */ + /* We use scandir() + alphasort() rather than readdir() because otherwise, + the ordering of test cases would vary somewhat randomly and would be + difficult to control. */ nl_cnt = scandir(in_dir, &nl, NULL, alphasort); @@ -1450,7 +1486,7 @@ static void read_testcases(void) { if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); - /* 这也照顾.和. . */ + /* This also takes care of . and .. */ if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn, "/README.testcases")) { @@ -1464,8 +1500,10 @@ static void read_testcases(void) { FATAL("Test case '%s' is too big (%s, limit is %s)", fn, DMS(st.st_size), DMS(MAX_FILE)); - /* 检查元数据,以确定是否已经完成了这项条目的确定性模糊测试。 - 我们不想在恢复中断的扫描时重复进行确定性模糊测试,因为这样做毫无意义,而且可能非常耗时。 */ + /* Check for metadata that indicates that deterministic fuzzing + is complete for this entry. We don't want to repeat deterministic + fuzzing when resuming aborted scans, because it would be pointless + and probably very time-consuming. */ if (!access(dfn, F_OK)) passed_det = 1; ck_free(dfn); @@ -1494,7 +1532,7 @@ static void read_testcases(void) { } -/* load_extras的辅助函数 */ +/* Helper function for load_extras. */ static int compare_extras_len(const void* p1, const void* p2) { struct extra_data *e1 = (struct extra_data*)p1, @@ -1511,7 +1549,7 @@ static int compare_extras_use_d(const void* p1, const void* p2) { } -/* 从文件中读取额外内容,按大小排序。 */ +/* Read extras from a file, sort by size. */ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, u32 dict_level) { @@ -1532,7 +1570,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, cur_line++; - /* 修剪左右 */ + /* Trim on left and right. */ while (isspace(*lptr)) lptr++; @@ -1541,11 +1579,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, rptr++; *rptr = 0; - /* 跳过空行和注释 */ + /* Skip empty lines and comments. */ if (!*lptr || *lptr == '#') continue; - /* 所有其他行必须以‘ " ’结尾,我们可以使用它。 */ + /* All other lines must end with '"', which we can consume. */ rptr--; @@ -1554,11 +1592,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, *rptr = 0; - /* 跳过字母数字和破折号(标签) */ + /* Skip alphanumerics and dashes (label). */ while (isalnum(*lptr) || *lptr == '_') lptr++; - /* 如果后面跟着@number,解析它 */ + /* If @number follows, parse that. */ if (*lptr == '@') { @@ -1568,11 +1606,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, } - /* 跳过空格和=号 */ + /* Skip whitespace and = signs. */ while (isspace(*lptr) || *lptr == '=') lptr++; - /* 消费开放‘ " ’ 。 */ + /* Consume opening '"'. */ if (*lptr != '"') FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line); @@ -1581,7 +1619,8 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, if (!*lptr) FATAL("Empty keyword in line %u.", cur_line); - /* 好的,我们来分配内存并在 "..." 之间复制数据,同时处理 \xNN 转义、\ 和 "*/ + /* Okay, let's allocate memory and copy data between "...", handling + \xNN escaping, \\, and \". */ extras = ck_realloc_block(extras, (extras_cnt + 1) * sizeof(struct extra_data)); @@ -1647,7 +1686,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, } -/* 从extras目录中读取extras,并按大小排序。 */ +/* Read extras from the extras directory and sort them by size. */ static void load_extras(u8* dir) { @@ -1656,7 +1695,7 @@ static void load_extras(u8* dir) { u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; u8* x; - /* 如果名称以@结尾,则提取level并继续 */ + /* If the name ends with @, extract level and continue. */ if ((x = strchr(dir, '@'))) { @@ -1691,7 +1730,7 @@ static void load_extras(u8* dir) { if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); - /* 这也照顾.和. . */ + /* This also takes care of . and .. */ if (!S_ISREG(st.st_mode) || !st.st_size) { ck_free(fn); @@ -1749,7 +1788,7 @@ check_and_sort: -/* maybe_add_auto()的辅助函数 */ +/* Helper function for maybe_add_auto() */ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { @@ -1759,24 +1798,24 @@ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { } -/* 也许可以加上自动附加功能 */ +/* Maybe add automatic extra. */ static void maybe_add_auto(u8* mem, u32 len) { u32 i; - /* 允许用户指定他们不需要自动字典 */ + /* Allow users to specify that they don't want auto dictionaries. */ if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return; - /* 跳过相同字节的运行 */ + /* Skip runs of identical bytes. */ for (i = 1; i < len; i++) if (mem[0] ^ mem[i]) break; if (i == len) return; - /* 拒绝内置有趣的值 */ + /* Reject builtin interesting values. */ if (len == 2) { @@ -1798,7 +1837,9 @@ static void maybe_add_auto(u8* mem, u32 len) { } - /* 拒绝任何与现有额外内容匹配的条目。进行不区分大小写的匹配。我们通过利用extras[]按大小排序的事实来优化这个过程。 */ + /* Reject anything that matches existing extras. Do a case-insensitive + match. We optimize by exploiting the fact that extras[] are sorted + by size. */ for (i = 0; i < extras_cnt; i++) if (extras[i].len >= len) break; @@ -1806,7 +1847,8 @@ static void maybe_add_auto(u8* mem, u32 len) { for (; i < extras_cnt && extras[i].len == len; i++) if (!memcmp_nocase(extras[i].data, mem, len)) return; - /* 最后但同样重要的是,检查 a_extras[] 中是否有匹配项。没有保证特定的排序顺序。 */ + /* Last but not least, check a_extras[] for matches. There are no + guarantees of a particular sort order. */ auto_changed = 1; @@ -1821,8 +1863,9 @@ static void maybe_add_auto(u8* mem, u32 len) { } - /* 在这一点上,看起来我们正在处理一个新的条目。所以,如果有空间的话, - 让我们把它追加上去。否则,让我们从列表的下半部分随机驱逐其他某个条目。 */ + /* At this point, looks like we're dealing with a new entry. So, let's + append it if we have room. Otherwise, let's randomly evict some other + entry from the bottom half of the list. */ if (a_extras_cnt < MAX_AUTO_EXTRAS) { @@ -1848,12 +1891,12 @@ static void maybe_add_auto(u8* mem, u32 len) { sort_a_extras: - /* 首先,按使用次数降序对所有自动附加项进行排序 */ + /* First, sort all auto extras by use count, descending order. */ qsort(a_extras, a_extras_cnt, sizeof(struct extra_data), compare_extras_use_d); - /* 然后,按大小对最上面的USE_AUTO_EXTRAS条目进行排序 */ + /* Then, sort the top USE_AUTO_EXTRAS entries by size. */ qsort(a_extras, MIN(USE_AUTO_EXTRAS, a_extras_cnt), sizeof(struct extra_data), compare_extras_len); @@ -1861,7 +1904,7 @@ sort_a_extras: } -/* 保存自动生成的附加内容 */ +/* Save automatically generated extras. */ static void save_auto(void) { @@ -1889,7 +1932,7 @@ static void save_auto(void) { } -/* 加载自动生成的附加内容 */ +/* Load automatically generated extras. */ static void load_auto(void) { @@ -1911,7 +1954,8 @@ static void load_auto(void) { } - /* 我们多读了一个字节,以低成本检测过长的标记(并跳过它们) */ + /* We read one byte more to cheaply detect tokens that are too + long (and skip them). */ len = read(fd, tmp, MAX_AUTO_EXTRA + 1); @@ -1931,7 +1975,7 @@ static void load_auto(void) { } -/* 销毁额外的数据 */ +/* Destroy extras. */ static void destroy_extras(void) { @@ -1950,12 +1994,13 @@ static void destroy_extras(void) { } -/* 启动fork服务器(仅在插桩模式下)。这个想法在这里有解释: +/* Spin up fork server (instrumented mode only). The idea is explained here: -http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html + http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html -本质上,插桩允许我们跳过execve(),只需持续克隆一个已停止的子进程。 -因此,我们只需要执行一次,然后通过管道发送命令。这部分逻辑的另一部分在afl-as.h中。 */ + In essence, the instrumentation allows us to skip execve(), and just keep + cloning a stopped child. So, we just execute once, and then send commands + through a pipe. The other part of this logic is in afl-as.h. */ EXP_ST void init_forkserver(char** argv) { @@ -1976,12 +2021,13 @@ EXP_ST void init_forkserver(char** argv) { struct rlimit r; - /* 在OpenBSD上,默认的文件描述符(fd)限制对于root用户设置为软限制128。让我们尝试修复这个问题... */ + /* Umpf. On OpenBSD, the default fd limit for root users is set to + soft 128. Let's try to fix that... */ if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { r.rlim_cur = FORKSRV_FD + 2; - setrlimit(RLIMIT_NOFILE, &r); /* 忽略错误 */ + setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ } @@ -1991,12 +2037,13 @@ EXP_ST void init_forkserver(char** argv) { #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* 忽略错误 */ + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ #else - /* 这考虑到了OpenBSD,它没有RLIMIT_AS,但根据可靠来源, - RLIMIT_DATA涵盖了匿名映射——因此我们应该能够很好地防止内存溢出(OOM)错误。 */ + /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but + according to reliable sources, RLIMIT_DATA covers anonymous + maps - so we should be getting good protection against OOM bugs. */ setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ @@ -2005,13 +2052,15 @@ EXP_ST void init_forkserver(char** argv) { } - /* 转储核心(core dumping)是缓慢的,如果在转储完成之前发送了SIGKILL信号,可能会导致异常。 */ + /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered + before the dump is complete. */ r.rlim_max = r.rlim_cur = 0; setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - /* 隔离进程并配置标准描述符。如果指定了out_file,那么stdin就是/dev/null;否则,会克隆out_fd。*/ + /* Isolate the process and configure standard descriptors. If out_file is + specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ setsid(); @@ -2029,7 +2078,7 @@ EXP_ST void init_forkserver(char** argv) { } - /* 建立控制和状态管道,关闭不需要的原始文件。 */ + /* Set up control and status pipes, close the unneeded original fds. */ if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); @@ -2044,19 +2093,20 @@ EXP_ST void init_forkserver(char** argv) { close(dev_urandom_fd); close(fileno(plot_file)); - /* 这应该会稍微提高性能,因为它阻止了链接器在fork()之后进行额外的工作。 */ + /* This should improve performance a bit, since it stops the linker from + doing extra work post-fork(). */ if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); - /* 如果没有其他指定,则为ASAN设置相同的默认值。 */ + /* Set sane defaults for ASAN if nothing else specified. */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" "symbolize=0:" "allocator_may_return_null=1", 0); - /* MSAN(MemorySanitizer)有点棘手,因为目前它不支持abort_on_error=1这个选项。 - 因此,我们用一种非常hacky(即临时、不正规)的方式来实现这一点。 */ + /* MSAN is tricky, because it doesn't support abort_on_error=1 at this + point. So, we do this in a very hacky way. */ setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" "symbolize=0:" @@ -2066,14 +2116,15 @@ EXP_ST void init_forkserver(char** argv) { execv(target_path, argv); - /* 使用一个独特的位图签名来告诉父进程execv()调用已经成功执行。*/ + /* Use a distinctive bitmap signature to tell the parent about execv() + falling through. */ *(u32*)trace_bits = EXEC_FAIL_SIG; exit(0); } - /* 关闭不需要的端点 */ + /* Close the unneeded endpoints. */ close(ctl_pipe[0]); close(st_pipe[1]); @@ -2081,7 +2132,7 @@ EXP_ST void init_forkserver(char** argv) { fsrv_ctl_fd = ctl_pipe[1]; fsrv_st_fd = st_pipe[0]; - /* 等待分叉服务器启动,但不要等待太久 */ + /* Wait for the fork server to come up, but don't wait too long. */ it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000); it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; @@ -2095,7 +2146,8 @@ EXP_ST void init_forkserver(char** argv) { setitimer(ITIMER_REAL, &it, NULL); - /* 如果我们从服务器收到了一个四字节的'hello'消息,那么一切就绪。否则,尝试弄清楚出了什么问题。 */ + /* If we have a four-byte "hello" message from the server, we're all set. + Otherwise, try to figure out what went wrong. */ if (rlen == 4) { OKF("All right - fork server is up."); @@ -2232,7 +2284,8 @@ EXP_ST void init_forkserver(char** argv) { } -/* 执行目标应用程序,监控超时情况。返回状态信息。被调用的程序将更新trace_bits[] */ +/* Execute target application, monitoring for timeouts. Return status + information. The called program will update trace_bits[]. */ static u8 run_target(char** argv, u32 timeout) { @@ -2245,13 +2298,17 @@ static u8 run_target(char** argv, u32 timeout) { child_timed_out = 0; - /* 在这次memset之后,trace_bits[]实际上变成了易失性的,因此我们必须阻止任何早期操作进入该领域。 */ + /* After this memset, trace_bits[] are effectively volatile, so we + must prevent any earlier operations from venturing into that + territory. */ memset(trace_bits, 0, MAP_SIZE); MEM_BARRIER(); - /* 如果我们在‘dump’模式下运行,我们不能依赖于目标程序中编译的fork服务器逻辑,所以我们将不断调用execve()。 - 这里的代码和init_forkserver()之间有一些重复,但这就是生活。 */ + /* If we're running in "dumb" mode, we can't rely on the fork server + logic compiled into the target program, so we will just keep calling + execve(). There is a bit of code duplication between here and + init_forkserver(), but c'est la vie. */ if (dumb_mode == 1 || no_forkserver) { @@ -2269,11 +2326,11 @@ static u8 run_target(char** argv, u32 timeout) { #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* 忽略错误 */ + setrlimit(RLIMIT_AS, &r); /* Ignore errors */ #else - setrlimit(RLIMIT_DATA, &r); /* 忽略错误 */ + setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ #endif /* ^RLIMIT_AS */ @@ -2281,9 +2338,10 @@ static u8 run_target(char** argv, u32 timeout) { r.rlim_max = r.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &r); /* 忽略错误 */ + setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - /* 隔离进程并配置标准描述符。如果指定了out_file,那么stdin就是/dev/null;否则,将克隆out_fd。 */ + /* Isolate the process and configure standard descriptors. If out_file is + specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ setsid(); @@ -2301,14 +2359,14 @@ static u8 run_target(char** argv, u32 timeout) { } - /* 在Linux上,使用O_CLOEXEC会更快。也许TODO */ + /* On Linux, would be faster to use O_CLOEXEC. Maybe TODO. */ close(dev_null_fd); close(out_dir_fd); close(dev_urandom_fd); close(fileno(plot_file)); - /* 如果没有其他指定,则为ASAN设置相同的默认值 */ + /* Set sane defaults for ASAN if nothing else specified. */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" @@ -2321,7 +2379,8 @@ static u8 run_target(char** argv, u32 timeout) { execv(target_path, argv); - /* 使用一个独特的位图值来告知父进程execv()调用已经顺利执行 */ + /* Use a distinctive bitmap value to tell the parent about execv() + falling through. */ *(u32*)trace_bits = EXEC_FAIL_SIG; exit(0); @@ -2332,7 +2391,8 @@ static u8 run_target(char** argv, u32 timeout) { s32 res; - /* 在non-dump模式下,我们的fork服务器正在运行,所以只需告诉它开始执行,然后读取返回的PID。 */ + /* In non-dumb mode, we have the fork server up and running, so simply + tell it to have at it, and then read back PID. */ if ((res = write(fsrv_ctl_fd, &prev_timed_out, 4)) != 4) { @@ -2352,14 +2412,14 @@ static u8 run_target(char** argv, u32 timeout) { } - /* 根据用户的要求配置超时,然后等待子进程终止 */ + /* Configure timeout, as requested by user, then wait for child to terminate. */ it.it_value.tv_sec = (timeout / 1000); it.it_value.tv_usec = (timeout % 1000) * 1000; setitimer(ITIMER_REAL, &it, NULL); - /* SIGALRM处理程序只是终止child_pid并设置child_timed_out */ + /* The SIGALRM handler simply kills the child_pid and sets child_timed_out. */ if (dumb_mode == 1 || no_forkserver) { @@ -2378,38 +2438,39 @@ static u8 run_target(char** argv, u32 timeout) { } - if (!WIFSTOPPED(status)) child_pid = 0; + if (!WIFSTOPPED(status)) child_pid = 0;//这行代码检查子进程的状态。如果子进程没有被停止(即没有收到停止信号),则将child_pid变量设置为0。这通常意味着子进程已经完成执行。 - getitimer(ITIMER_REAL, &it); + getitimer(ITIMER_REAL, &it);//这行代码获取当前的实时定时器(ITIMER_REAL)的剩余时间,并将其存储在it结构体中。 exec_ms = (u64) timeout - (it.it_value.tv_sec * 1000 + it.it_value.tv_usec / 1000); - +//这行代码计算被测试程序的实际执行时间。它从预设的超时时间timeout中减去定时器剩余的时间(转换成毫秒)。这个值被存储在exec_ms中,代表执行时间,单位是毫秒。 it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0; + it.it_value.tv_usec = 0;//定时器置零 - setitimer(ITIMER_REAL, &it, NULL); + setitimer(ITIMER_REAL, &it, NULL);//设置实时定时器,使用上面设置的0值,这意味着定时器被禁用,不会再产生超时信号。 total_execs++; - /* 编译器不能将对trace_bits的任何后续操作移动到这一点以下。 - 在这个位置之后,trace_bits[]表现得非常正常,不需要被当作易失性的处理。 */ + /* Any subsequent operations on trace_bits must not be moved by the + compiler below this point. Past this location, trace_bits[] behave + very normally and do not have to be treated as volatile. */ - MEM_BARRIER(); + MEM_BARRIER();//这是一个内存屏障函数,确保前面的操作不会被编译器重排到后面的操作之后。这对于多线程程序中的内存访问顺序很重要。 - tb4 = *(u32*)trace_bits; + tb4 = *(u32*)trace_bits;//这行代码将trace_bits(一个用于记录被测试程序执行路径的位图数组)的前4个字节的内容读取到一个无符号32位整数tb4中。这个值可能用于后续的分析,以确定被测试程序的执行路径是否产生了新的覆盖 #ifdef WORD_SIZE_64 classify_counts((u64*)trace_bits); #else classify_counts((u32*)trace_bits); #endif /* ^WORD_SIZE_64 */ - +//这部分代码使用宏WORD_SIZE_64来确定系统是64位还是32位。根据系统的字长,它将trace_bits转换为相应的指针类型(u64*或u32*),并调用classify_counts函数。这个函数可能用于对trace_bits中的计数数据进行分类或简化。 prev_timed_out = child_timed_out; - /* 向调用者报告结果 */ + /* Report outcome to caller. */ if (WIFSIGNALED(status) && !stop_soon) { - +//这部分代码检查子进程是否因信号而终止。如果子进程因超时被杀死(SIGKILL),则返回FAULT_TMOUT。否则,返回FAULT_CRASH表示子进程崩溃。 kill_signal = WTERMSIG(status); if (child_timed_out && kill_signal == SIGKILL) return FAULT_TMOUT; @@ -2418,18 +2479,23 @@ static u8 run_target(char** argv, u32 timeout) { } - /* 这是针对MSAN的一个有点恶劣的hack,因为MSAN不支持abort_on_error,必须使用一个特殊的退出代码。 */ + /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and + must use a special exit code. */ if (uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { + //对于使用地址sanitizer(ASAN)的程序,如果退出状态表明发生了内存错误(MSAN_ERROR),则返回FAULT_CRASH kill_signal = 0; return FAULT_CRASH; } if ((dumb_mode == 1 || no_forkserver) && tb4 == EXEC_FAIL_SIG) + //如果运行在“dumb”模式或没有使用fork服务器,且tb4的值表明执行失败,则返回FAULT_ERROR。 return FAULT_ERROR; - /* 只有在测试用例在用户定义的超时下运行时,才有必要只考虑最慢的单元 */ + /* It makes sense to account for the slowest units only if the testcase was run + under the user defined timeout. */ if (!(timeout > exec_tmout) && (slowest_exec_ms < exec_ms)) { + //如果测试用例在用户定义的超时时间内运行,并且其执行时间是目前为止最慢的,则更新slowest_exec_ms。 slowest_exec_ms = exec_ms; } @@ -2438,14 +2504,16 @@ static u8 run_target(char** argv, u32 timeout) { } -/* 将修改后的数据写入文件以进行测试。如果设置了out_file,旧文件将被解除链接,并创建一个新的文件。否则,out_fd将被回卷并截断。 */ +/* Write modified data to file for testing. If out_file is set, the old file + is unlinked and a new one is created. Otherwise, out_fd is rewound and + truncated. */ static void write_to_testcase(void* mem, u32 len) { s32 fd = out_fd; if (out_file) { - +//如果指定了输出文件名(out_file),则删除旧文件并创建一个新文件。否则,将文件描述符的位置设置为文件开头。 unlink(out_file); /* Ignore errors. */ fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); @@ -2453,7 +2521,7 @@ static void write_to_testcase(void* mem, u32 len) { if (fd < 0) PFATAL("Unable to create '%s'", out_file); } else lseek(fd, 0, SEEK_SET); - +//如果没有指定输出文件名,则截断文件到指定长度并重置文件位置。如果指定了输出文件名,则关闭文件描述符。 ck_write(fd, mem, len, out_file); if (!out_file) { @@ -2466,15 +2534,15 @@ static void write_to_testcase(void* mem, u32 len) { } -/* 相同的,但有一个可调节的间隙。用于修剪。 */ +/* The same, but with an adjustable gap. Used for trimming. */ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { - +//这个函数类似于write_to_testcase,但允许在文件中跳过一段数据(skip_at和skip_len)。 s32 fd = out_fd; u32 tail_len = len - skip_at - skip_len; if (out_file) { - +//如果指定了输出文件名,则删除旧文件并创建一个新文件。否则,将文件描述符的位置设置为文件开头。 unlink(out_file); /* Ignore errors. */ fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); @@ -2485,10 +2553,10 @@ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { if (skip_at) ck_write(fd, mem, skip_at, out_file); - if (tail_len) ck_write(fd, mem + skip_at + skip_len, tail_len, out_file); + if (tail_len) ck_write(fd, mem + skip_at + skip_len, tail_len, out_file);//写入跳过部分之后的数据 if (!out_file) { - +//如果没有指定输出文件名,则截断文件到指定长度并重置文件位置。如果指定了输出文件名,则关闭文件描述符。 if (ftruncate(fd, len - skip_len)) PFATAL("ftruncate() failed"); lseek(fd, 0, SEEK_SET); @@ -2499,8 +2567,12 @@ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { static void show_stats(void); -/* 校准一个新的测试用例。这在处理输入目录时完成,目的是为了提早警告 -关于不稳定或其他有问题的测试用例;以及在发现新路径时,用于检测可变行为等。 */ +/* Calibrate a new test case. This is done when processing the input directory + to warn about flaky or otherwise problematic test cases early on; and when + new paths are discovered to detect variable behavior and so on. */ +//start_us, stop_us; + +//保存了一些旧的状态值,以便在函数执行完毕后恢复。 static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, u32 handicap, u8 from_queue) { @@ -2516,63 +2588,67 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, u32 use_tmout = exec_tmout; u8* old_sn = stage_name; - /* 在恢复会话或尝试校准已经添加的发现时,对超时更加宽容一些。 - 这有助于避免由于间歇性延迟引起的问题。 */ - + /* Be a bit more generous about timeouts when resuming sessions, or when + trying to calibrate already-added finds. This helps avoid trouble due + to intermittent latency. */ +//如果是在恢复会话或校准已经添加的测试用例时,会放宽超时限制。 if (!from_queue || resuming_fuzz) use_tmout = MAX(exec_tmout + CAL_TMOUT_ADD, exec_tmout * CAL_TMOUT_PERC / 100); q->cal_failed++; - +//设置当前阶段为“calibration”,并根据是否快速校准设置阶段最大值。 stage_name = "calibration"; stage_max = fast_cal ? 3 : CAL_CYCLES; - /* 在我们做任何事情之前,确保fork服务器已经启动,并且我们不将其启动时间计入二进制校准。 */ - + /* Make sure the forkserver is up before we do anything, and let's not + count its spin-up time toward binary calibration. */ +//如果没有运行在“dumb”模式,并且没有使用fork服务器,那么初始化fork服务器。 if (dumb_mode != 1 && !no_forkserver && !forksrv_pid) init_forkserver(argv); if (q->exec_cksum) { - +//如果队列条目已经有执行校验和,那么将第一次执行的trace bits复制到first_trace。 memcpy(first_trace, trace_bits, MAP_SIZE); hnb = has_new_bits(virgin_bits); if (hnb > new_bits) new_bits = hnb; } - start_us = get_cur_time_us(); + start_us = get_cur_time_us();//计时 for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { u32 cksum; if (!first_run && !(stage_cur % stats_update_freq)) show_stats(); +//如果不是第一次运行并且到了更新频率,显示统计信息。 + write_to_testcase(use_mem, q->len);//将测试用例数据写入文件。 - write_to_testcase(use_mem, q->len); - - fault = run_target(argv, use_tmout); + fault = run_target(argv, use_tmout);//运行目标程序并获取执行结果。 - /* 如果按下Ctrl+C,stop_soon会被设置,我们希望快速退出。 */ + /* stop_soon is set by the handler for Ctrl+C. When it's pressed, + we want to bail out quickly. */ - if (stop_soon || fault != crash_mode) goto abort_calibration; + if (stop_soon || fault != crash_mode) goto abort_calibration;//如果用户请求停止或者执行结果不是崩溃模式,则跳到校准中止。 if (!dumb_mode && !stage_cur && !count_bytes(trace_bits)) { + //如果不是“dumb”模式,并且是第一次校准,并且没有新的代码覆盖,则设置错误为FAULT_NOINST并跳到校准中止。 fault = FAULT_NOINST; goto abort_calibration; } - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);//计算当前trace bits的哈希值,并与队列条目的执行校验和比较。 if (q->exec_cksum != cksum) { - +//如果有新的bits被设置,则更新new_bits。 hnb = has_new_bits(virgin_bits); if (hnb > new_bits) new_bits = hnb; - if (q->exec_cksum) { + if (q->exec_cksum) {//如果队列条目之前有执行校验和,则检查变量字节。 u32 i; - + //对于每个不同的字节,将其标记为变量字节,并增加校准周期。 for (i = 0; i < MAP_SIZE; i++) { if (!var_bytes[i] && first_trace[i] != trace_bits[i]) { @@ -2585,7 +2661,7 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, } var_detected = 1; - + //如果队列条目之前没有执行校验和,则更新其执行校验和并复制当前trace bits。 } else { q->exec_cksum = cksum; @@ -2599,38 +2675,39 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, stop_us = get_cur_time_us(); - total_cal_us += stop_us - start_us; + total_cal_us += stop_us - start_us;//更新总校准时间和周期。 total_cal_cycles += stage_max; - /* 好的,我们来收集一些关于这个测试用例性能的统计数据。 - 这将用于在calculate_score()中计算模糊测试的时间。 */ - + /* OK, let's collect some stats about the performance of this test case. + This is used for fuzzing air time calculations in calculate_score(). */ +//更新队列条目的执行时间、位图大小和校准失败计数。 q->exec_us = (stop_us - start_us) / stage_max; q->bitmap_size = count_bytes(trace_bits); q->handicap = handicap; q->cal_failed = 0; - total_bitmap_size += q->bitmap_size; + total_bitmap_size += q->bitmap_size;//更新总位图大小和条目数 total_bitmap_entries++; update_bitmap_score(q); - /* 如果这个案例没有产生新的来自插桩的输出,告诉父进程。 - 这是一个非关键性问题,但值得警告用户。 */ + /* If this case didn't result in new output from the instrumentation, tell + parent. This is a non-critical problem, but something to warn the user + about. */ if (!dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; abort_calibration: - +//如果有新的bits被设置并且队列条目之前没有新覆盖,则更新队列条目的新覆盖标志。 if (new_bits == 2 && !q->has_new_cov) { q->has_new_cov = 1; queued_with_cov++; } - /* 标记可变路径。 */ + /* Mark variable paths. */ if (var_detected) { - +//如果检测到变量行为,则标记队列条目。 var_byte_count = count_bytes(var_bytes); if (!q->var_behavior) { @@ -2639,22 +2716,27 @@ abort_calibration: } } - +//恢复旧的状态值。 stage_name = old_sn; stage_cur = old_sc; stage_max = old_sm; - if (!first_run) show_stats(); + if (!first_run) show_stats();//如果校准中止,则跳到函数末尾。 return fault; } -/* 检查地图覆盖率。为第一个测试用例调用一次。 */ +/* Examine map coverage. Called once, for first test case. */ static void check_map_coverage(void) { - +/* +这个函数检查映射覆盖率是否足够。如果映射中被设置的字节数少于100,则函数直接返回。 +然后,它检查映射的后半部分是否有任何被设置的位。如果没有,这意味着测试用例只触发了 +映射的前半部分,这可能意味着二进制文件需要重新编译以获得更好的覆盖率。在这种情况下 +,它会打印一条警告消息。 +*/ u32 i; if (count_bytes(trace_bits) < 100) return; @@ -2667,7 +2749,8 @@ static void check_map_coverage(void) { } -/* 对所有测试用例执行一次不实际执行的预运行,以确认应用程序按预期工作。这只针对初始输入进行,并且只执行一次。 */ +/* Perform dry run of all test cases to confirm that the app is working as + expected. This is done only for the initial inputs, and only once. */ static void perform_dry_run(char** argv) { @@ -2682,20 +2765,20 @@ static void perform_dry_run(char** argv) { s32 fd; u8* fn = strrchr(q->fname, '/') + 1; - +//打开并读取测试用例文件。 ACTF("Attempting dry run with '%s'...", fn); fd = open(q->fname, O_RDONLY); if (fd < 0) PFATAL("Unable to open '%s'", q->fname); - use_mem = ck_alloc_nozero(q->len); + use_mem = ck_alloc_nozero(q->len);////分配内存并读取测试用例数据。 if (read(fd, use_mem, q->len) != q->len) FATAL("Short read from '%s'", q->fname); close(fd); - res = calibrate_case(argv, q, use_mem, 0, 1); + res = calibrate_case(argv, q, use_mem, 0, 1);//调用calibrate_case函数来校准测试用例。 ck_free(use_mem); if (stop_soon) return; @@ -2718,7 +2801,9 @@ static void perform_dry_run(char** argv) { if (timeout_given) { - /* 命令行中的 -t nn+ 语法将 timeout_given 设置为 '2',并且指示 afl-fuzz 容忍但跳过超时的队列条目。 */ + /* The -t nn+ syntax in the command line sets timeout_given to '2' and + instructs afl-fuzz to tolerate but skip queue entries that time + out. */ if (timeout_given > 1) { WARNF("Test case results in a timeout (skipping)"); @@ -2776,6 +2861,15 @@ static void perform_dry_run(char** argv) { " it to die due to OOM when parsing valid files. To fix this, try\n" " bumping it up with the -m setting in the command line. If in doubt,\n" " try something along the lines of:\n\n" +/* +根据校准结果,执行不同的操作: + + 如果测试用例没有引起崩溃,并且不是在寻找崩溃的模式下运行,则检查映射覆盖率。 + 如果测试用例导致超时,根据timeout_given变量的值,可能跳过该测试用例或报告错误。 + 如果测试用例导致崩溃,根据crash_mode变量的值和环境变量AFL_SKIP_CRASHES,可能跳过该测试用例或报告错误。 + +*/ + #ifdef RLIMIT_AS " ( ulimit -Sv $[%llu << 10]; /path/to/binary [...] fname; else rsl++; - /* 如果原始文件名符合语法,并且记录的ID与我们要分配的ID匹配,就直接使用原始文件名。这对于恢复模糊测试运行非常有价值。 */ + /* If the original file name conforms to the syntax and the recorded + ID matches the one we'd assign, just use the original file name. + This is valuable for resuming fuzzing runs. */ #ifndef SIMPLE_FILES # define CASE_PREFIX "id:" @@ -2934,7 +3031,8 @@ static void pivot_inputs(void) { resuming_fuzz = 1; nfn = alloc_printf("%s/queue/%s", out_dir, rsl); - /* 既然我们已经在做了,让我们也尝试找到父项,并确定这个条目的适当深度。 */ + /* Since we're at it, let's also try to find parent and figure out the + appropriate depth for this entry. */ src_str = strchr(rsl + 3, ':'); @@ -2950,7 +3048,8 @@ static void pivot_inputs(void) { } else { - /* 没有成功 - 创建一个新名字,并将原始名字作为子字符串包含在内。 */ + /* No dice - invent a new name, capturing the original one as a + substring. */ #ifndef SIMPLE_FILES @@ -2967,13 +3066,13 @@ static void pivot_inputs(void) { } - /* 转向新的队列条目。 */ + /* Pivot to the new queue entry. */ link_or_copy(q->fname, nfn); ck_free(q->fname); q->fname = nfn; - /* 确保passd_det值也被传递。 */ + /* Make sure that the passed_det value carries over, too. */ if (q->passed_det) mark_as_det_done(q); @@ -2989,7 +3088,8 @@ static void pivot_inputs(void) { #ifndef SIMPLE_FILES -/* 为新测试用例构造一个包含导致其被发现的操作的文件名。使用一个静态缓冲区。 */ +/* Construct a file name for a new test case, capturing the operation + that led to its discovery. Uses a static buffer. */ static u8* describe_op(u8 hnb) { @@ -3030,7 +3130,7 @@ static u8* describe_op(u8 hnb) { #endif /* !SIMPLE_FILES */ -/* 为崩溃目录写一个伴随消息:-) */ +/* Write a message accompanying the crash directory :-) */ static void write_crash_readme(void) { @@ -3041,7 +3141,7 @@ static void write_crash_readme(void) { fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); ck_free(fn); - /* 不要死于错误——那是不礼貌的 */ + /* Do not die on errors here - that would be impolite. */ if (fd < 0) return; @@ -3077,8 +3177,9 @@ static void write_crash_readme(void) { } -/* 检查在常规模糊测试期间的execve()结果是否有趣,如果有趣,则保存 -或将输入测试用例排队以进行进一步分析。如果条目被保存,则返回1,否则返回0。 */ +/* Check if the result of an execve() during routine fuzzing is interesting, + save or queue the input test case for further analysis if so. Returns 1 if + entry is saved, 0 otherwise. */ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { @@ -3089,7 +3190,8 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { if (fault == crash_mode) { - /* 仅当映射中有新的位时才保留,将其添加到队列中以供将来的模糊测试等。 */ + /* Keep only if there are new bits in the map, add to queue for + future fuzzing, etc. */ if (!(hnb = has_new_bits(virgin_bits))) { if (crash_mode) total_crashes++; @@ -3116,7 +3218,8 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { queue_top->exec_cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - /* 尝试进行内联校准;成功时也会调用update_bitmap_score()。 */ + /* Try to calibrate inline; this also calls update_bitmap_score() when + successful. */ res = calibrate_case(argv, queue_top, mem, queue_cycle - 1, 0); @@ -3136,8 +3239,10 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { case FAULT_TMOUT: - /* 超时并不是很有趣的情况,但我们仍然需要保留一些样本。我们使用在特定挂起的 - 位图中出现的新位作为独特性的信号。在“哑”模式下,我们只是保留所有内容。 */ + /* Timeouts are not very interesting, but we're still obliged to keep + a handful of samples. We use the presence of new bits in the + hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we + just keep everything. */ total_tmouts++; @@ -3157,7 +3262,9 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { unique_tmouts++; - /* 在保存之前,我们通过使用更宽裕的超时时间重新运行目标程序来确保这是一个真正的挂起(除非默认的超时时间已经足够宽裕)。*/ + /* Before saving, we make sure that it's a genuine hang by re-running + the target with a more generous timeout (unless the default timeout + is already generous). */ if (exec_tmout < hang_tmout) { @@ -3165,7 +3272,9 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { write_to_testcase(mem, len); new_fault = run_target(argv, hang_tmout); - /* 一个用户报告的特殊情况:增加超时时间实际上揭示了一个崩溃。确保如果出现这种情况,我们不会丢弃它。 */ + /* A corner case that one user reported bumping into: increasing the + timeout actually uncovers a crash. Make sure we don't discard it if + so. */ if (!stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; @@ -3195,7 +3304,9 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { keep_as_crash: - /* 这与处理超时的方式大致相似,只是限制略有不同,并且不需要重新运行测试用例。 */ + /* This is handled in a manner roughly similar to timeouts, + except for slightly different limits and no need to re-run test + cases. */ total_crashes++; @@ -3240,7 +3351,8 @@ keep_as_crash: } - /* 如果我们在这里,显然我们也想要保存崩溃或挂起的测试用例。 */ + /* If we're here, we apparently want to save the crash or hang + test case, too. */ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); if (fd < 0) PFATAL("Unable to create '%s'", fn); @@ -3254,11 +3366,12 @@ keep_as_crash: } -/* 在恢复时,尝试找到开始的队列位置。这只在恢复时有意义,并且当我们能找到原始的fuzzer_stats时。 */ +/* When resuming, try to find the queue position to start from. This makes sense + only when resuming, and when we can find the original fuzzer_stats. */ static u32 find_start_position(void) { - static u8 tmp[4096]; /* 对任何人来说都足够了 */ + static u8 tmp[4096]; /* Ought to be enough for anybody. */ u8 *fn, *off; s32 fd, i; @@ -3287,11 +3400,13 @@ static u32 find_start_position(void) { } -/* 同样,但针对超时情况。想法是在没有给定-t参数的情况下恢复会话时,我们不想一遍又一遍地自动调整超时时间,以防止它因为随机的异常而不断增长。 */ +/* The same, but for timeouts. The idea is that when resuming sessions without + -t given, we don't want to keep auto-scaling the timeout over and over + again to prevent it from growing due to random flukes. */ static void find_timeout(void) { - static u8 tmp[4096]; /* 对任何人来说都足够了 */ + static u8 tmp[4096]; /* Ought to be enough for anybody. */ u8 *fn, *off; s32 fd, i; @@ -3322,7 +3437,7 @@ static void find_timeout(void) { } -/* 更新无人值守监控的统计文件 */ +/* Update stats file for unattended monitoring. */ static void write_stats_file(double bitmap_cvg, double stability, double eps) { @@ -3343,7 +3458,8 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { if (!f) PFATAL("fdopen() failed"); - /* 保留最后的值,以防我们被调用到另一个上下文中,那里每秒执行次数的统计数据等并不立即可用。 */ + /* Keep last values in case we're called from another context + where exec/sec stats and such are not readily available. */ if (!bitmap_cvg && !stability && !eps) { bitmap_cvg = last_bcvg; @@ -3366,7 +3482,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { "paths_found : %u\n" "paths_imported : %u\n" "max_depth : %u\n" - "cur_path : %u\n" /* 必须匹配find_start_position() */ + "cur_path : %u\n" /* Must match find_start_position() */ "pending_favs : %u\n" "pending_total : %u\n" "variable_paths : %u\n" @@ -3378,7 +3494,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { "last_crash : %llu\n" "last_hang : %llu\n" "execs_since_crash : %llu\n" - "exec_timeout : %u\n" /* 必须匹配find_timeout() */ + "exec_timeout : %u\n" /* Must match find_timeout() */ "afl_banner : %s\n" "afl_version : " VERSION "\n" "target_mode : %s%s%s%s%s%s%s\n" @@ -3400,7 +3516,9 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { orig_cmdline, slowest_exec_ms); /* ignore errors */ - /* 从子进程中获取rss值。在调用getrusage之前,我们必须已经杀死了fork服务器进程并调用了waitpid。 */ + /* Get rss value from the children + We must have killed the forkserver process and called waitpid + before calling getrusage */ if (getrusage(RUSAGE_CHILDREN, &usage)) { WARNF("getrusage failed"); } else if (usage.ru_maxrss == 0) { @@ -3418,7 +3536,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { } -/* 如果有必要,请更新情节文件。 */ +/* Update the plot file if there is a reason to. */ static void maybe_update_plot_file(double bitmap_cvg, double eps) { @@ -3439,7 +3557,7 @@ static void maybe_update_plot_file(double bitmap_cvg, double eps) { prev_uh = unique_hangs; prev_md = max_depth; - /* 文件中的字段包括:: + /* Fields in the file: unix_time, cycles_done, cur_path, paths_total, paths_not_fuzzed, favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, @@ -3457,7 +3575,8 @@ static void maybe_update_plot_file(double bitmap_cvg, double eps) { -/* maybe_delete_out_dir()的辅助函数,用于删除目录中所有具有特定前缀的文件 */ +/* A helper function for maybe_delete_out_dir(), deleting all prefixed + files in a directory. */ static u8 delete_files(u8* path, u8* prefix) { @@ -3488,7 +3607,7 @@ static u8 delete_files(u8* path, u8* prefix) { } -/* 通过一些简单的平滑,获得可运行进程的数量。 */ +/* Get the number of runnable processes, with some simple smoothing. */ static double get_runnable_processes(void) { @@ -3496,13 +3615,17 @@ static double get_runnable_processes(void) { #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - /*我没有看到任何可移植的sysctl命令或其他工具可以快速给出可运行进程的数量;不过,1分钟负载平均值可以作为一个半像样的近似值。 */ + /* I don't see any portable sysctl or so that would quickly give us the + number of runnable processes; the 1-minute load average can be a + semi-decent approximation, though. */ if (getloadavg(&res, 1) != 1) return 0; #else - /* 在Linux上,/proc/stat可能是最佳方式;负载平均值的计算方式有些奇特,有时不能很好地反映非常短暂的进程。 */ + /* On Linux, /proc/stat is probably the best way; load averages are + computed in funny ways and sometimes don't reflect extremely short-lived + processes well. */ FILE* f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -3537,7 +3660,7 @@ static double get_runnable_processes(void) { } -/* 删除用于就地恢复会话的临时目录。*/ +/* Delete the temporary directory used for in-place session resume. */ static void nuke_resume_dir(void) { @@ -3576,14 +3699,17 @@ dir_cleanup_failed: } -/* 如果识别输出目录为我们的,并且fuzzer当前没有在运行,以及上次运行时间不是很长,就删除fuzzer的输出目录。 */ +/* Delete fuzzer output directory if we recognize it as ours, if the fuzzer + is not currently running, and if the last run time isn't too great. */ static void maybe_delete_out_dir(void) { FILE* f; u8 *fn = alloc_printf("%s/fuzzer_stats", out_dir); - /* 检查输出目录是否被锁定。如果是,就退出。如果不是,创建一个在进程生命周期内持续存在的锁(这需要保持描述符打开)。*/ + /* See if the output directory is locked. If yes, bail out. If not, + create a lock that will persist for the lifetime of the process + (this requires leaving the descriptor open).*/ out_dir_fd = open(out_dir, O_RDONLY); if (out_dir_fd < 0) PFATAL("Unable to open '%s'", out_dir); @@ -3616,7 +3742,7 @@ static void maybe_delete_out_dir(void) { fclose(f); - /* 让我们看看有多少工作要做 */ + /* Let's see how much work is at stake. */ if (!in_place_resume && last_update - start_time > OUTPUT_GRACE * 60) { @@ -3638,9 +3764,11 @@ static void maybe_delete_out_dir(void) { ck_free(fn); - /* 就地恢复的想法非常简单:我们暂时将旧的queue/移动到一个新位置, - 一旦导入到新queue/完成,这个新位置就会被删除。如果_resume/已经存在, - 当前的queue/可能因为之前的中断而不完整,所以我们想使用旧的_resume/目录,我们让rename()默默失败。 */ + /* The idea for in-place resume is pretty simple: we temporarily move the old + queue/ to a new location that gets deleted once import to the new queue/ + is finished. If _resume/ already exists, the current queue/ may be + incomplete due to an earlier abort, so we want to use the old _resume/ + dir instead, and we let rename() fail silently. */ if (in_place_resume) { @@ -3662,7 +3790,8 @@ static void maybe_delete_out_dir(void) { ACTF("Deleting old session data..."); - /* 好的,让我们开始吧!首先,如果存在,我们需要清除/.synced/.../id:*中的条目。 */ + /* Okay, let's get the ball rolling! First, we need to get rid of the entries + in /.synced/.../id:*, if any are present. */ if (!in_place_resume) { @@ -3672,7 +3801,7 @@ static void maybe_delete_out_dir(void) { } - /* 接下来,我们需要清理 /queue/.state/ 子目录: */ + /* Next, we need to clean up /queue/.state/ subdirectories: */ fn = alloc_printf("%s/queue/.state/deterministic_done", out_dir); if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; @@ -3690,7 +3819,8 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* 然后,删除 .state 子目录本身(现在应该已经为空),以及所有匹配 /queue/id:* 的内容。 */ + /* Then, get rid of the .state subdirectory itself (should be empty by now) + and everything matching /queue/id:*. */ fn = alloc_printf("%s/queue/.state", out_dir); if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -3700,7 +3830,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* 好的,让我们处理 /crashes/id:* 和 /hangs/id:* */ + /* All right, let's do /crashes/id:* and /hangs/id:*. */ if (!in_place_resume) { @@ -3712,7 +3842,8 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/crashes", out_dir); - /* 如果在进行就地恢复,并且crashes目录不为空,则备份该目录。 */ + /* Make backup of the crashes directory if it's not empty and if we're + doing in-place resume. */ if (in_place_resume && rmdir(fn)) { @@ -3743,7 +3874,7 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/hangs", out_dir); - /* 备份也挂起了 */ + /* Backup hangs, too. */ if (in_place_resume && rmdir(fn)) { @@ -3772,7 +3903,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* 现在,做一些收尾工作 */ + /* And now, for some finishing touches. */ fn = alloc_printf("%s/.cur_input", out_dir); if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -3794,7 +3925,7 @@ static void maybe_delete_out_dir(void) { OKF("Output dir cleanup successful."); - /* 哇……就这些吗?如果是,那就庆祝吧! */ + /* Wow... is that all? If yes, celebrate! */ return; @@ -3817,7 +3948,8 @@ dir_cleanup_failed: static void check_term_size(void); -/* 一个时髦的复古统计屏幕!这在每stats_update_freq次execve()调用时被调用,以及在其他几种情况下。 */ +/* A spiffy retro stats screen! This is called every stats_update_freq + execve() calls, plus in several other circumstances. */ static void show_stats(void) { @@ -3833,15 +3965,15 @@ static void show_stats(void) { cur_ms = get_cur_time(); - /* 如果上次UI更新后没有经过足够的时间,就退出。 */ + /* If not enough time has passed since last UI update, bail out. */ if (cur_ms - last_ms < 1000 / UI_TARGET_HZ) return; - /* 检查我们是否过了10分钟。 */ + /* Check if we're past the 10 minute mark. */ if (cur_ms - start_time > 10 * 60 * 1000) run_over10m = 1; - /* 计算平滑执行速度统计。 */ + /* Calculate smoothed exec speed stats. */ if (!last_execs) { @@ -3852,7 +3984,8 @@ static void show_stats(void) { double cur_avg = ((double)(total_execs - last_execs)) * 1000 / (cur_ms - last_ms); - /* 如果速度有显著(超过5倍)的提升,那么更快速地重置指示器。 */ + /* If there is a dramatic (5x+) jump in speed, reset the indicator + more quickly. */ if (cur_avg * 5 < avg_exec || cur_avg / 5 > avg_exec) avg_exec = cur_avg; @@ -3865,12 +3998,12 @@ static void show_stats(void) { last_ms = cur_ms; last_execs = total_execs; - /* 告诉来电者何时与我们联系(以高管为衡量标准) */ + /* Tell the callers when to contact us (as measured in execs). */ stats_update_freq = avg_exec / (UI_TARGET_HZ * 10); if (!stats_update_freq) stats_update_freq = 1; - /* 做一些位图统计 */ + /* Do some bitmap stats. */ t_bytes = count_non_255_bytes(virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; @@ -3880,7 +4013,7 @@ static void show_stats(void) { else stab_ratio = 100; - /* 大约每分钟更新fuzzer统计数据并保存自动标记。 */ + /* Roughly every minute, update fuzzer stats and save auto tokens. */ if (cur_ms - last_stats_ms > STATS_UPDATE_SEC * 1000) { @@ -3891,7 +4024,7 @@ static void show_stats(void) { } - /* 每隔一段时间,写一些情节数据。 */ + /* Every now and then, write plot data. */ if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { @@ -3900,22 +4033,22 @@ static void show_stats(void) { } - /* 尊重AFL_EXIT_WHEN_DONE和AFL_BENCH_UNTIL_CRASH。 */ + /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ if (!dumb_mode && cycles_wo_finds > 100 && !pending_not_fuzzed && getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; - /* 如果我们不在TTY(终端)上,就退出。 */ + /* If we're not on TTY, bail out. */ if (not_on_tty) return; - /* 计算一些稍微有用的位图统计。 */ + /* Compute some mildly useful bitmap stats. */ t_bits = (MAP_SIZE << 3) - count_bits(virgin_bits); - /* 现在,对于视觉效果… */ + /* Now, for the visuals... */ if (clear_screen) { @@ -3937,7 +4070,7 @@ static void show_stats(void) { } - /* 让我们从绘制居中横幅开始。*/ + /* Let's start by drawing a centered banner. */ banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner); banner_pad = (80 - banner_len) / 2; @@ -3949,7 +4082,7 @@ static void show_stats(void) { SAYF("\n%s\n\n", tmp); - /* "Handy" 快捷键绘制框… */ + /* "Handy" shortcuts for drawing boxes... */ #define bSTG bSTART cGRA #define bH2 bH bH @@ -3974,17 +4107,17 @@ static void show_stats(void) { u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60; - /* 第一个排队周期:现在不要停下来! */ + /* First queue cycle: don't stop now! */ if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else - /* 在后续的测试周期中,但我们仍在发现新问题。 */ + /* Subsequent cycles, but we're still making finds. */ if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else - /* 很长一段时间没有发现,也没有测试用例可以尝试。 */ + /* No finds for a long time and no test cases to try. */ if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120) strcpy(tmp, cLGN); - /* 默认情况:谨慎地询问是否可以停止? */ + /* Default: cautiously OK to stop? */ else strcpy(tmp, cLBL); } @@ -3993,7 +4126,8 @@ static void show_stats(void) { " cycles done : %s%-5s " bSTG bV "\n", DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); - /* 我们想要警告人们,在完成一个完整周期后没有看到新路径的情况,除非是在恢复模糊测试或在非插桩模式下运行。 */ + /* We want to warn people about not seeing new paths after a full cycle, + except when resuming fuzzing or running in non-instrumented mode. */ if (!dumb_mode && (last_path_time || resuming_fuzz || queue_cycle == 1 || in_bitmap || crash_mode)) { @@ -4018,7 +4152,8 @@ static void show_stats(void) { SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", DI(queued_paths)); - /* 如果在发现崩溃时用红色高亮显示,并在超过KEEP_UNIQUE_CRASH限制时,在计数后追加一个'+'符号来表示。*/ + /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH + limit with a '+' appended to the count. */ sprintf(tmp, "%s%s", DI(unique_crashes), (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); @@ -4038,8 +4173,9 @@ static void show_stats(void) { SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH20 bHB bH bSTOP cCYA " map coverage " bSTG bH bHT bH20 bH2 bH bVL "\n"); - /* 这有点有趣,因为我们想要一起打印几个可变长度的变量,但随后又想将它们 - 塞进一个固定宽度的字段——所以我们需要先将它们放入一个临时缓冲区。*/ + /* This gets funny because we want to print several variable-length variables + together, but then cram them into a fixed-width field - so we need to + put them in a temporary buffer first. */ sprintf(tmp, "%s%s (%0.02f%%)", DI(current_entry), queue_cur->favored ? "" : "*", @@ -4069,7 +4205,7 @@ static void show_stats(void) { sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), ((double)queued_favored) * 100 / queued_paths); - /* 是的……它还在继续……帮忙? */ + /* Yeah... it's still going on... halp? */ SAYF(bV bSTOP " now trying : " cRST "%-21s " bSTG bV bSTOP " favored paths : " cRST "%-22s " bSTG bV "\n", stage_name, tmp); @@ -4109,7 +4245,7 @@ static void show_stats(void) { } - /* 显示关于缓慢执行的警告。 */ + /* Show a warning about slow execution. */ if (avg_exec < 100) { @@ -4130,7 +4266,7 @@ static void show_stats(void) { SAYF (bSTG bV bSTOP " total tmouts : " cRST "%-22s " bSTG bV "\n", tmp); - /* Aaaalmost那里……坚持住! */ + /* Aaaalmost there... hold on! */ SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bH bVL "\n"); @@ -4235,7 +4371,7 @@ static void show_stats(void) { SAYF(bV bSTOP " trim : " cRST "%-37s " bSTG bVR bH20 bH2 bH2 bRB "\n" bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); - /* 提供一些CPU利用率统计信息。 */ + /* Provide some CPU utilization stats. */ if (cpu_core_count) { @@ -4244,12 +4380,12 @@ static void show_stats(void) { u8* cpu_color = cCYA; - /* 如果我们仍然可以运行一个或多个进程,则使用绿色。 */ + /* If we could still run one or more processes, use green. */ if (cpu_core_count > 1 && cur_runnable + 1 <= cpu_core_count) cpu_color = cLGN; - /* 如果我们明显超额认购,就用红色。 */ + /* If we're clearly oversubscribed, use red. */ if (!no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; @@ -4284,45 +4420,46 @@ static void show_stats(void) { } -/* 在处理完输入目录后显示快速统计信息,以及一堆警告。一些校准内容也 -最终放在这里,连同几个硬编码的常数。也许最终会清理一下。 */ - +/* 在处理输入目录后显示初始化统计信息 */ static void show_init_stats(void) { - struct queue_entry* q = queue; - u32 min_bits = 0, max_bits = 0; - u64 min_us = 0, max_us = 0; - u64 avg_us = 0; - u32 max_len = 0; + struct queue_entry* q = queue; // 队列的当前元素 + u32 min_bits = 0, max_bits = 0; // 最小和最大位图大小 + u64 min_us = 0, max_us = 0; // 最小和最大执行时间(微秒) + u64 avg_us = 0; // 平均执行时间 + u32 max_len = 0; // 最大测试用例长度 + // 如果有校准周期,计算平均执行时间 if (total_cal_cycles) avg_us = total_cal_us / total_cal_cycles; + // 遍历队列,找到最小和最大位图大小、执行时间和测试用例长度 while (q) { - + if (!min_us || q->exec_us < min_us) min_us = q->exec_us; if (q->exec_us > max_us) max_us = q->exec_us; - + if (!min_bits || q->bitmap_size < min_bits) min_bits = q->bitmap_size; if (q->bitmap_size > max_bits) max_bits = q->bitmap_size; - + if (q->len > max_len) max_len = q->len; - - q = q->next; - + + q = q->next; // 移动到下一个队列元素 + } SAYF("\n"); + // 如果平均执行时间较长,给出警告并调整havoc_div的值 if (avg_us > (qemu_mode ? 50000 : 10000)) WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.txt.", doc_path); - /* 让我们继续使用慢二进制代码。 */ - + // 如果平均执行时间超过特定阈值,调整havoc_div的值 if (avg_us > 50000) havoc_div = 10; /* 0-19 execs/sec */ else if (avg_us > 20000) havoc_div = 5; /* 20-49 execs/sec */ else if (avg_us > 10000) havoc_div = 2; /* 50-100 execs/sec */ + // 如果不是从会话中恢复,给出一些警告 if (!resuming_fuzz) { if (max_len > 50 * 1024) @@ -4342,6 +4479,7 @@ static void show_init_stats(void) { } + // 显示统计信息 OKF("Here are some useful stats:\n\n" cGRA " Test case count : " cRST "%u favored, %u variable, %u total\n" @@ -4351,21 +4489,21 @@ static void show_init_stats(void) { ((double)total_bitmap_size) / (total_bitmap_entries ? total_bitmap_entries : 1), DI(min_us), DI(max_us), DI(avg_us)); + // 如果没有指定超时时间,计算一个合适的超时时间 if (!timeout_given) { - /* 确定合适的超时时间。基本思路是:5倍的平均值或者1倍的最大值,四舍五入到EXEC_TM_ROUND毫秒,并限制在1秒内。 - -如果程序运行缓慢,乘数会降低到2倍或3倍,因为随机调度抖动不太可能有任何影响,而且我们的耐心正在逐渐减少=) */ - + /* Figure out the appropriate timeout. The basic idea is: 5x average or + 1x max, rounded up to EXEC_TM_ROUND ms and capped at 1 second. */ + if (avg_us > 50000) exec_tmout = avg_us * 2 / 1000; else if (avg_us > 10000) exec_tmout = avg_us * 3 / 1000; else exec_tmout = avg_us * 5 / 1000; - + exec_tmout = MAX(exec_tmout, max_us / 1000); exec_tmout = (exec_tmout + EXEC_TM_ROUND) / EXEC_TM_ROUND * EXEC_TM_ROUND; - + if (exec_tmout > EXEC_TIMEOUT) exec_tmout = EXEC_TIMEOUT; - + ACTF("No -t option specified, so I'll use exec timeout of %u ms.", exec_tmout); @@ -4377,8 +4515,9 @@ static void show_init_stats(void) { } - /* 在dump模式下,用宽裕的时间限制重新运行每个超时的测试用例代价很高,因此我们选择一个更保守的默认值。 */ - + /* In dumb mode, re-running every timing out test case with a generous time + limit is very expensive, so let's select a more conservative default. */ + if (dumb_mode && !getenv("AFL_HANG_TMOUT")) hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100); @@ -4386,10 +4525,7 @@ static void show_init_stats(void) { } - -/* 求大于等于val的2的第一次幂(假设val小于 - 2^31). */ - +/* 找到大于或等于val的最小的2的幂次方(假设val小于2^31) */ static u32 next_p2(u32 val) { u32 ret = 1; @@ -4399,224 +4535,203 @@ static u32 next_p2(u32 val) { } -/* 在进行确定性检查时,修剪所有新的测试用例以节省周期。修剪器使用二的幂次方增加 -量,范围在文件大小的1/16到1/1024之间,以保持这个阶段简短而高效。 */ +// 对输入案例进行修剪,尝试移除部分输入数据,看是否会影响程序的执行路径。 static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { + static u8 tmp[64]; // 临时缓冲区 + static u8 clean_trace[MAP_SIZE]; // 用于存储清理后的执行路径 - static u8 tmp[64]; - static u8 clean_trace[MAP_SIZE]; - - u8 needs_write = 0, fault = 0; - u32 trim_exec = 0; - u32 remove_len; - u32 len_p2; - - /* 尽管在检测到可变行为时,修剪器的效用会降低,但它仍然会有一定程度的作用,因此我们不对此进行检查。 */ + u8 needs_write = 0, fault = 0; // 标记是否需要写入和是否出现故障 + u32 trim_exec = 0; // 修剪执行次数 + u32 remove_len; // 要移除的长度 + u32 len_p2; // 长度的下一个2的幂次 + // 如果输入长度小于5,直接返回0,不进行修剪 if (q->len < 5) return 0; - stage_name = tmp; - bytes_trim_in += q->len; - - /* 选择初始块len,从较大的步骤开始。*/ - - len_p2 = next_p2(q->len); + stage_name = tmp; // 设置当前阶段名称 + bytes_trim_in += q->len; // 更新修剪输入的总字节数 - remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); + // 选择初始块长度,从大步长开始 + len_p2 = next_p2(q->len); // 获取q->len的下一个2的幂次 - /* 继续进行,直到步骤数变得过高或步长变得过小。 */ + remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); // 计算移除长度 + // 继续修剪,直到步数过高或步长过小 while (remove_len >= MAX(len_p2 / TRIM_END_STEPS, TRIM_MIN_BYTES)) { + u32 remove_pos = remove_len; // 移除位置 - u32 remove_pos = remove_len; - + // 格式化修剪信息 sprintf(tmp, "trim %s/%s", DI(remove_len), DI(remove_len)); - stage_cur = 0; - stage_max = q->len / remove_len; - - while (remove_pos < q->len) { + stage_cur = 0; // 当前阶段 + stage_max = q->len / remove_len; // 最大阶段数 - u32 trim_avail = MIN(remove_len, q->len - remove_pos); - u32 cksum; + while (remove_pos < q->len) { // 循环移除每个位置的数据 + u32 trim_avail = MIN(remove_len, q->len - remove_pos); // 可修剪的可用长度 + u32 cksum; // 校验和 + // 写入带有间隔的输入数据 write_with_gap(in_buf, q->len, remove_pos, trim_avail); - fault = run_target(argv, exec_tmout); - trim_execs++; + fault = run_target(argv, exec_tmout); // 运行目标程序 + trim_execs++; // 更新修剪执行次数 + // 如果出现错误或停止请求,跳转到修剪中止 if (stop_soon || fault == FAULT_ERROR) goto abort_trimming; - /* 请注意,我们在这里不跟踪崩溃或挂起;也许做? */ - + // 计算执行路径的校验和 cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - /* 如果删除对跟踪没有影响,使其成为永久性的。这对于变量路径输入来说并不 - 完美,但我们只是在尽力而为,所以如果我们偶尔出现假阴性,也不是什么大问题。 */ - + // 如果删除数据没有影响执行路径,将其永久移除 if (cksum == q->exec_cksum) { + u32 move_tail = q->len - remove_pos - trim_avail; // 需要移动的尾部长度 - u32 move_tail = q->len - remove_pos - trim_avail; + q->len -= trim_avail; // 更新长度 + len_p2 = next_p2(q->len); // 更新下一个2的幂次 - q->len -= trim_avail; - len_p2 = next_p2(q->len); - - memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, - move_tail); - - /* 让我们保存一个干净的跟踪信息,在我们完成修剪工作后,update_bitmap_score函数将会需要它。*/ + // 移动数据 + memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, move_tail); + // 如果需要,保存一个干净的执行路径 if (!needs_write) { - needs_write = 1; - memcpy(clean_trace, trace_bits, MAP_SIZE); - + memcpy(clean_trace, trace_bits, MAP_SIZE); // 复制执行路径 } + } else { + remove_pos += remove_len; // 否则,移动到下一个位置 + } - } else remove_pos += remove_len; - - /* 因为这可能很慢,所以要时不时地更新屏幕。 */ - + // 定期更新屏幕显示 if (!(trim_exec++ % stats_update_freq)) show_stats(); - stage_cur++; - + stage_cur++; // 更新当前阶段 } - remove_len >>= 1; - + remove_len >>= 1; // 减少移除长度 } - /* 如果我们对in_buf做了更改,我们还需要更新磁盘上的测试用例版本。 */ - + // 如果对in_buf进行了修改,需要更新磁盘上的测试用例 if (needs_write) { + s32 fd; // 文件描述符 - s32 fd; - - unlink(q->fname); /* ignore errors */ + // 删除旧的测试用例文件 + unlink(q->fname); // 忽略错误 + // 创建新的测试用例文件 fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); + if (fd < 0) PFATAL("Unable to create '%s'", q->fname); // 错误处理 - if (fd < 0) PFATAL("Unable to create '%s'", q->fname); - + // 写入新的测试用例数据 ck_write(fd, in_buf, q->len, q->fname); - close(fd); + close(fd); // 关闭文件描述符 + // 更新执行路径和分数 memcpy(trace_bits, clean_trace, MAP_SIZE); update_bitmap_score(q); - } -abort_trimming: - - bytes_trim_out += q->len; - return fault; - +abort_trimming: // 修剪中止标签 + bytes_trim_out += q->len; // 更新修剪输出的总字节数 + return fault; // 返回故障状态 } - -/* 写入一个修改后的测试用例,运行程序,处理结果。处理错误条件,如果到 -了该退出的时候则返回1。这是fuzz_one()的辅助函数。 */ - +// 写入修改后的测试用例,运行程序,处理结果。处理错误条件,如果需要中止,则返回1。 +// 这是fuzz_one()的辅助函数。 EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { + u8 fault; // 故障状态 - u8 fault; - + // 如果存在后处理函数 if (post_handler) { - + // 调用后处理函数 out_buf = post_handler(out_buf, &len); - if (!out_buf || !len) return 0; - + if (!out_buf || !len) return 0; // 如果返回为空或长度为0,则返回0 } + // 写入测试用例 write_to_testcase(out_buf, len); - fault = run_target(argv, exec_tmout); + fault = run_target(argv, exec_tmout); // 运行目标程序 + // 如果需要停止,则返回1 if (stop_soon) return 1; + // 如果出现超时故障 if (fault == FAULT_TMOUT) { - + // 如果连续超时次数超过限制,则跳过当前路径 if (subseq_tmouts++ > TMOUT_LIMIT) { cur_skipped_paths++; return 1; } + } else { + subseq_tmouts = 0; // 重置连续超时次数 + } - } else subseq_tmouts = 0; - - /* 用户可以通过发送SIGUSR1信号来请求放弃当前的输入。 */ - + // 用户可以通过SIGUSR1信号请求放弃当前输入 if (skip_requested) { - - skip_requested = 0; - cur_skipped_paths++; - return 1; - + skip_requested = 0; // 重置跳过请求 + cur_skipped_paths++; // 增加跳过路径数 + return 1; // 返回1 } - /* 这将为我们处理FAULT_ERROR: */ - + // 处理故障,更新发现的队列 queued_discovered += save_if_interesting(argv, out_buf, len, fault); + // 定期更新统计信息 if (!(stage_cur % stats_update_freq) || stage_cur + 1 == stage_max) show_stats(); - return 0; - + return 0; // 返回0,表示继续执行 } - -/* 在fuzz_one()中用于选择块操作的随机块长度的辅助函数。只要最大长度max_len大于0,就不会返回零。 */ +/* 辅助函数,用于在模糊测试中的块操作选择随机块长度。 + 只要max_len大于0,就不会返回零 */ static u32 choose_block_len(u32 limit) { u32 min_value, max_value; - u32 rlim = MIN(queue_cycle, 3); + u32 rlim = MIN(queue_cycle, 3); // 限制随机数生成的范围 - if (!run_over10m) rlim = 1; + if (!run_over10m) rlim = 1; // 如果没有超过10M的运行限制,则设置rlim为1 + // 根据随机数选择不同的块长度范围 switch (UR(rlim)) { - - case 0: min_value = 1; - max_value = HAVOC_BLK_SMALL; - break; - - case 1: min_value = HAVOC_BLK_SMALL; - max_value = HAVOC_BLK_MEDIUM; - break; - + case 0: + min_value = 1; // 最小长度设置为1 + max_value = HAVOC_BLK_SMALL; // 最大长度设置为小值 + break; + case 1: + min_value = HAVOC_BLK_SMALL; // 最小长度设置为小值 + max_value = HAVOC_BLK_MEDIUM; // 最大长度设置为中等值 + break; default: - - if (UR(10)) { - - min_value = HAVOC_BLK_MEDIUM; - max_value = HAVOC_BLK_LARGE; - - } else { - - min_value = HAVOC_BLK_LARGE; - max_value = HAVOC_BLK_XL; - - } - + if (UR(10)) { + min_value = HAVOC_BLK_MEDIUM; // 随机选择中等或大长度 + max_value = HAVOC_BLK_LARGE; + } else { + min_value = HAVOC_BLK_LARGE; // 随机选择大或超大长度 + max_value = HAVOC_BLK_XL; + } } + // 如果最小值大于限制,则设置最小值为1 if (min_value >= limit) min_value = 1; + // 返回一个在指定范围内的随机块长度 return min_value + UR(MIN(max_value, limit) - min_value + 1); - } - -/* 计算案例的期望分数,以调整havoc模糊测试的长度。这是fuzz_one()的辅助函数。也许这些常数中的一些应该放入config.h中。*/ +/* 计算案例的期望分数,以调整havoc模糊测试的长度。 + 这是一个辅助函数,用于fuzz_one()。也许这些常数中的一些应该 + 进入config.h文件中 */ static u32 calculate_score(struct queue_entry* q) { - u32 avg_exec_us = total_cal_us / total_cal_cycles; - u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; - u32 perf_score = 100; + u32 avg_exec_us = total_cal_us / total_cal_cycles; // 计算平均执行时间 + u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; // 计算平均位图大小 + u32 perf_score = 100; // 初始化性能分数 - /* 根据此路径的执行速度与全局平均速度的比较,调整分数。乘数范围从0.1x到3x。快速输入的模糊测试成本较低,因此我们给予它们更多的测试时间。 */ + /* 根据此路径的执行速度与全局平均值相比,调整分数。 + 乘数范围从0.1x到3x。快速输入的成本较低,因此给予更多的运行时间。 */ if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; else if (q->exec_us * 0.25 > avg_exec_us) perf_score = 25; @@ -4626,7 +4741,8 @@ static u32 calculate_score(struct queue_entry* q) { else if (q->exec_us * 3 < avg_exec_us) perf_score = 200; else if (q->exec_us * 2 < avg_exec_us) perf_score = 150; - /* 根据位图大小调整分数。工作理论是更好的覆盖率转化为更好的目标。乘数从0.25x到3x。 */ + /* 根据位图大小调整分数。工作理论是更好的覆盖率转化为更好的目标。 + 乘数从0.25x到3x。 */ if (q->bitmap_size * 0.3 > avg_bitmap_size) perf_score *= 3; else if (q->bitmap_size * 0.5 > avg_bitmap_size) perf_score *= 2; @@ -4635,218 +4751,173 @@ static u32 calculate_score(struct queue_entry* q) { else if (q->bitmap_size * 2 < avg_bitmap_size) perf_score *= 0.5; else if (q->bitmap_size * 1.5 < avg_bitmap_size) perf_score *= 0.75; - /* 根据handicap(障碍)调整分数。Handicap与我们在游戏中了解这条路径的时间成比例。后来者被允许运行更长时间,直到它们赶上其他路径。 */ + /* 根据handicap调整分数。Handicap与我们了解此路径的时间成正比。 + 后来者允许运行更长时间,直到它们赶上其他路径。 */ if (q->handicap >= 4) { - - perf_score *= 4; - q->handicap -= 4; - + perf_score *= 4; // 如果handicap大于等于4,则乘以4 + q->handicap -= 4; // 减少handicap值 } else if (q->handicap) { - - perf_score *= 2; - q->handicap--; - + perf_score *= 2; // 如果handicap大于0,则乘以2 + q->handicap--; // 减少handicap值 } - /* 基于输入深度的最终调整,假设模糊测试更深层的测试用例更有可能揭示传统模糊测试工具无法发现的问题。 */ + /* 根据输入深度进行最终调整,假设模糊测试更深层的测试用例 + 更有可能发现传统模糊测试无法发现的问题。 */ switch (q->depth) { - - case 0 ... 3: break; - case 4 ... 7: perf_score *= 2; break; - case 8 ... 13: perf_score *= 3; break; - case 14 ... 25: perf_score *= 4; break; - default: perf_score *= 5; - + case 0 ... 3: break; // 如果深度在0到3之间,不调整分数 + case 4 ... 7: perf_score *= 2; break; // 如果深度在4到7之间,乘以2 + case 8 ... 13: perf_score *= 3; break; // 如果深度在8到13之间,乘以3 + case 14 ... 25: perf_score *= 4; break; // 如果深度在14到25之间,乘以4 + default: perf_score *= 5; // 默认情况下,乘以5 } - /* 确保我们不超过极限 */ - - if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; + /* 确保我们不超过限制。 */ - return perf_score; + if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; // 如果分数超过最大限制,则设置为最大限制 + return perf_score; // 返回计算出的分数 } -/* 辅助函数,用于检查特定的变化(xor_val = old ^ new)是否可能是由afl-fuzz尝试的长度 -和步长确定性位翻转产生的结果。这用于避免在一些跟随位翻转的确定性模糊测试操作中的重复 -项。如果xor_val为零,我们也返回1,这意味着旧值和尝试的新值是相同的,执行将是一种时间 -浪费。*/ +/* Helper function to see if a particular change (xor_val = old ^ new) could + be a product of deterministic bit flips with the lengths and stepovers + attempted by afl-fuzz. This is used to avoid dupes in some of the + deterministic fuzzing operations that follow bit flips. We also + return 1 if xor_val is zero, which implies that the old and attempted new + values are identical and the exec would be a waste of time. */ +// 检测一个值是否可能是通过位翻转操作得到的。 static u8 could_be_bitflip(u32 xor_val) { + u32 sh = 0; // 用于记录位移的变量 - u32 sh = 0; - + // 如果xor_val为0,表示没有位被翻转,返回1。 if (!xor_val) return 1; - /* 左移直到第一个位设置 */ - + // 将xor_val左移,直到最低位为1,记录移动的位数。 while (!(xor_val & 1)) { sh++; xor_val >>= 1; } - /* 1-、2-和4-bit模式在任何地方都是可以的。 */ - + // 如果xor_val是1、3或15,表示只有1、2或4位被翻转,返回1。 if (xor_val == 1 || xor_val == 3 || xor_val == 15) return 1; - /* 8-,、16-、和 32-bit模式只有当位移因子能被8整除时,模式才有效,因为这是这些操作的步长。 */ - + // 如果sh不是8的倍数,那么8位、16位或32位的模式不可能通过位移得到,返回0。 if (sh & 7) return 0; + // 如果xor_val是0xff、0xffff或0xffffffff,表示8位、16位或32位的所有位都被翻转,返回1。 if (xor_val == 0xff || xor_val == 0xffff || xor_val == 0xffffffff) return 1; + // 如果以上条件都不满足,返回0。 return 0; - } - -/* 辅助函数,用于检查是否可以通过算术操作达到某个特定值。用于类似的目的。 */ - +// 检测一个值是否可能是通过算术操作从另一个值得到的。 static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { + u32 i, ov = 0, nv = 0, diffs = 0; // 用于循环和比较的变量 - u32 i, ov = 0, nv = 0, diffs = 0; - + // 如果old_val和new_val相同,返回1。 if (old_val == new_val) return 1; - /* 看看对任何字节进行一个字节的调整是否会产生此结果。 */ - + // 检查每个字节是否有差异,并尝试通过单字节的调整来生成new_val。 for (i = 0; i < blen; i++) { + u8 a = old_val >> (8 * i), // 获取old_val的第i个字节 + b = new_val >> (8 * i); // 获取new_val的第i个字节 - u8 a = old_val >> (8 * i), - b = new_val >> (8 * i); - - if (a != b) { diffs++; ov = a; nv = b; } - + if (a != b) { diffs++; ov = a; nv = b; } // 如果字节不同,增加差异计数 } - /* 如果只有一个字节不同并且值在范围内,则返回1。*/ - + // 如果只有一个字节不同,并且差异在可接受的范围内,返回1。 if (diffs == 1) { - if ((u8)(ov - nv) <= ARITH_MAX || (u8)(nv - ov) <= ARITH_MAX) return 1; - } + // 如果blen为1,表示只有单字节,返回0。 if (blen == 1) return 0; - /* 看看对任何字节进行两个字节的调整是否会产生此结果。 */ - + // 检查每两个字节是否有差异,并尝试通过双字节的调整来生成new_val。 diffs = 0; - for (i = 0; i < blen / 2; i++) { + u16 a = old_val >> (16 * i), // 获取old_val的第i个双字节 + b = new_val >> (16 * i); // 获取new_val的第i个双字节 - u16 a = old_val >> (16 * i), - b = new_val >> (16 * i); - - if (a != b) { diffs++; ov = a; nv = b; } - + if (a != b) { diffs++; ov = a; nv = b; } // 如果双字节不同,增加差异计数 } - /* 如果只有一个字不同且值在范围内,则返回1。 */ - + // 如果只有一个双字节不同,并且差异在可接受的范围内,返回1。 if (diffs == 1) { - if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) return 1; + // 尝试交换字节顺序后再次检查 ov = SWAP16(ov); nv = SWAP16(nv); - if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) return 1; - } - /* 最后,让我们对dwords做同样的事情。 */ - + // 如果blen为4,表示有四个字节,检查整个四字节的差异。 if (blen == 4) { - if ((u32)(old_val - new_val) <= ARITH_MAX || (u32)(new_val - old_val) <= ARITH_MAX) return 1; + // 尝试交换字节顺序后再次检查 new_val = SWAP32(new_val); old_val = SWAP32(old_val); - if ((u32)(old_val - new_val) <= ARITH_MAX || (u32)(new_val - old_val) <= ARITH_MAX) return 1; - } + // 如果以上条件都不满足,返回0。 return 0; - } - -/* 最后但同样重要的是,一个类似的辅助函数,用于检查在给定较短blen的插入操作后, -插入一个有趣的整数是否是多余的。最后一个参数(check_le)如果设置,意味着调用者 -已经为当前blen执行了LE(小端)插入,并希望查看传入的新值中的BE(大端)变体是否是唯一的。 */ - +// 检测一个值是否可能是通过插入特定的整数得到的,考虑到之前已经插入过的值。 static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { - u32 i, j; + // 如果old_val和new_val相同,返回1。 if (old_val == new_val) return 1; - /* See if one-byte insertions from interesting_8 over old_val could - produce new_val. */ - + // 检查是否可以通过在old_val中插入一个字节的值来得到new_val。 for (i = 0; i < blen; i++) { - for (j = 0; j < sizeof(interesting_8); j++) { + u32 tval = (old_val & ~(0xff << (i * 8))) | // 清除old_val的第i个字节 + (((u8)interesting_8[j]) << (i * 8)); // 插入新的字节值 - u32 tval = (old_val & ~(0xff << (i * 8))) | - (((u8)interesting_8[j]) << (i * 8)); - - if (new_val == tval) return 1; - + if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 } - } - /* Bail out unless we're also asked to examine two-byte LE insertions - as a preparation for BE attempts. */ - + // 如果blen为2并且check_le为0,表示不需要检查小端字节序,返回0。 if (blen == 2 && !check_le) return 0; - /* See if two-byte insertions over old_val could give us new_val. */ - + // 检查是否可以通过在old_val中插入一个双字节的值来得到new_val。 for (i = 0; i < blen - 1; i++) { - for (j = 0; j < sizeof(interesting_16) / 2; j++) { + u32 tval = (old_val & ~(0xffff << (i * 8))) | // 清除old_val的第i个双字节 + (((u16)interesting_16[j]) << (i * 8)); // 插入新的双字节值 - u32 tval = (old_val & ~(0xffff << (i * 8))) | - (((u16)interesting_16[j]) << (i * 8)); - - if (new_val == tval) return 1; - - /* Continue here only if blen > 2. */ + if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 + // 如果blen大于2,尝试交换字节顺序后再次检查 if (blen > 2) { - tval = (old_val & ~(0xffff << (i * 8))) | (SWAP16(interesting_16[j]) << (i * 8)); - - if (new_val == tval) return 1; - + if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 } - } - } + // 如果blen为4并且check_le为1,表示需要检查大端字节序。 if (blen == 4 && check_le) { - - /* See if four-byte insertions could produce the same result - (LE only). */ - + // 检查是否可以通过插入一个四字节的值来得到new_val(只考虑小端)。 for (j = 0; j < sizeof(interesting_32) / 4; j++) if (new_val == (u32)interesting_32[j]) return 1; - } + // 如果以上条件都不满足,返回0。 return 0; - } @@ -4856,737 +4927,716 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { static u8 fuzz_one(char** argv) { + // 定义局部变量,用于存储输入数据长度、文件描述符、临时数据长度等。 s32 len, fd, temp_len, i, j; + // 分配指针,用于存储输入缓冲区、输出缓冲区、原始输入数据等。 u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; + // 定义变量,用于记录混沌队列中的路径数量、原始命中次数和新的命中次数。 u64 havoc_queued, orig_hit_cnt, new_hit_cnt; + // 定义变量,用于记录拼接周期、性能得分、原始性能得分、先前校验和、效应器计数。 u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; + // 定义返回值、确定性测试标志。 u8 ret_val = 1, doing_det = 0; + // 定义一个数组,用于存储自动收集的额外数据,以及一个计数器。 u8 a_collect[MAX_AUTO_EXTRA]; u32 a_len = 0; #ifdef IGNORE_FINDS - - /* In IGNORE_FINDS mode, skip any entries that weren't in the - initial data set. */ - + // 如果定义了IGNORE_FINDS宏,跳过不在初始数据集中的条目。 if (queue_cur->depth > 1) return 1; #else - + // 如果有待处理的优选输入且不在IGNORE_FINDS模式。 if (pending_favored) { - /* If we have any favored, non-fuzzed new arrivals in the queue, - possibly skip to them at the expense of already-fuzzed or non-favored - cases. */ - + // 如果队列中有新的优选输入,可能跳过已模糊测试的或非优选的情况。 if ((queue_cur->was_fuzzed || !queue_cur->favored) && UR(100) < SKIP_TO_NEW_PROB) return 1; } else if (!dumb_mode && !queue_cur->favored && queued_paths > 10) { - /* Otherwise, still possibly skip non-favored cases, albeit less often. - The odds of skipping stuff are higher for already-fuzzed inputs and - lower for never-fuzzed entries. */ + // 否则,对于非优选情况,也可能跳过,但概率较低。 + // 对于已经模糊测试的输入,跳过的概率更高;对于从未模糊测试的输入,概率更低。 if (queue_cycle > 1 && !queue_cur->was_fuzzed) { + // 如果是队列中的第二轮且当前输入未被模糊测试过,根据概率跳过。 if (UR(100) < SKIP_NFAV_NEW_PROB) return 1; } else { + // 对于已经模糊测试过的输入,根据概率跳过。 if (UR(100) < SKIP_NFAV_OLD_PROB) return 1; } } - #endif /* ^IGNORE_FINDS */ - if (not_on_tty) { +// 如果当前环境不是终端(tty),则打印模糊测试的进度信息。 +if (not_on_tty) { ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", current_entry, queued_paths, unique_crashes); fflush(stdout); - } - - /* Map the test case into memory. */ - - fd = open(queue_cur->fname, O_RDONLY); +} - if (fd < 0) PFATAL("Unable to open '%s'", queue_cur->fname); +// 打开当前测试用例文件并将其映射到内存中。 +fd = open(queue_cur->fname, O_RDONLY); - len = queue_cur->len; +// 如果打开文件失败,则打印错误信息并终止程序。 +if (fd < 0) PFATAL("Unable to open '%s'", queue_cur->fname); - orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); +// 获取文件长度。 +len = queue_cur->len; - if (orig_in == MAP_FAILED) PFATAL("Unable to mmap '%s'", queue_cur->fname); +// 将文件内容映射到内存中的in_buf变量。 +orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - close(fd); +// 如果映射失败,则打印错误信息并终止程序。 +if (orig_in == MAP_FAILED) PFATAL("Unable to mmap '%s'", queue_cur->fname); - /* We could mmap() out_buf as MAP_PRIVATE, but we end up clobbering every - single byte anyway, so it wouldn't give us any performance or memory usage - benefits. */ +// 关闭文件描述符。 +close(fd); - out_buf = ck_alloc_nozero(len); +// 分配内存用于输出缓冲区,这里使用ck_alloc_nozero来分配非零内存。 +out_buf = ck_alloc_nozero(len); - subseq_tmouts = 0; +// 初始化连续超时计数器。 +subseq_tmouts = 0; - cur_depth = queue_cur->depth; +// 设置当前深度。 +cur_depth = queue_cur->depth; - /******************************************* - * CALIBRATION (only if failed earlier on) * - *******************************************/ +/******************************************* +* CALIBRATION (only if failed earlier on) * +*******************************************/ - if (queue_cur->cal_failed) { +// 如果当前测试用例之前校准失败,则尝试重新校准。 +if (queue_cur->cal_failed) { u8 res = FAULT_TMOUT; + // 如果校准失败次数小于允许的最大次数,则尝试重新校准。 if (queue_cur->cal_failed < CAL_CHANCES) { - /* Reset exec_cksum to tell calibrate_case to re-execute the testcase - avoiding the usage of an invalid trace_bits. - For more info: https://github.com/AFLplusplus/AFLplusplus/pull/425 */ + // 重置exec_cksum,以便重新执行测试用例。 + queue_cur->exec_cksum = 0; - queue_cur->exec_cksum = 0; + // 执行校准函数。 + res = calibrate_case(argv, queue_cur, in_buf, queue_cycle - 1, 0); - res = calibrate_case(argv, queue_cur, in_buf, queue_cycle - 1, 0); - - if (res == FAULT_ERROR) - FATAL("Unable to execute target application"); + // 如果校准失败,则终止程序。 + if (res == FAULT_ERROR) + FATAL("Unable to execute target application"); } + // 如果需要停止或者校准结果不是预期的崩溃模式,则跳过当前测试用例。 if (stop_soon || res != crash_mode) { - cur_skipped_paths++; - goto abandon_entry; + cur_skipped_paths++; + goto abandon_entry; } - } +} - /************ - * TRIMMING * - ************/ +/************ +* TRIMMING * +************/ - if (!dumb_mode && !queue_cur->trim_done) { +// 如果没有启用dumb_mode并且当前测试用例尚未修剪,则执行修剪操作。 +if (!dumb_mode && !queue_cur->trim_done) { u8 res = trim_case(argv, queue_cur, in_buf); + // 如果修剪失败,则终止程序。 if (res == FAULT_ERROR) - FATAL("Unable to execute target application"); + FATAL("Unable to execute target application"); + // 如果需要停止,则跳过当前测试用例。 if (stop_soon) { - cur_skipped_paths++; - goto abandon_entry; + cur_skipped_paths++; + goto abandon_entry; } - /* Don't retry trimming, even if it failed. */ - + // 标记为已修剪,不再尝试修剪。 queue_cur->trim_done = 1; + // 更新文件长度。 if (len != queue_cur->len) len = queue_cur->len; - } - - memcpy(out_buf, in_buf, len); +} - /********************* - * PERFORMANCE SCORE * - *********************/ +// 将输入缓冲区的内容复制到输出缓冲区。 +memcpy(out_buf, in_buf, len); - orig_perf = perf_score = calculate_score(queue_cur); +/********************* +* PERFORMANCE SCORE * +*********************/ - /* Skip right away if -d is given, if we have done deterministic fuzzing on - this entry ourselves (was_fuzzed), or if it has gone through deterministic - testing in earlier, resumed runs (passed_det). */ +// 计算性能得分。 +orig_perf = perf_score = calculate_score(queue_cur); - if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) +// 如果启用了-d选项,或者已经对当前测试用例执行过确定性模糊测试,或者它已经通过了早期的确定性测试,则跳过确定性测试阶段。 +if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) goto havoc_stage; - /* Skip deterministic fuzzing if exec path checksum puts this out of scope - for this master instance. */ - - if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) +// 如果执行路径校验和将当前测试用例排除在当前主实例的范围之外,则跳过确定性测试。 +if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) goto havoc_stage; - doing_det = 1; +// 标记为正在执行确定性测试。 +doing_det = 1; - /********************************************* - * SIMPLE BITFLIP (+dictionary construction) * - *********************************************/ +/********************************************* +* SIMPLE BITFLIP (+dictionary construction) * +********************************************/ +// 定义一个宏,用于翻转位。 #define FLIP_BIT(_ar, _b) do { \ u8* _arf = (u8*)(_ar); \ u32 _bf = (_b); \ _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ } while (0) - /* Single walking bit. */ +// 执行简单的位翻转测试。 +stage_short = "flip1"; +stage_max = len << 3; +stage_name = "bitflip 1/1"; - stage_short = "flip1"; - stage_max = len << 3; - stage_name = "bitflip 1/1"; +stage_val_type = STAGE_VAL_NONE; - stage_val_type = STAGE_VAL_NONE; +// 初始化原始命中计数器。 +orig_hit_cnt = queued_paths + unique_crashes; - orig_hit_cnt = queued_paths + unique_crashes; +// 保存之前的校验和。 +prev_cksum = queue_cur->exec_cksum; - prev_cksum = queue_cur->exec_cksum; - - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { +// 遍历每个位并执行位翻转测试。 +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + // 计算当前位所在的字节。 stage_cur_byte = stage_cur >> 3; + // 翻转当前位。 FLIP_BIT(out_buf, stage_cur); + // 执行模糊测试。 if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + // 恢复原始位状态。 FLIP_BIT(out_buf, stage_cur); - /* While flipping the least significant bit in every byte, pull of an extra - trick to detect possible syntax tokens. In essence, the idea is that if - you have a binary blob like this: + // 在翻转最低有效位时,执行额外的检测以识别可能的语法标记。 + if (!dumb_mode && (stage_cur & 7) == 7) { - xxxxxxxxIHDRxxxxxxxx + // 计算新的校验和。 + u32 cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - ...and changing the leading and trailing bytes causes variable or no - changes in program flow, but touching any character in the "IHDR" string - always produces the same, distinctive path, it's highly likely that - "IHDR" is an atomically-checked magic value of special significance to - the fuzzed format. + // 如果到达文件末尾并且我们仍在收集字符串,则获取最终字符并强制输出。 + if (stage_cur == stage_max - 1 && cksum == prev_cksum) { - We do this here, rather than as a separate stage, because it's a nice - way to keep the operation approximately "free" (i.e., no extra execs). - - Empirically, performing the check when flipping the least significant bit - is advantageous, compared to doing it at the time of more disruptive - changes, where the program flow may be affected in more violent ways. + if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; + a_len++; - The caveat is that we won't generate dictionaries in the -d mode or -S - mode - but that's probably a fair trade-off. + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + maybe_add_auto(a_collect, a_len); - This won't work particularly well with paths that exhibit variable - behavior, but fails gracefully, so we'll carry out the checks anyway. + } else if (cksum != prev_cksum) { - */ + // 否则,如果校验和已更改,则查看是否有值得收集的内容,并在是的情况下收集。 + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + maybe_add_auto(a_collect, a_len); - if (!dumb_mode && (stage_cur & 7) == 7) { + a_len = 0; + prev_cksum = cksum; - u32 cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + } - if (stage_cur == stage_max - 1 && cksum == prev_cksum) { + // 继续收集字符串,但只有在位翻转实际上产生了影响时,我们才不希望无操作标记。 - /* If at end of file and we are still collecting a string, grab the - final character and force output. */ + if (cksum != queue_cur->exec_cksum) { - if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; - a_len++; + if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; + a_len++; - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(a_collect, a_len); + } - } else if (cksum != prev_cksum) { + } - /* Otherwise, if the checksum has changed, see if we have something - worthwhile queued up, and collect that if the answer is yes. */ +} +// 初始化新的命中计数,这是待处理路径数和唯一崩溃数的总和。 +new_hit_cnt = queued_paths + unique_crashes; - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(a_collect, a_len); +// 更新STAGE_FLIP1阶段的发现计数和周期数。 +stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; // 发现计数增加新的命中数减去原始的命中数。 +stage_cycles[STAGE_FLIP1] += stage_max; // 增加STAGE_FLIP1的最大周期数。 - a_len = 0; - prev_cksum = cksum; +/* 两个行走的位。 */ - } +// 设置当前阶段的名称和简称。 +stage_name = "bitflip 2/1"; +stage_short = "flip2"; +// 计算STAGE_FLIP1阶段的最大值,即输入数据长度的8倍减1。 +stage_max = (len << 3) - 1; - /* Continue collecting string, but only if the bit flip actually made - any difference - we don't want no-op tokens. */ +// 将新的命中计数赋值给原始命中计数,以便下一次迭代使用。 +orig_hit_cnt = new_hit_cnt; - if (cksum != queue_cur->exec_cksum) { +// 循环遍历STAGE_FLIP1阶段的最大值。 +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; - a_len++; + // 计算当前位操作的字节索引。 + stage_cur_byte = stage_cur >> 3; - } + // 翻转输出缓冲区中当前位置和下一个位置的位。 + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); - } + // 如果common_fuzz_stuff函数返回失败,跳转到abandon_entry标签处。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - } + // 恢复输出缓冲区中当前位置和下一个位置的位到原始状态。 + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); - new_hit_cnt = queued_paths + unique_crashes; +} - stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP1] += stage_max; +// 计算新的命中次数,这是当前队列中的路径数加上唯一的崩溃次数。 +new_hit_cnt = queued_paths + unique_crashes; + +// 更新FLIP2阶段的发现次数和周期数。 +stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP2] += stage_max; + +// 定义FLIP4阶段的名称和简称。 +stage_name = "bitflip 4/1"; +stage_short = "flip4"; +// 计算FLIP4阶段的最大值,这是输入长度的三倍减去3。 +stage_max = (len << 3) - 3; + +// 将新的命中次数保存为原始命中次数,以便在下一个阶段使用。 +orig_hit_cnt = new_hit_cnt; + +// 循环,对每个可能的位位置进行操作。 +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + // 计算当前操作的字节位置。 + stage_cur_byte = stage_cur >> 3; + + // 翻转当前位置及其后三个位置的位。 + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + FLIP_BIT(out_buf, stage_cur + 2); + FLIP_BIT(out_buf, stage_cur + 3); + + // 如果common_fuzz_stuff函数返回真,则跳转到abandon_entry标签。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + // 恢复原始位状态。 + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + FLIP_BIT(out_buf, stage_cur + 2); + FLIP_BIT(out_buf, stage_cur + 3); +} - /* Two walking bits. */ +// 更新FLIP4阶段的发现次数和周期数。 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP4] += stage_max; - stage_name = "bitflip 2/1"; - stage_short = "flip2"; - stage_max = (len << 3) - 1; +// 定义一些宏,用于计算effector map中的位置和长度。 +#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2) +#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1)) +#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l)) +#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l) - 1) - EFF_APOS(_p) + 1) - orig_hit_cnt = new_hit_cnt; +// 初始化下一个步骤的effector map,并标记第一个和最后一个字节为活跃的。 +eff_map = ck_alloc(EFF_ALEN(len)); +eff_map[0] = 1; - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { +// 如果最后一个字节的位置不等于0,则标记它为活跃的,并增加eff_cnt计数器。 +if (EFF_APOS(len - 1) != 0) { + eff_map[EFF_APOS(len - 1)] = 1; + eff_cnt++; +} - stage_cur_byte = stage_cur >> 3; +// 定义FLIP8阶段的名称和简称。 +stage_name = "bitflip 8/8"; +stage_short = "flip8"; +// 设置FLIP8阶段的最大值为输入长度。 +stage_max = len; - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); +// 将新的命中次数保存为原始命中次数,以便在下一个阶段使用。 +orig_hit_cnt = new_hit_cnt; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; +// 循环,对每个字节进行操作。 +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + // 计算当前操作的字节位置。 + stage_cur_byte = stage_cur; - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); + // 翻转当前字节的所有位。 + out_buf[stage_cur] ^= 0xFF; - } + // 如果common_fuzz_stuff函数返回真,则跳转到abandon_entry标签。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - new_hit_cnt = queued_paths + unique_crashes; + // 如果当前字节在effector map中未被标记,则进行进一步的检查。 + if (!eff_map[EFF_APOS(stage_cur)]) { + u32 cksum; - stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP2] += stage_max; + // 如果处于dumb模式或文件非常短,则不进行checksum计算。 + if (!dumb_mode && len >= EFF_MIN_LEN) + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + else + cksum = ~queue_cur->exec_cksum; - /* Four walking bits. */ + // 如果checksum与预期不符,则标记该字节为活跃的,并增加eff_cnt计数器。 + if (cksum != queue_cur->exec_cksum) { + eff_map[EFF_APOS(stage_cur)] = 1; + eff_cnt++; + } + } - stage_name = "bitflip 4/1"; - stage_short = "flip4"; - stage_max = (len << 3) - 3; + // 恢复原始字节状态。 + out_buf[stage_cur] ^= 0xFF; +} - orig_hit_cnt = new_hit_cnt; +/* 如果效应器(effector)映射的密度超过EFF_MAX_PERC指定的百分比, + 则标记整个映射为值得fuzzing(模糊测试),因为我们不会节省太多时间。 */ - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { +if (eff_cnt != EFF_ALEN(len) && + eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) { - stage_cur_byte = stage_cur >> 3; + // 如果超过阈值,则将整个效应器映射标记为1(即,所有位都值得测试) + memset(eff_map, 1, EFF_ALEN(len)); - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); - FLIP_BIT(out_buf, stage_cur + 2); - FLIP_BIT(out_buf, stage_cur + 3); + // 更新被选中进行模糊测试的块的数量 + blocks_eff_select += EFF_ALEN(len); - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; +} else { - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); - FLIP_BIT(out_buf, stage_cur + 2); - FLIP_BIT(out_buf, stage_cur + 3); + // 如果没有超过阈值,则只增加实际有效应器的计数 + blocks_eff_select += eff_cnt; - } +} - new_hit_cnt = queued_paths + unique_crashes; +// 更新总共被考虑进行模糊测试的块的数量 +blocks_eff_total += EFF_ALEN(len); - stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP4] += stage_max; +// 更新在当前阶段发现的新问题(如路径或崩溃)的数量 +new_hit_cnt = queued_paths + unique_crashes; - /* Effector map setup. These macros calculate: +// 更新当前阶段(STAGE_FLIP8)的发现和周期计数 +stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP8] += stage_max; - EFF_APOS - position of a particular file offset in the map. - EFF_ALEN - length of a map with a particular number of bytes. - EFF_SPAN_ALEN - map span for a sequence of bytes. +/* 处理两个行走的字节。 */ - */ +// 如果长度小于2,则跳过位翻转 +if (len < 2) goto skip_bitflip; -#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2) -#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1)) -#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l)) -#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l) - 1) - EFF_APOS(_p) + 1) +// 设置当前阶段的名称和简称 +stage_name = "bitflip 16/8"; +stage_short = "flip16"; +stage_cur = 0; // 当前阶段的当前进度 +stage_max = len - 1; // 当前阶段的最大进度 - /* Initialize effector map for the next step (see comments below). Always - flag first and last byte as doing something. */ +// 记录原始的命中计数 +orig_hit_cnt = new_hit_cnt; - eff_map = ck_alloc(EFF_ALEN(len)); - eff_map[0] = 1; +// 遍历输入数据,每次处理两个字节 +for (i = 0; i < len - 1; i++) { - if (EFF_APOS(len - 1) != 0) { - eff_map[EFF_APOS(len - 1)] = 1; - eff_cnt++; + // 检查效应器映射,如果当前和下一个字节都不是效应器,则跳过 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max--; + continue; } - /* Walking byte. */ + // 设置当前处理的字节位置 + stage_cur_byte = i; - stage_name = "bitflip 8/8"; - stage_short = "flip8"; - stage_max = len; + // 翻转当前两个字节的所有位 + *(u16*)(out_buf + i) ^= 0xFFFF; - orig_hit_cnt = new_hit_cnt; + // 执行模糊测试的常见操作,如果失败则跳转到abandon_entry + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + // 恢复原始数据 + *(u16*)(out_buf + i) ^= 0xFFFF; - stage_cur_byte = stage_cur; +} - out_buf[stage_cur] ^= 0xFF; +// 更新新发现的问题数量和周期计数 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP16] += stage_max; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; +// 如果长度小于4,则跳过四字节位翻转 +if (len < 4) goto skip_bitflip; - /* We also use this stage to pull off a simple trick: we identify - bytes that seem to have no effect on the current execution path - even when fully flipped - and we skip them during more expensive - deterministic stages, such as arithmetics or known ints. */ +/* 处理四个行走的字节。 */ - if (!eff_map[EFF_APOS(stage_cur)]) { +// 设置当前阶段的名称和简称 +stage_name = "bitflip 32/8"; +stage_short = "flip32"; +stage_cur = 0; +stage_max = len - 3; - u32 cksum; +// 记录原始的命中计数 +orig_hit_cnt = new_hit_cnt; - /* If in dumb mode or if the file is very short, just flag everything - without wasting time on checksums. */ - - if (!dumb_mode && len >= EFF_MIN_LEN) - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - else - cksum = ~queue_cur->exec_cksum; - - if (cksum != queue_cur->exec_cksum) { - eff_map[EFF_APOS(stage_cur)] = 1; - eff_cnt++; - } - - } - - out_buf[stage_cur] ^= 0xFF; +// 遍历输入数据,每次处理四个字节 +for (i = 0; i < len - 3; i++) { + // 检查效应器映射,如果当前和接下来三个字节都不是效应器,则跳过 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max--; + continue; } - /* If the effector map is more than EFF_MAX_PERC dense, just flag the - whole thing as worth fuzzing, since we wouldn't be saving much time - anyway. */ - - if (eff_cnt != EFF_ALEN(len) && - eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) { + // 设置当前处理的字节位置 + stage_cur_byte = i; - memset(eff_map, 1, EFF_ALEN(len)); + // 翻转当前四个字节的所有位 + *(u32*)(out_buf + i) ^= 0xFFFFFFFF; - blocks_eff_select += EFF_ALEN(len); - - } else { - - blocks_eff_select += eff_cnt; - - } - - blocks_eff_total += EFF_ALEN(len); - - new_hit_cnt = queued_paths + unique_crashes; + // 执行模糊测试的常见操作,如果失败则跳转到abandon_entry + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; - stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP8] += stage_max; + // 恢复原始数据 + *(u32*)(out_buf + i) ^= 0xFFFFFFFF; - /* Two walking bytes. */ - - if (len < 2) goto skip_bitflip; +} - stage_name = "bitflip 16/8"; - stage_short = "flip16"; - stage_cur = 0; - stage_max = len - 1; +// 更新新发现的问题数量和周期计数 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_FLIP32] += stage_max; +// 跳过算术操作的标签 +skip_bitflip: - orig_hit_cnt = new_hit_cnt; +// 如果设置了no_arith标志,则跳过算术操作 +if (no_arith) goto skip_arith; - for (i = 0; i < len - 1; i++) { +/************************** + * ARITHMETIC INC/DEC * + *************************/ - /* Let's consult the effector map... */ +// 8位算术操作 +stage_name = "arith 8/8"; +stage_short = "arith8"; +stage_cur = 0; // 当前阶段的当前值 +stage_max = 2 * len * ARITH_MAX; // 最大可能的值 - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max--; - continue; - } +stage_val_type = STAGE_VAL_LE; // 值的类型,这里设置为小端 - stage_cur_byte = i; - - *(u16*)(out_buf + i) ^= 0xFFFF; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - *(u16*)(out_buf + i) ^= 0xFFFF; +orig_hit_cnt = new_hit_cnt; // 原始的命中次数 +// 对输入缓冲区中的每个字节进行操作 +for (i = 0; i < len; i++) { + u8 orig = out_buf[i]; // 原始字节值 + // 如果当前位置不在影响映射中,则跳过 + if (!eff_map[EFF_APOS(i)]) { + stage_max -= 2 * ARITH_MAX; + continue; } - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP16] += stage_max; - - if (len < 4) goto skip_bitflip; - - /* Four walking bytes. */ + stage_cur_byte = i; // 当前处理的字节位置 - stage_name = "bitflip 32/8"; - stage_short = "flip32"; - stage_cur = 0; - stage_max = len - 3; + // 对每个可能的增量进行操作 + for (j = 1; j <= ARITH_MAX; j++) { + u8 r = orig ^ (orig + j); // 计算增加j后的值 - orig_hit_cnt = new_hit_cnt; + // 如果结果不可能是位翻转的结果,则进行算术操作 + if (!could_be_bitflip(r)) { + stage_cur_val = j; + out_buf[i] = orig + j; // 应用增加操作 - for (i = 0; i < len - 3; i++) { - - /* Let's consult the effector map... */ - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && - !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max--; - continue; - } - - stage_cur_byte = i; + // 如果公共模糊测试函数返回成功,则跳转到abandon_entry标签 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + r = orig ^ (orig - j); // 计算减少j后的值 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; + // 如果结果不可能是位翻转的结果,则进行算术操作 + if (!could_be_bitflip(r)) { + stage_cur_val = -j; + out_buf[i] = orig - j; // 应用减少操作 - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + // 如果公共模糊测试函数返回成功,则跳转到abandon_entry标签 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + out_buf[i] = orig; // 恢复原始值 } +} - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_FLIP32] += stage_max; - -skip_bitflip: - - if (no_arith) goto skip_arith; - - /********************** - * ARITHMETIC INC/DEC * - **********************/ - - /* 8-bit arithmetics. */ - - stage_name = "arith 8/8"; - stage_short = "arith8"; - stage_cur = 0; - stage_max = 2 * len * ARITH_MAX; - - stage_val_type = STAGE_VAL_LE; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len; i++) { - - u8 orig = out_buf[i]; - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)]) { - stage_max -= 2 * ARITH_MAX; - continue; - } - - stage_cur_byte = i; - - for (j = 1; j <= ARITH_MAX; j++) { - - u8 r = orig ^ (orig + j); - - /* Do arithmetic operations only if the result couldn't be a product - of a bitflip. */ - - if (!could_be_bitflip(r)) { - - stage_cur_val = j; - out_buf[i] = orig + j; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - r = orig ^ (orig - j); +// 更新命中次数和阶段统计信息 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_ARITH8] += stage_max; - if (!could_be_bitflip(r)) { +// 16位算术操作,包括小端和大端 +if (len < 2) goto skip_arith; - stage_cur_val = -j; - out_buf[i] = orig - j; +stage_name = "arith 16/8"; +stage_short = "arith16"; +stage_cur = 0; +stage_max = 4 * (len - 1) * ARITH_MAX; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; +orig_hit_cnt = new_hit_cnt; - } else stage_max--; - - out_buf[i] = orig; - - } +// 对输入缓冲区中每两个字节进行操作 +for (i = 0; i < len - 1; i++) { + u16 orig = *(u16*)(out_buf + i); // 原始的16位值 + // 如果当前位置和下一个位置都不在影响映射中,则跳过 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max -= 4 * ARITH_MAX; + continue; } - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_ARITH8] += stage_max; - - /* 16-bit arithmetics, both endians. */ - - if (len < 2) goto skip_arith; - - stage_name = "arith 16/8"; - stage_short = "arith16"; - stage_cur = 0; - stage_max = 4 * (len - 1) * ARITH_MAX; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len - 1; i++) { - - u16 orig = *(u16*)(out_buf + i); - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max -= 4 * ARITH_MAX; - continue; - } - - stage_cur_byte = i; - - for (j = 1; j <= ARITH_MAX; j++) { - - u16 r1 = orig ^ (orig + j), - r2 = orig ^ (orig - j), - r3 = orig ^ SWAP16(SWAP16(orig) + j), - r4 = orig ^ SWAP16(SWAP16(orig) - j); - - /* Try little endian addition and subtraction first. Do it only - if the operation would affect more than one byte (hence the - & 0xff overflow checks) and if it couldn't be a product of - a bitflip. */ - - stage_val_type = STAGE_VAL_LE; - - if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { + stage_cur_byte = i; - stage_cur_val = j; - *(u16*)(out_buf + i) = orig + j; + // 对每个可能的增量进行操作 + for (j = 1; j <= ARITH_MAX; j++) { + u16 r1 = orig ^ (orig + j), // 小端增加 + r2 = orig ^ (orig - j), // 小端减少 + r3 = orig ^ SWAP16(SWAP16(orig) + j), // 大端增加 + r4 = orig ^ SWAP16(SWAP16(orig) - j); // 大端减少 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; + // 尝试小端增加和减少操作 + stage_val_type = STAGE_VAL_LE; - if ((orig & 0xff) < j && !could_be_bitflip(r2)) { + if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { + stage_cur_val = j; + *(u16*)(out_buf + i) = orig + j; - stage_cur_val = -j; - *(u16*)(out_buf + i) = orig - j; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - /* Big endian comes next. Same deal. */ - - stage_val_type = STAGE_VAL_BE; - - - if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { - - stage_cur_val = j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; - } else stage_max--; + if ((orig & 0xff) < j && !could_be_bitflip(r2)) { + stage_cur_val = -j; + *(u16*)(out_buf + i) = orig - j; - if ((orig >> 8) < j && !could_be_bitflip(r4)) { + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; - stage_cur_val = -j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); + // 尝试大端增加和减少操作 + stage_val_type = STAGE_VAL_BE; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; + if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { + stage_cur_val = j; + *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); - } else stage_max--; + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; - *(u16*)(out_buf + i) = orig; + if ((orig >> 8) < j && !could_be_bitflip(r4)) { + stage_cur_val = -j; + *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); - } + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + *(u16*)(out_buf + i) = orig; // 恢复原始值 } +} - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_ARITH16] += stage_max; - - /* 32-bit arithmetics, both endians. */ - - if (len < 4) goto skip_arith; - - stage_name = "arith 32/8"; - stage_short = "arith32"; - stage_cur = 0; - stage_max = 4 * (len - 3) * ARITH_MAX; - - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len - 3; i++) { - - u32 orig = *(u32*)(out_buf + i); - - /* Let's consult the effector map... */ - - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && - !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max -= 4 * ARITH_MAX; - continue; - } - - stage_cur_byte = i; - - for (j = 1; j <= ARITH_MAX; j++) { - - u32 r1 = orig ^ (orig + j), - r2 = orig ^ (orig - j), - r3 = orig ^ SWAP32(SWAP32(orig) + j), - r4 = orig ^ SWAP32(SWAP32(orig) - j); - - /* Little endian first. Same deal as with 16-bit: we only want to - try if the operation would have effect on more than two bytes. */ +// 更新命中次数和阶段统计信息 +new_hit_cnt = queued_paths + unique_crashes; +stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_ARITH16] += stage_max; - stage_val_type = STAGE_VAL_LE; +// 32位算术操作,包括小端和大端 +if (len < 4) goto skip_arith; - if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { +stage_name = "arith 32/8"; +stage_short = "arith32"; +stage_cur = 0; +stage_max = 4 * (len - 3) * ARITH_MAX; - stage_cur_val = j; - *(u32*)(out_buf + i) = orig + j; +orig_hit_cnt = new_hit_cnt; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; +// 对输入缓冲区中每四个字节进行操作 +for (i = 0; i < len - 3; i++) { + u32 orig = *(u32*)(out_buf + i); // 原始的32位值 - } else stage_max--; + // 如果当前位置和接下来的三个位置都不在影响映射中,则跳过 + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max -= 4 * ARITH_MAX; + continue; + } - if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { + stage_cur_byte = i; - stage_cur_val = -j; - *(u32*)(out_buf + i) = orig - j; + // 对每个可能的增量进行操作 + for (j = 1; j <= ARITH_MAX; j++) { + u32 r1 = orig ^ (orig + j), // 小端增加 + r2 = orig ^ (orig - j), // 小端减少 + r3 = orig ^ SWAP32(SWAP32(orig) + j), // 大端增加 + r4 = orig ^ SWAP32(SWAP32(orig) - j); // 大端减少 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; + // 尝试小端增加和减少操作 + stage_val_type = STAGE_VAL_LE; - } else stage_max--; + if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { + stage_cur_val = j; + *(u32*)(out_buf + i) = orig + j; - /* Big endian next. */ + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; - stage_val_type = STAGE_VAL_BE; + if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { + stage_cur_val = -j; + *(u32*)(out_buf + i) = orig - j; - if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; - stage_cur_val = j; - *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); + // 尝试大端增加和减少操作 + stage_val_type = STAGE_VAL_BE; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; + if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { + stage_cur_val = j; + *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); - } else stage_max--; + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else stage_max--; + // 如果原始值的大端格式的低16位小于增量j,并且结果不可能是位翻转的结果 if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { - + // 设置当前阶段的值为负的增量j stage_cur_val = -j; + // 对当前的32位值进行大端格式的减法操作,并更新输出缓冲区 *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); + // 执行公共的模糊测试操作,如果测试中断,则跳转到abandon_entry标签 if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + // 如果测试没有中断,增加当前阶段的计数器 stage_cur++; + } else { + // 如果操作不可能产生新的命中,减少最大阶段计数 + stage_max--; + } - } else stage_max--; - + // 恢复原始的32位值,以便下一次迭代使用 *(u32*)(out_buf + i) = orig; } @@ -5598,183 +5648,178 @@ skip_bitflip: stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_ARITH32] += stage_max; +// 如果设置了跳过算术处理的标志,则跳到下一个阶段。 skip_arith: - /********************** - * INTERESTING VALUES * - **********************/ - - stage_name = "interest 8/8"; - stage_short = "int8"; - stage_cur = 0; - stage_max = len * sizeof(interesting_8); - - stage_val_type = STAGE_VAL_LE; - - orig_hit_cnt = new_hit_cnt; +/********************** + * INTERESTING VALUES * +**********************/ - /* Setting 8-bit integers. */ +// 设置当前阶段的名称和简称。 +stage_name = "interest 8/8"; +stage_short = "int8"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = len * sizeof(interesting_8); // 最大次数为输入数据长度与有趣8位整数数组大小的乘积。 - for (i = 0; i < len; i++) { +stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 - u8 orig = out_buf[i]; +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 - /* Let's consult the effector map... */ +// 设置8位整数。 +for (i = 0; i < len; i++) { + u8 orig = out_buf[i]; // 保存原始字节。 + // 如果当前位置在效应器映射中没有设置,则跳过。 if (!eff_map[EFF_APOS(i)]) { - stage_max -= sizeof(interesting_8); - continue; + stage_max -= sizeof(interesting_8); + continue; } - stage_cur_byte = i; + stage_cur_byte = i; // 设置当前处理的字节位置。 + // 遍历有趣的8位整数数组。 for (j = 0; j < sizeof(interesting_8); j++) { + // 如果该值可能是位翻转或算术操作的结果,则跳过。 + if (could_be_bitflip(orig ^ (u8)interesting_8[j]) || + could_be_arith(orig, (u8)interesting_8[j], 1)) { + stage_max--; + continue; + } - /* Skip if the value could be a product of bitflips or arithmetics. */ - - if (could_be_bitflip(orig ^ (u8)interesting_8[j]) || - could_be_arith(orig, (u8)interesting_8[j], 1)) { - stage_max--; - continue; - } - - stage_cur_val = interesting_8[j]; - out_buf[i] = interesting_8[j]; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur_val = interesting_8[j]; // 设置当前阶段的值。 + out_buf[i] = interesting_8[j]; // 设置有趣的值。 - out_buf[i] = orig; - stage_cur++; + // 执行模糊测试操作,如果需要则放弃当前输入。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + out_buf[i] = orig; // 恢复原始值。 + stage_cur++; // 增加当前阶段的计数器。 } +} - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_INTEREST8] += stage_max; - - /* Setting 16-bit integers, both endians. */ - - if (no_arith || len < 2) goto skip_interest; +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; - stage_name = "interest 16/8"; - stage_short = "int16"; - stage_cur = 0; - stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1); +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_INTEREST8] += stage_max; - orig_hit_cnt = new_hit_cnt; +// 如果设置了不进行算术处理或输入数据长度小于2,则跳过16位整数的处理。 +if (no_arith || len < 2) goto skip_interest; - for (i = 0; i < len - 1; i++) { +// 设置当前阶段的名称和简称。 +stage_name = "interest 16/8"; +stage_short = "int16"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1); // 最大次数为输入数据长度减1与有趣16位整数数组大小的乘积。 - u16 orig = *(u16*)(out_buf + i); +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 - /* Let's consult the effector map... */ +// 设置16位整数,包括小端和大端。 +for (i = 0; i < len - 1; i++) { + u16 orig = *(u16*)(out_buf + i); // 保存原始的16位整数。 + // 如果当前位置和下一位在效应器映射中没有设置,则跳过。 if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max -= sizeof(interesting_16); - continue; + stage_max -= sizeof(interesting_16); + continue; } - stage_cur_byte = i; + stage_cur_byte = i; // 设置当前处理的字节位置。 + // 遍历有趣的16位整数数组。 for (j = 0; j < sizeof(interesting_16) / 2; j++) { + stage_cur_val = interesting_16[j]; // 设置当前阶段的值。 - stage_cur_val = interesting_16[j]; + // 如果该值不可能是位翻转、算术操作或单字节有趣值插入的结果,则进行处理。 + if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) && + !could_be_arith(orig, (u16)interesting_16[j], 2) && + !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) { + stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 - /* Skip if this could be a product of a bitflip, arithmetics, - or single-byte interesting value insertion. */ + *(u16*)(out_buf + i) = interesting_16[j]; // 设置有趣的值。 - if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) && - !could_be_arith(orig, (u16)interesting_16[j], 2) && - !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) { - - stage_val_type = STAGE_VAL_LE; - - *(u16*)(out_buf + i) = interesting_16[j]; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && - !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && - !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && - !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) { - - stage_val_type = STAGE_VAL_BE; - - *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; + // 执行模糊测试操作,如果需要则放弃当前输入。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; // 增加当前阶段的计数器。 + } else { + stage_max--; // 减少最大次数。 + } - } else stage_max--; + // 对于大端情况也进行相同的处理。 + if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && + !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && + !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && + !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) { + stage_val_type = STAGE_VAL_BE; // 设置阶段值类型为大端。 + *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); // 设置有趣的值。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + } else { + stage_max--; + } } - *(u16*)(out_buf + i) = orig; - - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_INTEREST16] += stage_max; - - if (len < 4) goto skip_interest; + *(u16*)(out_buf + i) = orig; // 恢复原始值。 +} - /* Setting 32-bit integers, both endians. */ +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; - stage_name = "interest 32/8"; - stage_short = "int32"; - stage_cur = 0; - stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2); +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_INTEREST16] += stage_max; - orig_hit_cnt = new_hit_cnt; +// 如果输入数据长度小于4,则跳过32位整数的处理。 +if (len < 4) goto skip_interest; - for (i = 0; i < len - 3; i++) { +// 设置当前阶段的名称和简称。 +stage_name = "interest 32/8"; +stage_short = "int32"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2); // 最大次数为输入数据长度减3与有趣32位整数数组大小的乘积。 - u32 orig = *(u32*)(out_buf + i); +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 - /* Let's consult the effector map... */ +// 设置32位整数,包括小端和大端。 +for (i = 0; i < len - 3; i++) { + u32 orig = *(u32*)(out_buf + i); // 保存原始的32位整数。 + // 如果当前位置和接下来三位在效应器映射中没有设置,则跳过。 if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max -= sizeof(interesting_32) >> 1; - continue; + stage_max -= sizeof(interesting_32) >> 1; + continue; } - stage_cur_byte = i; + stage_cur_byte = i; // 设置当前处理的字节位置。 + // 遍历有趣的32位整数数组。 for (j = 0; j < sizeof(interesting_32) / 4; j++) { + stage_cur_val = interesting_32[j]; // 设置当前阶段的值。 - stage_cur_val = interesting_32[j]; - - /* Skip if this could be a product of a bitflip, arithmetics, - or word interesting value insertion. */ + // 如果该值不可能是位翻转、算术操作或词有趣值插入的结果,则进行处理。 + if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) && + !could_be_arith(orig, interesting_32[j], 4) && + !could_be_interest(orig, interesting_32[j], 4, 0)) { + stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 - if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) && - !could_be_arith(orig, interesting_32[j], 4) && - !could_be_interest(orig, interesting_32[j], 4, 0)) { + *(u32*)(out_buf + i) = interesting_32[j]; // 设置有趣的值。 - stage_val_type = STAGE_VAL_LE; + // 执行模糊测试操作,如果需要则放弃当前输入。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; // 增加当前阶段的计数器。 + } else stage_max--; // 减少最大次数。 - *(u32*)(out_buf + i) = interesting_32[j]; - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - - } else stage_max--; - - if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && - !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && - !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && - !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) { + // 对于大端情况也进行相同的处理。 + if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && + !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && + !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && + !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) { +// 设置阶段值类型为大端。 stage_val_type = STAGE_VAL_BE; - *(u32*)(out_buf + i) = SWAP32(interesting_32[j]); if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; stage_cur++; @@ -5782,930 +5827,909 @@ skip_arith: } else stage_max--; } +// 恢复原始的32位整数值。 +*(u32*)(out_buf + i) = orig; - *(u32*)(out_buf + i) = orig; - - } +// 完成对当前输入数据的所有有趣值设置后,更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_INTEREST32] += stage_max; +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_INTEREST32] += stage_max; +// 如果没有用户定义的额外数据,则跳过此段代码。 skip_interest: - /******************** - * DICTIONARY STUFF * - ********************/ - - if (!extras_cnt) goto skip_user_extras; - - /* Overwrite with user-supplied extras. */ - - stage_name = "user extras (over)"; - stage_short = "ext_UO"; - stage_cur = 0; - stage_max = extras_cnt * len; +/******************** + * DICTIONARY STUFF * + ********************/ +if (!extras_cnt) goto skip_user_extras; - stage_val_type = STAGE_VAL_NONE; +// 使用用户提供的额外数据进行覆盖操作。 +stage_name = "user extras (over)"; +stage_short = "ext_UO"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = extras_cnt * len; // 最大次数为额外数据的数量乘以输入数据的长度。 - orig_hit_cnt = new_hit_cnt; +stage_val_type = STAGE_VAL_NONE; // 设置阶段值类型为无。 - for (i = 0; i < len; i++) { +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 +// 对输入数据的每个字节位置进行操作。 +for (i = 0; i < len; i++) { u32 last_len = 0; + stage_cur_byte = i; // 设置当前处理的字节位置。 - stage_cur_byte = i; - - /* Extras are sorted by size, from smallest to largest. This means - that we don't have to worry about restoring the buffer in - between writes at a particular offset determined by the outer - loop. */ - + // 遍历每个额外数据。 for (j = 0; j < extras_cnt; j++) { + // 如果额外数据的数量大于最大确定性额外数据,或者没有足够的空间插入数据, + // 或者该数据已经存在于输出缓冲区中,或者有效性映射显示该位置不适合插入,则跳过此额外数据。 + if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || + extras[j].len > len - i || + !memcmp(extras[j].data, out_buf + i, extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) { + stage_max--; + continue; + } - /* Skip extras probabilistically if extras_cnt > MAX_DET_EXTRAS. Also - skip them if there's no room to insert the payload, if the token - is redundant, or if its entire span has no bytes set in the effector - map. */ - - if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || - extras[j].len > len - i || - !memcmp(extras[j].data, out_buf + i, extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) { - - stage_max--; - continue; - - } - - last_len = extras[j].len; - memcpy(out_buf + i, extras[j].data, last_len); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + last_len = extras[j].len; + memcpy(out_buf + i, extras[j].data, last_len); // 将额外数据复制到输出缓冲区的当前位置。 - stage_cur++; + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; // 对修改后的输出缓冲区执行通用模糊测试操作。 + stage_cur++; // 增加当前阶段的计数器。 } - /* Restore all the clobbered memory. */ + // 恢复所有被覆盖的内存。 memcpy(out_buf + i, in_buf + i, last_len); +} - } - - new_hit_cnt = queued_paths + unique_crashes; - - stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_EXTRAS_UO] += stage_max; - - /* Insertion of user-supplied extras. */ +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; - stage_name = "user extras (insert)"; - stage_short = "ext_UI"; - stage_cur = 0; - stage_max = extras_cnt * (len + 1); +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_EXTRAS_UO] += stage_max; - orig_hit_cnt = new_hit_cnt; +// 用户提供的额外数据进行插入操作。 +stage_name = "user extras (insert)"; +stage_short = "ext_UI"; +stage_cur = 0; // 初始化当前阶段的计数器。 +stage_max = extras_cnt * (len + 1); // 最大次数为额外数据的数量乘以(输入数据的长度 + 1)。 - ex_tmp = ck_alloc(len + MAX_DICT_FILE); +orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 - for (i = 0; i <= len; i++) { +// 分配临时缓冲区,大小为输入数据的长度加上最大字典文件的大小。 +ex_tmp = ck_alloc(len + MAX_DICT_FILE); - stage_cur_byte = i; +// 遍历输入数据的每个位置以及末尾。 +for (i = 0; i <= len; i++) { + stage_cur_byte = i; // 设置当前处理的字节位置。 + // 遍历每个额外数据。 for (j = 0; j < extras_cnt; j++) { + if (len + extras[j].len > MAX_FILE) { + stage_max--; + continue; + } - if (len + extras[j].len > MAX_FILE) { - stage_max--; - continue; - } - - /* Insert token */ - memcpy(ex_tmp + i, extras[j].data, extras[j].len); + // 插入额外数据。 + memcpy(ex_tmp + i, extras[j].data, extras[j].len); - /* Copy tail */ - memcpy(ex_tmp + i + extras[j].len, out_buf + i, len - i); + // 复制原始数据的剩余部分。 + memcpy(ex_tmp + i + extras[j].len, out_buf + i, len - i); - if (common_fuzz_stuff(argv, ex_tmp, len + extras[j].len)) { - ck_free(ex_tmp); - goto abandon_entry; - } - - stage_cur++; + if (common_fuzz_stuff(argv, ex_tmp, len + extras[j].len)) { + ck_free(ex_tmp); + goto abandon_entry; + } + stage_cur++; // 增加当前阶段的计数器。 } - /* Copy head */ + // 复制原始数据的当前部分。 ex_tmp[i] = out_buf[i]; +} - } - - ck_free(ex_tmp); - - new_hit_cnt = queued_paths + unique_crashes; +// 释放临时缓冲区。 +ck_free(ex_tmp); - stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_EXTRAS_UI] += stage_max; +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_EXTRAS_UI] += stage_max; +// 如果没有用户提供的额外数据,则跳过处理。 skip_user_extras: +if (!a_extras_cnt) goto skip_extras; - if (!a_extras_cnt) goto skip_extras; - - stage_name = "auto extras (over)"; - stage_short = "ext_AO"; - stage_cur = 0; - stage_max = MIN(a_extras_cnt, USE_AUTO_EXTRAS) * len; +// 设置当前阶段的名称和简短名称。 +stage_name = "auto extras (over)"; +stage_short = "ext_AO"; +// 初始化当前阶段的计数器和最大值,最大值是额外数据的数量乘以输入数据的长度。 +stage_cur = 0; +stage_max = MIN(a_extras_cnt, USE_AUTO_EXTRAS) * len; - stage_val_type = STAGE_VAL_NONE; +// 设置阶段值类型为无。 +stage_val_type = STAGE_VAL_NONE; - orig_hit_cnt = new_hit_cnt; - - for (i = 0; i < len; i++) { +// 记录原始的命中次数。 +orig_hit_cnt = new_hit_cnt; +// 遍历输入数据的每个字节位置。 +for (i = 0; i < len; i++) { u32 last_len = 0; + // 设置当前处理的字节位置。 stage_cur_byte = i; + // 遍历每个额外数据。 for (j = 0; j < MIN(a_extras_cnt, USE_AUTO_EXTRAS); j++) { + // 如果额外数据的大小超过了剩余长度,或者该数据已经存在于输出缓冲区中, + // 或者有效性映射显示该位置不适合插入,则跳过此额外数据。 + if (a_extras[j].len > len - i || + !memcmp(a_extras[j].data, out_buf + i, a_extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, a_extras[j].len))) { + stage_max--; + continue; + } - /* See the comment in the earlier code; extras are sorted by size. */ - - if (a_extras[j].len > len - i || - !memcmp(a_extras[j].data, out_buf + i, a_extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, a_extras[j].len))) { - - stage_max--; - continue; - - } - - last_len = a_extras[j].len; - memcpy(out_buf + i, a_extras[j].data, last_len); - - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + // 记录额外数据的长度,并将其复制到输出缓冲区的当前位置。 + last_len = a_extras[j].len; + memcpy(out_buf + i, a_extras[j].data, last_len); - stage_cur++; + // 对修改后的输出缓冲区执行通用模糊测试操作,如果需要则放弃当前输入。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + // 增加当前阶段的计数器。 + stage_cur++; } - /* Restore all the clobbered memory. */ + // 恢复所有被覆盖的内存。 memcpy(out_buf + i, in_buf + i, last_len); +} - } - - new_hit_cnt = queued_paths + unique_crashes; +// 更新新的命中次数。 +new_hit_cnt = queued_paths + unique_crashes; - stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; - stage_cycles[STAGE_EXTRAS_AO] += stage_max; +// 记录在当前阶段发现的新问题数量和周期计数。 +stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; +stage_cycles[STAGE_EXTRAS_AO] += stage_max; +// 跳过额外数据的处理。 skip_extras: - /* If we made this to here without jumping to havoc_stage or abandon_entry, - we're properly done with deterministic steps and can mark it as such - in the .state/ directory. */ +// 如果我们到达这里而没有跳转到havoc_stage或abandon_entry, +// 则我们已经完成了确定性的步骤,并可以在.state目录中标记为完成。 +if (!queue_cur->passed_det) mark_as_det_done(queue_cur); - if (!queue_cur->passed_det) mark_as_det_done(queue_cur); - - /**************** - * RANDOM HAVOC * - ****************/ +//**************** +//* RANDOM HAVOC * +//**************** +// 到达随机混沌(havoc)阶段。 havoc_stage: +stage_cur_byte = -1; - stage_cur_byte = -1; - - /* The havoc stage mutation code is also invoked when splicing files; if the - splice_cycle variable is set, generate different descriptions and such. */ - - if (!splice_cycle) { - +// 如果当前是拼接周期,则生成不同的描述。 +if (!splice_cycle) { + // 设置混沌阶段的名称和简短名称。 stage_name = "havoc"; stage_short = "havoc"; + // 计算混沌阶段的最大运行次数,基于性能得分和一些常数。 stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) * perf_score / havoc_div / 100; - - } else { - +} else { + // 如果是拼接周期,设置特定的名称和最大运行次数。 static u8 tmp[32]; - perf_score = orig_perf; - sprintf(tmp, "splice %u", splice_cycle); stage_name = tmp; stage_short = "splice"; stage_max = SPLICE_HAVOC * perf_score / havoc_div / 100; +} - } - - if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; - - temp_len = len; - - orig_hit_cnt = queued_paths + unique_crashes; +// 确保最大运行次数不低于最小值。 +if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; - havoc_queued = queued_paths; +// 设置临时长度为输入数据的长度。 +temp_len = len; - /* We essentially just do several thousand runs (depending on perf_score) - where we take the input file and make random stacked tweaks. */ +// 记录原始的命中次数。 +orig_hit_cnt = queued_paths + unique_crashes; - for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { +// 记录当前队列中的路径数量。 +havoc_queued = queued_paths; +/* + 我们基本上执行几千次运行(取决于perf_score),在这些运行中我们获取输入文件并进行随机的叠加修改。 +*/ +for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + // 随机选择一个叠加因子,范围从1到2^(HAVOC_STACK_POW2)。 u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); + // 将当前阶段的值设置为所选的叠加因子。 stage_cur_val = use_stacking; - - for (i = 0; i < use_stacking; i++) { - - switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { - - case 0: - - /* Flip a single bit somewhere. Spooky! */ - - FLIP_BIT(out_buf, UR(temp_len << 3)); - break; - - case 1: - - /* Set byte to interesting value. */ - - out_buf[UR(temp_len)] = interesting_8[UR(sizeof(interesting_8))]; - break; - - case 2: - - /* Set word to interesting value, randomly choosing endian. */ - - if (temp_len < 2) break; - - if (UR(2)) { - - *(u16*)(out_buf + UR(temp_len - 1)) = - interesting_16[UR(sizeof(interesting_16) >> 1)]; - - } else { - - *(u16*)(out_buf + UR(temp_len - 1)) = SWAP16( - interesting_16[UR(sizeof(interesting_16) >> 1)]); - - } - - break; - - case 3: - - /* Set dword to interesting value, randomly choosing endian. */ - - if (temp_len < 4) break; - - if (UR(2)) { - - *(u32*)(out_buf + UR(temp_len - 3)) = - interesting_32[UR(sizeof(interesting_32) >> 2)]; - - } else { - - *(u32*)(out_buf + UR(temp_len - 3)) = SWAP32( - interesting_32[UR(sizeof(interesting_32) >> 2)]); - - } - - break; - - case 4: - - /* Randomly subtract from byte. */ - - out_buf[UR(temp_len)] -= 1 + UR(ARITH_MAX); - break; - - case 5: - - /* Randomly add to byte. */ - - out_buf[UR(temp_len)] += 1 + UR(ARITH_MAX); - break; - - case 6: - - /* Randomly subtract from word, random endian. */ - - if (temp_len < 2) break; - - if (UR(2)) { - - u32 pos = UR(temp_len - 1); - - *(u16*)(out_buf + pos) -= 1 + UR(ARITH_MAX); - - } else { - - u32 pos = UR(temp_len - 1); - u16 num = 1 + UR(ARITH_MAX); - - *(u16*)(out_buf + pos) = - SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); - - } - - break; - - case 7: - - /* Randomly add to word, random endian. */ - if (temp_len < 2) break; - - if (UR(2)) { - - u32 pos = UR(temp_len - 1); - - *(u16*)(out_buf + pos) += 1 + UR(ARITH_MAX); - - } else { - - u32 pos = UR(temp_len - 1); - u16 num = 1 + UR(ARITH_MAX); - - *(u16*)(out_buf + pos) = - SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); - - } - - break; - - case 8: - - /* Randomly subtract from dword, random endian. */ - - if (temp_len < 4) break; - - if (UR(2)) { - - u32 pos = UR(temp_len - 3); - - *(u32*)(out_buf + pos) -= 1 + UR(ARITH_MAX); - - } else { - - u32 pos = UR(temp_len - 3); - u32 num = 1 + UR(ARITH_MAX); - - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); - - } - - break; - - case 9: - - /* Randomly add to dword, random endian. */ - - if (temp_len < 4) break; - - if (UR(2)) { - - u32 pos = UR(temp_len - 3); - - *(u32*)(out_buf + pos) += 1 + UR(ARITH_MAX); - - } else { - - u32 pos = UR(temp_len - 3); - u32 num = 1 + UR(ARITH_MAX); - - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); - - } - - break; - - case 10: - - /* Just set a random byte to a random value. Because, - why not. We use XOR with 1-255 to eliminate the - possibility of a no-op. */ - - out_buf[UR(temp_len)] ^= 1 + UR(255); - break; - - case 11 ... 12: { - - /* Delete bytes. We're making this a bit more likely - than insertion (the next option) in hopes of keeping - files reasonably small. */ - - u32 del_from, del_len; - - if (temp_len < 2) break; - - /* Don't delete too much. */ - - del_len = choose_block_len(temp_len - 1); - - del_from = UR(temp_len - del_len + 1); - - memmove(out_buf + del_from, out_buf + del_from + del_len, - temp_len - del_from - del_len); - - temp_len -= del_len; - - break; - - } - - case 13: - - if (temp_len + HAVOC_BLK_XL < MAX_FILE) { - - /* Clone bytes (75%) or insert a block of constant bytes (25%). */ - - u8 actually_clone = UR(4); - u32 clone_from, clone_to, clone_len; - u8* new_buf; - - if (actually_clone) { - - clone_len = choose_block_len(temp_len); - clone_from = UR(temp_len - clone_len + 1); - - } else { - - clone_len = choose_block_len(HAVOC_BLK_XL); - clone_from = 0; - - } - - clone_to = UR(temp_len); - - new_buf = ck_alloc_nozero(temp_len + clone_len); - - /* Head */ - - memcpy(new_buf, out_buf, clone_to); - - /* Inserted part */ - - if (actually_clone) - memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); - else - memset(new_buf + clone_to, - UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len); - - /* Tail */ - memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, - temp_len - clone_to); - - ck_free(out_buf); - out_buf = new_buf; - temp_len += clone_len; - - } - - break; - - case 14: { - - /* Overwrite bytes with a randomly selected chunk (75%) or fixed - bytes (25%). */ - - u32 copy_from, copy_to, copy_len; - - if (temp_len < 2) break; - - copy_len = choose_block_len(temp_len - 1); - - copy_from = UR(temp_len - copy_len + 1); - copy_to = UR(temp_len - copy_len + 1); - - if (UR(4)) { - - if (copy_from != copy_to) - memmove(out_buf + copy_to, out_buf + copy_from, copy_len); - - } else memset(out_buf + copy_to, - UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); - - break; - - } - - /* Values 15 and 16 can be selected only if there are any extras - present in the dictionaries. */ + // 根据叠加因子重复多次修改操作。 + for (i = 0; i < use_stacking; i++) { + // 随机选择一个操作,如果存在额外的数据,则选项会更多。 + switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { + /* + 在某个位置翻转单个位。这是一项基本的位操作,可以用来测试程序对位错误的敏感性。 + */ + case 0: + FLIP_BIT(out_buf, UR(temp_len << 3)); + break; + + /* + 将某个字节设置为一个有趣的值。这些值通常是那些在程序逻辑中具有特殊意义的值,比如0, 1, -1等。 + */ + case 1: + out_buf[UR(temp_len)] = interesting_8[UR(sizeof(interesting_8))]; + break; + + /* + 将某个字(word)设置为一个有趣的值,并随机选择字节序。 + 字节序的选择可以帮助测试程序对不同字节序的处理能力。 + */ + case 2: + if (temp_len < 2) break; + + if (UR(2)) { + *(u16*)(out_buf + UR(temp_len - 1)) = interesting_16[UR(sizeof(interesting_16) >> 1)]; + } else { + *(u16*)(out_buf + UR(temp_len - 1)) = SWAP16(interesting_16[UR(sizeof(interesting_16) >> 1)]); + } + break; + + /* + 将某个双字(dword)设置为一个有趣的值,并随机选择字节序。 + 类似于字操作,但是针对更大的数据单元。 + */ + case 3: + if (temp_len < 4) break; + + if (UR(2)) { + *(u32*)(out_buf + UR(temp_len - 3)) = interesting_32[UR(sizeof(interesting_32) >> 2)]; + } else { + *(u32*)(out_buf + UR(temp_len - 3)) = SWAP32(interesting_32[UR(sizeof(interesting_32) >> 2)]); + } + break; + + /* + 从某个字节随机减去一个值。这是一种简单的算术操作,可以用来测试程序的健壮性。 + */ + case 4: + out_buf[UR(temp_len)] -= 1 + UR(ARITH_MAX); + break; + + /* + 向某个字节随机添加一个值。 + */ + case 5: + out_buf[UR(temp_len)] += 1 + UR(ARITH_MAX); + break; + + /* + 从一个词(word)随机减去一个值,并随机选择字节序。 + */ + case 6: + if (temp_len < 2) break; + + if (UR(2)) { + u32 pos = UR(temp_len - 1); + *(u16*)(out_buf + pos) -= 1 + UR(ARITH_MAX); + } else { + u32 pos = UR(temp_len - 1); + u16 num = 1 + UR(ARITH_MAX); + *(u16*)(out_buf + pos) = SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); + } + break; + + /* + 向一个词(word)随机添加一个值,并随机选择字节序。 + */ + case 7: + if (temp_len < 2) break; + + if (UR(2)) { + u32 pos = UR(temp_len - 1); + *(u16*)(out_buf + pos) += 1 + UR(ARITH_MAX); + } else { + u32 pos = UR(temp_len - 1); + u16 num = 1 + UR(ARITH_MAX); + *(u16*)(out_buf + pos) = SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); + } + break; + + /* + 从一个双字(dword)随机减去一个值,并随机选择字节序。 + */ + case 8: + if (temp_len < 4) break; + + if (UR(2)) { + u32 pos = UR(temp_len - 3); + *(u32*)(out_buf + pos) -= 1 + UR(ARITH_MAX); + } else { + u32 pos = UR(temp_len - 3); + u32 num = 1 + UR(ARITH_MAX); + *(u32*)(out_buf + pos) = SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); + } + break; +// case 9: 开始处理第9种情况,即随机增加一个双字节(dword),可以是随机字节序。 +case 9: + /* 如果临时数据长度小于4字节,则无法进行操作,因此跳出。 */ + if (temp_len < 4) break; + + // 以50%的概率选择是增加一个双字节还是进行字节序交换后增加。 + if (UR(2)) { + u32 pos = UR(temp_len - 3); + // 直接在指定位置增加一个随机值,范围从1到ARITH_MAX。 + *(u32*)(out_buf + pos) += 1 + UR(ARITH_MAX); + } else { + u32 pos = UR(temp_len - 3); + u32 num = 1 + UR(ARITH_MAX); + // 先进行字节序交换,然后增加一个随机值,最后再进行字节序交换。 + *(u32*)(out_buf + pos) = + SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); + } + break; - case 15: { +// case 10: 开始处理第10种情况,即随机设置一个字节为随机值。 +case 10: + /* 随机选择一个字节,然后使用XOR操作将其设置为1到255之间的随机值,以避免无操作(no-op)。 */ + out_buf[UR(temp_len)] ^= 1 + UR(255); + break; - /* Overwrite bytes with an extra. */ +// case 11和case 12: 开始处理删除字节的操作。 +case 11 ... 12: { + /* 删除字节。我们使得这个操作比插入(下一个选项)更有可能,以希望保持文件的合理大小。 */ + u32 del_from, del_len; - if (!extras_cnt || (a_extras_cnt && UR(2))) { + // 如果临时数据长度小于2字节,则无法进行删除操作,因此跳出。 + if (temp_len < 2) break; - /* No user-specified extras or odds in our favor. Let's use an - auto-detected one. */ + /* 不要删除太多数据。 */ + del_len = choose_block_len(temp_len - 1); + del_from = UR(temp_len - del_len + 1); - u32 use_extra = UR(a_extras_cnt); - u32 extra_len = a_extras[use_extra].len; - u32 insert_at; + // 将删除位置之后的数据向前移动。 + memmove(out_buf + del_from, out_buf + del_from + del_len, + temp_len - del_from - del_len); - if (extra_len > temp_len) break; + temp_len -= del_len; // 更新临时数据长度。 + break; +} - insert_at = UR(temp_len - extra_len + 1); - memcpy(out_buf + insert_at, a_extras[use_extra].data, extra_len); +// case 13: 开始处理插入或克隆字节的操作。 +case 13: + if (temp_len + HAVOC_BLK_XL < MAX_FILE) { + /* 克隆字节(75%概率)或插入一个常数块(25%概率)。 */ + u8 actually_clone = UR(4); + u32 clone_from, clone_to, clone_len; + u8* new_buf; + + if (actually_clone) { + clone_len = choose_block_len(temp_len); + clone_from = UR(temp_len - clone_len + 1); + } else { + clone_len = choose_block_len(HAVOC_BLK_XL); + clone_from = 0; + } - } else { + clone_to = UR(temp_len); - /* No auto extras or odds in our favor. Use the dictionary. */ + new_buf = ck_alloc_nozero(temp_len + clone_len); - u32 use_extra = UR(extras_cnt); - u32 extra_len = extras[use_extra].len; - u32 insert_at; + /* 头部 */ + memcpy(new_buf, out_buf, clone_to); - if (extra_len > temp_len) break; + /* 插入部分 */ + if (actually_clone) + memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); + else + memset(new_buf + clone_to, + UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len); - insert_at = UR(temp_len - extra_len + 1); - memcpy(out_buf + insert_at, extras[use_extra].data, extra_len); + /* 尾部 */ + memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, + temp_len - clone_to); - } + ck_free(out_buf); + out_buf = new_buf; + temp_len += clone_len; // 更新临时数据长度。 + } + break; - break; +// case 14: 开始处理用随机选择的数据块或固定数据覆盖字节的操作。 +case 14: { + u32 copy_from, copy_to, copy_len; - } + if (temp_len < 2) break; - case 16: { + copy_len = choose_block_len(temp_len - 1); - u32 use_extra, extra_len, insert_at = UR(temp_len + 1); - u8* new_buf; + copy_from = UR(temp_len - copy_len + 1); + copy_to = UR(temp_len - copy_len + 1); - /* Insert an extra. Do the same dice-rolling stuff as for the - previous case. */ + if (UR(4)) { + if (copy_from != copy_to) + memmove(out_buf + copy_to, out_buf + copy_from, copy_len); + } else { + memset(out_buf + copy_to, + UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); + } + break; +} - if (!extras_cnt || (a_extras_cnt && UR(2))) { +/* 只有当字典中有额外数据时,才能选择值15和16。 */ - use_extra = UR(a_extras_cnt); - extra_len = a_extras[use_extra].len; +// case 15: 开始处理用额外数据覆盖字节的操作。 +case 15: { + if (!extras_cnt || (a_extras_cnt && UR(2))) { + /* 没有用户指定的额外数据,或者随机数倾向于使用自动检测到的数据。 */ + u32 use_extra = UR(a_extras_cnt); + u32 extra_len = a_extras[use_extra].len; + u32 insert_at; - if (temp_len + extra_len >= MAX_FILE) break; + if (extra_len > temp_len) break; - new_buf = ck_alloc_nozero(temp_len + extra_len); + insert_at = UR(temp_len - extra_len + 1); + memcpy(out_buf + insert_at, a_extras[use_extra].data, extra_len); + } else { + /* 没有自动检测到的额外数据,或者随机数倾向于使用字典中的数据。 */ + u32 use_extra = UR(extras_cnt); + u32 extra_len = extras[use_extra].len; + u32 insert_at; - /* Head */ - memcpy(new_buf, out_buf, insert_at); + if (extra_len > temp_len) break; - /* Inserted part */ - memcpy(new_buf + insert_at, a_extras[use_extra].data, extra_len); + insert_at = UR(temp_len - extra_len + 1); + memcpy(out_buf + insert_at, extras[use_extra].data, extra_len); + } + break; +} - } else { +// case 16: 开始处理插入额外数据的操作。 +case 16: { + u32 use_extra, extra_len, insert_at = UR(temp_len + 1); + u8* new_buf; - use_extra = UR(extras_cnt); - extra_len = extras[use_extra].len; + if (!extras_cnt || (a_extras_cnt && UR(2))) { + use_extra = UR(a_extras_cnt); + extra_len = a_extras[use_extra].len; - if (temp_len + extra_len >= MAX_FILE) break; + if (temp_len + extra_len >= MAX_FILE) break; - new_buf = ck_alloc_nozero(temp_len + extra_len); + new_buf = ck_alloc_nozero(temp_len + extra_len); - /* Head */ - memcpy(new_buf, out_buf, insert_at); + /* 头部 */ + memcpy(new_buf, out_buf, insert_at); - /* Inserted part */ - memcpy(new_buf + insert_at, extras[use_extra].data, extra_len); + /* 插入部分 */ + memcpy(new_buf + insert_at, a_extras[use_extra].data, extra_len); + } else { + use_extra = UR(extras_cnt); + extra_len = extras[use_extra].len; - } + if (temp_len + extra_len >= MAX_FILE) break; - /* Tail */ - memcpy(new_buf + insert_at + extra_len, out_buf + insert_at, - temp_len - insert_at); + new_buf = ck_alloc_nozero(temp_len + extra_len); - ck_free(out_buf); - out_buf = new_buf; - temp_len += extra_len; + /* 头部 */ + memcpy(new_buf, out_buf, insert_at); - break; + /* 插入部分 */ + memcpy(new_buf + insert_at, extras[use_extra].data, extra_len); + } - } + /* 尾部 */ + memcpy(new_buf + insert_at + extra_len, out_buf + insert_at, + temp_len - insert_at); + ck_free(out_buf); + out_buf = new_buf; + temp_len += extra_len; // 更新临时数据长度。 + break; + } } - } - - if (common_fuzz_stuff(argv, out_buf, temp_len)) - goto abandon_entry; - - /* out_buf might have been mangled a bit, so let's restore it to its - original size and shape. */ - - if (temp_len < len) out_buf = ck_realloc(out_buf, len); - temp_len = len; - memcpy(out_buf, in_buf, len); - - /* If we're finding new stuff, let's run for a bit longer, limits - permitting. */ - - if (queued_paths != havoc_queued) { - - if (perf_score <= HAVOC_MAX_MULT * 100) { + } +} +// 检查通用模糊测试函数是否指示我们应该放弃当前的输入。 +// 如果common_fuzz_stuff函数返回真(非零值),则跳转到标签abandon_entry。 +if (common_fuzz_stuff(argv, out_buf, temp_len)) + goto abandon_entry; + +// 如果out_buf在之前的处理中被破坏了,我们需要将其恢复到原始大小和形状。 +// 如果临时长度temp_len小于原始长度len,我们需要重新分配out_buf的大小为len。 +if (temp_len < len) + out_buf = ck_realloc(out_buf, len); +// 将temp_len设置回原始长度len。 +temp_len = len; +// 将原始输入数据in_buf复制回out_buf,以恢复其原始内容。 +memcpy(out_buf, in_buf, len); + +// 如果我们发现了新的问题或崩溃,我们应该在限制范围内继续运行更长时间。 +if (queued_paths != havoc_queued) { + // 如果性能得分perf_score小于或等于最大乘数HAVOC_MAX_MULT乘以100, + // 我们将当前阶段的最大尝试次数stage_max翻倍,并将性能得分perf_score翻倍。 + if (perf_score <= HAVOC_MAX_MULT * 100) { stage_max *= 2; perf_score *= 2; - } - - havoc_queued = queued_paths; - } + // 更新havoc_queued为当前的queued_paths值。 + havoc_queued = queued_paths; +} - } - - new_hit_cnt = queued_paths + unique_crashes; +// 计算新的发现数量,包括新加入队列的路径数queued_paths和独特的崩溃数unique_crashes。 +new_hit_cnt = queued_paths + unique_crashes; - if (!splice_cycle) { +// 如果当前不是拼接周期splice_cycle,则更新HAVOC阶段的发现和周期计数。 +if (!splice_cycle) { stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_HAVOC] += stage_max; - } else { +} else { + // 如果当前是拼接周期,则更新SPLICE阶段的发现和周期计数。 stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_SPLICE] += stage_max; - } +} +// 如果没有定义IGNORE_FINDS宏,则执行以下代码。 #ifndef IGNORE_FINDS /************ * SPLICING * ************/ - /* This is a last-resort strategy triggered by a full round with no findings. - It takes the current input file, randomly selects another input, and - splices them together at some offset, then relies on the havoc - code to mutate that blob. */ + /* 这是一种最后的手段策略,当一轮完整的测试没有发现任何问题时触发。 + 它获取当前的输入文件,随机选择另一个输入,并在某个偏移量处将它们拼接在一起, + 然后依赖havoc代码来变异这个新拼接的数据块。*/ + retry_splicing: - if (use_splicing && splice_cycle++ < SPLICE_CYCLES && - queued_paths > 1 && queue_cur->len > 1) { +// 如果启用了拼接,并且拼接周期小于最大拼接周期数,并且队列中有多个测试用例,且当前测试用例长度大于1,则尝试拼接操作。 +if (use_splicing && splice_cycle++ < SPLICE_CYCLES && + queued_paths > 1 && queue_cur->len > 1) { - struct queue_entry* target; - u32 tid, split_at; - u8* new_buf; - s32 f_diff, l_diff; + struct queue_entry* target; // 指向目标队列条目的指针 + u32 tid, split_at; // 目标ID和分割点 + u8* new_buf; // 新的缓冲区 + s32 f_diff, l_diff; // 第一个和最后一个不同字节的位置 - /* First of all, if we've modified in_buf for havoc, let's clean that - up... */ + /* 首先,如果我们对in_buf进行了havoc操作的修改,我们需要清理它... */ - if (in_buf != orig_in) { - ck_free(in_buf); - in_buf = orig_in; - len = queue_cur->len; - } + // 如果in_buf不是原始输入缓冲区,释放它并将in_buf重置为原始输入缓冲区 + if (in_buf != orig_in) { + ck_free(in_buf); + in_buf = orig_in; + len = queue_cur->len; + } - /* Pick a random queue entry and seek to it. Don't splice with yourself. */ + /* 随机选择一个队列条目并定位到它。不要与自己拼接。 */ - do { tid = UR(queued_paths); } while (tid == current_entry); + // 随机选择一个目标ID,确保它不是当前条目 + do { tid = UR(queued_paths); } while (tid == current_entry); - splicing_with = tid; - target = queue; + splicing_with = tid; // 记录当前拼接的目标ID + target = queue; // 初始化目标指向队列头部 - while (tid >= 100) { target = target->next_100; tid -= 100; } - while (tid--) target = target->next; + // 定位到目标队列条目 + while (tid >= 100) { target = target->next_100; tid -= 100; } + while (tid--) target = target->next; - /* Make sure that the target has a reasonable length. */ + /* 确保目标有合理的长度。 */ - while (target && (target->len < 2 || target == queue_cur)) { - target = target->next; - splicing_with++; - } + // 确保目标条目长度足够,并且不是当前条目 + while (target && (target->len < 2 || target == queue_cur)) { + target = target->next; + splicing_with++; + } - if (!target) goto retry_splicing; + // 如果没有合适的目标,重试拼接 + if (!target) goto retry_splicing; - /* Read the testcase into a new buffer. */ + /* 将测试用例读入新缓冲区。 */ - fd = open(target->fname, O_RDONLY); + // 打开目标文件 + fd = open(target->fname, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + // 如果打开失败,输出错误信息并退出 + if (fd < 0) PFATAL("Unable to open '%s'", target->fname); - new_buf = ck_alloc_nozero(target->len); + // 分配新缓冲区 + new_buf = ck_alloc_nozero(target->len); - ck_read(fd, new_buf, target->len, target->fname); + // 读取目标文件内容到新缓冲区 + ck_read(fd, new_buf, target->len, target->fname); - close(fd); + // 关闭文件描述符 + close(fd); - /* Find a suitable splicing location, somewhere between the first and - the last differing byte. Bail out if the difference is just a single - byte or so. */ + /* 寻找合适的拼接位置,在第一个和最后一个不同字节之间。如果差异只是单个字节或很少几个字节,则放弃。 */ - locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff); + // 定位两个缓冲区中的差异 + locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff); - if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { - ck_free(new_buf); - goto retry_splicing; - } + // 如果没有合适的差异或者差异太小,释放新缓冲区并重试拼接 + if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { + ck_free(new_buf); + goto retry_splicing; + } - /* Split somewhere between the first and last differing byte. */ + /* 在第一个和最后一个不同字节之间选择一个位置进行分割。 */ - split_at = f_diff + UR(l_diff - f_diff); + // 选择分割点 + split_at = f_diff + UR(l_diff - f_diff); - /* Do the thing. */ + /* 执行拼接操作。 */ - len = target->len; - memcpy(new_buf, in_buf, split_at); - in_buf = new_buf; + // 更新长度为目标长度 + len = target->len; + // 将分割点之前的数据复制到新缓冲区 + memcpy(new_buf, in_buf, split_at); + // 更新输入缓冲区为新缓冲区 + in_buf = new_buf; - ck_free(out_buf); - out_buf = ck_alloc_nozero(len); - memcpy(out_buf, in_buf, len); + // 释放旧的输出缓冲区 + ck_free(out_buf); + // 分配新的输出缓冲区 + out_buf = ck_alloc_nozero(len); + // 将新缓冲区内容复制到输出缓冲区 + memcpy(out_buf, in_buf, len); - goto havoc_stage; + // 跳转到havoc阶段 + goto havoc_stage; - } +} #endif /* !IGNORE_FINDS */ - ret_val = 0; +// 设置返回值为0 +ret_val = 0; +// 放弃当前条目 abandon_entry: - splicing_with = -1; +// 重置拼接目标ID +splicing_with = -1; - /* Update pending_not_fuzzed count if we made it through the calibration - cycle and have not seen this entry before. */ + /* 如果我们通过了校准周期并且之前没有见过这个条目,更新待处理未测试计数。 */ + // 如果没有停止信号,当前条目没有校准失败,且之前未被测试过 if (!stop_soon && !queue_cur->cal_failed && !queue_cur->was_fuzzed) { + // 标记当前条目为已测试 queue_cur->was_fuzzed = 1; + // 减少待处理未测试计数 pending_not_fuzzed--; + // 如果当前条目是优选的,减少优选计数 if (queue_cur->favored) pending_favored--; } + // 取消映射原始输入缓冲区 munmap(orig_in, queue_cur->len); + // 如果in_buf不是原始输入缓冲区,释放它 if (in_buf != orig_in) ck_free(in_buf); + // 释放输出缓冲区 ck_free(out_buf); + // 释放效果映射缓冲区 ck_free(eff_map); + // 返回结果 return ret_val; #undef FLIP_BIT } +/* 从其他模糊测试器中获取有趣的测试用例。 */ - -/* Grab interesting test cases from other fuzzers. */ - +// 这个函数用于在分布式模糊测试环境中,从其他模糊测试器中同步测试用例。 static void sync_fuzzers(char** argv) { - DIR* sd; - struct dirent* sd_ent; - u32 sync_cnt = 0; + DIR* sd; // 指向同步目录的目录流 + struct dirent* sd_ent; // 目录流中的当前条目 + u32 sync_cnt = 0; // 同步的模糊测试器数量 + // 打开同步目录 sd = opendir(sync_dir); if (!sd) PFATAL("Unable to open '%s'", sync_dir); + // 重置阶段最大值和当前值,以及当前深度 stage_max = stage_cur = 0; cur_depth = 0; - /* Look at the entries created for every other fuzzer in the sync directory. */ + /* 查看同步目录中为每个其他模糊测试器创建的条目。 */ + // 遍历同步目录中的每个条目 while ((sd_ent = readdir(sd))) { - static u8 stage_tmp[128]; + static u8 stage_tmp[128]; // 临时阶段名称 - DIR* qd; - struct dirent* qd_ent; - u8 *qd_path, *qd_synced_path; - u32 min_accept = 0, next_min_accept; + DIR* qd; // 指向队列目录的目录流 + struct dirent* qd_ent; // 队列目录中的当前条目 + u8 *qd_path, *qd_synced_path; // 队列目录和同步目录的路径 + u32 min_accept = 0, next_min_accept; // 最小接受的测试用例ID和下一个最小接受的测试用例ID - s32 id_fd; + s32 id_fd; // 用于存储最后看到的测试用例ID的文件的文件描述符 - /* Skip dot files and our own output directory. */ + /* 跳过隐藏文件和我们自己的输出目录。 */ + // 如果条目是隐藏文件或与我们自己的同步ID相同,则跳过 if (sd_ent->d_name[0] == '.' || !strcmp(sync_id, sd_ent->d_name)) continue; - /* Skip anything that doesn't have a queue/ subdirectory. */ + /* 跳过任何没有queue/子目录的东西。 */ + // 构造队列目录的路径 qd_path = alloc_printf("%s/%s/queue", sync_dir, sd_ent->d_name); + // 打开队列目录 if (!(qd = opendir(qd_path))) { ck_free(qd_path); continue; } - /* Retrieve the ID of the last seen test case. */ + /* 检索最后看到的测试用例的ID。 */ + // 构造同步目录中用于存储最后看到的测试用例ID的文件的路径 qd_synced_path = alloc_printf("%s/.synced/%s", out_dir, sd_ent->d_name); + // 打开或创建用于存储最后看到的测试用例ID的文件 id_fd = open(qd_synced_path, O_RDWR | O_CREAT, 0600); + // 如果打开文件失败,则输出错误信息并退出 if (id_fd < 0) PFATAL("Unable to create '%s'", qd_synced_path); + // 如果文件中已经有数据,则读取最小接受的测试用例ID if (read(id_fd, &min_accept, sizeof(u32)) > 0) lseek(id_fd, 0, SEEK_SET); + // 更新下一个最小接受的测试用例ID next_min_accept = min_accept; - /* Show stats */ + /* 显示统计信息 */ + // 设置阶段名称和当前阶段值 sprintf(stage_tmp, "sync %u", ++sync_cnt); stage_name = stage_tmp; stage_cur = 0; stage_max = 0; - /* For every file queued by this fuzzer, parse ID and see if we have looked at - it before; exec a test case if not. */ + /* 对于这个模糊测试器排队的每个文件,解析ID并查看我们是否之前已经看过它; + 如果没有,执行测试用例。 */ + // 遍历队列目录中的每个条目 while ((qd_ent = readdir(qd))) { - u8* path; - s32 fd; - struct stat st; + u8* path; // 文件的路径 + s32 fd; // 文件描述符 + struct stat st; // 文件状态 + // 如果条目是隐藏文件或测试用例ID小于最小接受的测试用例ID,则跳过 if (qd_ent->d_name[0] == '.' || sscanf(qd_ent->d_name, CASE_PREFIX "%06u", &syncing_case) != 1 || syncing_case < min_accept) continue; - /* OK, sounds like a new one. Let's give it a try. */ + /* 好的,听起来像是一个新测试用例。让我们试试它。 */ + // 如果测试用例ID大于或等于下一个最小接受的测试用例ID if (syncing_case >= next_min_accept) next_min_accept = syncing_case + 1; + // 构造文件的路径 path = alloc_printf("%s/%s", qd_path, qd_ent->d_name); - /* Allow this to fail in case the other fuzzer is resuming or so... */ + /* 允许在其他模糊测试器正在恢复等情况下失败... */ + // 打开文件 fd = open(path, O_RDONLY); + // 如果打开文件失败,则释放路径内存并继续 if (fd < 0) { ck_free(path); continue; } + // 获取文件状态 if (fstat(fd, &st)) PFATAL("fstat() failed"); - /* Ignore zero-sized or oversized files. */ + /* 忽略大小为零或过大的文件。 */ + // 如果文件大小在允许范围内 if (st.st_size && st.st_size <= MAX_FILE) { - u8 fault; - u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + u8 fault; // 故障标志 + u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); // 将文件内容映射到内存 + // 如果映射失败,则输出错误信息并退出 if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path); - /* See what happens. We rely on save_if_interesting() to catch major - errors and save the test case. */ + /* 看看会发生什么。我们依赖save_if_interesting()来捕获主要 + 错误并保存测试用例。 */ + // 将测试用例写入测试用例缓冲区 write_to_testcase(mem, st.st_size); + // 运行目标程序并获取故障标志 fault = run_target(argv, exec_tmout); + // 如果收到停止信号,则返回 if (stop_soon) return; + // 设置当前正在同步的模糊测试器的名称 syncing_party = sd_ent->d_name; + // 将测试用例添加到队列中 queued_imported += save_if_interesting(argv, mem, st.st_size, fault); - syncing_party = 0; + // 重置当前正在同步的模糊测试器的名称 + // 取消内存映射并释放内存 munmap(mem, st.st_size); + // 如果需要,则显示统计信息 if (!(stage_cur++ % stats_update_freq)) show_stats(); } + // 释放路径内存并关闭文件描述符 ck_free(path); close(fd); } + // 将下一个最小接受的测试用例ID写入文件 ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path); + // 关闭文件描述符 close(id_fd); + // 关闭队列目录流 closedir(qd); + // 释放队列目录路径内存 ck_free(qd_path); + // 释放同步目录路径内存 ck_free(qd_synced_path); } + // 关闭同步目录流 closedir(sd); } +/* 处理停止信号(Ctrl-C等)。 */ -/* Handle stop signal (Ctrl-C, etc). */ - +// 这个函数用于处理停止信号,例如用户按下Ctrl-C。 static void handle_stop_sig(int sig) { + // 设置停止标志 stop_soon = 1; + // 如果子进程存在,则杀死它 if (child_pid > 0) kill(child_pid, SIGKILL); + // 如果fork服务器进程存在,则杀死它 if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); } +/* 处理跳过请求(SIGUSR1)。 */ -/* Handle skip request (SIGUSR1). */ - +// 这个函数用于处理跳过请求信号。 static void handle_skipreq(int sig) { + // 设置跳过请求标志 skip_requested = 1; } -/* Handle timeout (SIGALRM). */ +/* 处理超时(SIGALRM)。 */ +// 这个函数用于处理超时信号。 static void handle_timeout(int sig) { + // 如果子进程存在,则标记它为超时并杀死它 if (child_pid > 0) { child_timed_out = 1; @@ -6713,6 +6737,7 @@ static void handle_timeout(int sig) { } else if (child_pid == -1 && forksrv_pid > 0) { + // 如果子进程不存在但fork服务器进程存在,则标记它为超时并杀死它 child_timed_out = 1; kill(forksrv_pid, SIGKILL); @@ -6721,217 +6746,170 @@ static void handle_timeout(int sig) { } -/* Do a PATH search and find target binary to see that it exists and - isn't a shell script - a common and painful mistake. We also check for - a valid ELF header and for evidence of AFL instrumentation. */ +// 检查目标二进制文件是否存在、是否可执行等属性的函数 +void check_binary(u8* fname) { -EXP_ST void check_binary(u8* fname) { + u8* env_path = 0; // 环境变量PATH + struct stat st; // 文件状态结构体 - u8* env_path = 0; - struct stat st; - - s32 fd; - u8* f_data; - u32 f_len = 0; + s32 fd; // 文件描述符 + u8* f_data; // 文件数据 + u32 f_len = 0; // 文件长度 - ACTF("Validating target binary..."); + ACTF("Validating target binary..."); // 动作提示:验证目标二进制文件 + // 如果文件名中包含路径分隔符'/'或者环境变量PATH未设置,则直接使用文件名 if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - target_path = ck_strdup(fname); + target_path = ck_strdup(fname); // 复制文件名 + // 检查文件是否存在、是否为普通文件、是否可执行、文件长度是否至少为4字节 if (stat(target_path, &st) || !S_ISREG(st.st_mode) || !(st.st_mode & 0111) || (f_len = st.st_size) < 4) - FATAL("Program '%s' not found or not executable", fname); + FATAL("Program '%s' not found or not executable", fname); // 如果检查失败,输出错误信息并退出 } else { + // 如果环境变量PATH已设置,则遍历PATH中的每个目录 while (env_path) { - u8 *cur_elem, *delim = strchr(env_path, ':'); + u8 *cur_elem, *delim = strchr(env_path, ':'); // 查找路径分隔符':' if (delim) { - + // 如果找到分隔符,则复制当前目录到新分配的内存 cur_elem = ck_alloc(delim - env_path + 1); memcpy(cur_elem, env_path, delim - env_path); delim++; + } else cur_elem = ck_strdup(env_path); // 如果没有分隔符,复制剩余的路径 - } else cur_elem = ck_strdup(env_path); - - env_path = delim; + env_path = delim; // 更新env_path指针 if (cur_elem[0]) - target_path = alloc_printf("%s/%s", cur_elem, fname); + target_path = alloc_printf("%s/%s", cur_elem, fname); // 构造完整的文件路径 else - target_path = ck_strdup(fname); + target_path = ck_strdup(fname); // 如果当前目录为空,则直接使用文件名 - ck_free(cur_elem); + ck_free(cur_elem); // 释放临时内存 + // 如果找到文件并且文件属性符合要求,则跳出循环 if (!stat(target_path, &st) && S_ISREG(st.st_mode) && (st.st_mode & 0111) && (f_len = st.st_size) >= 4) break; - ck_free(target_path); - target_path = 0; + ck_free(target_path); // 释放之前分配的内存 + target_path = 0; // 重置target_path } - if (!target_path) FATAL("Program '%s' not found or not executable", fname); + if (!target_path) FATAL("Program '%s' not found or not executable", fname); // 如果未找到文件,输出错误信息并退出 } + // 如果环境变量AFL_SKIP_BIN_CHECK被设置,则跳过后续检查 if (getenv("AFL_SKIP_BIN_CHECK")) return; - /* Check for blatant user errors. */ - + /* 检查用户是否犯了一些明显的错误,比如将二进制文件放在/tmp或/var/tmp目录下 */ if ((!strncmp(target_path, "/tmp/", 5) && !strchr(target_path + 5, '/')) || (!strncmp(target_path, "/var/tmp/", 9) && !strchr(target_path + 9, '/'))) FATAL("Please don't keep binaries in /tmp or /var/tmp"); + // 打开目标文件 fd = open(target_path, O_RDONLY); + if (fd < 0) PFATAL("Unable to open '%s'", target_path); // 如果打开失败,输出错误信息 - if (fd < 0) PFATAL("Unable to open '%s'", target_path); - + // 将文件内容映射到内存 f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); + if (f_data == MAP_FAILED) PFATAL("Unable to mmap file '%s'", target_path); // 如果映射失败,输出错误信息 - if (f_data == MAP_FAILED) PFATAL("Unable to mmap file '%s'", target_path); - - close(fd); + close(fd); // 关闭文件描述符 + // 检查文件是否为脚本文件 if (f_data[0] == '#' && f_data[1] == '!') { - - SAYF("\n" cLRD "[-] " cRST - "Oops, the target binary looks like a shell script. Some build systems will\n" - " sometimes generate shell stubs for dynamically linked programs; try static\n" - " library mode (./configure --disable-shared) if that's the case.\n\n" - - " Another possible cause is that you are actually trying to use a shell\n" - " wrapper around the fuzzed component. Invoking shell can slow down the\n" - " fuzzing process by a factor of 20x or more; it's best to write the wrapper\n" - " in a compiled language instead.\n"); - + // 如果是脚本文件,输出错误信息并退出 + SAYF("\n" cLRD "[-] " cRST "Oops, the target binary looks like a shell script..."); FATAL("Program '%s' is a shell script", target_path); - } #ifndef __APPLE__ - + // 检查文件是否为ELF格式 if (f_data[0] != 0x7f || memcmp(f_data + 1, "ELF", 3)) FATAL("Program '%s' is not an ELF binary", target_path); - #else - + // 在苹果系统上,检查文件是否为Mach-O格式 if (f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) FATAL("Program '%s' is not a 64-bit Mach-O binary", target_path); - #endif /* ^!__APPLE__ */ + // 如果没有使用QEMU模式且没有使用dumb模式,检查文件是否被AFL插桩 if (!qemu_mode && !dumb_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { - - SAYF("\n" cLRD "[-] " cRST - "Looks like the target binary is not instrumented! The fuzzer depends on\n" - " compile-time instrumentation to isolate interesting test cases while\n" - " mutating the input data. For more information, and for tips on how to\n" - " instrument binaries, please see %s/README.\n\n" - - " When source code is not available, you may be able to leverage QEMU\n" - " mode support. Consult the README for tips on how to enable this.\n" - - " (It is also possible to use afl-fuzz as a traditional, \"dumb\" fuzzer.\n" - " For that, you can use the -n option - but expect much worse results.)\n", - doc_path); - + // 如果没有插桩,输出错误信息并退出 + SAYF("\n" cLRD "[-] " cRST "Looks like the target binary is not instrumented!..."); FATAL("No instrumentation detected"); - } if (qemu_mode && memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { - - SAYF("\n" cLRD "[-] " cRST - "This program appears to be instrumented with afl-gcc, but is being run in\n" - " QEMU mode (-Q). This is probably not what you want - this setup will be\n" - " slow and offer no practical benefits.\n"); - + // 如果在QEMU模式下检测到插桩,输出错误信息并退出 + SAYF("\n" cLRD "[-] " cRST "This program appears to be instrumented with afl-gcc..."); FATAL("Instrumentation found in -Q mode"); - } + // 检查文件是否使用了AddressSanitizer if (memmem(f_data, f_len, "libasan.so", 10) || memmem(f_data, f_len, "__msan_init", 11)) uses_asan = 1; - /* Detect persistent & deferred init signatures in the binary. */ - + /* 检测二进制文件中的持久模式和延迟初始化签名 */ if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { - OKF(cPIN "Persistent mode binary detected."); setenv(PERSIST_ENV_VAR, "1", 1); persistent_mode = 1; - } else if (getenv("AFL_PERSISTENT")) { - WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); - } if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { - OKF(cPIN "Deferred forkserver binary detected."); setenv(DEFER_ENV_VAR, "1", 1); deferred_mode = 1; - } else if (getenv("AFL_DEFER_FORKSRV")) { - WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); - } - if (munmap(f_data, f_len)) PFATAL("unmap() failed"); + if (munmap(f_data, f_len)) PFATAL("unmap() failed"); // 取消内存映射 } - -/* Trim and possibly create a banner for the run. */ - +// 修剪并可能为运行创建一个横幅 static void fix_up_banner(u8* name) { - + // 如果没有设置横幅,则根据同步ID或文件名来设置 if (!use_banner) { - if (sync_id) { - use_banner = sync_id; - } else { - - u8* trim = strrchr(name, '/'); + u8* trim = strrchr(name, '/'); // 查找文件名中的路径分隔符 if (!trim) use_banner = name; else use_banner = trim + 1; - } - } + // 如果横幅字符串过长,则截断它 if (strlen(use_banner) > 40) { - u8* tmp = ck_alloc(44); sprintf(tmp, "%.40s...", use_banner); use_banner = tmp; - } - } - -/* Check if we're on TTY. */ - +// 检查是否在TTY上运行 static void check_if_tty(void) { + struct winsize ws; // 窗口大小结构体 - struct winsize ws; - + // 如果设置了环境变量AFL_NO_UI,则禁用UI if (getenv("AFL_NO_UI")) { OKF("Disabling the UI because AFL_NO_UI is set."); not_on_tty = 1; return; } + // 如果无法获取窗口大小,则认为不在TTY上运行 if (ioctl(1, TIOCGWINSZ, &ws)) { if (errno == ENOTTY) { @@ -6945,27 +6923,30 @@ static void check_if_tty(void) { } -/* Check terminal dimensions after resize. */ +/* 在终端尺寸变化后检查终端尺寸。 */ +// 这个函数检查终端的尺寸,以确保它不是太小,从而无法适当地显示程序的输出。 static void check_term_size(void) { - struct winsize ws; + struct winsize ws; // winsize结构体用于存储终端的尺寸信息 - term_too_small = 0; + term_too_small = 0; // 假设终端不是太小 - if (ioctl(1, TIOCGWINSZ, &ws)) return; + // 使用ioctl系统调用来获取终端的尺寸信息 + if (ioctl(1, TIOCGWINSZ, &ws)) return; // 如果ioctl调用失败,则返回 - if (ws.ws_row == 0 && ws.ws_col == 0) return; - if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1; + // 如果窗口尺寸的行数或列数为0,或者小于某个阈值,则认为终端太小 + if (ws.ws_row == 0 && ws.ws_col == 0) return; // 如果行数和列数都为0,则返回 + if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1; // 设置终端太小的标志 } +/* 显示使用提示。 */ - -/* Display usage hints. */ - +// 这个函数在用户请求帮助或者使用了错误的命令行参数时显示程序的使用提示。 static void usage(u8* argv0) { + // 使用SAYF宏来格式化并输出使用提示信息 SAYF("\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n" "Required parameters:\n\n" @@ -6978,8 +6959,8 @@ static void usage(u8* argv0) { " -f file - location read by the fuzzed program (stdin)\n" " -t msec - timeout for each run (auto-scaled, 50-%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" - " -Q - use binary-only instrumentation (QEMU mode)\n\n" - + " -Q - use binary-only instrumentation (QEMU mode)\n\n" + "Fuzzing behavior settings:\n\n" " -d - quick & dirty mode (skips deterministic steps)\n" @@ -6996,8 +6977,9 @@ static void usage(u8* argv0) { "For additional tips, please consult %s/README.\n\n", - argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); + argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); // 使用宏替换标记来插入特定的值 + // 显示使用提示后退出程序 exit(1); } @@ -7005,158 +6987,135 @@ static void usage(u8* argv0) { /* Prepare output directories and fds. */ -EXP_ST void setup_dirs_fds(void) { +/* 准备输出目录和文件描述符。 */ - u8* tmp; - s32 fd; +EXP_ST void setup_dirs_fds(void) { + u8* tmp; // 临时字符串指针 + s32 fd; // 文件描述符 - ACTF("Setting up output directories..."); + ACTF("Setting up output directories..."); // 动作提示:设置输出目录 + // 如果设置了同步ID,尝试创建同步目录,如果失败且不是因为已存在,则输出错误信息并终止 if (sync_id && mkdir(sync_dir, 0700) && errno != EEXIST) PFATAL("Unable to create '%s'", sync_dir); + // 尝试创建输出目录,如果失败且不是因为已存在,则输出错误信息并终止 if (mkdir(out_dir, 0700)) { - if (errno != EEXIST) PFATAL("Unable to create '%s'", out_dir); - maybe_delete_out_dir(); - + maybe_delete_out_dir(); // 可能删除已存在的输出目录 } else { - if (in_place_resume) - FATAL("Resume attempted but old output directory not found"); + FATAL("Resume attempted but old output directory not found"); // 如果尝试在地恢复,但未找到旧的输出目录,则终止 - out_dir_fd = open(out_dir, O_RDONLY); + out_dir_fd = open(out_dir, O_RDONLY); // 打开输出目录 #ifndef __sun - + // 如果无法锁定输出目录,则输出错误信息并终止 if (out_dir_fd < 0 || flock(out_dir_fd, LOCK_EX | LOCK_NB)) PFATAL("Unable to flock() output directory."); - #endif /* !__sun */ - } - /* Queue directory for any starting & discovered paths. */ - + // 创建队列目录,用于存放起始和发现的路径 tmp = alloc_printf("%s/queue", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - /* Top-level directory for queue metadata used for session - resume and related tasks. */ - + // 创建队列元数据的顶级目录,用于会话恢复等任务 tmp = alloc_printf("%s/queue/.state/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - /* Directory for flagging queue entries that went through - deterministic fuzzing in the past. */ - + // 创建目录,用于标记已经过确定性测试的队列条目 tmp = alloc_printf("%s/queue/.state/deterministic_done/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - /* Directory with the auto-selected dictionary entries. */ - + // 创建目录,用于存放自动选择的字典条目 tmp = alloc_printf("%s/queue/.state/auto_extras/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - /* The set of paths currently deemed redundant. */ - + // 创建目录,用于标记当前认为多余的路径集 tmp = alloc_printf("%s/queue/.state/redundant_edges/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - /* The set of paths showing variable behavior. */ - + // 创建目录,用于标记显示变量行为的路径集 tmp = alloc_printf("%s/queue/.state/variable_behavior/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - /* Sync directory for keeping track of cooperating fuzzers. */ - + // 如果设置了同步ID,创建同步目录,用于跟踪合作的模糊测试器 if (sync_id) { - tmp = alloc_printf("%s/.synced/", out_dir); - if (mkdir(tmp, 0700) && (!in_place_resume || errno != EEXIST)) PFATAL("Unable to create '%s'", tmp); - ck_free(tmp); - } - /* All recorded crashes. */ - + // 创建目录,用于存放所有记录的崩溃 tmp = alloc_printf("%s/crashes", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - /* All recorded hangs. */ - + // 创建目录,用于存放所有记录的挂起 tmp = alloc_printf("%s/hangs", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - /* Generally useful file descriptors. */ - - dev_null_fd = open("/dev/null", O_RDWR); + // 创建一般有用的文件描述符 + dev_null_fd = open("/dev/null", O_RDWR); // 打开null设备文件描述符 if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); - dev_urandom_fd = open("/dev/urandom", O_RDONLY); + dev_urandom_fd = open("/dev/urandom", O_RDONLY); // 打开随机设备文件描述符 if (dev_urandom_fd < 0) PFATAL("Unable to open /dev/urandom"); - /* Gnuplot output file. */ - + // 创建Gnuplot输出文件 tmp = alloc_printf("%s/plot_data", out_dir); - fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); + fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); // 打开或创建plot_data文件 if (fd < 0) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - plot_file = fdopen(fd, "w"); - if (!plot_file) PFATAL("fdopen() failed"); + plot_file = fdopen(fd, "w"); // 将文件描述符与FILE*关联 + if (!plot_file) PFATAL("fdopen() failed"); // 如果失败,则输出错误信息并终止 + // 写入Gnuplot输出文件的标题行 fprintf(plot_file, "# unix_time, cycles_done, cur_path, paths_total, " "pending_total, pending_favs, map_size, unique_crashes, " "unique_hangs, max_depth, execs_per_sec\n"); /* ignore errors */ - } - -/* Setup the output file for fuzzed data, if not using -f. */ +/* 如果没有使用-f选项,则设置模糊测试数据的输出文件。 */ EXP_ST void setup_stdio_file(void) { + u8* fn = alloc_printf("%s/.cur_input", out_dir); // 构造当前输入文件的路径 - u8* fn = alloc_printf("%s/.cur_input", out_dir); - - unlink(fn); /* Ignore errors */ + unlink(fn); // 删除已存在的当前输入文件,忽略错误 - out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); + out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); // 打开或创建当前输入文件 - if (out_fd < 0) PFATAL("Unable to create '%s'", fn); - - ck_free(fn); + if (out_fd < 0) PFATAL("Unable to create '%s'", fn); // 如果失败,则输出错误信息并终止 + ck_free(fn); // 释放路径字符串 } -/* Make sure that core dumps don't go to a program. */ +/* 确保核心转储(core dumps)不会发送到外部程序。 */ static void check_crash_handling(void) { #ifdef __APPLE__ - /* Yuck! There appears to be no simple C API to query for the state of - loaded daemons on MacOS X, and I'm a bit hesitant to do something - more sophisticated, such as disabling crash reporting via Mach ports, - until I get a box to test the code. So, for now, we check for crash - reporting the awful way. */ - + /* 在Mac OS X上,似乎没有简单的C API可以查询已加载的守护进程状态,我也不愿意在没有测试环境的情况下 + 做一些更复杂的操作,比如通过Mach端口禁用崩溃报告。因此,目前我们用一种不太优雅的方式来检查崩溃报告。 */ + + // 尝试执行系统命令来检查是否有崩溃报告被配置为发送到外部程序 if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; + // 如果系统配置了发送崩溃通知到外部程序,输出警告信息 SAYF("\n" cLRD "[-] " cRST "Whoops, your system is configured to forward crash notifications to an\n" " external crash reporting utility. This will cause issues due to the\n" @@ -7169,23 +7128,28 @@ static void check_crash_handling(void) { " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); + // 如果没有设置环境变量来忽略缺失的崩溃报告,则终止程序 if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Crash reporter detected"); #else - /* This is Linux specific, but I don't think there's anything equivalent on - *BSD, so we can just let it slide for now. */ + /* 这是Linux特定的代码,我不认为*BSD上有等效的设置,所以我们暂时可以忽略这个问题。 */ + // 打开核心转储模式文件 s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY); u8 fchar; + // 如果打开文件失败,则直接返回 if (fd < 0) return; + // 输出动作信息:正在检查核心转储模式 ACTF("Checking core_pattern..."); + // 读取核心转储模式文件的第一个字符 if (read(fd, &fchar, 1) == 1 && fchar == '|') { + // 如果第一个字符是管道符号(|),说明系统配置了将核心转储发送到外部程序 SAYF("\n" cLRD "[-] " cRST "Hmm, your system is configured to send core dump notifications to an\n" " external utility. This will cause issues: there will be an extended delay\n" @@ -7197,55 +7161,63 @@ static void check_crash_handling(void) { " echo core >/proc/sys/kernel/core_pattern\n"); + // 如果没有设置环境变量来忽略缺失的崩溃报告,则终止程序 if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Pipe at the beginning of 'core_pattern'"); - } + // 关闭核心转储模式文件 close(fd); #endif /* ^__APPLE__ */ - } -/* Check CPU governor. */ +/* 检查CPU调速器(scaling governor)。 */ static void check_cpu_governor(void) { - FILE* f; - u8 tmp[128]; - u64 min = 0, max = 0; + FILE* f; // 文件指针 + u8 tmp[128]; // 临时缓冲区 + u64 min = 0, max = 0; // 最小和最大CPU频率 + // 如果设置了环境变量AFL_SKIP_CPUFREQ,则跳过此检查 if (getenv("AFL_SKIP_CPUFREQ")) return; + // 尝试打开CPU调速器配置文件 f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r"); - if (!f) return; + if (!f) return; // 如果打开失败,则跳过此检查 - ACTF("Checking CPU scaling governor..."); + ACTF("Checking CPU scaling governor..."); // 输出动作信息 - if (!fgets(tmp, 128, f)) PFATAL("fgets() failed"); + // 读取CPU调速器配置 + if (!fgets(tmp, 128, f)) PFATAL("fgets() failed"); // 如果读取失败,则输出错误信息并终止 - fclose(f); + fclose(f); // 关闭文件 + // 如果CPU调速器设置为performance,则不需要调整 if (!strncmp(tmp, "perf", 4)) return; + // 尝试打开最小CPU频率配置文件 f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", "r"); if (f) { - if (fscanf(f, "%llu", &min) != 1) min = 0; + if (fscanf(f, "%llu", &min) != 1) min = 0; // 读取最小频率 fclose(f); } + // 尝试打开最大CPU频率配置文件 f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", "r"); if (f) { - if (fscanf(f, "%llu", &max) != 1) max = 0; + if (fscanf(f, "%llu", &max) != 1) max = 0; // 读取最大频率 fclose(f); } + // 如果最小和最大频率相同,则不需要调整 if (min == max) return; + // 输出警告信息,提示用户调整CPU调速器设置 SAYF("\n" cLRD "[-] " cRST "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" " between %llu and %llu MHz. Unfortunately, the scaling algorithm in the\n" @@ -7260,32 +7232,32 @@ static void check_cpu_governor(void) { " to make afl-fuzz skip this check - but expect some performance drop.\n", min / 1024, max / 1024); - FATAL("Suboptimal CPU scaling governor"); - + FATAL("Suboptimal CPU scaling governor"); // 如果CPU调速器设置不合理,则终止程序 } - -/* Count the number of logical CPU cores. */ +/* 计算逻辑CPU核心数。 */ static void get_core_count(void) { - u32 cur_runnable = 0; + u32 cur_runnable = 0; // 当前可运行的任务数 #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - size_t s = sizeof(cpu_core_count); + size_t s = sizeof(cpu_core_count); // 核心数的大小 - /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ + /* 在*BSD系统上,我们可以使用sysctl来获取CPU数量。 */ #ifdef __APPLE__ + // 在Mac OS X上获取逻辑CPU核心数 if (sysctlbyname("hw.logicalcpu", &cpu_core_count, &s, NULL, 0) < 0) return; #else - int s_name[2] = { CTL_HW, HW_NCPU }; + int s_name[2] = { CTL_HW, HW_NCPU }; // sysctl的名称 + // 在其他*BSD系统上获取逻辑CPU核心数 if (sysctl(s_name, 2, &cpu_core_count, &s, NULL, 0) < 0) return; #endif /* ^__APPLE__ */ @@ -7294,48 +7266,53 @@ static void get_core_count(void) { #ifdef HAVE_AFFINITY + // 如果支持CPU亲和性,则使用sysconf获取逻辑CPU核心数 cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); #else - FILE* f = fopen("/proc/stat", "r"); - u8 tmp[1024]; + FILE* f = fopen("/proc/stat", "r"); // 尝试打开/proc/stat文件 + u8 tmp[1024]; // 临时缓冲区 - if (!f) return; + if (!f) return; // 如果打开失败,则跳过此检查 + // 读取/proc/stat文件,计算逻辑CPU核心数 while (fgets(tmp, sizeof(tmp), f)) if (!strncmp(tmp, "cpu", 3) && isdigit(tmp[3])) cpu_core_count++; - fclose(f); + fclose(f); // 关闭文件 #endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ + // 如果成功获取逻辑CPU核心数 if (cpu_core_count > 0) { - cur_runnable = (u32)get_runnable_processes(); + cur_runnable = (u32)get_runnable_processes(); // 获取当前可运行的任务数 #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - /* Add ourselves, since the 1-minute average doesn't include that yet. */ - + // 添加当前进程,因为1分钟平均值尚未包括它 cur_runnable++; #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ + // 输出CPU核心数和当前可运行的任务数 OKF("You have %u CPU core%s and %u runnable tasks (utilization: %0.0f%%).", cpu_core_count, cpu_core_count > 1 ? "s" : "", cur_runnable, cur_runnable * 100.0 / cpu_core_count); if (cpu_core_count > 1) { + // 如果当前可运行的任务数超过CPU核心数的1.5倍,则输出警告信息 if (cur_runnable > cpu_core_count * 1.5) { WARNF("System under apparent load, performance may be spotty."); } else if (cur_runnable + 1 <= cpu_core_count) { + // 如果当前可运行的任务数加1小于或等于CPU核心数,则输出提示信息 OKF("Try parallel jobs - see %s/parallel_fuzzing.txt.", doc_path); } @@ -7344,32 +7321,30 @@ static void get_core_count(void) { } else { - cpu_core_count = 0; - WARNF("Unable to figure out the number of CPU cores."); - + cpu_core_count = 0; // 如果无法获取逻辑CPU核心数,则设置为0 + WARNF("Unable to figure out the number of CPU cores."); // 输出警告信息 } } - -/* Validate and fix up out_dir and sync_dir when using -S. */ +/* 验证并修正使用-S时的out_dir和sync_dir。 */ static void fix_up_sync(void) { - u8* x = sync_id; + u8* x = sync_id; // 同步ID if (dumb_mode) - FATAL("-S / -M and -n are mutually exclusive"); + FATAL("-S / -M and -n are mutually exclusive"); // 如果同时使用-S/-M和-n,则终止程序 if (skip_deterministic) { if (force_deterministic) - FATAL("use -S instead of -M -d"); + FATAL("use -S instead of -M -d"); // 如果同时使用-M -d和-S,则终止程序 else - FATAL("-S already implies -d"); - + FATAL("-S already implies -d"); // 如果使用-S,则隐含-d,不需要再次指定 } + // 检查同步ID是否只包含字母数字、下划线或破折号 while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') @@ -7379,236 +7354,237 @@ static void fix_up_sync(void) { } + // 如果同步ID太长,则终止程序 if (strlen(sync_id) > 32) FATAL("Fuzzer ID too long"); + // 构造同步目录路径 x = alloc_printf("%s/%s", out_dir, sync_id); - sync_dir = out_dir; - out_dir = x; + sync_dir = out_dir; // 设置同步目录 + out_dir = x; // 设置输出目录 if (!force_deterministic) { - skip_deterministic = 1; - use_splicing = 1; + skip_deterministic = 1; // 跳过确定性测试 + use_splicing = 1; // 使用拼接技术 } } - -/* Handle screen resize (SIGWINCH). */ +/* 处理屏幕大小变化(SIGWINCH)。 */ static void handle_resize(int sig) { - clear_screen = 1; + clear_screen = 1; // 设置清除屏幕的标志 } - -/* Check ASAN options. */ +/* 检查ASAN选项。 */ static void check_asan_opts(void) { - u8* x = getenv("ASAN_OPTIONS"); + u8* x = getenv("ASAN_OPTIONS"); // 获取ASAN_OPTIONS环境变量 if (x) { + // 如果ASAN_OPTIONS没有设置abort_on_error=1,则终止程序 if (!strstr(x, "abort_on_error=1")) FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); + // 如果ASAN_OPTIONS没有设置symbolize=0,则终止程序 if (!strstr(x, "symbolize=0")) FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); } - x = getenv("MSAN_OPTIONS"); + x = getenv("MSAN_OPTIONS"); // 获取MSAN_OPTIONS环境 - if (x) { + if (x) { + // 如果MSAN_OPTIONS环境变量被设置了,检查是否包含了特定的exit_code值 if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY(MSAN_ERROR) " - please fix!"); + // 检查MSAN_OPTIONS是否设置了symbolize=0,这通常用于防止asan_symbolize.py运行 if (!strstr(x, "symbolize=0")) FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); - } - } - -/* Detect @@ in args. */ +/* 检测命令行参数中的'@@'符号并替换为文件路径。 */ EXP_ST void detect_file_args(char** argv) { + u32 i = 0; // 初始化索引变量 + u8* cwd = getcwd(NULL, 0); // 获取当前工作目录 - u32 i = 0; - u8* cwd = getcwd(NULL, 0); - + // 如果无法获取当前工作目录,输出错误信息并终止程序 if (!cwd) PFATAL("getcwd() failed"); + // 遍历命令行参数 while (argv[i]) { + u8* aa_loc = strstr(argv[i], "@@"); // 查找参数中的'@@'符号 - u8* aa_loc = strstr(argv[i], "@@"); - + // 如果找到了'@@'符号 if (aa_loc) { - u8 *aa_subst, *n_arg; - /* If we don't have a file name chosen yet, use a safe default. */ - + /* 如果还没有指定输出文件名,则使用一个安全的默认值。 */ if (!out_file) - out_file = alloc_printf("%s/.cur_input", out_dir); - - /* Be sure that we're always using fully-qualified paths. */ + out_file = alloc_printf("%s/.cur_input", out_dir); // 使用默认输出文件名 - if (out_file[0] == '/') aa_subst = out_file; - else aa_subst = alloc_printf("%s/%s", cwd, out_file); + /* 确保我们总是使用完全合格的路径。 */ + if (out_file[0] == '/') + aa_subst = out_file; // 如果out_file是绝对路径,则直接使用 + else + aa_subst = alloc_printf("%s/%s", cwd, out_file); // 否则,构造绝对路径 - /* Construct a replacement argv value. */ + /* 构造替换后的argv值。 */ + *aa_loc = 0; // 临时终止字符串以构造新值 + n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); // 构造新参数值 + argv[i] = n_arg; // 更新argv + *aa_loc = '@'; // 恢复'@@'符号 - *aa_loc = 0; - n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); - argv[i] = n_arg; - *aa_loc = '@'; - - if (out_file[0] != '/') ck_free(aa_subst); + if (out_file[0] != '/') ck_free(aa_subst); // 如果out_file不是绝对路径,则释放构造的绝对路径 } - i++; - + i++; // 移动到下一个参数 } - free(cwd); /* not tracked */ - + free(cwd); // 释放当前工作目录字符串 } -/* Set up signal handlers. More complicated that needs to be, because libc on - Solaris doesn't resume interrupted reads(), sets SA_RESETHAND when you call - siginterrupt(), and does other unnecessary things. */ +/* 设置信号处理器。Solaris上的libc比较复杂,因为它在中断的read()调用时不会恢复, + 当你调用siginterrupt()时会设置SA_RESETHAND,并且会做一些不必要的事情。 */ EXP_ST void setup_signal_handlers(void) { - struct sigaction sa; + struct sigaction sa; // 定义信号动作结构体 - sa.sa_handler = NULL; - sa.sa_flags = SA_RESTART; - sa.sa_sigaction = NULL; + // 初始化信号动作结构体 + sa.sa_handler = NULL; // 没有指定信号处理函数 + sa.sa_flags = SA_RESTART; // 设置信号处理时自动重启被中断的系统调用 + sa.sa_sigaction = NULL; // 没有指定信号的特定处理函数 - sigemptyset(&sa.sa_mask); + sigemptyset(&sa.sa_mask); // 清空信号集 - /* Various ways of saying "stop". */ + /* 各种表示“停止”的信号。 */ + // 设置信号处理函数为handle_stop_sig sa.sa_handler = handle_stop_sig; - sigaction(SIGHUP, &sa, NULL); - sigaction(SIGINT, &sa, NULL); - sigaction(SIGTERM, &sa, NULL); + sigaction(SIGHUP, &sa, NULL); // 对SIGHUP信号进行设置 + sigaction(SIGINT, &sa, NULL); // 对SIGINT信号进行设置 + sigaction(SIGTERM, &sa, NULL); // 对SIGTERM信号进行设置 - /* Exec timeout notifications. */ + /* 执行超时通知。 */ + // 设置信号处理函数为handle_timeout sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); + sigaction(SIGALRM, &sa, NULL); // 对SIGALRM信号进行设置 - /* Window resize */ + /* 窗口大小改变通知 */ + // 设置信号处理函数为handle_resize sa.sa_handler = handle_resize; - sigaction(SIGWINCH, &sa, NULL); + sigaction(SIGWINCH, &sa, NULL); // 对SIGWINCH信号进行设置 - /* SIGUSR1: skip entry */ + /* SIGUSR1: 跳过条目 */ + // 设置信号处理函数为handle_skipreq sa.sa_handler = handle_skipreq; - sigaction(SIGUSR1, &sa, NULL); + sigaction(SIGUSR1, &sa, NULL); // 对SIGUSR1信号进行设置 - /* Things we don't care about. */ + /* 我们不关心的信号。 */ + // 设置信号处理函数为SIG_IGN,忽略这些信号 sa.sa_handler = SIG_IGN; - sigaction(SIGTSTP, &sa, NULL); - sigaction(SIGPIPE, &sa, NULL); - + sigaction(SIGTSTP, &sa, NULL); // 对SIGTSTP信号进行设置 + sigaction(SIGPIPE, &sa, NULL); // 对SIGPIPE信号进行设置 } - -/* Rewrite argv for QEMU. */ +/* 为QEMU重写argv。 */ static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { - char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); + char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); // 分配新的argv数组 u8 *tmp, *cp, *rsl, *own_copy; - /* Workaround for a QEMU stability glitch. */ + /* 针对QEMU稳定性问题的工作区。 */ - setenv("QEMU_LOG", "nochain", 1); + setenv("QEMU_LOG", "nochain", 1); // 设置环境变量QEMU_LOG + // 将原始argv的参数复制到新数组中,从第三个参数开始 memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); - new_argv[2] = target_path; - new_argv[1] = "--"; + new_argv[2] = target_path; // 设置目标路径 + new_argv[1] = "--"; // 设置参数分隔符 - /* Now we need to actually find the QEMU binary to put in argv[0]. */ + /* 现在我们需要找到QEMU二进制文件并放入argv[0]。 */ - tmp = getenv("AFL_PATH"); + tmp = getenv("AFL_PATH"); // 获取环境变量AFL_PATH if (tmp) { - cp = alloc_printf("%s/afl-qemu-trace", tmp); + cp = alloc_printf("%s/afl-qemu-trace", tmp); // 构造QEMU路径 - if (access(cp, X_OK)) - FATAL("Unable to find '%s'", tmp); + if (access(cp, X_OK)) // 检查文件是否存在且可执行 + FATAL("Unable to find '%s'", tmp); // 如果找不到,输出错误信息并终止 - target_path = new_argv[0] = cp; - return new_argv; + target_path = new_argv[0] = cp; // 设置目标路径和argv[0] + return new_argv; // 返回新的argv数组 } - own_copy = ck_strdup(own_loc); - rsl = strrchr(own_copy, '/'); + own_copy = ck_strdup(own_loc); // 复制原始位置信息 + rsl = strrchr(own_copy, '/'); // 查找路径分隔符 if (rsl) { - *rsl = 0; + *rsl = 0; // 将路径分隔符替换为字符串结束符 - cp = alloc_printf("%s/afl-qemu-trace", own_copy); - ck_free(own_copy); + cp = alloc_printf("%s/afl-qemu-trace", own_copy); // 构造QEMU路径 + ck_free(own_copy); // 释放原始位置信息 - if (!access(cp, X_OK)) { + if (!access(cp, X_OK)) { // 检查文件是否存在且可执行 - target_path = new_argv[0] = cp; - return new_argv; + target_path = new_argv[0] = cp; // 设置目标路径和argv[0] + return new_argv; // 返回新的argv数组 } - } else ck_free(own_copy); + } else ck_free(own_copy); // 如果没有找到路径分隔符,释放原始位置信息 - if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { + if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { // 检查默认路径下的QEMU是否存在且可执行 - target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace"); - return new_argv; + target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace"); // 设置目标路径和argv[0] + return new_argv; // 返回新的argv数组 } - SAYF("\n" cLRD "[-] " cRST + SAYF("\n" cLRD "[-] " cRST // 输出错误信息 "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be built\n" " separately by following the instructions in qemu_mode/README.qemu. If you\n" " already have the binary installed, you may need to specify AFL_PATH in the\n" " environment.\n\n" - " Of course, even without QEMU, afl-fuzz can still work with binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to use it as a\n" " traditional \"dumb\" fuzzer by specifying '-n' in the command line.\n"); - FATAL("Failed to locate 'afl-qemu-trace'."); - + FATAL("Failed to locate 'afl-qemu-trace'."); // 输出错误信息并终止 } - -/* Make a copy of the current command line. */ +/* 保存当前命令行参数。 */ static void save_cmdline(u32 argc, char** argv) { - u32 len = 1, i; - u8* buf; + u32 len = 1, i; // 初始化长度变量 + u8* buf; // 定义缓冲区指针 + // 计算命令行参数的总长度 for (i = 0; i < argc; i++) len += strlen(argv[i]) + 1; - buf = orig_cmdline = ck_alloc(len); + buf = orig_cmdline = ck_alloc(len); // 分配缓冲区 + // 将命令行参数复制到缓冲区 for (i = 0; i < argc; i++) { u32 l = strlen(argv[i]); @@ -7616,12 +7592,11 @@ static void save_cmdline(u32 argc, char** argv) { memcpy(buf, argv[i], l); buf += l; - if (i != argc - 1) *(buf++) = ' '; + if (i != argc - 1) *(buf++) = ' '; // 在参数之间添加空格 } - *buf = 0; - + *buf = 0; // 设置字符串结束符 } @@ -7631,6 +7606,7 @@ static void save_cmdline(u32 argc, char** argv) { int main(int argc, char** argv) { + // 定义了一些变量,用于存储命令行参数和状态 s32 opt; u64 prev_queued = 0; u32 sync_interval_cnt = 0, seek_to; @@ -7639,413 +7615,406 @@ int main(int argc, char** argv) { u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE"); char** use_argv; + // 定义时间相关的结构体 struct timeval tv; struct timezone tz; + // 打印欢迎信息和版本号 SAYF(cCYA "afl-fuzz " cBRI VERSION cRST " by \n"); + // 设置文档路径 doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; + // 获取当前时间,用于随机数种子 gettimeofday(&tv, &tz); srandom(tv.tv_sec ^ tv.tv_usec ^ getpid()); - while ((opt = getopt(argc, argv, "+i:o:f:m:b:t:T:dnCB:S:M:x:QV")) > 0) - + // 解析命令行参数 + while ((opt = getopt(argc, argv, "+i:o:f:m:b:t:T:dnCB:S:M:x:QV")) > 0) { switch (opt) { - + // 处理不同的命令行选项 case 'i': /* input dir */ - + // 设置输入目录 if (in_dir) FATAL("Multiple -i options not supported"); in_dir = optarg; - if (!strcmp(in_dir, "-")) in_place_resume = 1; - break; case 'o': /* output dir */ - + // 设置输出目录 if (out_dir) FATAL("Multiple -o options not supported"); out_dir = optarg; break; case 'M': { /* master sync ID */ - - u8* c; - - if (sync_id) FATAL("Multiple -S or -M options not supported"); - sync_id = ck_strdup(optarg); - - if ((c = strchr(sync_id, ':'))) { - - *c = 0; - - if (sscanf(c + 1, "%u/%u", &master_id, &master_max) != 2 || - !master_id || !master_max || master_id > master_max || - master_max > 1000000) FATAL("Bogus master ID passed to -M"); - - } - - force_deterministic = 1; - + // 设置主同步ID + u8* c; + if (sync_id) FATAL("Multiple -S or -M options not supported"); + sync_id = ck_strdup(optarg); + if ((c = strchr(sync_id, ':'))) { + *c = 0; + if (sscanf(c + 1, "%u/%u", &master_id, &master_max) != 2 || + !master_id || !master_max || master_id > master_max || + master_max > 1000000) FATAL("Bogus master ID passed to -M"); } - + force_deterministic = 1; + } break; case 'S': - + // 设置同步ID if (sync_id) FATAL("Multiple -S or -M options not supported"); sync_id = ck_strdup(optarg); break; case 'f': /* target file */ - + // 设置目标文件 if (out_file) FATAL("Multiple -f options not supported"); out_file = optarg; break; case 'x': /* dictionary */ - + // 设置额外的字典目录 if (extras_dir) FATAL("Multiple -x options not supported"); extras_dir = optarg; break; case 't': { /* timeout */ - - u8 suffix = 0; - - if (timeout_given) FATAL("Multiple -t options not supported"); - - if (sscanf(optarg, "%u%c", &exec_tmout, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -t"); - - if (exec_tmout < 5) FATAL("Dangerously low value of -t"); - - if (suffix == '+') timeout_given = 2; else timeout_given = 1; - - break; - + // 设置超时时间 + u8 suffix = 0; + if (timeout_given) FATAL("Multiple -t options not supported"); + if (sscanf(optarg, "%u%c", &exec_tmout, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -t"); + if (exec_tmout < 5) FATAL("Dangerously low value of -t"); + if (suffix == '+') timeout_given = 2; else timeout_given = 1; + break; } case 'm': { /* mem limit */ - - u8 suffix = 'M'; - - if (mem_limit_given) FATAL("Multiple -m options not supported"); - mem_limit_given = 1; - - if (!strcmp(optarg, "none")) { - - mem_limit = 0; - break; - - } - - if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -m"); - - switch (suffix) { - - case 'T': mem_limit *= 1024 * 1024; break; - case 'G': mem_limit *= 1024; break; - case 'k': mem_limit /= 1024; break; - case 'M': break; - - default: FATAL("Unsupported suffix or bad syntax for -m"); - - } - - if (mem_limit < 5) FATAL("Dangerously low value of -m"); - - if (sizeof(rlim_t) == 4 && mem_limit > 2000) - FATAL("Value of -m out of range on 32-bit systems"); - + // 设置内存限制 + u8 suffix = 'M'; + if (mem_limit_given) FATAL("Multiple -m options not supported"); + mem_limit_given = 1; + if (!strcmp(optarg, "none")) { + mem_limit = 0; + break; } - + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -m"); + switch (suffix) { + case 'T': mem_limit *= 1024 * 1024; break; + case 'G': mem_limit *= 1024; break; + case 'k': mem_limit /= 1024; break; + case 'M': break; + default: FATAL("Unsupported suffix or bad syntax for -m"); + } + if (mem_limit < 5) FATAL("Dangerously low value of -m"); + if (sizeof(rlim_t) == 4 && mem_limit > 2000) + FATAL("Value of -m out of range on 32-bit systems"); + } break; case 'b': { /* bind CPU core */ - - if (cpu_to_bind_given) FATAL("Multiple -b options not supported"); - cpu_to_bind_given = 1; - - if (sscanf(optarg, "%u", &cpu_to_bind) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -b"); - - break; - + // 绑定CPU核心 + if (cpu_to_bind_given) FATAL("Multiple -b options not supported"); + cpu_to_bind_given = 1; + if (sscanf(optarg, "%u", &cpu_to_bind) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -b"); + break; } case 'd': /* skip deterministic */ - + // 跳过确定性测试 if (skip_deterministic) FATAL("Multiple -d options not supported"); skip_deterministic = 1; use_splicing = 1; break; case 'B': /* load bitmap */ - - /* This is a secret undocumented option! It is useful if you find - an interesting test case during a normal fuzzing process, and want - to mutate it without rediscovering any of the test cases already - found during an earlier run. - - To use this mode, you need to point -B to the fuzz_bitmap produced - by an earlier run for the exact same binary... and that's it. - - I only used this once or twice to get variants of a particular - file, so I'm not making this an official setting. */ - + // 加载比特图 if (in_bitmap) FATAL("Multiple -B options not supported"); - in_bitmap = optarg; read_bitmap(in_bitmap); break; case 'C': /* crash mode */ - + // 设置为崩溃模式 if (crash_mode) FATAL("Multiple -C options not supported"); crash_mode = FAULT_CRASH; break; case 'n': /* dumb mode */ - + // 设置为简单模式 if (dumb_mode) FATAL("Multiple -n options not supported"); if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2; else dumb_mode = 1; - break; case 'T': /* banner */ - + // 设置横幅 if (use_banner) FATAL("Multiple -T options not supported"); use_banner = optarg; break; case 'Q': /* QEMU mode */ - + // 设置为QEMU模式 if (qemu_mode) FATAL("Multiple -Q options not supported"); qemu_mode = 1; - if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; - break; case 'V': /* Show version number */ - - /* Version number has been printed already, just quit. */ + // 显示版本号并退出 exit(0); default: - + // 默认行为:显示使用说明 usage(argv[0]); - } + } + // 检查必要的参数是否已设置 if (optind == argc || !in_dir || !out_dir) usage(argv[0]); + // 设置信号处理程序 setup_signal_handlers(); check_asan_opts(); + // 如果设置了同步ID,修正同步设置 if (sync_id) fix_up_sync(); + // 输入和输出目录不能相同 if (!strcmp(in_dir, out_dir)) FATAL("Input and output directories can't be the same"); + // 在简单模式下,检查互斥选项 if (dumb_mode) { - if (crash_mode) FATAL("-C and -n are mutually exclusive"); if (qemu_mode) FATAL("-Q and -n are mutually exclusive"); - } + // 读取环境变量设置 if (getenv("AFL_NO_FORKSRV")) no_forkserver = 1; if (getenv("AFL_NO_CPU_RED")) no_cpu_meter_red = 1; if (getenv("AFL_NO_ARITH")) no_arith = 1; if (getenv("AFL_SHUFFLE_QUEUE")) shuffle_queue = 1; if (getenv("AFL_FAST_CAL")) fast_cal = 1; + // 设置挂起超时时间 if (getenv("AFL_HANG_TMOUT")) { hang_tmout = atoi(getenv("AFL_HANG_TMOUT")); if (!hang_tmout) FATAL("Invalid value of AFL_HANG_TMOUT"); } + // 检查互斥的环境变量设置 if (dumb_mode == 2 && no_forkserver) FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); + // 设置预加载库 if (getenv("AFL_PRELOAD")) { setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); } - if (getenv("AFL_LD_PRELOAD")) +// 如果设置了环境变量AFL_LD_PRELOAD,则输出错误信息并终止程序。 +if (getenv("AFL_LD_PRELOAD")) FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD"); - save_cmdline(argc, argv); +// 保存命令行参数,以便后续使用。 +save_cmdline(argc, argv); - fix_up_banner(argv[optind]); +// 修复banner信息,这通常是为了显示程序的版本号或其他信息。 +fix_up_banner(argv[optind]); - check_if_tty(); +// 检查当前是否是TTY环境,这可能影响程序的输出方式。 +check_if_tty(); - get_core_count(); +// 获取CPU核心数,这有助于后续的并行处理。 +get_core_count(); #ifdef HAVE_AFFINITY - bind_to_free_cpu(); +// 如果支持CPU亲和性设置,则将程序绑定到一个空闲的CPU核心上。 +bind_to_free_cpu(); #endif /* HAVE_AFFINITY */ - check_crash_handling(); - check_cpu_governor(); +// 检查崩溃处理设置,确保程序在崩溃时能够正确处理。 +check_crash_handling(); +check_cpu_governor(); - setup_post(); - setup_shm(); - init_count_class16(); +// 设置后续操作,这可能包括日志文件的设置等。 +setup_post(); +setup_shm(); +init_count_class16(); - setup_dirs_fds(); - read_testcases(); - load_auto(); +// 设置目录和文件描述符,为后续的文件操作做准备。 +setup_dirs_fds(); +read_testcases(); +load_auto(); - pivot_inputs(); +// 调整输入,这可能涉及到对测试用例的预处理。 +pivot_inputs(); - if (extras_dir) load_extras(extras_dir); +// 如果指定了extras目录,则加载额外的测试用例。 +if (extras_dir) load_extras(extras_dir); - if (!timeout_given) find_timeout(); +// 如果没有给定超时时间,则自动寻找一个合适的超时时间。 +if (!timeout_given) find_timeout(); - detect_file_args(argv + optind + 1); +// 检测文件参数,这可能涉及到对命令行参数的处理。 +detect_file_args(argv + optind + 1); - if (!out_file) setup_stdio_file(); +// 如果没有指定输出文件,则设置标准输出文件。 +if (!out_file) setup_stdio_file(); - check_binary(argv[optind]); +// 检查二进制文件,这可能涉及到对目标程序的验证。 +check_binary(argv[optind]); - start_time = get_cur_time(); +// 获取当前时间,用于后续的时间统计。 +start_time = get_cur_time(); - if (qemu_mode) +// 如果启用了QEMU模式,则获取QEMU的命令行参数,否则使用原始参数。 +if (qemu_mode) use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); - else +else use_argv = argv + optind; - perform_dry_run(use_argv); +// 执行一次干运行,以检查程序的行为。 +perform_dry_run(use_argv); - cull_queue(); +// 修剪队列,移除无效或重复的测试用例。 +cull_queue(); - show_init_stats(); +// 显示初始化统计信息。 +show_init_stats(); - seek_to = find_start_position(); +// 寻找开始位置,这可能涉及到对测试用例的排序或选择。 +seek_to = find_start_position(); - write_stats_file(0, 0, 0); - save_auto(); +// 写入统计文件,保存当前的状态。 +write_stats_file(0, 0, 0); +save_auto(); - if (stop_soon) goto stop_fuzzing; +// 如果程序即将停止,则跳转到停止处理部分。 +if (stop_soon) goto stop_fuzzing; - /* Woop woop woop */ - - if (!not_on_tty) { +// 如果不是在TTY环境下,则等待一段时间再开始测试。 +if (!not_on_tty) { sleep(4); start_time += 4000; if (stop_soon) goto stop_fuzzing; - } - - while (1) { +} +// 主循环开始,这里会不断执行模糊测试,直到程序停止。 +while (1) { u8 skipped_fuzz; + // 修剪队列,移除无效或重复的测试用例。 cull_queue(); + // 如果队列中没有当前的测试用例,则进入下一个循环周期。 if (!queue_cur) { + queue_cycle++; + current_entry = 0; + cur_skipped_paths = 0; + queue_cur = queue; + + // 如果需要seek到特定位置,则移动队列指针。 + while (seek_to) { + current_entry++; + seek_to--; + queue_cur = queue_cur->next; + } - queue_cycle++; - current_entry = 0; - cur_skipped_paths = 0; - queue_cur = queue; - - while (seek_to) { - current_entry++; - seek_to--; - queue_cur = queue_cur->next; - } - - show_stats(); - - if (not_on_tty) { - ACTF("Entering queue cycle %llu.", queue_cycle); - fflush(stdout); - } - - /* If we had a full queue cycle with no new finds, try - recombination strategies next. */ - - if (queued_paths == prev_queued) { - - if (use_splicing) cycles_wo_finds++; else use_splicing = 1; + // 显示统计信息。 + show_stats(); - } else cycles_wo_finds = 0; + // 如果不是在TTY环境下,则输出当前的循环周期。 + if (not_on_tty) { + ACTF("Entering queue cycle %llu.", queue_cycle); + fflush(stdout); + } - prev_queued = queued_paths; + // 如果在当前循环周期中没有新的发现,则尝试重组策略。 + if (queued_paths == prev_queued) { + if (use_splicing) cycles_wo_finds++; else use_splicing = 1; + } else cycles_wo_finds = 0; - if (sync_id && queue_cycle == 1 && getenv("AFL_IMPORT_FIRST")) - sync_fuzzers(use_argv); + // 更新之前的队列路径数。 + prev_queued = queued_paths; + // 如果设置了同步ID并且是第一个循环周期,并且设置了AFL_IMPORT_FIRST环境变量,则同步模糊测试者。 + if (sync_id && queue_cycle == 1 && getenv("AFL_IMPORT_FIRST")) + sync_fuzzers(use_argv); } + // 执行一次模糊测试。 skipped_fuzz = fuzz_one(use_argv); + // 如果程序没有停止并且设置了同步ID并且没有跳过模糊测试,则尝试同步模糊测试者。 if (!stop_soon && sync_id && !skipped_fuzz) { - - if (!(sync_interval_cnt++ % SYNC_INTERVAL)) - sync_fuzzers(use_argv); - + if (!(sync_interval_cnt++ % SYNC_INTERVAL)) + sync_fuzzers(use_argv); } + // 如果程序即将退出并且设置了exit_1,则设置停止标志。 if (!stop_soon && exit_1) stop_soon = 2; + // 如果程序即将停止,则跳出循环。 if (stop_soon) break; + // 移动到下一个测试用例。 queue_cur = queue_cur->next; current_entry++; +} - } - - if (queue_cur) show_stats(); +// 如果队列中还有测试用例,则显示统计信息。 +if (queue_cur) show_stats(); - /* If we stopped programmatically, we kill the forkserver and the current runner. - If we stopped manually, this is done by the signal handler. */ - if (stop_soon == 2) { - if (child_pid > 0) kill(child_pid, SIGKILL); - if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); - } - /* Now that we've killed the forkserver, we wait for it to be able to get rusage stats. */ - if (waitpid(forksrv_pid, NULL, 0) <= 0) { +// 如果程序是被程序性地停止的,那么杀死forkserver和当前的运行者。 +// 如果是手动停止的,那么这部分由信号处理程序完成。 +if (stop_soon == 2) { + if (child_pid > 0) kill(child_pid, SIGKILL); + if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); +} +// 现在我们已经杀死了forkserver,我们可以等待它以便获取资源使用统计信息。 +if (waitpid(forksrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); - } +} - write_bitmap(); - write_stats_file(0, 0, 0); - save_auto(); +// 写入bitmap,保存当前的测试覆盖情况。 +write_bitmap(); +// 写入统计文件,保存最终的状态。 +write_stats_file(0, 0, 0); +// 保存自动保存的信息。 +save_auto(); +// 跳转到停止模糊测试的处理部分。 stop_fuzzing: - SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, - stop_soon == 2 ? "programmatically" : "by user"); - - /* Running for more than 30 minutes but still doing first cycle? */ - - if (queue_cycle == 1 && get_cur_time() - start_time > 30 * 60 * 1000) { +// 输出结束信息,显示测试是被程序性地停止还是被用户停止。 +SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, + stop_soon == 2 ? "programmatically" : "by user"); +// 如果运行超过30分钟但仍然在第一个循环周期,输出警告信息。 +if (queue_cycle == 1 && get_cur_time() - start_time > 30 * 60 * 1000) { SAYF("\n" cYEL "[!] " cRST - "Stopped during the first cycle, results may be incomplete.\n" - " (For info on resuming, see %s/README.)\n", doc_path); - - } - - fclose(plot_file); - destroy_queue(); - destroy_extras(); - ck_free(target_path); - ck_free(sync_id); + "Stopped during the first cycle, results may be incomplete.\n" + " (For info on resuming, see %s/README.)\n", doc_path); +} - alloc_report(); +// 关闭绘图文件,销毁队列和额外的测试用例,释放内存。 +fclose(plot_file); +destroy_queue(); +destroy_extras(); +ck_free(target_path); +ck_free(sync_id); - OKF("We're done here. Have a nice day!\n"); +// 生成报告。 +alloc_report(); - exit(0); +// 输出结束信息,表示测试完成。 +OKF("We're done here. Have a nice day!\n"); +// 退出程序。 +exit(0); } - #endif /* !AFL_LIB */ diff --git a/afl-gcc.c b/afl-gcc.c index f0e4d85..20de974 100644 --- a/afl-gcc.c +++ b/afl-gcc.c @@ -14,6 +14,8 @@ limitations under the License. */ +// 这部分是版权声明和许可证信息,说明这个文件是在Apache License 2.0下发布的。 + /* american fuzzy lop - wrapper for GCC and clang ---------------------------------------------- @@ -38,7 +40,7 @@ specify its location via AFL_CC or AFL_CXX. */ - +// 这部分是注释,提供了关于这个程序的概述和使用说明。 #define AFL_MAIN #include "config.h" @@ -51,6 +53,8 @@ #include #include +// 这些是包含的头文件,其中一些是AFL自己的头文件,其他的是C标准库的头文件 + static u8* as_path; /* Path to the AFL 'as' wrapper */ static u8** cc_params; /* Parameters passed to the real CC */ static u32 cc_par_cnt = 1; /* Param count, including argv0 */ @@ -58,11 +62,14 @@ static u8 be_quiet, /* Quiet mode */ clang_mode; /* Invoked as afl-clang*? */ +// 这些是全局变量声明。`as_path`存储AFL汇编器的路径,`cc_params`存储传递给实际编译器的参数,`cc_par_cnt`是参数计数器,`be_quiet`用于控制 +// 是否静默模式,`clang_mode`指示是否以`afl-clang`或`afl-clang++`模式调用。 + /* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived from argv[0]. If that fails, abort. */ static void find_as(u8* argv0) { - +// 这个函数尝试在AFL_PATH环境变量指定的路径或从argv[0]派生的路径中找到AFL的“假”GNU汇编器。如果找不到,程序将终止。 u8 *afl_path = getenv("AFL_PATH"); u8 *slash, *tmp; @@ -116,31 +123,32 @@ static void find_as(u8* argv0) { /* Copy argv to cc_params, making the necessary edits. */ static void edit_params(u32 argc, char** argv) { + //定义了一个函数edit_params,它接受两个参数:argc是参数的数量,argv是参数的数组。 - u8 fortify_set = 0, asan_set = 0; - u8 *name; + u8 fortify_set = 0, asan_set = 0;//声明两个变量fortify_set和asan_set,用于跟踪是否已经设置了FORTIFY_SOURCE和address sanitizer(ASan)标志 + u8 *name;//用于存储程序的名称 #if defined(__FreeBSD__) && defined(__x86_64__) u8 m32_set = 0; #endif - cc_params = ck_alloc((argc + 128) * sizeof(u8*)); + cc_params = ck_alloc((argc + 128) * sizeof(u8*));//分配内存以存储修改后的参数列表,大小为argc + 128个u8*类型的指针。 - name = strrchr(argv[0], '/'); - if (!name) name = argv[0]; else name++; + name = strrchr(argv[0], '/');//找到argv[0](程序的路径)中最后一个'/'字符,这通常用于获取程序的名称。 + if (!name) name = argv[0]; else name++;//如果name为NULL(即argv[0]中没有'/'),则name指向argv[0]的开始。否则,name向前移动一个字符,跳过'/'。 if (!strncmp(name, "afl-clang", 9)) { - clang_mode = 1; + clang_mode = 1;//检查程序名称是否以"afl-clang"开头,如果是,设置clang_mode标志为1 - setenv(CLANG_ENV_VAR, "1", 1); + setenv(CLANG_ENV_VAR, "1", 1);//设置环境变量CLANG_ENV_VAR为"1",这可能用于通知其他部分的AFL工具链正在使用Clang。 if (!strcmp(name, "afl-clang++")) { u8* alt_cxx = getenv("AFL_CXX"); - cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++"; + cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";//如果AFL_CXX设置,将其值作为第一个参数;否则,使用"clang++"。 } else { u8* alt_cc = getenv("AFL_CC"); - cc_params[0] = alt_cc ? alt_cc : (u8*)"clang"; + cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";//否则尝试获取环境变量AFL_CC的值。 } } else { @@ -152,13 +160,13 @@ static void edit_params(u32 argc, char** argv) { binaries. Meh. */ #ifdef __APPLE__ - + //在Apple系统上,根据程序名称设置不同的编译器。如果AFL_CXX、AFL_GCJ或AFL_CC环境变量设置,使用它们的值;否则,使用默认的编译器名称 if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX"); else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ"); else cc_params[0] = getenv("AFL_CC"); if (!cc_params[0]) { - + //输出错误信息,指出在MacOS X上需要设置AFL_CC或AFL_CXX环境变量。 SAYF("\n" cLRD "[-] " cRST "On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n" " 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n" @@ -169,7 +177,7 @@ static void edit_params(u32 argc, char** argv) { } #else - + //对于非Apple系统,根据程序名称设置不同的编译器。如果相应的环境变量设置,使用它们的值;否则,使用默认的编译器名称。 if (!strcmp(name, "afl-g++")) { u8* alt_cxx = getenv("AFL_CXX"); cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++"; @@ -188,27 +196,27 @@ static void edit_params(u32 argc, char** argv) { while (--argc) { u8* cur = *(++argv); - if (!strncmp(cur, "-B", 2)) { + if (!strncmp(cur, "-B", 2)) {//如果当前参数以"-B"开头,输出警告信息,并跳过后续参数(如果当前参数后面紧跟着的是编译器的路径)。 - if (!be_quiet) WARNF("-B is already set, overriding"); + if (!be_quiet) WARNF("-B is already set, overriding");//如果程序不在静默模式,输出警告信息。 - if (!cur[2] && argc > 1) { argc--; argv++; } + if (!cur[2] && argc > 1) { argc--; argv++; }//如果-B后面紧跟着的是编译器的路径,跳过这个路径。 continue; } - if (!strcmp(cur, "-integrated-as")) continue; + if (!strcmp(cur, "-integrated-as")) continue;//如果参数是"-integrated-as",跳过它。 - if (!strcmp(cur, "-pipe")) continue; + if (!strcmp(cur, "-pipe")) continue;//如果参数是"-pipe",跳过它。 #if defined(__FreeBSD__) && defined(__x86_64__) if (!strcmp(cur, "-m32")) m32_set = 1; #endif if (!strcmp(cur, "-fsanitize=address") || - !strcmp(cur, "-fsanitize=memory")) asan_set = 1; + !strcmp(cur, "-fsanitize=memory")) asan_set = 1;//如果参数是"-fsanitize=address"或"-fsanitize=memory",设置asan_set标志。 - if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1; + if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;//如果参数包含"FORTIFY_SOURCE",设置fortify_set标志。 cc_params[cc_par_cnt++] = cur; @@ -216,9 +224,11 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-B"; cc_params[cc_par_cnt++] = as_path; + //向参数列表中添加"-B"和AFL汇编器的路径。 + if (clang_mode) - cc_params[cc_par_cnt++] = "-no-integrated-as"; + cc_params[cc_par_cnt++] = "-no-integrated-as";//如果clang_mode标志设置,向参数列表中添加`"-no-integrated-as" if (getenv("AFL_HARDEN")) { @@ -229,38 +239,38 @@ static void edit_params(u32 argc, char** argv) { } - if (asan_set) { + if (asan_set) {//检查是否设置了asan_set标志。 /* Pass this on to afl-as to adjust map density. */ - setenv("AFL_USE_ASAN", "1", 1); + setenv("AFL_USE_ASAN", "1", 1);//如果设置,设置环境变量AFL_USE_ASAN为"1" - } else if (getenv("AFL_USE_ASAN")) { + } else if (getenv("AFL_USE_ASAN")) {//如果asan_set标志未设置,但设置了环境变量AFL_USE_ASAN。 if (getenv("AFL_USE_MSAN")) - FATAL("ASAN and MSAN are mutually exclusive"); + FATAL("ASAN and MSAN are mutually exclusive");//如果同时设置了AFL_USE_MSAN,输出错误信息并终止程序。 if (getenv("AFL_HARDEN")) - FATAL("ASAN and AFL_HARDEN are mutually exclusive"); + FATAL("ASAN and AFL_HARDEN are mutually exclusive");//如果同时设置了AFL_HARDEN,输出错误信息并终止程序。 cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; - cc_params[cc_par_cnt++] = "-fsanitize=address"; + cc_params[cc_par_cnt++] = "-fsanitize=address";//向参数列表中添加"-U_FORTIFY_SOURCE"和"-fsanitize=address"。 } else if (getenv("AFL_USE_MSAN")) { if (getenv("AFL_USE_ASAN")) - FATAL("ASAN and MSAN are mutually exclusive"); + FATAL("ASAN and MSAN are mutually exclusive");//如果同时设置了AFL_USE_ASAN,输出错误信息并终止程序。 if (getenv("AFL_HARDEN")) - FATAL("MSAN and AFL_HARDEN are mutually exclusive"); + FATAL("MSAN and AFL_HARDEN are mutually exclusive");//如果同时设置了AFL_HARDEN,输出错误信息并终止程序。 cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE"; - cc_params[cc_par_cnt++] = "-fsanitize=memory"; + cc_params[cc_par_cnt++] = "-fsanitize=memory";//向参数列表中添加"-U_FORTIFY_SOURCE"和"-fsanitize=memory"。 } - if (!getenv("AFL_DONT_OPTIMIZE")) { + if (!getenv("AFL_DONT_OPTIMIZE")) {//检查是否设置了环境变量AFL_DONT_OPTIMIZE。 #if defined(__FreeBSD__) && defined(__x86_64__) @@ -269,22 +279,23 @@ static void edit_params(u32 argc, char** argv) { that bug. */ if (!clang_mode || !m32_set) - cc_params[cc_par_cnt++] = "-g"; + cc_params[cc_par_cnt++] = "-g";//如果不是Clang模式或没有设置m32_set标志,向参数列表中添加"-g"。 #else cc_params[cc_par_cnt++] = "-g"; -#endif +#endif//结束#if defined(__FreeBSD__) && defined(__x86_64__)条件编译块。 cc_params[cc_par_cnt++] = "-O3"; - cc_params[cc_par_cnt++] = "-funroll-loops"; + cc_params[cc_par_cnt++] = "-funroll-loops";//向参数列表中添加"-O3"和"-funroll-loops",这些是优化选项。 /* Two indicators that you're building for fuzzing; one of them is AFL-specific, the other is shared with libfuzzer. */ cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1"; cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1"; + //向参数列表中添加两个宏定义,这些宏定义指示编译器代码将用于模糊测试。 } @@ -297,7 +308,7 @@ static void edit_params(u32 argc, char** argv) { cc_params[cc_par_cnt++] = "-fno-builtin-memcmp"; cc_params[cc_par_cnt++] = "-fno-builtin-strstr"; cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr"; - + //如果设置,向参数列表中添加一系列"-fno-builtin-*"选项,这些选项禁用编译器的内置函数。 } cc_params[cc_par_cnt] = NULL; @@ -306,7 +317,7 @@ static void edit_params(u32 argc, char** argv) { /* Main entry point */ - +//最后是函数结束语,结束函数定义。 int main(int argc, char** argv) { if (isatty(2) && !getenv("AFL_QUIET")) { -- 2.34.1 From 6705d8e2435ee3b8109640c2ef312125a8b8b29a Mon Sep 17 00:00:00 2001 From: dongloong <1909842837@qq.com> Date: Mon, 21 Oct 2024 21:37:39 +0800 Subject: [PATCH 5/6] =?UTF-8?q?=E5=88=98=E6=98=8A=E5=86=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- afl-fuzz.c | 4899 ++++++++++++++++++++++++++-------------------------- 1 file changed, 2465 insertions(+), 2434 deletions(-) diff --git a/afl-fuzz.c b/afl-fuzz.c index 3d4a5a7..7fd40d8 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -67,6 +67,7 @@ #include #include +/*检查编译环境是否定义了__APPLE__、__FreeBSD__或__OpenBSD__宏,这些宏分别代表苹果的macOS系统、FreeBSD操作系统和OpenBSD操作系统*/ #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) # include #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ @@ -74,6 +75,7 @@ /* For systems that have sched_setaffinity; right now just Linux, but one can hope... */ +/*检查是否定义了__linux__宏,这个宏通常在编译Linux系统下的代码时被编译器定义*/ #ifdef __linux__ # define HAVE_AFFINITY 1 #endif /* __linux__ */ @@ -81,6 +83,8 @@ /* A toggle to export some variables when building as a library. Not very useful for the general public. */ +/*如果代码中定义了AFL_LIB宏,那么EXP_ST宏被定义为一个空的宏,可以作为布尔标志使用。 + 如果代码中没有定义AFL_LIB宏,那么EXP_ST宏被定义为static,用于限制作用域。*/ #ifdef AFL_LIB # define EXP_ST #else @@ -91,211 +95,211 @@ really makes no sense to haul them around as function parameters. */ -EXP_ST u8 *in_dir, /* Input directory with test cases */ - *out_file, /* File to fuzz, if any */ - *out_dir, /* Working & output directory */ - *sync_dir, /* Synchronization directory */ - *sync_id, /* Fuzzer ID */ - *use_banner, /* Display banner */ - *in_bitmap, /* Input bitmap */ - *doc_path, /* Path to documentation dir */ - *target_path, /* Path to target binary */ - *orig_cmdline; /* Original command line */ - -EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */ -static u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */ - -EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */ - -EXP_ST u32 cpu_to_bind = 0; /* id of free CPU core to bind */ - -static u32 stats_update_freq = 1; /* Stats update frequency (execs) */ - -EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ - force_deterministic, /* Force deterministic stages? */ - use_splicing, /* Recombine input files? */ - dumb_mode, /* Run in non-instrumented mode? */ - score_changed, /* Scoring for favorites changed? */ - kill_signal, /* Signal that killed the child */ - resuming_fuzz, /* Resuming an older fuzzing job? */ - timeout_given, /* Specific timeout given? */ - cpu_to_bind_given, /* Specified cpu_to_bind given? */ - not_on_tty, /* stdout is not a tty */ - term_too_small, /* terminal dimensions too small */ - uses_asan, /* Target uses ASAN? */ - no_forkserver, /* Disable forkserver? */ - crash_mode, /* Crash mode! Yeah! */ - in_place_resume, /* Attempt in-place resume? */ - auto_changed, /* Auto-generated tokens changed? */ - no_cpu_meter_red, /* Feng shui on the status screen */ - no_arith, /* Skip most arithmetic ops */ - shuffle_queue, /* Shuffle input queue? */ - bitmap_changed = 1, /* Time to update bitmap? */ - qemu_mode, /* Running in QEMU mode? */ - skip_requested, /* Skip request, via SIGUSR1 */ - run_over10m, /* Run time over 10 minutes? */ - persistent_mode, /* Running in persistent mode? */ - deferred_mode, /* Deferred forkserver mode? */ - fast_cal; /* Try to calibrate faster? */ - -static s32 out_fd, /* Persistent fd for out_file */ - dev_urandom_fd = -1, /* Persistent fd for /dev/urandom */ - dev_null_fd = -1, /* Persistent fd for /dev/null */ - fsrv_ctl_fd, /* Fork server control pipe (write) */ - fsrv_st_fd; /* Fork server status pipe (read) */ - -static s32 forksrv_pid, /* PID of the fork server */ - child_pid = -1, /* PID of the fuzzed program */ - out_dir_fd = -1; /* FD of the lock file */ - -EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */ - -EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */ - virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */ - virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */ - -static u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */ - -static s32 shm_id; /* ID of the SHM region */ - -static volatile u8 stop_soon, /* Ctrl-C pressed? */ - clear_screen = 1, /* Window resized? */ - child_timed_out; /* Traced process timed out? */ - -EXP_ST u32 queued_paths, /* Total number of queued testcases */ - queued_variable, /* Testcases with variable behavior */ - queued_at_start, /* Total number of initial inputs */ - queued_discovered, /* Items discovered during this run */ - queued_imported, /* Items imported via -S */ - queued_favored, /* Paths deemed favorable */ - queued_with_cov, /* Paths with new coverage bytes */ - pending_not_fuzzed, /* Queued but not done yet */ - pending_favored, /* Pending favored paths */ - cur_skipped_paths, /* Abandoned inputs in cur cycle */ - cur_depth, /* Current path depth */ - max_depth, /* Max path depth */ - useless_at_start, /* Number of useless starting paths */ - var_byte_count, /* Bitmap bytes with var behavior */ - current_entry, /* Current queue entry ID */ - havoc_div = 1; /* Cycle count divisor for havoc */ - -EXP_ST u64 total_crashes, /* Total number of crashes */ - unique_crashes, /* Crashes with unique signatures */ - total_tmouts, /* Total number of timeouts */ - unique_tmouts, /* Timeouts with unique signatures */ - unique_hangs, /* Hangs with unique signatures */ - total_execs, /* Total execve() calls */ - slowest_exec_ms, /* Slowest testcase non hang in ms */ - start_time, /* Unix start time (ms) */ - last_path_time, /* Time for most recent path (ms) */ - last_crash_time, /* Time for most recent crash (ms) */ - last_hang_time, /* Time for most recent hang (ms) */ - last_crash_execs, /* Exec counter at last crash */ - queue_cycle, /* Queue round counter */ - cycles_wo_finds, /* Cycles without any new paths */ - trim_execs, /* Execs done to trim input files */ - bytes_trim_in, /* Bytes coming into the trimmer */ - bytes_trim_out, /* Bytes coming outa the trimmer */ - blocks_eff_total, /* Blocks subject to effector maps */ - blocks_eff_select; /* Blocks selected as fuzzable */ - -static u32 subseq_tmouts; /* Number of timeouts in a row */ - -static u8 *stage_name = "init", /* Name of the current fuzz stage */ - *stage_short, /* Short stage name */ - *syncing_party; /* Currently syncing with... */ - -static s32 stage_cur, stage_max; /* Stage progression */ -static s32 splicing_with = -1; /* Splicing with which test case? */ - -static u32 master_id, master_max; /* Master instance job splitting */ - -static u32 syncing_case; /* Syncing with case #... */ - -static s32 stage_cur_byte, /* Byte offset of current stage op */ - stage_cur_val; /* Value used for stage op */ - -static u8 stage_val_type; /* Value type (STAGE_VAL_*) */ - -static u64 stage_finds[32], /* Patterns found per fuzz stage */ - stage_cycles[32]; /* Execs per fuzz stage */ - -static u32 rand_cnt; /* Random number counter */ - -static u64 total_cal_us, /* Total calibration time (us) */ - total_cal_cycles; /* Total calibration cycles */ - -static u64 total_bitmap_size, /* Total bit count for all bitmaps */ - total_bitmap_entries; /* Number of bitmaps counted */ - -static s32 cpu_core_count; /* CPU core count */ +EXP_ST u8 *in_dir, /* 包含测试用例的输入目录 */ + *out_file, /* 要模糊测试的文件(如果有的话) */ + *out_dir, /* 工作和输出目录 */ + *sync_dir, /* 同步目录 */ + *sync_id, /* 模糊测试器标识符 */ + *use_banner, /* 显示横幅 */ + *in_bitmap, /* 输入位图 */ + *doc_path, /* 文档目录的路径 */ + *target_path, /* 目标二进制文件路径 */ + *orig_cmdline; /* 原始命令行 */ + +EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* 可配置的执行超时 (ms) */ +static u32 hang_tmout = EXEC_TIMEOUT; /* 用于挂起的超时时间 (ms) */ + +EXP_ST u64 mem_limit = MEM_LIMIT; /* 子进程的内存限制 (MB) */ + +EXP_ST u32 cpu_to_bind = 0; /* 待绑定的空闲CPU核id */ + +static u32 stats_update_freq = 1; /* 统计更新频率 (执行次数)*/ + +EXP_ST u8 skip_deterministic, /* 跳过确定性阶段? */ + force_deterministic, /* 强制执行确定性阶段? */ + use_splicing, /* 重组输入文件? */ + dumb_mode, /* 在非插桩模式下运行? */ + score_changed, /* 收藏项的评分改变了? */ + kill_signal, /* 导致子进程退出的信号 */ + resuming_fuzz, /* 恢复旧的模糊测试工作? */ + timeout_given, /* 给出了特定的超时时间? */ + cpu_to_bind_given, /* 指定了cpu_to_bind? */ + not_on_tty, /* 标准输出不是tty */ + term_too_small, /* 终端尺寸太小 */ + uses_asan, /* 目标使用ASAN? */ + no_forkserver, /* 禁用forkserver? */ + crash_mode, /* 崩溃模式!耶! */ + in_place_resume, /* 尝试就地恢复? */ + auto_changed, /* 自动生成的令牌改变了? */ + no_cpu_meter_red, /* 状态屏幕上的风水 */ + no_arith, /* 跳过大多数算术操作 */ + shuffle_queue, /* 打乱输入队列? */ + bitmap_changed = 1, /* 更新位图的时间? */ + qemu_mode, /* 在QEMU模式下运行? */ + skip_requested, /* 通过SIGUSR1跳过请求 */ + run_over10m, /* 运行时间超过10分钟? */ + persistent_mode, /* 在持久模式下运行? */ + deferred_mode, /* 延迟forkserver模式? */ + fast_cal; /* 尝试更快地校准? */ + +static s32 out_fd, /* 用于out_file的持久文件描述符 */ + dev_urandom_fd = -1, /* 用于/dev/urandom的持久文件描述符 */ + dev_null_fd = -1, /* 用于/dev/null的持久文件描述符 */ + fsrv_ctl_fd, /* fork服务器控制管道(写入) */ + fsrv_st_fd; /* fork服务器状态管道(读取) */ + +static s32 forksrv_pid, /* fork服务器的进程ID */ + child_pid = -1, /* 被模糊测试的程序的进程ID */ + out_dir_fd = -1; /* 锁定文件的文件描述符 */ + +EXP_ST u8* trace_bits; /* 与插桩位图共享的共享内存 */ + +EXP_ST u8 virgin_bits[MAP_SIZE], /* 尚未被模糊测试触及的区域 */ + virgin_tmout[MAP_SIZE], /* 我们在超时中尚未见过的位 */ + virgin_crash[MAP_SIZE]; /* 我们在崩溃中尚未见过的位 */ + +static u8 var_bytes[MAP_SIZE]; /* 看起来是可变的字节 */ + +static s32 shm_id; /* 共享内存区域的ID */ + +static volatile u8 stop_soon, /* Ctrl-C 被按下了吗? */ + clear_screen = 1, /* 窗口被调整大小了吗? */ + child_timed_out; /* 被追踪的进程超时了吗? */ + +EXP_ST u32 queued_paths, /* 排队的测试用例总数 */ + queued_variable, /* 具有可变行为的测试用例 */ + queued_at_start, /* 初始输入的总数 */ + queued_discovered, /* 在此运行期间发现的项目 */ + queued_imported, /* 通过-S导入的项目 */ + queued_favored, /* 被认为有利的路径 */ + queued_with_cov, /* 有新的覆盖字节的路径 */ + pending_not_fuzzed, /* 已排队但尚未完成 */ + pending_favored, /* 等待中的优先路径 */ + cur_skipped_paths, /* 当前周期中放弃的输入 */ + cur_depth, /* 当前路径深度 */ + max_depth, /* 最大路径深度 */ + useless_at_start, /* 无用的起始路径数量 */ + var_byte_count, /* 具有可变行为的位图字节 */ + current_entry, /* 当前队列条目ID */ + havoc_div = 1; /* 对havoc的循环计数除数 */ + +EXP_ST u64 total_crashes, /* 崩溃总数 */ + unique_crashes, /* 具有唯一签名的崩溃 */ + total_tmouts, /* 超时总数 */ + unique_tmouts, /* 具有唯一签名的超时 */ + unique_hangs, /* 具有唯一签名的挂起 */ + total_execs, /* 总的execve()调用次数 */ + slowest_exec_ms, /* 最慢的测试用例非挂起时间(ms) */ + start_time, /* Unix开始时间(ms) */ + last_path_time, /* 最近路径的时间(ms) */ + last_crash_time, /* 最近崩溃的时间(ms) */ + last_hang_time, /* 最近挂起的时间(ms) */ + last_crash_execs, /* 上次崩溃时的执行计数器 */ + queue_cycle, /* 队列循环计数器 */ + cycles_wo_finds, /* 没有发现新路径的周期数 */ + trim_execs, /* 用于修剪输入文件的执行次数 */ + bytes_trim_in, /* 进入修剪器的字节 */ + bytes_trim_out, /* 从修剪器出来的字节 */ + blocks_eff_total, /* 受效应器映射影响的块 */ + blocks_eff_select; /* 被选为可模糊化的块 */ + +static u32 subseq_tmouts; /* 连续超时的次数 */ + +static u8 *stage_name = "init", /* 当前模糊测试阶段的名称 */ + *stage_short, /* 简短的阶段名称 */ + *syncing_party; /* 当前正在同步的... */ + +static s32 stage_cur, stage_max; /* 阶段进度 */ +static s32 splicing_with = -1; /* 与哪个测试用例混合? */ + +static u32 master_id, master_max; /* 主实例工作分割 */ + +static u32 syncing_case; /* 与案例#...同步 */ + +static s32 stage_cur_byte, /* 当前阶段操作的字节偏移量 */ + stage_cur_val; /* 用于阶段操作的值 */ + +static u8 stage_val_type; /* 值类型(STAGE_VAL_*) */ + +static u64 stage_finds[32], /* 每个模糊测试阶段发现的模式 */ + stage_cycles[32]; /* 每个模糊测试阶段的执行次数 */ + +static u32 rand_cnt; /* 随机数计数器 */ + +static u64 total_cal_us, /* 总校准时间(微秒) */ + total_cal_cycles; /* 总校准周期 */ + +static u64 total_bitmap_size, /* 所有位图的总位数 */ + total_bitmap_entries; /* 计算的位图数量 */ + +static s32 cpu_core_count; /* CPU核心数 */ #ifdef HAVE_AFFINITY -static s32 cpu_aff = -1; /* Selected CPU core */ +static s32 cpu_aff = -1; /* 选择的CPU核心 */ #endif /* HAVE_AFFINITY */ -static FILE* plot_file; /* Gnuplot output file */ +static FILE* plot_file; /* Gnuplot输出文件 */ struct queue_entry { + + u8* fname; /* 测试用例的文件名 */ + u32 len; /* 输入长度 */ - u8* fname; /* File name for the test case */ - u32 len; /* Input length */ - - u8 cal_failed, /* Calibration failed? */ - trim_done, /* Trimmed? */ - was_fuzzed, /* Had any fuzzing done yet? */ - passed_det, /* Deterministic stages passed? */ - has_new_cov, /* Triggers new coverage? */ - var_behavior, /* Variable behavior? */ - favored, /* Currently favored? */ - fs_redundant; /* Marked as redundant in the fs? */ + u8 cal_failed, /* 校准失败? */ + trim_done, /* 修剪完成? */ + was_fuzzed, /* 之前进行过模糊测试吗? */ + passed_det, /* 通过了确定性阶段吗? */ + has_new_cov, /* 触发了新的代码覆盖吗? */ + var_behavior, /* 表现出可变行为吗? */ + favored, /* 当前是否被优先考虑? */ + fs_redundant; /* 在文件系统中被标记为冗余了吗? */ - u32 bitmap_size, /* Number of bits set in bitmap */ - exec_cksum; /* Checksum of the execution trace */ + u32 bitmap_size, /* 位图中设置的位数 */ + exec_cksum; /* 执行轨迹的校验和 */ - u64 exec_us, /* Execution time (us) */ - handicap, /* Number of queue cycles behind */ - depth; /* Path depth */ + u64 exec_us, /* 执行时间(微秒) */ + handicap, /* 在队列中的落后周期数 */ + depth; /* 路径深度 */ - u8* trace_mini; /* Trace bytes, if kept */ - u32 tc_ref; /* Trace bytes ref count */ + u8* trace_mini; /* 如果保留,执行轨迹的字节 */ + u32 tc_ref; /* 执行轨迹字节的引用计数 */ - struct queue_entry *next, /* Next element, if any */ - *next_100; /* 100 elements ahead */ + struct queue_entry *next, /* 下一个元素,如果有的话 */ + *next_100; /* 100个元素之后的元素 */ }; -static struct queue_entry *queue, /* Fuzzing queue (linked list) */ - *queue_cur, /* Current offset within the queue */ - *queue_top, /* Top of the list */ - *q_prev100; /* Previous 100 marker */ +static struct queue_entry *queue, /* 模糊测试队列(链表) */ + *queue_cur, /* 队列中的当前偏移量 */ + *queue_top, /* 列表的顶部 */ + *q_prev100; /* 上一个100个标记 */ static struct queue_entry* - top_rated[MAP_SIZE]; /* Top entries for bitmap bytes */ + top_rated[MAP_SIZE]; /* 位图字节的顶级条目 */ struct extra_data { - u8* data; /* Dictionary token data */ - u32 len; /* Dictionary token length */ - u32 hit_cnt; /* Use count in the corpus */ + u8* data; /* 词典令牌数据 */ + u32 len; /* 词典令牌长度 */ + u32 hit_cnt; /* 在语料库中的使用次数 */ }; -static struct extra_data* extras; /* Extra tokens to fuzz with */ -static u32 extras_cnt; /* Total number of tokens read */ +static struct extra_data* extras; /* 用于模糊测试的额外令牌 */ +static u32 extras_cnt; /* 读取的令牌总数 */ -static struct extra_data* a_extras; /* Automatically selected extras */ -static u32 a_extras_cnt; /* Total number of tokens available */ +static struct extra_data* a_extras; /* 自动选择的额外令牌 */ +static u32 a_extras_cnt; /* 可用的令牌总数 */ static u8* (*post_handler)(u8* buf, u32* len); -/* Interesting values, as per config.h */ +/* 根据config.h中的设置interesting的值 */ static s8 interesting_8[] = { INTERESTING_8 }; static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 }; static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 }; -/* Fuzzing stages */ +/* 模糊测试阶段 */ enum { /* 00 */ STAGE_FLIP1, @@ -317,7 +321,7 @@ enum { /* 16 */ STAGE_SPLICE }; -/* Stage value types */ +/*阶段值类型 */ enum { /* 00 */ STAGE_VAL_NONE, @@ -325,7 +329,7 @@ enum { /* 02 */ STAGE_VAL_BE }; -/* Execution status fault codes */ +/* 执行状态故障代码 */ enum { /* 00 */ FAULT_NONE, @@ -337,7 +341,7 @@ enum { }; -/* Get unix time in milliseconds */ +/* 获取毫秒级的Unix时间戳 */ static u64 get_cur_time(void) { @@ -351,7 +355,7 @@ static u64 get_cur_time(void) { } -/* Get unix time in microseconds */ +/* 获取微秒级的Unix时间戳 */ static u64 get_cur_time_us(void) { @@ -365,8 +369,7 @@ static u64 get_cur_time_us(void) { } -/* Generate a random number (from 0 to limit - 1). This may - have slight bias. */ +/* 生成一个随机数(从0到限值减1)。这可能存在轻微的偏差。 */ static inline u32 UR(u32 limit) { @@ -386,7 +389,7 @@ static inline u32 UR(u32 limit) { } -/* Shuffle an array of pointers. Might be slightly biased. */ +/* 洗牌一个指针数组。可能会有轻微的偏差。 */ static void shuffle_ptrs(void** ptrs, u32 cnt) { @@ -406,8 +409,7 @@ static void shuffle_ptrs(void** ptrs, u32 cnt) { #ifdef HAVE_AFFINITY -/* Build a list of processes bound to specific cores. Returns -1 if nothing - can be found. Assumes an upper bound of 4k CPUs. */ +/* 构建绑定到特定核心的进程列表。如果找不到任何东西,返回-1。假设cpu上限为4k。 */ static void bind_to_free_cpu(void) { @@ -438,15 +440,13 @@ static void bind_to_free_cpu(void) { ACTF("Checking CPU core loadout..."); - /* Introduce some jitter, in case multiple AFL tasks are doing the same - thing at the same time... */ + /* 引入一些抖动,以防多个AFL任务在同一时间做同一件事情... */ usleep(R(1000) * 250); - /* Scan all /proc//status entries, checking for Cpus_allowed_list. - Flag all processes bound to a specific CPU using cpu_used[]. This will - fail for some exotic binding setups, but is likely good enough in almost - all real-world use cases. */ + /* 扫描所有 /proc//status 条目,检查 Cpus_allowed_list。 + 使用 cpu_used[] 标记所有绑定到特定 CPU 的进程。 + 这在某些特殊的绑定设置中可能会失败,但在几乎所有现实世界的用例中都足够好。 */ while ((de = readdir(d))) { @@ -468,7 +468,7 @@ static void bind_to_free_cpu(void) { u32 hval; - /* Processes without VmSize are probably kernel tasks. */ + /* 没有VmSize的进程可能是内核任务。 */ if (!strncmp(tmp, "VmSize:\t", 8)) has_vmsize = 1; @@ -535,8 +535,7 @@ static void bind_to_free_cpu(void) { #ifndef IGNORE_FINDS -/* Helper function to compare buffers; returns first and last differing offset. We - use this to find reasonable locations for splicing two files. */ +/* 辅助函数用于比较缓冲区;返回第一个和最后一个不同的偏移量。我们用这个来找到合理的地点来拼接两个文件。 */ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { @@ -565,9 +564,8 @@ static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* last) { #endif /* !IGNORE_FINDS */ -/* Describe integer. Uses 12 cyclic static buffers for return values. The value - returned should be five characters or less for all the integers we reasonably - expect to see. */ +/*描述整数。使用12个循环的静态缓冲区来存储返回值。 +对于我们合理预期会看到的所有的整数,返回的值应该是五个字符或更少。 */ static u8* DI(u64 val) { @@ -623,8 +621,7 @@ static u8* DI(u64 val) { } -/* Describe float. Similar to the above, except with a single - static buffer. */ +/* 描述浮点数。与上面的类似,只是使用单个静态缓冲区。 */ static u8* DF(double val) { @@ -645,7 +642,7 @@ static u8* DF(double val) { } -/* Describe integer as memory size. */ +/* 将整数描述为内存大小。*/ static u8* DMS(u64 val) { @@ -696,7 +693,7 @@ static u8* DMS(u64 val) { } -/* Describe time delta. Returns one static buffer, 34 chars of less. */ +/* 描述时间增量。返回一个静态缓冲区,长度不超过34个字符。 */ static u8* DTD(u64 cur_ms, u64 event_ms) { @@ -719,9 +716,7 @@ static u8* DTD(u64 cur_ms, u64 event_ms) { } -/* Mark deterministic checks as done for a particular queue entry. We use the - .state file to avoid repeating deterministic fuzzing when resuming aborted - scans. */ +/* 标记特定队列条目的确定性检查为已完成。我们使用.state文件来避免在恢复中断的扫描时重复进行确定性模糊测试。 */ static void mark_as_det_done(struct queue_entry* q) { @@ -741,8 +736,7 @@ static void mark_as_det_done(struct queue_entry* q) { } -/* Mark as variable. Create symlinks if possible to make it easier to examine - the files. */ +/* 标记为变量。如果可能的话,创建符号链接以便于检查文件。 */ static void mark_as_variable(struct queue_entry* q) { @@ -767,8 +761,7 @@ static void mark_as_variable(struct queue_entry* q) { } -/* Mark / unmark as redundant (edge-only). This is not used for restoring state, - but may be useful for post-processing datasets. */ +/* 标记/取消标记为冗余(仅边)。这并不用于恢复状态,但可能对后处理数据集有用。 */ static void mark_as_redundant(struct queue_entry* q, u8 state) { @@ -799,7 +792,7 @@ static void mark_as_redundant(struct queue_entry* q, u8 state) { } -/* Append new test case to the queue. */ +/* 向队列追加新的测试用例。 */ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { @@ -824,7 +817,7 @@ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { cycles_wo_finds = 0; - /* Set next_100 pointer for every 100th element (index 0, 100, etc) to allow faster iteration. */ + /* 为每100个元素(索引0,100等)设置next_100指针,以允许更快的迭代。 */ if ((queued_paths - 1) % 100 == 0 && queued_paths > 1) { q_prev100->next_100 = q; @@ -837,7 +830,7 @@ static void add_to_queue(u8* fname, u32 len, u8 passed_det) { } -/* Destroy the entire queue. */ +/* 销毁整个队列。 */ EXP_ST void destroy_queue(void) { @@ -856,9 +849,8 @@ EXP_ST void destroy_queue(void) { } -/* Write bitmap to file. The bitmap is useful mostly for the secret - -B option, to focus a separate fuzzing session on a particular - interesting input without rediscovering all the others. */ +/* 将位图写入文件。位图主要用于秘密的 -B 选项,以便在不重新发现所有 + 其他内容的情况下,将单独的模糊测试会话集中在某个特定的有趣输入上。*/ EXP_ST void write_bitmap(void) { @@ -881,7 +873,7 @@ EXP_ST void write_bitmap(void) { } -/* Read bitmap from file. This is for the -B option again. */ +/* 从文件中读取位图。这是-B选项。 */ EXP_ST void read_bitmap(u8* fname) { @@ -896,13 +888,11 @@ EXP_ST void read_bitmap(u8* fname) { } -/* Check if the current execution path brings anything new to the table. - Update virgin bits to reflect the finds. Returns 1 if the only change is - the hit-count for a particular tuple; 2 if there are new tuples seen. - Updates the map, so subsequent calls will always return 0. +/* 检查当前的执行路径是否带来了新的内容。 +更新virgin bits以反映发现的内容。如果唯一的变化是某个特定元组的命中次数,则返回1;如果看到了新的元组,则返回2。 +更新映射,因此后续调用总是返回0。 - This function is called after every exec() on a fairly large buffer, so - it needs to be fast. We do this in 32-bit and 64-bit flavors. */ +这个函数在每次对相当大的缓冲区执行exec()之后被调用,所以它需要快速。我们在32位和64位版本中都这样做。 */ static inline u8 has_new_bits(u8* virgin_map) { @@ -926,9 +916,7 @@ static inline u8 has_new_bits(u8* virgin_map) { while (i--) { - /* Optimize for (*current & *virgin) == 0 - i.e., no bits in current bitmap - that have not been already cleared from the virgin map - since this will - almost always be the case. */ + /* 针对(*current & *virgin)== 0进行优化——即,当前位图中没有未从virgin map中清除的位——因为这种情况几乎总是会出现。 */ if (unlikely(*current) && unlikely(*current & *virgin)) { @@ -937,8 +925,7 @@ static inline u8 has_new_bits(u8* virgin_map) { u8* cur = (u8*)current; u8* vir = (u8*)virgin; - /* Looks like we have not found any new bytes yet; see if any non-zero - bytes in current[] are pristine in virgin[]. */ + /* 看起来我们还没有找到任何新的字节;检查current[]中的任何非零字节是否在virgin[]中是未被触碰的。*/ #ifdef WORD_SIZE_64 @@ -974,8 +961,7 @@ static inline u8 has_new_bits(u8* virgin_map) { } -/* Count the number of bits set in the provided bitmap. Used for the status - screen several times every second, does not have to be fast. */ +/* 计算提供的位图中设置的位数。它每秒多次用于状态屏幕,不需要太快。 */ static u32 count_bits(u8* mem) { @@ -987,8 +973,7 @@ static u32 count_bits(u8* mem) { u32 v = *(ptr++); - /* This gets called on the inverse, virgin bitmap; optimize for sparse - data. */ + /* 这个函数被调用在相反的,virgin bitmap上;针对稀疏数据进行优化。 */ if (v == 0xffffffff) { ret += 32; @@ -1008,9 +993,7 @@ static u32 count_bits(u8* mem) { #define FF(_b) (0xff << ((_b) << 3)) -/* Count the number of bytes set in the bitmap. Called fairly sporadically, - mostly to update the status screen or calibrate and examine confirmed - new paths. */ +/* 计算位图中设置的字节数。调用相对不频繁,主要用于更新状态屏幕或校准和检查确认的新路径。 */ static u32 count_bytes(u8* mem) { @@ -1035,8 +1018,7 @@ static u32 count_bytes(u8* mem) { } -/* Count the number of non-255 bytes set in the bitmap. Used strictly for the - status screen, several calls per second or so. */ +/* 计算位图中非255字节的数量。仅用于状态屏幕,每秒大约有几调用。*/ static u32 count_non_255_bytes(u8* mem) { @@ -1048,8 +1030,7 @@ static u32 count_non_255_bytes(u8* mem) { u32 v = *(ptr++); - /* This is called on the virgin bitmap, so optimize for the most likely - case. */ + /* 这个函数是在virgin bitmap上调用的,因此要针对最可能的情况进行优化。 */ if (v == 0xffffffff) continue; if ((v & FF(0)) != FF(0)) ret++; @@ -1064,10 +1045,8 @@ static u32 count_non_255_bytes(u8* mem) { } -/* Destructively simplify trace by eliminating hit count information - and replacing it with 0x80 or 0x01 depending on whether the tuple - is hit or not. Called on every new crash or timeout, should be - reasonably fast. */ +/* 通过消除命中次数信息,并根据元组是否被命中,用0x80或0x01替换, +来破坏性地简化跟踪信息。在每次新的崩溃或超时时被调用,应该足够快。 */ static const u8 simplify_lookup[256] = { @@ -1084,7 +1063,7 @@ static void simplify_trace(u64* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1115,7 +1094,7 @@ static void simplify_trace(u32* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1136,9 +1115,7 @@ static void simplify_trace(u32* mem) { #endif /* ^WORD_SIZE_64 */ -/* Destructively classify execution counts in a trace. This is used as a - preprocessing step for any newly acquired traces. Called on every exec, - must be fast. */ +/* 破坏性地对跟踪中的执行计数进行分类。这用作任何新获得的跟踪的预处理步骤。每次执行时都会被调用,必须快速。 */ static const u8 count_class_lookup8[256] = { @@ -1178,7 +1155,7 @@ static inline void classify_counts(u64* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1205,7 +1182,7 @@ static inline void classify_counts(u32* mem) { while (i--) { - /* Optimize for sparse bitmaps. */ + /* 优化稀疏位图 */ if (unlikely(*mem)) { @@ -1225,7 +1202,7 @@ static inline void classify_counts(u32* mem) { #endif /* ^WORD_SIZE_64 */ -/* Get rid of shared memory (atexit handler). */ +/* 摆脱共享内存(atexit处理程序) */ static void remove_shm(void) { @@ -1234,9 +1211,7 @@ static void remove_shm(void) { } -/* Compact trace bytes into a smaller bitmap. We effectively just drop the - count information here. This is called only sporadically, for some - new paths. */ +/* 将跟踪字节压缩到更小的位图中。我们实际上在这里只是丢弃了计数信息。这个函数只在一些新路径上偶尔被调用。 */ static void minimize_bits(u8* dst, u8* src) { @@ -1252,23 +1227,21 @@ static void minimize_bits(u8* dst, u8* src) { } -/* When we bump into a new path, we call this to see if the path appears - more "favorable" than any of the existing ones. The purpose of the - "favorables" is to have a minimal set of paths that trigger all the bits - seen in the bitmap so far, and focus on fuzzing them at the expense of - the rest. +/* 当我们遇到一个新的路径时,我们会调用这个函数来查看这个路径是否看起来比现有的任何路径都更“favorable”。 +“favorable”的目的是拥有一个最小的路径集合,这些路径触发了迄今为止在位图中看到的所有位, +并专注于对这些路径进行模糊测试,而牺牲其他路径。 - The first step of the process is to maintain a list of top_rated[] entries - for every byte in the bitmap. We win that slot if there is no previous - contender, or if the contender has a more favorable speed x size factor. */ +这个过程的第一步是为位图中的每个字节维护一个top_rated[]条目列表。如果之前没有竞争者, +或者竞争者具有更有利的速度x大小因子,我们就赢得了那个位置。 + +对于trace_bits[]中设置的每个字节,看看是否有之前的获胜者,以及它与我们的比较情况。 */ static void update_bitmap_score(struct queue_entry* q) { u32 i; u64 fav_factor = q->exec_us * q->len; - /* For every byte set in trace_bits[], see if there is a previous winner, - and how it compares to us. */ + /* 对于trace_bits[]中设置的每个字节,看看是否有之前的获胜者,以及它与我们的比较情况。 */ for (i = 0; i < MAP_SIZE; i++) @@ -1276,12 +1249,11 @@ static void update_bitmap_score(struct queue_entry* q) { if (top_rated[i]) { - /* Faster-executing or smaller test cases are favored. */ + /* 执行速度更快或更小的测试用例是受青睐的。*/ if (fav_factor > top_rated[i]->exec_us * top_rated[i]->len) continue; - /* Looks like we're going to win. Decrease ref count for the - previous winner, discard its trace_bits[] if necessary. */ + /* 看来我们要赢了。为之前的获胜者减少引用计数,如果需要的话,丢弃它的trace_bits[]。 */ if (!--top_rated[i]->tc_ref) { ck_free(top_rated[i]->trace_mini); @@ -1290,7 +1262,7 @@ static void update_bitmap_score(struct queue_entry* q) { } - /* Insert ourselves as the new winner. */ + /* 将自己插入为新的获胜者。 */ top_rated[i] = q; q->tc_ref++; @@ -1307,11 +1279,9 @@ static void update_bitmap_score(struct queue_entry* q) { } -/* The second part of the mechanism discussed above is a routine that - goes over top_rated[] entries, and then sequentially grabs winners for - previously-unseen bytes (temp_v) and marks them as favored, at least - until the next run. The favored entries are given more air time during - all fuzzing steps. */ +/* +上述机制的第二部分是一个例程,它遍历top_rated[]条目,然后依次获取之前未见过的字节(temp_v)的获胜者, +并将它们标记为受青睐的,至少直到下一次运行。在所有的模糊测试步骤中,受青睐的条目会被给予更多的测试时间。*/ static void cull_queue(void) { @@ -1335,15 +1305,14 @@ static void cull_queue(void) { q = q->next; } - /* Let's see if anything in the bitmap isn't captured in temp_v. - If yes, and if it has a top_rated[] contender, let's use it. */ + /* 让我们看看位图中是否有未在temp_v中捕获的内容。如果有,并且它在top_rated[]中有竞争者,那么我们就使用它。 */ for (i = 0; i < MAP_SIZE; i++) if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) { u32 j = MAP_SIZE >> 3; - /* Remove all bits belonging to the current entry from temp_v. */ + /* 从temp_v中删除属于当前条目的所有位。 */ while (j--) if (top_rated[i]->trace_mini[j]) @@ -1366,7 +1335,7 @@ static void cull_queue(void) { } -/* Configure shared memory and virgin_bits. This is called at startup. */ +/* 配置共享内存和virgin_bits。这在启动时被调用。 */ EXP_ST void setup_shm(void) { @@ -1385,10 +1354,8 @@ EXP_ST void setup_shm(void) { shm_str = alloc_printf("%d", shm_id); - /* If somebody is asking us to fuzz instrumented binaries in dumb mode, - we don't want them to detect instrumentation, since we won't be sending - fork server commands. This should be replaced with better auto-detection - later on, perhaps? */ + /* 如果有人要求我们在dump模式下对插桩的二进制文件进行模糊测试,我们不希望他们检测到插桩, + 因为我们不会发送fork服务器命令。这应该在以后被更好的自动检测所取代,对吗? */ if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1); @@ -1401,7 +1368,7 @@ EXP_ST void setup_shm(void) { } -/* Load postprocessor, if available. */ +/* 加载后处理器(如果可用) */ static void setup_post(void) { @@ -1419,7 +1386,7 @@ static void setup_post(void) { post_handler = dlsym(dh, "afl_postprocess"); if (!post_handler) FATAL("Symbol 'afl_postprocess' not found."); - /* Do a quick test. It's better to segfault now than later =) */ + /* 做一个快速测试。现在分段故障比以后好=) */ post_handler("hello", &tlen); @@ -1428,8 +1395,7 @@ static void setup_post(void) { } -/* Read all testcases from the input directory, then queue them for testing. - Called at startup. */ +/* 从输入目录读取所有测试用例,然后将它们排队进行测试。在启动时调用。*/ static void read_testcases(void) { @@ -1438,16 +1404,14 @@ static void read_testcases(void) { u32 i; u8* fn; - /* Auto-detect non-in-place resumption attempts. */ + /* 自动检测非原位恢复尝试。 */ fn = alloc_printf("%s/queue", in_dir); if (!access(fn, F_OK)) in_dir = fn; else ck_free(fn); ACTF("Scanning '%s'...", in_dir); - /* We use scandir() + alphasort() rather than readdir() because otherwise, - the ordering of test cases would vary somewhat randomly and would be - difficult to control. */ + /* 我们使用 scandir() + alphasort() 而不是 readdir(),因为如果不这样,测试用例的排序会有些随机,并且难以控制。 */ nl_cnt = scandir(in_dir, &nl, NULL, alphasort); @@ -1486,7 +1450,7 @@ static void read_testcases(void) { if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); - /* This also takes care of . and .. */ + /* 这也照顾.和. . */ if (!S_ISREG(st.st_mode) || !st.st_size || strstr(fn, "/README.testcases")) { @@ -1500,10 +1464,8 @@ static void read_testcases(void) { FATAL("Test case '%s' is too big (%s, limit is %s)", fn, DMS(st.st_size), DMS(MAX_FILE)); - /* Check for metadata that indicates that deterministic fuzzing - is complete for this entry. We don't want to repeat deterministic - fuzzing when resuming aborted scans, because it would be pointless - and probably very time-consuming. */ + /* 检查元数据,以确定是否已经完成了这项条目的确定性模糊测试。 + 我们不想在恢复中断的扫描时重复进行确定性模糊测试,因为这样做毫无意义,而且可能非常耗时。 */ if (!access(dfn, F_OK)) passed_det = 1; ck_free(dfn); @@ -1532,7 +1494,7 @@ static void read_testcases(void) { } -/* Helper function for load_extras. */ +/* load_extras的辅助函数 */ static int compare_extras_len(const void* p1, const void* p2) { struct extra_data *e1 = (struct extra_data*)p1, @@ -1549,7 +1511,7 @@ static int compare_extras_use_d(const void* p1, const void* p2) { } -/* Read extras from a file, sort by size. */ +/* 从文件中读取额外内容,按大小排序。 */ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, u32 dict_level) { @@ -1570,7 +1532,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, cur_line++; - /* Trim on left and right. */ + /* 修剪左右 */ while (isspace(*lptr)) lptr++; @@ -1579,11 +1541,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, rptr++; *rptr = 0; - /* Skip empty lines and comments. */ + /* 跳过空行和注释 */ if (!*lptr || *lptr == '#') continue; - /* All other lines must end with '"', which we can consume. */ + /* 所有其他行必须以‘ " ’结尾,我们可以使用它。 */ rptr--; @@ -1592,11 +1554,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, *rptr = 0; - /* Skip alphanumerics and dashes (label). */ + /* 跳过字母数字和破折号(标签) */ while (isalnum(*lptr) || *lptr == '_') lptr++; - /* If @number follows, parse that. */ + /* 如果后面跟着@number,解析它 */ if (*lptr == '@') { @@ -1606,11 +1568,11 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, } - /* Skip whitespace and = signs. */ + /* 跳过空格和=号 */ while (isspace(*lptr) || *lptr == '=') lptr++; - /* Consume opening '"'. */ + /* 消费开放‘ " ’ 。 */ if (*lptr != '"') FATAL("Malformed name=\"keyword\" pair in line %u.", cur_line); @@ -1619,8 +1581,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, if (!*lptr) FATAL("Empty keyword in line %u.", cur_line); - /* Okay, let's allocate memory and copy data between "...", handling - \xNN escaping, \\, and \". */ + /* 好的,我们来分配内存并在 "..." 之间复制数据,同时处理 \xNN 转义、\ 和 "*/ extras = ck_realloc_block(extras, (extras_cnt + 1) * sizeof(struct extra_data)); @@ -1686,7 +1647,7 @@ static void load_extras_file(u8* fname, u32* min_len, u32* max_len, } -/* Read extras from the extras directory and sort them by size. */ +/* 从extras目录中读取extras,并按大小排序。 */ static void load_extras(u8* dir) { @@ -1695,7 +1656,7 @@ static void load_extras(u8* dir) { u32 min_len = MAX_DICT_FILE, max_len = 0, dict_level = 0; u8* x; - /* If the name ends with @, extract level and continue. */ + /* 如果名称以@结尾,则提取level并继续 */ if ((x = strchr(dir, '@'))) { @@ -1730,7 +1691,7 @@ static void load_extras(u8* dir) { if (lstat(fn, &st) || access(fn, R_OK)) PFATAL("Unable to access '%s'", fn); - /* This also takes care of . and .. */ + /* 这也照顾.和. . */ if (!S_ISREG(st.st_mode) || !st.st_size) { ck_free(fn); @@ -1788,7 +1749,7 @@ check_and_sort: -/* Helper function for maybe_add_auto() */ +/* maybe_add_auto()的辅助函数 */ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { @@ -1798,24 +1759,24 @@ static inline u8 memcmp_nocase(u8* m1, u8* m2, u32 len) { } -/* Maybe add automatic extra. */ +/* 也许可以加上自动附加功能 */ static void maybe_add_auto(u8* mem, u32 len) { u32 i; - /* Allow users to specify that they don't want auto dictionaries. */ + /* 允许用户指定他们不需要自动字典 */ if (!MAX_AUTO_EXTRAS || !USE_AUTO_EXTRAS) return; - /* Skip runs of identical bytes. */ + /* 跳过相同字节的运行 */ for (i = 1; i < len; i++) if (mem[0] ^ mem[i]) break; if (i == len) return; - /* Reject builtin interesting values. */ + /* 拒绝内置有趣的值 */ if (len == 2) { @@ -1837,9 +1798,7 @@ static void maybe_add_auto(u8* mem, u32 len) { } - /* Reject anything that matches existing extras. Do a case-insensitive - match. We optimize by exploiting the fact that extras[] are sorted - by size. */ + /* 拒绝任何与现有额外内容匹配的条目。进行不区分大小写的匹配。我们通过利用extras[]按大小排序的事实来优化这个过程。 */ for (i = 0; i < extras_cnt; i++) if (extras[i].len >= len) break; @@ -1847,8 +1806,7 @@ static void maybe_add_auto(u8* mem, u32 len) { for (; i < extras_cnt && extras[i].len == len; i++) if (!memcmp_nocase(extras[i].data, mem, len)) return; - /* Last but not least, check a_extras[] for matches. There are no - guarantees of a particular sort order. */ + /* 最后但同样重要的是,检查 a_extras[] 中是否有匹配项。没有保证特定的排序顺序。 */ auto_changed = 1; @@ -1863,9 +1821,8 @@ static void maybe_add_auto(u8* mem, u32 len) { } - /* At this point, looks like we're dealing with a new entry. So, let's - append it if we have room. Otherwise, let's randomly evict some other - entry from the bottom half of the list. */ + /* 在这一点上,看起来我们正在处理一个新的条目。所以,如果有空间的话, + 让我们把它追加上去。否则,让我们从列表的下半部分随机驱逐其他某个条目。 */ if (a_extras_cnt < MAX_AUTO_EXTRAS) { @@ -1891,12 +1848,12 @@ static void maybe_add_auto(u8* mem, u32 len) { sort_a_extras: - /* First, sort all auto extras by use count, descending order. */ + /* 首先,按使用次数降序对所有自动附加项进行排序 */ qsort(a_extras, a_extras_cnt, sizeof(struct extra_data), compare_extras_use_d); - /* Then, sort the top USE_AUTO_EXTRAS entries by size. */ + /* 然后,按大小对最上面的USE_AUTO_EXTRAS条目进行排序 */ qsort(a_extras, MIN(USE_AUTO_EXTRAS, a_extras_cnt), sizeof(struct extra_data), compare_extras_len); @@ -1904,7 +1861,7 @@ sort_a_extras: } -/* Save automatically generated extras. */ +/* 保存自动生成的附加内容 */ static void save_auto(void) { @@ -1932,7 +1889,7 @@ static void save_auto(void) { } -/* Load automatically generated extras. */ +/* 加载自动生成的附加内容 */ static void load_auto(void) { @@ -1954,8 +1911,7 @@ static void load_auto(void) { } - /* We read one byte more to cheaply detect tokens that are too - long (and skip them). */ + /* 我们多读了一个字节,以低成本检测过长的标记(并跳过它们) */ len = read(fd, tmp, MAX_AUTO_EXTRA + 1); @@ -1975,7 +1931,7 @@ static void load_auto(void) { } -/* Destroy extras. */ +/* 销毁额外的数据 */ static void destroy_extras(void) { @@ -1994,13 +1950,12 @@ static void destroy_extras(void) { } -/* Spin up fork server (instrumented mode only). The idea is explained here: +/* 启动fork服务器(仅在插桩模式下)。这个想法在这里有解释: - http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html +http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html - In essence, the instrumentation allows us to skip execve(), and just keep - cloning a stopped child. So, we just execute once, and then send commands - through a pipe. The other part of this logic is in afl-as.h. */ +本质上,插桩允许我们跳过execve(),只需持续克隆一个已停止的子进程。 +因此,我们只需要执行一次,然后通过管道发送命令。这部分逻辑的另一部分在afl-as.h中。 */ EXP_ST void init_forkserver(char** argv) { @@ -2021,13 +1976,12 @@ EXP_ST void init_forkserver(char** argv) { struct rlimit r; - /* Umpf. On OpenBSD, the default fd limit for root users is set to - soft 128. Let's try to fix that... */ + /* 在OpenBSD上,默认的文件描述符(fd)限制对于root用户设置为软限制128。让我们尝试修复这个问题... */ if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) { r.rlim_cur = FORKSRV_FD + 2; - setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */ + setrlimit(RLIMIT_NOFILE, &r); /* 忽略错误 */ } @@ -2037,13 +1991,12 @@ EXP_ST void init_forkserver(char** argv) { #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + setrlimit(RLIMIT_AS, &r); /* 忽略错误 */ #else - /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but - according to reliable sources, RLIMIT_DATA covers anonymous - maps - so we should be getting good protection against OOM bugs. */ + /* 这考虑到了OpenBSD,它没有RLIMIT_AS,但根据可靠来源, + RLIMIT_DATA涵盖了匿名映射——因此我们应该能够很好地防止内存溢出(OOM)错误。 */ setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ @@ -2052,15 +2005,13 @@ EXP_ST void init_forkserver(char** argv) { } - /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered - before the dump is complete. */ + /* 转储核心(core dumping)是缓慢的,如果在转储完成之前发送了SIGKILL信号,可能会导致异常。 */ r.rlim_max = r.rlim_cur = 0; setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ - /* Isolate the process and configure standard descriptors. If out_file is - specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + /* 隔离进程并配置标准描述符。如果指定了out_file,那么stdin就是/dev/null;否则,会克隆out_fd。*/ setsid(); @@ -2078,7 +2029,7 @@ EXP_ST void init_forkserver(char** argv) { } - /* Set up control and status pipes, close the unneeded original fds. */ + /* 建立控制和状态管道,关闭不需要的原始文件。 */ if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed"); if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed"); @@ -2093,20 +2044,19 @@ EXP_ST void init_forkserver(char** argv) { close(dev_urandom_fd); close(fileno(plot_file)); - /* This should improve performance a bit, since it stops the linker from - doing extra work post-fork(). */ + /* 这应该会稍微提高性能,因为它阻止了链接器在fork()之后进行额外的工作。 */ if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0); - /* Set sane defaults for ASAN if nothing else specified. */ + /* 如果没有其他指定,则为ASAN设置相同的默认值。 */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" "symbolize=0:" "allocator_may_return_null=1", 0); - /* MSAN is tricky, because it doesn't support abort_on_error=1 at this - point. So, we do this in a very hacky way. */ + /* MSAN(MemorySanitizer)有点棘手,因为目前它不支持abort_on_error=1这个选项。 + 因此,我们用一种非常hacky(即临时、不正规)的方式来实现这一点。 */ setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":" "symbolize=0:" @@ -2116,15 +2066,14 @@ EXP_ST void init_forkserver(char** argv) { execv(target_path, argv); - /* Use a distinctive bitmap signature to tell the parent about execv() - falling through. */ + /* 使用一个独特的位图签名来告诉父进程execv()调用已经成功执行。*/ *(u32*)trace_bits = EXEC_FAIL_SIG; exit(0); } - /* Close the unneeded endpoints. */ + /* 关闭不需要的端点 */ close(ctl_pipe[0]); close(st_pipe[1]); @@ -2132,7 +2081,7 @@ EXP_ST void init_forkserver(char** argv) { fsrv_ctl_fd = ctl_pipe[1]; fsrv_st_fd = st_pipe[0]; - /* Wait for the fork server to come up, but don't wait too long. */ + /* 等待分叉服务器启动,但不要等待太久 */ it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000); it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000; @@ -2146,8 +2095,7 @@ EXP_ST void init_forkserver(char** argv) { setitimer(ITIMER_REAL, &it, NULL); - /* If we have a four-byte "hello" message from the server, we're all set. - Otherwise, try to figure out what went wrong. */ + /* 如果我们从服务器收到了一个四字节的'hello'消息,那么一切就绪。否则,尝试弄清楚出了什么问题。 */ if (rlen == 4) { OKF("All right - fork server is up."); @@ -2284,8 +2232,7 @@ EXP_ST void init_forkserver(char** argv) { } -/* Execute target application, monitoring for timeouts. Return status - information. The called program will update trace_bits[]. */ +/* 执行目标应用程序,监控超时情况。返回状态信息。被调用的程序将更新trace_bits[] */ static u8 run_target(char** argv, u32 timeout) { @@ -2298,17 +2245,13 @@ static u8 run_target(char** argv, u32 timeout) { child_timed_out = 0; - /* After this memset, trace_bits[] are effectively volatile, so we - must prevent any earlier operations from venturing into that - territory. */ + /* 在这次memset之后,trace_bits[]实际上变成了易失性的,因此我们必须阻止任何早期操作进入该领域。 */ memset(trace_bits, 0, MAP_SIZE); MEM_BARRIER(); - /* If we're running in "dumb" mode, we can't rely on the fork server - logic compiled into the target program, so we will just keep calling - execve(). There is a bit of code duplication between here and - init_forkserver(), but c'est la vie. */ + /* 如果我们在‘dump’模式下运行,我们不能依赖于目标程序中编译的fork服务器逻辑,所以我们将不断调用execve()。 + 这里的代码和init_forkserver()之间有一些重复,但这就是生活。 */ if (dumb_mode == 1 || no_forkserver) { @@ -2326,11 +2269,11 @@ static u8 run_target(char** argv, u32 timeout) { #ifdef RLIMIT_AS - setrlimit(RLIMIT_AS, &r); /* Ignore errors */ + setrlimit(RLIMIT_AS, &r); /* 忽略错误 */ #else - setrlimit(RLIMIT_DATA, &r); /* Ignore errors */ + setrlimit(RLIMIT_DATA, &r); /* 忽略错误 */ #endif /* ^RLIMIT_AS */ @@ -2338,10 +2281,9 @@ static u8 run_target(char** argv, u32 timeout) { r.rlim_max = r.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &r); /* Ignore errors */ + setrlimit(RLIMIT_CORE, &r); /* 忽略错误 */ - /* Isolate the process and configure standard descriptors. If out_file is - specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */ + /* 隔离进程并配置标准描述符。如果指定了out_file,那么stdin就是/dev/null;否则,将克隆out_fd。 */ setsid(); @@ -2359,14 +2301,14 @@ static u8 run_target(char** argv, u32 timeout) { } - /* On Linux, would be faster to use O_CLOEXEC. Maybe TODO. */ + /* 在Linux上,使用O_CLOEXEC会更快。也许TODO */ close(dev_null_fd); close(out_dir_fd); close(dev_urandom_fd); close(fileno(plot_file)); - /* Set sane defaults for ASAN if nothing else specified. */ + /* 如果没有其他指定,则为ASAN设置相同的默认值 */ setenv("ASAN_OPTIONS", "abort_on_error=1:" "detect_leaks=0:" @@ -2379,8 +2321,7 @@ static u8 run_target(char** argv, u32 timeout) { execv(target_path, argv); - /* Use a distinctive bitmap value to tell the parent about execv() - falling through. */ + /* 使用一个独特的位图值来告知父进程execv()调用已经顺利执行 */ *(u32*)trace_bits = EXEC_FAIL_SIG; exit(0); @@ -2391,8 +2332,7 @@ static u8 run_target(char** argv, u32 timeout) { s32 res; - /* In non-dumb mode, we have the fork server up and running, so simply - tell it to have at it, and then read back PID. */ + /* 在non-dump模式下,我们的fork服务器正在运行,所以只需告诉它开始执行,然后读取返回的PID。 */ if ((res = write(fsrv_ctl_fd, &prev_timed_out, 4)) != 4) { @@ -2412,14 +2352,14 @@ static u8 run_target(char** argv, u32 timeout) { } - /* Configure timeout, as requested by user, then wait for child to terminate. */ + /* 根据用户的要求配置超时,然后等待子进程终止 */ it.it_value.tv_sec = (timeout / 1000); it.it_value.tv_usec = (timeout % 1000) * 1000; setitimer(ITIMER_REAL, &it, NULL); - /* The SIGALRM handler simply kills the child_pid and sets child_timed_out. */ + /* SIGALRM处理程序只是终止child_pid并设置child_timed_out */ if (dumb_mode == 1 || no_forkserver) { @@ -2438,39 +2378,38 @@ static u8 run_target(char** argv, u32 timeout) { } - if (!WIFSTOPPED(status)) child_pid = 0;//这行代码检查子进程的状态。如果子进程没有被停止(即没有收到停止信号),则将child_pid变量设置为0。这通常意味着子进程已经完成执行。 + if (!WIFSTOPPED(status)) child_pid = 0; - getitimer(ITIMER_REAL, &it);//这行代码获取当前的实时定时器(ITIMER_REAL)的剩余时间,并将其存储在it结构体中。 + getitimer(ITIMER_REAL, &it); exec_ms = (u64) timeout - (it.it_value.tv_sec * 1000 + it.it_value.tv_usec / 1000); -//这行代码计算被测试程序的实际执行时间。它从预设的超时时间timeout中减去定时器剩余的时间(转换成毫秒)。这个值被存储在exec_ms中,代表执行时间,单位是毫秒。 + it.it_value.tv_sec = 0; - it.it_value.tv_usec = 0;//定时器置零 + it.it_value.tv_usec = 0; - setitimer(ITIMER_REAL, &it, NULL);//设置实时定时器,使用上面设置的0值,这意味着定时器被禁用,不会再产生超时信号。 + setitimer(ITIMER_REAL, &it, NULL); total_execs++; - /* Any subsequent operations on trace_bits must not be moved by the - compiler below this point. Past this location, trace_bits[] behave - very normally and do not have to be treated as volatile. */ + /* 编译器不能将对trace_bits的任何后续操作移动到这一点以下。 + 在这个位置之后,trace_bits[]表现得非常正常,不需要被当作易失性的处理。 */ - MEM_BARRIER();//这是一个内存屏障函数,确保前面的操作不会被编译器重排到后面的操作之后。这对于多线程程序中的内存访问顺序很重要。 + MEM_BARRIER(); - tb4 = *(u32*)trace_bits;//这行代码将trace_bits(一个用于记录被测试程序执行路径的位图数组)的前4个字节的内容读取到一个无符号32位整数tb4中。这个值可能用于后续的分析,以确定被测试程序的执行路径是否产生了新的覆盖 + tb4 = *(u32*)trace_bits; #ifdef WORD_SIZE_64 classify_counts((u64*)trace_bits); #else classify_counts((u32*)trace_bits); #endif /* ^WORD_SIZE_64 */ -//这部分代码使用宏WORD_SIZE_64来确定系统是64位还是32位。根据系统的字长,它将trace_bits转换为相应的指针类型(u64*或u32*),并调用classify_counts函数。这个函数可能用于对trace_bits中的计数数据进行分类或简化。 + prev_timed_out = child_timed_out; - /* Report outcome to caller. */ + /* 向调用者报告结果 */ if (WIFSIGNALED(status) && !stop_soon) { -//这部分代码检查子进程是否因信号而终止。如果子进程因超时被杀死(SIGKILL),则返回FAULT_TMOUT。否则,返回FAULT_CRASH表示子进程崩溃。 + kill_signal = WTERMSIG(status); if (child_timed_out && kill_signal == SIGKILL) return FAULT_TMOUT; @@ -2479,23 +2418,18 @@ static u8 run_target(char** argv, u32 timeout) { } - /* A somewhat nasty hack for MSAN, which doesn't support abort_on_error and - must use a special exit code. */ + /* 这是针对MSAN的一个有点恶劣的hack,因为MSAN不支持abort_on_error,必须使用一个特殊的退出代码。 */ if (uses_asan && WEXITSTATUS(status) == MSAN_ERROR) { - //对于使用地址sanitizer(ASAN)的程序,如果退出状态表明发生了内存错误(MSAN_ERROR),则返回FAULT_CRASH kill_signal = 0; return FAULT_CRASH; } if ((dumb_mode == 1 || no_forkserver) && tb4 == EXEC_FAIL_SIG) - //如果运行在“dumb”模式或没有使用fork服务器,且tb4的值表明执行失败,则返回FAULT_ERROR。 return FAULT_ERROR; - /* It makes sense to account for the slowest units only if the testcase was run - under the user defined timeout. */ + /* 只有在测试用例在用户定义的超时下运行时,才有必要只考虑最慢的单元 */ if (!(timeout > exec_tmout) && (slowest_exec_ms < exec_ms)) { - //如果测试用例在用户定义的超时时间内运行,并且其执行时间是目前为止最慢的,则更新slowest_exec_ms。 slowest_exec_ms = exec_ms; } @@ -2504,16 +2438,14 @@ static u8 run_target(char** argv, u32 timeout) { } -/* Write modified data to file for testing. If out_file is set, the old file - is unlinked and a new one is created. Otherwise, out_fd is rewound and - truncated. */ +/* 将修改后的数据写入文件以进行测试。如果设置了out_file,旧文件将被解除链接,并创建一个新的文件。否则,out_fd将被回卷并截断。 */ static void write_to_testcase(void* mem, u32 len) { s32 fd = out_fd; if (out_file) { -//如果指定了输出文件名(out_file),则删除旧文件并创建一个新文件。否则,将文件描述符的位置设置为文件开头。 + unlink(out_file); /* Ignore errors. */ fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); @@ -2521,7 +2453,7 @@ static void write_to_testcase(void* mem, u32 len) { if (fd < 0) PFATAL("Unable to create '%s'", out_file); } else lseek(fd, 0, SEEK_SET); -//如果没有指定输出文件名,则截断文件到指定长度并重置文件位置。如果指定了输出文件名,则关闭文件描述符。 + ck_write(fd, mem, len, out_file); if (!out_file) { @@ -2534,15 +2466,15 @@ static void write_to_testcase(void* mem, u32 len) { } -/* The same, but with an adjustable gap. Used for trimming. */ +/* 相同的,但有一个可调节的间隙。用于修剪。 */ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { -//这个函数类似于write_to_testcase,但允许在文件中跳过一段数据(skip_at和skip_len)。 + s32 fd = out_fd; u32 tail_len = len - skip_at - skip_len; if (out_file) { -//如果指定了输出文件名,则删除旧文件并创建一个新文件。否则,将文件描述符的位置设置为文件开头。 + unlink(out_file); /* Ignore errors. */ fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600); @@ -2553,10 +2485,10 @@ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { if (skip_at) ck_write(fd, mem, skip_at, out_file); - if (tail_len) ck_write(fd, mem + skip_at + skip_len, tail_len, out_file);//写入跳过部分之后的数据 + if (tail_len) ck_write(fd, mem + skip_at + skip_len, tail_len, out_file); if (!out_file) { -//如果没有指定输出文件名,则截断文件到指定长度并重置文件位置。如果指定了输出文件名,则关闭文件描述符。 + if (ftruncate(fd, len - skip_len)) PFATAL("ftruncate() failed"); lseek(fd, 0, SEEK_SET); @@ -2567,12 +2499,8 @@ static void write_with_gap(void* mem, u32 len, u32 skip_at, u32 skip_len) { static void show_stats(void); -/* Calibrate a new test case. This is done when processing the input directory - to warn about flaky or otherwise problematic test cases early on; and when - new paths are discovered to detect variable behavior and so on. */ -//start_us, stop_us; - -//保存了一些旧的状态值,以便在函数执行完毕后恢复。 +/* 校准一个新的测试用例。这在处理输入目录时完成,目的是为了提早警告 +关于不稳定或其他有问题的测试用例;以及在发现新路径时,用于检测可变行为等。 */ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, u32 handicap, u8 from_queue) { @@ -2588,67 +2516,63 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, u32 use_tmout = exec_tmout; u8* old_sn = stage_name; - /* Be a bit more generous about timeouts when resuming sessions, or when - trying to calibrate already-added finds. This helps avoid trouble due - to intermittent latency. */ -//如果是在恢复会话或校准已经添加的测试用例时,会放宽超时限制。 + /* 在恢复会话或尝试校准已经添加的发现时,对超时更加宽容一些。 + 这有助于避免由于间歇性延迟引起的问题。 */ + if (!from_queue || resuming_fuzz) use_tmout = MAX(exec_tmout + CAL_TMOUT_ADD, exec_tmout * CAL_TMOUT_PERC / 100); q->cal_failed++; -//设置当前阶段为“calibration”,并根据是否快速校准设置阶段最大值。 + stage_name = "calibration"; stage_max = fast_cal ? 3 : CAL_CYCLES; - /* Make sure the forkserver is up before we do anything, and let's not - count its spin-up time toward binary calibration. */ -//如果没有运行在“dumb”模式,并且没有使用fork服务器,那么初始化fork服务器。 + /* 在我们做任何事情之前,确保fork服务器已经启动,并且我们不将其启动时间计入二进制校准。 */ + if (dumb_mode != 1 && !no_forkserver && !forksrv_pid) init_forkserver(argv); if (q->exec_cksum) { -//如果队列条目已经有执行校验和,那么将第一次执行的trace bits复制到first_trace。 + memcpy(first_trace, trace_bits, MAP_SIZE); hnb = has_new_bits(virgin_bits); if (hnb > new_bits) new_bits = hnb; } - start_us = get_cur_time_us();//计时 + start_us = get_cur_time_us(); for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { u32 cksum; if (!first_run && !(stage_cur % stats_update_freq)) show_stats(); -//如果不是第一次运行并且到了更新频率,显示统计信息。 - write_to_testcase(use_mem, q->len);//将测试用例数据写入文件。 - fault = run_target(argv, use_tmout);//运行目标程序并获取执行结果。 + write_to_testcase(use_mem, q->len); + + fault = run_target(argv, use_tmout); - /* stop_soon is set by the handler for Ctrl+C. When it's pressed, - we want to bail out quickly. */ + /* 如果按下Ctrl+C,stop_soon会被设置,我们希望快速退出。 */ - if (stop_soon || fault != crash_mode) goto abort_calibration;//如果用户请求停止或者执行结果不是崩溃模式,则跳到校准中止。 + if (stop_soon || fault != crash_mode) goto abort_calibration; if (!dumb_mode && !stage_cur && !count_bytes(trace_bits)) { - //如果不是“dumb”模式,并且是第一次校准,并且没有新的代码覆盖,则设置错误为FAULT_NOINST并跳到校准中止。 fault = FAULT_NOINST; goto abort_calibration; } - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST);//计算当前trace bits的哈希值,并与队列条目的执行校验和比较。 + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); if (q->exec_cksum != cksum) { -//如果有新的bits被设置,则更新new_bits。 + hnb = has_new_bits(virgin_bits); if (hnb > new_bits) new_bits = hnb; - if (q->exec_cksum) {//如果队列条目之前有执行校验和,则检查变量字节。 + if (q->exec_cksum) { u32 i; - //对于每个不同的字节,将其标记为变量字节,并增加校准周期。 + for (i = 0; i < MAP_SIZE; i++) { if (!var_bytes[i] && first_trace[i] != trace_bits[i]) { @@ -2661,7 +2585,7 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, } var_detected = 1; - //如果队列条目之前没有执行校验和,则更新其执行校验和并复制当前trace bits。 + } else { q->exec_cksum = cksum; @@ -2675,39 +2599,38 @@ static u8 calibrate_case(char** argv, struct queue_entry* q, u8* use_mem, stop_us = get_cur_time_us(); - total_cal_us += stop_us - start_us;//更新总校准时间和周期。 + total_cal_us += stop_us - start_us; total_cal_cycles += stage_max; - /* OK, let's collect some stats about the performance of this test case. - This is used for fuzzing air time calculations in calculate_score(). */ -//更新队列条目的执行时间、位图大小和校准失败计数。 + /* 好的,我们来收集一些关于这个测试用例性能的统计数据。 + 这将用于在calculate_score()中计算模糊测试的时间。 */ + q->exec_us = (stop_us - start_us) / stage_max; q->bitmap_size = count_bytes(trace_bits); q->handicap = handicap; q->cal_failed = 0; - total_bitmap_size += q->bitmap_size;//更新总位图大小和条目数 + total_bitmap_size += q->bitmap_size; total_bitmap_entries++; update_bitmap_score(q); - /* If this case didn't result in new output from the instrumentation, tell - parent. This is a non-critical problem, but something to warn the user - about. */ + /* 如果这个案例没有产生新的来自插桩的输出,告诉父进程。 + 这是一个非关键性问题,但值得警告用户。 */ if (!dumb_mode && first_run && !fault && !new_bits) fault = FAULT_NOBITS; abort_calibration: -//如果有新的bits被设置并且队列条目之前没有新覆盖,则更新队列条目的新覆盖标志。 + if (new_bits == 2 && !q->has_new_cov) { q->has_new_cov = 1; queued_with_cov++; } - /* Mark variable paths. */ + /* 标记可变路径。 */ if (var_detected) { -//如果检测到变量行为,则标记队列条目。 + var_byte_count = count_bytes(var_bytes); if (!q->var_behavior) { @@ -2716,27 +2639,22 @@ abort_calibration: } } -//恢复旧的状态值。 + stage_name = old_sn; stage_cur = old_sc; stage_max = old_sm; - if (!first_run) show_stats();//如果校准中止,则跳到函数末尾。 + if (!first_run) show_stats(); return fault; } -/* Examine map coverage. Called once, for first test case. */ +/* 检查地图覆盖率。为第一个测试用例调用一次。 */ static void check_map_coverage(void) { -/* -这个函数检查映射覆盖率是否足够。如果映射中被设置的字节数少于100,则函数直接返回。 -然后,它检查映射的后半部分是否有任何被设置的位。如果没有,这意味着测试用例只触发了 -映射的前半部分,这可能意味着二进制文件需要重新编译以获得更好的覆盖率。在这种情况下 -,它会打印一条警告消息。 -*/ + u32 i; if (count_bytes(trace_bits) < 100) return; @@ -2749,8 +2667,7 @@ static void check_map_coverage(void) { } -/* Perform dry run of all test cases to confirm that the app is working as - expected. This is done only for the initial inputs, and only once. */ +/* 对所有测试用例执行一次不实际执行的预运行,以确认应用程序按预期工作。这只针对初始输入进行,并且只执行一次。 */ static void perform_dry_run(char** argv) { @@ -2765,20 +2682,20 @@ static void perform_dry_run(char** argv) { s32 fd; u8* fn = strrchr(q->fname, '/') + 1; -//打开并读取测试用例文件。 + ACTF("Attempting dry run with '%s'...", fn); fd = open(q->fname, O_RDONLY); if (fd < 0) PFATAL("Unable to open '%s'", q->fname); - use_mem = ck_alloc_nozero(q->len);////分配内存并读取测试用例数据。 + use_mem = ck_alloc_nozero(q->len); if (read(fd, use_mem, q->len) != q->len) FATAL("Short read from '%s'", q->fname); close(fd); - res = calibrate_case(argv, q, use_mem, 0, 1);//调用calibrate_case函数来校准测试用例。 + res = calibrate_case(argv, q, use_mem, 0, 1); ck_free(use_mem); if (stop_soon) return; @@ -2801,9 +2718,7 @@ static void perform_dry_run(char** argv) { if (timeout_given) { - /* The -t nn+ syntax in the command line sets timeout_given to '2' and - instructs afl-fuzz to tolerate but skip queue entries that time - out. */ + /* 命令行中的 -t nn+ 语法将 timeout_given 设置为 '2',并且指示 afl-fuzz 容忍但跳过超时的队列条目。 */ if (timeout_given > 1) { WARNF("Test case results in a timeout (skipping)"); @@ -2861,15 +2776,6 @@ static void perform_dry_run(char** argv) { " it to die due to OOM when parsing valid files. To fix this, try\n" " bumping it up with the -m setting in the command line. If in doubt,\n" " try something along the lines of:\n\n" -/* -根据校准结果,执行不同的操作: - - 如果测试用例没有引起崩溃,并且不是在寻找崩溃的模式下运行,则检查映射覆盖率。 - 如果测试用例导致超时,根据timeout_given变量的值,可能跳过该测试用例或报告错误。 - 如果测试用例导致崩溃,根据crash_mode变量的值和环境变量AFL_SKIP_CRASHES,可能跳过该测试用例或报告错误。 - -*/ - #ifdef RLIMIT_AS " ( ulimit -Sv $[%llu << 10]; /path/to/binary [...] fname; else rsl++; - /* If the original file name conforms to the syntax and the recorded - ID matches the one we'd assign, just use the original file name. - This is valuable for resuming fuzzing runs. */ + /* 如果原始文件名符合语法,并且记录的ID与我们要分配的ID匹配,就直接使用原始文件名。这对于恢复模糊测试运行非常有价值。 */ #ifndef SIMPLE_FILES # define CASE_PREFIX "id:" @@ -3031,8 +2934,7 @@ static void pivot_inputs(void) { resuming_fuzz = 1; nfn = alloc_printf("%s/queue/%s", out_dir, rsl); - /* Since we're at it, let's also try to find parent and figure out the - appropriate depth for this entry. */ + /* 既然我们已经在做了,让我们也尝试找到父项,并确定这个条目的适当深度。 */ src_str = strchr(rsl + 3, ':'); @@ -3048,8 +2950,7 @@ static void pivot_inputs(void) { } else { - /* No dice - invent a new name, capturing the original one as a - substring. */ + /* 没有成功 - 创建一个新名字,并将原始名字作为子字符串包含在内。 */ #ifndef SIMPLE_FILES @@ -3066,13 +2967,13 @@ static void pivot_inputs(void) { } - /* Pivot to the new queue entry. */ + /* 转向新的队列条目。 */ link_or_copy(q->fname, nfn); ck_free(q->fname); q->fname = nfn; - /* Make sure that the passed_det value carries over, too. */ + /* 确保passd_det值也被传递。 */ if (q->passed_det) mark_as_det_done(q); @@ -3088,8 +2989,7 @@ static void pivot_inputs(void) { #ifndef SIMPLE_FILES -/* Construct a file name for a new test case, capturing the operation - that led to its discovery. Uses a static buffer. */ +/* 为新测试用例构造一个包含导致其被发现的操作的文件名。使用一个静态缓冲区。 */ static u8* describe_op(u8 hnb) { @@ -3130,7 +3030,7 @@ static u8* describe_op(u8 hnb) { #endif /* !SIMPLE_FILES */ -/* Write a message accompanying the crash directory :-) */ +/* 为崩溃目录写一个伴随消息:-) */ static void write_crash_readme(void) { @@ -3141,7 +3041,7 @@ static void write_crash_readme(void) { fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); ck_free(fn); - /* Do not die on errors here - that would be impolite. */ + /* 不要死于错误——那是不礼貌的 */ if (fd < 0) return; @@ -3177,9 +3077,8 @@ static void write_crash_readme(void) { } -/* Check if the result of an execve() during routine fuzzing is interesting, - save or queue the input test case for further analysis if so. Returns 1 if - entry is saved, 0 otherwise. */ +/* 检查在常规模糊测试期间的execve()结果是否有趣,如果有趣,则保存 +或将输入测试用例排队以进行进一步分析。如果条目被保存,则返回1,否则返回0。 */ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { @@ -3190,8 +3089,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { if (fault == crash_mode) { - /* Keep only if there are new bits in the map, add to queue for - future fuzzing, etc. */ + /* 仅当映射中有新的位时才保留,将其添加到队列中以供将来的模糊测试等。 */ if (!(hnb = has_new_bits(virgin_bits))) { if (crash_mode) total_crashes++; @@ -3218,8 +3116,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { queue_top->exec_cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - /* Try to calibrate inline; this also calls update_bitmap_score() when - successful. */ + /* 尝试进行内联校准;成功时也会调用update_bitmap_score()。 */ res = calibrate_case(argv, queue_top, mem, queue_cycle - 1, 0); @@ -3239,10 +3136,8 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { case FAULT_TMOUT: - /* Timeouts are not very interesting, but we're still obliged to keep - a handful of samples. We use the presence of new bits in the - hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we - just keep everything. */ + /* 超时并不是很有趣的情况,但我们仍然需要保留一些样本。我们使用在特定挂起的 + 位图中出现的新位作为独特性的信号。在“哑”模式下,我们只是保留所有内容。 */ total_tmouts++; @@ -3262,9 +3157,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { unique_tmouts++; - /* Before saving, we make sure that it's a genuine hang by re-running - the target with a more generous timeout (unless the default timeout - is already generous). */ + /* 在保存之前,我们通过使用更宽裕的超时时间重新运行目标程序来确保这是一个真正的挂起(除非默认的超时时间已经足够宽裕)。*/ if (exec_tmout < hang_tmout) { @@ -3272,9 +3165,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { write_to_testcase(mem, len); new_fault = run_target(argv, hang_tmout); - /* A corner case that one user reported bumping into: increasing the - timeout actually uncovers a crash. Make sure we don't discard it if - so. */ + /* 一个用户报告的特殊情况:增加超时时间实际上揭示了一个崩溃。确保如果出现这种情况,我们不会丢弃它。 */ if (!stop_soon && new_fault == FAULT_CRASH) goto keep_as_crash; @@ -3304,9 +3195,7 @@ static u8 save_if_interesting(char** argv, void* mem, u32 len, u8 fault) { keep_as_crash: - /* This is handled in a manner roughly similar to timeouts, - except for slightly different limits and no need to re-run test - cases. */ + /* 这与处理超时的方式大致相似,只是限制略有不同,并且不需要重新运行测试用例。 */ total_crashes++; @@ -3351,8 +3240,7 @@ keep_as_crash: } - /* If we're here, we apparently want to save the crash or hang - test case, too. */ + /* 如果我们在这里,显然我们也想要保存崩溃或挂起的测试用例。 */ fd = open(fn, O_WRONLY | O_CREAT | O_EXCL, 0600); if (fd < 0) PFATAL("Unable to create '%s'", fn); @@ -3366,12 +3254,11 @@ keep_as_crash: } -/* When resuming, try to find the queue position to start from. This makes sense - only when resuming, and when we can find the original fuzzer_stats. */ +/* 在恢复时,尝试找到开始的队列位置。这只在恢复时有意义,并且当我们能找到原始的fuzzer_stats时。 */ static u32 find_start_position(void) { - static u8 tmp[4096]; /* Ought to be enough for anybody. */ + static u8 tmp[4096]; /* 对任何人来说都足够了 */ u8 *fn, *off; s32 fd, i; @@ -3400,13 +3287,11 @@ static u32 find_start_position(void) { } -/* The same, but for timeouts. The idea is that when resuming sessions without - -t given, we don't want to keep auto-scaling the timeout over and over - again to prevent it from growing due to random flukes. */ +/* 同样,但针对超时情况。想法是在没有给定-t参数的情况下恢复会话时,我们不想一遍又一遍地自动调整超时时间,以防止它因为随机的异常而不断增长。 */ static void find_timeout(void) { - static u8 tmp[4096]; /* Ought to be enough for anybody. */ + static u8 tmp[4096]; /* 对任何人来说都足够了 */ u8 *fn, *off; s32 fd, i; @@ -3437,7 +3322,7 @@ static void find_timeout(void) { } -/* Update stats file for unattended monitoring. */ +/* 更新无人值守监控的统计文件 */ static void write_stats_file(double bitmap_cvg, double stability, double eps) { @@ -3458,8 +3343,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { if (!f) PFATAL("fdopen() failed"); - /* Keep last values in case we're called from another context - where exec/sec stats and such are not readily available. */ + /* 保留最后的值,以防我们被调用到另一个上下文中,那里每秒执行次数的统计数据等并不立即可用。 */ if (!bitmap_cvg && !stability && !eps) { bitmap_cvg = last_bcvg; @@ -3482,7 +3366,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { "paths_found : %u\n" "paths_imported : %u\n" "max_depth : %u\n" - "cur_path : %u\n" /* Must match find_start_position() */ + "cur_path : %u\n" /* 必须匹配find_start_position() */ "pending_favs : %u\n" "pending_total : %u\n" "variable_paths : %u\n" @@ -3494,7 +3378,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { "last_crash : %llu\n" "last_hang : %llu\n" "execs_since_crash : %llu\n" - "exec_timeout : %u\n" /* Must match find_timeout() */ + "exec_timeout : %u\n" /* 必须匹配find_timeout() */ "afl_banner : %s\n" "afl_version : " VERSION "\n" "target_mode : %s%s%s%s%s%s%s\n" @@ -3516,9 +3400,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { orig_cmdline, slowest_exec_ms); /* ignore errors */ - /* Get rss value from the children - We must have killed the forkserver process and called waitpid - before calling getrusage */ + /* 从子进程中获取rss值。在调用getrusage之前,我们必须已经杀死了fork服务器进程并调用了waitpid。 */ if (getrusage(RUSAGE_CHILDREN, &usage)) { WARNF("getrusage failed"); } else if (usage.ru_maxrss == 0) { @@ -3536,7 +3418,7 @@ static void write_stats_file(double bitmap_cvg, double stability, double eps) { } -/* Update the plot file if there is a reason to. */ +/* 如果有必要,请更新情节文件。 */ static void maybe_update_plot_file(double bitmap_cvg, double eps) { @@ -3557,7 +3439,7 @@ static void maybe_update_plot_file(double bitmap_cvg, double eps) { prev_uh = unique_hangs; prev_md = max_depth; - /* Fields in the file: + /* 文件中的字段包括:: unix_time, cycles_done, cur_path, paths_total, paths_not_fuzzed, favored_not_fuzzed, unique_crashes, unique_hangs, max_depth, @@ -3575,8 +3457,7 @@ static void maybe_update_plot_file(double bitmap_cvg, double eps) { -/* A helper function for maybe_delete_out_dir(), deleting all prefixed - files in a directory. */ +/* maybe_delete_out_dir()的辅助函数,用于删除目录中所有具有特定前缀的文件 */ static u8 delete_files(u8* path, u8* prefix) { @@ -3607,7 +3488,7 @@ static u8 delete_files(u8* path, u8* prefix) { } -/* Get the number of runnable processes, with some simple smoothing. */ +/* 通过一些简单的平滑,获得可运行进程的数量。 */ static double get_runnable_processes(void) { @@ -3615,17 +3496,13 @@ static double get_runnable_processes(void) { #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - /* I don't see any portable sysctl or so that would quickly give us the - number of runnable processes; the 1-minute load average can be a - semi-decent approximation, though. */ + /*我没有看到任何可移植的sysctl命令或其他工具可以快速给出可运行进程的数量;不过,1分钟负载平均值可以作为一个半像样的近似值。 */ if (getloadavg(&res, 1) != 1) return 0; #else - /* On Linux, /proc/stat is probably the best way; load averages are - computed in funny ways and sometimes don't reflect extremely short-lived - processes well. */ + /* 在Linux上,/proc/stat可能是最佳方式;负载平均值的计算方式有些奇特,有时不能很好地反映非常短暂的进程。 */ FILE* f = fopen("/proc/stat", "r"); u8 tmp[1024]; @@ -3660,7 +3537,7 @@ static double get_runnable_processes(void) { } -/* Delete the temporary directory used for in-place session resume. */ +/* 删除用于就地恢复会话的临时目录。*/ static void nuke_resume_dir(void) { @@ -3699,17 +3576,14 @@ dir_cleanup_failed: } -/* Delete fuzzer output directory if we recognize it as ours, if the fuzzer - is not currently running, and if the last run time isn't too great. */ +/* 如果识别输出目录为我们的,并且fuzzer当前没有在运行,以及上次运行时间不是很长,就删除fuzzer的输出目录。 */ static void maybe_delete_out_dir(void) { FILE* f; u8 *fn = alloc_printf("%s/fuzzer_stats", out_dir); - /* See if the output directory is locked. If yes, bail out. If not, - create a lock that will persist for the lifetime of the process - (this requires leaving the descriptor open).*/ + /* 检查输出目录是否被锁定。如果是,就退出。如果不是,创建一个在进程生命周期内持续存在的锁(这需要保持描述符打开)。*/ out_dir_fd = open(out_dir, O_RDONLY); if (out_dir_fd < 0) PFATAL("Unable to open '%s'", out_dir); @@ -3742,7 +3616,7 @@ static void maybe_delete_out_dir(void) { fclose(f); - /* Let's see how much work is at stake. */ + /* 让我们看看有多少工作要做 */ if (!in_place_resume && last_update - start_time > OUTPUT_GRACE * 60) { @@ -3764,11 +3638,9 @@ static void maybe_delete_out_dir(void) { ck_free(fn); - /* The idea for in-place resume is pretty simple: we temporarily move the old - queue/ to a new location that gets deleted once import to the new queue/ - is finished. If _resume/ already exists, the current queue/ may be - incomplete due to an earlier abort, so we want to use the old _resume/ - dir instead, and we let rename() fail silently. */ + /* 就地恢复的想法非常简单:我们暂时将旧的queue/移动到一个新位置, + 一旦导入到新queue/完成,这个新位置就会被删除。如果_resume/已经存在, + 当前的queue/可能因为之前的中断而不完整,所以我们想使用旧的_resume/目录,我们让rename()默默失败。 */ if (in_place_resume) { @@ -3790,8 +3662,7 @@ static void maybe_delete_out_dir(void) { ACTF("Deleting old session data..."); - /* Okay, let's get the ball rolling! First, we need to get rid of the entries - in /.synced/.../id:*, if any are present. */ + /* 好的,让我们开始吧!首先,如果存在,我们需要清除/.synced/.../id:*中的条目。 */ if (!in_place_resume) { @@ -3801,7 +3672,7 @@ static void maybe_delete_out_dir(void) { } - /* Next, we need to clean up /queue/.state/ subdirectories: */ + /* 接下来,我们需要清理 /queue/.state/ 子目录: */ fn = alloc_printf("%s/queue/.state/deterministic_done", out_dir); if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; @@ -3819,8 +3690,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* Then, get rid of the .state subdirectory itself (should be empty by now) - and everything matching /queue/id:*. */ + /* 然后,删除 .state 子目录本身(现在应该已经为空),以及所有匹配 /queue/id:* 的内容。 */ fn = alloc_printf("%s/queue/.state", out_dir); if (rmdir(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -3830,7 +3700,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* All right, let's do /crashes/id:* and /hangs/id:*. */ + /* 好的,让我们处理 /crashes/id:* 和 /hangs/id:* */ if (!in_place_resume) { @@ -3842,8 +3712,7 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/crashes", out_dir); - /* Make backup of the crashes directory if it's not empty and if we're - doing in-place resume. */ + /* 如果在进行就地恢复,并且crashes目录不为空,则备份该目录。 */ if (in_place_resume && rmdir(fn)) { @@ -3874,7 +3743,7 @@ static void maybe_delete_out_dir(void) { fn = alloc_printf("%s/hangs", out_dir); - /* Backup hangs, too. */ + /* 备份也挂起了 */ if (in_place_resume && rmdir(fn)) { @@ -3903,7 +3772,7 @@ static void maybe_delete_out_dir(void) { if (delete_files(fn, CASE_PREFIX)) goto dir_cleanup_failed; ck_free(fn); - /* And now, for some finishing touches. */ + /* 现在,做一些收尾工作 */ fn = alloc_printf("%s/.cur_input", out_dir); if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed; @@ -3925,7 +3794,7 @@ static void maybe_delete_out_dir(void) { OKF("Output dir cleanup successful."); - /* Wow... is that all? If yes, celebrate! */ + /* 哇……就这些吗?如果是,那就庆祝吧! */ return; @@ -3948,8 +3817,7 @@ dir_cleanup_failed: static void check_term_size(void); -/* A spiffy retro stats screen! This is called every stats_update_freq - execve() calls, plus in several other circumstances. */ +/* 一个时髦的复古统计屏幕!这在每stats_update_freq次execve()调用时被调用,以及在其他几种情况下。 */ static void show_stats(void) { @@ -3965,15 +3833,15 @@ static void show_stats(void) { cur_ms = get_cur_time(); - /* If not enough time has passed since last UI update, bail out. */ + /* 如果上次UI更新后没有经过足够的时间,就退出。 */ if (cur_ms - last_ms < 1000 / UI_TARGET_HZ) return; - /* Check if we're past the 10 minute mark. */ + /* 检查我们是否过了10分钟。 */ if (cur_ms - start_time > 10 * 60 * 1000) run_over10m = 1; - /* Calculate smoothed exec speed stats. */ + /* 计算平滑执行速度统计。 */ if (!last_execs) { @@ -3984,8 +3852,7 @@ static void show_stats(void) { double cur_avg = ((double)(total_execs - last_execs)) * 1000 / (cur_ms - last_ms); - /* If there is a dramatic (5x+) jump in speed, reset the indicator - more quickly. */ + /* 如果速度有显著(超过5倍)的提升,那么更快速地重置指示器。 */ if (cur_avg * 5 < avg_exec || cur_avg / 5 > avg_exec) avg_exec = cur_avg; @@ -3998,12 +3865,12 @@ static void show_stats(void) { last_ms = cur_ms; last_execs = total_execs; - /* Tell the callers when to contact us (as measured in execs). */ + /* 告诉来电者何时与我们联系(以高管为衡量标准) */ stats_update_freq = avg_exec / (UI_TARGET_HZ * 10); if (!stats_update_freq) stats_update_freq = 1; - /* Do some bitmap stats. */ + /* 做一些位图统计 */ t_bytes = count_non_255_bytes(virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / MAP_SIZE; @@ -4013,7 +3880,7 @@ static void show_stats(void) { else stab_ratio = 100; - /* Roughly every minute, update fuzzer stats and save auto tokens. */ + /* 大约每分钟更新fuzzer统计数据并保存自动标记。 */ if (cur_ms - last_stats_ms > STATS_UPDATE_SEC * 1000) { @@ -4024,7 +3891,7 @@ static void show_stats(void) { } - /* Every now and then, write plot data. */ + /* 每隔一段时间,写一些情节数据。 */ if (cur_ms - last_plot_ms > PLOT_UPDATE_SEC * 1000) { @@ -4033,22 +3900,22 @@ static void show_stats(void) { } - /* Honor AFL_EXIT_WHEN_DONE and AFL_BENCH_UNTIL_CRASH. */ + /* 尊重AFL_EXIT_WHEN_DONE和AFL_BENCH_UNTIL_CRASH。 */ if (!dumb_mode && cycles_wo_finds > 100 && !pending_not_fuzzed && getenv("AFL_EXIT_WHEN_DONE")) stop_soon = 2; if (total_crashes && getenv("AFL_BENCH_UNTIL_CRASH")) stop_soon = 2; - /* If we're not on TTY, bail out. */ + /* 如果我们不在TTY(终端)上,就退出。 */ if (not_on_tty) return; - /* Compute some mildly useful bitmap stats. */ + /* 计算一些稍微有用的位图统计。 */ t_bits = (MAP_SIZE << 3) - count_bits(virgin_bits); - /* Now, for the visuals... */ + /* 现在,对于视觉效果… */ if (clear_screen) { @@ -4070,7 +3937,7 @@ static void show_stats(void) { } - /* Let's start by drawing a centered banner. */ + /* 让我们从绘制居中横幅开始。*/ banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner); banner_pad = (80 - banner_len) / 2; @@ -4082,7 +3949,7 @@ static void show_stats(void) { SAYF("\n%s\n\n", tmp); - /* "Handy" shortcuts for drawing boxes... */ + /* "Handy" 快捷键绘制框… */ #define bSTG bSTART cGRA #define bH2 bH bH @@ -4107,17 +3974,17 @@ static void show_stats(void) { u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60; - /* First queue cycle: don't stop now! */ + /* 第一个排队周期:现在不要停下来! */ if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else - /* Subsequent cycles, but we're still making finds. */ + /* 在后续的测试周期中,但我们仍在发现新问题。 */ if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else - /* No finds for a long time and no test cases to try. */ + /* 很长一段时间没有发现,也没有测试用例可以尝试。 */ if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120) strcpy(tmp, cLGN); - /* Default: cautiously OK to stop? */ + /* 默认情况:谨慎地询问是否可以停止? */ else strcpy(tmp, cLBL); } @@ -4126,8 +3993,7 @@ static void show_stats(void) { " cycles done : %s%-5s " bSTG bV "\n", DTD(cur_ms, start_time), tmp, DI(queue_cycle - 1)); - /* We want to warn people about not seeing new paths after a full cycle, - except when resuming fuzzing or running in non-instrumented mode. */ + /* 我们想要警告人们,在完成一个完整周期后没有看到新路径的情况,除非是在恢复模糊测试或在非插桩模式下运行。 */ if (!dumb_mode && (last_path_time || resuming_fuzz || queue_cycle == 1 || in_bitmap || crash_mode)) { @@ -4152,8 +4018,7 @@ static void show_stats(void) { SAYF(bSTG bV bSTOP " total paths : " cRST "%-5s " bSTG bV "\n", DI(queued_paths)); - /* Highlight crashes in red if found, denote going over the KEEP_UNIQUE_CRASH - limit with a '+' appended to the count. */ + /* 如果在发现崩溃时用红色高亮显示,并在超过KEEP_UNIQUE_CRASH限制时,在计数后追加一个'+'符号来表示。*/ sprintf(tmp, "%s%s", DI(unique_crashes), (unique_crashes >= KEEP_UNIQUE_CRASH) ? "+" : ""); @@ -4173,9 +4038,8 @@ static void show_stats(void) { SAYF(bVR bH bSTOP cCYA " cycle progress " bSTG bH20 bHB bH bSTOP cCYA " map coverage " bSTG bH bHT bH20 bH2 bH bVL "\n"); - /* This gets funny because we want to print several variable-length variables - together, but then cram them into a fixed-width field - so we need to - put them in a temporary buffer first. */ + /* 这有点有趣,因为我们想要一起打印几个可变长度的变量,但随后又想将它们 + 塞进一个固定宽度的字段——所以我们需要先将它们放入一个临时缓冲区。*/ sprintf(tmp, "%s%s (%0.02f%%)", DI(current_entry), queue_cur->favored ? "" : "*", @@ -4205,7 +4069,7 @@ static void show_stats(void) { sprintf(tmp, "%s (%0.02f%%)", DI(queued_favored), ((double)queued_favored) * 100 / queued_paths); - /* Yeah... it's still going on... halp? */ + /* 是的……它还在继续……帮忙? */ SAYF(bV bSTOP " now trying : " cRST "%-21s " bSTG bV bSTOP " favored paths : " cRST "%-22s " bSTG bV "\n", stage_name, tmp); @@ -4245,7 +4109,7 @@ static void show_stats(void) { } - /* Show a warning about slow execution. */ + /* 显示关于缓慢执行的警告。 */ if (avg_exec < 100) { @@ -4266,7 +4130,7 @@ static void show_stats(void) { SAYF (bSTG bV bSTOP " total tmouts : " cRST "%-22s " bSTG bV "\n", tmp); - /* Aaaalmost there... hold on! */ + /* Aaaalmost那里……坚持住! */ SAYF(bVR bH cCYA bSTOP " fuzzing strategy yields " bSTG bH10 bH bHT bH10 bH5 bHB bH bSTOP cCYA " path geometry " bSTG bH5 bH2 bH bVL "\n"); @@ -4371,7 +4235,7 @@ static void show_stats(void) { SAYF(bV bSTOP " trim : " cRST "%-37s " bSTG bVR bH20 bH2 bH2 bRB "\n" bLB bH30 bH20 bH2 bH bRB bSTOP cRST RESET_G1, tmp); - /* Provide some CPU utilization stats. */ + /* 提供一些CPU利用率统计信息。 */ if (cpu_core_count) { @@ -4380,12 +4244,12 @@ static void show_stats(void) { u8* cpu_color = cCYA; - /* If we could still run one or more processes, use green. */ + /* 如果我们仍然可以运行一个或多个进程,则使用绿色。 */ if (cpu_core_count > 1 && cur_runnable + 1 <= cpu_core_count) cpu_color = cLGN; - /* If we're clearly oversubscribed, use red. */ + /* 如果我们明显超额认购,就用红色。 */ if (!no_cpu_meter_red && cur_utilization >= 150) cpu_color = cLRD; @@ -4420,46 +4284,45 @@ static void show_stats(void) { } -/* 在处理输入目录后显示初始化统计信息 */ +/* 在处理完输入目录后显示快速统计信息,以及一堆警告。一些校准内容也 +最终放在这里,连同几个硬编码的常数。也许最终会清理一下。 */ + static void show_init_stats(void) { - struct queue_entry* q = queue; // 队列的当前元素 - u32 min_bits = 0, max_bits = 0; // 最小和最大位图大小 - u64 min_us = 0, max_us = 0; // 最小和最大执行时间(微秒) - u64 avg_us = 0; // 平均执行时间 - u32 max_len = 0; // 最大测试用例长度 + struct queue_entry* q = queue; + u32 min_bits = 0, max_bits = 0; + u64 min_us = 0, max_us = 0; + u64 avg_us = 0; + u32 max_len = 0; - // 如果有校准周期,计算平均执行时间 if (total_cal_cycles) avg_us = total_cal_us / total_cal_cycles; - // 遍历队列,找到最小和最大位图大小、执行时间和测试用例长度 while (q) { - + if (!min_us || q->exec_us < min_us) min_us = q->exec_us; if (q->exec_us > max_us) max_us = q->exec_us; - + if (!min_bits || q->bitmap_size < min_bits) min_bits = q->bitmap_size; if (q->bitmap_size > max_bits) max_bits = q->bitmap_size; - + if (q->len > max_len) max_len = q->len; - - q = q->next; // 移动到下一个队列元素 - + + q = q->next; + } SAYF("\n"); - // 如果平均执行时间较长,给出警告并调整havoc_div的值 if (avg_us > (qemu_mode ? 50000 : 10000)) WARNF(cLRD "The target binary is pretty slow! See %s/perf_tips.txt.", doc_path); - // 如果平均执行时间超过特定阈值,调整havoc_div的值 + /* 让我们继续使用慢二进制代码。 */ + if (avg_us > 50000) havoc_div = 10; /* 0-19 execs/sec */ else if (avg_us > 20000) havoc_div = 5; /* 20-49 execs/sec */ else if (avg_us > 10000) havoc_div = 2; /* 50-100 execs/sec */ - // 如果不是从会话中恢复,给出一些警告 if (!resuming_fuzz) { if (max_len > 50 * 1024) @@ -4479,7 +4342,6 @@ static void show_init_stats(void) { } - // 显示统计信息 OKF("Here are some useful stats:\n\n" cGRA " Test case count : " cRST "%u favored, %u variable, %u total\n" @@ -4489,21 +4351,21 @@ static void show_init_stats(void) { ((double)total_bitmap_size) / (total_bitmap_entries ? total_bitmap_entries : 1), DI(min_us), DI(max_us), DI(avg_us)); - // 如果没有指定超时时间,计算一个合适的超时时间 if (!timeout_given) { - /* Figure out the appropriate timeout. The basic idea is: 5x average or - 1x max, rounded up to EXEC_TM_ROUND ms and capped at 1 second. */ - + /* 确定合适的超时时间。基本思路是:5倍的平均值或者1倍的最大值,四舍五入到EXEC_TM_ROUND毫秒,并限制在1秒内。 + +如果程序运行缓慢,乘数会降低到2倍或3倍,因为随机调度抖动不太可能有任何影响,而且我们的耐心正在逐渐减少=) */ + if (avg_us > 50000) exec_tmout = avg_us * 2 / 1000; else if (avg_us > 10000) exec_tmout = avg_us * 3 / 1000; else exec_tmout = avg_us * 5 / 1000; - + exec_tmout = MAX(exec_tmout, max_us / 1000); exec_tmout = (exec_tmout + EXEC_TM_ROUND) / EXEC_TM_ROUND * EXEC_TM_ROUND; - + if (exec_tmout > EXEC_TIMEOUT) exec_tmout = EXEC_TIMEOUT; - + ACTF("No -t option specified, so I'll use exec timeout of %u ms.", exec_tmout); @@ -4515,9 +4377,8 @@ static void show_init_stats(void) { } - /* In dumb mode, re-running every timing out test case with a generous time - limit is very expensive, so let's select a more conservative default. */ - + /* 在dump模式下,用宽裕的时间限制重新运行每个超时的测试用例代价很高,因此我们选择一个更保守的默认值。 */ + if (dumb_mode && !getenv("AFL_HANG_TMOUT")) hang_tmout = MIN(EXEC_TIMEOUT, exec_tmout * 2 + 100); @@ -4525,7 +4386,10 @@ static void show_init_stats(void) { } -/* 找到大于或等于val的最小的2的幂次方(假设val小于2^31) */ + +/* 求大于等于val的2的第一次幂(假设val小于 + 2^31). */ + static u32 next_p2(u32 val) { u32 ret = 1; @@ -4535,203 +4399,224 @@ static u32 next_p2(u32 val) { } +/* 在进行确定性检查时,修剪所有新的测试用例以节省周期。修剪器使用二的幂次方增加 +量,范围在文件大小的1/16到1/1024之间,以保持这个阶段简短而高效。 */ -// 对输入案例进行修剪,尝试移除部分输入数据,看是否会影响程序的执行路径。 static u8 trim_case(char** argv, struct queue_entry* q, u8* in_buf) { - static u8 tmp[64]; // 临时缓冲区 - static u8 clean_trace[MAP_SIZE]; // 用于存储清理后的执行路径 - u8 needs_write = 0, fault = 0; // 标记是否需要写入和是否出现故障 - u32 trim_exec = 0; // 修剪执行次数 - u32 remove_len; // 要移除的长度 - u32 len_p2; // 长度的下一个2的幂次 + static u8 tmp[64]; + static u8 clean_trace[MAP_SIZE]; + + u8 needs_write = 0, fault = 0; + u32 trim_exec = 0; + u32 remove_len; + u32 len_p2; + + /* 尽管在检测到可变行为时,修剪器的效用会降低,但它仍然会有一定程度的作用,因此我们不对此进行检查。 */ - // 如果输入长度小于5,直接返回0,不进行修剪 if (q->len < 5) return 0; - stage_name = tmp; // 设置当前阶段名称 - bytes_trim_in += q->len; // 更新修剪输入的总字节数 + stage_name = tmp; + bytes_trim_in += q->len; + + /* 选择初始块len,从较大的步骤开始。*/ + + len_p2 = next_p2(q->len); - // 选择初始块长度,从大步长开始 - len_p2 = next_p2(q->len); // 获取q->len的下一个2的幂次 + remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); - remove_len = MAX(len_p2 / TRIM_START_STEPS, TRIM_MIN_BYTES); // 计算移除长度 + /* 继续进行,直到步骤数变得过高或步长变得过小。 */ - // 继续修剪,直到步数过高或步长过小 while (remove_len >= MAX(len_p2 / TRIM_END_STEPS, TRIM_MIN_BYTES)) { - u32 remove_pos = remove_len; // 移除位置 - // 格式化修剪信息 + u32 remove_pos = remove_len; + sprintf(tmp, "trim %s/%s", DI(remove_len), DI(remove_len)); - stage_cur = 0; // 当前阶段 - stage_max = q->len / remove_len; // 最大阶段数 + stage_cur = 0; + stage_max = q->len / remove_len; + + while (remove_pos < q->len) { - while (remove_pos < q->len) { // 循环移除每个位置的数据 - u32 trim_avail = MIN(remove_len, q->len - remove_pos); // 可修剪的可用长度 - u32 cksum; // 校验和 + u32 trim_avail = MIN(remove_len, q->len - remove_pos); + u32 cksum; - // 写入带有间隔的输入数据 write_with_gap(in_buf, q->len, remove_pos, trim_avail); - fault = run_target(argv, exec_tmout); // 运行目标程序 - trim_execs++; // 更新修剪执行次数 + fault = run_target(argv, exec_tmout); + trim_execs++; - // 如果出现错误或停止请求,跳转到修剪中止 if (stop_soon || fault == FAULT_ERROR) goto abort_trimming; - // 计算执行路径的校验和 + /* 请注意,我们在这里不跟踪崩溃或挂起;也许做? */ + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - // 如果删除数据没有影响执行路径,将其永久移除 + /* 如果删除对跟踪没有影响,使其成为永久性的。这对于变量路径输入来说并不 + 完美,但我们只是在尽力而为,所以如果我们偶尔出现假阴性,也不是什么大问题。 */ + if (cksum == q->exec_cksum) { - u32 move_tail = q->len - remove_pos - trim_avail; // 需要移动的尾部长度 - q->len -= trim_avail; // 更新长度 - len_p2 = next_p2(q->len); // 更新下一个2的幂次 + u32 move_tail = q->len - remove_pos - trim_avail; - // 移动数据 - memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, move_tail); + q->len -= trim_avail; + len_p2 = next_p2(q->len); + + memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail, + move_tail); + + /* 让我们保存一个干净的跟踪信息,在我们完成修剪工作后,update_bitmap_score函数将会需要它。*/ - // 如果需要,保存一个干净的执行路径 if (!needs_write) { + needs_write = 1; - memcpy(clean_trace, trace_bits, MAP_SIZE); // 复制执行路径 + memcpy(clean_trace, trace_bits, MAP_SIZE); + } - } else { - remove_pos += remove_len; // 否则,移动到下一个位置 - } - // 定期更新屏幕显示 + } else remove_pos += remove_len; + + /* 因为这可能很慢,所以要时不时地更新屏幕。 */ + if (!(trim_exec++ % stats_update_freq)) show_stats(); - stage_cur++; // 更新当前阶段 + stage_cur++; + } - remove_len >>= 1; // 减少移除长度 + remove_len >>= 1; + } - // 如果对in_buf进行了修改,需要更新磁盘上的测试用例 + /* 如果我们对in_buf做了更改,我们还需要更新磁盘上的测试用例版本。 */ + if (needs_write) { - s32 fd; // 文件描述符 - // 删除旧的测试用例文件 - unlink(q->fname); // 忽略错误 + s32 fd; + + unlink(q->fname); /* ignore errors */ - // 创建新的测试用例文件 fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, 0600); - if (fd < 0) PFATAL("Unable to create '%s'", q->fname); // 错误处理 - // 写入新的测试用例数据 + if (fd < 0) PFATAL("Unable to create '%s'", q->fname); + ck_write(fd, in_buf, q->len, q->fname); - close(fd); // 关闭文件描述符 + close(fd); - // 更新执行路径和分数 memcpy(trace_bits, clean_trace, MAP_SIZE); update_bitmap_score(q); + } -abort_trimming: // 修剪中止标签 - bytes_trim_out += q->len; // 更新修剪输出的总字节数 - return fault; // 返回故障状态 +abort_trimming: + + bytes_trim_out += q->len; + return fault; + } -// 写入修改后的测试用例,运行程序,处理结果。处理错误条件,如果需要中止,则返回1。 -// 这是fuzz_one()的辅助函数。 + +/* 写入一个修改后的测试用例,运行程序,处理结果。处理错误条件,如果到 +了该退出的时候则返回1。这是fuzz_one()的辅助函数。 */ + EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) { - u8 fault; // 故障状态 - // 如果存在后处理函数 + u8 fault; + if (post_handler) { - // 调用后处理函数 + out_buf = post_handler(out_buf, &len); - if (!out_buf || !len) return 0; // 如果返回为空或长度为0,则返回0 + if (!out_buf || !len) return 0; + } - // 写入测试用例 write_to_testcase(out_buf, len); - fault = run_target(argv, exec_tmout); // 运行目标程序 + fault = run_target(argv, exec_tmout); - // 如果需要停止,则返回1 if (stop_soon) return 1; - // 如果出现超时故障 if (fault == FAULT_TMOUT) { - // 如果连续超时次数超过限制,则跳过当前路径 + if (subseq_tmouts++ > TMOUT_LIMIT) { cur_skipped_paths++; return 1; } - } else { - subseq_tmouts = 0; // 重置连续超时次数 - } - // 用户可以通过SIGUSR1信号请求放弃当前输入 + } else subseq_tmouts = 0; + + /* 用户可以通过发送SIGUSR1信号来请求放弃当前的输入。 */ + if (skip_requested) { - skip_requested = 0; // 重置跳过请求 - cur_skipped_paths++; // 增加跳过路径数 - return 1; // 返回1 + + skip_requested = 0; + cur_skipped_paths++; + return 1; + } - // 处理故障,更新发现的队列 + /* 这将为我们处理FAULT_ERROR: */ + queued_discovered += save_if_interesting(argv, out_buf, len, fault); - // 定期更新统计信息 if (!(stage_cur % stats_update_freq) || stage_cur + 1 == stage_max) show_stats(); - return 0; // 返回0,表示继续执行 + return 0; + } -/* 辅助函数,用于在模糊测试中的块操作选择随机块长度。 - 只要max_len大于0,就不会返回零 */ + +/* 在fuzz_one()中用于选择块操作的随机块长度的辅助函数。只要最大长度max_len大于0,就不会返回零。 */ static u32 choose_block_len(u32 limit) { u32 min_value, max_value; - u32 rlim = MIN(queue_cycle, 3); // 限制随机数生成的范围 + u32 rlim = MIN(queue_cycle, 3); - if (!run_over10m) rlim = 1; // 如果没有超过10M的运行限制,则设置rlim为1 + if (!run_over10m) rlim = 1; - // 根据随机数选择不同的块长度范围 switch (UR(rlim)) { - case 0: - min_value = 1; // 最小长度设置为1 - max_value = HAVOC_BLK_SMALL; // 最大长度设置为小值 - break; - case 1: - min_value = HAVOC_BLK_SMALL; // 最小长度设置为小值 - max_value = HAVOC_BLK_MEDIUM; // 最大长度设置为中等值 - break; + + case 0: min_value = 1; + max_value = HAVOC_BLK_SMALL; + break; + + case 1: min_value = HAVOC_BLK_SMALL; + max_value = HAVOC_BLK_MEDIUM; + break; + default: - if (UR(10)) { - min_value = HAVOC_BLK_MEDIUM; // 随机选择中等或大长度 - max_value = HAVOC_BLK_LARGE; - } else { - min_value = HAVOC_BLK_LARGE; // 随机选择大或超大长度 - max_value = HAVOC_BLK_XL; - } + + if (UR(10)) { + + min_value = HAVOC_BLK_MEDIUM; + max_value = HAVOC_BLK_LARGE; + + } else { + + min_value = HAVOC_BLK_LARGE; + max_value = HAVOC_BLK_XL; + + } + } - // 如果最小值大于限制,则设置最小值为1 if (min_value >= limit) min_value = 1; - // 返回一个在指定范围内的随机块长度 return min_value + UR(MIN(max_value, limit) - min_value + 1); + } -/* 计算案例的期望分数,以调整havoc模糊测试的长度。 - 这是一个辅助函数,用于fuzz_one()。也许这些常数中的一些应该 - 进入config.h文件中 */ + +/* 计算案例的期望分数,以调整havoc模糊测试的长度。这是fuzz_one()的辅助函数。也许这些常数中的一些应该放入config.h中。*/ static u32 calculate_score(struct queue_entry* q) { - u32 avg_exec_us = total_cal_us / total_cal_cycles; // 计算平均执行时间 - u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; // 计算平均位图大小 - u32 perf_score = 100; // 初始化性能分数 + u32 avg_exec_us = total_cal_us / total_cal_cycles; + u32 avg_bitmap_size = total_bitmap_size / total_bitmap_entries; + u32 perf_score = 100; - /* 根据此路径的执行速度与全局平均值相比,调整分数。 - 乘数范围从0.1x到3x。快速输入的成本较低,因此给予更多的运行时间。 */ + /* 根据此路径的执行速度与全局平均速度的比较,调整分数。乘数范围从0.1x到3x。快速输入的模糊测试成本较低,因此我们给予它们更多的测试时间。 */ if (q->exec_us * 0.1 > avg_exec_us) perf_score = 10; else if (q->exec_us * 0.25 > avg_exec_us) perf_score = 25; @@ -4741,8 +4626,7 @@ static u32 calculate_score(struct queue_entry* q) { else if (q->exec_us * 3 < avg_exec_us) perf_score = 200; else if (q->exec_us * 2 < avg_exec_us) perf_score = 150; - /* 根据位图大小调整分数。工作理论是更好的覆盖率转化为更好的目标。 - 乘数从0.25x到3x。 */ + /* 根据位图大小调整分数。工作理论是更好的覆盖率转化为更好的目标。乘数从0.25x到3x。 */ if (q->bitmap_size * 0.3 > avg_bitmap_size) perf_score *= 3; else if (q->bitmap_size * 0.5 > avg_bitmap_size) perf_score *= 2; @@ -4751,173 +4635,218 @@ static u32 calculate_score(struct queue_entry* q) { else if (q->bitmap_size * 2 < avg_bitmap_size) perf_score *= 0.5; else if (q->bitmap_size * 1.5 < avg_bitmap_size) perf_score *= 0.75; - /* 根据handicap调整分数。Handicap与我们了解此路径的时间成正比。 - 后来者允许运行更长时间,直到它们赶上其他路径。 */ + /* 根据handicap(障碍)调整分数。Handicap与我们在游戏中了解这条路径的时间成比例。后来者被允许运行更长时间,直到它们赶上其他路径。 */ if (q->handicap >= 4) { - perf_score *= 4; // 如果handicap大于等于4,则乘以4 - q->handicap -= 4; // 减少handicap值 + + perf_score *= 4; + q->handicap -= 4; + } else if (q->handicap) { - perf_score *= 2; // 如果handicap大于0,则乘以2 - q->handicap--; // 减少handicap值 + + perf_score *= 2; + q->handicap--; + } - /* 根据输入深度进行最终调整,假设模糊测试更深层的测试用例 - 更有可能发现传统模糊测试无法发现的问题。 */ + /* 基于输入深度的最终调整,假设模糊测试更深层的测试用例更有可能揭示传统模糊测试工具无法发现的问题。 */ switch (q->depth) { - case 0 ... 3: break; // 如果深度在0到3之间,不调整分数 - case 4 ... 7: perf_score *= 2; break; // 如果深度在4到7之间,乘以2 - case 8 ... 13: perf_score *= 3; break; // 如果深度在8到13之间,乘以3 - case 14 ... 25: perf_score *= 4; break; // 如果深度在14到25之间,乘以4 - default: perf_score *= 5; // 默认情况下,乘以5 + + case 0 ... 3: break; + case 4 ... 7: perf_score *= 2; break; + case 8 ... 13: perf_score *= 3; break; + case 14 ... 25: perf_score *= 4; break; + default: perf_score *= 5; + } - /* 确保我们不超过限制。 */ + /* 确保我们不超过极限 */ + + if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; - if (perf_score > HAVOC_MAX_MULT * 100) perf_score = HAVOC_MAX_MULT * 100; // 如果分数超过最大限制,则设置为最大限制 + return perf_score; - return perf_score; // 返回计算出的分数 } -/* Helper function to see if a particular change (xor_val = old ^ new) could - be a product of deterministic bit flips with the lengths and stepovers - attempted by afl-fuzz. This is used to avoid dupes in some of the - deterministic fuzzing operations that follow bit flips. We also - return 1 if xor_val is zero, which implies that the old and attempted new - values are identical and the exec would be a waste of time. */ +/* 辅助函数,用于检查特定的变化(xor_val = old ^ new)是否可能是由afl-fuzz尝试的长度 +和步长确定性位翻转产生的结果。这用于避免在一些跟随位翻转的确定性模糊测试操作中的重复 +项。如果xor_val为零,我们也返回1,这意味着旧值和尝试的新值是相同的,执行将是一种时间 +浪费。*/ -// 检测一个值是否可能是通过位翻转操作得到的。 static u8 could_be_bitflip(u32 xor_val) { - u32 sh = 0; // 用于记录位移的变量 - // 如果xor_val为0,表示没有位被翻转,返回1。 + u32 sh = 0; + if (!xor_val) return 1; - // 将xor_val左移,直到最低位为1,记录移动的位数。 + /* 左移直到第一个位设置 */ + while (!(xor_val & 1)) { sh++; xor_val >>= 1; } - // 如果xor_val是1、3或15,表示只有1、2或4位被翻转,返回1。 + /* 1-、2-和4-bit模式在任何地方都是可以的。 */ + if (xor_val == 1 || xor_val == 3 || xor_val == 15) return 1; - // 如果sh不是8的倍数,那么8位、16位或32位的模式不可能通过位移得到,返回0。 + /* 8-,、16-、和 32-bit模式只有当位移因子能被8整除时,模式才有效,因为这是这些操作的步长。 */ + if (sh & 7) return 0; - // 如果xor_val是0xff、0xffff或0xffffffff,表示8位、16位或32位的所有位都被翻转,返回1。 if (xor_val == 0xff || xor_val == 0xffff || xor_val == 0xffffffff) return 1; - // 如果以上条件都不满足,返回0。 return 0; + } -// 检测一个值是否可能是通过算术操作从另一个值得到的。 + +/* 辅助函数,用于检查是否可以通过算术操作达到某个特定值。用于类似的目的。 */ + static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) { - u32 i, ov = 0, nv = 0, diffs = 0; // 用于循环和比较的变量 - // 如果old_val和new_val相同,返回1。 + u32 i, ov = 0, nv = 0, diffs = 0; + if (old_val == new_val) return 1; - // 检查每个字节是否有差异,并尝试通过单字节的调整来生成new_val。 + /* 看看对任何字节进行一个字节的调整是否会产生此结果。 */ + for (i = 0; i < blen; i++) { - u8 a = old_val >> (8 * i), // 获取old_val的第i个字节 - b = new_val >> (8 * i); // 获取new_val的第i个字节 - if (a != b) { diffs++; ov = a; nv = b; } // 如果字节不同,增加差异计数 + u8 a = old_val >> (8 * i), + b = new_val >> (8 * i); + + if (a != b) { diffs++; ov = a; nv = b; } + } - // 如果只有一个字节不同,并且差异在可接受的范围内,返回1。 + /* 如果只有一个字节不同并且值在范围内,则返回1。*/ + if (diffs == 1) { + if ((u8)(ov - nv) <= ARITH_MAX || (u8)(nv - ov) <= ARITH_MAX) return 1; + } - // 如果blen为1,表示只有单字节,返回0。 if (blen == 1) return 0; - // 检查每两个字节是否有差异,并尝试通过双字节的调整来生成new_val。 + /* 看看对任何字节进行两个字节的调整是否会产生此结果。 */ + diffs = 0; + for (i = 0; i < blen / 2; i++) { - u16 a = old_val >> (16 * i), // 获取old_val的第i个双字节 - b = new_val >> (16 * i); // 获取new_val的第i个双字节 - if (a != b) { diffs++; ov = a; nv = b; } // 如果双字节不同,增加差异计数 + u16 a = old_val >> (16 * i), + b = new_val >> (16 * i); + + if (a != b) { diffs++; ov = a; nv = b; } + } - // 如果只有一个双字节不同,并且差异在可接受的范围内,返回1。 + /* 如果只有一个字不同且值在范围内,则返回1。 */ + if (diffs == 1) { + if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) return 1; - // 尝试交换字节顺序后再次检查 ov = SWAP16(ov); nv = SWAP16(nv); + if ((u16)(ov - nv) <= ARITH_MAX || (u16)(nv - ov) <= ARITH_MAX) return 1; + } - // 如果blen为4,表示有四个字节,检查整个四字节的差异。 + /* 最后,让我们对dwords做同样的事情。 */ + if (blen == 4) { + if ((u32)(old_val - new_val) <= ARITH_MAX || (u32)(new_val - old_val) <= ARITH_MAX) return 1; - // 尝试交换字节顺序后再次检查 new_val = SWAP32(new_val); old_val = SWAP32(old_val); + if ((u32)(old_val - new_val) <= ARITH_MAX || (u32)(new_val - old_val) <= ARITH_MAX) return 1; + } - // 如果以上条件都不满足,返回0。 return 0; + } -// 检测一个值是否可能是通过插入特定的整数得到的,考虑到之前已经插入过的值。 + +/* 最后但同样重要的是,一个类似的辅助函数,用于检查在给定较短blen的插入操作后, +插入一个有趣的整数是否是多余的。最后一个参数(check_le)如果设置,意味着调用者 +已经为当前blen执行了LE(小端)插入,并希望查看传入的新值中的BE(大端)变体是否是唯一的。 */ + static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { + u32 i, j; - // 如果old_val和new_val相同,返回1。 if (old_val == new_val) return 1; - // 检查是否可以通过在old_val中插入一个字节的值来得到new_val。 + /* See if one-byte insertions from interesting_8 over old_val could + produce new_val. */ + for (i = 0; i < blen; i++) { + for (j = 0; j < sizeof(interesting_8); j++) { - u32 tval = (old_val & ~(0xff << (i * 8))) | // 清除old_val的第i个字节 - (((u8)interesting_8[j]) << (i * 8)); // 插入新的字节值 - if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 + u32 tval = (old_val & ~(0xff << (i * 8))) | + (((u8)interesting_8[j]) << (i * 8)); + + if (new_val == tval) return 1; + } + } - // 如果blen为2并且check_le为0,表示不需要检查小端字节序,返回0。 + /* Bail out unless we're also asked to examine two-byte LE insertions + as a preparation for BE attempts. */ + if (blen == 2 && !check_le) return 0; - // 检查是否可以通过在old_val中插入一个双字节的值来得到new_val。 + /* See if two-byte insertions over old_val could give us new_val. */ + for (i = 0; i < blen - 1; i++) { + for (j = 0; j < sizeof(interesting_16) / 2; j++) { - u32 tval = (old_val & ~(0xffff << (i * 8))) | // 清除old_val的第i个双字节 - (((u16)interesting_16[j]) << (i * 8)); // 插入新的双字节值 - if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 + u32 tval = (old_val & ~(0xffff << (i * 8))) | + (((u16)interesting_16[j]) << (i * 8)); + + if (new_val == tval) return 1; + + /* Continue here only if blen > 2. */ - // 如果blen大于2,尝试交换字节顺序后再次检查 if (blen > 2) { + tval = (old_val & ~(0xffff << (i * 8))) | (SWAP16(interesting_16[j]) << (i * 8)); - if (new_val == tval) return 1; // 如果得到的值与new_val相同,返回1 + + if (new_val == tval) return 1; + } + } + } - // 如果blen为4并且check_le为1,表示需要检查大端字节序。 if (blen == 4 && check_le) { - // 检查是否可以通过插入一个四字节的值来得到new_val(只考虑小端)。 + + /* See if four-byte insertions could produce the same result + (LE only). */ + for (j = 0; j < sizeof(interesting_32) / 4; j++) if (new_val == (u32)interesting_32[j]) return 1; + } - // 如果以上条件都不满足,返回0。 return 0; + } @@ -4927,716 +4856,737 @@ static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_le) { static u8 fuzz_one(char** argv) { - // 定义局部变量,用于存储输入数据长度、文件描述符、临时数据长度等。 s32 len, fd, temp_len, i, j; - // 分配指针,用于存储输入缓冲区、输出缓冲区、原始输入数据等。 u8 *in_buf, *out_buf, *orig_in, *ex_tmp, *eff_map = 0; - // 定义变量,用于记录混沌队列中的路径数量、原始命中次数和新的命中次数。 u64 havoc_queued, orig_hit_cnt, new_hit_cnt; - // 定义变量,用于记录拼接周期、性能得分、原始性能得分、先前校验和、效应器计数。 u32 splice_cycle = 0, perf_score = 100, orig_perf, prev_cksum, eff_cnt = 1; - // 定义返回值、确定性测试标志。 u8 ret_val = 1, doing_det = 0; - // 定义一个数组,用于存储自动收集的额外数据,以及一个计数器。 u8 a_collect[MAX_AUTO_EXTRA]; u32 a_len = 0; #ifdef IGNORE_FINDS - // 如果定义了IGNORE_FINDS宏,跳过不在初始数据集中的条目。 + + /* In IGNORE_FINDS mode, skip any entries that weren't in the + initial data set. */ + if (queue_cur->depth > 1) return 1; #else - // 如果有待处理的优选输入且不在IGNORE_FINDS模式。 + if (pending_favored) { - // 如果队列中有新的优选输入,可能跳过已模糊测试的或非优选的情况。 + /* If we have any favored, non-fuzzed new arrivals in the queue, + possibly skip to them at the expense of already-fuzzed or non-favored + cases. */ + if ((queue_cur->was_fuzzed || !queue_cur->favored) && UR(100) < SKIP_TO_NEW_PROB) return 1; } else if (!dumb_mode && !queue_cur->favored && queued_paths > 10) { - // 否则,对于非优选情况,也可能跳过,但概率较低。 - // 对于已经模糊测试的输入,跳过的概率更高;对于从未模糊测试的输入,概率更低。 + /* Otherwise, still possibly skip non-favored cases, albeit less often. + The odds of skipping stuff are higher for already-fuzzed inputs and + lower for never-fuzzed entries. */ if (queue_cycle > 1 && !queue_cur->was_fuzzed) { - // 如果是队列中的第二轮且当前输入未被模糊测试过,根据概率跳过。 if (UR(100) < SKIP_NFAV_NEW_PROB) return 1; } else { - // 对于已经模糊测试过的输入,根据概率跳过。 if (UR(100) < SKIP_NFAV_OLD_PROB) return 1; } } + #endif /* ^IGNORE_FINDS */ -// 如果当前环境不是终端(tty),则打印模糊测试的进度信息。 -if (not_on_tty) { + if (not_on_tty) { ACTF("Fuzzing test case #%u (%u total, %llu uniq crashes found)...", current_entry, queued_paths, unique_crashes); fflush(stdout); -} + } + + /* Map the test case into memory. */ + + fd = open(queue_cur->fname, O_RDONLY); -// 打开当前测试用例文件并将其映射到内存中。 -fd = open(queue_cur->fname, O_RDONLY); + if (fd < 0) PFATAL("Unable to open '%s'", queue_cur->fname); -// 如果打开文件失败,则打印错误信息并终止程序。 -if (fd < 0) PFATAL("Unable to open '%s'", queue_cur->fname); + len = queue_cur->len; -// 获取文件长度。 -len = queue_cur->len; + orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); -// 将文件内容映射到内存中的in_buf变量。 -orig_in = in_buf = mmap(0, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (orig_in == MAP_FAILED) PFATAL("Unable to mmap '%s'", queue_cur->fname); -// 如果映射失败,则打印错误信息并终止程序。 -if (orig_in == MAP_FAILED) PFATAL("Unable to mmap '%s'", queue_cur->fname); + close(fd); -// 关闭文件描述符。 -close(fd); + /* We could mmap() out_buf as MAP_PRIVATE, but we end up clobbering every + single byte anyway, so it wouldn't give us any performance or memory usage + benefits. */ -// 分配内存用于输出缓冲区,这里使用ck_alloc_nozero来分配非零内存。 -out_buf = ck_alloc_nozero(len); + out_buf = ck_alloc_nozero(len); -// 初始化连续超时计数器。 -subseq_tmouts = 0; + subseq_tmouts = 0; -// 设置当前深度。 -cur_depth = queue_cur->depth; + cur_depth = queue_cur->depth; -/******************************************* -* CALIBRATION (only if failed earlier on) * -*******************************************/ + /******************************************* + * CALIBRATION (only if failed earlier on) * + *******************************************/ -// 如果当前测试用例之前校准失败,则尝试重新校准。 -if (queue_cur->cal_failed) { + if (queue_cur->cal_failed) { u8 res = FAULT_TMOUT; - // 如果校准失败次数小于允许的最大次数,则尝试重新校准。 if (queue_cur->cal_failed < CAL_CHANCES) { - // 重置exec_cksum,以便重新执行测试用例。 - queue_cur->exec_cksum = 0; + /* Reset exec_cksum to tell calibrate_case to re-execute the testcase + avoiding the usage of an invalid trace_bits. + For more info: https://github.com/AFLplusplus/AFLplusplus/pull/425 */ - // 执行校准函数。 - res = calibrate_case(argv, queue_cur, in_buf, queue_cycle - 1, 0); + queue_cur->exec_cksum = 0; - // 如果校准失败,则终止程序。 - if (res == FAULT_ERROR) - FATAL("Unable to execute target application"); + res = calibrate_case(argv, queue_cur, in_buf, queue_cycle - 1, 0); + + if (res == FAULT_ERROR) + FATAL("Unable to execute target application"); } - // 如果需要停止或者校准结果不是预期的崩溃模式,则跳过当前测试用例。 if (stop_soon || res != crash_mode) { - cur_skipped_paths++; - goto abandon_entry; + cur_skipped_paths++; + goto abandon_entry; } -} + } -/************ -* TRIMMING * -************/ + /************ + * TRIMMING * + ************/ -// 如果没有启用dumb_mode并且当前测试用例尚未修剪,则执行修剪操作。 -if (!dumb_mode && !queue_cur->trim_done) { + if (!dumb_mode && !queue_cur->trim_done) { u8 res = trim_case(argv, queue_cur, in_buf); - // 如果修剪失败,则终止程序。 if (res == FAULT_ERROR) - FATAL("Unable to execute target application"); + FATAL("Unable to execute target application"); - // 如果需要停止,则跳过当前测试用例。 if (stop_soon) { - cur_skipped_paths++; - goto abandon_entry; + cur_skipped_paths++; + goto abandon_entry; } - // 标记为已修剪,不再尝试修剪。 + /* Don't retry trimming, even if it failed. */ + queue_cur->trim_done = 1; - // 更新文件长度。 if (len != queue_cur->len) len = queue_cur->len; -} + } + + memcpy(out_buf, in_buf, len); -// 将输入缓冲区的内容复制到输出缓冲区。 -memcpy(out_buf, in_buf, len); + /********************* + * PERFORMANCE SCORE * + *********************/ -/********************* -* PERFORMANCE SCORE * -*********************/ + orig_perf = perf_score = calculate_score(queue_cur); -// 计算性能得分。 -orig_perf = perf_score = calculate_score(queue_cur); + /* Skip right away if -d is given, if we have done deterministic fuzzing on + this entry ourselves (was_fuzzed), or if it has gone through deterministic + testing in earlier, resumed runs (passed_det). */ -// 如果启用了-d选项,或者已经对当前测试用例执行过确定性模糊测试,或者它已经通过了早期的确定性测试,则跳过确定性测试阶段。 -if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) + if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) goto havoc_stage; -// 如果执行路径校验和将当前测试用例排除在当前主实例的范围之外,则跳过确定性测试。 -if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) + /* Skip deterministic fuzzing if exec path checksum puts this out of scope + for this master instance. */ + + if (master_max && (queue_cur->exec_cksum % master_max) != master_id - 1) goto havoc_stage; -// 标记为正在执行确定性测试。 -doing_det = 1; + doing_det = 1; -/********************************************* -* SIMPLE BITFLIP (+dictionary construction) * -********************************************/ + /********************************************* + * SIMPLE BITFLIP (+dictionary construction) * + *********************************************/ -// 定义一个宏,用于翻转位。 #define FLIP_BIT(_ar, _b) do { \ u8* _arf = (u8*)(_ar); \ u32 _bf = (_b); \ _arf[(_bf) >> 3] ^= (128 >> ((_bf) & 7)); \ } while (0) -// 执行简单的位翻转测试。 -stage_short = "flip1"; -stage_max = len << 3; -stage_name = "bitflip 1/1"; + /* Single walking bit. */ -stage_val_type = STAGE_VAL_NONE; + stage_short = "flip1"; + stage_max = len << 3; + stage_name = "bitflip 1/1"; -// 初始化原始命中计数器。 -orig_hit_cnt = queued_paths + unique_crashes; + stage_val_type = STAGE_VAL_NONE; -// 保存之前的校验和。 -prev_cksum = queue_cur->exec_cksum; + orig_hit_cnt = queued_paths + unique_crashes; -// 遍历每个位并执行位翻转测试。 -for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + prev_cksum = queue_cur->exec_cksum; + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - // 计算当前位所在的字节。 stage_cur_byte = stage_cur >> 3; - // 翻转当前位。 FLIP_BIT(out_buf, stage_cur); - // 执行模糊测试。 if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - // 恢复原始位状态。 FLIP_BIT(out_buf, stage_cur); - // 在翻转最低有效位时,执行额外的检测以识别可能的语法标记。 - if (!dumb_mode && (stage_cur & 7) == 7) { + /* While flipping the least significant bit in every byte, pull of an extra + trick to detect possible syntax tokens. In essence, the idea is that if + you have a binary blob like this: - // 计算新的校验和。 - u32 cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + xxxxxxxxIHDRxxxxxxxx - // 如果到达文件末尾并且我们仍在收集字符串,则获取最终字符并强制输出。 - if (stage_cur == stage_max - 1 && cksum == prev_cksum) { + ...and changing the leading and trailing bytes causes variable or no + changes in program flow, but touching any character in the "IHDR" string + always produces the same, distinctive path, it's highly likely that + "IHDR" is an atomically-checked magic value of special significance to + the fuzzed format. - if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; - a_len++; + We do this here, rather than as a separate stage, because it's a nice + way to keep the operation approximately "free" (i.e., no extra execs). + + Empirically, performing the check when flipping the least significant bit + is advantageous, compared to doing it at the time of more disruptive + changes, where the program flow may be affected in more violent ways. - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(a_collect, a_len); + The caveat is that we won't generate dictionaries in the -d mode or -S + mode - but that's probably a fair trade-off. - } else if (cksum != prev_cksum) { + This won't work particularly well with paths that exhibit variable + behavior, but fails gracefully, so we'll carry out the checks anyway. - // 否则,如果校验和已更改,则查看是否有值得收集的内容,并在是的情况下收集。 - if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) - maybe_add_auto(a_collect, a_len); + */ - a_len = 0; - prev_cksum = cksum; + if (!dumb_mode && (stage_cur & 7) == 7) { - } + u32 cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - // 继续收集字符串,但只有在位翻转实际上产生了影响时,我们才不希望无操作标记。 + if (stage_cur == stage_max - 1 && cksum == prev_cksum) { - if (cksum != queue_cur->exec_cksum) { + /* If at end of file and we are still collecting a string, grab the + final character and force output. */ - if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; - a_len++; + if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; + a_len++; - } + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + maybe_add_auto(a_collect, a_len); - } + } else if (cksum != prev_cksum) { -} -// 初始化新的命中计数,这是待处理路径数和唯一崩溃数的总和。 -new_hit_cnt = queued_paths + unique_crashes; + /* Otherwise, if the checksum has changed, see if we have something + worthwhile queued up, and collect that if the answer is yes. */ -// 更新STAGE_FLIP1阶段的发现计数和周期数。 -stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; // 发现计数增加新的命中数减去原始的命中数。 -stage_cycles[STAGE_FLIP1] += stage_max; // 增加STAGE_FLIP1的最大周期数。 + if (a_len >= MIN_AUTO_EXTRA && a_len <= MAX_AUTO_EXTRA) + maybe_add_auto(a_collect, a_len); -/* 两个行走的位。 */ + a_len = 0; + prev_cksum = cksum; -// 设置当前阶段的名称和简称。 -stage_name = "bitflip 2/1"; -stage_short = "flip2"; -// 计算STAGE_FLIP1阶段的最大值,即输入数据长度的8倍减1。 -stage_max = (len << 3) - 1; + } -// 将新的命中计数赋值给原始命中计数,以便下一次迭代使用。 -orig_hit_cnt = new_hit_cnt; + /* Continue collecting string, but only if the bit flip actually made + any difference - we don't want no-op tokens. */ -// 循环遍历STAGE_FLIP1阶段的最大值。 -for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { + if (cksum != queue_cur->exec_cksum) { - // 计算当前位操作的字节索引。 - stage_cur_byte = stage_cur >> 3; + if (a_len < MAX_AUTO_EXTRA) a_collect[a_len] = out_buf[stage_cur >> 3]; + a_len++; - // 翻转输出缓冲区中当前位置和下一个位置的位。 - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); + } - // 如果common_fuzz_stuff函数返回失败,跳转到abandon_entry标签处。 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + } - // 恢复输出缓冲区中当前位置和下一个位置的位到原始状态。 - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); + } -} + new_hit_cnt = queued_paths + unique_crashes; -// 计算新的命中次数,这是当前队列中的路径数加上唯一的崩溃次数。 -new_hit_cnt = queued_paths + unique_crashes; - -// 更新FLIP2阶段的发现次数和周期数。 -stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_FLIP2] += stage_max; - -// 定义FLIP4阶段的名称和简称。 -stage_name = "bitflip 4/1"; -stage_short = "flip4"; -// 计算FLIP4阶段的最大值,这是输入长度的三倍减去3。 -stage_max = (len << 3) - 3; - -// 将新的命中次数保存为原始命中次数,以便在下一个阶段使用。 -orig_hit_cnt = new_hit_cnt; - -// 循环,对每个可能的位位置进行操作。 -for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - // 计算当前操作的字节位置。 - stage_cur_byte = stage_cur >> 3; - - // 翻转当前位置及其后三个位置的位。 - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); - FLIP_BIT(out_buf, stage_cur + 2); - FLIP_BIT(out_buf, stage_cur + 3); - - // 如果common_fuzz_stuff函数返回真,则跳转到abandon_entry标签。 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - - // 恢复原始位状态。 - FLIP_BIT(out_buf, stage_cur); - FLIP_BIT(out_buf, stage_cur + 1); - FLIP_BIT(out_buf, stage_cur + 2); - FLIP_BIT(out_buf, stage_cur + 3); -} + stage_finds[STAGE_FLIP1] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP1] += stage_max; -// 更新FLIP4阶段的发现次数和周期数。 -new_hit_cnt = queued_paths + unique_crashes; -stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_FLIP4] += stage_max; + /* Two walking bits. */ -// 定义一些宏,用于计算effector map中的位置和长度。 -#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2) -#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1)) -#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l)) -#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l) - 1) - EFF_APOS(_p) + 1) + stage_name = "bitflip 2/1"; + stage_short = "flip2"; + stage_max = (len << 3) - 1; -// 初始化下一个步骤的effector map,并标记第一个和最后一个字节为活跃的。 -eff_map = ck_alloc(EFF_ALEN(len)); -eff_map[0] = 1; + orig_hit_cnt = new_hit_cnt; -// 如果最后一个字节的位置不等于0,则标记它为活跃的,并增加eff_cnt计数器。 -if (EFF_APOS(len - 1) != 0) { - eff_map[EFF_APOS(len - 1)] = 1; - eff_cnt++; -} + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { -// 定义FLIP8阶段的名称和简称。 -stage_name = "bitflip 8/8"; -stage_short = "flip8"; -// 设置FLIP8阶段的最大值为输入长度。 -stage_max = len; + stage_cur_byte = stage_cur >> 3; -// 将新的命中次数保存为原始命中次数,以便在下一个阶段使用。 -orig_hit_cnt = new_hit_cnt; + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); -// 循环,对每个字节进行操作。 -for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - // 计算当前操作的字节位置。 - stage_cur_byte = stage_cur; + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - // 翻转当前字节的所有位。 - out_buf[stage_cur] ^= 0xFF; + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); - // 如果common_fuzz_stuff函数返回真,则跳转到abandon_entry标签。 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + } - // 如果当前字节在effector map中未被标记,则进行进一步的检查。 - if (!eff_map[EFF_APOS(stage_cur)]) { - u32 cksum; + new_hit_cnt = queued_paths + unique_crashes; - // 如果处于dumb模式或文件非常短,则不进行checksum计算。 - if (!dumb_mode && len >= EFF_MIN_LEN) - cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); - else - cksum = ~queue_cur->exec_cksum; + stage_finds[STAGE_FLIP2] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP2] += stage_max; - // 如果checksum与预期不符,则标记该字节为活跃的,并增加eff_cnt计数器。 - if (cksum != queue_cur->exec_cksum) { - eff_map[EFF_APOS(stage_cur)] = 1; - eff_cnt++; - } - } + /* Four walking bits. */ - // 恢复原始字节状态。 - out_buf[stage_cur] ^= 0xFF; -} + stage_name = "bitflip 4/1"; + stage_short = "flip4"; + stage_max = (len << 3) - 3; -/* 如果效应器(effector)映射的密度超过EFF_MAX_PERC指定的百分比, - 则标记整个映射为值得fuzzing(模糊测试),因为我们不会节省太多时间。 */ + orig_hit_cnt = new_hit_cnt; -if (eff_cnt != EFF_ALEN(len) && - eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) { + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - // 如果超过阈值,则将整个效应器映射标记为1(即,所有位都值得测试) - memset(eff_map, 1, EFF_ALEN(len)); + stage_cur_byte = stage_cur >> 3; - // 更新被选中进行模糊测试的块的数量 - blocks_eff_select += EFF_ALEN(len); + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + FLIP_BIT(out_buf, stage_cur + 2); + FLIP_BIT(out_buf, stage_cur + 3); -} else { + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - // 如果没有超过阈值,则只增加实际有效应器的计数 - blocks_eff_select += eff_cnt; + FLIP_BIT(out_buf, stage_cur); + FLIP_BIT(out_buf, stage_cur + 1); + FLIP_BIT(out_buf, stage_cur + 2); + FLIP_BIT(out_buf, stage_cur + 3); -} + } -// 更新总共被考虑进行模糊测试的块的数量 -blocks_eff_total += EFF_ALEN(len); + new_hit_cnt = queued_paths + unique_crashes; -// 更新在当前阶段发现的新问题(如路径或崩溃)的数量 -new_hit_cnt = queued_paths + unique_crashes; + stage_finds[STAGE_FLIP4] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP4] += stage_max; -// 更新当前阶段(STAGE_FLIP8)的发现和周期计数 -stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_FLIP8] += stage_max; + /* Effector map setup. These macros calculate: -/* 处理两个行走的字节。 */ + EFF_APOS - position of a particular file offset in the map. + EFF_ALEN - length of a map with a particular number of bytes. + EFF_SPAN_ALEN - map span for a sequence of bytes. -// 如果长度小于2,则跳过位翻转 -if (len < 2) goto skip_bitflip; + */ -// 设置当前阶段的名称和简称 -stage_name = "bitflip 16/8"; -stage_short = "flip16"; -stage_cur = 0; // 当前阶段的当前进度 -stage_max = len - 1; // 当前阶段的最大进度 +#define EFF_APOS(_p) ((_p) >> EFF_MAP_SCALE2) +#define EFF_REM(_x) ((_x) & ((1 << EFF_MAP_SCALE2) - 1)) +#define EFF_ALEN(_l) (EFF_APOS(_l) + !!EFF_REM(_l)) +#define EFF_SPAN_ALEN(_p, _l) (EFF_APOS((_p) + (_l) - 1) - EFF_APOS(_p) + 1) -// 记录原始的命中计数 -orig_hit_cnt = new_hit_cnt; + /* Initialize effector map for the next step (see comments below). Always + flag first and last byte as doing something. */ -// 遍历输入数据,每次处理两个字节 -for (i = 0; i < len - 1; i++) { + eff_map = ck_alloc(EFF_ALEN(len)); + eff_map[0] = 1; - // 检查效应器映射,如果当前和下一个字节都不是效应器,则跳过 - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max--; - continue; + if (EFF_APOS(len - 1) != 0) { + eff_map[EFF_APOS(len - 1)] = 1; + eff_cnt++; } - // 设置当前处理的字节位置 - stage_cur_byte = i; + /* Walking byte. */ - // 翻转当前两个字节的所有位 - *(u16*)(out_buf + i) ^= 0xFFFF; + stage_name = "bitflip 8/8"; + stage_short = "flip8"; + stage_max = len; - // 执行模糊测试的常见操作,如果失败则跳转到abandon_entry - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; + orig_hit_cnt = new_hit_cnt; - // 恢复原始数据 - *(u16*)(out_buf + i) ^= 0xFFFF; + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { -} + stage_cur_byte = stage_cur; -// 更新新发现的问题数量和周期计数 -new_hit_cnt = queued_paths + unique_crashes; -stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_FLIP16] += stage_max; + out_buf[stage_cur] ^= 0xFF; -// 如果长度小于4,则跳过四字节位翻转 -if (len < 4) goto skip_bitflip; + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; -/* 处理四个行走的字节。 */ + /* We also use this stage to pull off a simple trick: we identify + bytes that seem to have no effect on the current execution path + even when fully flipped - and we skip them during more expensive + deterministic stages, such as arithmetics or known ints. */ -// 设置当前阶段的名称和简称 -stage_name = "bitflip 32/8"; -stage_short = "flip32"; -stage_cur = 0; -stage_max = len - 3; + if (!eff_map[EFF_APOS(stage_cur)]) { -// 记录原始的命中计数 -orig_hit_cnt = new_hit_cnt; + u32 cksum; -// 遍历输入数据,每次处理四个字节 -for (i = 0; i < len - 3; i++) { + /* If in dumb mode or if the file is very short, just flag everything + without wasting time on checksums. */ + + if (!dumb_mode && len >= EFF_MIN_LEN) + cksum = hash32(trace_bits, MAP_SIZE, HASH_CONST); + else + cksum = ~queue_cur->exec_cksum; + + if (cksum != queue_cur->exec_cksum) { + eff_map[EFF_APOS(stage_cur)] = 1; + eff_cnt++; + } + + } + + out_buf[stage_cur] ^= 0xFF; - // 检查效应器映射,如果当前和接下来三个字节都不是效应器,则跳过 - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && - !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max--; - continue; } - // 设置当前处理的字节位置 - stage_cur_byte = i; + /* If the effector map is more than EFF_MAX_PERC dense, just flag the + whole thing as worth fuzzing, since we wouldn't be saving much time + anyway. */ - // 翻转当前四个字节的所有位 - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + if (eff_cnt != EFF_ALEN(len) && + eff_cnt * 100 / EFF_ALEN(len) > EFF_MAX_PERC) { - // 执行模糊测试的常见操作,如果失败则跳转到abandon_entry - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; + memset(eff_map, 1, EFF_ALEN(len)); - // 恢复原始数据 - *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + blocks_eff_select += EFF_ALEN(len); -} + } else { -// 更新新发现的问题数量和周期计数 -new_hit_cnt = queued_paths + unique_crashes; -stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_FLIP32] += stage_max; -// 跳过算术操作的标签 -skip_bitflip: + blocks_eff_select += eff_cnt; -// 如果设置了no_arith标志,则跳过算术操作 -if (no_arith) goto skip_arith; + } -/************************** - * ARITHMETIC INC/DEC * - *************************/ + blocks_eff_total += EFF_ALEN(len); -// 8位算术操作 -stage_name = "arith 8/8"; -stage_short = "arith8"; -stage_cur = 0; // 当前阶段的当前值 -stage_max = 2 * len * ARITH_MAX; // 最大可能的值 + new_hit_cnt = queued_paths + unique_crashes; -stage_val_type = STAGE_VAL_LE; // 值的类型,这里设置为小端 + stage_finds[STAGE_FLIP8] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP8] += stage_max; -orig_hit_cnt = new_hit_cnt; // 原始的命中次数 + /* Two walking bytes. */ -// 对输入缓冲区中的每个字节进行操作 -for (i = 0; i < len; i++) { - u8 orig = out_buf[i]; // 原始字节值 + if (len < 2) goto skip_bitflip; - // 如果当前位置不在影响映射中,则跳过 - if (!eff_map[EFF_APOS(i)]) { - stage_max -= 2 * ARITH_MAX; - continue; - } + stage_name = "bitflip 16/8"; + stage_short = "flip16"; + stage_cur = 0; + stage_max = len - 1; - stage_cur_byte = i; // 当前处理的字节位置 + orig_hit_cnt = new_hit_cnt; - // 对每个可能的增量进行操作 - for (j = 1; j <= ARITH_MAX; j++) { - u8 r = orig ^ (orig + j); // 计算增加j后的值 + for (i = 0; i < len - 1; i++) { - // 如果结果不可能是位翻转的结果,则进行算术操作 - if (!could_be_bitflip(r)) { - stage_cur_val = j; - out_buf[i] = orig + j; // 应用增加操作 + /* Let's consult the effector map... */ - // 如果公共模糊测试函数返回成功,则跳转到abandon_entry标签 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max--; + continue; + } - r = orig ^ (orig - j); // 计算减少j后的值 + stage_cur_byte = i; - // 如果结果不可能是位翻转的结果,则进行算术操作 - if (!could_be_bitflip(r)) { - stage_cur_val = -j; - out_buf[i] = orig - j; // 应用减少操作 + *(u16*)(out_buf + i) ^= 0xFFFF; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + *(u16*)(out_buf + i) ^= 0xFFFF; - // 如果公共模糊测试函数返回成功,则跳转到abandon_entry标签 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; - out_buf[i] = orig; // 恢复原始值 } -} -// 更新命中次数和阶段统计信息 -new_hit_cnt = queued_paths + unique_crashes; -stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_ARITH8] += stage_max; + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_FLIP16] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP16] += stage_max; + + if (len < 4) goto skip_bitflip; + + /* Four walking bytes. */ + + stage_name = "bitflip 32/8"; + stage_short = "flip32"; + stage_cur = 0; + stage_max = len - 3; + + orig_hit_cnt = new_hit_cnt; -// 16位算术操作,包括小端和大端 -if (len < 2) goto skip_arith; + for (i = 0; i < len - 3; i++) { -stage_name = "arith 16/8"; -stage_short = "arith16"; -stage_cur = 0; -stage_max = 4 * (len - 1) * ARITH_MAX; + /* Let's consult the effector map... */ + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max--; + continue; + } -orig_hit_cnt = new_hit_cnt; + stage_cur_byte = i; + + *(u32*)(out_buf + i) ^= 0xFFFFFFFF; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; -// 对输入缓冲区中每两个字节进行操作 -for (i = 0; i < len - 1; i++) { - u16 orig = *(u16*)(out_buf + i); // 原始的16位值 + *(u32*)(out_buf + i) ^= 0xFFFFFFFF; - // 如果当前位置和下一个位置都不在影响映射中,则跳过 - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max -= 4 * ARITH_MAX; - continue; } - stage_cur_byte = i; + new_hit_cnt = queued_paths + unique_crashes; - // 对每个可能的增量进行操作 - for (j = 1; j <= ARITH_MAX; j++) { - u16 r1 = orig ^ (orig + j), // 小端增加 - r2 = orig ^ (orig - j), // 小端减少 - r3 = orig ^ SWAP16(SWAP16(orig) + j), // 大端增加 - r4 = orig ^ SWAP16(SWAP16(orig) - j); // 大端减少 + stage_finds[STAGE_FLIP32] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_FLIP32] += stage_max; - // 尝试小端增加和减少操作 - stage_val_type = STAGE_VAL_LE; +skip_bitflip: - if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { - stage_cur_val = j; - *(u16*)(out_buf + i) = orig + j; + if (no_arith) goto skip_arith; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; + /********************** + * ARITHMETIC INC/DEC * + **********************/ - if ((orig & 0xff) < j && !could_be_bitflip(r2)) { - stage_cur_val = -j; - *(u16*)(out_buf + i) = orig - j; + /* 8-bit arithmetics. */ - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; + stage_name = "arith 8/8"; + stage_short = "arith8"; + stage_cur = 0; + stage_max = 2 * len * ARITH_MAX; - // 尝试大端增加和减少操作 - stage_val_type = STAGE_VAL_BE; + stage_val_type = STAGE_VAL_LE; - if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { - stage_cur_val = j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); + orig_hit_cnt = new_hit_cnt; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; + for (i = 0; i < len; i++) { - if ((orig >> 8) < j && !could_be_bitflip(r4)) { - stage_cur_val = -j; - *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); + u8 orig = out_buf[i]; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)]) { + stage_max -= 2 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; + + for (j = 1; j <= ARITH_MAX; j++) { + + u8 r = orig ^ (orig + j); + + /* Do arithmetic operations only if the result couldn't be a product + of a bitflip. */ + + if (!could_be_bitflip(r)) { + + stage_cur_val = j; + out_buf[i] = orig + j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + r = orig ^ (orig - j); + + if (!could_be_bitflip(r)) { + + stage_cur_val = -j; + out_buf[i] = orig - j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + out_buf[i] = orig; + + } - *(u16*)(out_buf + i) = orig; // 恢复原始值 } -} -// 更新命中次数和阶段统计信息 -new_hit_cnt = queued_paths + unique_crashes; -stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_ARITH16] += stage_max; + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_ARITH8] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_ARITH8] += stage_max; + + /* 16-bit arithmetics, both endians. */ + + if (len < 2) goto skip_arith; + + stage_name = "arith 16/8"; + stage_short = "arith16"; + stage_cur = 0; + stage_max = 4 * (len - 1) * ARITH_MAX; + + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len - 1; i++) { + + u16 orig = *(u16*)(out_buf + i); + + /* Let's consult the effector map... */ + + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { + stage_max -= 4 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; + + for (j = 1; j <= ARITH_MAX; j++) { + + u16 r1 = orig ^ (orig + j), + r2 = orig ^ (orig - j), + r3 = orig ^ SWAP16(SWAP16(orig) + j), + r4 = orig ^ SWAP16(SWAP16(orig) - j); + + /* Try little endian addition and subtraction first. Do it only + if the operation would affect more than one byte (hence the + & 0xff overflow checks) and if it couldn't be a product of + a bitflip. */ + + stage_val_type = STAGE_VAL_LE; + + if ((orig & 0xff) + j > 0xff && !could_be_bitflip(r1)) { + + stage_cur_val = j; + *(u16*)(out_buf + i) = orig + j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((orig & 0xff) < j && !could_be_bitflip(r2)) { + + stage_cur_val = -j; + *(u16*)(out_buf + i) = orig - j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + /* Big endian comes next. Same deal. */ + + stage_val_type = STAGE_VAL_BE; + + + if ((orig >> 8) + j > 0xff && !could_be_bitflip(r3)) { + + stage_cur_val = j; + *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) + j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((orig >> 8) < j && !could_be_bitflip(r4)) { + + stage_cur_val = -j; + *(u16*)(out_buf + i) = SWAP16(SWAP16(orig) - j); -// 32位算术操作,包括小端和大端 -if (len < 4) goto skip_arith; + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; -stage_name = "arith 32/8"; -stage_short = "arith32"; -stage_cur = 0; -stage_max = 4 * (len - 3) * ARITH_MAX; + } else stage_max--; -orig_hit_cnt = new_hit_cnt; + *(u16*)(out_buf + i) = orig; -// 对输入缓冲区中每四个字节进行操作 -for (i = 0; i < len - 3; i++) { - u32 orig = *(u32*)(out_buf + i); // 原始的32位值 + } - // 如果当前位置和接下来的三个位置都不在影响映射中,则跳过 - if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && - !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max -= 4 * ARITH_MAX; - continue; } - stage_cur_byte = i; + new_hit_cnt = queued_paths + unique_crashes; - // 对每个可能的增量进行操作 - for (j = 1; j <= ARITH_MAX; j++) { - u32 r1 = orig ^ (orig + j), // 小端增加 - r2 = orig ^ (orig - j), // 小端减少 - r3 = orig ^ SWAP32(SWAP32(orig) + j), // 大端增加 - r4 = orig ^ SWAP32(SWAP32(orig) - j); // 大端减少 + stage_finds[STAGE_ARITH16] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_ARITH16] += stage_max; - // 尝试小端增加和减少操作 - stage_val_type = STAGE_VAL_LE; + /* 32-bit arithmetics, both endians. */ - if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { - stage_cur_val = j; - *(u32*)(out_buf + i) = orig + j; + if (len < 4) goto skip_arith; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; + stage_name = "arith 32/8"; + stage_short = "arith32"; + stage_cur = 0; + stage_max = 4 * (len - 3) * ARITH_MAX; - if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { - stage_cur_val = -j; - *(u32*)(out_buf + i) = orig - j; + orig_hit_cnt = new_hit_cnt; - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; + for (i = 0; i < len - 3; i++) { - // 尝试大端增加和减少操作 - stage_val_type = STAGE_VAL_BE; + u32 orig = *(u32*)(out_buf + i); - if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { - stage_cur_val = j; - *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); + /* Let's consult the effector map... */ - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else stage_max--; + if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && + !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { + stage_max -= 4 * ARITH_MAX; + continue; + } + + stage_cur_byte = i; + + for (j = 1; j <= ARITH_MAX; j++) { + + u32 r1 = orig ^ (orig + j), + r2 = orig ^ (orig - j), + r3 = orig ^ SWAP32(SWAP32(orig) + j), + r4 = orig ^ SWAP32(SWAP32(orig) - j); + + /* Little endian first. Same deal as with 16-bit: we only want to + try if the operation would have effect on more than two bytes. */ + + stage_val_type = STAGE_VAL_LE; + + if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) { + + stage_cur_val = j; + *(u32*)(out_buf + i) = orig + j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((orig & 0xffff) < j && !could_be_bitflip(r2)) { + + stage_cur_val = -j; + *(u32*)(out_buf + i) = orig - j; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + /* Big endian next. */ + + stage_val_type = STAGE_VAL_BE; + + if ((SWAP32(orig) & 0xffff) + j > 0xffff && !could_be_bitflip(r3)) { + + stage_cur_val = j; + *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) + j); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; - // 如果原始值的大端格式的低16位小于增量j,并且结果不可能是位翻转的结果 if ((SWAP32(orig) & 0xffff) < j && !could_be_bitflip(r4)) { - // 设置当前阶段的值为负的增量j + stage_cur_val = -j; - // 对当前的32位值进行大端格式的减法操作,并更新输出缓冲区 *(u32*)(out_buf + i) = SWAP32(SWAP32(orig) - j); - // 执行公共的模糊测试操作,如果测试中断,则跳转到abandon_entry标签 if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - // 如果测试没有中断,增加当前阶段的计数器 stage_cur++; - } else { - // 如果操作不可能产生新的命中,减少最大阶段计数 - stage_max--; - } - // 恢复原始的32位值,以便下一次迭代使用 + } else stage_max--; + *(u32*)(out_buf + i) = orig; } @@ -5648,178 +5598,183 @@ for (i = 0; i < len - 3; i++) { stage_finds[STAGE_ARITH32] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_ARITH32] += stage_max; -// 如果设置了跳过算术处理的标志,则跳到下一个阶段。 skip_arith: -/********************** - * INTERESTING VALUES * -**********************/ + /********************** + * INTERESTING VALUES * + **********************/ + + stage_name = "interest 8/8"; + stage_short = "int8"; + stage_cur = 0; + stage_max = len * sizeof(interesting_8); + + stage_val_type = STAGE_VAL_LE; + + orig_hit_cnt = new_hit_cnt; -// 设置当前阶段的名称和简称。 -stage_name = "interest 8/8"; -stage_short = "int8"; -stage_cur = 0; // 初始化当前阶段的计数器。 -stage_max = len * sizeof(interesting_8); // 最大次数为输入数据长度与有趣8位整数数组大小的乘积。 + /* Setting 8-bit integers. */ -stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 + for (i = 0; i < len; i++) { -orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + u8 orig = out_buf[i]; -// 设置8位整数。 -for (i = 0; i < len; i++) { - u8 orig = out_buf[i]; // 保存原始字节。 + /* Let's consult the effector map... */ - // 如果当前位置在效应器映射中没有设置,则跳过。 if (!eff_map[EFF_APOS(i)]) { - stage_max -= sizeof(interesting_8); - continue; + stage_max -= sizeof(interesting_8); + continue; } - stage_cur_byte = i; // 设置当前处理的字节位置。 + stage_cur_byte = i; - // 遍历有趣的8位整数数组。 for (j = 0; j < sizeof(interesting_8); j++) { - // 如果该值可能是位翻转或算术操作的结果,则跳过。 - if (could_be_bitflip(orig ^ (u8)interesting_8[j]) || - could_be_arith(orig, (u8)interesting_8[j], 1)) { - stage_max--; - continue; - } - stage_cur_val = interesting_8[j]; // 设置当前阶段的值。 - out_buf[i] = interesting_8[j]; // 设置有趣的值。 + /* Skip if the value could be a product of bitflips or arithmetics. */ - // 执行模糊测试操作,如果需要则放弃当前输入。 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + if (could_be_bitflip(orig ^ (u8)interesting_8[j]) || + could_be_arith(orig, (u8)interesting_8[j], 1)) { + stage_max--; + continue; + } + + stage_cur_val = interesting_8[j]; + out_buf[i] = interesting_8[j]; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + out_buf[i] = orig; + stage_cur++; - out_buf[i] = orig; // 恢复原始值。 - stage_cur++; // 增加当前阶段的计数器。 } -} -// 更新新的命中次数。 -new_hit_cnt = queued_paths + unique_crashes; + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_INTEREST8] += stage_max; + + /* Setting 16-bit integers, both endians. */ -// 记录在当前阶段发现的新问题数量和周期计数。 -stage_finds[STAGE_INTEREST8] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_INTEREST8] += stage_max; + if (no_arith || len < 2) goto skip_interest; -// 如果设置了不进行算术处理或输入数据长度小于2,则跳过16位整数的处理。 -if (no_arith || len < 2) goto skip_interest; + stage_name = "interest 16/8"; + stage_short = "int16"; + stage_cur = 0; + stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1); -// 设置当前阶段的名称和简称。 -stage_name = "interest 16/8"; -stage_short = "int16"; -stage_cur = 0; // 初始化当前阶段的计数器。 -stage_max = 2 * (len - 1) * (sizeof(interesting_16) >> 1); // 最大次数为输入数据长度减1与有趣16位整数数组大小的乘积。 + orig_hit_cnt = new_hit_cnt; -orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + for (i = 0; i < len - 1; i++) { -// 设置16位整数,包括小端和大端。 -for (i = 0; i < len - 1; i++) { - u16 orig = *(u16*)(out_buf + i); // 保存原始的16位整数。 + u16 orig = *(u16*)(out_buf + i); + + /* Let's consult the effector map... */ - // 如果当前位置和下一位在效应器映射中没有设置,则跳过。 if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)]) { - stage_max -= sizeof(interesting_16); - continue; + stage_max -= sizeof(interesting_16); + continue; } - stage_cur_byte = i; // 设置当前处理的字节位置。 + stage_cur_byte = i; - // 遍历有趣的16位整数数组。 for (j = 0; j < sizeof(interesting_16) / 2; j++) { - stage_cur_val = interesting_16[j]; // 设置当前阶段的值。 - // 如果该值不可能是位翻转、算术操作或单字节有趣值插入的结果,则进行处理。 - if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) && - !could_be_arith(orig, (u16)interesting_16[j], 2) && - !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) { - stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 + stage_cur_val = interesting_16[j]; - *(u16*)(out_buf + i) = interesting_16[j]; // 设置有趣的值。 + /* Skip if this could be a product of a bitflip, arithmetics, + or single-byte interesting value insertion. */ - // 执行模糊测试操作,如果需要则放弃当前输入。 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; // 增加当前阶段的计数器。 - } else { - stage_max--; // 减少最大次数。 - } + if (!could_be_bitflip(orig ^ (u16)interesting_16[j]) && + !could_be_arith(orig, (u16)interesting_16[j], 2) && + !could_be_interest(orig, (u16)interesting_16[j], 2, 0)) { - // 对于大端情况也进行相同的处理。 - if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && - !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && - !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && - !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) { - stage_val_type = STAGE_VAL_BE; // 设置阶段值类型为大端。 + stage_val_type = STAGE_VAL_LE; + + *(u16*)(out_buf + i) = interesting_16[j]; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((u16)interesting_16[j] != SWAP16(interesting_16[j]) && + !could_be_bitflip(orig ^ SWAP16(interesting_16[j])) && + !could_be_arith(orig, SWAP16(interesting_16[j]), 2) && + !could_be_interest(orig, SWAP16(interesting_16[j]), 2, 1)) { + + stage_val_type = STAGE_VAL_BE; + + *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; - *(u16*)(out_buf + i) = SWAP16(interesting_16[j]); // 设置有趣的值。 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; - } else { - stage_max--; - } } - *(u16*)(out_buf + i) = orig; // 恢复原始值。 -} + *(u16*)(out_buf + i) = orig; + + } + + new_hit_cnt = queued_paths + unique_crashes; -// 更新新的命中次数。 -new_hit_cnt = queued_paths + unique_crashes; + stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_INTEREST16] += stage_max; -// 记录在当前阶段发现的新问题数量和周期计数。 -stage_finds[STAGE_INTEREST16] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_INTEREST16] += stage_max; + if (len < 4) goto skip_interest; -// 如果输入数据长度小于4,则跳过32位整数的处理。 -if (len < 4) goto skip_interest; + /* Setting 32-bit integers, both endians. */ -// 设置当前阶段的名称和简称。 -stage_name = "interest 32/8"; -stage_short = "int32"; -stage_cur = 0; // 初始化当前阶段的计数器。 -stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2); // 最大次数为输入数据长度减3与有趣32位整数数组大小的乘积。 + stage_name = "interest 32/8"; + stage_short = "int32"; + stage_cur = 0; + stage_max = 2 * (len - 3) * (sizeof(interesting_32) >> 2); -orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + orig_hit_cnt = new_hit_cnt; -// 设置32位整数,包括小端和大端。 -for (i = 0; i < len - 3; i++) { - u32 orig = *(u32*)(out_buf + i); // 保存原始的32位整数。 + for (i = 0; i < len - 3; i++) { + + u32 orig = *(u32*)(out_buf + i); + + /* Let's consult the effector map... */ - // 如果当前位置和接下来三位在效应器映射中没有设置,则跳过。 if (!eff_map[EFF_APOS(i)] && !eff_map[EFF_APOS(i + 1)] && !eff_map[EFF_APOS(i + 2)] && !eff_map[EFF_APOS(i + 3)]) { - stage_max -= sizeof(interesting_32) >> 1; - continue; + stage_max -= sizeof(interesting_32) >> 1; + continue; } - stage_cur_byte = i; // 设置当前处理的字节位置。 + stage_cur_byte = i; - // 遍历有趣的32位整数数组。 for (j = 0; j < sizeof(interesting_32) / 4; j++) { - stage_cur_val = interesting_32[j]; // 设置当前阶段的值。 - // 如果该值不可能是位翻转、算术操作或词有趣值插入的结果,则进行处理。 - if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) && - !could_be_arith(orig, interesting_32[j], 4) && - !could_be_interest(orig, interesting_32[j], 4, 0)) { - stage_val_type = STAGE_VAL_LE; // 设置阶段值类型为小端。 + stage_cur_val = interesting_32[j]; + + /* Skip if this could be a product of a bitflip, arithmetics, + or word interesting value insertion. */ - *(u32*)(out_buf + i) = interesting_32[j]; // 设置有趣的值。 + if (!could_be_bitflip(orig ^ (u32)interesting_32[j]) && + !could_be_arith(orig, interesting_32[j], 4) && + !could_be_interest(orig, interesting_32[j], 4, 0)) { - // 执行模糊测试操作,如果需要则放弃当前输入。 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; - stage_cur++; // 增加当前阶段的计数器。 - } else stage_max--; // 减少最大次数。 + stage_val_type = STAGE_VAL_LE; - // 对于大端情况也进行相同的处理。 - if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && - !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && - !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && - !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) { + *(u32*)(out_buf + i) = interesting_32[j]; + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + stage_cur++; + + } else stage_max--; + + if ((u32)interesting_32[j] != SWAP32(interesting_32[j]) && + !could_be_bitflip(orig ^ SWAP32(interesting_32[j])) && + !could_be_arith(orig, SWAP32(interesting_32[j]), 4) && + !could_be_interest(orig, SWAP32(interesting_32[j]), 4, 1)) { -// 设置阶段值类型为大端。 stage_val_type = STAGE_VAL_BE; + *(u32*)(out_buf + i) = SWAP32(interesting_32[j]); if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; stage_cur++; @@ -5827,909 +5782,930 @@ for (i = 0; i < len - 3; i++) { } else stage_max--; } -// 恢复原始的32位整数值。 -*(u32*)(out_buf + i) = orig; -// 完成对当前输入数据的所有有趣值设置后,更新新的命中次数。 -new_hit_cnt = queued_paths + unique_crashes; + *(u32*)(out_buf + i) = orig; + + } -// 记录在当前阶段发现的新问题数量和周期计数。 -stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_INTEREST32] += stage_max; + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_INTEREST32] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_INTEREST32] += stage_max; -// 如果没有用户定义的额外数据,则跳过此段代码。 skip_interest: -/******************** - * DICTIONARY STUFF * - ********************/ -if (!extras_cnt) goto skip_user_extras; + /******************** + * DICTIONARY STUFF * + ********************/ + + if (!extras_cnt) goto skip_user_extras; + + /* Overwrite with user-supplied extras. */ + + stage_name = "user extras (over)"; + stage_short = "ext_UO"; + stage_cur = 0; + stage_max = extras_cnt * len; -// 使用用户提供的额外数据进行覆盖操作。 -stage_name = "user extras (over)"; -stage_short = "ext_UO"; -stage_cur = 0; // 初始化当前阶段的计数器。 -stage_max = extras_cnt * len; // 最大次数为额外数据的数量乘以输入数据的长度。 + stage_val_type = STAGE_VAL_NONE; -stage_val_type = STAGE_VAL_NONE; // 设置阶段值类型为无。 + orig_hit_cnt = new_hit_cnt; -orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + for (i = 0; i < len; i++) { -// 对输入数据的每个字节位置进行操作。 -for (i = 0; i < len; i++) { u32 last_len = 0; - stage_cur_byte = i; // 设置当前处理的字节位置。 - // 遍历每个额外数据。 + stage_cur_byte = i; + + /* Extras are sorted by size, from smallest to largest. This means + that we don't have to worry about restoring the buffer in + between writes at a particular offset determined by the outer + loop. */ + for (j = 0; j < extras_cnt; j++) { - // 如果额外数据的数量大于最大确定性额外数据,或者没有足够的空间插入数据, - // 或者该数据已经存在于输出缓冲区中,或者有效性映射显示该位置不适合插入,则跳过此额外数据。 - if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || - extras[j].len > len - i || - !memcmp(extras[j].data, out_buf + i, extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) { - stage_max--; - continue; - } - last_len = extras[j].len; - memcpy(out_buf + i, extras[j].data, last_len); // 将额外数据复制到输出缓冲区的当前位置。 + /* Skip extras probabilistically if extras_cnt > MAX_DET_EXTRAS. Also + skip them if there's no room to insert the payload, if the token + is redundant, or if its entire span has no bytes set in the effector + map. */ + + if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || + extras[j].len > len - i || + !memcmp(extras[j].data, out_buf + i, extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) { + + stage_max--; + continue; + + } + + last_len = extras[j].len; + memcpy(out_buf + i, extras[j].data, last_len); - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; // 对修改后的输出缓冲区执行通用模糊测试操作。 + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + stage_cur++; - stage_cur++; // 增加当前阶段的计数器。 } - // 恢复所有被覆盖的内存。 + /* Restore all the clobbered memory. */ memcpy(out_buf + i, in_buf + i, last_len); -} -// 更新新的命中次数。 -new_hit_cnt = queued_paths + unique_crashes; + } + + new_hit_cnt = queued_paths + unique_crashes; + + stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_EXTRAS_UO] += stage_max; -// 记录在当前阶段发现的新问题数量和周期计数。 -stage_finds[STAGE_EXTRAS_UO] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_EXTRAS_UO] += stage_max; + /* Insertion of user-supplied extras. */ -// 用户提供的额外数据进行插入操作。 -stage_name = "user extras (insert)"; -stage_short = "ext_UI"; -stage_cur = 0; // 初始化当前阶段的计数器。 -stage_max = extras_cnt * (len + 1); // 最大次数为额外数据的数量乘以(输入数据的长度 + 1)。 + stage_name = "user extras (insert)"; + stage_short = "ext_UI"; + stage_cur = 0; + stage_max = extras_cnt * (len + 1); -orig_hit_cnt = new_hit_cnt; // 记录原始的命中次数。 + orig_hit_cnt = new_hit_cnt; -// 分配临时缓冲区,大小为输入数据的长度加上最大字典文件的大小。 -ex_tmp = ck_alloc(len + MAX_DICT_FILE); + ex_tmp = ck_alloc(len + MAX_DICT_FILE); -// 遍历输入数据的每个位置以及末尾。 -for (i = 0; i <= len; i++) { - stage_cur_byte = i; // 设置当前处理的字节位置。 + for (i = 0; i <= len; i++) { + + stage_cur_byte = i; - // 遍历每个额外数据。 for (j = 0; j < extras_cnt; j++) { - if (len + extras[j].len > MAX_FILE) { - stage_max--; - continue; - } - // 插入额外数据。 - memcpy(ex_tmp + i, extras[j].data, extras[j].len); + if (len + extras[j].len > MAX_FILE) { + stage_max--; + continue; + } - // 复制原始数据的剩余部分。 - memcpy(ex_tmp + i + extras[j].len, out_buf + i, len - i); + /* Insert token */ + memcpy(ex_tmp + i, extras[j].data, extras[j].len); - if (common_fuzz_stuff(argv, ex_tmp, len + extras[j].len)) { - ck_free(ex_tmp); - goto abandon_entry; - } + /* Copy tail */ + memcpy(ex_tmp + i + extras[j].len, out_buf + i, len - i); + + if (common_fuzz_stuff(argv, ex_tmp, len + extras[j].len)) { + ck_free(ex_tmp); + goto abandon_entry; + } + + stage_cur++; - stage_cur++; // 增加当前阶段的计数器。 } - // 复制原始数据的当前部分。 + /* Copy head */ ex_tmp[i] = out_buf[i]; -} -// 释放临时缓冲区。 -ck_free(ex_tmp); + } + + ck_free(ex_tmp); + + new_hit_cnt = queued_paths + unique_crashes; -// 更新新的命中次数。 -new_hit_cnt = queued_paths + unique_crashes; + stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_EXTRAS_UI] += stage_max; -// 记录在当前阶段发现的新问题数量和周期计数。 -stage_finds[STAGE_EXTRAS_UI] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_EXTRAS_UI] += stage_max; -// 如果没有用户提供的额外数据,则跳过处理。 skip_user_extras: -if (!a_extras_cnt) goto skip_extras; -// 设置当前阶段的名称和简短名称。 -stage_name = "auto extras (over)"; -stage_short = "ext_AO"; -// 初始化当前阶段的计数器和最大值,最大值是额外数据的数量乘以输入数据的长度。 -stage_cur = 0; -stage_max = MIN(a_extras_cnt, USE_AUTO_EXTRAS) * len; + if (!a_extras_cnt) goto skip_extras; + + stage_name = "auto extras (over)"; + stage_short = "ext_AO"; + stage_cur = 0; + stage_max = MIN(a_extras_cnt, USE_AUTO_EXTRAS) * len; -// 设置阶段值类型为无。 -stage_val_type = STAGE_VAL_NONE; + stage_val_type = STAGE_VAL_NONE; -// 记录原始的命中次数。 -orig_hit_cnt = new_hit_cnt; + orig_hit_cnt = new_hit_cnt; + + for (i = 0; i < len; i++) { -// 遍历输入数据的每个字节位置。 -for (i = 0; i < len; i++) { u32 last_len = 0; - // 设置当前处理的字节位置。 stage_cur_byte = i; - // 遍历每个额外数据。 for (j = 0; j < MIN(a_extras_cnt, USE_AUTO_EXTRAS); j++) { - // 如果额外数据的大小超过了剩余长度,或者该数据已经存在于输出缓冲区中, - // 或者有效性映射显示该位置不适合插入,则跳过此额外数据。 - if (a_extras[j].len > len - i || - !memcmp(a_extras[j].data, out_buf + i, a_extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, a_extras[j].len))) { - stage_max--; - continue; - } - // 记录额外数据的长度,并将其复制到输出缓冲区的当前位置。 - last_len = a_extras[j].len; - memcpy(out_buf + i, a_extras[j].data, last_len); + /* See the comment in the earlier code; extras are sorted by size. */ - // 对修改后的输出缓冲区执行通用模糊测试操作,如果需要则放弃当前输入。 - if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + if (a_extras[j].len > len - i || + !memcmp(a_extras[j].data, out_buf + i, a_extras[j].len) || + !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, a_extras[j].len))) { + + stage_max--; + continue; + + } + + last_len = a_extras[j].len; + memcpy(out_buf + i, a_extras[j].data, last_len); + + if (common_fuzz_stuff(argv, out_buf, len)) goto abandon_entry; + + stage_cur++; - // 增加当前阶段的计数器。 - stage_cur++; } - // 恢复所有被覆盖的内存。 + /* Restore all the clobbered memory. */ memcpy(out_buf + i, in_buf + i, last_len); -} -// 更新新的命中次数。 -new_hit_cnt = queued_paths + unique_crashes; + } + + new_hit_cnt = queued_paths + unique_crashes; -// 记录在当前阶段发现的新问题数量和周期计数。 -stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; -stage_cycles[STAGE_EXTRAS_AO] += stage_max; + stage_finds[STAGE_EXTRAS_AO] += new_hit_cnt - orig_hit_cnt; + stage_cycles[STAGE_EXTRAS_AO] += stage_max; -// 跳过额外数据的处理。 skip_extras: -// 如果我们到达这里而没有跳转到havoc_stage或abandon_entry, -// 则我们已经完成了确定性的步骤,并可以在.state目录中标记为完成。 -if (!queue_cur->passed_det) mark_as_det_done(queue_cur); + /* If we made this to here without jumping to havoc_stage or abandon_entry, + we're properly done with deterministic steps and can mark it as such + in the .state/ directory. */ -//**************** -//* RANDOM HAVOC * -//**************** + if (!queue_cur->passed_det) mark_as_det_done(queue_cur); + + /**************** + * RANDOM HAVOC * + ****************/ -// 到达随机混沌(havoc)阶段。 havoc_stage: -stage_cur_byte = -1; -// 如果当前是拼接周期,则生成不同的描述。 -if (!splice_cycle) { - // 设置混沌阶段的名称和简短名称。 + stage_cur_byte = -1; + + /* The havoc stage mutation code is also invoked when splicing files; if the + splice_cycle variable is set, generate different descriptions and such. */ + + if (!splice_cycle) { + stage_name = "havoc"; stage_short = "havoc"; - // 计算混沌阶段的最大运行次数,基于性能得分和一些常数。 stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) * perf_score / havoc_div / 100; -} else { - // 如果是拼接周期,设置特定的名称和最大运行次数。 + + } else { + static u8 tmp[32]; + perf_score = orig_perf; + sprintf(tmp, "splice %u", splice_cycle); stage_name = tmp; stage_short = "splice"; stage_max = SPLICE_HAVOC * perf_score / havoc_div / 100; -} -// 确保最大运行次数不低于最小值。 -if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; + } + + if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; -// 设置临时长度为输入数据的长度。 -temp_len = len; + temp_len = len; -// 记录原始的命中次数。 -orig_hit_cnt = queued_paths + unique_crashes; + orig_hit_cnt = queued_paths + unique_crashes; -// 记录当前队列中的路径数量。 -havoc_queued = queued_paths; + havoc_queued = queued_paths; + + /* We essentially just do several thousand runs (depending on perf_score) + where we take the input file and make random stacked tweaks. */ + + for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { -/* - 我们基本上执行几千次运行(取决于perf_score),在这些运行中我们获取输入文件并进行随机的叠加修改。 -*/ -for (stage_cur = 0; stage_cur < stage_max; stage_cur++) { - // 随机选择一个叠加因子,范围从1到2^(HAVOC_STACK_POW2)。 u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); - // 将当前阶段的值设置为所选的叠加因子。 stage_cur_val = use_stacking; - - // 根据叠加因子重复多次修改操作。 + for (i = 0; i < use_stacking; i++) { - // 随机选择一个操作,如果存在额外的数据,则选项会更多。 - switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { - /* - 在某个位置翻转单个位。这是一项基本的位操作,可以用来测试程序对位错误的敏感性。 - */ - case 0: - FLIP_BIT(out_buf, UR(temp_len << 3)); - break; - - /* - 将某个字节设置为一个有趣的值。这些值通常是那些在程序逻辑中具有特殊意义的值,比如0, 1, -1等。 - */ - case 1: - out_buf[UR(temp_len)] = interesting_8[UR(sizeof(interesting_8))]; - break; - - /* - 将某个字(word)设置为一个有趣的值,并随机选择字节序。 - 字节序的选择可以帮助测试程序对不同字节序的处理能力。 - */ - case 2: - if (temp_len < 2) break; - - if (UR(2)) { - *(u16*)(out_buf + UR(temp_len - 1)) = interesting_16[UR(sizeof(interesting_16) >> 1)]; - } else { - *(u16*)(out_buf + UR(temp_len - 1)) = SWAP16(interesting_16[UR(sizeof(interesting_16) >> 1)]); - } - break; - - /* - 将某个双字(dword)设置为一个有趣的值,并随机选择字节序。 - 类似于字操作,但是针对更大的数据单元。 - */ - case 3: - if (temp_len < 4) break; - - if (UR(2)) { - *(u32*)(out_buf + UR(temp_len - 3)) = interesting_32[UR(sizeof(interesting_32) >> 2)]; - } else { - *(u32*)(out_buf + UR(temp_len - 3)) = SWAP32(interesting_32[UR(sizeof(interesting_32) >> 2)]); - } - break; - - /* - 从某个字节随机减去一个值。这是一种简单的算术操作,可以用来测试程序的健壮性。 - */ - case 4: - out_buf[UR(temp_len)] -= 1 + UR(ARITH_MAX); - break; - - /* - 向某个字节随机添加一个值。 - */ - case 5: - out_buf[UR(temp_len)] += 1 + UR(ARITH_MAX); - break; - - /* - 从一个词(word)随机减去一个值,并随机选择字节序。 - */ - case 6: - if (temp_len < 2) break; - - if (UR(2)) { - u32 pos = UR(temp_len - 1); - *(u16*)(out_buf + pos) -= 1 + UR(ARITH_MAX); - } else { - u32 pos = UR(temp_len - 1); - u16 num = 1 + UR(ARITH_MAX); - *(u16*)(out_buf + pos) = SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); - } - break; - - /* - 向一个词(word)随机添加一个值,并随机选择字节序。 - */ - case 7: - if (temp_len < 2) break; - - if (UR(2)) { - u32 pos = UR(temp_len - 1); - *(u16*)(out_buf + pos) += 1 + UR(ARITH_MAX); - } else { - u32 pos = UR(temp_len - 1); - u16 num = 1 + UR(ARITH_MAX); - *(u16*)(out_buf + pos) = SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); - } - break; - - /* - 从一个双字(dword)随机减去一个值,并随机选择字节序。 - */ - case 8: - if (temp_len < 4) break; - - if (UR(2)) { - u32 pos = UR(temp_len - 3); - *(u32*)(out_buf + pos) -= 1 + UR(ARITH_MAX); - } else { - u32 pos = UR(temp_len - 3); - u32 num = 1 + UR(ARITH_MAX); - *(u32*)(out_buf + pos) = SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); - } - break; -// case 9: 开始处理第9种情况,即随机增加一个双字节(dword),可以是随机字节序。 -case 9: - /* 如果临时数据长度小于4字节,则无法进行操作,因此跳出。 */ - if (temp_len < 4) break; - - // 以50%的概率选择是增加一个双字节还是进行字节序交换后增加。 - if (UR(2)) { - u32 pos = UR(temp_len - 3); - // 直接在指定位置增加一个随机值,范围从1到ARITH_MAX。 - *(u32*)(out_buf + pos) += 1 + UR(ARITH_MAX); - } else { - u32 pos = UR(temp_len - 3); - u32 num = 1 + UR(ARITH_MAX); - // 先进行字节序交换,然后增加一个随机值,最后再进行字节序交换。 - *(u32*)(out_buf + pos) = - SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); - } - break; -// case 10: 开始处理第10种情况,即随机设置一个字节为随机值。 -case 10: - /* 随机选择一个字节,然后使用XOR操作将其设置为1到255之间的随机值,以避免无操作(no-op)。 */ - out_buf[UR(temp_len)] ^= 1 + UR(255); - break; + switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { -// case 11和case 12: 开始处理删除字节的操作。 -case 11 ... 12: { - /* 删除字节。我们使得这个操作比插入(下一个选项)更有可能,以希望保持文件的合理大小。 */ - u32 del_from, del_len; + case 0: - // 如果临时数据长度小于2字节,则无法进行删除操作,因此跳出。 - if (temp_len < 2) break; + /* Flip a single bit somewhere. Spooky! */ - /* 不要删除太多数据。 */ - del_len = choose_block_len(temp_len - 1); - del_from = UR(temp_len - del_len + 1); + FLIP_BIT(out_buf, UR(temp_len << 3)); + break; - // 将删除位置之后的数据向前移动。 - memmove(out_buf + del_from, out_buf + del_from + del_len, - temp_len - del_from - del_len); + case 1: - temp_len -= del_len; // 更新临时数据长度。 - break; -} + /* Set byte to interesting value. */ -// case 13: 开始处理插入或克隆字节的操作。 -case 13: - if (temp_len + HAVOC_BLK_XL < MAX_FILE) { - /* 克隆字节(75%概率)或插入一个常数块(25%概率)。 */ - u8 actually_clone = UR(4); - u32 clone_from, clone_to, clone_len; - u8* new_buf; - - if (actually_clone) { - clone_len = choose_block_len(temp_len); - clone_from = UR(temp_len - clone_len + 1); - } else { - clone_len = choose_block_len(HAVOC_BLK_XL); - clone_from = 0; - } + out_buf[UR(temp_len)] = interesting_8[UR(sizeof(interesting_8))]; + break; - clone_to = UR(temp_len); + case 2: - new_buf = ck_alloc_nozero(temp_len + clone_len); + /* Set word to interesting value, randomly choosing endian. */ - /* 头部 */ - memcpy(new_buf, out_buf, clone_to); + if (temp_len < 2) break; - /* 插入部分 */ - if (actually_clone) - memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); - else - memset(new_buf + clone_to, - UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len); + if (UR(2)) { - /* 尾部 */ - memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, - temp_len - clone_to); + *(u16*)(out_buf + UR(temp_len - 1)) = + interesting_16[UR(sizeof(interesting_16) >> 1)]; - ck_free(out_buf); - out_buf = new_buf; - temp_len += clone_len; // 更新临时数据长度。 - } - break; + } else { -// case 14: 开始处理用随机选择的数据块或固定数据覆盖字节的操作。 -case 14: { - u32 copy_from, copy_to, copy_len; + *(u16*)(out_buf + UR(temp_len - 1)) = SWAP16( + interesting_16[UR(sizeof(interesting_16) >> 1)]); - if (temp_len < 2) break; + } - copy_len = choose_block_len(temp_len - 1); + break; - copy_from = UR(temp_len - copy_len + 1); - copy_to = UR(temp_len - copy_len + 1); + case 3: - if (UR(4)) { - if (copy_from != copy_to) - memmove(out_buf + copy_to, out_buf + copy_from, copy_len); - } else { - memset(out_buf + copy_to, - UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); - } - break; -} + /* Set dword to interesting value, randomly choosing endian. */ -/* 只有当字典中有额外数据时,才能选择值15和16。 */ + if (temp_len < 4) break; -// case 15: 开始处理用额外数据覆盖字节的操作。 -case 15: { - if (!extras_cnt || (a_extras_cnt && UR(2))) { - /* 没有用户指定的额外数据,或者随机数倾向于使用自动检测到的数据。 */ - u32 use_extra = UR(a_extras_cnt); - u32 extra_len = a_extras[use_extra].len; - u32 insert_at; + if (UR(2)) { + + *(u32*)(out_buf + UR(temp_len - 3)) = + interesting_32[UR(sizeof(interesting_32) >> 2)]; - if (extra_len > temp_len) break; + } else { - insert_at = UR(temp_len - extra_len + 1); - memcpy(out_buf + insert_at, a_extras[use_extra].data, extra_len); - } else { - /* 没有自动检测到的额外数据,或者随机数倾向于使用字典中的数据。 */ - u32 use_extra = UR(extras_cnt); - u32 extra_len = extras[use_extra].len; - u32 insert_at; + *(u32*)(out_buf + UR(temp_len - 3)) = SWAP32( + interesting_32[UR(sizeof(interesting_32) >> 2)]); - if (extra_len > temp_len) break; + } - insert_at = UR(temp_len - extra_len + 1); - memcpy(out_buf + insert_at, extras[use_extra].data, extra_len); - } - break; -} + break; -// case 16: 开始处理插入额外数据的操作。 -case 16: { - u32 use_extra, extra_len, insert_at = UR(temp_len + 1); - u8* new_buf; + case 4: - if (!extras_cnt || (a_extras_cnt && UR(2))) { - use_extra = UR(a_extras_cnt); - extra_len = a_extras[use_extra].len; + /* Randomly subtract from byte. */ - if (temp_len + extra_len >= MAX_FILE) break; + out_buf[UR(temp_len)] -= 1 + UR(ARITH_MAX); + break; - new_buf = ck_alloc_nozero(temp_len + extra_len); + case 5: - /* 头部 */ - memcpy(new_buf, out_buf, insert_at); + /* Randomly add to byte. */ - /* 插入部分 */ - memcpy(new_buf + insert_at, a_extras[use_extra].data, extra_len); - } else { - use_extra = UR(extras_cnt); - extra_len = extras[use_extra].len; + out_buf[UR(temp_len)] += 1 + UR(ARITH_MAX); + break; - if (temp_len + extra_len >= MAX_FILE) break; + case 6: - new_buf = ck_alloc_nozero(temp_len + extra_len); + /* Randomly subtract from word, random endian. */ - /* 头部 */ - memcpy(new_buf, out_buf, insert_at); + if (temp_len < 2) break; - /* 插入部分 */ - memcpy(new_buf + insert_at, extras[use_extra].data, extra_len); - } + if (UR(2)) { - /* 尾部 */ - memcpy(new_buf + insert_at + extra_len, out_buf + insert_at, - temp_len - insert_at); + u32 pos = UR(temp_len - 1); + + *(u16*)(out_buf + pos) -= 1 + UR(ARITH_MAX); + + } else { + + u32 pos = UR(temp_len - 1); + u16 num = 1 + UR(ARITH_MAX); + + *(u16*)(out_buf + pos) = + SWAP16(SWAP16(*(u16*)(out_buf + pos)) - num); + + } + + break; + + case 7: + + /* Randomly add to word, random endian. */ + + if (temp_len < 2) break; + + if (UR(2)) { + + u32 pos = UR(temp_len - 1); + + *(u16*)(out_buf + pos) += 1 + UR(ARITH_MAX); + + } else { + + u32 pos = UR(temp_len - 1); + u16 num = 1 + UR(ARITH_MAX); + + *(u16*)(out_buf + pos) = + SWAP16(SWAP16(*(u16*)(out_buf + pos)) + num); + + } + + break; + + case 8: + + /* Randomly subtract from dword, random endian. */ + + if (temp_len < 4) break; + + if (UR(2)) { + + u32 pos = UR(temp_len - 3); + + *(u32*)(out_buf + pos) -= 1 + UR(ARITH_MAX); + + } else { + + u32 pos = UR(temp_len - 3); + u32 num = 1 + UR(ARITH_MAX); + + *(u32*)(out_buf + pos) = + SWAP32(SWAP32(*(u32*)(out_buf + pos)) - num); + + } + + break; + + case 9: + + /* Randomly add to dword, random endian. */ + + if (temp_len < 4) break; + + if (UR(2)) { + + u32 pos = UR(temp_len - 3); + + *(u32*)(out_buf + pos) += 1 + UR(ARITH_MAX); + + } else { + + u32 pos = UR(temp_len - 3); + u32 num = 1 + UR(ARITH_MAX); + + *(u32*)(out_buf + pos) = + SWAP32(SWAP32(*(u32*)(out_buf + pos)) + num); + + } + + break; + + case 10: + + /* Just set a random byte to a random value. Because, + why not. We use XOR with 1-255 to eliminate the + possibility of a no-op. */ + + out_buf[UR(temp_len)] ^= 1 + UR(255); + break; + + case 11 ... 12: { + + /* Delete bytes. We're making this a bit more likely + than insertion (the next option) in hopes of keeping + files reasonably small. */ + + u32 del_from, del_len; + + if (temp_len < 2) break; + + /* Don't delete too much. */ + + del_len = choose_block_len(temp_len - 1); + + del_from = UR(temp_len - del_len + 1); + + memmove(out_buf + del_from, out_buf + del_from + del_len, + temp_len - del_from - del_len); + + temp_len -= del_len; + + break; + + } + + case 13: + + if (temp_len + HAVOC_BLK_XL < MAX_FILE) { + + /* Clone bytes (75%) or insert a block of constant bytes (25%). */ + + u8 actually_clone = UR(4); + u32 clone_from, clone_to, clone_len; + u8* new_buf; + + if (actually_clone) { + + clone_len = choose_block_len(temp_len); + clone_from = UR(temp_len - clone_len + 1); + + } else { + + clone_len = choose_block_len(HAVOC_BLK_XL); + clone_from = 0; + + } + + clone_to = UR(temp_len); + + new_buf = ck_alloc_nozero(temp_len + clone_len); + + /* Head */ + + memcpy(new_buf, out_buf, clone_to); + + /* Inserted part */ + + if (actually_clone) + memcpy(new_buf + clone_to, out_buf + clone_from, clone_len); + else + memset(new_buf + clone_to, + UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len); + + /* Tail */ + memcpy(new_buf + clone_to + clone_len, out_buf + clone_to, + temp_len - clone_to); + + ck_free(out_buf); + out_buf = new_buf; + temp_len += clone_len; + + } + + break; + + case 14: { + + /* Overwrite bytes with a randomly selected chunk (75%) or fixed + bytes (25%). */ + + u32 copy_from, copy_to, copy_len; + + if (temp_len < 2) break; + + copy_len = choose_block_len(temp_len - 1); + + copy_from = UR(temp_len - copy_len + 1); + copy_to = UR(temp_len - copy_len + 1); + + if (UR(4)) { + + if (copy_from != copy_to) + memmove(out_buf + copy_to, out_buf + copy_from, copy_len); + + } else memset(out_buf + copy_to, + UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len); + + break; + + } + + /* Values 15 and 16 can be selected only if there are any extras + present in the dictionaries. */ + + case 15: { + + /* Overwrite bytes with an extra. */ + + if (!extras_cnt || (a_extras_cnt && UR(2))) { + + /* No user-specified extras or odds in our favor. Let's use an + auto-detected one. */ + + u32 use_extra = UR(a_extras_cnt); + u32 extra_len = a_extras[use_extra].len; + u32 insert_at; + + if (extra_len > temp_len) break; + + insert_at = UR(temp_len - extra_len + 1); + memcpy(out_buf + insert_at, a_extras[use_extra].data, extra_len); + + } else { + + /* No auto extras or odds in our favor. Use the dictionary. */ + + u32 use_extra = UR(extras_cnt); + u32 extra_len = extras[use_extra].len; + u32 insert_at; + + if (extra_len > temp_len) break; + + insert_at = UR(temp_len - extra_len + 1); + memcpy(out_buf + insert_at, extras[use_extra].data, extra_len); + + } + + break; + + } + + case 16: { + + u32 use_extra, extra_len, insert_at = UR(temp_len + 1); + u8* new_buf; + + /* Insert an extra. Do the same dice-rolling stuff as for the + previous case. */ + + if (!extras_cnt || (a_extras_cnt && UR(2))) { + + use_extra = UR(a_extras_cnt); + extra_len = a_extras[use_extra].len; + + if (temp_len + extra_len >= MAX_FILE) break; + + new_buf = ck_alloc_nozero(temp_len + extra_len); + + /* Head */ + memcpy(new_buf, out_buf, insert_at); + + /* Inserted part */ + memcpy(new_buf + insert_at, a_extras[use_extra].data, extra_len); + + } else { + + use_extra = UR(extras_cnt); + extra_len = extras[use_extra].len; + + if (temp_len + extra_len >= MAX_FILE) break; + + new_buf = ck_alloc_nozero(temp_len + extra_len); + + /* Head */ + memcpy(new_buf, out_buf, insert_at); + + /* Inserted part */ + memcpy(new_buf + insert_at, extras[use_extra].data, extra_len); + + } + + /* Tail */ + memcpy(new_buf + insert_at + extra_len, out_buf + insert_at, + temp_len - insert_at); + + ck_free(out_buf); + out_buf = new_buf; + temp_len += extra_len; + + break; + + } - ck_free(out_buf); - out_buf = new_buf; - temp_len += extra_len; // 更新临时数据长度。 - break; - } } + } - } -} -// 检查通用模糊测试函数是否指示我们应该放弃当前的输入。 -// 如果common_fuzz_stuff函数返回真(非零值),则跳转到标签abandon_entry。 -if (common_fuzz_stuff(argv, out_buf, temp_len)) - goto abandon_entry; - -// 如果out_buf在之前的处理中被破坏了,我们需要将其恢复到原始大小和形状。 -// 如果临时长度temp_len小于原始长度len,我们需要重新分配out_buf的大小为len。 -if (temp_len < len) - out_buf = ck_realloc(out_buf, len); -// 将temp_len设置回原始长度len。 -temp_len = len; -// 将原始输入数据in_buf复制回out_buf,以恢复其原始内容。 -memcpy(out_buf, in_buf, len); - -// 如果我们发现了新的问题或崩溃,我们应该在限制范围内继续运行更长时间。 -if (queued_paths != havoc_queued) { - // 如果性能得分perf_score小于或等于最大乘数HAVOC_MAX_MULT乘以100, - // 我们将当前阶段的最大尝试次数stage_max翻倍,并将性能得分perf_score翻倍。 - if (perf_score <= HAVOC_MAX_MULT * 100) { + + if (common_fuzz_stuff(argv, out_buf, temp_len)) + goto abandon_entry; + + /* out_buf might have been mangled a bit, so let's restore it to its + original size and shape. */ + + if (temp_len < len) out_buf = ck_realloc(out_buf, len); + temp_len = len; + memcpy(out_buf, in_buf, len); + + /* If we're finding new stuff, let's run for a bit longer, limits + permitting. */ + + if (queued_paths != havoc_queued) { + + if (perf_score <= HAVOC_MAX_MULT * 100) { stage_max *= 2; perf_score *= 2; + } + + havoc_queued = queued_paths; + } - // 更新havoc_queued为当前的queued_paths值。 - havoc_queued = queued_paths; -} -// 计算新的发现数量,包括新加入队列的路径数queued_paths和独特的崩溃数unique_crashes。 -new_hit_cnt = queued_paths + unique_crashes; + } + + new_hit_cnt = queued_paths + unique_crashes; -// 如果当前不是拼接周期splice_cycle,则更新HAVOC阶段的发现和周期计数。 -if (!splice_cycle) { + if (!splice_cycle) { stage_finds[STAGE_HAVOC] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_HAVOC] += stage_max; -} else { - // 如果当前是拼接周期,则更新SPLICE阶段的发现和周期计数。 + } else { stage_finds[STAGE_SPLICE] += new_hit_cnt - orig_hit_cnt; stage_cycles[STAGE_SPLICE] += stage_max; -} + } -// 如果没有定义IGNORE_FINDS宏,则执行以下代码。 #ifndef IGNORE_FINDS /************ * SPLICING * ************/ - /* 这是一种最后的手段策略,当一轮完整的测试没有发现任何问题时触发。 - 它获取当前的输入文件,随机选择另一个输入,并在某个偏移量处将它们拼接在一起, - 然后依赖havoc代码来变异这个新拼接的数据块。*/ - + /* This is a last-resort strategy triggered by a full round with no findings. + It takes the current input file, randomly selects another input, and + splices them together at some offset, then relies on the havoc + code to mutate that blob. */ retry_splicing: -// 如果启用了拼接,并且拼接周期小于最大拼接周期数,并且队列中有多个测试用例,且当前测试用例长度大于1,则尝试拼接操作。 -if (use_splicing && splice_cycle++ < SPLICE_CYCLES && - queued_paths > 1 && queue_cur->len > 1) { + if (use_splicing && splice_cycle++ < SPLICE_CYCLES && + queued_paths > 1 && queue_cur->len > 1) { - struct queue_entry* target; // 指向目标队列条目的指针 - u32 tid, split_at; // 目标ID和分割点 - u8* new_buf; // 新的缓冲区 - s32 f_diff, l_diff; // 第一个和最后一个不同字节的位置 + struct queue_entry* target; + u32 tid, split_at; + u8* new_buf; + s32 f_diff, l_diff; - /* 首先,如果我们对in_buf进行了havoc操作的修改,我们需要清理它... */ + /* First of all, if we've modified in_buf for havoc, let's clean that + up... */ - // 如果in_buf不是原始输入缓冲区,释放它并将in_buf重置为原始输入缓冲区 - if (in_buf != orig_in) { - ck_free(in_buf); - in_buf = orig_in; - len = queue_cur->len; - } + if (in_buf != orig_in) { + ck_free(in_buf); + in_buf = orig_in; + len = queue_cur->len; + } - /* 随机选择一个队列条目并定位到它。不要与自己拼接。 */ + /* Pick a random queue entry and seek to it. Don't splice with yourself. */ - // 随机选择一个目标ID,确保它不是当前条目 - do { tid = UR(queued_paths); } while (tid == current_entry); + do { tid = UR(queued_paths); } while (tid == current_entry); - splicing_with = tid; // 记录当前拼接的目标ID - target = queue; // 初始化目标指向队列头部 + splicing_with = tid; + target = queue; - // 定位到目标队列条目 - while (tid >= 100) { target = target->next_100; tid -= 100; } - while (tid--) target = target->next; + while (tid >= 100) { target = target->next_100; tid -= 100; } + while (tid--) target = target->next; - /* 确保目标有合理的长度。 */ + /* Make sure that the target has a reasonable length. */ - // 确保目标条目长度足够,并且不是当前条目 - while (target && (target->len < 2 || target == queue_cur)) { - target = target->next; - splicing_with++; - } + while (target && (target->len < 2 || target == queue_cur)) { + target = target->next; + splicing_with++; + } - // 如果没有合适的目标,重试拼接 - if (!target) goto retry_splicing; + if (!target) goto retry_splicing; - /* 将测试用例读入新缓冲区。 */ + /* Read the testcase into a new buffer. */ - // 打开目标文件 - fd = open(target->fname, O_RDONLY); + fd = open(target->fname, O_RDONLY); - // 如果打开失败,输出错误信息并退出 - if (fd < 0) PFATAL("Unable to open '%s'", target->fname); + if (fd < 0) PFATAL("Unable to open '%s'", target->fname); - // 分配新缓冲区 - new_buf = ck_alloc_nozero(target->len); + new_buf = ck_alloc_nozero(target->len); - // 读取目标文件内容到新缓冲区 - ck_read(fd, new_buf, target->len, target->fname); + ck_read(fd, new_buf, target->len, target->fname); - // 关闭文件描述符 - close(fd); + close(fd); - /* 寻找合适的拼接位置,在第一个和最后一个不同字节之间。如果差异只是单个字节或很少几个字节,则放弃。 */ + /* Find a suitable splicing location, somewhere between the first and + the last differing byte. Bail out if the difference is just a single + byte or so. */ - // 定位两个缓冲区中的差异 - locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff); + locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff); - // 如果没有合适的差异或者差异太小,释放新缓冲区并重试拼接 - if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { - ck_free(new_buf); - goto retry_splicing; - } + if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) { + ck_free(new_buf); + goto retry_splicing; + } - /* 在第一个和最后一个不同字节之间选择一个位置进行分割。 */ + /* Split somewhere between the first and last differing byte. */ - // 选择分割点 - split_at = f_diff + UR(l_diff - f_diff); + split_at = f_diff + UR(l_diff - f_diff); - /* 执行拼接操作。 */ + /* Do the thing. */ - // 更新长度为目标长度 - len = target->len; - // 将分割点之前的数据复制到新缓冲区 - memcpy(new_buf, in_buf, split_at); - // 更新输入缓冲区为新缓冲区 - in_buf = new_buf; + len = target->len; + memcpy(new_buf, in_buf, split_at); + in_buf = new_buf; - // 释放旧的输出缓冲区 - ck_free(out_buf); - // 分配新的输出缓冲区 - out_buf = ck_alloc_nozero(len); - // 将新缓冲区内容复制到输出缓冲区 - memcpy(out_buf, in_buf, len); + ck_free(out_buf); + out_buf = ck_alloc_nozero(len); + memcpy(out_buf, in_buf, len); - // 跳转到havoc阶段 - goto havoc_stage; + goto havoc_stage; -} + } #endif /* !IGNORE_FINDS */ -// 设置返回值为0 -ret_val = 0; + ret_val = 0; -// 放弃当前条目 abandon_entry: -// 重置拼接目标ID -splicing_with = -1; + splicing_with = -1; - /* 如果我们通过了校准周期并且之前没有见过这个条目,更新待处理未测试计数。 */ + /* Update pending_not_fuzzed count if we made it through the calibration + cycle and have not seen this entry before. */ - // 如果没有停止信号,当前条目没有校准失败,且之前未被测试过 if (!stop_soon && !queue_cur->cal_failed && !queue_cur->was_fuzzed) { - // 标记当前条目为已测试 queue_cur->was_fuzzed = 1; - // 减少待处理未测试计数 pending_not_fuzzed--; - // 如果当前条目是优选的,减少优选计数 if (queue_cur->favored) pending_favored--; } - // 取消映射原始输入缓冲区 munmap(orig_in, queue_cur->len); - // 如果in_buf不是原始输入缓冲区,释放它 if (in_buf != orig_in) ck_free(in_buf); - // 释放输出缓冲区 ck_free(out_buf); - // 释放效果映射缓冲区 ck_free(eff_map); - // 返回结果 return ret_val; #undef FLIP_BIT } -/* 从其他模糊测试器中获取有趣的测试用例。 */ -// 这个函数用于在分布式模糊测试环境中,从其他模糊测试器中同步测试用例。 + +/* Grab interesting test cases from other fuzzers. */ + static void sync_fuzzers(char** argv) { - DIR* sd; // 指向同步目录的目录流 - struct dirent* sd_ent; // 目录流中的当前条目 - u32 sync_cnt = 0; // 同步的模糊测试器数量 + DIR* sd; + struct dirent* sd_ent; + u32 sync_cnt = 0; - // 打开同步目录 sd = opendir(sync_dir); if (!sd) PFATAL("Unable to open '%s'", sync_dir); - // 重置阶段最大值和当前值,以及当前深度 stage_max = stage_cur = 0; cur_depth = 0; - /* 查看同步目录中为每个其他模糊测试器创建的条目。 */ + /* Look at the entries created for every other fuzzer in the sync directory. */ - // 遍历同步目录中的每个条目 while ((sd_ent = readdir(sd))) { - static u8 stage_tmp[128]; // 临时阶段名称 + static u8 stage_tmp[128]; - DIR* qd; // 指向队列目录的目录流 - struct dirent* qd_ent; // 队列目录中的当前条目 - u8 *qd_path, *qd_synced_path; // 队列目录和同步目录的路径 - u32 min_accept = 0, next_min_accept; // 最小接受的测试用例ID和下一个最小接受的测试用例ID + DIR* qd; + struct dirent* qd_ent; + u8 *qd_path, *qd_synced_path; + u32 min_accept = 0, next_min_accept; - s32 id_fd; // 用于存储最后看到的测试用例ID的文件的文件描述符 + s32 id_fd; - /* 跳过隐藏文件和我们自己的输出目录。 */ + /* Skip dot files and our own output directory. */ - // 如果条目是隐藏文件或与我们自己的同步ID相同,则跳过 if (sd_ent->d_name[0] == '.' || !strcmp(sync_id, sd_ent->d_name)) continue; - /* 跳过任何没有queue/子目录的东西。 */ + /* Skip anything that doesn't have a queue/ subdirectory. */ - // 构造队列目录的路径 qd_path = alloc_printf("%s/%s/queue", sync_dir, sd_ent->d_name); - // 打开队列目录 if (!(qd = opendir(qd_path))) { ck_free(qd_path); continue; } - /* 检索最后看到的测试用例的ID。 */ + /* Retrieve the ID of the last seen test case. */ - // 构造同步目录中用于存储最后看到的测试用例ID的文件的路径 qd_synced_path = alloc_printf("%s/.synced/%s", out_dir, sd_ent->d_name); - // 打开或创建用于存储最后看到的测试用例ID的文件 id_fd = open(qd_synced_path, O_RDWR | O_CREAT, 0600); - // 如果打开文件失败,则输出错误信息并退出 if (id_fd < 0) PFATAL("Unable to create '%s'", qd_synced_path); - // 如果文件中已经有数据,则读取最小接受的测试用例ID if (read(id_fd, &min_accept, sizeof(u32)) > 0) lseek(id_fd, 0, SEEK_SET); - // 更新下一个最小接受的测试用例ID next_min_accept = min_accept; - /* 显示统计信息 */ + /* Show stats */ - // 设置阶段名称和当前阶段值 sprintf(stage_tmp, "sync %u", ++sync_cnt); stage_name = stage_tmp; stage_cur = 0; stage_max = 0; - /* 对于这个模糊测试器排队的每个文件,解析ID并查看我们是否之前已经看过它; - 如果没有,执行测试用例。 */ + /* For every file queued by this fuzzer, parse ID and see if we have looked at + it before; exec a test case if not. */ - // 遍历队列目录中的每个条目 while ((qd_ent = readdir(qd))) { - u8* path; // 文件的路径 - s32 fd; // 文件描述符 - struct stat st; // 文件状态 + u8* path; + s32 fd; + struct stat st; - // 如果条目是隐藏文件或测试用例ID小于最小接受的测试用例ID,则跳过 if (qd_ent->d_name[0] == '.' || sscanf(qd_ent->d_name, CASE_PREFIX "%06u", &syncing_case) != 1 || syncing_case < min_accept) continue; - /* 好的,听起来像是一个新测试用例。让我们试试它。 */ + /* OK, sounds like a new one. Let's give it a try. */ - // 如果测试用例ID大于或等于下一个最小接受的测试用例ID if (syncing_case >= next_min_accept) next_min_accept = syncing_case + 1; - // 构造文件的路径 path = alloc_printf("%s/%s", qd_path, qd_ent->d_name); - /* 允许在其他模糊测试器正在恢复等情况下失败... */ + /* Allow this to fail in case the other fuzzer is resuming or so... */ - // 打开文件 fd = open(path, O_RDONLY); - // 如果打开文件失败,则释放路径内存并继续 if (fd < 0) { ck_free(path); continue; } - // 获取文件状态 if (fstat(fd, &st)) PFATAL("fstat() failed"); - /* 忽略大小为零或过大的文件。 */ + /* Ignore zero-sized or oversized files. */ - // 如果文件大小在允许范围内 if (st.st_size && st.st_size <= MAX_FILE) { - u8 fault; // 故障标志 - u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); // 将文件内容映射到内存 + u8 fault; + u8* mem = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); - // 如果映射失败,则输出错误信息并退出 if (mem == MAP_FAILED) PFATAL("Unable to mmap '%s'", path); - /* 看看会发生什么。我们依赖save_if_interesting()来捕获主要 - 错误并保存测试用例。 */ + /* See what happens. We rely on save_if_interesting() to catch major + errors and save the test case. */ - // 将测试用例写入测试用例缓冲区 write_to_testcase(mem, st.st_size); - // 运行目标程序并获取故障标志 fault = run_target(argv, exec_tmout); - // 如果收到停止信号,则返回 if (stop_soon) return; - // 设置当前正在同步的模糊测试器的名称 syncing_party = sd_ent->d_name; - // 将测试用例添加到队列中 queued_imported += save_if_interesting(argv, mem, st.st_size, fault); - // 重置当前正在同步的模糊测试器的名称 + syncing_party = 0; - // 取消内存映射并释放内存 munmap(mem, st.st_size); - // 如果需要,则显示统计信息 if (!(stage_cur++ % stats_update_freq)) show_stats(); } - // 释放路径内存并关闭文件描述符 ck_free(path); close(fd); } - // 将下一个最小接受的测试用例ID写入文件 ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path); - // 关闭文件描述符 close(id_fd); - // 关闭队列目录流 closedir(qd); - // 释放队列目录路径内存 ck_free(qd_path); - // 释放同步目录路径内存 ck_free(qd_synced_path); } - // 关闭同步目录流 closedir(sd); } -/* 处理停止信号(Ctrl-C等)。 */ -// 这个函数用于处理停止信号,例如用户按下Ctrl-C。 +/* Handle stop signal (Ctrl-C, etc). */ + static void handle_stop_sig(int sig) { - // 设置停止标志 stop_soon = 1; - // 如果子进程存在,则杀死它 if (child_pid > 0) kill(child_pid, SIGKILL); - // 如果fork服务器进程存在,则杀死它 if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); } -/* 处理跳过请求(SIGUSR1)。 */ -// 这个函数用于处理跳过请求信号。 +/* Handle skip request (SIGUSR1). */ + static void handle_skipreq(int sig) { - // 设置跳过请求标志 skip_requested = 1; } -/* 处理超时(SIGALRM)。 */ +/* Handle timeout (SIGALRM). */ -// 这个函数用于处理超时信号。 static void handle_timeout(int sig) { - // 如果子进程存在,则标记它为超时并杀死它 if (child_pid > 0) { child_timed_out = 1; @@ -6737,7 +6713,6 @@ static void handle_timeout(int sig) { } else if (child_pid == -1 && forksrv_pid > 0) { - // 如果子进程不存在但fork服务器进程存在,则标记它为超时并杀死它 child_timed_out = 1; kill(forksrv_pid, SIGKILL); @@ -6746,170 +6721,217 @@ static void handle_timeout(int sig) { } -// 检查目标二进制文件是否存在、是否可执行等属性的函数 -void check_binary(u8* fname) { +/* Do a PATH search and find target binary to see that it exists and + isn't a shell script - a common and painful mistake. We also check for + a valid ELF header and for evidence of AFL instrumentation. */ - u8* env_path = 0; // 环境变量PATH - struct stat st; // 文件状态结构体 +EXP_ST void check_binary(u8* fname) { - s32 fd; // 文件描述符 - u8* f_data; // 文件数据 - u32 f_len = 0; // 文件长度 + u8* env_path = 0; + struct stat st; + + s32 fd; + u8* f_data; + u32 f_len = 0; - ACTF("Validating target binary..."); // 动作提示:验证目标二进制文件 + ACTF("Validating target binary..."); - // 如果文件名中包含路径分隔符'/'或者环境变量PATH未设置,则直接使用文件名 if (strchr(fname, '/') || !(env_path = getenv("PATH"))) { - target_path = ck_strdup(fname); // 复制文件名 - // 检查文件是否存在、是否为普通文件、是否可执行、文件长度是否至少为4字节 + target_path = ck_strdup(fname); if (stat(target_path, &st) || !S_ISREG(st.st_mode) || !(st.st_mode & 0111) || (f_len = st.st_size) < 4) - FATAL("Program '%s' not found or not executable", fname); // 如果检查失败,输出错误信息并退出 + FATAL("Program '%s' not found or not executable", fname); } else { - // 如果环境变量PATH已设置,则遍历PATH中的每个目录 while (env_path) { - u8 *cur_elem, *delim = strchr(env_path, ':'); // 查找路径分隔符':' + u8 *cur_elem, *delim = strchr(env_path, ':'); if (delim) { - // 如果找到分隔符,则复制当前目录到新分配的内存 + cur_elem = ck_alloc(delim - env_path + 1); memcpy(cur_elem, env_path, delim - env_path); delim++; - } else cur_elem = ck_strdup(env_path); // 如果没有分隔符,复制剩余的路径 - env_path = delim; // 更新env_path指针 + } else cur_elem = ck_strdup(env_path); + + env_path = delim; if (cur_elem[0]) - target_path = alloc_printf("%s/%s", cur_elem, fname); // 构造完整的文件路径 + target_path = alloc_printf("%s/%s", cur_elem, fname); else - target_path = ck_strdup(fname); // 如果当前目录为空,则直接使用文件名 + target_path = ck_strdup(fname); - ck_free(cur_elem); // 释放临时内存 + ck_free(cur_elem); - // 如果找到文件并且文件属性符合要求,则跳出循环 if (!stat(target_path, &st) && S_ISREG(st.st_mode) && (st.st_mode & 0111) && (f_len = st.st_size) >= 4) break; - ck_free(target_path); // 释放之前分配的内存 - target_path = 0; // 重置target_path + ck_free(target_path); + target_path = 0; } - if (!target_path) FATAL("Program '%s' not found or not executable", fname); // 如果未找到文件,输出错误信息并退出 + if (!target_path) FATAL("Program '%s' not found or not executable", fname); } - // 如果环境变量AFL_SKIP_BIN_CHECK被设置,则跳过后续检查 if (getenv("AFL_SKIP_BIN_CHECK")) return; - /* 检查用户是否犯了一些明显的错误,比如将二进制文件放在/tmp或/var/tmp目录下 */ + /* Check for blatant user errors. */ + if ((!strncmp(target_path, "/tmp/", 5) && !strchr(target_path + 5, '/')) || (!strncmp(target_path, "/var/tmp/", 9) && !strchr(target_path + 9, '/'))) FATAL("Please don't keep binaries in /tmp or /var/tmp"); - // 打开目标文件 fd = open(target_path, O_RDONLY); - if (fd < 0) PFATAL("Unable to open '%s'", target_path); // 如果打开失败,输出错误信息 - // 将文件内容映射到内存 + if (fd < 0) PFATAL("Unable to open '%s'", target_path); + f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0); - if (f_data == MAP_FAILED) PFATAL("Unable to mmap file '%s'", target_path); // 如果映射失败,输出错误信息 - close(fd); // 关闭文件描述符 + if (f_data == MAP_FAILED) PFATAL("Unable to mmap file '%s'", target_path); + + close(fd); - // 检查文件是否为脚本文件 if (f_data[0] == '#' && f_data[1] == '!') { - // 如果是脚本文件,输出错误信息并退出 - SAYF("\n" cLRD "[-] " cRST "Oops, the target binary looks like a shell script..."); + + SAYF("\n" cLRD "[-] " cRST + "Oops, the target binary looks like a shell script. Some build systems will\n" + " sometimes generate shell stubs for dynamically linked programs; try static\n" + " library mode (./configure --disable-shared) if that's the case.\n\n" + + " Another possible cause is that you are actually trying to use a shell\n" + " wrapper around the fuzzed component. Invoking shell can slow down the\n" + " fuzzing process by a factor of 20x or more; it's best to write the wrapper\n" + " in a compiled language instead.\n"); + FATAL("Program '%s' is a shell script", target_path); + } #ifndef __APPLE__ - // 检查文件是否为ELF格式 + if (f_data[0] != 0x7f || memcmp(f_data + 1, "ELF", 3)) FATAL("Program '%s' is not an ELF binary", target_path); + #else - // 在苹果系统上,检查文件是否为Mach-O格式 + if (f_data[0] != 0xCF || f_data[1] != 0xFA || f_data[2] != 0xED) FATAL("Program '%s' is not a 64-bit Mach-O binary", target_path); + #endif /* ^!__APPLE__ */ - // 如果没有使用QEMU模式且没有使用dumb模式,检查文件是否被AFL插桩 if (!qemu_mode && !dumb_mode && !memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { - // 如果没有插桩,输出错误信息并退出 - SAYF("\n" cLRD "[-] " cRST "Looks like the target binary is not instrumented!..."); + + SAYF("\n" cLRD "[-] " cRST + "Looks like the target binary is not instrumented! The fuzzer depends on\n" + " compile-time instrumentation to isolate interesting test cases while\n" + " mutating the input data. For more information, and for tips on how to\n" + " instrument binaries, please see %s/README.\n\n" + + " When source code is not available, you may be able to leverage QEMU\n" + " mode support. Consult the README for tips on how to enable this.\n" + + " (It is also possible to use afl-fuzz as a traditional, \"dumb\" fuzzer.\n" + " For that, you can use the -n option - but expect much worse results.)\n", + doc_path); + FATAL("No instrumentation detected"); + } if (qemu_mode && memmem(f_data, f_len, SHM_ENV_VAR, strlen(SHM_ENV_VAR) + 1)) { - // 如果在QEMU模式下检测到插桩,输出错误信息并退出 - SAYF("\n" cLRD "[-] " cRST "This program appears to be instrumented with afl-gcc..."); + + SAYF("\n" cLRD "[-] " cRST + "This program appears to be instrumented with afl-gcc, but is being run in\n" + " QEMU mode (-Q). This is probably not what you want - this setup will be\n" + " slow and offer no practical benefits.\n"); + FATAL("Instrumentation found in -Q mode"); + } - // 检查文件是否使用了AddressSanitizer if (memmem(f_data, f_len, "libasan.so", 10) || memmem(f_data, f_len, "__msan_init", 11)) uses_asan = 1; - /* 检测二进制文件中的持久模式和延迟初始化签名 */ + /* Detect persistent & deferred init signatures in the binary. */ + if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) { + OKF(cPIN "Persistent mode binary detected."); setenv(PERSIST_ENV_VAR, "1", 1); persistent_mode = 1; + } else if (getenv("AFL_PERSISTENT")) { + WARNF("AFL_PERSISTENT is no longer supported and may misbehave!"); + } if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) { + OKF(cPIN "Deferred forkserver binary detected."); setenv(DEFER_ENV_VAR, "1", 1); deferred_mode = 1; + } else if (getenv("AFL_DEFER_FORKSRV")) { + WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!"); + } - if (munmap(f_data, f_len)) PFATAL("unmap() failed"); // 取消内存映射 + if (munmap(f_data, f_len)) PFATAL("unmap() failed"); } -// 修剪并可能为运行创建一个横幅 + +/* Trim and possibly create a banner for the run. */ + static void fix_up_banner(u8* name) { - // 如果没有设置横幅,则根据同步ID或文件名来设置 + if (!use_banner) { + if (sync_id) { + use_banner = sync_id; + } else { - u8* trim = strrchr(name, '/'); // 查找文件名中的路径分隔符 + + u8* trim = strrchr(name, '/'); if (!trim) use_banner = name; else use_banner = trim + 1; + } + } - // 如果横幅字符串过长,则截断它 if (strlen(use_banner) > 40) { + u8* tmp = ck_alloc(44); sprintf(tmp, "%.40s...", use_banner); use_banner = tmp; + } + } -// 检查是否在TTY上运行 + +/* Check if we're on TTY. */ + static void check_if_tty(void) { - struct winsize ws; // 窗口大小结构体 - // 如果设置了环境变量AFL_NO_UI,则禁用UI + struct winsize ws; + if (getenv("AFL_NO_UI")) { OKF("Disabling the UI because AFL_NO_UI is set."); not_on_tty = 1; return; } - // 如果无法获取窗口大小,则认为不在TTY上运行 if (ioctl(1, TIOCGWINSZ, &ws)) { if (errno == ENOTTY) { @@ -6923,30 +6945,27 @@ static void check_if_tty(void) { } -/* 在终端尺寸变化后检查终端尺寸。 */ +/* Check terminal dimensions after resize. */ -// 这个函数检查终端的尺寸,以确保它不是太小,从而无法适当地显示程序的输出。 static void check_term_size(void) { - struct winsize ws; // winsize结构体用于存储终端的尺寸信息 + struct winsize ws; - term_too_small = 0; // 假设终端不是太小 + term_too_small = 0; - // 使用ioctl系统调用来获取终端的尺寸信息 - if (ioctl(1, TIOCGWINSZ, &ws)) return; // 如果ioctl调用失败,则返回 + if (ioctl(1, TIOCGWINSZ, &ws)) return; - // 如果窗口尺寸的行数或列数为0,或者小于某个阈值,则认为终端太小 - if (ws.ws_row == 0 && ws.ws_col == 0) return; // 如果行数和列数都为0,则返回 - if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1; // 设置终端太小的标志 + if (ws.ws_row == 0 && ws.ws_col == 0) return; + if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1; } -/* 显示使用提示。 */ -// 这个函数在用户请求帮助或者使用了错误的命令行参数时显示程序的使用提示。 + +/* Display usage hints. */ + static void usage(u8* argv0) { - // 使用SAYF宏来格式化并输出使用提示信息 SAYF("\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n" "Required parameters:\n\n" @@ -6959,8 +6978,8 @@ static void usage(u8* argv0) { " -f file - location read by the fuzzed program (stdin)\n" " -t msec - timeout for each run (auto-scaled, 50-%u ms)\n" " -m megs - memory limit for child process (%u MB)\n" - " -Q - use binary-only instrumentation (QEMU mode)\n\n" - + " -Q - use binary-only instrumentation (QEMU mode)\n\n" + "Fuzzing behavior settings:\n\n" " -d - quick & dirty mode (skips deterministic steps)\n" @@ -6977,9 +6996,8 @@ static void usage(u8* argv0) { "For additional tips, please consult %s/README.\n\n", - argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); // 使用宏替换标记来插入特定的值 + argv0, EXEC_TIMEOUT, MEM_LIMIT, doc_path); - // 显示使用提示后退出程序 exit(1); } @@ -6987,135 +7005,158 @@ static void usage(u8* argv0) { /* Prepare output directories and fds. */ -/* 准备输出目录和文件描述符。 */ - EXP_ST void setup_dirs_fds(void) { - u8* tmp; // 临时字符串指针 - s32 fd; // 文件描述符 - ACTF("Setting up output directories..."); // 动作提示:设置输出目录 + u8* tmp; + s32 fd; + + ACTF("Setting up output directories..."); - // 如果设置了同步ID,尝试创建同步目录,如果失败且不是因为已存在,则输出错误信息并终止 if (sync_id && mkdir(sync_dir, 0700) && errno != EEXIST) PFATAL("Unable to create '%s'", sync_dir); - // 尝试创建输出目录,如果失败且不是因为已存在,则输出错误信息并终止 if (mkdir(out_dir, 0700)) { + if (errno != EEXIST) PFATAL("Unable to create '%s'", out_dir); - maybe_delete_out_dir(); // 可能删除已存在的输出目录 + maybe_delete_out_dir(); + } else { + if (in_place_resume) - FATAL("Resume attempted but old output directory not found"); // 如果尝试在地恢复,但未找到旧的输出目录,则终止 + FATAL("Resume attempted but old output directory not found"); - out_dir_fd = open(out_dir, O_RDONLY); // 打开输出目录 + out_dir_fd = open(out_dir, O_RDONLY); #ifndef __sun - // 如果无法锁定输出目录,则输出错误信息并终止 + if (out_dir_fd < 0 || flock(out_dir_fd, LOCK_EX | LOCK_NB)) PFATAL("Unable to flock() output directory."); + #endif /* !__sun */ + } - // 创建队列目录,用于存放起始和发现的路径 + /* Queue directory for any starting & discovered paths. */ + tmp = alloc_printf("%s/queue", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - // 创建队列元数据的顶级目录,用于会话恢复等任务 + /* Top-level directory for queue metadata used for session + resume and related tasks. */ + tmp = alloc_printf("%s/queue/.state/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - // 创建目录,用于标记已经过确定性测试的队列条目 + /* Directory for flagging queue entries that went through + deterministic fuzzing in the past. */ + tmp = alloc_printf("%s/queue/.state/deterministic_done/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - // 创建目录,用于存放自动选择的字典条目 + /* Directory with the auto-selected dictionary entries. */ + tmp = alloc_printf("%s/queue/.state/auto_extras/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - // 创建目录,用于标记当前认为多余的路径集 + /* The set of paths currently deemed redundant. */ + tmp = alloc_printf("%s/queue/.state/redundant_edges/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - // 创建目录,用于标记显示变量行为的路径集 + /* The set of paths showing variable behavior. */ + tmp = alloc_printf("%s/queue/.state/variable_behavior/", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - // 如果设置了同步ID,创建同步目录,用于跟踪合作的模糊测试器 + /* Sync directory for keeping track of cooperating fuzzers. */ + if (sync_id) { + tmp = alloc_printf("%s/.synced/", out_dir); + if (mkdir(tmp, 0700) && (!in_place_resume || errno != EEXIST)) PFATAL("Unable to create '%s'", tmp); + ck_free(tmp); + } - // 创建目录,用于存放所有记录的崩溃 + /* All recorded crashes. */ + tmp = alloc_printf("%s/crashes", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - // 创建目录,用于存放所有记录的挂起 + /* All recorded hangs. */ + tmp = alloc_printf("%s/hangs", out_dir); if (mkdir(tmp, 0700)) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - // 创建一般有用的文件描述符 - dev_null_fd = open("/dev/null", O_RDWR); // 打开null设备文件描述符 + /* Generally useful file descriptors. */ + + dev_null_fd = open("/dev/null", O_RDWR); if (dev_null_fd < 0) PFATAL("Unable to open /dev/null"); - dev_urandom_fd = open("/dev/urandom", O_RDONLY); // 打开随机设备文件描述符 + dev_urandom_fd = open("/dev/urandom", O_RDONLY); if (dev_urandom_fd < 0) PFATAL("Unable to open /dev/urandom"); - // 创建Gnuplot输出文件 + /* Gnuplot output file. */ + tmp = alloc_printf("%s/plot_data", out_dir); - fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); // 打开或创建plot_data文件 + fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600); if (fd < 0) PFATAL("Unable to create '%s'", tmp); ck_free(tmp); - plot_file = fdopen(fd, "w"); // 将文件描述符与FILE*关联 - if (!plot_file) PFATAL("fdopen() failed"); // 如果失败,则输出错误信息并终止 + plot_file = fdopen(fd, "w"); + if (!plot_file) PFATAL("fdopen() failed"); - // 写入Gnuplot输出文件的标题行 fprintf(plot_file, "# unix_time, cycles_done, cur_path, paths_total, " "pending_total, pending_favs, map_size, unique_crashes, " "unique_hangs, max_depth, execs_per_sec\n"); /* ignore errors */ + } -/* 如果没有使用-f选项,则设置模糊测试数据的输出文件。 */ + +/* Setup the output file for fuzzed data, if not using -f. */ EXP_ST void setup_stdio_file(void) { - u8* fn = alloc_printf("%s/.cur_input", out_dir); // 构造当前输入文件的路径 - unlink(fn); // 删除已存在的当前输入文件,忽略错误 + u8* fn = alloc_printf("%s/.cur_input", out_dir); + + unlink(fn); /* Ignore errors */ - out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); // 打开或创建当前输入文件 + out_fd = open(fn, O_RDWR | O_CREAT | O_EXCL, 0600); - if (out_fd < 0) PFATAL("Unable to create '%s'", fn); // 如果失败,则输出错误信息并终止 + if (out_fd < 0) PFATAL("Unable to create '%s'", fn); + + ck_free(fn); - ck_free(fn); // 释放路径字符串 } -/* 确保核心转储(core dumps)不会发送到外部程序。 */ +/* Make sure that core dumps don't go to a program. */ static void check_crash_handling(void) { #ifdef __APPLE__ - /* 在Mac OS X上,似乎没有简单的C API可以查询已加载的守护进程状态,我也不愿意在没有测试环境的情况下 - 做一些更复杂的操作,比如通过Mach端口禁用崩溃报告。因此,目前我们用一种不太优雅的方式来检查崩溃报告。 */ - - // 尝试执行系统命令来检查是否有崩溃报告被配置为发送到外部程序 + /* Yuck! There appears to be no simple C API to query for the state of + loaded daemons on MacOS X, and I'm a bit hesitant to do something + more sophisticated, such as disabling crash reporting via Mach ports, + until I get a box to test the code. So, for now, we check for crash + reporting the awful way. */ + if (system("launchctl list 2>/dev/null | grep -q '\\.ReportCrash$'")) return; - // 如果系统配置了发送崩溃通知到外部程序,输出警告信息 SAYF("\n" cLRD "[-] " cRST "Whoops, your system is configured to forward crash notifications to an\n" " external crash reporting utility. This will cause issues due to the\n" @@ -7128,28 +7169,23 @@ static void check_crash_handling(void) { " launchctl unload -w ${SL}/LaunchAgents/${PL}.plist\n" " sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist\n"); - // 如果没有设置环境变量来忽略缺失的崩溃报告,则终止程序 if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Crash reporter detected"); #else - /* 这是Linux特定的代码,我不认为*BSD上有等效的设置,所以我们暂时可以忽略这个问题。 */ + /* This is Linux specific, but I don't think there's anything equivalent on + *BSD, so we can just let it slide for now. */ - // 打开核心转储模式文件 s32 fd = open("/proc/sys/kernel/core_pattern", O_RDONLY); u8 fchar; - // 如果打开文件失败,则直接返回 if (fd < 0) return; - // 输出动作信息:正在检查核心转储模式 ACTF("Checking core_pattern..."); - // 读取核心转储模式文件的第一个字符 if (read(fd, &fchar, 1) == 1 && fchar == '|') { - // 如果第一个字符是管道符号(|),说明系统配置了将核心转储发送到外部程序 SAYF("\n" cLRD "[-] " cRST "Hmm, your system is configured to send core dump notifications to an\n" " external utility. This will cause issues: there will be an extended delay\n" @@ -7161,63 +7197,55 @@ static void check_crash_handling(void) { " echo core >/proc/sys/kernel/core_pattern\n"); - // 如果没有设置环境变量来忽略缺失的崩溃报告,则终止程序 if (!getenv("AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES")) FATAL("Pipe at the beginning of 'core_pattern'"); + } - // 关闭核心转储模式文件 close(fd); #endif /* ^__APPLE__ */ + } -/* 检查CPU调速器(scaling governor)。 */ +/* Check CPU governor. */ static void check_cpu_governor(void) { - FILE* f; // 文件指针 - u8 tmp[128]; // 临时缓冲区 - u64 min = 0, max = 0; // 最小和最大CPU频率 + FILE* f; + u8 tmp[128]; + u64 min = 0, max = 0; - // 如果设置了环境变量AFL_SKIP_CPUFREQ,则跳过此检查 if (getenv("AFL_SKIP_CPUFREQ")) return; - // 尝试打开CPU调速器配置文件 f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "r"); - if (!f) return; // 如果打开失败,则跳过此检查 + if (!f) return; - ACTF("Checking CPU scaling governor..."); // 输出动作信息 + ACTF("Checking CPU scaling governor..."); - // 读取CPU调速器配置 - if (!fgets(tmp, 128, f)) PFATAL("fgets() failed"); // 如果读取失败,则输出错误信息并终止 + if (!fgets(tmp, 128, f)) PFATAL("fgets() failed"); - fclose(f); // 关闭文件 + fclose(f); - // 如果CPU调速器设置为performance,则不需要调整 if (!strncmp(tmp, "perf", 4)) return; - // 尝试打开最小CPU频率配置文件 f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", "r"); if (f) { - if (fscanf(f, "%llu", &min) != 1) min = 0; // 读取最小频率 + if (fscanf(f, "%llu", &min) != 1) min = 0; fclose(f); } - // 尝试打开最大CPU频率配置文件 f = fopen("/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", "r"); if (f) { - if (fscanf(f, "%llu", &max) != 1) max = 0; // 读取最大频率 + if (fscanf(f, "%llu", &max) != 1) max = 0; fclose(f); } - // 如果最小和最大频率相同,则不需要调整 if (min == max) return; - // 输出警告信息,提示用户调整CPU调速器设置 SAYF("\n" cLRD "[-] " cRST "Whoops, your system uses on-demand CPU frequency scaling, adjusted\n" " between %llu and %llu MHz. Unfortunately, the scaling algorithm in the\n" @@ -7232,32 +7260,32 @@ static void check_cpu_governor(void) { " to make afl-fuzz skip this check - but expect some performance drop.\n", min / 1024, max / 1024); - FATAL("Suboptimal CPU scaling governor"); // 如果CPU调速器设置不合理,则终止程序 + FATAL("Suboptimal CPU scaling governor"); + } -/* 计算逻辑CPU核心数。 */ + +/* Count the number of logical CPU cores. */ static void get_core_count(void) { - u32 cur_runnable = 0; // 当前可运行的任务数 + u32 cur_runnable = 0; #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - size_t s = sizeof(cpu_core_count); // 核心数的大小 + size_t s = sizeof(cpu_core_count); - /* 在*BSD系统上,我们可以使用sysctl来获取CPU数量。 */ + /* On *BSD systems, we can just use a sysctl to get the number of CPUs. */ #ifdef __APPLE__ - // 在Mac OS X上获取逻辑CPU核心数 if (sysctlbyname("hw.logicalcpu", &cpu_core_count, &s, NULL, 0) < 0) return; #else - int s_name[2] = { CTL_HW, HW_NCPU }; // sysctl的名称 + int s_name[2] = { CTL_HW, HW_NCPU }; - // 在其他*BSD系统上获取逻辑CPU核心数 if (sysctl(s_name, 2, &cpu_core_count, &s, NULL, 0) < 0) return; #endif /* ^__APPLE__ */ @@ -7266,53 +7294,48 @@ static void get_core_count(void) { #ifdef HAVE_AFFINITY - // 如果支持CPU亲和性,则使用sysconf获取逻辑CPU核心数 cpu_core_count = sysconf(_SC_NPROCESSORS_ONLN); #else - FILE* f = fopen("/proc/stat", "r"); // 尝试打开/proc/stat文件 - u8 tmp[1024]; // 临时缓冲区 + FILE* f = fopen("/proc/stat", "r"); + u8 tmp[1024]; - if (!f) return; // 如果打开失败,则跳过此检查 + if (!f) return; - // 读取/proc/stat文件,计算逻辑CPU核心数 while (fgets(tmp, sizeof(tmp), f)) if (!strncmp(tmp, "cpu", 3) && isdigit(tmp[3])) cpu_core_count++; - fclose(f); // 关闭文件 + fclose(f); #endif /* ^HAVE_AFFINITY */ #endif /* ^(__APPLE__ || __FreeBSD__ || __OpenBSD__) */ - // 如果成功获取逻辑CPU核心数 if (cpu_core_count > 0) { - cur_runnable = (u32)get_runnable_processes(); // 获取当前可运行的任务数 + cur_runnable = (u32)get_runnable_processes(); #if defined(__APPLE__) || defined(__FreeBSD__) || defined (__OpenBSD__) - // 添加当前进程,因为1分钟平均值尚未包括它 + /* Add ourselves, since the 1-minute average doesn't include that yet. */ + cur_runnable++; #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */ - // 输出CPU核心数和当前可运行的任务数 OKF("You have %u CPU core%s and %u runnable tasks (utilization: %0.0f%%).", cpu_core_count, cpu_core_count > 1 ? "s" : "", cur_runnable, cur_runnable * 100.0 / cpu_core_count); if (cpu_core_count > 1) { - // 如果当前可运行的任务数超过CPU核心数的1.5倍,则输出警告信息 if (cur_runnable > cpu_core_count * 1.5) { WARNF("System under apparent load, performance may be spotty."); } else if (cur_runnable + 1 <= cpu_core_count) { - // 如果当前可运行的任务数加1小于或等于CPU核心数,则输出提示信息 OKF("Try parallel jobs - see %s/parallel_fuzzing.txt.", doc_path); } @@ -7321,30 +7344,32 @@ static void get_core_count(void) { } else { - cpu_core_count = 0; // 如果无法获取逻辑CPU核心数,则设置为0 - WARNF("Unable to figure out the number of CPU cores."); // 输出警告信息 + cpu_core_count = 0; + WARNF("Unable to figure out the number of CPU cores."); + } } -/* 验证并修正使用-S时的out_dir和sync_dir。 */ + +/* Validate and fix up out_dir and sync_dir when using -S. */ static void fix_up_sync(void) { - u8* x = sync_id; // 同步ID + u8* x = sync_id; if (dumb_mode) - FATAL("-S / -M and -n are mutually exclusive"); // 如果同时使用-S/-M和-n,则终止程序 + FATAL("-S / -M and -n are mutually exclusive"); if (skip_deterministic) { if (force_deterministic) - FATAL("use -S instead of -M -d"); // 如果同时使用-M -d和-S,则终止程序 + FATAL("use -S instead of -M -d"); else - FATAL("-S already implies -d"); // 如果使用-S,则隐含-d,不需要再次指定 + FATAL("-S already implies -d"); + } - // 检查同步ID是否只包含字母数字、下划线或破折号 while (*x) { if (!isalnum(*x) && *x != '_' && *x != '-') @@ -7354,237 +7379,236 @@ static void fix_up_sync(void) { } - // 如果同步ID太长,则终止程序 if (strlen(sync_id) > 32) FATAL("Fuzzer ID too long"); - // 构造同步目录路径 x = alloc_printf("%s/%s", out_dir, sync_id); - sync_dir = out_dir; // 设置同步目录 - out_dir = x; // 设置输出目录 + sync_dir = out_dir; + out_dir = x; if (!force_deterministic) { - skip_deterministic = 1; // 跳过确定性测试 - use_splicing = 1; // 使用拼接技术 + skip_deterministic = 1; + use_splicing = 1; } } -/* 处理屏幕大小变化(SIGWINCH)。 */ + +/* Handle screen resize (SIGWINCH). */ static void handle_resize(int sig) { - clear_screen = 1; // 设置清除屏幕的标志 + clear_screen = 1; } -/* 检查ASAN选项。 */ + +/* Check ASAN options. */ static void check_asan_opts(void) { - u8* x = getenv("ASAN_OPTIONS"); // 获取ASAN_OPTIONS环境变量 + u8* x = getenv("ASAN_OPTIONS"); if (x) { - // 如果ASAN_OPTIONS没有设置abort_on_error=1,则终止程序 if (!strstr(x, "abort_on_error=1")) FATAL("Custom ASAN_OPTIONS set without abort_on_error=1 - please fix!"); - // 如果ASAN_OPTIONS没有设置symbolize=0,则终止程序 if (!strstr(x, "symbolize=0")) FATAL("Custom ASAN_OPTIONS set without symbolize=0 - please fix!"); } - x = getenv("MSAN_OPTIONS"); // 获取MSAN_OPTIONS环境 - + x = getenv("MSAN_OPTIONS"); if (x) { - // 如果MSAN_OPTIONS环境变量被设置了,检查是否包含了特定的exit_code值 + if (!strstr(x, "exit_code=" STRINGIFY(MSAN_ERROR))) FATAL("Custom MSAN_OPTIONS set without exit_code=" STRINGIFY(MSAN_ERROR) " - please fix!"); - // 检查MSAN_OPTIONS是否设置了symbolize=0,这通常用于防止asan_symbolize.py运行 if (!strstr(x, "symbolize=0")) FATAL("Custom MSAN_OPTIONS set without symbolize=0 - please fix!"); + } + } -/* 检测命令行参数中的'@@'符号并替换为文件路径。 */ + +/* Detect @@ in args. */ EXP_ST void detect_file_args(char** argv) { - u32 i = 0; // 初始化索引变量 - u8* cwd = getcwd(NULL, 0); // 获取当前工作目录 - // 如果无法获取当前工作目录,输出错误信息并终止程序 + u32 i = 0; + u8* cwd = getcwd(NULL, 0); + if (!cwd) PFATAL("getcwd() failed"); - // 遍历命令行参数 while (argv[i]) { - u8* aa_loc = strstr(argv[i], "@@"); // 查找参数中的'@@'符号 - // 如果找到了'@@'符号 + u8* aa_loc = strstr(argv[i], "@@"); + if (aa_loc) { + u8 *aa_subst, *n_arg; - /* 如果还没有指定输出文件名,则使用一个安全的默认值。 */ + /* If we don't have a file name chosen yet, use a safe default. */ + if (!out_file) - out_file = alloc_printf("%s/.cur_input", out_dir); // 使用默认输出文件名 + out_file = alloc_printf("%s/.cur_input", out_dir); + + /* Be sure that we're always using fully-qualified paths. */ - /* 确保我们总是使用完全合格的路径。 */ - if (out_file[0] == '/') - aa_subst = out_file; // 如果out_file是绝对路径,则直接使用 - else - aa_subst = alloc_printf("%s/%s", cwd, out_file); // 否则,构造绝对路径 + if (out_file[0] == '/') aa_subst = out_file; + else aa_subst = alloc_printf("%s/%s", cwd, out_file); - /* 构造替换后的argv值。 */ - *aa_loc = 0; // 临时终止字符串以构造新值 - n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); // 构造新参数值 - argv[i] = n_arg; // 更新argv - *aa_loc = '@'; // 恢复'@@'符号 + /* Construct a replacement argv value. */ - if (out_file[0] != '/') ck_free(aa_subst); // 如果out_file不是绝对路径,则释放构造的绝对路径 + *aa_loc = 0; + n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2); + argv[i] = n_arg; + *aa_loc = '@'; + + if (out_file[0] != '/') ck_free(aa_subst); } - i++; // 移动到下一个参数 + i++; + } - free(cwd); // 释放当前工作目录字符串 + free(cwd); /* not tracked */ + } -/* 设置信号处理器。Solaris上的libc比较复杂,因为它在中断的read()调用时不会恢复, - 当你调用siginterrupt()时会设置SA_RESETHAND,并且会做一些不必要的事情。 */ +/* Set up signal handlers. More complicated that needs to be, because libc on + Solaris doesn't resume interrupted reads(), sets SA_RESETHAND when you call + siginterrupt(), and does other unnecessary things. */ EXP_ST void setup_signal_handlers(void) { - struct sigaction sa; // 定义信号动作结构体 + struct sigaction sa; - // 初始化信号动作结构体 - sa.sa_handler = NULL; // 没有指定信号处理函数 - sa.sa_flags = SA_RESTART; // 设置信号处理时自动重启被中断的系统调用 - sa.sa_sigaction = NULL; // 没有指定信号的特定处理函数 + sa.sa_handler = NULL; + sa.sa_flags = SA_RESTART; + sa.sa_sigaction = NULL; - sigemptyset(&sa.sa_mask); // 清空信号集 + sigemptyset(&sa.sa_mask); - /* 各种表示“停止”的信号。 */ + /* Various ways of saying "stop". */ - // 设置信号处理函数为handle_stop_sig sa.sa_handler = handle_stop_sig; - sigaction(SIGHUP, &sa, NULL); // 对SIGHUP信号进行设置 - sigaction(SIGINT, &sa, NULL); // 对SIGINT信号进行设置 - sigaction(SIGTERM, &sa, NULL); // 对SIGTERM信号进行设置 + sigaction(SIGHUP, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + sigaction(SIGTERM, &sa, NULL); - /* 执行超时通知。 */ + /* Exec timeout notifications. */ - // 设置信号处理函数为handle_timeout sa.sa_handler = handle_timeout; - sigaction(SIGALRM, &sa, NULL); // 对SIGALRM信号进行设置 + sigaction(SIGALRM, &sa, NULL); - /* 窗口大小改变通知 */ + /* Window resize */ - // 设置信号处理函数为handle_resize sa.sa_handler = handle_resize; - sigaction(SIGWINCH, &sa, NULL); // 对SIGWINCH信号进行设置 + sigaction(SIGWINCH, &sa, NULL); - /* SIGUSR1: 跳过条目 */ + /* SIGUSR1: skip entry */ - // 设置信号处理函数为handle_skipreq sa.sa_handler = handle_skipreq; - sigaction(SIGUSR1, &sa, NULL); // 对SIGUSR1信号进行设置 + sigaction(SIGUSR1, &sa, NULL); - /* 我们不关心的信号。 */ + /* Things we don't care about. */ - // 设置信号处理函数为SIG_IGN,忽略这些信号 sa.sa_handler = SIG_IGN; - sigaction(SIGTSTP, &sa, NULL); // 对SIGTSTP信号进行设置 - sigaction(SIGPIPE, &sa, NULL); // 对SIGPIPE信号进行设置 + sigaction(SIGTSTP, &sa, NULL); + sigaction(SIGPIPE, &sa, NULL); + } -/* 为QEMU重写argv。 */ + +/* Rewrite argv for QEMU. */ static char** get_qemu_argv(u8* own_loc, char** argv, int argc) { - char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); // 分配新的argv数组 + char** new_argv = ck_alloc(sizeof(char*) * (argc + 4)); u8 *tmp, *cp, *rsl, *own_copy; - /* 针对QEMU稳定性问题的工作区。 */ + /* Workaround for a QEMU stability glitch. */ - setenv("QEMU_LOG", "nochain", 1); // 设置环境变量QEMU_LOG + setenv("QEMU_LOG", "nochain", 1); - // 将原始argv的参数复制到新数组中,从第三个参数开始 memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc); - new_argv[2] = target_path; // 设置目标路径 - new_argv[1] = "--"; // 设置参数分隔符 + new_argv[2] = target_path; + new_argv[1] = "--"; - /* 现在我们需要找到QEMU二进制文件并放入argv[0]。 */ + /* Now we need to actually find the QEMU binary to put in argv[0]. */ - tmp = getenv("AFL_PATH"); // 获取环境变量AFL_PATH + tmp = getenv("AFL_PATH"); if (tmp) { - cp = alloc_printf("%s/afl-qemu-trace", tmp); // 构造QEMU路径 + cp = alloc_printf("%s/afl-qemu-trace", tmp); - if (access(cp, X_OK)) // 检查文件是否存在且可执行 - FATAL("Unable to find '%s'", tmp); // 如果找不到,输出错误信息并终止 + if (access(cp, X_OK)) + FATAL("Unable to find '%s'", tmp); - target_path = new_argv[0] = cp; // 设置目标路径和argv[0] - return new_argv; // 返回新的argv数组 + target_path = new_argv[0] = cp; + return new_argv; } - own_copy = ck_strdup(own_loc); // 复制原始位置信息 - rsl = strrchr(own_copy, '/'); // 查找路径分隔符 + own_copy = ck_strdup(own_loc); + rsl = strrchr(own_copy, '/'); if (rsl) { - *rsl = 0; // 将路径分隔符替换为字符串结束符 + *rsl = 0; - cp = alloc_printf("%s/afl-qemu-trace", own_copy); // 构造QEMU路径 - ck_free(own_copy); // 释放原始位置信息 + cp = alloc_printf("%s/afl-qemu-trace", own_copy); + ck_free(own_copy); - if (!access(cp, X_OK)) { // 检查文件是否存在且可执行 + if (!access(cp, X_OK)) { - target_path = new_argv[0] = cp; // 设置目标路径和argv[0] - return new_argv; // 返回新的argv数组 + target_path = new_argv[0] = cp; + return new_argv; } - } else ck_free(own_copy); // 如果没有找到路径分隔符,释放原始位置信息 + } else ck_free(own_copy); - if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { // 检查默认路径下的QEMU是否存在且可执行 + if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) { - target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace"); // 设置目标路径和argv[0] - return new_argv; // 返回新的argv数组 + target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace"); + return new_argv; } - SAYF("\n" cLRD "[-] " cRST // 输出错误信息 + SAYF("\n" cLRD "[-] " cRST "Oops, unable to find the 'afl-qemu-trace' binary. The binary must be built\n" " separately by following the instructions in qemu_mode/README.qemu. If you\n" " already have the binary installed, you may need to specify AFL_PATH in the\n" " environment.\n\n" + " Of course, even without QEMU, afl-fuzz can still work with binaries that are\n" " instrumented at compile time with afl-gcc. It is also possible to use it as a\n" " traditional \"dumb\" fuzzer by specifying '-n' in the command line.\n"); - FATAL("Failed to locate 'afl-qemu-trace'."); // 输出错误信息并终止 + FATAL("Failed to locate 'afl-qemu-trace'."); + } -/* 保存当前命令行参数。 */ + +/* Make a copy of the current command line. */ static void save_cmdline(u32 argc, char** argv) { - u32 len = 1, i; // 初始化长度变量 - u8* buf; // 定义缓冲区指针 + u32 len = 1, i; + u8* buf; - // 计算命令行参数的总长度 for (i = 0; i < argc; i++) len += strlen(argv[i]) + 1; - buf = orig_cmdline = ck_alloc(len); // 分配缓冲区 + buf = orig_cmdline = ck_alloc(len); - // 将命令行参数复制到缓冲区 for (i = 0; i < argc; i++) { u32 l = strlen(argv[i]); @@ -7592,11 +7616,12 @@ static void save_cmdline(u32 argc, char** argv) { memcpy(buf, argv[i], l); buf += l; - if (i != argc - 1) *(buf++) = ' '; // 在参数之间添加空格 + if (i != argc - 1) *(buf++) = ' '; } - *buf = 0; // 设置字符串结束符 + *buf = 0; + } @@ -7606,7 +7631,6 @@ static void save_cmdline(u32 argc, char** argv) { int main(int argc, char** argv) { - // 定义了一些变量,用于存储命令行参数和状态 s32 opt; u64 prev_queued = 0; u32 sync_interval_cnt = 0, seek_to; @@ -7615,406 +7639,413 @@ int main(int argc, char** argv) { u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE"); char** use_argv; - // 定义时间相关的结构体 struct timeval tv; struct timezone tz; - // 打印欢迎信息和版本号 SAYF(cCYA "afl-fuzz " cBRI VERSION cRST " by \n"); - // 设置文档路径 doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH; - // 获取当前时间,用于随机数种子 gettimeofday(&tv, &tz); srandom(tv.tv_sec ^ tv.tv_usec ^ getpid()); - // 解析命令行参数 - while ((opt = getopt(argc, argv, "+i:o:f:m:b:t:T:dnCB:S:M:x:QV")) > 0) { + while ((opt = getopt(argc, argv, "+i:o:f:m:b:t:T:dnCB:S:M:x:QV")) > 0) + switch (opt) { - // 处理不同的命令行选项 + case 'i': /* input dir */ - // 设置输入目录 + if (in_dir) FATAL("Multiple -i options not supported"); in_dir = optarg; + if (!strcmp(in_dir, "-")) in_place_resume = 1; + break; case 'o': /* output dir */ - // 设置输出目录 + if (out_dir) FATAL("Multiple -o options not supported"); out_dir = optarg; break; case 'M': { /* master sync ID */ - // 设置主同步ID - u8* c; - if (sync_id) FATAL("Multiple -S or -M options not supported"); - sync_id = ck_strdup(optarg); - if ((c = strchr(sync_id, ':'))) { - *c = 0; - if (sscanf(c + 1, "%u/%u", &master_id, &master_max) != 2 || - !master_id || !master_max || master_id > master_max || - master_max > 1000000) FATAL("Bogus master ID passed to -M"); + + u8* c; + + if (sync_id) FATAL("Multiple -S or -M options not supported"); + sync_id = ck_strdup(optarg); + + if ((c = strchr(sync_id, ':'))) { + + *c = 0; + + if (sscanf(c + 1, "%u/%u", &master_id, &master_max) != 2 || + !master_id || !master_max || master_id > master_max || + master_max > 1000000) FATAL("Bogus master ID passed to -M"); + + } + + force_deterministic = 1; + } - force_deterministic = 1; - } + break; case 'S': - // 设置同步ID + if (sync_id) FATAL("Multiple -S or -M options not supported"); sync_id = ck_strdup(optarg); break; case 'f': /* target file */ - // 设置目标文件 + if (out_file) FATAL("Multiple -f options not supported"); out_file = optarg; break; case 'x': /* dictionary */ - // 设置额外的字典目录 + if (extras_dir) FATAL("Multiple -x options not supported"); extras_dir = optarg; break; case 't': { /* timeout */ - // 设置超时时间 - u8 suffix = 0; - if (timeout_given) FATAL("Multiple -t options not supported"); - if (sscanf(optarg, "%u%c", &exec_tmout, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -t"); - if (exec_tmout < 5) FATAL("Dangerously low value of -t"); - if (suffix == '+') timeout_given = 2; else timeout_given = 1; - break; + + u8 suffix = 0; + + if (timeout_given) FATAL("Multiple -t options not supported"); + + if (sscanf(optarg, "%u%c", &exec_tmout, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -t"); + + if (exec_tmout < 5) FATAL("Dangerously low value of -t"); + + if (suffix == '+') timeout_given = 2; else timeout_given = 1; + + break; + } case 'm': { /* mem limit */ - // 设置内存限制 - u8 suffix = 'M'; - if (mem_limit_given) FATAL("Multiple -m options not supported"); - mem_limit_given = 1; - if (!strcmp(optarg, "none")) { - mem_limit = 0; - break; - } - if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -m"); - switch (suffix) { - case 'T': mem_limit *= 1024 * 1024; break; - case 'G': mem_limit *= 1024; break; - case 'k': mem_limit /= 1024; break; - case 'M': break; - default: FATAL("Unsupported suffix or bad syntax for -m"); + + u8 suffix = 'M'; + + if (mem_limit_given) FATAL("Multiple -m options not supported"); + mem_limit_given = 1; + + if (!strcmp(optarg, "none")) { + + mem_limit = 0; + break; + + } + + if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -m"); + + switch (suffix) { + + case 'T': mem_limit *= 1024 * 1024; break; + case 'G': mem_limit *= 1024; break; + case 'k': mem_limit /= 1024; break; + case 'M': break; + + default: FATAL("Unsupported suffix or bad syntax for -m"); + + } + + if (mem_limit < 5) FATAL("Dangerously low value of -m"); + + if (sizeof(rlim_t) == 4 && mem_limit > 2000) + FATAL("Value of -m out of range on 32-bit systems"); + } - if (mem_limit < 5) FATAL("Dangerously low value of -m"); - if (sizeof(rlim_t) == 4 && mem_limit > 2000) - FATAL("Value of -m out of range on 32-bit systems"); - } + break; case 'b': { /* bind CPU core */ - // 绑定CPU核心 - if (cpu_to_bind_given) FATAL("Multiple -b options not supported"); - cpu_to_bind_given = 1; - if (sscanf(optarg, "%u", &cpu_to_bind) < 1 || - optarg[0] == '-') FATAL("Bad syntax used for -b"); - break; + + if (cpu_to_bind_given) FATAL("Multiple -b options not supported"); + cpu_to_bind_given = 1; + + if (sscanf(optarg, "%u", &cpu_to_bind) < 1 || + optarg[0] == '-') FATAL("Bad syntax used for -b"); + + break; + } case 'd': /* skip deterministic */ - // 跳过确定性测试 + if (skip_deterministic) FATAL("Multiple -d options not supported"); skip_deterministic = 1; use_splicing = 1; break; case 'B': /* load bitmap */ - // 加载比特图 + + /* This is a secret undocumented option! It is useful if you find + an interesting test case during a normal fuzzing process, and want + to mutate it without rediscovering any of the test cases already + found during an earlier run. + + To use this mode, you need to point -B to the fuzz_bitmap produced + by an earlier run for the exact same binary... and that's it. + + I only used this once or twice to get variants of a particular + file, so I'm not making this an official setting. */ + if (in_bitmap) FATAL("Multiple -B options not supported"); + in_bitmap = optarg; read_bitmap(in_bitmap); break; case 'C': /* crash mode */ - // 设置为崩溃模式 + if (crash_mode) FATAL("Multiple -C options not supported"); crash_mode = FAULT_CRASH; break; case 'n': /* dumb mode */ - // 设置为简单模式 + if (dumb_mode) FATAL("Multiple -n options not supported"); if (getenv("AFL_DUMB_FORKSRV")) dumb_mode = 2; else dumb_mode = 1; + break; case 'T': /* banner */ - // 设置横幅 + if (use_banner) FATAL("Multiple -T options not supported"); use_banner = optarg; break; case 'Q': /* QEMU mode */ - // 设置为QEMU模式 + if (qemu_mode) FATAL("Multiple -Q options not supported"); qemu_mode = 1; + if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU; + break; case 'V': /* Show version number */ - // 显示版本号并退出 + + /* Version number has been printed already, just quit. */ exit(0); default: - // 默认行为:显示使用说明 + usage(argv[0]); + } - } - // 检查必要的参数是否已设置 if (optind == argc || !in_dir || !out_dir) usage(argv[0]); - // 设置信号处理程序 setup_signal_handlers(); check_asan_opts(); - // 如果设置了同步ID,修正同步设置 if (sync_id) fix_up_sync(); - // 输入和输出目录不能相同 if (!strcmp(in_dir, out_dir)) FATAL("Input and output directories can't be the same"); - // 在简单模式下,检查互斥选项 if (dumb_mode) { + if (crash_mode) FATAL("-C and -n are mutually exclusive"); if (qemu_mode) FATAL("-Q and -n are mutually exclusive"); + } - // 读取环境变量设置 if (getenv("AFL_NO_FORKSRV")) no_forkserver = 1; if (getenv("AFL_NO_CPU_RED")) no_cpu_meter_red = 1; if (getenv("AFL_NO_ARITH")) no_arith = 1; if (getenv("AFL_SHUFFLE_QUEUE")) shuffle_queue = 1; if (getenv("AFL_FAST_CAL")) fast_cal = 1; - // 设置挂起超时时间 if (getenv("AFL_HANG_TMOUT")) { hang_tmout = atoi(getenv("AFL_HANG_TMOUT")); if (!hang_tmout) FATAL("Invalid value of AFL_HANG_TMOUT"); } - // 检查互斥的环境变量设置 if (dumb_mode == 2 && no_forkserver) FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive"); - // 设置预加载库 if (getenv("AFL_PRELOAD")) { setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1); setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1); } -// 如果设置了环境变量AFL_LD_PRELOAD,则输出错误信息并终止程序。 -if (getenv("AFL_LD_PRELOAD")) + if (getenv("AFL_LD_PRELOAD")) FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD"); -// 保存命令行参数,以便后续使用。 -save_cmdline(argc, argv); + save_cmdline(argc, argv); -// 修复banner信息,这通常是为了显示程序的版本号或其他信息。 -fix_up_banner(argv[optind]); + fix_up_banner(argv[optind]); -// 检查当前是否是TTY环境,这可能影响程序的输出方式。 -check_if_tty(); + check_if_tty(); -// 获取CPU核心数,这有助于后续的并行处理。 -get_core_count(); + get_core_count(); #ifdef HAVE_AFFINITY -// 如果支持CPU亲和性设置,则将程序绑定到一个空闲的CPU核心上。 -bind_to_free_cpu(); + bind_to_free_cpu(); #endif /* HAVE_AFFINITY */ -// 检查崩溃处理设置,确保程序在崩溃时能够正确处理。 -check_crash_handling(); -check_cpu_governor(); + check_crash_handling(); + check_cpu_governor(); -// 设置后续操作,这可能包括日志文件的设置等。 -setup_post(); -setup_shm(); -init_count_class16(); + setup_post(); + setup_shm(); + init_count_class16(); -// 设置目录和文件描述符,为后续的文件操作做准备。 -setup_dirs_fds(); -read_testcases(); -load_auto(); + setup_dirs_fds(); + read_testcases(); + load_auto(); -// 调整输入,这可能涉及到对测试用例的预处理。 -pivot_inputs(); + pivot_inputs(); -// 如果指定了extras目录,则加载额外的测试用例。 -if (extras_dir) load_extras(extras_dir); + if (extras_dir) load_extras(extras_dir); -// 如果没有给定超时时间,则自动寻找一个合适的超时时间。 -if (!timeout_given) find_timeout(); + if (!timeout_given) find_timeout(); -// 检测文件参数,这可能涉及到对命令行参数的处理。 -detect_file_args(argv + optind + 1); + detect_file_args(argv + optind + 1); -// 如果没有指定输出文件,则设置标准输出文件。 -if (!out_file) setup_stdio_file(); + if (!out_file) setup_stdio_file(); -// 检查二进制文件,这可能涉及到对目标程序的验证。 -check_binary(argv[optind]); + check_binary(argv[optind]); -// 获取当前时间,用于后续的时间统计。 -start_time = get_cur_time(); + start_time = get_cur_time(); -// 如果启用了QEMU模式,则获取QEMU的命令行参数,否则使用原始参数。 -if (qemu_mode) + if (qemu_mode) use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind); -else + else use_argv = argv + optind; -// 执行一次干运行,以检查程序的行为。 -perform_dry_run(use_argv); + perform_dry_run(use_argv); -// 修剪队列,移除无效或重复的测试用例。 -cull_queue(); + cull_queue(); -// 显示初始化统计信息。 -show_init_stats(); + show_init_stats(); -// 寻找开始位置,这可能涉及到对测试用例的排序或选择。 -seek_to = find_start_position(); + seek_to = find_start_position(); -// 写入统计文件,保存当前的状态。 -write_stats_file(0, 0, 0); -save_auto(); + write_stats_file(0, 0, 0); + save_auto(); -// 如果程序即将停止,则跳转到停止处理部分。 -if (stop_soon) goto stop_fuzzing; + if (stop_soon) goto stop_fuzzing; -// 如果不是在TTY环境下,则等待一段时间再开始测试。 -if (!not_on_tty) { + /* Woop woop woop */ + + if (!not_on_tty) { sleep(4); start_time += 4000; if (stop_soon) goto stop_fuzzing; -} + } + + while (1) { -// 主循环开始,这里会不断执行模糊测试,直到程序停止。 -while (1) { u8 skipped_fuzz; - // 修剪队列,移除无效或重复的测试用例。 cull_queue(); - // 如果队列中没有当前的测试用例,则进入下一个循环周期。 if (!queue_cur) { - queue_cycle++; - current_entry = 0; - cur_skipped_paths = 0; - queue_cur = queue; - - // 如果需要seek到特定位置,则移动队列指针。 - while (seek_to) { - current_entry++; - seek_to--; - queue_cur = queue_cur->next; - } - // 显示统计信息。 - show_stats(); + queue_cycle++; + current_entry = 0; + cur_skipped_paths = 0; + queue_cur = queue; - // 如果不是在TTY环境下,则输出当前的循环周期。 - if (not_on_tty) { - ACTF("Entering queue cycle %llu.", queue_cycle); - fflush(stdout); - } + while (seek_to) { + current_entry++; + seek_to--; + queue_cur = queue_cur->next; + } + + show_stats(); + + if (not_on_tty) { + ACTF("Entering queue cycle %llu.", queue_cycle); + fflush(stdout); + } + + /* If we had a full queue cycle with no new finds, try + recombination strategies next. */ + + if (queued_paths == prev_queued) { + + if (use_splicing) cycles_wo_finds++; else use_splicing = 1; + + } else cycles_wo_finds = 0; - // 如果在当前循环周期中没有新的发现,则尝试重组策略。 - if (queued_paths == prev_queued) { - if (use_splicing) cycles_wo_finds++; else use_splicing = 1; - } else cycles_wo_finds = 0; + prev_queued = queued_paths; - // 更新之前的队列路径数。 - prev_queued = queued_paths; + if (sync_id && queue_cycle == 1 && getenv("AFL_IMPORT_FIRST")) + sync_fuzzers(use_argv); - // 如果设置了同步ID并且是第一个循环周期,并且设置了AFL_IMPORT_FIRST环境变量,则同步模糊测试者。 - if (sync_id && queue_cycle == 1 && getenv("AFL_IMPORT_FIRST")) - sync_fuzzers(use_argv); } - // 执行一次模糊测试。 skipped_fuzz = fuzz_one(use_argv); - // 如果程序没有停止并且设置了同步ID并且没有跳过模糊测试,则尝试同步模糊测试者。 if (!stop_soon && sync_id && !skipped_fuzz) { - if (!(sync_interval_cnt++ % SYNC_INTERVAL)) - sync_fuzzers(use_argv); + + if (!(sync_interval_cnt++ % SYNC_INTERVAL)) + sync_fuzzers(use_argv); + } - // 如果程序即将退出并且设置了exit_1,则设置停止标志。 if (!stop_soon && exit_1) stop_soon = 2; - // 如果程序即将停止,则跳出循环。 if (stop_soon) break; - // 移动到下一个测试用例。 queue_cur = queue_cur->next; current_entry++; -} -// 如果队列中还有测试用例,则显示统计信息。 -if (queue_cur) show_stats(); + } + + if (queue_cur) show_stats(); -// 如果程序是被程序性地停止的,那么杀死forkserver和当前的运行者。 -// 如果是手动停止的,那么这部分由信号处理程序完成。 -if (stop_soon == 2) { - if (child_pid > 0) kill(child_pid, SIGKILL); - if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); -} -// 现在我们已经杀死了forkserver,我们可以等待它以便获取资源使用统计信息。 -if (waitpid(forksrv_pid, NULL, 0) <= 0) { + /* If we stopped programmatically, we kill the forkserver and the current runner. + If we stopped manually, this is done by the signal handler. */ + if (stop_soon == 2) { + if (child_pid > 0) kill(child_pid, SIGKILL); + if (forksrv_pid > 0) kill(forksrv_pid, SIGKILL); + } + /* Now that we've killed the forkserver, we wait for it to be able to get rusage stats. */ + if (waitpid(forksrv_pid, NULL, 0) <= 0) { WARNF("error waitpid\n"); -} + } -// 写入bitmap,保存当前的测试覆盖情况。 -write_bitmap(); -// 写入统计文件,保存最终的状态。 -write_stats_file(0, 0, 0); -// 保存自动保存的信息。 -save_auto(); + write_bitmap(); + write_stats_file(0, 0, 0); + save_auto(); -// 跳转到停止模糊测试的处理部分。 stop_fuzzing: -// 输出结束信息,显示测试是被程序性地停止还是被用户停止。 -SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, - stop_soon == 2 ? "programmatically" : "by user"); + SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST, + stop_soon == 2 ? "programmatically" : "by user"); + + /* Running for more than 30 minutes but still doing first cycle? */ + + if (queue_cycle == 1 && get_cur_time() - start_time > 30 * 60 * 1000) { -// 如果运行超过30分钟但仍然在第一个循环周期,输出警告信息。 -if (queue_cycle == 1 && get_cur_time() - start_time > 30 * 60 * 1000) { SAYF("\n" cYEL "[!] " cRST - "Stopped during the first cycle, results may be incomplete.\n" - " (For info on resuming, see %s/README.)\n", doc_path); -} + "Stopped during the first cycle, results may be incomplete.\n" + " (For info on resuming, see %s/README.)\n", doc_path); -// 关闭绘图文件,销毁队列和额外的测试用例,释放内存。 -fclose(plot_file); -destroy_queue(); -destroy_extras(); -ck_free(target_path); -ck_free(sync_id); + } + + fclose(plot_file); + destroy_queue(); + destroy_extras(); + ck_free(target_path); + ck_free(sync_id); -// 生成报告。 -alloc_report(); + alloc_report(); -// 输出结束信息,表示测试完成。 -OKF("We're done here. Have a nice day!\n"); + OKF("We're done here. Have a nice day!\n"); + + exit(0); -// 退出程序。 -exit(0); } + #endif /* !AFL_LIB */ -- 2.34.1 From 3b45ac2f0a31e52881ad2d22981d7ab360300776 Mon Sep 17 00:00:00 2001 From: dongloong <1909842837@qq.com> Date: Mon, 16 Dec 2024 20:36:58 +0800 Subject: [PATCH 6/6] new --- afl-gotcpu.c | 138 ++++++++++++++++++++++++++++----------------------- 1 file changed, 76 insertions(+), 62 deletions(-) diff --git a/afl-gotcpu.c b/afl-gotcpu.c index 630b7ff..6281afe 100644 --- a/afl-gotcpu.c +++ b/afl-gotcpu.c @@ -1,35 +1,29 @@ -/* - Copyright 2015 Google LLC All rights reserved. +/* + 版权所有 2015 Google LLC 保留所有权利。 - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: + 根据Apache License, 版本2.0(“许可证”)授权; + 除非遵守许可证,否则不得使用此文件。 + 您可以在以下网址获得许可证的副本: http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. + 除非适用法律要求或书面同意,否则按照许可证分发的软件是基于“原样”分发的基础上进行的, + 不提供任何明示或暗示的保证或条件。 + 请参阅许可证,了解许可证下的具体语言,以了解权限和限制。 */ -/* - american fuzzy lop - free CPU gizmo +/* + 美国模糊跳 - 免费CPU小工具 ----------------------------------- - Written and maintained by Michal Zalewski + 由Michal Zalewski 编写和维护 - This tool provides a fairly accurate measurement of CPU preemption rate. - It is meant to complement the quick-and-dirty load average widget shown - in the afl-fuzz UI. See docs/parallel_fuzzing.txt for more info. + 这个工具提供了一个相当准确的CPU抢占率测量。 + 它旨在补充afl-fuzz UI中显示的快速且粗略的负载平均小部件。更多信息请参见docs/parallel_fuzzing.txt。 - For some work loads, the tool may actually suggest running more instances - than you have CPU cores. This can happen if the tested program is spending - a portion of its run time waiting for I/O, rather than being 100% - CPU-bound. + 对于一些工作负载,该工具实际上可能建议您运行的实例数量超过您拥有的CPU核心数。如果被测试的程序在其运行时间中花费了一部分时间等待I/O,而不是100% CPU绑定,这种情况可能会发生。 - The idea for the getrusage()-based approach comes from Jakub Wilk. + 基于getrusage()的方法的想法来自Jakub Wilk。 */ #define AFL_MAIN @@ -55,119 +49,151 @@ #endif /* __linux__ */ -/* Get unix time in microseconds. */ +/* + 获取以微秒为单位的Unix时间。 +*/ static u64 get_cur_time_us(void) { - + // 定义一个timeval结构体变量tv,用于存储当前时间 struct timeval tv; + // 定义一个timezone结构体变量tz,用于存储时区信息 struct timezone tz; + // 使用gettimeofday函数获取当前时间,并存储到tv和tz中 gettimeofday(&tv, &tz); + // 将秒转换为微秒,并加上微秒部分,返回当前时间的微秒值 return (tv.tv_sec * 1000000ULL) + tv.tv_usec; - } - -/* Get CPU usage in microseconds. */ +/* + 获取CPU使用时间,以微秒为单位。 +*/ static u64 get_cpu_usage_us(void) { - + // 定义一个rusage结构体变量u,用于存储资源使用情况 struct rusage u; + // 使用getrusage函数获取当前进程的资源使用情况,并存储到u中 getrusage(RUSAGE_SELF, &u); + // 计算用户态和核心态的总使用时间(微秒),并返回 return (u.ru_utime.tv_sec * 1000000ULL) + u.ru_utime.tv_usec + (u.ru_stime.tv_sec * 1000000ULL) + u.ru_stime.tv_usec; - } -/* Measure preemption rate. */ +/* + 测量抢占率。 +*/ static u32 measure_preemption(u32 target_ms) { - + // 定义两个易失性变量,用于循环测试 static volatile u32 v1, v2; + // 定义变量用于存储开始和结束的时间(微秒),以及CPU使用时间 u64 st_t, en_t, st_c, en_c, real_delta, slice_delta; + // 定义循环重复次数 s32 loop_repeats = 0; + // 获取当前时间(微秒) st_t = get_cur_time_us(); + // 获取当前CPU使用时间(微秒) st_c = get_cpu_usage_us(); repeat_loop: - + // 设置v1为一个忙循环的计数 v1 = CTEST_BUSY_CYCLES; + // 执行忙循环,同时v2自增 while (v1--) v2++; + // 调用sched_yield(),让出CPU sched_yield(); + // 再次获取当前时间(微秒) en_t = get_cur_time_us(); + // 如果当前时间与开始时间的差小于目标时间(毫秒转换为微秒),则增加循环次数并继续循环 if (en_t - st_t < target_ms * 1000) { loop_repeats++; goto repeat_loop; } - /* Let's see what percentage of this time we actually had a chance to - run, and how much time was spent in the penalty box. */ + /* 让我们看看这段时间里我们实际上有多少百分比的机会运行, + 以及在惩罚箱中花费了多少时间。 */ + // 获取当前CPU使用时间(微秒) en_c = get_cpu_usage_us(); + // 计算实际时间差(毫秒)和CPU使用时间差(毫秒) real_delta = (en_t - st_t) / 1000; slice_delta = (en_c - st_c) / 1000; + // 返回实际时间差占CPU使用时间差的百分比,即抢占率 return real_delta * 100 / slice_delta; - } - -/* Do the benchmark thing. */ +/* + 执行基准测试。 +*/ int main(int argc, char** argv) { #ifdef HAVE_AFFINITY + // 获取在线的CPU核心数 u32 cpu_cnt = sysconf(_SC_NPROCESSORS_ONLN), + // 初始化空闲CPU和可能可用CPU的计数器 idle_cpus = 0, maybe_cpus = 0, i; + // 打印欢迎信息和版本号 SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n"); + // 打印测量每个核心抢占率所需的时间 ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...", ((double)CTEST_CORE_TRG_MS) / 1000); + // 遍历每个CPU核心 for (i = 0; i < cpu_cnt; i++) { + // 创建子进程 s32 fr = fork(); + // 如果fork失败,则打印错误信息并退出 if (fr < 0) PFATAL("fork failed"); + // 如果是子进程,则执行以下操作 if (!fr) { + // 定义CPU集合 cpu_set_t c; + // 定义CPU使用率百分比 u32 util_perc; + // 初始化CPU集合 CPU_ZERO(&c); + // 将当前核心加入CPU集合 CPU_SET(i, &c); + // 如果设置CPU亲和性失败,则打印错误信息并退出 if (sched_setaffinity(0, sizeof(c), &c)) PFATAL("sched_setaffinity failed for cpu %d", i); + // 测量抢占率 util_perc = measure_preemption(CTEST_CORE_TRG_MS); + // 如果使用率低于110%,则标记为核心可用,并退出 if (util_perc < 110) { - - SAYF(" Core #%u: " cLGN "AVAILABLE " cRST "(%u%%)\n", i, util_perc); + SAYF(" Core #%u: " cLGN "AVAILABLE" cRST "(%u%%)\n", i, util_perc); exit(0); - } else if (util_perc < 250) { - - SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc); + // 如果使用率低于250%,则标记为核心需要谨慎,并退出 + SAYF(" Core #%u: " cYEL "CAUTION" cRST "(%u%%)\n", i, util_perc); exit(1); - } - SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i, + // 如果使用率高于250%,则标记为核心过载,并退出 + SAYF(" Core #%u: " cLRD "OVERBOOKED" cRST "(%u%%)\n" cRST, i, util_perc); exit(2); @@ -175,44 +201,35 @@ int main(int argc, char** argv) { } + // 等待子进程结束,并统计空闲和可能可用的核心数 for (i = 0; i < cpu_cnt; i++) { - int ret; if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed"); if (WEXITSTATUS(ret) == 0) idle_cpus++; if (WEXITSTATUS(ret) <= 1) maybe_cpus++; - } + // 根据空闲和可能可用的核心数打印结果 SAYF(cGRA "\n>>> "); if (idle_cpus) { - if (maybe_cpus == idle_cpus) { - SAYF(cLGN "PASS: " cRST "You can run more processes on %u core%s.", idle_cpus, idle_cpus > 1 ? "s" : ""); - } else { - SAYF(cLGN "PASS: " cRST "You can run more processes on %u to %u core%s.", idle_cpus, maybe_cpus, maybe_cpus > 1 ? "s" : ""); - } - SAYF(cGRA " <<<" cRST "\n\n"); return 0; - } if (maybe_cpus) { - SAYF(cYEL "CAUTION: " cRST "You may still have %u core%s available.", maybe_cpus, maybe_cpus > 1 ? "s" : ""); SAYF(cGRA " <<<" cRST "\n\n"); return 1; - } SAYF(cLRD "FAIL: " cRST "All cores are overbooked."); @@ -221,38 +238,35 @@ int main(int argc, char** argv) { #else + // 如果没有CPU亲和性支持,则执行总体抢占率的测量 u32 util_perc; SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n"); - /* Run a busy loop for CTEST_TARGET_MS. */ + /* 运行一个忙循环,持续CTEST_TARGET_MS毫秒。 */ ACTF("Measuring gross preemption rate (this will take %0.02f sec)...", ((double)CTEST_TARGET_MS) / 1000); + // 测量抢占率 util_perc = measure_preemption(CTEST_TARGET_MS); - /* Deliver the final verdict. */ + /* 输出最终结果。 */ SAYF(cGRA "\n>>> "); if (util_perc < 105) { - SAYF(cLGN "PASS: " cRST "You can probably run additional processes."); - } else if (util_perc < 130) { - SAYF(cYEL "CAUTION: " cRST "Your CPU may be somewhat overbooked (%u%%).", util_perc); - } else { - SAYF(cLRD "FAIL: " cRST "Your CPU is overbooked (%u%%).", util_perc); - } SAYF(cGRA " <<<" cRST "\n\n"); + // 返回结果代码 return (util_perc > 105) + (util_perc > 130); #endif /* ^HAVE_AFFINITY */ -- 2.34.1