/*
   american fuzzy lop++ - vaguely configurable bits
   ------------------------------------------------

   Originally written by Michal Zalewski

   Now maintained by Marc Heuse <[email protected]>,
                     Dominik Maier <[email protected]>
                     Andrea Fioraldi <[email protected]>,
                     Heiko Eissfeldt <[email protected]>,

   Copyright 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019-2024 AFLplusplus Project. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     https://www.apache.org/licenses/LICENSE-2.0

   Every setting in this header is a preprocessor constant, so a change
   only takes effect once the tool that includes it is rebuilt (and, where
   a comment below says so, the instrumented target as well).

 */

/* NOTE(review): identifiers that start with an underscore followed by an
   uppercase letter are reserved for the C implementation; a project-prefixed
   guard (e.g. AFL_CONFIG_H) would avoid that. Left unchanged here because
   renaming it is not a comment-only edit. */
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H

/* Version string: */

// c = release, a = volatile github dev, e = experimental branch
#define VERSION "++4.10c"

/******************************************************
 *                                                    *
 *  Settings that may be of interest to power users:  *
 *                                                    *
 ******************************************************/

/* Default shared memory map size. Most targets just need a coverage map
   between 20-250kb. Plus there is an auto-detection feature in afl-fuzz.
   However if a target has problematic constructors and init arrays then
   this can fail. Hence afl-fuzz deploys a larger default map. The largest
   map seen so far is the xlsx fuzzer for libreoffice which is 5MB.
   At runtime this value can be overridden via AFL_MAP_SIZE.
   Default: 8MB (defined in bytes, 8 * 1024 * 1024 = 8388608) */
#define DEFAULT_SHMEM_SIZE (8 * 1024 * 1024)

/* Default time until, when no more coverage finds are happening, afl-fuzz
   switches to exploitation mode. It automatically switches back when new
   coverage is found.
   The value below is 1000 (seconds).
   NOTE(review): the previous comment text said "Default: 300"; keep the
   comment and the value in sync when either is changed. */
#define STRATEGY_SWITCH_TIME 1000

/* Default file permission mode when creating files (default: 0600).
   The literal is octal: owner read/write only, no group or other access. */
#define DEFAULT_PERMISSION 0600

/* SkipDet's global configuration.
   Units are not stated here; the *_TIME values presumably follow the time
   base of the SkipDet code (SMALL_DET_TIME reads as 60 s in microseconds,
   THRESHOLD_DEC_TIME as 20 min in milliseconds) - confirm against the code
   that consumes them before relying on that reading. */

#define MINIMAL_BLOCK_SIZE 64
#define SMALL_DET_TIME (60 * 1000 * 1000U)
#define MAXIMUM_INF_EXECS (16 * 1024U)
#define MAXIMUM_QUICK_EFF_EXECS (64 * 1024U)
#define THRESHOLD_DEC_TIME (20 * 60 * 1000U)

/* Set the probability of selecting eff_bytes to 3 times the original.
   Now disabled. */
#define EFF_HAVOC_RATE 3

/* CMPLOG/REDQUEEN TUNING
 *
 * Here you can modify tuning and solving options for CMPLOG.
 * Note that these are run-time options for afl-fuzz, no target
 * recompilation required (afl-fuzz itself still has to be rebuilt).
 *
 */

/* If a redqueen pass finds more than one solution, try to combine them? */
#define CMPLOG_COMBINE

/* Minimum % of the corpus to perform cmplog on. The value below is 5%.
   NOTE(review): the previous comment text said "Default: 10%"; keep the
   comment and the value in sync when either is changed. */
#define CMPLOG_CORPUS_PERCENT 5U

/* Number of potential positions from which we decide if cmplog becomes
   useless, default 12288 (12 * 1024). */
#define CMPLOG_POSITIONS_MAX (12 * 1024)

/* Maximum allowed fails per CMP value. Default: 96 */
#define CMPLOG_FAIL_MAX 96

/* -------------------------------------*/
/* Now non-cmplog configuration options */
/* -------------------------------------*/

/* If a persistent target keeps state and found crashes are not reproducible,
   then enable this option and set the AFL_PERSISTENT_RECORD env variable
   to a number. That many test cases prior to and including the crash case
   will be kept and written to the crash/ directory as RECORD:... files.
   Note that every crash will be written, not only unique ones! */

// #define AFL_PERSISTENT_RECORD

/* Console output colors. There are three ways to configure the behavior:
 * 1. default: colors fixed on - defined USE_COLOR && defined ALWAYS_COLORED.
 *    The env var AFL_NO_COLOR has no effect.
 * 2. defined USE_COLOR && !defined ALWAYS_COLORED
 *    -> colors can be switched off at run-time with AFL_NO_COLOR=1.
 *    Default is to use colors.
 * 3. colors fixed off: !defined USE_COLOR.
 *    The env var AFL_NO_COLOR has no effect.
 */

/* Comment out to disable terminal colors (note that this makes afl-analyze
   a lot less nice): */

#define USE_COLOR

#ifdef USE_COLOR
/* Comment in to always enable terminal colors */
/* Comment out to enable runtime controlled terminal colors via AFL_NO_COLOR
 */
#define ALWAYS_COLORED 1
#endif

/* StatsD config.
   Host and port can be adjusted at run-time via the AFL_STATSD_HOST and
   AFL_STATSD_PORT environment variables. The built-in default host is the
   loopback address, so metrics stay on the local machine unless
   AFL_STATSD_HOST points elsewhere. */
#define STATSD_UPDATE_SEC 1
#define STATSD_DEFAULT_PORT 8125
#define STATSD_DEFAULT_HOST "127.0.0.1"

/* If you want to have the original afl internal memory corruption checks.
   Disabled by default for speed. It is better to use "make ASAN_BUILD=1".
   NOTE(review): as with the include guard, this name is in the
   implementation-reserved identifier space (leading underscore + uppercase). */

// #define _WANT_ORIGINAL_AFL_ALLOC

/* Comment out to disable fancy boxes and use poor man's 7-bit UI: */

#ifndef DISABLE_FANCY
#define FANCY_BOXES
#endif

/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
   also used for detecting hangs; the actual value is auto-scaled: */

#define EXEC_TIMEOUT 1000U

/* Timeout rounding factor when auto-scaling (milliseconds): */

#define EXEC_TM_ROUND 20U

/* 64bit arch MACRO: set when the compiler identifies an x86-64 or AArch64
   target. */
#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
#define WORD_SIZE_64 1
#endif

/* Default memory limit for child process (MB) 0 = disabled : */

#define MEM_LIMIT 0U

/* Default memory limit when running in QEMU mode (MB) 0 = disabled : */

#define MEM_LIMIT_QEMU 0U

/* Default memory limit when running in Unicorn mode (MB) 0 = disabled : */

#define MEM_LIMIT_UNICORN 0U

/* Number of calibration cycles per every new test case (and for test
   cases that show variable behavior): */

#define CAL_CYCLES_FAST 3U
#define CAL_CYCLES 7U
#define CAL_CYCLES_LONG 12U

/* Number of subsequent timeouts before abandoning an input file: */

#define TMOUT_LIMIT 250U

/* Maximum number of unique hangs or crashes to record: */

#define KEEP_UNIQUE_HANG 500U
#define KEEP_UNIQUE_CRASH 10000U

/* Baseline number of random tweaks during a single 'havoc' stage: */

#define HAVOC_CYCLES 256U
#define HAVOC_CYCLES_INIT 1024U

/* Maximum multiplier for the above (should be a power of two, beware
   of 32-bit int overflows): */

#define HAVOC_MAX_MULT 64U
#define HAVOC_MAX_MULT_MOPT 64U

/* Absolute minimum number of havoc cycles (after all adjustments): */

#define HAVOC_MIN 12U

/* Power Schedule Divisor */
#define POWER_BETA 1U
#define MAX_FACTOR (POWER_BETA * 32)

/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
   like this:

   n = random between 1 and HAVOC_STACK_POW2
   stacking = 2^n

   In other words, the default (n = 4) produces 2, 4, 8, 16
   stacked tweaks: */

#define HAVOC_STACK_POW2 4U

/* Caps on block sizes for cloning and deletion operations. Each of these
   ranges has a 33% probability of getting picked, except for the first
   two cycles where smaller blocks are favored: */

#define HAVOC_BLK_SMALL 32U
#define HAVOC_BLK_MEDIUM 128U
#define HAVOC_BLK_LARGE 1500U

/* Extra-large blocks, selected very rarely (<5% of the time): */

#define HAVOC_BLK_XL 32768U

/* Probabilities of skipping non-favored entries in the queue, expressed as
   percentages: */

#define SKIP_TO_NEW_PROB 99   /* ...when there are new, pending favorites */
#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */

/* Splicing cycle count: */

#define SPLICE_CYCLES 15

/* Nominal per-splice havoc cycle length: */

#define SPLICE_HAVOC 32

/* Maximum offset for integer addition / subtraction stages: */

#define ARITH_MAX 35

/* Limits for the test case trimmer. The absolute minimum chunk size; and
   the starting and ending divisors for chopping up the input file: */

#define TRIM_MIN_BYTES 4
#define TRIM_START_STEPS 16
#define TRIM_END_STEPS 1024

/* Maximum size of input file, in bytes (keep under 100MB, default 1MB).
   (Note that if this value is changed, several areas in afl-cc.c, afl-fuzz.c
   and afl-fuzz-state.c have to be changed as well!) */

#define MAX_FILE (1 * 1024 * 1024L)

/* The same, for the test case minimizer: */

#define TMIN_MAX_FILE (10 * 1024 * 1024L)

/* Block normalization steps for afl-tmin: */

#define TMIN_SET_MIN_SIZE 4
#define TMIN_SET_STEPS 128

/* Maximum dictionary token size (-x), in bytes: */

#define MAX_DICT_FILE 128

/* Length limits for auto-detected dictionary tokens: */

#define MIN_AUTO_EXTRA 3
#define MAX_AUTO_EXTRA 32

/* Maximum number of user-specified dictionary tokens to use in deterministic
   steps; past this point, the "extras/user" step will still be carried out,
   but with proportionally lower odds: */

#define MAX_DET_EXTRAS 256

/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
   (first value), and to keep in memory as candidates. The latter should be much
   higher than the former. */

#define USE_AUTO_EXTRAS 4096
#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 8)

/* Scaling factor for the effector map used to skip some of the more
   expensive deterministic steps. The actual divisor is set to
   2^EFF_MAP_SCALE2 bytes: */

#define EFF_MAP_SCALE2 3

/* Minimum input file length at which the effector logic kicks in: */

#define EFF_MIN_LEN 128

/* Maximum effector density past which everything is just fuzzed
   unconditionally (%): */

#define EFF_MAX_PERC 90

/* UI refresh frequency (Hz): */

#define UI_TARGET_HZ 5

/* Fuzzer stats file, queue stats and plot update intervals (sec): */

#define STATS_UPDATE_SEC 60
#define PLOT_UPDATE_SEC 5
#define QUEUE_UPDATE_SEC 1800

/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing).
 */

#define AVG_SMOOTHING 16

/* Sync interval (every n havoc cycles): */

#define SYNC_INTERVAL 8

/* Sync time (minimum time between syncing in ms, time is halved for -M main
   nodes) - default is 30 minutes: */

#define SYNC_TIME (30 * 60 * 1000)

/* Output directory reuse grace period (minutes): */

#define OUTPUT_GRACE 25

/* Uncomment to use simple file names (id_NNNNNN): */

// #define SIMPLE_FILES

/* List of interesting values to use in fuzzing. Each *_LEN below must equal
   the number of entries in the matching list. */

#define INTERESTING_8                                    \
  -128,    /* Overflow signed 8-bit when decremented  */ \
  -1,      /*                                         */ \
  0,       /*                                         */ \
  1,       /*                                         */ \
  16,      /* One-off with common buffer size         */ \
  32,      /* One-off with common buffer size         */ \
  64,      /* One-off with common buffer size         */ \
  100,     /* One-off with common buffer size         */ \
  127      /* Overflow signed 8-bit when incremented  */

#define INTERESTING_8_LEN 9

#define INTERESTING_16                                   \
  -32768,  /* Overflow signed 16-bit when decremented */ \
  -129,    /* Overflow signed 8-bit                   */ \
  128,     /* Overflow signed 8-bit                   */ \
  255,     /* Overflow unsigned 8-bit when incremented */ \
  256,     /* Overflow unsigned 8-bit                 */ \
  512,     /* One-off with common buffer size         */ \
  1000,    /* One-off with common buffer size         */ \
  1024,    /* One-off with common buffer size         */ \
  4096,    /* One-off with common buffer size         */ \
  32767    /* Overflow signed 16-bit when incremented */

#define INTERESTING_16_LEN 10

/* The LL suffix on the first entry keeps the literal's type the same on
   32- and 64-bit targets (2147483648 does not fit in int, so the unsuffixed
   form would be long on LP64 but long long on ILP32). */
#define INTERESTING_32                                         \
  -2147483648LL, /* Overflow signed 32-bit when decremented */ \
  -100663046,    /* Large negative number (endian-agnostic) */ \
  -32769,        /* Overflow signed 16-bit                  */ \
  32768,         /* Overflow signed 16-bit                  */ \
  65535,         /* Overflow unsigned 16-bit when incremented */ \
  65536,         /* Overflow unsigned 16-bit                */ \
  100663045,     /* Large positive number (endian-agnostic) */ \
  2139095040,    /* 0x7F800000: IEEE-754 single +infinity   */ \
  2147483647     /* Overflow signed 32-bit when incremented */

#define INTERESTING_32_LEN 9

/***********************************************************
 *                                                         *
 *  Really exotic stuff you probably don't want to touch:  *
 *                                                         *
 ***********************************************************/

/* Call count interval between reseeding the PRNG from /dev/urandom: */

#define RESEED_RNG 2500000

/* The default maximum testcase cache size in MB, 0 = disable.
   A value between 50 and 250 is a good default value. Note that the
   number of entries will be auto assigned if not specified via the
   AFL_TESTCACHE_ENTRIES env variable */

#define TESTCASE_CACHE_SIZE 50

/* Maximum line length passed from GCC to 'as' and used for parsing
   configuration files: */

#define MAX_LINE 8192

/* Environment variable used to pass SHM ID to the called program. */

#define SHM_ENV_VAR "__AFL_SHM_ID"

/* Environment variable used to pass SHM FUZZ ID to the called program. */

#define SHM_FUZZ_ENV_VAR "__AFL_SHM_FUZZ_ID"

/* Other less interesting, internal-only variables. These are environment
   variable names exchanged between the AFL++ tools and the programs they
   launch; the leading double underscore is part of the string value, not
   a C identifier. */

#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
#define PERSIST_ENV_VAR "__AFL_PERSISTENT"
#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"

/* In-code signatures for deferred and persistent mode. These are string
   literals embedded in the target binary so the fuzzer can detect the mode
   from the binary itself. */

#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"

/* Distinctive bitmap signature used to indicate failed execution: */

#define EXEC_FAIL_SIG 0xfee1dead

/* Distinctive exit code used to indicate MSAN trip condition: */

#define MSAN_ERROR 86

/* Distinctive exit code used to indicate LSAN trip condition: */

#define LSAN_ERROR 23

/* Designated file descriptors for forkserver commands (the application will
   use FORKSRV_FD and FORKSRV_FD + 1, i.e. 198 and 199). A target that
   closes or reuses these descriptors will presumably break the fork server
   handshake, so keep them clear of anything the target manages itself. */

#define FORKSRV_FD 198

/* Fork server init timeout multiplier: we'll wait the user-selected
   timeout plus this much for the fork server to spin up. */

#define FORK_WAIT_MULT 10

/* Calibration timeout adjustments, to be a bit more generous when resuming
   fuzzing sessions or trying to calibrate already-added internal finds.
   The first value is a percentage, the other is in milliseconds: */

#define CAL_TMOUT_PERC 125
#define CAL_TMOUT_ADD 50

/* Number of chances to calibrate a case before giving up: */

#define CAL_CHANCES 3

/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
   2; you probably want to keep it under 18 or so for performance reasons
   (adjusting AFL_INST_RATIO when compiling is probably a better way to solve
   problems with complex programs). You need to recompile the target binary
   after changing this - otherwise, SEGVs may ensue. */

#define MAP_SIZE_POW2 16

/* Do not change this unless you really know what you are doing.
   MAP_SIZE is the compiled-in map size (64 KiB at MAP_SIZE_POW2 = 16).
   When it is 65536 bytes or less, the initial map allocation is bumped
   to 2 MiB (2 << 20 = 2097152); larger compiled-in maps use MAP_SIZE
   directly. */

#define MAP_SIZE (1U << MAP_SIZE_POW2)
#if MAP_SIZE <= 65536
#define MAP_INITIAL_SIZE (2 << 20)  // = 2097152
#else
#define MAP_INITIAL_SIZE MAP_SIZE
#endif

/* Maximum allocator request size (keep well under INT_MAX):
   0x40000000 is 1 GiB (2^30), which leaves headroom below INT_MAX (2^31-1)
   for size arithmetic done in int. */

#define MAX_ALLOC 0x40000000

/* A made-up hashing seed: */

#define HASH_CONST 0xa5b35705

/* Constants for afl-gotcpu to control busy loop timing: */

#define CTEST_TARGET_MS 5000
#define CTEST_CORE_TRG_MS 1000
#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)

/* Enable NeverZero counters in QEMU mode */

#define AFL_QEMU_NOT_ZERO

/* AFL RedQueen: environment variable carrying the CMPLOG shared memory id. */

#define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID"

/* CPU Affinity lockfile env var */

#define CPU_AFFINITY_ENV_VAR "__AFL_LOCKFILE"

/* Uncomment this to use inferior block-coverage-based instrumentation. Note
   that you need to recompile the target binary for this to have any effect: */

// #define COVERAGE_ONLY

/* Uncomment this to ignore hit counts and output just one bit per tuple.
   As with the previous setting, you will need to recompile the target
   binary: */

// #define SKIP_COUNTS

/* Uncomment this to use instrumentation data to record newly discovered paths,
   but do not use them as seeds for fuzzing. This is useful for conveniently
   measuring coverage that could be attained by a "dumb" fuzzing algorithm: */

// #define IGNORE_FINDS

/* Text mutations */

/* Minimum length of a queue input to be evaluated for "is_ascii"? */

#define AFL_TXT_MIN_LEN 12

/* Maximum length of a queue input to be evaluated for "is_ascii"? */

#define AFL_TXT_MAX_LEN 65535

/* What is the minimum percentage of ascii characters present to be classified
   as "is_ascii"? */

#define AFL_TXT_MIN_PERCENT 99

/* How often to perform ASCII mutations. 0 = disable, 1-8 are good values */

#define AFL_TXT_BIAS 6

/* Maximum length of a string to tamper with */

#define AFL_TXT_STRING_MAX_LEN 1024

/* Maximum mutations on a string */

#define AFL_TXT_STRING_MAX_MUTATIONS 6

#endif /* ! _HAVE_CONFIG_H */
