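/*
   american fuzzy lop++ - vaguely configurable bits
   ------------------------------------------------

   Originally written by Michal Zalewski

   Now maintained by Marc Heuse <[email protected]>,
                     Dominik Maier <[email protected]>
                     Andrea Fioraldi <[email protected]>,
                     Heiko Eissfeldt <[email protected]>,

   Copyright 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019-2024 AFLplusplus Project. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     https://www.apache.org/licenses/LICENSE-2.0

 */

/* NOTE: the guard name below (leading underscore + uppercase) is a
   reserved identifier in C. It is kept unchanged for compatibility with
   everything that already tests for it; do not copy the pattern into new
   headers. The matching #endif lives at the very end of this file. */

#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H

/* Version string: */

// c = release, a = volatile github dev, e = experimental branch
#define VERSION "++4.10c"

/******************************************************
 *                                                    *
 *  Settings that may be of interest to power users:  *
 *                                                    *
 ******************************************************/

/* Default shared memory map size. Most targets just need a coverage map
   between 20-250kb. Plus there is an auto-detection feature in afl-fuzz.
   However if a target has problematic constructors and init arrays then
   this can fail. Hence afl-fuzz deploys a larger default map. The largest
   map seen so far is the xlsx fuzzer for libreoffice which is 5MB.
   At runtime this value can be overridden via AFL_MAP_SIZE.
   Default: 8MB (defined in bytes) */
#define DEFAULT_SHMEM_SIZE (8 * 1024 * 1024)

/* Default time until when no more coverage finds are happening afl-fuzz
   switches to exploitation mode. It automatically switches back when new
   coverage is found.
   Default: 1000 (seconds). The value below is authoritative; an older
   revision of this comment claimed 300, which never matched the define. */
#define STRATEGY_SWITCH_TIME 1000

/* Default file permission mode when creating files (default: 0600).
   0600 = owner read/write only, so queue/crash/hang artefacts written by
   the fuzzer are not readable by other local users. Loosen this only if
   you deliberately want to share the output directory. */
#define DEFAULT_PERMISSION 0600

/* SkipDet's global configuration */

#define MINIMAL_BLOCK_SIZE 64
#define SMALL_DET_TIME (60 * 1000 * 1000U)
#define MAXIMUM_INF_EXECS (16 * 1024U)
#define MAXIMUM_QUICK_EFF_EXECS (64 * 1024U)
#define THRESHOLD_DEC_TIME (20 * 60 * 1000U)

/* Set the Prob of selecting eff_bytes 3 times more than original,
   Now disabled */
#define EFF_HAVOC_RATE 3

/* CMPLOG/REDQUEEN TUNING
 *
 * Here you can modify tuning and solving options for CMPLOG.
 * Note that these are run-time options for afl-fuzz, no target
 * recompilation required.
 *
 */

/* If a redqueen pass finds more than one solution, try to combine them? */
#define CMPLOG_COMBINE

/* Minimum % of the corpus to perform cmplog on. Default: 5%
   (the define below is authoritative; an older revision of this comment
   said 10%, which never matched the value). */
#define CMPLOG_CORPUS_PERCENT 5U

/* Number of potential positions from which we decide if cmplog becomes
   useless, default 12288 */
#define CMPLOG_POSITIONS_MAX (12 * 1024)

/* Maximum allowed fails per CMP value. Default: 96 */
#define CMPLOG_FAIL_MAX 96

/* -------------------------------------*/
/* Now non-cmplog configuration options */
/* -------------------------------------*/

/* If a persistent target keeps state and found crashes are not reproducible
   then enable this option and set the AFL_PERSISTENT_RECORD env variable
   to a number. This many testcases prior to and including the crash case
   will be kept and written to the crash/ directory as RECORD:... files.
   Note that every crash will be written, not only unique ones! On a target
   that crashes often this can therefore fill the output directory quickly;
   keep an eye on disk usage when it is enabled. */

// #define AFL_PERSISTENT_RECORD

/* console output colors: There are three ways to configure its behavior
 * 1. default: colored outputs fixed on: defined USE_COLOR && defined
 * ALWAYS_COLORED The env var. AFL_NO_COLOR will have no effect
 * 2. defined USE_COLOR && !defined ALWAYS_COLORED
 *    -> depending on env var AFL_NO_COLOR=1 colors can be switched off
 *    at run-time. Default is to use colors.
 * 3. colored outputs fixed off: !defined USE_COLOR
 *    The env var. AFL_NO_COLOR will have no effect
 */

/* Comment out to disable terminal colors (note that this makes afl-analyze
   a lot less nice): */

#define USE_COLOR

#ifdef USE_COLOR
  /* Comment in to always enable terminal colors */
  /* Comment out to enable runtime controlled terminal colors via AFL_NO_COLOR
   */
  #define ALWAYS_COLORED 1
#endif

/* StatsD config
   Config can be adjusted via AFL_STATSD_HOST and AFL_STATSD_PORT environment
   variable.
   NOTE(review): StatsD has no authentication or transport protection; the
   loopback default keeps fuzzer statistics on this host. Point
   AFL_STATSD_HOST elsewhere only when you intend the metrics (target name,
   paths, throughput) to be visible on the network.
 */
#define STATSD_UPDATE_SEC 1
#define STATSD_DEFAULT_PORT 8125
#define STATSD_DEFAULT_HOST "127.0.0.1"

/* If you want to have the original afl internal memory corruption checks.
   Disabled by default for speed. it is better to use "make ASAN_BUILD=1". */

// #define _WANT_ORIGINAL_AFL_ALLOC

/* Comment out to disable fancy boxes and use poor man's 7-bit UI: */

#ifndef DISABLE_FANCY
  #define FANCY_BOXES
#endif

/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
   also used for detecting hangs; the actual value is auto-scaled: */

#define EXEC_TIMEOUT 1000U

/* Timeout rounding factor when auto-scaling (milliseconds): */

#define EXEC_TM_ROUND 20U

/* 64bit arch MACRO.
   NOTE(review): only x86_64 and arm64/aarch64 are recognised here; other
   64-bit targets (ppc64, riscv64, s390x, ...) will build without
   WORD_SIZE_64. Verify what depends on this macro before porting. */
#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
  #define WORD_SIZE_64 1
#endif

/* Default memory limit for child process (MB) 0 = disabled : */

/* With the limit disabled nothing caps the target's memory use, so a
   runaway or deliberately memory-hungry input can exhaust the host.
   Set an explicit limit at run time on shared machines. */
#define MEM_LIMIT 0U

/* Default memory limit when running in QEMU mode (MB) 0 = disabled : */

#define MEM_LIMIT_QEMU 0U

/* Default memory limit when running in Unicorn mode (MB) 0 = disabled : */

#define MEM_LIMIT_UNICORN 0U

/* Number of calibration cycles per every new test case (and for test
   cases that show variable behavior): */

#define CAL_CYCLES_FAST 3U
#define CAL_CYCLES 7U
#define CAL_CYCLES_LONG 12U

/* Number of subsequent timeouts before abandoning an input file: */

#define TMOUT_LIMIT 250U

/* Maximum number of unique hangs or crashes to record: */

#define KEEP_UNIQUE_HANG 500U
#define KEEP_UNIQUE_CRASH 10000U

/* Baseline number of random tweaks during a single 'havoc' stage: */

#define HAVOC_CYCLES 256U
#define HAVOC_CYCLES_INIT 1024U

/* Maximum multiplier for the above (should be a power of two, beware
   of 32-bit int overflows): */

#define HAVOC_MAX_MULT 64U
#define HAVOC_MAX_MULT_MOPT 64U

/* Absolute minimum number of havoc cycles (after all adjustments): */

#define HAVOC_MIN 12U

/* Power Schedule Divisor */
#define POWER_BETA 1U
#define MAX_FACTOR (POWER_BETA * 32)

/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
   like this:

   n = random between 1 and HAVOC_STACK_POW2
   stacking = 2^n

   In other words, the default (n = 4) produces 2, 4, 8, 16
   stacked tweaks: */

#define HAVOC_STACK_POW2 4U

/* Caps on block sizes for cloning and deletion operations. Each of these
   ranges has a 33% probability of getting picked, except for the first
   two cycles where smaller blocks are favored: */

#define HAVOC_BLK_SMALL 32U
#define HAVOC_BLK_MEDIUM 128U
#define HAVOC_BLK_LARGE 1500U

/* Extra-large blocks, selected very rarely (<5% of the time): */

#define HAVOC_BLK_XL 32768U

/* Probabilities of skipping non-favored entries in the queue, expressed as
   percentages: */

#define SKIP_TO_NEW_PROB 99   /* ...when there are new, pending favorites */
#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */

/* Splicing cycle count: */

#define SPLICE_CYCLES 15

/* Nominal per-splice havoc cycle length: */

#define SPLICE_HAVOC 32

/* Maximum offset for integer addition / subtraction stages: */

#define ARITH_MAX 35

/* Limits for the test case trimmer. The absolute minimum chunk size; and
   the starting and ending divisors for chopping up the input file: */

#define TRIM_MIN_BYTES 4
#define TRIM_START_STEPS 16
#define TRIM_END_STEPS 1024

/* Maximum size of input file, in bytes (keep under 100MB, default 1MB).
   (Note that if this value is changed, several areas in afl-cc.c, afl-fuzz.c
   and afl-fuzz-state.c have to be changed as well!) */

#define MAX_FILE (1 * 1024 * 1024L)

/* The same, for the test case minimizer: */

#define TMIN_MAX_FILE (10 * 1024 * 1024L)

/* Block normalization steps for afl-tmin: */

#define TMIN_SET_MIN_SIZE 4
#define TMIN_SET_STEPS 128

/* Maximum dictionary token size (-x), in bytes: */

#define MAX_DICT_FILE 128

/* Length limits for auto-detected dictionary tokens: */

#define MIN_AUTO_EXTRA 3
#define MAX_AUTO_EXTRA 32

/* Maximum number of user-specified dictionary tokens to use in deterministic
   steps; past this point, the "extras/user" step will be still carried out,
   but with proportionally lower odds: */

#define MAX_DET_EXTRAS 256

/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
   (first value), and to keep in memory as candidates. The latter should be much
   higher than the former. */

#define USE_AUTO_EXTRAS 4096
#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 8)

/* Scaling factor for the effector map used to skip some of the more
   expensive deterministic steps. The actual divisor is set to
   2^EFF_MAP_SCALE2 bytes: */

#define EFF_MAP_SCALE2 3

/* Minimum input file length at which the effector logic kicks in: */

#define EFF_MIN_LEN 128

/* Maximum effector density past which everything is just fuzzed
   unconditionally (%): */

#define EFF_MAX_PERC 90

/* UI refresh frequency (Hz): */

#define UI_TARGET_HZ 5

/* Fuzzer stats file, queue stats and plot update intervals (sec): */

#define STATS_UPDATE_SEC 60
#define PLOT_UPDATE_SEC 5
#define QUEUE_UPDATE_SEC 1800

/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */

#define AVG_SMOOTHING 16

/* Sync interval (every n havoc cycles): */

#define SYNC_INTERVAL 8

/* Sync time (minimum time between syncing in ms, time is halved for -M main
   nodes) - default is 30 minutes: */

#define SYNC_TIME (30 * 60 * 1000)

/* Output directory reuse grace period (minutes): */

#define OUTPUT_GRACE 25

/* Uncomment to use simple file names (id_NNNNNN): */

// #define SIMPLE_FILES

/* List of interesting values to use in fuzzing. The *_LEN constants must
   equal the number of entries in the matching list. */

#define INTERESTING_8                                    \
  -128,    /* Overflow signed 8-bit when decremented  */ \
      -1,  /*                                         */ \
      0,   /*                                         */ \
      1,   /*                                         */ \
      16,  /* One-off with common buffer size         */ \
      32,  /* One-off with common buffer size         */ \
      64,  /* One-off with common buffer size         */ \
      100, /* One-off with common buffer size         */ \
      127  /* Overflow signed 8-bit when incremented  */

#define INTERESTING_8_LEN 9

#define INTERESTING_16                                    \
  -32768,   /* Overflow signed 16-bit when decremented */ \
      -129, /* Overflow signed 8-bit                   */ \
      128,  /* Overflow signed 8-bit                   */ \
      255,  /* Overflow unsigned 8-bit when incremented */ \
      256,  /* Overflow unsigned 8-bit                 */ \
      512,  /* One-off with common buffer size         */ \
      1000, /* One-off with common buffer size         */ \
      1024, /* One-off with common buffer size         */ \
      4096, /* One-off with common buffer size         */ \
      32767 /* Overflow signed 16-bit when incremented */

#define INTERESTING_16_LEN 10

#define INTERESTING_32                                          \
  -2147483648LL,  /* Overflow signed 32-bit when decremented */ \
      -100663046, /* Large negative number (endian-agnostic) */ \
      -32769,     /* Overflow signed 16-bit                  */ \
      32768,      /* Overflow signed 16-bit                  */ \
      65535,      /* Overflow unsigned 16-bit when incremented */ \
      65536,      /* Overflow unsigned 16 bit                */ \
      100663045,  /* Large positive number (endian-agnostic) */ \
      2139095040, /* float +inf (IEEE-754 single, 0x7f800000) */ \
      2147483647  /* Overflow signed 32-bit when incremented */

#define INTERESTING_32_LEN 9

/***********************************************************
 *                                                         *
 *  Really exotic stuff you probably don't want to touch:  *
 *                                                         *
 ***********************************************************/

/* Call count interval between reseeding the PRNG from /dev/urandom: */

#define RESEED_RNG 2500000

/* The default maximum testcase cache size in MB, 0 = disable.
   A value between 50 and 250 is a good default value. Note that the
   number of entries will be auto assigned if not specified via the
   AFL_TESTCACHE_ENTRIES env variable */

#define TESTCASE_CACHE_SIZE 50

/* Maximum line length passed from GCC to 'as' and used for parsing
   configuration files: */

#define MAX_LINE 8192

/* Environment variable used to pass SHM ID to the called program. */

#define SHM_ENV_VAR "__AFL_SHM_ID"

/* Environment variable used to pass SHM FUZZ ID to the called program. */

#define SHM_FUZZ_ENV_VAR "__AFL_SHM_FUZZ_ID"

/* Other less interesting, internal-only variables. */

#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
#define PERSIST_ENV_VAR "__AFL_PERSISTENT"
#define DEFER_ENV_VAR "__AFL_DEFER_FORKSRV"

/* In-code signatures for deferred and persistent mode. */

#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"

/* Distinctive bitmap signature used to indicate failed execution: */

#define EXEC_FAIL_SIG 0xfee1dead

/* Distinctive exit code used to indicate MSAN trip condition: */

#define MSAN_ERROR 86

/* Distinctive exit code used to indicate LSAN trip condition: */

#define LSAN_ERROR 23

/* Designated file descriptors for forkserver commands (the application will
   use FORKSRV_FD and FORKSRV_FD + 1). A target that closes or reuses these
   two descriptors will presumably break fork-server communication. */

#define FORKSRV_FD 198

/* Fork server init timeout multiplier: we'll wait the user-selected
   timeout plus this much for the fork server to spin up. */

#define FORK_WAIT_MULT 10

/* Calibration timeout adjustments, to be a bit more generous when resuming
   fuzzing sessions or trying to calibrate already-added internal finds.
   The first value is a percentage, the other is in milliseconds: */

#define CAL_TMOUT_PERC 125
#define CAL_TMOUT_ADD 50

/* Number of chances to calibrate a case before giving up: */

#define CAL_CHANCES 3

/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
   2; you probably want to keep it under 18 or so for performance reasons
   (adjusting AFL_INST_RATIO when compiling is probably a better way to solve
   problems with complex programs). You need to recompile the target binary
   after changing this - otherwise, SEGVs may ensue. */

#define MAP_SIZE_POW2 16

/* Do not change this unless you really know what you are doing. */

#define MAP_SIZE (1U << MAP_SIZE_POW2)
#if MAP_SIZE <= 65536
  #define MAP_INITIAL_SIZE (2 << 20)  // = 2097152 (2 MiB)
#else
  #define MAP_INITIAL_SIZE MAP_SIZE
#endif

/* Maximum allocator request size (keep well under INT_MAX): 1 GiB */

#define MAX_ALLOC 0x40000000

/* A made-up hashing seed.
   NOTE(review): this is a fixed, public constant, not a secret. Hashes
   seeded with it are suitable for indexing and de-duplication only; do not
   treat them as collision resistant against an adversarial target. */

#define HASH_CONST 0xa5b35705

/* Constants for afl-gotcpu to control busy loop timing: */

#define CTEST_TARGET_MS 5000
#define CTEST_CORE_TRG_MS 1000
#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)

/* Enable NeverZero counters in QEMU mode */

#define AFL_QEMU_NOT_ZERO
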
486*08b48e0bSAndroid Build Coastguard Worker /* AFL RedQueen */ 487*08b48e0bSAndroid Build Coastguard Worker 488*08b48e0bSAndroid Build Coastguard Worker #define CMPLOG_SHM_ENV_VAR "__AFL_CMPLOG_SHM_ID" 489*08b48e0bSAndroid Build Coastguard Worker 490*08b48e0bSAndroid Build Coastguard Worker /* CPU Affinity lockfile env var */ 491*08b48e0bSAndroid Build Coastguard Worker 492*08b48e0bSAndroid Build Coastguard Worker #define CPU_AFFINITY_ENV_VAR "__AFL_LOCKFILE" 493*08b48e0bSAndroid Build Coastguard Worker 494*08b48e0bSAndroid Build Coastguard Worker /* Uncomment this to use inferior block-coverage-based instrumentation. Note 495*08b48e0bSAndroid Build Coastguard Worker that you need to recompile the target binary for this to have any effect: */ 496*08b48e0bSAndroid Build Coastguard Worker 497*08b48e0bSAndroid Build Coastguard Worker // #define COVERAGE_ONLY 498*08b48e0bSAndroid Build Coastguard Worker 499*08b48e0bSAndroid Build Coastguard Worker /* Uncomment this to ignore hit counts and output just one bit per tuple. 500*08b48e0bSAndroid Build Coastguard Worker As with the previous setting, you will need to recompile the target 501*08b48e0bSAndroid Build Coastguard Worker binary: */ 502*08b48e0bSAndroid Build Coastguard Worker 503*08b48e0bSAndroid Build Coastguard Worker // #define SKIP_COUNTS 504*08b48e0bSAndroid Build Coastguard Worker 505*08b48e0bSAndroid Build Coastguard Worker /* Uncomment this to use instrumentation data to record newly discovered paths, 506*08b48e0bSAndroid Build Coastguard Worker but do not use them as seeds for fuzzing. 
This is useful for conveniently 507*08b48e0bSAndroid Build Coastguard Worker measuring coverage that could be attained by a "dumb" fuzzing algorithm: */ 508*08b48e0bSAndroid Build Coastguard Worker 509*08b48e0bSAndroid Build Coastguard Worker // #define IGNORE_FINDS 510*08b48e0bSAndroid Build Coastguard Worker 511*08b48e0bSAndroid Build Coastguard Worker /* Text mutations */ 512*08b48e0bSAndroid Build Coastguard Worker 513*08b48e0bSAndroid Build Coastguard Worker /* Minimum length of a queue input to be evaluated for "is_ascii"? */ 514*08b48e0bSAndroid Build Coastguard Worker 515*08b48e0bSAndroid Build Coastguard Worker #define AFL_TXT_MIN_LEN 12 516*08b48e0bSAndroid Build Coastguard Worker 517*08b48e0bSAndroid Build Coastguard Worker /* Maximum length of a queue input to be evaluated for "is_ascii"? */ 518*08b48e0bSAndroid Build Coastguard Worker 519*08b48e0bSAndroid Build Coastguard Worker #define AFL_TXT_MAX_LEN 65535 520*08b48e0bSAndroid Build Coastguard Worker 521*08b48e0bSAndroid Build Coastguard Worker /* What is the minimum percentage of ascii characters present to be classifed 522*08b48e0bSAndroid Build Coastguard Worker as "is_ascii"? 
*/ 523*08b48e0bSAndroid Build Coastguard Worker 524*08b48e0bSAndroid Build Coastguard Worker #define AFL_TXT_MIN_PERCENT 99 525*08b48e0bSAndroid Build Coastguard Worker 526*08b48e0bSAndroid Build Coastguard Worker /* How often to perform ASCII mutations 0 = disable, 1-8 are good values */ 527*08b48e0bSAndroid Build Coastguard Worker 528*08b48e0bSAndroid Build Coastguard Worker #define AFL_TXT_BIAS 6 529*08b48e0bSAndroid Build Coastguard Worker 530*08b48e0bSAndroid Build Coastguard Worker /* Maximum length of a string to tamper with */ 531*08b48e0bSAndroid Build Coastguard Worker 532*08b48e0bSAndroid Build Coastguard Worker #define AFL_TXT_STRING_MAX_LEN 1024 533*08b48e0bSAndroid Build Coastguard Worker 534*08b48e0bSAndroid Build Coastguard Worker /* Maximum mutations on a string */ 535*08b48e0bSAndroid Build Coastguard Worker 536*08b48e0bSAndroid Build Coastguard Worker #define AFL_TXT_STRING_MAX_MUTATIONS 6 537*08b48e0bSAndroid Build Coastguard Worker 538*08b48e0bSAndroid Build Coastguard Worker #endif /* ! _HAVE_CONFIG_H */ 539*08b48e0bSAndroid Build Coastguard Worker 540