/*
   american fuzzy lop++ - target execution related routines
   --------------------------------------------------------

   Originally written by Michal Zalewski

   Now maintained by Marc Heuse <[email protected]>,
                        Heiko Eißfeldt <[email protected]> and
                        Andrea Fioraldi <[email protected]> and
                        Dominik Maier <[email protected]>

   Copyright 2016, 2017 Google Inc. All rights reserved.
   Copyright 2019-2024 AFLplusplus Project. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     https://www.apache.org/licenses/LICENSE-2.0

   This is the real deal: the program takes an instrumented binary and
   attempts a variety of basic fuzzing tricks, paying close attention to
   how they affect the execution path.

 */

#include "afl-fuzz.h"
#include <sys/time.h>
#include <signal.h>
#include <limits.h>
/* <limits.h> is not guaranteed to define NAME_MAX; fall back to the X/Open
   minimum so the _AFL_DOCUMENT_MUTATIONS path in write_to_testcase() still
   compiles. */
#if !defined NAME_MAX
#define NAME_MAX _XOPEN_NAME_MAX
#endif

#include "cmplog.h"

#ifdef PROFILING
/* Nanoseconds the fuzzer spent between two target executions (i.e. outside
   the target). Accumulated by fuzz_run_target(); only built with PROFILING. */
u64 time_spent_working = 0;
#endif

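/* Execute target application, monitoring for timeouts. Return status
   information. The called program will update afl->fsrv->trace_bits.

   afl     - fuzzer state; afl->stop_soon is handed to the forkserver so a
             pending Ctrl+C aborts the run, and the custom mutator list is
             walked afterwards for post_run handlers.
   fsrv    - forkserver to execute the target through.
   timeout - execution timeout passed to afl_fsrv_run_target().

   Returns the fsrv_run_result_t reported by afl_fsrv_run_target(). */

fsrv_run_result_t __attribute__((hot))
fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv, u32 timeout) {

#ifdef PROFILING
  /* time_spent_start is stamped when the previous run finished; the delta to
     now is therefore the time the fuzzer itself spent between two runs. */
  static u64      time_spent_start = 0;
  struct timespec spec;
  if (time_spent_start) {

    u64 current;
    /* NOTE(review): CLOCK_REALTIME can jump on wall-clock adjustments;
       CLOCK_MONOTONIC would be the safer choice for an interval measurement. */
    clock_gettime(CLOCK_REALTIME, &spec);
    /* Widen before multiplying: tv_sec is a time_t, which is 32 bits on some
       platforms, and time_t * int would then overflow (signed overflow is UB). */
    current = ((u64)spec.tv_sec * 1000000000ULL) + (u64)spec.tv_nsec;
    time_spent_working += (current - time_spent_start);

  }

#endif

  fsrv_run_result_t res = afl_fsrv_run_target(fsrv, timeout, &afl->stop_soon);

  /* If post_run() function is defined in custom mutator, the function will be
     called each time after AFL++ executes the target program. */

  if (unlikely(afl->custom_mutators_count)) {

    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {

      if (unlikely(el->afl_custom_post_run)) {

        el->afl_custom_post_run(el->data);

      }

    });

  }

#ifdef PROFILING
  /* Stamp the end of this run; the next call charges the gap to the fuzzer. */
  clock_gettime(CLOCK_REALTIME, &spec);
  time_spent_start = ((u64)spec.tv_sec * 1000000000ULL) + (u64)spec.tv_nsec;
#endif

  return res;

}
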
/* Write modified data to file for testing. If afl->fsrv.out_file is set, the
   old file is unlinked and a new one is created. Otherwise, afl->fsrv.out_fd is
   rewound and truncated.

   afl - fuzzer state: custom mutator list, min_length/max_length and the
         out/out_scratch buffers.
   mem - in/out pointer to the test case bytes. If a custom post_process
         handler produces different data, a copy is made in afl's out_scratch
         buffer, *mem is pointed at it and out/out_scratch are swapped, so the
         caller keeps seeing the bytes that were actually delivered. With
         AFL_POST_PROCESS_KEEP_ORIGINAL the original pointer is put back before
         returning.
   len - number of bytes in *mem.
   fix - non-zero for dummy (calibration) runs: the afl->min_length floor is
         not applied, and an empty post_process result still writes len bytes
         instead of skipping the run.

   Returns the length that was handed to the target: new_size after
   post-processing (bounded by min/max length), or len when there are no custom
   mutators, when a custom fuzz_send handler delivered the data itself, or when
   AFL_POST_PROCESS_KEEP_ORIGINAL is set. Returns 0 when post-processing yielded
   no data and fix is 0; nothing is written in that case. */

u32 __attribute__((hot))
write_to_testcase(afl_state_t *afl, void **mem, u32 len, u32 fix) {

  /* set when a custom fuzz_send handler took over delivery */
  u8 sent = 0;

  if (unlikely(afl->custom_mutators_count)) {

    ssize_t new_size = len;
    u8     *new_mem = *mem;
    u8     *new_buf = NULL;

    /* Chain the post_process handlers: each one is fed the previous handler's
       output (new_mem/new_size). */
    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {

      if (el->afl_custom_post_process) {

        new_size =
            el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf);

        /* NULL buffer or non-positive size: the handler produced nothing.
           Record an empty result but keep going; the size check after the
           loop decides whether the run is skipped. */
        if (unlikely(!new_buf || new_size <= 0)) {

          new_size = 0;
          new_buf = new_mem;
          // FATAL("Custom_post_process failed (ret: %lu)", (long
          // unsigned)new_size);

        } else {

          new_mem = new_buf;

        }

      }

    });

    if (unlikely(!new_size)) {

      // perform dummy runs (fix = 1), but skip all others
      if (fix) {

        new_size = len;

      } else {

        return 0;

      }

    }

    /* The min_length floor is skipped for dummy runs; max_length is always
       enforced. */
    if (unlikely(new_size < afl->min_length && !fix)) {

      new_size = afl->min_length;

    } else if (unlikely(new_size > afl->max_length)) {

      new_size = afl->max_length;

    }

    /* Post-processing produced a different buffer: copy it into out_scratch,
       point *mem at the copy and make that the current out buffer. */
    if (new_mem != *mem && new_mem != NULL && new_size > 0) {

      new_buf = afl_realloc(AFL_BUF_PARAM(out_scratch), new_size);
      if (unlikely(!new_buf)) { PFATAL("alloc"); }
      memcpy(new_buf, new_mem, new_size);

      /* if AFL_POST_PROCESS_KEEP_ORIGINAL is set then save the original memory
         prior post-processing in new_mem to restore it later */
      if (unlikely(afl->afl_env.afl_post_process_keep_original)) {

        new_mem = *mem;

      }

      *mem = new_buf;
      afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));

    }

    /* A custom fuzz_send handler delivers the data itself; the forkserver
       write below is then skipped and len is returned unchanged. */
    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {

      if (el->afl_custom_fuzz_send) {

        el->afl_custom_fuzz_send(el->data, *mem, new_size);
        sent = 1;

      }

    });

    if (likely(!sent)) {

      /* everything as planned. use the potentially new data. */
      afl_fsrv_write_to_testcase(&afl->fsrv, *mem, new_size);

      if (likely(!afl->afl_env.afl_post_process_keep_original)) {

        len = new_size;

      } else {

        /* restore the original memory which was saved in new_mem */
        *mem = new_mem;
        afl_swap_bufs(AFL_BUF_PARAM(out), AFL_BUF_PARAM(out_scratch));

      }

    }

  } else { /* !afl->custom_mutators_count */

    if (unlikely(len < afl->min_length && !fix)) {

      len = afl->min_length;

    } else if (unlikely(len > afl->max_length)) {

      len = afl->max_length;

    }

    /* boring uncustom. */
    afl_fsrv_write_to_testcase(&afl->fsrv, *mem, len);

  }

#ifdef _AFL_DOCUMENT_MUTATIONS
  /* Debug aid: dump every test case written to <out_dir>/mutations/ under a
     running counter plus the current mutation description. */
  s32  doc_fd;
  char fn[PATH_MAX];
  snprintf(fn, PATH_MAX, "%s/mutations/%09u:%s", afl->out_dir,
           afl->document_counter++,
           describe_op(afl, 0, NAME_MAX - strlen("000000000:")));

  if ((doc_fd = open(fn, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION)) >=
      0) {

    if (write(doc_fd, *mem, len) != len)
      PFATAL("write to mutation file failed: %s", fn);
    close(doc_fd);

  }

#endif

  return len;

}

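/* The same, but with an adjustable gap. Used for trimming.

   Delivers mem[0..skip_at) followed by mem[skip_at + skip_len..len) to the
   target (shared memory, out_file or out_fd). If custom mutators with a
   post_process handler are loaded, the gap-free copy is run through them first
   and the handlers' output is delivered instead.

   afl      - fuzzer state.
   mem      - test case buffer of len bytes; not modified.
   len      - total length of mem.
   skip_at  - offset of the gap to leave out.
   skip_len - length of the gap. The caller must guarantee
              skip_at + skip_len <= len: tail_len is computed in unsigned
              arithmetic and is not checked here. */

static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
                           u32 skip_len) {

  s32 fd = afl->fsrv.out_fd;
  u32 tail_len = len - skip_at - skip_len;

  /*
  This memory is used to carry out the post_processing(if present) after copying
  the testcase by removing the gaps. This can break though
  */
  u8 *mem_trimmed = afl_realloc(AFL_BUF_PARAM(out_scratch), len - skip_len + 1);
  if (unlikely(!mem_trimmed)) { PFATAL("alloc"); }

  ssize_t new_size = len - skip_len;
  u8     *new_mem = mem;

  /* stays true until the first post_process handler is run, in which case
     new_mem/new_size describe the data to deliver instead of mem + gap */
  bool post_process_skipped = true;

  if (unlikely(afl->custom_mutators_count)) {

    u8 *new_buf = NULL;
    new_mem = mem_trimmed;

    LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {

      if (el->afl_custom_post_process) {

        // We copy into the mem_trimmed only if we actually have custom mutators
        // *with* post_processing installed

        if (post_process_skipped) {

          if (skip_at) { memcpy(mem_trimmed, (u8 *)mem, skip_at); }

          if (tail_len) {

            memcpy(mem_trimmed + skip_at, (u8 *)mem + skip_at + skip_len,
                   tail_len);

          }

          post_process_skipped = false;

        }

        new_size =
            el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf);

        /* Same failure rule as write_to_testcase(): a NULL buffer *or* a
           non-positive size means the handler produced nothing. The previous
           `!new_buf && new_size <= 0` let a NULL buffer with a positive size
           reach the memcpy/ck_write below, and a non-NULL buffer with a
           negative size become a huge size_t copy into shmem_fuzz. */
        if (unlikely(!new_buf || new_size <= 0)) {

          new_size = 0;
          new_buf = new_mem;
          // FATAL("Custom_post_process failed (ret: %lu)", (long
          // unsigned)new_size);

        } else {

          new_mem = new_buf;

        }

      }

    });

    /* Mirror write_to_testcase(): a post_process handler must not hand the
       target more than afl->max_length bytes. The shared-memory memcpy below
       copies new_size bytes without any other bound. Only the post-processed
       path is clamped; the gap path copies skip_at + tail_len bytes and its
       length must stay consistent with that. */
    if (!post_process_skipped &&
        unlikely(new_size > (ssize_t)afl->max_length)) {

      new_size = afl->max_length;

    }

  }

  if (likely(afl->fsrv.use_shmem_fuzz)) {

    if (!post_process_skipped) {

      // If we did post_processing, copy directly from the new_mem buffer

      memcpy(afl->fsrv.shmem_fuzz, new_mem, new_size);

    } else {

      memcpy(afl->fsrv.shmem_fuzz, mem, skip_at);

      memcpy(afl->fsrv.shmem_fuzz + skip_at, mem + skip_at + skip_len,
             tail_len);

    }

    *afl->fsrv.shmem_fuzz_len = new_size;

#ifdef _DEBUG
    if (afl->debug) {

      fprintf(
          stderr, "FS crc: %16llx len: %u\n",
          hash64(afl->fsrv.shmem_fuzz, *afl->fsrv.shmem_fuzz_len, HASH_CONST),
          *afl->fsrv.shmem_fuzz_len);
      fprintf(stderr, "SHM :");
      for (u32 i = 0; i < *afl->fsrv.shmem_fuzz_len; i++)
        fprintf(stderr, "%02x", afl->fsrv.shmem_fuzz[i]);
      fprintf(stderr, "\nORIG:");
      for (u32 i = 0; i < *afl->fsrv.shmem_fuzz_len; i++)
        fprintf(stderr, "%02x", (u8)((u8 *)mem)[i]);
      fprintf(stderr, "\n");

    }

#endif

    return;

  } else if (unlikely(!afl->fsrv.use_stdin)) {

    /* File input: recreate out_file. With no_unlink the existing file is
       truncated in place; otherwise it is removed and created exclusively. */
    if (unlikely(afl->no_unlink)) {

      fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_TRUNC,
                DEFAULT_PERMISSION);

    } else {

      unlink(afl->fsrv.out_file);                     /* Ignore errors. */
      fd = open(afl->fsrv.out_file, O_WRONLY | O_CREAT | O_EXCL,
                DEFAULT_PERMISSION);

    }

    if (fd < 0) { PFATAL("Unable to create '%s'", afl->fsrv.out_file); }

  } else {

    /* stdin input: rewind the persistent out_fd and overwrite it */
    lseek(fd, 0, SEEK_SET);

  }

  if (!post_process_skipped) {

    ck_write(fd, new_mem, new_size, afl->fsrv.out_file);

  } else {

    ck_write(fd, mem, skip_at, afl->fsrv.out_file);

    ck_write(fd, mem + skip_at + skip_len, tail_len, afl->fsrv.out_file);

  }

  if (afl->fsrv.use_stdin) {

    /* drop any leftover bytes from a longer previous test case */
    if (ftruncate(fd, new_size)) { PFATAL("ftruncate() failed"); }
    lseek(fd, 0, SEEK_SET);

  } else {

    close(fd);

  }

}
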
/* Calibrate a new test case. This is done when processing the input directory
   to warn about flaky or otherwise problematic test cases early on; and when
   new paths are discovered to detect variable behavior and so on. */

calibrate_case(afl_state_t * afl,struct queue_entry * q,u8 * use_mem,u32 handicap,u8 from_queue)402*08b48e0bSAndroid Build Coastguard Worker u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
403*08b48e0bSAndroid Build Coastguard Worker u32 handicap, u8 from_queue) {
404*08b48e0bSAndroid Build Coastguard Worker
405*08b48e0bSAndroid Build Coastguard Worker u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0,
406*08b48e0bSAndroid Build Coastguard Worker first_run = (q->exec_cksum == 0);
407*08b48e0bSAndroid Build Coastguard Worker u64 start_us, stop_us, diff_us;
408*08b48e0bSAndroid Build Coastguard Worker s32 old_sc = afl->stage_cur, old_sm = afl->stage_max;
409*08b48e0bSAndroid Build Coastguard Worker u32 use_tmout = afl->fsrv.exec_tmout;
410*08b48e0bSAndroid Build Coastguard Worker u8 *old_sn = afl->stage_name;
411*08b48e0bSAndroid Build Coastguard Worker
412*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
413*08b48e0bSAndroid Build Coastguard Worker
414*08b48e0bSAndroid Build Coastguard Worker /* Be a bit more generous about timeouts when resuming sessions, or when
415*08b48e0bSAndroid Build Coastguard Worker trying to calibrate already-added finds. This helps avoid trouble due
416*08b48e0bSAndroid Build Coastguard Worker to intermittent latency. */
417*08b48e0bSAndroid Build Coastguard Worker
418*08b48e0bSAndroid Build Coastguard Worker if (!from_queue || afl->resuming_fuzz) {
419*08b48e0bSAndroid Build Coastguard Worker
420*08b48e0bSAndroid Build Coastguard Worker use_tmout = MAX(afl->fsrv.exec_tmout + CAL_TMOUT_ADD,
421*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.exec_tmout * CAL_TMOUT_PERC / 100);
422*08b48e0bSAndroid Build Coastguard Worker
423*08b48e0bSAndroid Build Coastguard Worker }
424*08b48e0bSAndroid Build Coastguard Worker
425*08b48e0bSAndroid Build Coastguard Worker ++q->cal_failed;
426*08b48e0bSAndroid Build Coastguard Worker
427*08b48e0bSAndroid Build Coastguard Worker afl->stage_name = "calibration";
428*08b48e0bSAndroid Build Coastguard Worker afl->stage_max = afl->afl_env.afl_cal_fast ? CAL_CYCLES_FAST : CAL_CYCLES;
429*08b48e0bSAndroid Build Coastguard Worker
430*08b48e0bSAndroid Build Coastguard Worker /* Make sure the forkserver is up before we do anything, and let's not
431*08b48e0bSAndroid Build Coastguard Worker count its spin-up time toward binary calibration. */
432*08b48e0bSAndroid Build Coastguard Worker
433*08b48e0bSAndroid Build Coastguard Worker if (!afl->fsrv.fsrv_pid) {
434*08b48e0bSAndroid Build Coastguard Worker
435*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.cmplog_binary &&
436*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.init_child_func != cmplog_exec_child) {
437*08b48e0bSAndroid Build Coastguard Worker
438*08b48e0bSAndroid Build Coastguard Worker FATAL("BUG in afl-fuzz detected. Cmplog mode not set correctly.");
439*08b48e0bSAndroid Build Coastguard Worker
440*08b48e0bSAndroid Build Coastguard Worker }
441*08b48e0bSAndroid Build Coastguard Worker
442*08b48e0bSAndroid Build Coastguard Worker afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
443*08b48e0bSAndroid Build Coastguard Worker afl->afl_env.afl_debug_child);
444*08b48e0bSAndroid Build Coastguard Worker
445*08b48e0bSAndroid Build Coastguard Worker if (afl->fsrv.support_shmem_fuzz && !afl->fsrv.use_shmem_fuzz) {
446*08b48e0bSAndroid Build Coastguard Worker
447*08b48e0bSAndroid Build Coastguard Worker afl_shm_deinit(afl->shm_fuzz);
448*08b48e0bSAndroid Build Coastguard Worker ck_free(afl->shm_fuzz);
449*08b48e0bSAndroid Build Coastguard Worker afl->shm_fuzz = NULL;
450*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.support_shmem_fuzz = 0;
451*08b48e0bSAndroid Build Coastguard Worker afl->fsrv.shmem_fuzz = NULL;
452*08b48e0bSAndroid Build Coastguard Worker
453*08b48e0bSAndroid Build Coastguard Worker }
454*08b48e0bSAndroid Build Coastguard Worker
455*08b48e0bSAndroid Build Coastguard Worker }
456*08b48e0bSAndroid Build Coastguard Worker
457*08b48e0bSAndroid Build Coastguard Worker /* we need a dummy run if this is LTO + cmplog */
458*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->shm.cmplog_mode)) {
459*08b48e0bSAndroid Build Coastguard Worker
460*08b48e0bSAndroid Build Coastguard Worker (void)write_to_testcase(afl, (void **)&use_mem, q->len, 1);
461*08b48e0bSAndroid Build Coastguard Worker
462*08b48e0bSAndroid Build Coastguard Worker fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
463*08b48e0bSAndroid Build Coastguard Worker
464*08b48e0bSAndroid Build Coastguard Worker /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
465*08b48e0bSAndroid Build Coastguard Worker we want to bail out quickly. */
466*08b48e0bSAndroid Build Coastguard Worker
467*08b48e0bSAndroid Build Coastguard Worker if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; }
468*08b48e0bSAndroid Build Coastguard Worker
469*08b48e0bSAndroid Build Coastguard Worker if (!afl->non_instrumented_mode && !afl->stage_cur &&
470*08b48e0bSAndroid Build Coastguard Worker !count_bytes(afl, afl->fsrv.trace_bits)) {
471*08b48e0bSAndroid Build Coastguard Worker
472*08b48e0bSAndroid Build Coastguard Worker fault = FSRV_RUN_NOINST;
473*08b48e0bSAndroid Build Coastguard Worker goto abort_calibration;
474*08b48e0bSAndroid Build Coastguard Worker
475*08b48e0bSAndroid Build Coastguard Worker }
476*08b48e0bSAndroid Build Coastguard Worker
477*08b48e0bSAndroid Build Coastguard Worker #ifdef INTROSPECTION
478*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;
479*08b48e0bSAndroid Build Coastguard Worker #endif
480*08b48e0bSAndroid Build Coastguard Worker
481*08b48e0bSAndroid Build Coastguard Worker }
482*08b48e0bSAndroid Build Coastguard Worker
483*08b48e0bSAndroid Build Coastguard Worker if (q->exec_cksum) {
484*08b48e0bSAndroid Build Coastguard Worker
485*08b48e0bSAndroid Build Coastguard Worker memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
486*08b48e0bSAndroid Build Coastguard Worker hnb = has_new_bits(afl, afl->virgin_bits);
487*08b48e0bSAndroid Build Coastguard Worker if (hnb > new_bits) { new_bits = hnb; }
488*08b48e0bSAndroid Build Coastguard Worker
489*08b48e0bSAndroid Build Coastguard Worker }
490*08b48e0bSAndroid Build Coastguard Worker
491*08b48e0bSAndroid Build Coastguard Worker start_us = get_cur_time_us();
492*08b48e0bSAndroid Build Coastguard Worker
493*08b48e0bSAndroid Build Coastguard Worker for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
494*08b48e0bSAndroid Build Coastguard Worker
495*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->debug)) {
496*08b48e0bSAndroid Build Coastguard Worker
497*08b48e0bSAndroid Build Coastguard Worker DEBUGF("calibration stage %d/%d\n", afl->stage_cur + 1, afl->stage_max);
498*08b48e0bSAndroid Build Coastguard Worker
499*08b48e0bSAndroid Build Coastguard Worker }
500*08b48e0bSAndroid Build Coastguard Worker
501*08b48e0bSAndroid Build Coastguard Worker u64 cksum;
502*08b48e0bSAndroid Build Coastguard Worker
503*08b48e0bSAndroid Build Coastguard Worker (void)write_to_testcase(afl, (void **)&use_mem, q->len, 1);
504*08b48e0bSAndroid Build Coastguard Worker
505*08b48e0bSAndroid Build Coastguard Worker fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
506*08b48e0bSAndroid Build Coastguard Worker
507*08b48e0bSAndroid Build Coastguard Worker /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
508*08b48e0bSAndroid Build Coastguard Worker we want to bail out quickly. */
509*08b48e0bSAndroid Build Coastguard Worker
510*08b48e0bSAndroid Build Coastguard Worker if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; }
511*08b48e0bSAndroid Build Coastguard Worker
512*08b48e0bSAndroid Build Coastguard Worker if (!afl->non_instrumented_mode && !afl->stage_cur &&
513*08b48e0bSAndroid Build Coastguard Worker !count_bytes(afl, afl->fsrv.trace_bits)) {
514*08b48e0bSAndroid Build Coastguard Worker
515*08b48e0bSAndroid Build Coastguard Worker fault = FSRV_RUN_NOINST;
516*08b48e0bSAndroid Build Coastguard Worker goto abort_calibration;
517*08b48e0bSAndroid Build Coastguard Worker
518*08b48e0bSAndroid Build Coastguard Worker }
519*08b48e0bSAndroid Build Coastguard Worker
520*08b48e0bSAndroid Build Coastguard Worker #ifdef INTROSPECTION
521*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;
522*08b48e0bSAndroid Build Coastguard Worker #endif
523*08b48e0bSAndroid Build Coastguard Worker
524*08b48e0bSAndroid Build Coastguard Worker classify_counts(&afl->fsrv);
525*08b48e0bSAndroid Build Coastguard Worker cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
526*08b48e0bSAndroid Build Coastguard Worker if (q->exec_cksum != cksum) {
527*08b48e0bSAndroid Build Coastguard Worker
528*08b48e0bSAndroid Build Coastguard Worker hnb = has_new_bits(afl, afl->virgin_bits);
529*08b48e0bSAndroid Build Coastguard Worker if (hnb > new_bits) { new_bits = hnb; }
530*08b48e0bSAndroid Build Coastguard Worker
531*08b48e0bSAndroid Build Coastguard Worker if (q->exec_cksum) {
532*08b48e0bSAndroid Build Coastguard Worker
533*08b48e0bSAndroid Build Coastguard Worker u32 i;
534*08b48e0bSAndroid Build Coastguard Worker
535*08b48e0bSAndroid Build Coastguard Worker for (i = 0; i < afl->fsrv.map_size; ++i) {
536*08b48e0bSAndroid Build Coastguard Worker
537*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!afl->var_bytes[i]) &&
538*08b48e0bSAndroid Build Coastguard Worker unlikely(afl->first_trace[i] != afl->fsrv.trace_bits[i])) {
539*08b48e0bSAndroid Build Coastguard Worker
540*08b48e0bSAndroid Build Coastguard Worker afl->var_bytes[i] = 1;
541*08b48e0bSAndroid Build Coastguard Worker // ignore the variable edge by setting it to fully discovered
542*08b48e0bSAndroid Build Coastguard Worker afl->virgin_bits[i] = 0;
543*08b48e0bSAndroid Build Coastguard Worker
544*08b48e0bSAndroid Build Coastguard Worker }
545*08b48e0bSAndroid Build Coastguard Worker
546*08b48e0bSAndroid Build Coastguard Worker }
547*08b48e0bSAndroid Build Coastguard Worker
548*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!var_detected && !afl->afl_env.afl_no_warn_instability)) {
549*08b48e0bSAndroid Build Coastguard Worker
550*08b48e0bSAndroid Build Coastguard Worker // note: from_queue seems to only be set during initialization
551*08b48e0bSAndroid Build Coastguard Worker if (afl->afl_env.afl_no_ui || from_queue) {
552*08b48e0bSAndroid Build Coastguard Worker
553*08b48e0bSAndroid Build Coastguard Worker WARNF("instability detected during calibration");
554*08b48e0bSAndroid Build Coastguard Worker
555*08b48e0bSAndroid Build Coastguard Worker } else if (afl->debug) {
556*08b48e0bSAndroid Build Coastguard Worker
557*08b48e0bSAndroid Build Coastguard Worker DEBUGF("instability detected during calibration\n");
558*08b48e0bSAndroid Build Coastguard Worker
559*08b48e0bSAndroid Build Coastguard Worker }
560*08b48e0bSAndroid Build Coastguard Worker
561*08b48e0bSAndroid Build Coastguard Worker }
562*08b48e0bSAndroid Build Coastguard Worker
563*08b48e0bSAndroid Build Coastguard Worker var_detected = 1;
564*08b48e0bSAndroid Build Coastguard Worker afl->stage_max =
565*08b48e0bSAndroid Build Coastguard Worker afl->afl_env.afl_cal_fast ? CAL_CYCLES : CAL_CYCLES_LONG;
566*08b48e0bSAndroid Build Coastguard Worker
567*08b48e0bSAndroid Build Coastguard Worker } else {
568*08b48e0bSAndroid Build Coastguard Worker
569*08b48e0bSAndroid Build Coastguard Worker q->exec_cksum = cksum;
570*08b48e0bSAndroid Build Coastguard Worker memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
571*08b48e0bSAndroid Build Coastguard Worker
572*08b48e0bSAndroid Build Coastguard Worker }
573*08b48e0bSAndroid Build Coastguard Worker
574*08b48e0bSAndroid Build Coastguard Worker }
575*08b48e0bSAndroid Build Coastguard Worker
576*08b48e0bSAndroid Build Coastguard Worker }
577*08b48e0bSAndroid Build Coastguard Worker
578*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->fixed_seed)) {
579*08b48e0bSAndroid Build Coastguard Worker
580*08b48e0bSAndroid Build Coastguard Worker diff_us = (u64)(afl->fsrv.exec_tmout - 1) * (u64)afl->stage_max;
581*08b48e0bSAndroid Build Coastguard Worker
582*08b48e0bSAndroid Build Coastguard Worker } else {
583*08b48e0bSAndroid Build Coastguard Worker
584*08b48e0bSAndroid Build Coastguard Worker stop_us = get_cur_time_us();
585*08b48e0bSAndroid Build Coastguard Worker diff_us = stop_us - start_us;
586*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!diff_us)) { ++diff_us; }
587*08b48e0bSAndroid Build Coastguard Worker
588*08b48e0bSAndroid Build Coastguard Worker }
589*08b48e0bSAndroid Build Coastguard Worker
590*08b48e0bSAndroid Build Coastguard Worker afl->total_cal_us += diff_us;
591*08b48e0bSAndroid Build Coastguard Worker afl->total_cal_cycles += afl->stage_max;
592*08b48e0bSAndroid Build Coastguard Worker
593*08b48e0bSAndroid Build Coastguard Worker /* OK, let's collect some stats about the performance of this test case.
594*08b48e0bSAndroid Build Coastguard Worker This is used for fuzzing air time calculations in calculate_score(). */
595*08b48e0bSAndroid Build Coastguard Worker
596*08b48e0bSAndroid Build Coastguard Worker if (unlikely(!afl->stage_max)) {
597*08b48e0bSAndroid Build Coastguard Worker
598*08b48e0bSAndroid Build Coastguard Worker // Pretty sure this cannot happen, yet scan-build complains.
599*08b48e0bSAndroid Build Coastguard Worker FATAL("BUG: stage_max should not be 0 here! Please report this condition.");
600*08b48e0bSAndroid Build Coastguard Worker
601*08b48e0bSAndroid Build Coastguard Worker }
602*08b48e0bSAndroid Build Coastguard Worker
603*08b48e0bSAndroid Build Coastguard Worker q->exec_us = diff_us / afl->stage_max;
604*08b48e0bSAndroid Build Coastguard Worker q->bitmap_size = count_bytes(afl, afl->fsrv.trace_bits);
605*08b48e0bSAndroid Build Coastguard Worker q->handicap = handicap;
606*08b48e0bSAndroid Build Coastguard Worker q->cal_failed = 0;
607*08b48e0bSAndroid Build Coastguard Worker
608*08b48e0bSAndroid Build Coastguard Worker afl->total_bitmap_size += q->bitmap_size;
609*08b48e0bSAndroid Build Coastguard Worker ++afl->total_bitmap_entries;
610*08b48e0bSAndroid Build Coastguard Worker
611*08b48e0bSAndroid Build Coastguard Worker update_bitmap_score(afl, q);
612*08b48e0bSAndroid Build Coastguard Worker
613*08b48e0bSAndroid Build Coastguard Worker /* If this case didn't result in new output from the instrumentation, tell
614*08b48e0bSAndroid Build Coastguard Worker parent. This is a non-critical problem, but something to warn the user
615*08b48e0bSAndroid Build Coastguard Worker about. */
616*08b48e0bSAndroid Build Coastguard Worker
617*08b48e0bSAndroid Build Coastguard Worker if (!afl->non_instrumented_mode && first_run && !fault && !new_bits) {
618*08b48e0bSAndroid Build Coastguard Worker
619*08b48e0bSAndroid Build Coastguard Worker fault = FSRV_RUN_NOBITS;
620*08b48e0bSAndroid Build Coastguard Worker
621*08b48e0bSAndroid Build Coastguard Worker }
622*08b48e0bSAndroid Build Coastguard Worker
623*08b48e0bSAndroid Build Coastguard Worker abort_calibration:
624*08b48e0bSAndroid Build Coastguard Worker
625*08b48e0bSAndroid Build Coastguard Worker if (new_bits == 2 && !q->has_new_cov) {
626*08b48e0bSAndroid Build Coastguard Worker
627*08b48e0bSAndroid Build Coastguard Worker q->has_new_cov = 1;
628*08b48e0bSAndroid Build Coastguard Worker ++afl->queued_with_cov;
629*08b48e0bSAndroid Build Coastguard Worker
630*08b48e0bSAndroid Build Coastguard Worker }
631*08b48e0bSAndroid Build Coastguard Worker
632*08b48e0bSAndroid Build Coastguard Worker /* Mark variable paths. */
633*08b48e0bSAndroid Build Coastguard Worker
634*08b48e0bSAndroid Build Coastguard Worker if (var_detected) {
635*08b48e0bSAndroid Build Coastguard Worker
636*08b48e0bSAndroid Build Coastguard Worker afl->var_byte_count = count_bytes(afl, afl->var_bytes);
637*08b48e0bSAndroid Build Coastguard Worker
638*08b48e0bSAndroid Build Coastguard Worker if (!q->var_behavior) {
639*08b48e0bSAndroid Build Coastguard Worker
640*08b48e0bSAndroid Build Coastguard Worker mark_as_variable(afl, q);
641*08b48e0bSAndroid Build Coastguard Worker ++afl->queued_variable;
642*08b48e0bSAndroid Build Coastguard Worker
643*08b48e0bSAndroid Build Coastguard Worker }
644*08b48e0bSAndroid Build Coastguard Worker
645*08b48e0bSAndroid Build Coastguard Worker }
646*08b48e0bSAndroid Build Coastguard Worker
647*08b48e0bSAndroid Build Coastguard Worker afl->stage_name = old_sn;
648*08b48e0bSAndroid Build Coastguard Worker afl->stage_cur = old_sc;
649*08b48e0bSAndroid Build Coastguard Worker afl->stage_max = old_sm;
650*08b48e0bSAndroid Build Coastguard Worker
651*08b48e0bSAndroid Build Coastguard Worker if (!first_run) { show_stats(afl); }
652*08b48e0bSAndroid Build Coastguard Worker
653*08b48e0bSAndroid Build Coastguard Worker return fault;
654*08b48e0bSAndroid Build Coastguard Worker
655*08b48e0bSAndroid Build Coastguard Worker }
656*08b48e0bSAndroid Build Coastguard Worker
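/* True when an snprintf() return value `n` means the whole string, including
   its terminator, fit into a buffer of `cap` bytes. */

static inline bool sync_path_fits(int n, size_t cap) {

  return n >= 0 && (size_t)n < cap;

}

/* Grab interesting test cases from other fuzzers.

   Walks every sibling instance directory below afl->sync_dir (dot entries and
   our own afl->sync_id are skipped), remembers in <out_dir>/.synced/<name> the
   id of the next queue entry still to be imported from that instance, and runs
   every newer queue file through the target so save_if_interesting() can keep
   it. A secondary node only pulls from an instance carrying an is_main_node
   marker; when it finds no such instance it elects itself main. Paths built
   from untrusted directory names are bounds-checked and an entry whose path
   would not fit is skipped rather than probed under a truncated name.

   Side effects: rewrites afl->stage_name/stage_cur/stage_max and
   afl->cur_depth, bumps afl->queued_imported, may toggle afl->is_main_node,
   and stamps afl->last_sync_time / afl->last_sync_cycle on exit. Aborts the
   process via PFATAL if sync_dir or a .synced marker cannot be opened. */

void sync_fuzzers(afl_state_t *afl) {

  DIR           *sd;
  struct dirent *sd_ent;
  u32            sync_cnt = 0, synced = 0, entries = 0;
  u8             path[PATH_MAX + 1 + NAME_MAX];
  int            mlen;

  sd = opendir(afl->sync_dir);
  if (!sd) { PFATAL("Unable to open '%s'", afl->sync_dir); }

  afl->stage_max = afl->stage_cur = 0;
  afl->cur_depth = 0;

  /* Look at the entries created for every other fuzzer in the sync directory.
   */

  while ((sd_ent = readdir(sd))) {

    u8  qd_synced_path[PATH_MAX], qd_path[PATH_MAX];
    u32 min_accept = 0, next_min_accept = 0;
    int plen;

    s32 id_fd;

    /* Skip dot files and our own output directory. */

    if (sd_ent->d_name[0] == '.' || !strcmp(afl->sync_id, sd_ent->d_name)) {

      continue;

    }

    entries++;

    // secondary nodes only syncs from main, the main node syncs from everyone
    if (likely(afl->is_secondary_node)) {

      plen = snprintf(qd_path, sizeof(qd_path), "%s/%s/is_main_node",
                      afl->sync_dir, sd_ent->d_name);
      if (!sync_path_fits(plen, sizeof(qd_path))) {

        /* A truncated path would probe some unrelated file; do not base the
           main/secondary decision on that. */
        WARNF("Sync path for '%s' is too long, skipping", sd_ent->d_name);
        continue;

      }

      int res = access(qd_path, F_OK);
      if (unlikely(afl->is_main_node)) {  // an elected temporary main node

        if (likely(res == 0)) {  // there is another main node? downgrade.

          afl->is_main_node = 0;
          plen = snprintf(qd_path, sizeof(qd_path), "%s/is_main_node",
                          afl->out_dir);
          if (sync_path_fits(plen, sizeof(qd_path))) { (void)unlink(qd_path); }

        }

      } else {

        if (likely(res != 0)) { continue; }

      }

    }

    synced++;

    /* document the attempt to sync to this instance */

    plen = snprintf(qd_synced_path, sizeof(qd_synced_path),
                    "%s/.synced/%s.last", afl->out_dir, sd_ent->d_name);
    if (!sync_path_fits(plen, sizeof(qd_synced_path))) {

      WARNF("Sync marker path for '%s' is too long, skipping", sd_ent->d_name);
      continue;

    }

    id_fd = open(qd_synced_path, O_RDWR | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
    if (id_fd >= 0) { close(id_fd); }

    /* Skip anything that doesn't have a queue/ subdirectory. */

    plen = snprintf(qd_path, sizeof(qd_path), "%s/%s/queue", afl->sync_dir,
                    sd_ent->d_name);
    if (!sync_path_fits(plen, sizeof(qd_path))) { continue; }

    struct dirent **namelist = NULL;
    int             m = 0, n, o;

    n = scandir(qd_path, &namelist, NULL, alphasort);

    if (n < 1) {

      free(namelist);  // scandir() may hand back an allocated, empty list
      continue;

    }

    /* Retrieve the ID of the last seen test case. This path is a strict
       prefix of the ".last" marker path checked above, so it always fits. */

    snprintf(qd_synced_path, sizeof(qd_synced_path), "%s/.synced/%s",
             afl->out_dir, sd_ent->d_name);

    id_fd = open(qd_synced_path, O_RDWR | O_CREAT, DEFAULT_PERMISSION);

    if (id_fd < 0) { PFATAL("Unable to create '%s'", qd_synced_path); }

    if (read(id_fd, &min_accept, sizeof(u32)) == sizeof(u32)) {

      next_min_accept = min_accept;

    }

    /* Show stats */

    snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "sync %u", ++sync_cnt);

    afl->stage_name = afl->stage_name_buf;
    afl->stage_cur = 0;
    afl->stage_max = 0;

    /* For every file queued by this fuzzer, parse ID and see if we have
       looked at it before; exec a test case if not. */

    /* "id:" + up to ten decimal digits of a u32 + NUL; the whole token is
       compared so ids beyond six digits still match exactly instead of on a
       fixed nine-byte prefix. */
    u8     entry[3 + 10 + 1];
    size_t entry_len =
        (size_t)snprintf(entry, sizeof(entry), "id:%06u", next_min_accept);

    while (m < n && strncmp(namelist[m]->d_name, entry, entry_len)) { m++; }

    if (m >= n) { goto close_sync; }  // nothing new

    for (o = m; o < n; o++) {

      s32         fd;
      struct stat st;

      snprintf(path, sizeof(path), "%s/%s", qd_path, namelist[o]->d_name);
      afl->syncing_case = next_min_accept;
      next_min_accept++;

      /* Allow this to fail in case the other fuzzer is resuming or so... */

      fd = open(path, O_RDONLY);

      if (fd < 0) { continue; }

      /* Without a successful stat there is no trustworthy size; skip the
         file instead of reading an uninitialised st_size. */
      if (fstat(fd, &st)) {

        WARNF("fstat() failed");
        close(fd);
        continue;

      }

      /* Ignore zero-sized or oversized files. */

      if (st.st_size && st.st_size <= MAX_FILE) {

        u8  fault;
        u8 *map = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
        u8 *mem = map;

        if (map == MAP_FAILED) { PFATAL("Unable to mmap '%s'", path); }

        /* See what happens. We rely on save_if_interesting() to catch major
           errors and save the test case. */

        /* write_to_testcase() receives the address of the buffer pointer and
           is presumably free to swap it; `map` keeps the original mapping so
           munmap() below is always paired with the mmap() above. */
        (void)write_to_testcase(afl, (void **)&mem, st.st_size, 1);

        fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);

        if (afl->stop_soon) {

          munmap(map, st.st_size);
          close(fd);
          goto close_sync;

        }

        afl->syncing_party = sd_ent->d_name;
        afl->queued_imported +=
            save_if_interesting(afl, mem, st.st_size, fault);
        afl->syncing_party = 0;

        munmap(map, st.st_size);

      }

      close(fd);

    }

    /* Rewind explicitly so a short or failed read above cannot leave the
       marker being written at a stray offset. */
    lseek(id_fd, 0, SEEK_SET);
    ck_write(id_fd, &next_min_accept, sizeof(u32), qd_synced_path);

  close_sync:
    close(id_fd);
    for (m = 0; m < n; m++) { free(namelist[m]); }
    free(namelist);

  }

  closedir(sd);

  // If we are a secondary and no main was found to sync then become the main
  if (unlikely(synced == 0) && likely(entries) &&
      likely(afl->is_secondary_node)) {

    // there is a small race condition here that another secondary runs at the
    // same time. If so, the first temporary main node running again will demote
    // themselves so this is not an issue

    afl->is_main_node = 1;
    mlen = snprintf(path, sizeof(path), "%s/is_main_node", afl->out_dir);
    if (sync_path_fits(mlen, sizeof(path))) {

      /* Other instances only probe this marker's existence via access(F_OK),
         so its mode is left as upstream chose it. */
      int fd = open(path, O_CREAT | O_RDWR, 0644);
      if (fd >= 0) { close(fd); }

    }

  }

  if (afl->foreign_sync_cnt) { read_foreign_testcases(afl, 0); }

  afl->last_sync_time = get_cur_time();
  afl->last_sync_cycle = afl->queue_cycle;

}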
868*08b48e0bSAndroid Build Coastguard Worker
869*08b48e0bSAndroid Build Coastguard Worker /* Trim all new test cases to save cycles when doing deterministic checks. The
870*08b48e0bSAndroid Build Coastguard Worker trimmer uses power-of-two increments somewhere between 1/16 and 1/1024 of
871*08b48e0bSAndroid Build Coastguard Worker file size, to keep the stage short and sweet. */
872*08b48e0bSAndroid Build Coastguard Worker
trim_case(afl_state_t * afl,struct queue_entry * q,u8 * in_buf)873*08b48e0bSAndroid Build Coastguard Worker u8 trim_case(afl_state_t *afl, struct queue_entry *q, u8 *in_buf) {
874*08b48e0bSAndroid Build Coastguard Worker
875*08b48e0bSAndroid Build Coastguard Worker u32 orig_len = q->len;
876*08b48e0bSAndroid Build Coastguard Worker
877*08b48e0bSAndroid Build Coastguard Worker /* Custom mutator trimmer */
878*08b48e0bSAndroid Build Coastguard Worker if (afl->custom_mutators_count) {
879*08b48e0bSAndroid Build Coastguard Worker
880*08b48e0bSAndroid Build Coastguard Worker u8 trimmed_case = 0;
881*08b48e0bSAndroid Build Coastguard Worker bool custom_trimmed = false;
882*08b48e0bSAndroid Build Coastguard Worker
883*08b48e0bSAndroid Build Coastguard Worker LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
884*08b48e0bSAndroid Build Coastguard Worker
885*08b48e0bSAndroid Build Coastguard Worker if (el->afl_custom_trim) {
886*08b48e0bSAndroid Build Coastguard Worker
887*08b48e0bSAndroid Build Coastguard Worker trimmed_case = trim_case_custom(afl, q, in_buf, el);
888*08b48e0bSAndroid Build Coastguard Worker custom_trimmed = true;
889*08b48e0bSAndroid Build Coastguard Worker
890*08b48e0bSAndroid Build Coastguard Worker }
891*08b48e0bSAndroid Build Coastguard Worker
892*08b48e0bSAndroid Build Coastguard Worker });
893*08b48e0bSAndroid Build Coastguard Worker
894*08b48e0bSAndroid Build Coastguard Worker if (orig_len != q->len || custom_trimmed) {
895*08b48e0bSAndroid Build Coastguard Worker
896*08b48e0bSAndroid Build Coastguard Worker queue_testcase_retake(afl, q, orig_len);
897*08b48e0bSAndroid Build Coastguard Worker
898*08b48e0bSAndroid Build Coastguard Worker }
899*08b48e0bSAndroid Build Coastguard Worker
900*08b48e0bSAndroid Build Coastguard Worker if (custom_trimmed) return trimmed_case;
901*08b48e0bSAndroid Build Coastguard Worker
902*08b48e0bSAndroid Build Coastguard Worker }
903*08b48e0bSAndroid Build Coastguard Worker
904*08b48e0bSAndroid Build Coastguard Worker u8 needs_write = 0, fault = 0;
905*08b48e0bSAndroid Build Coastguard Worker u32 trim_exec = 0;
906*08b48e0bSAndroid Build Coastguard Worker u32 remove_len;
907*08b48e0bSAndroid Build Coastguard Worker u32 len_p2;
908*08b48e0bSAndroid Build Coastguard Worker
909*08b48e0bSAndroid Build Coastguard Worker u8 val_bufs[2][STRINGIFY_VAL_SIZE_MAX];
910*08b48e0bSAndroid Build Coastguard Worker
911*08b48e0bSAndroid Build Coastguard Worker /* Although the trimmer will be less useful when variable behavior is
912*08b48e0bSAndroid Build Coastguard Worker detected, it will still work to some extent, so we don't check for
913*08b48e0bSAndroid Build Coastguard Worker this. */
914*08b48e0bSAndroid Build Coastguard Worker
915*08b48e0bSAndroid Build Coastguard Worker if (unlikely(q->len < 5)) { return 0; }
916*08b48e0bSAndroid Build Coastguard Worker
917*08b48e0bSAndroid Build Coastguard Worker afl->stage_name = afl->stage_name_buf;
918*08b48e0bSAndroid Build Coastguard Worker afl->bytes_trim_in += q->len;
919*08b48e0bSAndroid Build Coastguard Worker
920*08b48e0bSAndroid Build Coastguard Worker /* Select initial chunk len, starting with large steps. */
921*08b48e0bSAndroid Build Coastguard Worker
922*08b48e0bSAndroid Build Coastguard Worker len_p2 = next_pow2(q->len);
923*08b48e0bSAndroid Build Coastguard Worker
924*08b48e0bSAndroid Build Coastguard Worker remove_len = MAX(len_p2 / TRIM_START_STEPS, (u32)TRIM_MIN_BYTES);
925*08b48e0bSAndroid Build Coastguard Worker
926*08b48e0bSAndroid Build Coastguard Worker /* Continue until the number of steps gets too high or the stepover
927*08b48e0bSAndroid Build Coastguard Worker gets too small. */
928*08b48e0bSAndroid Build Coastguard Worker
929*08b48e0bSAndroid Build Coastguard Worker while (remove_len >= MAX(len_p2 / TRIM_END_STEPS, (u32)TRIM_MIN_BYTES)) {
930*08b48e0bSAndroid Build Coastguard Worker
931*08b48e0bSAndroid Build Coastguard Worker u32 remove_pos = remove_len;
932*08b48e0bSAndroid Build Coastguard Worker
933*08b48e0bSAndroid Build Coastguard Worker sprintf(afl->stage_name_buf, "trim %s/%s",
934*08b48e0bSAndroid Build Coastguard Worker u_stringify_int(val_bufs[0], remove_len),
935*08b48e0bSAndroid Build Coastguard Worker u_stringify_int(val_bufs[1], remove_len));
936*08b48e0bSAndroid Build Coastguard Worker
937*08b48e0bSAndroid Build Coastguard Worker afl->stage_cur = 0;
938*08b48e0bSAndroid Build Coastguard Worker afl->stage_max = q->len / remove_len;
939*08b48e0bSAndroid Build Coastguard Worker
940*08b48e0bSAndroid Build Coastguard Worker while (remove_pos < q->len) {
941*08b48e0bSAndroid Build Coastguard Worker
942*08b48e0bSAndroid Build Coastguard Worker u32 trim_avail = MIN(remove_len, q->len - remove_pos);
943*08b48e0bSAndroid Build Coastguard Worker u64 cksum;
944*08b48e0bSAndroid Build Coastguard Worker
945*08b48e0bSAndroid Build Coastguard Worker write_with_gap(afl, in_buf, q->len, remove_pos, trim_avail);
946*08b48e0bSAndroid Build Coastguard Worker
947*08b48e0bSAndroid Build Coastguard Worker fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
948*08b48e0bSAndroid Build Coastguard Worker
949*08b48e0bSAndroid Build Coastguard Worker if (afl->stop_soon || fault == FSRV_RUN_ERROR) { goto abort_trimming; }
950*08b48e0bSAndroid Build Coastguard Worker
951*08b48e0bSAndroid Build Coastguard Worker /* Note that we don't keep track of crashes or hangs here; maybe TODO?
952*08b48e0bSAndroid Build Coastguard Worker */
953*08b48e0bSAndroid Build Coastguard Worker
954*08b48e0bSAndroid Build Coastguard Worker ++afl->trim_execs;
955*08b48e0bSAndroid Build Coastguard Worker classify_counts(&afl->fsrv);
956*08b48e0bSAndroid Build Coastguard Worker cksum = hash64(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
957*08b48e0bSAndroid Build Coastguard Worker
958*08b48e0bSAndroid Build Coastguard Worker /* If the deletion had no impact on the trace, make it permanent. This
959*08b48e0bSAndroid Build Coastguard Worker isn't perfect for variable-path inputs, but we're just making a
960*08b48e0bSAndroid Build Coastguard Worker best-effort pass, so it's not a big deal if we end up with false
961*08b48e0bSAndroid Build Coastguard Worker negatives every now and then. */
962*08b48e0bSAndroid Build Coastguard Worker
963*08b48e0bSAndroid Build Coastguard Worker if (cksum == q->exec_cksum) {
964*08b48e0bSAndroid Build Coastguard Worker
965*08b48e0bSAndroid Build Coastguard Worker u32 move_tail = q->len - remove_pos - trim_avail;
966*08b48e0bSAndroid Build Coastguard Worker
967*08b48e0bSAndroid Build Coastguard Worker q->len -= trim_avail;
968*08b48e0bSAndroid Build Coastguard Worker len_p2 = next_pow2(q->len);
969*08b48e0bSAndroid Build Coastguard Worker
970*08b48e0bSAndroid Build Coastguard Worker memmove(in_buf + remove_pos, in_buf + remove_pos + trim_avail,
971*08b48e0bSAndroid Build Coastguard Worker move_tail);
972*08b48e0bSAndroid Build Coastguard Worker
973*08b48e0bSAndroid Build Coastguard Worker /* Let's save a clean trace, which will be needed by
974*08b48e0bSAndroid Build Coastguard Worker update_bitmap_score once we're done with the trimming stuff. */
975*08b48e0bSAndroid Build Coastguard Worker
976*08b48e0bSAndroid Build Coastguard Worker if (!needs_write) {
977*08b48e0bSAndroid Build Coastguard Worker
978*08b48e0bSAndroid Build Coastguard Worker needs_write = 1;
979*08b48e0bSAndroid Build Coastguard Worker memcpy(afl->clean_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
980*08b48e0bSAndroid Build Coastguard Worker
981*08b48e0bSAndroid Build Coastguard Worker }
982*08b48e0bSAndroid Build Coastguard Worker
983*08b48e0bSAndroid Build Coastguard Worker } else {
984*08b48e0bSAndroid Build Coastguard Worker
985*08b48e0bSAndroid Build Coastguard Worker remove_pos += remove_len;
986*08b48e0bSAndroid Build Coastguard Worker
987*08b48e0bSAndroid Build Coastguard Worker }
988*08b48e0bSAndroid Build Coastguard Worker
989*08b48e0bSAndroid Build Coastguard Worker /* Since this can be slow, update the screen every now and then. */
990*08b48e0bSAndroid Build Coastguard Worker
991*08b48e0bSAndroid Build Coastguard Worker if (!(trim_exec++ % afl->stats_update_freq)) { show_stats(afl); }
992*08b48e0bSAndroid Build Coastguard Worker ++afl->stage_cur;
993*08b48e0bSAndroid Build Coastguard Worker
994*08b48e0bSAndroid Build Coastguard Worker }
995*08b48e0bSAndroid Build Coastguard Worker
996*08b48e0bSAndroid Build Coastguard Worker remove_len >>= 1;
997*08b48e0bSAndroid Build Coastguard Worker
998*08b48e0bSAndroid Build Coastguard Worker }
999*08b48e0bSAndroid Build Coastguard Worker
1000*08b48e0bSAndroid Build Coastguard Worker /* If we have made changes to in_buf, we also need to update the on-disk
1001*08b48e0bSAndroid Build Coastguard Worker version of the test case. */
1002*08b48e0bSAndroid Build Coastguard Worker
1003*08b48e0bSAndroid Build Coastguard Worker if (needs_write) {
1004*08b48e0bSAndroid Build Coastguard Worker
1005*08b48e0bSAndroid Build Coastguard Worker s32 fd;
1006*08b48e0bSAndroid Build Coastguard Worker
1007*08b48e0bSAndroid Build Coastguard Worker if (unlikely(afl->no_unlink)) {
1008*08b48e0bSAndroid Build Coastguard Worker
1009*08b48e0bSAndroid Build Coastguard Worker fd = open(q->fname, O_WRONLY | O_CREAT | O_TRUNC, DEFAULT_PERMISSION);
1010*08b48e0bSAndroid Build Coastguard Worker
1011*08b48e0bSAndroid Build Coastguard Worker if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
1012*08b48e0bSAndroid Build Coastguard Worker
1013*08b48e0bSAndroid Build Coastguard Worker u32 written = 0;
1014*08b48e0bSAndroid Build Coastguard Worker while (written < q->len) {
1015*08b48e0bSAndroid Build Coastguard Worker
1016*08b48e0bSAndroid Build Coastguard Worker ssize_t result = write(fd, in_buf, q->len - written);
1017*08b48e0bSAndroid Build Coastguard Worker if (result > 0) written += result;
1018*08b48e0bSAndroid Build Coastguard Worker
1019*08b48e0bSAndroid Build Coastguard Worker }
1020*08b48e0bSAndroid Build Coastguard Worker
1021*08b48e0bSAndroid Build Coastguard Worker } else {
1022*08b48e0bSAndroid Build Coastguard Worker
1023*08b48e0bSAndroid Build Coastguard Worker unlink(q->fname); /* ignore errors */
1024*08b48e0bSAndroid Build Coastguard Worker fd = open(q->fname, O_WRONLY | O_CREAT | O_EXCL, DEFAULT_PERMISSION);
1025*08b48e0bSAndroid Build Coastguard Worker
1026*08b48e0bSAndroid Build Coastguard Worker if (fd < 0) { PFATAL("Unable to create '%s'", q->fname); }
1027*08b48e0bSAndroid Build Coastguard Worker
1028*08b48e0bSAndroid Build Coastguard Worker ck_write(fd, in_buf, q->len, q->fname);
1029*08b48e0bSAndroid Build Coastguard Worker
1030*08b48e0bSAndroid Build Coastguard Worker }
1031*08b48e0bSAndroid Build Coastguard Worker
1032*08b48e0bSAndroid Build Coastguard Worker close(fd);
1033*08b48e0bSAndroid Build Coastguard Worker
1034*08b48e0bSAndroid Build Coastguard Worker queue_testcase_retake_mem(afl, q, in_buf, q->len, orig_len);
1035*08b48e0bSAndroid Build Coastguard Worker
1036*08b48e0bSAndroid Build Coastguard Worker memcpy(afl->fsrv.trace_bits, afl->clean_trace, afl->fsrv.map_size);
1037*08b48e0bSAndroid Build Coastguard Worker update_bitmap_score(afl, q);
1038*08b48e0bSAndroid Build Coastguard Worker
1039*08b48e0bSAndroid Build Coastguard Worker }
1040*08b48e0bSAndroid Build Coastguard Worker
1041*08b48e0bSAndroid Build Coastguard Worker abort_trimming:
1042*08b48e0bSAndroid Build Coastguard Worker
1043*08b48e0bSAndroid Build Coastguard Worker afl->bytes_trim_out += q->len;
1044*08b48e0bSAndroid Build Coastguard Worker return fault;
1045*08b48e0bSAndroid Build Coastguard Worker
1046*08b48e0bSAndroid Build Coastguard Worker }
1047*08b48e0bSAndroid Build Coastguard Worker
1048*08b48e0bSAndroid Build Coastguard Worker /* Write a modified test case, run program, process results. Handle
1049*08b48e0bSAndroid Build Coastguard Worker error conditions, returning 1 if it's time to bail out. This is
1050*08b48e0bSAndroid Build Coastguard Worker a helper function for fuzz_one(). */
1051*08b48e0bSAndroid Build Coastguard Worker
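/* Run one mutated input through the target and process the outcome.

   out_buf/len describe the candidate input. out_buf is passed by address to
   write_to_testcase(), which may hand back a different buffer pointer
   (presumably when a post-processing step rewrites the input - confirm
   against write_to_testcase); the length it returns becomes the effective
   len and is what save_if_interesting() is later given.

   Side effects on afl: subseq_tmouts (consecutive-timeout streak),
   cur_skipped_items, skip_requested (cleared when honoured),
   queued_discovered, plus a periodic show_stats() refresh.

   Returns 1 when the caller should stop working on the current queue entry:
   stop_soon is set, too many consecutive timeouts were seen, or a skip was
   requested via SIGUSR1. Returns 0 otherwise, including when
   write_to_testcase() wrote nothing (len == 0). Crashes and FSRV_RUN_ERROR
   are not signalled through the return value; save_if_interesting()
   handles them. */
u8 __attribute__((hot))
common_fuzz_stuff(afl_state_t *afl, u8 *out_buf, u32 len) {

  u8 fault;

  /* A zero length means nothing was written: there is nothing to run, but
     this is not a reason to bail out of the stage. The branch hint wraps
     the whole comparison; wrapping only the assignment would tell the
     compiler that len == 0 is the expected case, i.e. the opposite. */
  len = write_to_testcase(afl, (void **)&out_buf, len, 0);
  if (unlikely(len == 0)) { return 0; }

  fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);

  /* A stop request wins over everything else; counters are left as is. */
  if (afl->stop_soon) { return 1; }

  if (fault == FSRV_RUN_TMOUT) {

    /* Track consecutive timeouts. The comparison sees the value before the
       increment, so the entry is abandoned only once more than TMOUT_LIMIT
       timeouts in a row have already been counted. */
    if (afl->subseq_tmouts++ > TMOUT_LIMIT) {

      ++afl->cur_skipped_items;
      return 1;

    }

  } else {

    /* Any non-timeout result, including a crash, resets the streak. */
    afl->subseq_tmouts = 0;

  }

  /* Users can hit us with SIGUSR1 to request the current input
     to be abandoned. The flag is consumed here so the next input runs. */
  if (afl->skip_requested) {

    afl->skip_requested = 0;
    ++afl->cur_skipped_items;
    return 1;

  }

  /* This handles FAULT_ERROR for us; the return value is the number of
     new queue entries it created. */
  afl->queued_discovered += save_if_interesting(afl, out_buf, len, fault);

  /* Refresh the UI every stats_update_freq execs and on the final exec of
     the stage, so the last counters are always shown. */
  if (!(afl->stage_cur % afl->stats_update_freq) ||
      afl->stage_cur + 1 == afl->stage_max) {

    show_stats(afl);

  }

  return 0;

}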
1107*08b48e0bSAndroid Build Coastguard Worker