1*08b48e0bSAndroid Build Coastguard Worker /*
2*08b48e0bSAndroid Build Coastguard Worker    american fuzzy lop++ - fuzzer code
3*08b48e0bSAndroid Build Coastguard Worker    --------------------------------
4*08b48e0bSAndroid Build Coastguard Worker 
5*08b48e0bSAndroid Build Coastguard Worker    Originally written by Michal Zalewski
6*08b48e0bSAndroid Build Coastguard Worker 
7*08b48e0bSAndroid Build Coastguard Worker    Now maintained by Marc Heuse <[email protected]>,
8*08b48e0bSAndroid Build Coastguard Worker                         Heiko Eißfeldt <[email protected]> and
9*08b48e0bSAndroid Build Coastguard Worker                         Andrea Fioraldi <[email protected]>
10*08b48e0bSAndroid Build Coastguard Worker 
11*08b48e0bSAndroid Build Coastguard Worker    Copyright 2016, 2017 Google Inc. All rights reserved.
12*08b48e0bSAndroid Build Coastguard Worker    Copyright 2019-2024 AFLplusplus Project. All rights reserved.
13*08b48e0bSAndroid Build Coastguard Worker 
14*08b48e0bSAndroid Build Coastguard Worker    Licensed under the Apache License, Version 2.0 (the "License");
15*08b48e0bSAndroid Build Coastguard Worker    you may not use this file except in compliance with the License.
16*08b48e0bSAndroid Build Coastguard Worker    You may obtain a copy of the License at:
17*08b48e0bSAndroid Build Coastguard Worker 
18*08b48e0bSAndroid Build Coastguard Worker      https://www.apache.org/licenses/LICENSE-2.0
19*08b48e0bSAndroid Build Coastguard Worker 
20*08b48e0bSAndroid Build Coastguard Worker    This is the real deal: the program takes an instrumented binary and
21*08b48e0bSAndroid Build Coastguard Worker    attempts a variety of basic fuzzing tricks, paying close attention to
22*08b48e0bSAndroid Build Coastguard Worker    how they affect the execution path.
23*08b48e0bSAndroid Build Coastguard Worker 
24*08b48e0bSAndroid Build Coastguard Worker  */
25*08b48e0bSAndroid Build Coastguard Worker 
26*08b48e0bSAndroid Build Coastguard Worker #include "afl-fuzz.h"
27*08b48e0bSAndroid Build Coastguard Worker #include "cmplog.h"
28*08b48e0bSAndroid Build Coastguard Worker #include "common.h"
29*08b48e0bSAndroid Build Coastguard Worker #include <limits.h>
30*08b48e0bSAndroid Build Coastguard Worker #include <stdlib.h>
31*08b48e0bSAndroid Build Coastguard Worker #ifndef USEMMAP
32*08b48e0bSAndroid Build Coastguard Worker   #include <sys/mman.h>
33*08b48e0bSAndroid Build Coastguard Worker   #include <sys/stat.h>
34*08b48e0bSAndroid Build Coastguard Worker   #include <fcntl.h>
35*08b48e0bSAndroid Build Coastguard Worker   #include <sys/ipc.h>
36*08b48e0bSAndroid Build Coastguard Worker   #include <sys/shm.h>
37*08b48e0bSAndroid Build Coastguard Worker #endif
38*08b48e0bSAndroid Build Coastguard Worker 
39*08b48e0bSAndroid Build Coastguard Worker #ifdef __APPLE__
40*08b48e0bSAndroid Build Coastguard Worker   #include <sys/qos.h>
41*08b48e0bSAndroid Build Coastguard Worker   #include <pthread/qos.h>
42*08b48e0bSAndroid Build Coastguard Worker #endif
43*08b48e0bSAndroid Build Coastguard Worker 
44*08b48e0bSAndroid Build Coastguard Worker #ifdef PROFILING
45*08b48e0bSAndroid Build Coastguard Worker extern u64 time_spent_working;
46*08b48e0bSAndroid Build Coastguard Worker #endif
47*08b48e0bSAndroid Build Coastguard Worker 
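/* Read a positive process id from the environment variable NAME.
   Returns 0 when the variable is unset, empty, not a number, not positive
   or out of range. strtol is used instead of atoi so that an oversized
   value is rejected instead of being undefined behavior. */
static pid_t env_pid(const char *name) {

  const char *val = getenv(name);
  if (!val || !*val) { return 0; }

  char *end = NULL;
  long  v = strtol(val, &end, 10);
  if (end == val || v <= 0 || v > INT_MAX) { return 0; }

  return (pid_t)v;

}

/* Deliver SIG to PID and, when its process group can be looked up, to the
   whole group as well (the target may have forked). Return values are
   deliberately ignored: the process may already be gone and we are in the
   middle of exiting anyway. */
static void signal_pid_and_group(pid_t pid, int sig) {

  pid_t pgrp = getpgid(pid);
  if (pgrp > 0) { killpg(pgrp, sig); }
  kill(pid, sig);

}

/* atexit() handler: best-effort cleanup of what afl-fuzz leaves behind.

   - terminates the child processes whose pids were exported to the
     environment as __AFL_TARGET_PID1/2 (first SIGTERM, then the configured
     AFL_KILL_SIGNAL or SIGKILL),
   - removes the CPU affinity lock file named by CPU_AFFINITY_ENV_VAR,
   - removes the shared memory segments named by SHM_ENV_VAR,
     SHM_FUZZ_ENV_VAR and CMPLOG_SHM_ENV_VAR.

   Everything is read from this process's own environment, so the handler
   does not depend on any fuzzer state having been initialised. */
static void at_exit(void) {

  const char *const shm_vars[] = {SHM_ENV_VAR, SHM_FUZZ_ENV_VAR,
                                  CMPLOG_SHM_ENV_VAR, NULL};
  char       *ptr;

  /* Ask both children to terminate gracefully first; the pids are set by
     other parts of the fuzzer when the children are started. */
  pid_t pid2 = env_pid("__AFL_TARGET_PID2");
  if (pid2 > 0) { signal_pid_and_group(pid2, SIGTERM); }

  pid_t pid1 = env_pid("__AFL_TARGET_PID1");
  if (pid1 > 0) { signal_pid_and_group(pid1, SIGTERM); }

  /* Release the CPU core lock file, if one was claimed. */
  ptr = getenv(CPU_AFFINITY_ENV_VAR);
  if (ptr && *ptr) { unlink(ptr); }

  /* Release the shared memory segments. With USEMMAP the variable holds a
     POSIX shm name, otherwise a SysV segment id. */
  for (const char *const *var = shm_vars; *var != NULL; var++) {

    ptr = getenv(*var);
    if (!ptr || !*ptr) { continue; }

#ifdef USEMMAP
    shm_unlink(ptr);
#else
    shmctl(atoi(ptr), IPC_RMID, NULL);
#endif

  }

  /* AFL_KILL_SIGNAL should already be a valid int at this point; if it is
     not, keep SIGKILL rather than sending signal 0, which kills nothing. */
  int kill_signal = SIGKILL;
  if ((ptr = getenv("AFL_KILL_SIGNAL")) && *ptr) {

    int sig = atoi(ptr);
    if (sig > 0) { kill_signal = sig; }

  }

  /* Now make sure both are gone. Each pid is looked up with its own
     process group (the second child used to be looked up via pid1). */
  if (pid1 > 0) { signal_pid_and_group(pid1, kill_signal); }
  if (pid2 > 0) { signal_pid_and_group(pid2, kill_signal); }

}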
118*08b48e0bSAndroid Build Coastguard Worker 
119*08b48e0bSAndroid Build Coastguard Worker /* Display usage hints. */
120*08b48e0bSAndroid Build Coastguard Worker 
usage(u8 * argv0,int more_help)121*08b48e0bSAndroid Build Coastguard Worker static void usage(u8 *argv0, int more_help) {
122*08b48e0bSAndroid Build Coastguard Worker 
123*08b48e0bSAndroid Build Coastguard Worker   SAYF(
124*08b48e0bSAndroid Build Coastguard Worker       "\n%s [ options ] -- /path/to/fuzzed_app [ ... ]\n\n"
125*08b48e0bSAndroid Build Coastguard Worker 
126*08b48e0bSAndroid Build Coastguard Worker       "Required parameters:\n"
127*08b48e0bSAndroid Build Coastguard Worker       "  -i dir        - input directory with test cases (or '-' to resume, "
128*08b48e0bSAndroid Build Coastguard Worker       "also see \n"
129*08b48e0bSAndroid Build Coastguard Worker       "                  AFL_AUTORESUME)\n"
130*08b48e0bSAndroid Build Coastguard Worker       "  -o dir        - output directory for fuzzer findings\n\n"
131*08b48e0bSAndroid Build Coastguard Worker 
132*08b48e0bSAndroid Build Coastguard Worker       "Execution control settings:\n"
133*08b48e0bSAndroid Build Coastguard Worker       "  -P strategy   - set fix mutation strategy: explore (focus on new "
134*08b48e0bSAndroid Build Coastguard Worker       "coverage),\n"
135*08b48e0bSAndroid Build Coastguard Worker       "                  exploit (focus on triggering crashes). You can also "
136*08b48e0bSAndroid Build Coastguard Worker       "set a\n"
137*08b48e0bSAndroid Build Coastguard Worker       "                  number of seconds after without any finds it switches "
138*08b48e0bSAndroid Build Coastguard Worker       "to\n"
139*08b48e0bSAndroid Build Coastguard Worker       "                  exploit mode, and back on new coverage (default: %u)\n"
140*08b48e0bSAndroid Build Coastguard Worker       "  -p schedule   - power schedules compute a seed's performance score:\n"
141*08b48e0bSAndroid Build Coastguard Worker       "                  explore(default), fast, exploit, seek, rare, mmopt, "
142*08b48e0bSAndroid Build Coastguard Worker       "coe, lin\n"
143*08b48e0bSAndroid Build Coastguard Worker       "                  quad -- see docs/FAQ.md for more information\n"
144*08b48e0bSAndroid Build Coastguard Worker       "  -f file       - location read by the fuzzed program (default: stdin "
145*08b48e0bSAndroid Build Coastguard Worker       "or @@)\n"
146*08b48e0bSAndroid Build Coastguard Worker       "  -t msec       - timeout for each run (auto-scaled, default %u ms). "
147*08b48e0bSAndroid Build Coastguard Worker       "Add a '+'\n"
148*08b48e0bSAndroid Build Coastguard Worker       "                  to auto-calculate the timeout, the value being the "
149*08b48e0bSAndroid Build Coastguard Worker       "maximum.\n"
150*08b48e0bSAndroid Build Coastguard Worker       "  -m megs       - memory limit for child process (%u MB, 0 = no limit "
151*08b48e0bSAndroid Build Coastguard Worker       "[default])\n"
152*08b48e0bSAndroid Build Coastguard Worker #if defined(__linux__) && defined(__aarch64__)
153*08b48e0bSAndroid Build Coastguard Worker       "  -A            - use binary-only instrumentation (ARM CoreSight mode)\n"
154*08b48e0bSAndroid Build Coastguard Worker #endif
155*08b48e0bSAndroid Build Coastguard Worker       "  -O            - use binary-only instrumentation (FRIDA mode)\n"
156*08b48e0bSAndroid Build Coastguard Worker #if defined(__linux__)
157*08b48e0bSAndroid Build Coastguard Worker       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
158*08b48e0bSAndroid Build Coastguard Worker       "  -U            - use unicorn-based instrumentation (Unicorn mode)\n"
159*08b48e0bSAndroid Build Coastguard Worker       "  -W            - use qemu-based instrumentation with Wine (Wine mode)\n"
160*08b48e0bSAndroid Build Coastguard Worker #endif
161*08b48e0bSAndroid Build Coastguard Worker #if defined(__linux__)
162*08b48e0bSAndroid Build Coastguard Worker       "  -X            - use VM fuzzing (NYX mode - standalone mode)\n"
163*08b48e0bSAndroid Build Coastguard Worker       "  -Y            - use VM fuzzing (NYX mode - multiple instances mode)\n"
164*08b48e0bSAndroid Build Coastguard Worker #endif
165*08b48e0bSAndroid Build Coastguard Worker       "\n"
166*08b48e0bSAndroid Build Coastguard Worker 
167*08b48e0bSAndroid Build Coastguard Worker       "Mutator settings:\n"
168*08b48e0bSAndroid Build Coastguard Worker       "  -a type       - target input format, \"text\" or \"binary\" (default: "
169*08b48e0bSAndroid Build Coastguard Worker       "generic)\n"
170*08b48e0bSAndroid Build Coastguard Worker       "  -g minlength  - set min length of generated fuzz input (default: 1)\n"
171*08b48e0bSAndroid Build Coastguard Worker       "  -G maxlength  - set max length of generated fuzz input (default: "
172*08b48e0bSAndroid Build Coastguard Worker       "%lu)\n"
173*08b48e0bSAndroid Build Coastguard Worker       "  -D            - enable (a new) effective deterministic fuzzing\n"
174*08b48e0bSAndroid Build Coastguard Worker       "  -L minutes    - use MOpt(imize) mode and set the time limit for "
175*08b48e0bSAndroid Build Coastguard Worker       "entering the\n"
176*08b48e0bSAndroid Build Coastguard Worker       "                  pacemaker mode (minutes of no new finds). 0 = "
177*08b48e0bSAndroid Build Coastguard Worker       "immediately,\n"
178*08b48e0bSAndroid Build Coastguard Worker       "                  -1 = immediately and together with normal mutation.\n"
179*08b48e0bSAndroid Build Coastguard Worker       "                  Note: this option is usually not very effective\n"
180*08b48e0bSAndroid Build Coastguard Worker       "  -c program    - enable CmpLog by specifying a binary compiled for "
181*08b48e0bSAndroid Build Coastguard Worker       "it.\n"
182*08b48e0bSAndroid Build Coastguard Worker       "                  if using QEMU/FRIDA or the fuzzing target is "
183*08b48e0bSAndroid Build Coastguard Worker       "compiled\n"
184*08b48e0bSAndroid Build Coastguard Worker       "                  for CmpLog then use '-c 0'. To disable Cmplog use '-c "
185*08b48e0bSAndroid Build Coastguard Worker       "-'.\n"
186*08b48e0bSAndroid Build Coastguard Worker       "  -l cmplog_opts - CmpLog configuration values (e.g. \"2ATR\"):\n"
187*08b48e0bSAndroid Build Coastguard Worker       "                  1=small files, 2=larger files (default), 3=all "
188*08b48e0bSAndroid Build Coastguard Worker       "files,\n"
189*08b48e0bSAndroid Build Coastguard Worker       "                  A=arithmetic solving, T=transformational solving,\n"
190*08b48e0bSAndroid Build Coastguard Worker       "                  X=extreme transform solving, R=random colorization "
191*08b48e0bSAndroid Build Coastguard Worker       "bytes.\n\n"
192*08b48e0bSAndroid Build Coastguard Worker       "Fuzzing behavior settings:\n"
193*08b48e0bSAndroid Build Coastguard Worker       "  -Z            - sequential queue selection instead of weighted "
194*08b48e0bSAndroid Build Coastguard Worker       "random\n"
195*08b48e0bSAndroid Build Coastguard Worker       "  -N            - do not unlink the fuzzing input file (for devices "
196*08b48e0bSAndroid Build Coastguard Worker       "etc.)\n"
197*08b48e0bSAndroid Build Coastguard Worker       "  -n            - fuzz without instrumentation (non-instrumented mode)\n"
198*08b48e0bSAndroid Build Coastguard Worker       "  -x dict_file  - fuzzer dictionary (see README.md, specify up to 4 "
199*08b48e0bSAndroid Build Coastguard Worker       "times)\n\n"
200*08b48e0bSAndroid Build Coastguard Worker 
201*08b48e0bSAndroid Build Coastguard Worker       "Test settings:\n"
202*08b48e0bSAndroid Build Coastguard Worker       "  -s seed       - use a fixed seed for the RNG\n"
203*08b48e0bSAndroid Build Coastguard Worker       "  -V seconds    - fuzz for a specified time then terminate\n"
204*08b48e0bSAndroid Build Coastguard Worker       "  -E execs      - fuzz for an approx. no. of total executions then "
205*08b48e0bSAndroid Build Coastguard Worker       "terminate\n"
206*08b48e0bSAndroid Build Coastguard Worker       "                  Note: not precise and can have several more "
207*08b48e0bSAndroid Build Coastguard Worker       "executions.\n\n"
208*08b48e0bSAndroid Build Coastguard Worker 
209*08b48e0bSAndroid Build Coastguard Worker       "Other stuff:\n"
210*08b48e0bSAndroid Build Coastguard Worker       "  -M/-S id      - distributed mode (-M sets -Z and disables trimming)\n"
211*08b48e0bSAndroid Build Coastguard Worker       "                  see docs/fuzzing_in_depth.md#c-using-multiple-cores\n"
212*08b48e0bSAndroid Build Coastguard Worker       "                  for effective recommendations for parallel fuzzing.\n"
213*08b48e0bSAndroid Build Coastguard Worker       "  -F path       - sync to a foreign fuzzer queue directory (requires "
214*08b48e0bSAndroid Build Coastguard Worker       "-M, can\n"
215*08b48e0bSAndroid Build Coastguard Worker       "                  be specified up to %u times)\n"
216*08b48e0bSAndroid Build Coastguard Worker       // "  -d            - skip deterministic fuzzing in -M mode\n"
217*08b48e0bSAndroid Build Coastguard Worker       "  -T text       - text banner to show on the screen\n"
218*08b48e0bSAndroid Build Coastguard Worker       "  -I command    - execute this command/script when a new crash is "
219*08b48e0bSAndroid Build Coastguard Worker       "found\n"
220*08b48e0bSAndroid Build Coastguard Worker       //"  -B bitmap.txt - mutate a specific test case, use the
221*08b48e0bSAndroid Build Coastguard Worker       // out/default/fuzz_bitmap file\n"
222*08b48e0bSAndroid Build Coastguard Worker       "  -C            - crash exploration mode (the peruvian rabbit thing)\n"
223*08b48e0bSAndroid Build Coastguard Worker       "  -b cpu_id     - bind the fuzzing process to the specified CPU core "
224*08b48e0bSAndroid Build Coastguard Worker       "(0-...)\n"
225*08b48e0bSAndroid Build Coastguard Worker       "  -e ext        - file extension for the fuzz test input file (if "
226*08b48e0bSAndroid Build Coastguard Worker       "needed)\n"
227*08b48e0bSAndroid Build Coastguard Worker       "\n",
228*08b48e0bSAndroid Build Coastguard Worker       argv0, STRATEGY_SWITCH_TIME, EXEC_TIMEOUT, MEM_LIMIT, MAX_FILE,
229*08b48e0bSAndroid Build Coastguard Worker       FOREIGN_SYNCS_MAX);
230*08b48e0bSAndroid Build Coastguard Worker 
231*08b48e0bSAndroid Build Coastguard Worker   if (more_help > 1) {
232*08b48e0bSAndroid Build Coastguard Worker 
233*08b48e0bSAndroid Build Coastguard Worker #if defined USE_COLOR && !defined ALWAYS_COLORED
234*08b48e0bSAndroid Build Coastguard Worker   #define DYN_COLOR \
235*08b48e0bSAndroid Build Coastguard Worker     "AFL_NO_COLOR or AFL_NO_COLOUR: switch colored console output off\n"
236*08b48e0bSAndroid Build Coastguard Worker #else
237*08b48e0bSAndroid Build Coastguard Worker   #define DYN_COLOR
238*08b48e0bSAndroid Build Coastguard Worker #endif
239*08b48e0bSAndroid Build Coastguard Worker 
240*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_PERSISTENT_RECORD
241*08b48e0bSAndroid Build Coastguard Worker   #define PERSISTENT_MSG                                                 \
242*08b48e0bSAndroid Build Coastguard Worker     "AFL_PERSISTENT_RECORD: record the last X inputs to every crash in " \
243*08b48e0bSAndroid Build Coastguard Worker     "out/crashes\n"
244*08b48e0bSAndroid Build Coastguard Worker #else
245*08b48e0bSAndroid Build Coastguard Worker   #define PERSISTENT_MSG
246*08b48e0bSAndroid Build Coastguard Worker #endif
247*08b48e0bSAndroid Build Coastguard Worker 
248*08b48e0bSAndroid Build Coastguard Worker     SAYF(
249*08b48e0bSAndroid Build Coastguard Worker       "Environment variables used:\n"
250*08b48e0bSAndroid Build Coastguard Worker       "LD_BIND_LAZY: do not set LD_BIND_NOW env var for target\n"
251*08b48e0bSAndroid Build Coastguard Worker       "ASAN_OPTIONS: custom settings for ASAN\n"
252*08b48e0bSAndroid Build Coastguard Worker       "              (must contain abort_on_error=1 and symbolize=0)\n"
253*08b48e0bSAndroid Build Coastguard Worker       "MSAN_OPTIONS: custom settings for MSAN\n"
254*08b48e0bSAndroid Build Coastguard Worker       "              (must contain exitcode="STRINGIFY(MSAN_ERROR)" and symbolize=0)\n"
255*08b48e0bSAndroid Build Coastguard Worker       "AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists\n"
256*08b48e0bSAndroid Build Coastguard Worker       "AFL_BENCH_JUST_ONE: run the target just once\n"
257*08b48e0bSAndroid Build Coastguard Worker       "AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found\n"
258*08b48e0bSAndroid Build Coastguard Worker       "AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases (good for resumes!)\n"
259*08b48e0bSAndroid Build Coastguard Worker       "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n"
260*08b48e0bSAndroid Build Coastguard Worker       "AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs\n"
261*08b48e0bSAndroid Build Coastguard Worker       "AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators\n"
262*08b48e0bSAndroid Build Coastguard Worker       "AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule\n"
263*08b48e0bSAndroid Build Coastguard Worker       "AFL_DEBUG: extra debugging output for Python mode trimming\n"
264*08b48e0bSAndroid Build Coastguard Worker       "AFL_DEBUG_CHILD: do not suppress stdout/stderr from target\n"
265*08b48e0bSAndroid Build Coastguard Worker       "AFL_DISABLE_TRIM: disable the trimming of test cases\n"
266*08b48e0bSAndroid Build Coastguard Worker       "AFL_DUMB_FORKSRV: use fork server without feedback from target\n"
267*08b48e0bSAndroid Build Coastguard Worker       "AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found\n"
268*08b48e0bSAndroid Build Coastguard Worker       "AFL_EXIT_ON_TIME: exit when no new coverage is found within the specified time\n"
269*08b48e0bSAndroid Build Coastguard Worker       "AFL_EXIT_ON_SEED_ISSUES: exit on any kind of seed issues\n"
270*08b48e0bSAndroid Build Coastguard Worker       "AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60\n"
271*08b48e0bSAndroid Build Coastguard Worker       "                      minutes and a cycle without finds)\n"
272*08b48e0bSAndroid Build Coastguard Worker       "AFL_FAST_CAL: limit the calibration stage to three cycles for speedup\n"
273*08b48e0bSAndroid Build Coastguard Worker       "AFL_FORCE_UI: force showing the status screen (for virtual consoles)\n"
274*08b48e0bSAndroid Build Coastguard Worker       "AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in ms)\n"
275*08b48e0bSAndroid Build Coastguard Worker       "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n"
276*08b48e0bSAndroid Build Coastguard Worker       "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n"
277*08b48e0bSAndroid Build Coastguard Worker       "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected\n"
278*08b48e0bSAndroid Build Coastguard Worker       "AFL_IGNORE_PROBLEMS_COVERAGE: if set in addition to AFL_IGNORE_PROBLEMS - also\n"
279*08b48e0bSAndroid Build Coastguard Worker       "                              ignore those libs for coverage\n"
280*08b48e0bSAndroid Build Coastguard Worker       "AFL_IGNORE_SEED_PROBLEMS: skip over crashes and timeouts in the seeds instead of\n"
281*08b48e0bSAndroid Build Coastguard Worker       "                          exiting\n"
282*08b48e0bSAndroid Build Coastguard Worker       "AFL_IGNORE_TIMEOUTS: do not process or save any timeouts\n"
283*08b48e0bSAndroid Build Coastguard Worker       "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n"
284*08b48e0bSAndroid Build Coastguard Worker       "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n"
285*08b48e0bSAndroid Build Coastguard Worker       "AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max fuzz length produced\n"
286*08b48e0bSAndroid Build Coastguard Worker       "AFL_PIZZA_MODE: 1 - enforce pizza mode, -1 - disable for April 1st,\n"
287*08b48e0bSAndroid Build Coastguard Worker       "                0 (default) - activate on April 1st\n"
288*08b48e0bSAndroid Build Coastguard Worker       "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc.\n"
289*08b48e0bSAndroid Build Coastguard Worker       "                 (default: SIGKILL)\n"
290*08b48e0bSAndroid Build Coastguard Worker       "AFL_FORK_SERVER_KILL_SIGNAL: Kill signal for the fork server on termination\n"
291*08b48e0bSAndroid Build Coastguard Worker       "                             (default: SIGTERM). If unset and AFL_KILL_SIGNAL is\n"
292*08b48e0bSAndroid Build Coastguard Worker       "                             set, that value will be used.\n"
293*08b48e0bSAndroid Build Coastguard Worker       "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n"
294*08b48e0bSAndroid Build Coastguard Worker       "              the target was compiled for\n"
295*08b48e0bSAndroid Build Coastguard Worker       "AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value\n"
296*08b48e0bSAndroid Build Coastguard Worker       "                    then they are randomly selected instead all of them being\n"
297*08b48e0bSAndroid Build Coastguard Worker       "                    used. Defaults to 200.\n"
298*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing\n"
299*08b48e0bSAndroid Build Coastguard Worker       "AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful\n"
300*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_ARITH: skip arithmetic mutations in deterministic stage\n"
301*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target\n"
302*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_CPU_RED: avoid red color for showing very high cpu usage\n"
303*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n"
304*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)\n"
305*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once\n"
306*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_WARN_INSTABILITY: no warn about instability issues on startup calibration\n"
307*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_UI: switch status screen off\n"
308*08b48e0bSAndroid Build Coastguard Worker       "AFL_NYX_AUX_SIZE: size of the Nyx auxiliary buffer. Must be a multiple of 4096.\n"
309*08b48e0bSAndroid Build Coastguard Worker       "                  Increase this value in case the crash reports are truncated.\n"
310*08b48e0bSAndroid Build Coastguard Worker       "                  Default value is 4096.\n"
311*08b48e0bSAndroid Build Coastguard Worker       "AFL_NYX_DISABLE_SNAPSHOT_MODE: disable snapshot mode (must be supported by the agent)\n"
312*08b48e0bSAndroid Build Coastguard Worker       "AFL_NYX_LOG: output NYX hprintf messages to another file\n"
313*08b48e0bSAndroid Build Coastguard Worker       "AFL_NYX_REUSE_SNAPSHOT: reuse an existing Nyx root snapshot\n"
314*08b48e0bSAndroid Build Coastguard Worker       DYN_COLOR
315*08b48e0bSAndroid Build Coastguard Worker 
316*08b48e0bSAndroid Build Coastguard Worker       "AFL_PATH: path to AFL support binaries\n"
317*08b48e0bSAndroid Build Coastguard Worker       "AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module\n"
318*08b48e0bSAndroid Build Coastguard Worker       "AFL_QUIET: suppress forkserver status messages\n"
319*08b48e0bSAndroid Build Coastguard Worker 
320*08b48e0bSAndroid Build Coastguard Worker       PERSISTENT_MSG
321*08b48e0bSAndroid Build Coastguard Worker 
322*08b48e0bSAndroid Build Coastguard Worker       "AFL_POST_PROCESS_KEEP_ORIGINAL: save the file as it was prior post-processing to\n"
323*08b48e0bSAndroid Build Coastguard Worker       "                                the queue, but execute the post-processed one\n"
324*08b48e0bSAndroid Build Coastguard Worker       "AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target\n"
325*08b48e0bSAndroid Build Coastguard Worker       "AFL_TARGET_ENV: pass extra environment variables to target\n"
326*08b48e0bSAndroid Build Coastguard Worker       "AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup\n"
327*08b48e0bSAndroid Build Coastguard Worker       "AFL_SKIP_BIN_CHECK: skip afl compatibility checks, also disables auto map size\n"
328*08b48e0bSAndroid Build Coastguard Worker       "AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking\n"
329*08b48e0bSAndroid Build Coastguard Worker       //"AFL_SKIP_CRASHES: during initial dry run do not terminate for crashing inputs\n"
330*08b48e0bSAndroid Build Coastguard Worker       "AFL_STATSD: enables StatsD metrics collection\n"
331*08b48e0bSAndroid Build Coastguard Worker       "AFL_STATSD_HOST: change default statsd host (default 127.0.0.1)\n"
332*08b48e0bSAndroid Build Coastguard Worker       "AFL_STATSD_PORT: change default statsd port (default: 8125)\n"
333*08b48e0bSAndroid Build Coastguard Worker       "AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)\n"
334*08b48e0bSAndroid Build Coastguard Worker       "                        suported formats: dogstatsd, librato, signalfx, influxdb\n"
335*08b48e0bSAndroid Build Coastguard Worker       "AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)\n"
336*08b48e0bSAndroid Build Coastguard Worker       "AFL_FINAL_SYNC: sync a final time when exiting (will delay the exit!)\n"
337*08b48e0bSAndroid Build Coastguard Worker       "AFL_NO_CRASH_README: do not create a README in the crashes directory\n"
338*08b48e0bSAndroid Build Coastguard Worker       "AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)\n"
339*08b48e0bSAndroid Build Coastguard Worker       "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n"
340*08b48e0bSAndroid Build Coastguard Worker       "AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/\n"
341*08b48e0bSAndroid Build Coastguard Worker       "                      afl-clang-lto/afl-gcc-fast target\n"
342*08b48e0bSAndroid Build Coastguard Worker       "AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in a shared lib)\n"
343*08b48e0bSAndroid Build Coastguard Worker       "AFL_DEFER_FORKSRV: enforced deferred forkserver (__AFL_INIT is in a shared lib)\n"
344*08b48e0bSAndroid Build Coastguard Worker       "AFL_FUZZER_STATS_UPDATE_INTERVAL: interval to update fuzzer_stats file in\n"
345*08b48e0bSAndroid Build Coastguard Worker       "                                  seconds (default: 60, minimum: 1)\n"
346*08b48e0bSAndroid Build Coastguard Worker       "\n"
347*08b48e0bSAndroid Build Coastguard Worker     );
348*08b48e0bSAndroid Build Coastguard Worker 
349*08b48e0bSAndroid Build Coastguard Worker   } else {
350*08b48e0bSAndroid Build Coastguard Worker 
351*08b48e0bSAndroid Build Coastguard Worker     SAYF(
352*08b48e0bSAndroid Build Coastguard Worker         "To view also the supported environment variables of afl-fuzz please "
353*08b48e0bSAndroid Build Coastguard Worker         "use \"-hh\".\n\n");
354*08b48e0bSAndroid Build Coastguard Worker 
355*08b48e0bSAndroid Build Coastguard Worker   }
356*08b48e0bSAndroid Build Coastguard Worker 
357*08b48e0bSAndroid Build Coastguard Worker #ifdef USE_PYTHON
358*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with %s module support, see docs/custom_mutators.md\n",
359*08b48e0bSAndroid Build Coastguard Worker        (char *)PYTHON_VERSION);
360*08b48e0bSAndroid Build Coastguard Worker #else
361*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled without Python module support.\n");
362*08b48e0bSAndroid Build Coastguard Worker #endif
363*08b48e0bSAndroid Build Coastguard Worker 
364*08b48e0bSAndroid Build Coastguard Worker #ifdef AFL_PERSISTENT_RECORD
365*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with AFL_PERSISTENT_RECORD support.\n");
366*08b48e0bSAndroid Build Coastguard Worker #else
367*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled without AFL_PERSISTENT_RECORD support.\n");
368*08b48e0bSAndroid Build Coastguard Worker #endif
369*08b48e0bSAndroid Build Coastguard Worker 
370*08b48e0bSAndroid Build Coastguard Worker #ifdef USEMMAP
371*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with shm_open support.\n");
372*08b48e0bSAndroid Build Coastguard Worker #else
373*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with shmat support.\n");
374*08b48e0bSAndroid Build Coastguard Worker #endif
375*08b48e0bSAndroid Build Coastguard Worker 
376*08b48e0bSAndroid Build Coastguard Worker #ifdef ASAN_BUILD
377*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with ASAN_BUILD.\n");
378*08b48e0bSAndroid Build Coastguard Worker #endif
379*08b48e0bSAndroid Build Coastguard Worker 
380*08b48e0bSAndroid Build Coastguard Worker #ifdef NO_SPLICING
381*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with NO_SPLICING.\n");
382*08b48e0bSAndroid Build Coastguard Worker #endif
383*08b48e0bSAndroid Build Coastguard Worker 
384*08b48e0bSAndroid Build Coastguard Worker #ifdef FANCY_BOXES_NO_UTF
385*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled without UTF-8 support for line rendering in status screen.\n");
386*08b48e0bSAndroid Build Coastguard Worker #endif
387*08b48e0bSAndroid Build Coastguard Worker 
388*08b48e0bSAndroid Build Coastguard Worker #ifdef PROFILING
389*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with PROFILING.\n");
390*08b48e0bSAndroid Build Coastguard Worker #endif
391*08b48e0bSAndroid Build Coastguard Worker 
392*08b48e0bSAndroid Build Coastguard Worker #ifdef INTROSPECTION
393*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with INTROSPECTION.\n");
394*08b48e0bSAndroid Build Coastguard Worker #endif
395*08b48e0bSAndroid Build Coastguard Worker 
396*08b48e0bSAndroid Build Coastguard Worker #ifdef _DEBUG
397*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with _DEBUG.\n");
398*08b48e0bSAndroid Build Coastguard Worker #endif
399*08b48e0bSAndroid Build Coastguard Worker 
400*08b48e0bSAndroid Build Coastguard Worker #ifdef _AFL_DOCUMENT_MUTATIONS
401*08b48e0bSAndroid Build Coastguard Worker   SAYF("Compiled with _AFL_DOCUMENT_MUTATIONS.\n");
402*08b48e0bSAndroid Build Coastguard Worker #endif
403*08b48e0bSAndroid Build Coastguard Worker 
404*08b48e0bSAndroid Build Coastguard Worker   SAYF("For additional help please consult %s/README.md :)\n\n", doc_path);
405*08b48e0bSAndroid Build Coastguard Worker 
406*08b48e0bSAndroid Build Coastguard Worker   exit(1);
407*08b48e0bSAndroid Build Coastguard Worker #undef PHYTON_SUPPORT
408*08b48e0bSAndroid Build Coastguard Worker 
409*08b48e0bSAndroid Build Coastguard Worker }
410*08b48e0bSAndroid Build Coastguard Worker 
411*08b48e0bSAndroid Build Coastguard Worker #ifndef AFL_LIB
412*08b48e0bSAndroid Build Coastguard Worker 
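/* Case-insensitive comparison of two NUL-terminated strings.

   Returns 0 when `a` and `b` are equal ignoring ASCII case, otherwise the
   difference between the first pair of lowercased characters that differ
   (negative when `a` sorts before `b`, positive otherwise).  Both arguments
   must be non-NULL; a NULL argument aborts via FATAL().  Used by the option
   parser below to accept e.g. "-a TEXT" and "-p Fast" regardless of case. */
static int stricmp(char const *a, char const *b) {

  if (!a || !b) { FATAL("Null reference"); }

  for (;; ++a, ++b) {

    /* tolower() is only defined for EOF and values representable as an
       unsigned char.  Converting through (unsigned char) first keeps bytes
       >= 0x80 (possible in user-supplied option strings) from becoming
       negative ints on platforms where `char` is signed, which would be
       undefined behaviour.  Using the old (int)*a cast did not prevent
       that. */
    int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);

    /* Stop at the first mismatch, or when both strings end together
       (d == 0 and *a == '\0' implies *b == '\0' too). */
    if (d != 0 || !*a) { return d; }

  }

}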
426*08b48e0bSAndroid Build Coastguard Worker 
/* Check that the first entry of the colon-separated AFL_PRELOAD list is the
   clang Address Sanitizer runtime DSO.

   The entry passes when its basename starts with "libclang_rt.asan" and the
   path is readable; anything else aborts via FATAL().  On success the path
   is reported with OKF().  Note that this is an ordering/usability sanity
   check on an operator-controlled environment variable, not an integrity
   check of the DSO itself: only the name prefix and access(2) readability
   are inspected.  NOTE(review): judging by the `fasan` prefix and the
   `frida_afl_preload` handling in main(), this is presumably used for FRIDA
   mode with ASAN — the caller is outside this view, confirm there.

   `afl_preload` must be non-NULL. */
static void fasan_check_afl_preload(char *afl_preload) {

  static const char asan_prefix[] = "libclang_rt.asan";
  char              dso_path[PATH_MAX + 1] = {0};
  const char       *colon = strchr(afl_preload, ':');
  size_t            copy_len = PATH_MAX;

  /* Only the first list entry is examined.  Entries longer than PATH_MAX
     are truncated to PATH_MAX bytes; the buffer has one spare byte and is
     zero-filled, so the copy below is always NUL-terminated even though
     strncpy() itself does not guarantee that. */
  if (colon && (size_t)(colon - afl_preload) < PATH_MAX) {

    copy_len = (size_t)(colon - afl_preload);

  }

  strncpy(dso_path, afl_preload, copy_len);

  /* Basename is everything after the last '/', or the whole entry when
     no directory component was given. */
  const char *last_slash = strrchr(dso_path, '/');
  const char *dso_name = last_slash ? last_slash + 1 : dso_path;

  if (strncmp(dso_name, asan_prefix, sizeof asan_prefix - 1) != 0) {

    FATAL("Address Sanitizer DSO must be the first DSO in AFL_PRELOAD");

  }

  if (access(dso_path, R_OK) != 0) { FATAL("Address Sanitizer DSO not found"); }

  OKF("Found ASAN DSO: %s", dso_path);

}
470*08b48e0bSAndroid Build Coastguard Worker 
471*08b48e0bSAndroid Build Coastguard Worker /* Main entry point */
472*08b48e0bSAndroid Build Coastguard Worker 
main(int argc,char ** argv_orig,char ** envp)473*08b48e0bSAndroid Build Coastguard Worker int main(int argc, char **argv_orig, char **envp) {
474*08b48e0bSAndroid Build Coastguard Worker 
475*08b48e0bSAndroid Build Coastguard Worker   s32 opt, auto_sync = 0 /*, user_set_cache = 0*/;
476*08b48e0bSAndroid Build Coastguard Worker   u64 prev_queued = 0;
477*08b48e0bSAndroid Build Coastguard Worker   u32 sync_interval_cnt = 0, seek_to = 0, show_help = 0, default_output = 1,
478*08b48e0bSAndroid Build Coastguard Worker       map_size = get_map_size();
479*08b48e0bSAndroid Build Coastguard Worker   u8 *extras_dir[4];
480*08b48e0bSAndroid Build Coastguard Worker   u8  mem_limit_given = 0, exit_1 = 0, debug = 0,
481*08b48e0bSAndroid Build Coastguard Worker      extras_dir_cnt = 0 /*, have_p = 0*/;
482*08b48e0bSAndroid Build Coastguard Worker   char  *afl_preload;
483*08b48e0bSAndroid Build Coastguard Worker   char  *frida_afl_preload = NULL;
484*08b48e0bSAndroid Build Coastguard Worker   char **use_argv;
485*08b48e0bSAndroid Build Coastguard Worker 
486*08b48e0bSAndroid Build Coastguard Worker   struct timeval  tv;
487*08b48e0bSAndroid Build Coastguard Worker   struct timezone tz;
488*08b48e0bSAndroid Build Coastguard Worker 
489*08b48e0bSAndroid Build Coastguard Worker   doc_path = access(DOC_PATH, F_OK) != 0 ? (u8 *)"docs" : (u8 *)DOC_PATH;
490*08b48e0bSAndroid Build Coastguard Worker 
491*08b48e0bSAndroid Build Coastguard Worker   if (argc > 1 && strcmp(argv_orig[1], "--version") == 0) {
492*08b48e0bSAndroid Build Coastguard Worker 
493*08b48e0bSAndroid Build Coastguard Worker     printf("afl-fuzz" VERSION "\n");
494*08b48e0bSAndroid Build Coastguard Worker     exit(0);
495*08b48e0bSAndroid Build Coastguard Worker 
496*08b48e0bSAndroid Build Coastguard Worker   }
497*08b48e0bSAndroid Build Coastguard Worker 
498*08b48e0bSAndroid Build Coastguard Worker   if (argc > 1 && strcmp(argv_orig[1], "--help") == 0) {
499*08b48e0bSAndroid Build Coastguard Worker 
500*08b48e0bSAndroid Build Coastguard Worker     usage(argv_orig[0], 1);
501*08b48e0bSAndroid Build Coastguard Worker     exit(0);
502*08b48e0bSAndroid Build Coastguard Worker 
503*08b48e0bSAndroid Build Coastguard Worker   }
504*08b48e0bSAndroid Build Coastguard Worker 
505*08b48e0bSAndroid Build Coastguard Worker   #if defined USE_COLOR && defined ALWAYS_COLORED
506*08b48e0bSAndroid Build Coastguard Worker   if (getenv("AFL_NO_COLOR") || getenv("AFL_NO_COLOUR")) {
507*08b48e0bSAndroid Build Coastguard Worker 
508*08b48e0bSAndroid Build Coastguard Worker     WARNF(
509*08b48e0bSAndroid Build Coastguard Worker         "Setting AFL_NO_COLOR has no effect (colors are configured on at "
510*08b48e0bSAndroid Build Coastguard Worker         "compile time)");
511*08b48e0bSAndroid Build Coastguard Worker 
512*08b48e0bSAndroid Build Coastguard Worker   }
513*08b48e0bSAndroid Build Coastguard Worker 
514*08b48e0bSAndroid Build Coastguard Worker   #endif
515*08b48e0bSAndroid Build Coastguard Worker 
516*08b48e0bSAndroid Build Coastguard Worker   char **argv = argv_cpy_dup(argc, argv_orig);
517*08b48e0bSAndroid Build Coastguard Worker 
518*08b48e0bSAndroid Build Coastguard Worker   afl_state_t *afl = calloc(1, sizeof(afl_state_t));
519*08b48e0bSAndroid Build Coastguard Worker   if (!afl) { FATAL("Could not create afl state"); }
520*08b48e0bSAndroid Build Coastguard Worker 
521*08b48e0bSAndroid Build Coastguard Worker   if (get_afl_env("AFL_DEBUG")) { debug = afl->debug = 1; }
522*08b48e0bSAndroid Build Coastguard Worker 
523*08b48e0bSAndroid Build Coastguard Worker   afl_state_init(afl, map_size);
524*08b48e0bSAndroid Build Coastguard Worker   afl->debug = debug;
525*08b48e0bSAndroid Build Coastguard Worker   afl_fsrv_init(&afl->fsrv);
526*08b48e0bSAndroid Build Coastguard Worker   if (debug) { afl->fsrv.debug = true; }
527*08b48e0bSAndroid Build Coastguard Worker   read_afl_environment(afl, envp);
528*08b48e0bSAndroid Build Coastguard Worker   if (afl->shm.map_size) { afl->fsrv.map_size = afl->shm.map_size; }
529*08b48e0bSAndroid Build Coastguard Worker   exit_1 = !!afl->afl_env.afl_bench_just_one;
530*08b48e0bSAndroid Build Coastguard Worker 
531*08b48e0bSAndroid Build Coastguard Worker   SAYF(cCYA "afl-fuzz" VERSION cRST
532*08b48e0bSAndroid Build Coastguard Worker             " based on afl by Michal Zalewski and a large online community\n");
533*08b48e0bSAndroid Build Coastguard Worker 
534*08b48e0bSAndroid Build Coastguard Worker   gettimeofday(&tv, &tz);
535*08b48e0bSAndroid Build Coastguard Worker   rand_set_seed(afl, tv.tv_sec ^ tv.tv_usec ^ getpid());
536*08b48e0bSAndroid Build Coastguard Worker 
537*08b48e0bSAndroid Build Coastguard Worker   afl->shmem_testcase_mode = 1;  // we always try to perform shmem fuzzing
538*08b48e0bSAndroid Build Coastguard Worker 
539*08b48e0bSAndroid Build Coastguard Worker   // still available: HjJkKqruvwz
540*08b48e0bSAndroid Build Coastguard Worker   while ((opt = getopt(argc, argv,
541*08b48e0bSAndroid Build Coastguard Worker                        "+a:Ab:B:c:CdDe:E:f:F:g:G:hi:I:l:L:m:M:nNo:Op:P:QRs:S:t:"
542*08b48e0bSAndroid Build Coastguard Worker                        "T:UV:WXx:YZ")) > 0) {
543*08b48e0bSAndroid Build Coastguard Worker 
544*08b48e0bSAndroid Build Coastguard Worker     switch (opt) {
545*08b48e0bSAndroid Build Coastguard Worker 
546*08b48e0bSAndroid Build Coastguard Worker       case 'a':
547*08b48e0bSAndroid Build Coastguard Worker 
548*08b48e0bSAndroid Build Coastguard Worker         if (!stricmp(optarg, "text") || !stricmp(optarg, "ascii") ||
549*08b48e0bSAndroid Build Coastguard Worker             !stricmp(optarg, "txt") || !stricmp(optarg, "asc")) {
550*08b48e0bSAndroid Build Coastguard Worker 
551*08b48e0bSAndroid Build Coastguard Worker           afl->input_mode = 1;
552*08b48e0bSAndroid Build Coastguard Worker 
553*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "bin") || !stricmp(optarg, "binary")) {
554*08b48e0bSAndroid Build Coastguard Worker 
555*08b48e0bSAndroid Build Coastguard Worker           afl->input_mode = 2;
556*08b48e0bSAndroid Build Coastguard Worker 
557*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "def") || !stricmp(optarg, "default")) {
558*08b48e0bSAndroid Build Coastguard Worker 
559*08b48e0bSAndroid Build Coastguard Worker           afl->input_mode = 0;
560*08b48e0bSAndroid Build Coastguard Worker 
561*08b48e0bSAndroid Build Coastguard Worker         } else {
562*08b48e0bSAndroid Build Coastguard Worker 
563*08b48e0bSAndroid Build Coastguard Worker           FATAL("-a input mode needs to be \"text\" or \"binary\".");
564*08b48e0bSAndroid Build Coastguard Worker 
565*08b48e0bSAndroid Build Coastguard Worker         }
566*08b48e0bSAndroid Build Coastguard Worker 
567*08b48e0bSAndroid Build Coastguard Worker         break;
568*08b48e0bSAndroid Build Coastguard Worker 
569*08b48e0bSAndroid Build Coastguard Worker       case 'P':
570*08b48e0bSAndroid Build Coastguard Worker         if (!stricmp(optarg, "explore") || !stricmp(optarg, "exploration")) {
571*08b48e0bSAndroid Build Coastguard Worker 
572*08b48e0bSAndroid Build Coastguard Worker           afl->fuzz_mode = 0;
573*08b48e0bSAndroid Build Coastguard Worker           afl->switch_fuzz_mode = 0;
574*08b48e0bSAndroid Build Coastguard Worker 
575*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "exploit") ||
576*08b48e0bSAndroid Build Coastguard Worker 
577*08b48e0bSAndroid Build Coastguard Worker                    !stricmp(optarg, "exploitation")) {
578*08b48e0bSAndroid Build Coastguard Worker 
579*08b48e0bSAndroid Build Coastguard Worker           afl->fuzz_mode = 1;
580*08b48e0bSAndroid Build Coastguard Worker           afl->switch_fuzz_mode = 0;
581*08b48e0bSAndroid Build Coastguard Worker 
582*08b48e0bSAndroid Build Coastguard Worker         } else {
583*08b48e0bSAndroid Build Coastguard Worker 
584*08b48e0bSAndroid Build Coastguard Worker           if ((afl->switch_fuzz_mode = (u32)atoi(optarg)) > INT_MAX) {
585*08b48e0bSAndroid Build Coastguard Worker 
586*08b48e0bSAndroid Build Coastguard Worker             FATAL(
587*08b48e0bSAndroid Build Coastguard Worker                 "Parameter for option -P must be \"explore\", \"exploit\" or a "
588*08b48e0bSAndroid Build Coastguard Worker                 "number!");
589*08b48e0bSAndroid Build Coastguard Worker 
590*08b48e0bSAndroid Build Coastguard Worker           } else {
591*08b48e0bSAndroid Build Coastguard Worker 
592*08b48e0bSAndroid Build Coastguard Worker             afl->switch_fuzz_mode *= 1000;
593*08b48e0bSAndroid Build Coastguard Worker 
594*08b48e0bSAndroid Build Coastguard Worker           }
595*08b48e0bSAndroid Build Coastguard Worker 
596*08b48e0bSAndroid Build Coastguard Worker         }
597*08b48e0bSAndroid Build Coastguard Worker 
598*08b48e0bSAndroid Build Coastguard Worker         break;
599*08b48e0bSAndroid Build Coastguard Worker 
600*08b48e0bSAndroid Build Coastguard Worker       case 'g':
601*08b48e0bSAndroid Build Coastguard Worker         afl->min_length = atoi(optarg);
602*08b48e0bSAndroid Build Coastguard Worker         break;
603*08b48e0bSAndroid Build Coastguard Worker 
604*08b48e0bSAndroid Build Coastguard Worker       case 'G':
605*08b48e0bSAndroid Build Coastguard Worker         afl->max_length = atoi(optarg);
606*08b48e0bSAndroid Build Coastguard Worker         break;
607*08b48e0bSAndroid Build Coastguard Worker 
608*08b48e0bSAndroid Build Coastguard Worker       case 'Z':
609*08b48e0bSAndroid Build Coastguard Worker         afl->old_seed_selection = 1;
610*08b48e0bSAndroid Build Coastguard Worker         break;
611*08b48e0bSAndroid Build Coastguard Worker 
612*08b48e0bSAndroid Build Coastguard Worker       case 'I':
613*08b48e0bSAndroid Build Coastguard Worker         afl->infoexec = optarg;
614*08b48e0bSAndroid Build Coastguard Worker         break;
615*08b48e0bSAndroid Build Coastguard Worker 
616*08b48e0bSAndroid Build Coastguard Worker       case 'b': {                                          /* bind CPU core */
617*08b48e0bSAndroid Build Coastguard Worker 
618*08b48e0bSAndroid Build Coastguard Worker         if (afl->cpu_to_bind != -1) FATAL("Multiple -b options not supported");
619*08b48e0bSAndroid Build Coastguard Worker 
620*08b48e0bSAndroid Build Coastguard Worker         if (sscanf(optarg, "%d", &afl->cpu_to_bind) < 0) {
621*08b48e0bSAndroid Build Coastguard Worker 
622*08b48e0bSAndroid Build Coastguard Worker           FATAL("Bad syntax used for -b");
623*08b48e0bSAndroid Build Coastguard Worker 
624*08b48e0bSAndroid Build Coastguard Worker         }
625*08b48e0bSAndroid Build Coastguard Worker 
626*08b48e0bSAndroid Build Coastguard Worker         break;
627*08b48e0bSAndroid Build Coastguard Worker 
628*08b48e0bSAndroid Build Coastguard Worker       }
629*08b48e0bSAndroid Build Coastguard Worker 
630*08b48e0bSAndroid Build Coastguard Worker       case 'c': {
631*08b48e0bSAndroid Build Coastguard Worker 
632*08b48e0bSAndroid Build Coastguard Worker         if (strcmp(optarg, "-") == 0) {
633*08b48e0bSAndroid Build Coastguard Worker 
634*08b48e0bSAndroid Build Coastguard Worker           if (afl->shm.cmplog_mode) {
635*08b48e0bSAndroid Build Coastguard Worker 
636*08b48e0bSAndroid Build Coastguard Worker             ACTF("Disabling cmplog again because of '-c -'.");
637*08b48e0bSAndroid Build Coastguard Worker             afl->shm.cmplog_mode = 0;
638*08b48e0bSAndroid Build Coastguard Worker             afl->cmplog_binary = NULL;
639*08b48e0bSAndroid Build Coastguard Worker 
640*08b48e0bSAndroid Build Coastguard Worker           }
641*08b48e0bSAndroid Build Coastguard Worker 
642*08b48e0bSAndroid Build Coastguard Worker         } else {
643*08b48e0bSAndroid Build Coastguard Worker 
644*08b48e0bSAndroid Build Coastguard Worker           afl->shm.cmplog_mode = 1;
645*08b48e0bSAndroid Build Coastguard Worker           afl->cmplog_binary = ck_strdup(optarg);
646*08b48e0bSAndroid Build Coastguard Worker 
647*08b48e0bSAndroid Build Coastguard Worker         }
648*08b48e0bSAndroid Build Coastguard Worker 
649*08b48e0bSAndroid Build Coastguard Worker         break;
650*08b48e0bSAndroid Build Coastguard Worker 
651*08b48e0bSAndroid Build Coastguard Worker       }
652*08b48e0bSAndroid Build Coastguard Worker 
653*08b48e0bSAndroid Build Coastguard Worker       case 's': {
654*08b48e0bSAndroid Build Coastguard Worker 
655*08b48e0bSAndroid Build Coastguard Worker         if (optarg == NULL) { FATAL("No valid seed provided. Got NULL."); }
656*08b48e0bSAndroid Build Coastguard Worker         rand_set_seed(afl, strtoul(optarg, 0L, 10));
657*08b48e0bSAndroid Build Coastguard Worker         afl->fixed_seed = 1;
658*08b48e0bSAndroid Build Coastguard Worker         break;
659*08b48e0bSAndroid Build Coastguard Worker 
660*08b48e0bSAndroid Build Coastguard Worker       }
661*08b48e0bSAndroid Build Coastguard Worker 
662*08b48e0bSAndroid Build Coastguard Worker       case 'p':                                           /* Power schedule */
663*08b48e0bSAndroid Build Coastguard Worker 
664*08b48e0bSAndroid Build Coastguard Worker         if (!stricmp(optarg, "fast")) {
665*08b48e0bSAndroid Build Coastguard Worker 
666*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = FAST;
667*08b48e0bSAndroid Build Coastguard Worker 
668*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "coe")) {
669*08b48e0bSAndroid Build Coastguard Worker 
670*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = COE;
671*08b48e0bSAndroid Build Coastguard Worker 
672*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "exploit")) {
673*08b48e0bSAndroid Build Coastguard Worker 
674*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = EXPLOIT;
675*08b48e0bSAndroid Build Coastguard Worker 
676*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "lin")) {
677*08b48e0bSAndroid Build Coastguard Worker 
678*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = LIN;
679*08b48e0bSAndroid Build Coastguard Worker 
680*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "quad")) {
681*08b48e0bSAndroid Build Coastguard Worker 
682*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = QUAD;
683*08b48e0bSAndroid Build Coastguard Worker 
684*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "mopt") || !stricmp(optarg, "mmopt")) {
685*08b48e0bSAndroid Build Coastguard Worker 
686*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = MMOPT;
687*08b48e0bSAndroid Build Coastguard Worker 
688*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "rare")) {
689*08b48e0bSAndroid Build Coastguard Worker 
690*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = RARE;
691*08b48e0bSAndroid Build Coastguard Worker 
692*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "afl") ||
693*08b48e0bSAndroid Build Coastguard Worker 
694*08b48e0bSAndroid Build Coastguard Worker                    !stricmp(optarg, "default") ||
695*08b48e0bSAndroid Build Coastguard Worker 
696*08b48e0bSAndroid Build Coastguard Worker                    !stricmp(optarg, "normal")) {
697*08b48e0bSAndroid Build Coastguard Worker 
698*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = EXPLORE;
699*08b48e0bSAndroid Build Coastguard Worker 
700*08b48e0bSAndroid Build Coastguard Worker         } else if (!stricmp(optarg, "seek")) {
701*08b48e0bSAndroid Build Coastguard Worker 
702*08b48e0bSAndroid Build Coastguard Worker           afl->schedule = SEEK;
703*08b48e0bSAndroid Build Coastguard Worker 
704*08b48e0bSAndroid Build Coastguard Worker         } else {
705*08b48e0bSAndroid Build Coastguard Worker 
706*08b48e0bSAndroid Build Coastguard Worker           FATAL("Unknown -p power schedule");
707*08b48e0bSAndroid Build Coastguard Worker 
708*08b48e0bSAndroid Build Coastguard Worker         }
709*08b48e0bSAndroid Build Coastguard Worker 
710*08b48e0bSAndroid Build Coastguard Worker         // have_p = 1;
711*08b48e0bSAndroid Build Coastguard Worker 
712*08b48e0bSAndroid Build Coastguard Worker         break;
713*08b48e0bSAndroid Build Coastguard Worker 
714*08b48e0bSAndroid Build Coastguard Worker       case 'e':
715*08b48e0bSAndroid Build Coastguard Worker 
716*08b48e0bSAndroid Build Coastguard Worker         if (afl->file_extension) { FATAL("Multiple -e options not supported"); }
717*08b48e0bSAndroid Build Coastguard Worker 
718*08b48e0bSAndroid Build Coastguard Worker         afl->file_extension = optarg;
719*08b48e0bSAndroid Build Coastguard Worker 
720*08b48e0bSAndroid Build Coastguard Worker         break;
721*08b48e0bSAndroid Build Coastguard Worker 
722*08b48e0bSAndroid Build Coastguard Worker       case 'i':                                                /* input dir */
723*08b48e0bSAndroid Build Coastguard Worker 
724*08b48e0bSAndroid Build Coastguard Worker         if (afl->in_dir) { FATAL("Multiple -i options not supported"); }
725*08b48e0bSAndroid Build Coastguard Worker         if (optarg == NULL) { FATAL("Invalid -i option (got NULL)."); }
726*08b48e0bSAndroid Build Coastguard Worker         afl->in_dir = optarg;
727*08b48e0bSAndroid Build Coastguard Worker 
728*08b48e0bSAndroid Build Coastguard Worker         if (!strcmp(afl->in_dir, "-")) { afl->in_place_resume = 1; }
729*08b48e0bSAndroid Build Coastguard Worker 
730*08b48e0bSAndroid Build Coastguard Worker         break;
731*08b48e0bSAndroid Build Coastguard Worker 
732*08b48e0bSAndroid Build Coastguard Worker       case 'o':                                               /* output dir */
733*08b48e0bSAndroid Build Coastguard Worker 
734*08b48e0bSAndroid Build Coastguard Worker         if (afl->out_dir) { FATAL("Multiple -o options not supported"); }
735*08b48e0bSAndroid Build Coastguard Worker         afl->out_dir = optarg;
736*08b48e0bSAndroid Build Coastguard Worker         break;
737*08b48e0bSAndroid Build Coastguard Worker 
738*08b48e0bSAndroid Build Coastguard Worker       case 'M': {                                           /* main sync ID */
739*08b48e0bSAndroid Build Coastguard Worker 
740*08b48e0bSAndroid Build Coastguard Worker         u8 *c;
741*08b48e0bSAndroid Build Coastguard Worker 
742*08b48e0bSAndroid Build Coastguard Worker         if (afl->non_instrumented_mode) {
743*08b48e0bSAndroid Build Coastguard Worker 
744*08b48e0bSAndroid Build Coastguard Worker           FATAL("-M is not supported in non-instrumented mode");
745*08b48e0bSAndroid Build Coastguard Worker 
746*08b48e0bSAndroid Build Coastguard Worker         }
747*08b48e0bSAndroid Build Coastguard Worker 
748*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.cs_mode) {
749*08b48e0bSAndroid Build Coastguard Worker 
750*08b48e0bSAndroid Build Coastguard Worker           FATAL("-M is not supported in ARM CoreSight mode");
751*08b48e0bSAndroid Build Coastguard Worker 
752*08b48e0bSAndroid Build Coastguard Worker         }
753*08b48e0bSAndroid Build Coastguard Worker 
754*08b48e0bSAndroid Build Coastguard Worker         if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
755*08b48e0bSAndroid Build Coastguard Worker 
756*08b48e0bSAndroid Build Coastguard Worker         /* sanity check for argument: should not begin with '-' (possible
757*08b48e0bSAndroid Build Coastguard Worker          * option) */
758*08b48e0bSAndroid Build Coastguard Worker         if (optarg && *optarg == '-') {
759*08b48e0bSAndroid Build Coastguard Worker 
760*08b48e0bSAndroid Build Coastguard Worker           FATAL(
761*08b48e0bSAndroid Build Coastguard Worker               "argument for -M started with a dash '-', which is used for "
762*08b48e0bSAndroid Build Coastguard Worker               "options");
763*08b48e0bSAndroid Build Coastguard Worker 
764*08b48e0bSAndroid Build Coastguard Worker         }
765*08b48e0bSAndroid Build Coastguard Worker 
766*08b48e0bSAndroid Build Coastguard Worker         afl->sync_id = ck_strdup(optarg);
767*08b48e0bSAndroid Build Coastguard Worker         afl->old_seed_selection = 1;  // force old queue walking seed selection
768*08b48e0bSAndroid Build Coastguard Worker         afl->disable_trim = 1;        // disable trimming
769*08b48e0bSAndroid Build Coastguard Worker 
770*08b48e0bSAndroid Build Coastguard Worker         if ((c = strchr(afl->sync_id, ':'))) {
771*08b48e0bSAndroid Build Coastguard Worker 
772*08b48e0bSAndroid Build Coastguard Worker           *c = 0;
773*08b48e0bSAndroid Build Coastguard Worker 
774*08b48e0bSAndroid Build Coastguard Worker           if (sscanf(c + 1, "%u/%u", &afl->main_node_id, &afl->main_node_max) !=
775*08b48e0bSAndroid Build Coastguard Worker                   2 ||
776*08b48e0bSAndroid Build Coastguard Worker               !afl->main_node_id || !afl->main_node_max ||
777*08b48e0bSAndroid Build Coastguard Worker               afl->main_node_id > afl->main_node_max ||
778*08b48e0bSAndroid Build Coastguard Worker               afl->main_node_max > 1000000) {
779*08b48e0bSAndroid Build Coastguard Worker 
780*08b48e0bSAndroid Build Coastguard Worker             FATAL("Bogus main node ID passed to -M");
781*08b48e0bSAndroid Build Coastguard Worker 
782*08b48e0bSAndroid Build Coastguard Worker           }
783*08b48e0bSAndroid Build Coastguard Worker 
784*08b48e0bSAndroid Build Coastguard Worker         }
785*08b48e0bSAndroid Build Coastguard Worker 
786*08b48e0bSAndroid Build Coastguard Worker         afl->is_main_node = 1;
787*08b48e0bSAndroid Build Coastguard Worker 
788*08b48e0bSAndroid Build Coastguard Worker       }
789*08b48e0bSAndroid Build Coastguard Worker 
790*08b48e0bSAndroid Build Coastguard Worker       break;
791*08b48e0bSAndroid Build Coastguard Worker 
792*08b48e0bSAndroid Build Coastguard Worker       case 'S':                                        /* secondary sync id */
793*08b48e0bSAndroid Build Coastguard Worker 
794*08b48e0bSAndroid Build Coastguard Worker         if (afl->non_instrumented_mode) {
795*08b48e0bSAndroid Build Coastguard Worker 
796*08b48e0bSAndroid Build Coastguard Worker           FATAL("-S is not supported in non-instrumented mode");
797*08b48e0bSAndroid Build Coastguard Worker 
798*08b48e0bSAndroid Build Coastguard Worker         }
799*08b48e0bSAndroid Build Coastguard Worker 
800*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.cs_mode) {
801*08b48e0bSAndroid Build Coastguard Worker 
802*08b48e0bSAndroid Build Coastguard Worker           FATAL("-S is not supported in ARM CoreSight mode");
803*08b48e0bSAndroid Build Coastguard Worker 
804*08b48e0bSAndroid Build Coastguard Worker         }
805*08b48e0bSAndroid Build Coastguard Worker 
806*08b48e0bSAndroid Build Coastguard Worker         if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
807*08b48e0bSAndroid Build Coastguard Worker 
808*08b48e0bSAndroid Build Coastguard Worker         /* sanity check for argument: should not begin with '-' (possible
809*08b48e0bSAndroid Build Coastguard Worker          * option) */
810*08b48e0bSAndroid Build Coastguard Worker         if (optarg && *optarg == '-') {
811*08b48e0bSAndroid Build Coastguard Worker 
812*08b48e0bSAndroid Build Coastguard Worker           FATAL(
813*08b48e0bSAndroid Build Coastguard Worker               "argument for -M started with a dash '-', which is used for "
814*08b48e0bSAndroid Build Coastguard Worker               "options");
815*08b48e0bSAndroid Build Coastguard Worker 
816*08b48e0bSAndroid Build Coastguard Worker         }
817*08b48e0bSAndroid Build Coastguard Worker 
818*08b48e0bSAndroid Build Coastguard Worker         afl->sync_id = ck_strdup(optarg);
819*08b48e0bSAndroid Build Coastguard Worker         afl->is_secondary_node = 1;
820*08b48e0bSAndroid Build Coastguard Worker         break;
821*08b48e0bSAndroid Build Coastguard Worker 
822*08b48e0bSAndroid Build Coastguard Worker       case 'F':                                         /* foreign sync dir */
823*08b48e0bSAndroid Build Coastguard Worker 
824*08b48e0bSAndroid Build Coastguard Worker         if (!optarg) { FATAL("Missing path for -F"); }
825*08b48e0bSAndroid Build Coastguard Worker         if (!afl->is_main_node) {
826*08b48e0bSAndroid Build Coastguard Worker 
827*08b48e0bSAndroid Build Coastguard Worker           FATAL(
828*08b48e0bSAndroid Build Coastguard Worker               "Option -F can only be specified after the -M option for the "
829*08b48e0bSAndroid Build Coastguard Worker               "main fuzzer of a fuzzing campaign");
830*08b48e0bSAndroid Build Coastguard Worker 
831*08b48e0bSAndroid Build Coastguard Worker         }
832*08b48e0bSAndroid Build Coastguard Worker 
833*08b48e0bSAndroid Build Coastguard Worker         if (afl->foreign_sync_cnt >= FOREIGN_SYNCS_MAX) {
834*08b48e0bSAndroid Build Coastguard Worker 
835*08b48e0bSAndroid Build Coastguard Worker           FATAL("Maximum %u entried of -F option can be specified",
836*08b48e0bSAndroid Build Coastguard Worker                 FOREIGN_SYNCS_MAX);
837*08b48e0bSAndroid Build Coastguard Worker 
838*08b48e0bSAndroid Build Coastguard Worker         }
839*08b48e0bSAndroid Build Coastguard Worker 
840*08b48e0bSAndroid Build Coastguard Worker         afl->foreign_syncs[afl->foreign_sync_cnt].dir = optarg;
841*08b48e0bSAndroid Build Coastguard Worker         while (afl->foreign_syncs[afl->foreign_sync_cnt]
842*08b48e0bSAndroid Build Coastguard Worker                    .dir[strlen(afl->foreign_syncs[afl->foreign_sync_cnt].dir) -
843*08b48e0bSAndroid Build Coastguard Worker                         1] == '/') {
844*08b48e0bSAndroid Build Coastguard Worker 
845*08b48e0bSAndroid Build Coastguard Worker           afl->foreign_syncs[afl->foreign_sync_cnt]
846*08b48e0bSAndroid Build Coastguard Worker               .dir[strlen(afl->foreign_syncs[afl->foreign_sync_cnt].dir) - 1] =
847*08b48e0bSAndroid Build Coastguard Worker               0;
848*08b48e0bSAndroid Build Coastguard Worker 
849*08b48e0bSAndroid Build Coastguard Worker         }
850*08b48e0bSAndroid Build Coastguard Worker 
851*08b48e0bSAndroid Build Coastguard Worker         afl->foreign_sync_cnt++;
852*08b48e0bSAndroid Build Coastguard Worker         break;
853*08b48e0bSAndroid Build Coastguard Worker 
854*08b48e0bSAndroid Build Coastguard Worker       case 'f':                                              /* target file */
855*08b48e0bSAndroid Build Coastguard Worker 
856*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.out_file) { FATAL("Multiple -f options not supported"); }
857*08b48e0bSAndroid Build Coastguard Worker 
858*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.out_file = ck_strdup(optarg);
859*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.use_stdin = 0;
860*08b48e0bSAndroid Build Coastguard Worker         default_output = 0;
861*08b48e0bSAndroid Build Coastguard Worker         break;
862*08b48e0bSAndroid Build Coastguard Worker 
863*08b48e0bSAndroid Build Coastguard Worker       case 'x':                                               /* dictionary */
864*08b48e0bSAndroid Build Coastguard Worker 
865*08b48e0bSAndroid Build Coastguard Worker         if (extras_dir_cnt >= 4) {
866*08b48e0bSAndroid Build Coastguard Worker 
867*08b48e0bSAndroid Build Coastguard Worker           FATAL("More than four -x options are not supported");
868*08b48e0bSAndroid Build Coastguard Worker 
869*08b48e0bSAndroid Build Coastguard Worker         }
870*08b48e0bSAndroid Build Coastguard Worker 
871*08b48e0bSAndroid Build Coastguard Worker         extras_dir[extras_dir_cnt++] = optarg;
872*08b48e0bSAndroid Build Coastguard Worker         break;
873*08b48e0bSAndroid Build Coastguard Worker 
874*08b48e0bSAndroid Build Coastguard Worker       case 't': {                                                /* timeout */
875*08b48e0bSAndroid Build Coastguard Worker 
876*08b48e0bSAndroid Build Coastguard Worker         u8 suffix = 0;
877*08b48e0bSAndroid Build Coastguard Worker 
878*08b48e0bSAndroid Build Coastguard Worker         if (afl->timeout_given) { FATAL("Multiple -t options not supported"); }
879*08b48e0bSAndroid Build Coastguard Worker 
880*08b48e0bSAndroid Build Coastguard Worker         if (!optarg ||
881*08b48e0bSAndroid Build Coastguard Worker             sscanf(optarg, "%u%c", &afl->fsrv.exec_tmout, &suffix) < 1 ||
882*08b48e0bSAndroid Build Coastguard Worker             optarg[0] == '-') {
883*08b48e0bSAndroid Build Coastguard Worker 
884*08b48e0bSAndroid Build Coastguard Worker           FATAL("Bad syntax used for -t");
885*08b48e0bSAndroid Build Coastguard Worker 
886*08b48e0bSAndroid Build Coastguard Worker         }
887*08b48e0bSAndroid Build Coastguard Worker 
888*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.exec_tmout < 5) { FATAL("Dangerously low value of -t"); }
889*08b48e0bSAndroid Build Coastguard Worker 
890*08b48e0bSAndroid Build Coastguard Worker         if (suffix == '+') {
891*08b48e0bSAndroid Build Coastguard Worker 
892*08b48e0bSAndroid Build Coastguard Worker           afl->timeout_given = 2;
893*08b48e0bSAndroid Build Coastguard Worker 
894*08b48e0bSAndroid Build Coastguard Worker         } else {
895*08b48e0bSAndroid Build Coastguard Worker 
896*08b48e0bSAndroid Build Coastguard Worker           afl->timeout_given = 1;
897*08b48e0bSAndroid Build Coastguard Worker 
898*08b48e0bSAndroid Build Coastguard Worker         }
899*08b48e0bSAndroid Build Coastguard Worker 
900*08b48e0bSAndroid Build Coastguard Worker         break;
901*08b48e0bSAndroid Build Coastguard Worker 
902*08b48e0bSAndroid Build Coastguard Worker       }
903*08b48e0bSAndroid Build Coastguard Worker 
904*08b48e0bSAndroid Build Coastguard Worker       case 'm': {                                              /* mem limit */
905*08b48e0bSAndroid Build Coastguard Worker 
906*08b48e0bSAndroid Build Coastguard Worker         u8 suffix = 'M';
907*08b48e0bSAndroid Build Coastguard Worker 
908*08b48e0bSAndroid Build Coastguard Worker         if (mem_limit_given) { FATAL("Multiple -m options not supported"); }
909*08b48e0bSAndroid Build Coastguard Worker         mem_limit_given = 1;
910*08b48e0bSAndroid Build Coastguard Worker 
911*08b48e0bSAndroid Build Coastguard Worker         if (!optarg) { FATAL("Wrong usage of -m"); }
912*08b48e0bSAndroid Build Coastguard Worker 
913*08b48e0bSAndroid Build Coastguard Worker         if (!strcmp(optarg, "none")) {
914*08b48e0bSAndroid Build Coastguard Worker 
915*08b48e0bSAndroid Build Coastguard Worker           afl->fsrv.mem_limit = 0;
916*08b48e0bSAndroid Build Coastguard Worker           break;
917*08b48e0bSAndroid Build Coastguard Worker 
918*08b48e0bSAndroid Build Coastguard Worker         }
919*08b48e0bSAndroid Build Coastguard Worker 
920*08b48e0bSAndroid Build Coastguard Worker         if (sscanf(optarg, "%llu%c", &afl->fsrv.mem_limit, &suffix) < 1 ||
921*08b48e0bSAndroid Build Coastguard Worker             optarg[0] == '-') {
922*08b48e0bSAndroid Build Coastguard Worker 
923*08b48e0bSAndroid Build Coastguard Worker           FATAL("Bad syntax used for -m");
924*08b48e0bSAndroid Build Coastguard Worker 
925*08b48e0bSAndroid Build Coastguard Worker         }
926*08b48e0bSAndroid Build Coastguard Worker 
927*08b48e0bSAndroid Build Coastguard Worker         switch (suffix) {
928*08b48e0bSAndroid Build Coastguard Worker 
929*08b48e0bSAndroid Build Coastguard Worker           case 'T':
930*08b48e0bSAndroid Build Coastguard Worker             afl->fsrv.mem_limit *= 1024 * 1024;
931*08b48e0bSAndroid Build Coastguard Worker             break;
932*08b48e0bSAndroid Build Coastguard Worker           case 'G':
933*08b48e0bSAndroid Build Coastguard Worker             afl->fsrv.mem_limit *= 1024;
934*08b48e0bSAndroid Build Coastguard Worker             break;
935*08b48e0bSAndroid Build Coastguard Worker           case 'k':
936*08b48e0bSAndroid Build Coastguard Worker             afl->fsrv.mem_limit /= 1024;
937*08b48e0bSAndroid Build Coastguard Worker             break;
938*08b48e0bSAndroid Build Coastguard Worker           case 'M':
939*08b48e0bSAndroid Build Coastguard Worker             break;
940*08b48e0bSAndroid Build Coastguard Worker 
941*08b48e0bSAndroid Build Coastguard Worker           default:
942*08b48e0bSAndroid Build Coastguard Worker             FATAL("Unsupported suffix or bad syntax for -m");
943*08b48e0bSAndroid Build Coastguard Worker 
944*08b48e0bSAndroid Build Coastguard Worker         }
945*08b48e0bSAndroid Build Coastguard Worker 
946*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.mem_limit < 5) { FATAL("Dangerously low value of -m"); }
947*08b48e0bSAndroid Build Coastguard Worker 
948*08b48e0bSAndroid Build Coastguard Worker         if (sizeof(rlim_t) == 4 && afl->fsrv.mem_limit > 2000) {
949*08b48e0bSAndroid Build Coastguard Worker 
950*08b48e0bSAndroid Build Coastguard Worker           FATAL("Value of -m out of range on 32-bit systems");
951*08b48e0bSAndroid Build Coastguard Worker 
952*08b48e0bSAndroid Build Coastguard Worker         }
953*08b48e0bSAndroid Build Coastguard Worker 
954*08b48e0bSAndroid Build Coastguard Worker       }
955*08b48e0bSAndroid Build Coastguard Worker 
956*08b48e0bSAndroid Build Coastguard Worker       break;
957*08b48e0bSAndroid Build Coastguard Worker 
958*08b48e0bSAndroid Build Coastguard Worker       case 'D':                                    /* partial deterministic */
959*08b48e0bSAndroid Build Coastguard Worker 
960*08b48e0bSAndroid Build Coastguard Worker         afl->skip_deterministic = 0;
961*08b48e0bSAndroid Build Coastguard Worker         break;
962*08b48e0bSAndroid Build Coastguard Worker 
963*08b48e0bSAndroid Build Coastguard Worker       case 'd':                                         /* no deterministic */
964*08b48e0bSAndroid Build Coastguard Worker 
965*08b48e0bSAndroid Build Coastguard Worker         // this is the default and currently a lot of infrastructure enforces
966*08b48e0bSAndroid Build Coastguard Worker         // it (e.g. clusterfuzz, fuzzbench) based on that this feature
967*08b48e0bSAndroid Build Coastguard Worker         // originally was bad performance wise. We now have a better
968*08b48e0bSAndroid Build Coastguard Worker         // implementation, hence if it is activated, we do not want to
969*08b48e0bSAndroid Build Coastguard Worker         // deactivate it by such setups.
970*08b48e0bSAndroid Build Coastguard Worker 
971*08b48e0bSAndroid Build Coastguard Worker         // afl->skip_deterministic = 1;
972*08b48e0bSAndroid Build Coastguard Worker         break;
973*08b48e0bSAndroid Build Coastguard Worker 
974*08b48e0bSAndroid Build Coastguard Worker       case 'B':                                              /* load bitmap */
975*08b48e0bSAndroid Build Coastguard Worker 
976*08b48e0bSAndroid Build Coastguard Worker         /* This is a secret undocumented option! It is useful if you find
977*08b48e0bSAndroid Build Coastguard Worker            an interesting test case during a normal fuzzing process, and want
978*08b48e0bSAndroid Build Coastguard Worker            to mutate it without rediscovering any of the test cases already
979*08b48e0bSAndroid Build Coastguard Worker            found during an earlier run.
980*08b48e0bSAndroid Build Coastguard Worker 
981*08b48e0bSAndroid Build Coastguard Worker            To use this mode, you need to point -B to the fuzz_bitmap produced
982*08b48e0bSAndroid Build Coastguard Worker            by an earlier run for the exact same binary... and that's it.
983*08b48e0bSAndroid Build Coastguard Worker 
984*08b48e0bSAndroid Build Coastguard Worker            I only used this once or twice to get variants of a particular
985*08b48e0bSAndroid Build Coastguard Worker            file, so I'm not making this an official setting. */
986*08b48e0bSAndroid Build Coastguard Worker 
987*08b48e0bSAndroid Build Coastguard Worker         if (afl->in_bitmap) { FATAL("Multiple -B options not supported"); }
988*08b48e0bSAndroid Build Coastguard Worker 
989*08b48e0bSAndroid Build Coastguard Worker         afl->in_bitmap = optarg;
990*08b48e0bSAndroid Build Coastguard Worker         break;
991*08b48e0bSAndroid Build Coastguard Worker 
992*08b48e0bSAndroid Build Coastguard Worker       case 'C':                                               /* crash mode */
993*08b48e0bSAndroid Build Coastguard Worker 
994*08b48e0bSAndroid Build Coastguard Worker         if (afl->crash_mode) { FATAL("Multiple -C options not supported"); }
995*08b48e0bSAndroid Build Coastguard Worker         afl->crash_mode = FSRV_RUN_CRASH;
996*08b48e0bSAndroid Build Coastguard Worker         break;
997*08b48e0bSAndroid Build Coastguard Worker 
998*08b48e0bSAndroid Build Coastguard Worker       case 'n':                                                /* dumb mode */
999*08b48e0bSAndroid Build Coastguard Worker 
1000*08b48e0bSAndroid Build Coastguard Worker         if (afl->is_main_node || afl->is_secondary_node) {
1001*08b48e0bSAndroid Build Coastguard Worker 
1002*08b48e0bSAndroid Build Coastguard Worker           FATAL("Non instrumented mode is not supported with -M / -S");
1003*08b48e0bSAndroid Build Coastguard Worker 
1004*08b48e0bSAndroid Build Coastguard Worker         }
1005*08b48e0bSAndroid Build Coastguard Worker 
1006*08b48e0bSAndroid Build Coastguard Worker         if (afl->non_instrumented_mode) {
1007*08b48e0bSAndroid Build Coastguard Worker 
1008*08b48e0bSAndroid Build Coastguard Worker           FATAL("Multiple -n options not supported");
1009*08b48e0bSAndroid Build Coastguard Worker 
1010*08b48e0bSAndroid Build Coastguard Worker         }
1011*08b48e0bSAndroid Build Coastguard Worker 
1012*08b48e0bSAndroid Build Coastguard Worker         if (afl->afl_env.afl_dumb_forksrv) {
1013*08b48e0bSAndroid Build Coastguard Worker 
1014*08b48e0bSAndroid Build Coastguard Worker           afl->non_instrumented_mode = 2;
1015*08b48e0bSAndroid Build Coastguard Worker 
1016*08b48e0bSAndroid Build Coastguard Worker         } else {
1017*08b48e0bSAndroid Build Coastguard Worker 
1018*08b48e0bSAndroid Build Coastguard Worker           afl->non_instrumented_mode = 1;
1019*08b48e0bSAndroid Build Coastguard Worker 
1020*08b48e0bSAndroid Build Coastguard Worker         }
1021*08b48e0bSAndroid Build Coastguard Worker 
1022*08b48e0bSAndroid Build Coastguard Worker         break;
1023*08b48e0bSAndroid Build Coastguard Worker 
1024*08b48e0bSAndroid Build Coastguard Worker       case 'T':                                                   /* banner */
1025*08b48e0bSAndroid Build Coastguard Worker 
1026*08b48e0bSAndroid Build Coastguard Worker         if (afl->use_banner) { FATAL("Multiple -T options not supported"); }
1027*08b48e0bSAndroid Build Coastguard Worker         afl->use_banner = optarg;
1028*08b48e0bSAndroid Build Coastguard Worker         break;
1029*08b48e0bSAndroid Build Coastguard Worker 
1030*08b48e0bSAndroid Build Coastguard Worker   #ifdef __linux__
1031*08b48e0bSAndroid Build Coastguard Worker       case 'X':                                                 /* NYX mode */
1032*08b48e0bSAndroid Build Coastguard Worker 
1033*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.nyx_mode) { FATAL("Multiple -X options not supported"); }
1034*08b48e0bSAndroid Build Coastguard Worker 
1035*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.nyx_parent = true;
1036*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.nyx_standalone = true;
1037*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.nyx_mode = 1;
1038*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.nyx_id = 0;
1039*08b48e0bSAndroid Build Coastguard Worker 
1040*08b48e0bSAndroid Build Coastguard Worker         break;
1041*08b48e0bSAndroid Build Coastguard Worker 
1042*08b48e0bSAndroid Build Coastguard Worker       case 'Y':                                     /* NYX distributed mode */
1043*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.nyx_mode) { FATAL("Multiple -Y options not supported"); }
1044*08b48e0bSAndroid Build Coastguard Worker 
1045*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.nyx_mode = 1;
1046*08b48e0bSAndroid Build Coastguard Worker 
1047*08b48e0bSAndroid Build Coastguard Worker         break;
1048*08b48e0bSAndroid Build Coastguard Worker   #else
1049*08b48e0bSAndroid Build Coastguard Worker       case 'X':
1050*08b48e0bSAndroid Build Coastguard Worker       case 'Y':
1051*08b48e0bSAndroid Build Coastguard Worker         FATAL("Nyx mode is only availabe on linux...");
1052*08b48e0bSAndroid Build Coastguard Worker         break;
1053*08b48e0bSAndroid Build Coastguard Worker   #endif
1054*08b48e0bSAndroid Build Coastguard Worker       case 'A':                                           /* CoreSight mode */
1055*08b48e0bSAndroid Build Coastguard Worker 
1056*08b48e0bSAndroid Build Coastguard Worker   #if !defined(__aarch64__) || !defined(__linux__)
1057*08b48e0bSAndroid Build Coastguard Worker         FATAL("-A option is not supported on this platform");
1058*08b48e0bSAndroid Build Coastguard Worker   #endif
1059*08b48e0bSAndroid Build Coastguard Worker 
1060*08b48e0bSAndroid Build Coastguard Worker         if (afl->is_main_node || afl->is_secondary_node) {
1061*08b48e0bSAndroid Build Coastguard Worker 
1062*08b48e0bSAndroid Build Coastguard Worker           FATAL("ARM CoreSight mode is not supported with -M / -S");
1063*08b48e0bSAndroid Build Coastguard Worker 
1064*08b48e0bSAndroid Build Coastguard Worker         }
1065*08b48e0bSAndroid Build Coastguard Worker 
1066*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.cs_mode) { FATAL("Multiple -A options not supported"); }
1067*08b48e0bSAndroid Build Coastguard Worker 
1068*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.cs_mode = 1;
1069*08b48e0bSAndroid Build Coastguard Worker 
1070*08b48e0bSAndroid Build Coastguard Worker         break;
1071*08b48e0bSAndroid Build Coastguard Worker 
1072*08b48e0bSAndroid Build Coastguard Worker       case 'O':                                               /* FRIDA mode */
1073*08b48e0bSAndroid Build Coastguard Worker 
1074*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.frida_mode) {
1075*08b48e0bSAndroid Build Coastguard Worker 
1076*08b48e0bSAndroid Build Coastguard Worker           FATAL("Multiple -O options not supported");
1077*08b48e0bSAndroid Build Coastguard Worker 
1078*08b48e0bSAndroid Build Coastguard Worker         }
1079*08b48e0bSAndroid Build Coastguard Worker 
1080*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.frida_mode = 1;
1081*08b48e0bSAndroid Build Coastguard Worker         if (get_afl_env("AFL_USE_FASAN")) { afl->fsrv.frida_asan = 1; }
1082*08b48e0bSAndroid Build Coastguard Worker 
1083*08b48e0bSAndroid Build Coastguard Worker         break;
1084*08b48e0bSAndroid Build Coastguard Worker 
1085*08b48e0bSAndroid Build Coastguard Worker       case 'Q':                                                /* QEMU mode */
1086*08b48e0bSAndroid Build Coastguard Worker 
1087*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.qemu_mode) { FATAL("Multiple -Q options not supported"); }
1088*08b48e0bSAndroid Build Coastguard Worker 
1089*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.qemu_mode = 1;
1090*08b48e0bSAndroid Build Coastguard Worker 
1091*08b48e0bSAndroid Build Coastguard Worker         if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_QEMU; }
1092*08b48e0bSAndroid Build Coastguard Worker 
1093*08b48e0bSAndroid Build Coastguard Worker         break;
1094*08b48e0bSAndroid Build Coastguard Worker 
1095*08b48e0bSAndroid Build Coastguard Worker       case 'N':                                             /* Unicorn mode */
1096*08b48e0bSAndroid Build Coastguard Worker 
1097*08b48e0bSAndroid Build Coastguard Worker         if (afl->no_unlink) { FATAL("Multiple -N options not supported"); }
1098*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.no_unlink = (afl->no_unlink = true);
1099*08b48e0bSAndroid Build Coastguard Worker 
1100*08b48e0bSAndroid Build Coastguard Worker         break;
1101*08b48e0bSAndroid Build Coastguard Worker 
1102*08b48e0bSAndroid Build Coastguard Worker       case 'U':                                             /* Unicorn mode */
1103*08b48e0bSAndroid Build Coastguard Worker 
1104*08b48e0bSAndroid Build Coastguard Worker         if (afl->unicorn_mode) { FATAL("Multiple -U options not supported"); }
1105*08b48e0bSAndroid Build Coastguard Worker         afl->unicorn_mode = 1;
1106*08b48e0bSAndroid Build Coastguard Worker 
1107*08b48e0bSAndroid Build Coastguard Worker         if (!mem_limit_given) { afl->fsrv.mem_limit = MEM_LIMIT_UNICORN; }
1108*08b48e0bSAndroid Build Coastguard Worker 
1109*08b48e0bSAndroid Build Coastguard Worker         break;
1110*08b48e0bSAndroid Build Coastguard Worker 
1111*08b48e0bSAndroid Build Coastguard Worker       case 'W':                                           /* Wine+QEMU mode */
1112*08b48e0bSAndroid Build Coastguard Worker 
1113*08b48e0bSAndroid Build Coastguard Worker         if (afl->use_wine) { FATAL("Multiple -W options not supported"); }
1114*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.qemu_mode = 1;
1115*08b48e0bSAndroid Build Coastguard Worker         afl->use_wine = 1;
1116*08b48e0bSAndroid Build Coastguard Worker 
1117*08b48e0bSAndroid Build Coastguard Worker         if (!mem_limit_given) { afl->fsrv.mem_limit = 0; }
1118*08b48e0bSAndroid Build Coastguard Worker 
1119*08b48e0bSAndroid Build Coastguard Worker         break;
1120*08b48e0bSAndroid Build Coastguard Worker 
1121*08b48e0bSAndroid Build Coastguard Worker       case 'V': {
1122*08b48e0bSAndroid Build Coastguard Worker 
1123*08b48e0bSAndroid Build Coastguard Worker         afl->most_time_key = 1;
1124*08b48e0bSAndroid Build Coastguard Worker         if (!optarg || sscanf(optarg, "%llu", &afl->most_time) < 1 ||
1125*08b48e0bSAndroid Build Coastguard Worker             optarg[0] == '-') {
1126*08b48e0bSAndroid Build Coastguard Worker 
1127*08b48e0bSAndroid Build Coastguard Worker           FATAL("Bad syntax used for -V");
1128*08b48e0bSAndroid Build Coastguard Worker 
1129*08b48e0bSAndroid Build Coastguard Worker         }
1130*08b48e0bSAndroid Build Coastguard Worker 
1131*08b48e0bSAndroid Build Coastguard Worker       } break;
1132*08b48e0bSAndroid Build Coastguard Worker 
1133*08b48e0bSAndroid Build Coastguard Worker       case 'E': {
1134*08b48e0bSAndroid Build Coastguard Worker 
1135*08b48e0bSAndroid Build Coastguard Worker         afl->most_execs_key = 1;
1136*08b48e0bSAndroid Build Coastguard Worker         if (!optarg || sscanf(optarg, "%llu", &afl->most_execs) < 1 ||
1137*08b48e0bSAndroid Build Coastguard Worker             optarg[0] == '-') {
1138*08b48e0bSAndroid Build Coastguard Worker 
1139*08b48e0bSAndroid Build Coastguard Worker           FATAL("Bad syntax used for -E");
1140*08b48e0bSAndroid Build Coastguard Worker 
1141*08b48e0bSAndroid Build Coastguard Worker         }
1142*08b48e0bSAndroid Build Coastguard Worker 
1143*08b48e0bSAndroid Build Coastguard Worker       } break;
1144*08b48e0bSAndroid Build Coastguard Worker 
1145*08b48e0bSAndroid Build Coastguard Worker       case 'l': {
1146*08b48e0bSAndroid Build Coastguard Worker 
1147*08b48e0bSAndroid Build Coastguard Worker         if (!optarg) { FATAL("missing parameter for 'l'"); }
1148*08b48e0bSAndroid Build Coastguard Worker         char *c = optarg;
1149*08b48e0bSAndroid Build Coastguard Worker         while (*c) {
1150*08b48e0bSAndroid Build Coastguard Worker 
1151*08b48e0bSAndroid Build Coastguard Worker           switch (*c) {
1152*08b48e0bSAndroid Build Coastguard Worker 
1153*08b48e0bSAndroid Build Coastguard Worker             case '0':
1154*08b48e0bSAndroid Build Coastguard Worker             case '1':
1155*08b48e0bSAndroid Build Coastguard Worker               afl->cmplog_lvl = 1;
1156*08b48e0bSAndroid Build Coastguard Worker               break;
1157*08b48e0bSAndroid Build Coastguard Worker             case '2':
1158*08b48e0bSAndroid Build Coastguard Worker               afl->cmplog_lvl = 2;
1159*08b48e0bSAndroid Build Coastguard Worker               break;
1160*08b48e0bSAndroid Build Coastguard Worker             case '3':
1161*08b48e0bSAndroid Build Coastguard Worker               afl->cmplog_lvl = 3;
1162*08b48e0bSAndroid Build Coastguard Worker 
1163*08b48e0bSAndroid Build Coastguard Worker               if (!afl->disable_trim) {
1164*08b48e0bSAndroid Build Coastguard Worker 
1165*08b48e0bSAndroid Build Coastguard Worker                 ACTF("Deactivating trimming due CMPLOG level 3");
1166*08b48e0bSAndroid Build Coastguard Worker                 afl->disable_trim = 1;
1167*08b48e0bSAndroid Build Coastguard Worker 
1168*08b48e0bSAndroid Build Coastguard Worker               }
1169*08b48e0bSAndroid Build Coastguard Worker 
1170*08b48e0bSAndroid Build Coastguard Worker               break;
1171*08b48e0bSAndroid Build Coastguard Worker             case 'a':
1172*08b48e0bSAndroid Build Coastguard Worker             case 'A':
1173*08b48e0bSAndroid Build Coastguard Worker               afl->cmplog_enable_arith = 1;
1174*08b48e0bSAndroid Build Coastguard Worker               break;
1175*08b48e0bSAndroid Build Coastguard Worker             case 's':
1176*08b48e0bSAndroid Build Coastguard Worker             case 'S':
1177*08b48e0bSAndroid Build Coastguard Worker               afl->cmplog_enable_scale = 1;
1178*08b48e0bSAndroid Build Coastguard Worker               break;
1179*08b48e0bSAndroid Build Coastguard Worker             case 't':
1180*08b48e0bSAndroid Build Coastguard Worker             case 'T':
1181*08b48e0bSAndroid Build Coastguard Worker               afl->cmplog_enable_transform = 1;
1182*08b48e0bSAndroid Build Coastguard Worker               break;
1183*08b48e0bSAndroid Build Coastguard Worker             case 'x':
1184*08b48e0bSAndroid Build Coastguard Worker             case 'X':
1185*08b48e0bSAndroid Build Coastguard Worker               afl->cmplog_enable_xtreme_transform = 1;
1186*08b48e0bSAndroid Build Coastguard Worker               break;
1187*08b48e0bSAndroid Build Coastguard Worker             case 'r':
1188*08b48e0bSAndroid Build Coastguard Worker             case 'R':
1189*08b48e0bSAndroid Build Coastguard Worker               afl->cmplog_random_colorization = 1;
1190*08b48e0bSAndroid Build Coastguard Worker               break;
1191*08b48e0bSAndroid Build Coastguard Worker             default:
1192*08b48e0bSAndroid Build Coastguard Worker               FATAL("Unknown option value '%c' in -l %s", *c, optarg);
1193*08b48e0bSAndroid Build Coastguard Worker 
1194*08b48e0bSAndroid Build Coastguard Worker           }
1195*08b48e0bSAndroid Build Coastguard Worker 
1196*08b48e0bSAndroid Build Coastguard Worker           ++c;
1197*08b48e0bSAndroid Build Coastguard Worker 
1198*08b48e0bSAndroid Build Coastguard Worker         }
1199*08b48e0bSAndroid Build Coastguard Worker 
1200*08b48e0bSAndroid Build Coastguard Worker         if (afl->cmplog_lvl == CMPLOG_LVL_MAX) {
1201*08b48e0bSAndroid Build Coastguard Worker 
1202*08b48e0bSAndroid Build Coastguard Worker           afl->cmplog_max_filesize = MAX_FILE;
1203*08b48e0bSAndroid Build Coastguard Worker 
1204*08b48e0bSAndroid Build Coastguard Worker         }
1205*08b48e0bSAndroid Build Coastguard Worker 
1206*08b48e0bSAndroid Build Coastguard Worker       } break;
1207*08b48e0bSAndroid Build Coastguard Worker 
1208*08b48e0bSAndroid Build Coastguard Worker       case 'L': {                                              /* MOpt mode */
1209*08b48e0bSAndroid Build Coastguard Worker 
1210*08b48e0bSAndroid Build Coastguard Worker         if (afl->limit_time_sig) { FATAL("Multiple -L options not supported"); }
1211*08b48e0bSAndroid Build Coastguard Worker 
1212*08b48e0bSAndroid Build Coastguard Worker         afl->havoc_max_mult = HAVOC_MAX_MULT_MOPT;
1213*08b48e0bSAndroid Build Coastguard Worker 
1214*08b48e0bSAndroid Build Coastguard Worker         if (sscanf(optarg, "%d", &afl->limit_time_puppet) < 1) {
1215*08b48e0bSAndroid Build Coastguard Worker 
1216*08b48e0bSAndroid Build Coastguard Worker           FATAL("Bad syntax used for -L");
1217*08b48e0bSAndroid Build Coastguard Worker 
1218*08b48e0bSAndroid Build Coastguard Worker         }
1219*08b48e0bSAndroid Build Coastguard Worker 
1220*08b48e0bSAndroid Build Coastguard Worker         if (afl->limit_time_puppet == -1) {
1221*08b48e0bSAndroid Build Coastguard Worker 
1222*08b48e0bSAndroid Build Coastguard Worker           afl->limit_time_sig = -1;
1223*08b48e0bSAndroid Build Coastguard Worker           afl->limit_time_puppet = 0;
1224*08b48e0bSAndroid Build Coastguard Worker 
1225*08b48e0bSAndroid Build Coastguard Worker         } else if (afl->limit_time_puppet < 0) {
1226*08b48e0bSAndroid Build Coastguard Worker 
1227*08b48e0bSAndroid Build Coastguard Worker           FATAL("-L value must be between 0 and 2000000 or -1");
1228*08b48e0bSAndroid Build Coastguard Worker 
1229*08b48e0bSAndroid Build Coastguard Worker         } else {
1230*08b48e0bSAndroid Build Coastguard Worker 
1231*08b48e0bSAndroid Build Coastguard Worker           afl->limit_time_sig = 1;
1232*08b48e0bSAndroid Build Coastguard Worker 
1233*08b48e0bSAndroid Build Coastguard Worker         }
1234*08b48e0bSAndroid Build Coastguard Worker 
1235*08b48e0bSAndroid Build Coastguard Worker         u64 limit_time_puppet2 = afl->limit_time_puppet * 60 * 1000;
1236*08b48e0bSAndroid Build Coastguard Worker 
1237*08b48e0bSAndroid Build Coastguard Worker         if ((s32)limit_time_puppet2 < afl->limit_time_puppet) {
1238*08b48e0bSAndroid Build Coastguard Worker 
1239*08b48e0bSAndroid Build Coastguard Worker           FATAL("limit_time overflow");
1240*08b48e0bSAndroid Build Coastguard Worker 
1241*08b48e0bSAndroid Build Coastguard Worker         }
1242*08b48e0bSAndroid Build Coastguard Worker 
1243*08b48e0bSAndroid Build Coastguard Worker         afl->limit_time_puppet = limit_time_puppet2;
1244*08b48e0bSAndroid Build Coastguard Worker         afl->swarm_now = 0;
1245*08b48e0bSAndroid Build Coastguard Worker         if (afl->limit_time_puppet == 0) { afl->key_puppet = 1; }
1246*08b48e0bSAndroid Build Coastguard Worker 
1247*08b48e0bSAndroid Build Coastguard Worker         int j;
1248*08b48e0bSAndroid Build Coastguard Worker         int tmp_swarm = 0;
1249*08b48e0bSAndroid Build Coastguard Worker 
1250*08b48e0bSAndroid Build Coastguard Worker         if (afl->g_now > afl->g_max) { afl->g_now = 0; }
1251*08b48e0bSAndroid Build Coastguard Worker         afl->w_now = (afl->w_init - afl->w_end) * (afl->g_max - afl->g_now) /
1252*08b48e0bSAndroid Build Coastguard Worker                          (afl->g_max) +
1253*08b48e0bSAndroid Build Coastguard Worker                      afl->w_end;
1254*08b48e0bSAndroid Build Coastguard Worker 
1255*08b48e0bSAndroid Build Coastguard Worker         for (tmp_swarm = 0; tmp_swarm < swarm_num; ++tmp_swarm) {
1256*08b48e0bSAndroid Build Coastguard Worker 
1257*08b48e0bSAndroid Build Coastguard Worker           double total_puppet_temp = 0.0;
1258*08b48e0bSAndroid Build Coastguard Worker           afl->swarm_fitness[tmp_swarm] = 0.0;
1259*08b48e0bSAndroid Build Coastguard Worker 
1260*08b48e0bSAndroid Build Coastguard Worker           for (j = 0; j < operator_num; ++j) {
1261*08b48e0bSAndroid Build Coastguard Worker 
1262*08b48e0bSAndroid Build Coastguard Worker             afl->stage_finds_puppet[tmp_swarm][j] = 0;
1263*08b48e0bSAndroid Build Coastguard Worker             afl->probability_now[tmp_swarm][j] = 0.0;
1264*08b48e0bSAndroid Build Coastguard Worker             afl->x_now[tmp_swarm][j] =
1265*08b48e0bSAndroid Build Coastguard Worker                 ((double)(random() % 7000) * 0.0001 + 0.1);
1266*08b48e0bSAndroid Build Coastguard Worker             total_puppet_temp += afl->x_now[tmp_swarm][j];
1267*08b48e0bSAndroid Build Coastguard Worker             afl->v_now[tmp_swarm][j] = 0.1;
1268*08b48e0bSAndroid Build Coastguard Worker             afl->L_best[tmp_swarm][j] = 0.5;
1269*08b48e0bSAndroid Build Coastguard Worker             afl->G_best[j] = 0.5;
1270*08b48e0bSAndroid Build Coastguard Worker             afl->eff_best[tmp_swarm][j] = 0.0;
1271*08b48e0bSAndroid Build Coastguard Worker 
1272*08b48e0bSAndroid Build Coastguard Worker           }
1273*08b48e0bSAndroid Build Coastguard Worker 
1274*08b48e0bSAndroid Build Coastguard Worker           for (j = 0; j < operator_num; ++j) {
1275*08b48e0bSAndroid Build Coastguard Worker 
1276*08b48e0bSAndroid Build Coastguard Worker             afl->stage_cycles_puppet_v2[tmp_swarm][j] =
1277*08b48e0bSAndroid Build Coastguard Worker                 afl->stage_cycles_puppet[tmp_swarm][j];
1278*08b48e0bSAndroid Build Coastguard Worker             afl->stage_finds_puppet_v2[tmp_swarm][j] =
1279*08b48e0bSAndroid Build Coastguard Worker                 afl->stage_finds_puppet[tmp_swarm][j];
1280*08b48e0bSAndroid Build Coastguard Worker             afl->x_now[tmp_swarm][j] =
1281*08b48e0bSAndroid Build Coastguard Worker                 afl->x_now[tmp_swarm][j] / total_puppet_temp;
1282*08b48e0bSAndroid Build Coastguard Worker 
1283*08b48e0bSAndroid Build Coastguard Worker           }
1284*08b48e0bSAndroid Build Coastguard Worker 
1285*08b48e0bSAndroid Build Coastguard Worker           double x_temp = 0.0;
1286*08b48e0bSAndroid Build Coastguard Worker 
1287*08b48e0bSAndroid Build Coastguard Worker           for (j = 0; j < operator_num; ++j) {
1288*08b48e0bSAndroid Build Coastguard Worker 
1289*08b48e0bSAndroid Build Coastguard Worker             afl->probability_now[tmp_swarm][j] = 0.0;
1290*08b48e0bSAndroid Build Coastguard Worker             afl->v_now[tmp_swarm][j] =
1291*08b48e0bSAndroid Build Coastguard Worker                 afl->w_now * afl->v_now[tmp_swarm][j] +
1292*08b48e0bSAndroid Build Coastguard Worker                 RAND_C *
1293*08b48e0bSAndroid Build Coastguard Worker                     (afl->L_best[tmp_swarm][j] - afl->x_now[tmp_swarm][j]) +
1294*08b48e0bSAndroid Build Coastguard Worker                 RAND_C * (afl->G_best[j] - afl->x_now[tmp_swarm][j]);
1295*08b48e0bSAndroid Build Coastguard Worker 
1296*08b48e0bSAndroid Build Coastguard Worker             afl->x_now[tmp_swarm][j] += afl->v_now[tmp_swarm][j];
1297*08b48e0bSAndroid Build Coastguard Worker 
1298*08b48e0bSAndroid Build Coastguard Worker             if (afl->x_now[tmp_swarm][j] > v_max) {
1299*08b48e0bSAndroid Build Coastguard Worker 
1300*08b48e0bSAndroid Build Coastguard Worker               afl->x_now[tmp_swarm][j] = v_max;
1301*08b48e0bSAndroid Build Coastguard Worker 
1302*08b48e0bSAndroid Build Coastguard Worker             } else if (afl->x_now[tmp_swarm][j] < v_min) {
1303*08b48e0bSAndroid Build Coastguard Worker 
1304*08b48e0bSAndroid Build Coastguard Worker               afl->x_now[tmp_swarm][j] = v_min;
1305*08b48e0bSAndroid Build Coastguard Worker 
1306*08b48e0bSAndroid Build Coastguard Worker             }
1307*08b48e0bSAndroid Build Coastguard Worker 
1308*08b48e0bSAndroid Build Coastguard Worker             x_temp += afl->x_now[tmp_swarm][j];
1309*08b48e0bSAndroid Build Coastguard Worker 
1310*08b48e0bSAndroid Build Coastguard Worker           }
1311*08b48e0bSAndroid Build Coastguard Worker 
1312*08b48e0bSAndroid Build Coastguard Worker           for (j = 0; j < operator_num; ++j) {
1313*08b48e0bSAndroid Build Coastguard Worker 
1314*08b48e0bSAndroid Build Coastguard Worker             afl->x_now[tmp_swarm][j] = afl->x_now[tmp_swarm][j] / x_temp;
1315*08b48e0bSAndroid Build Coastguard Worker             if (likely(j != 0)) {
1316*08b48e0bSAndroid Build Coastguard Worker 
1317*08b48e0bSAndroid Build Coastguard Worker               afl->probability_now[tmp_swarm][j] =
1318*08b48e0bSAndroid Build Coastguard Worker                   afl->probability_now[tmp_swarm][j - 1] +
1319*08b48e0bSAndroid Build Coastguard Worker                   afl->x_now[tmp_swarm][j];
1320*08b48e0bSAndroid Build Coastguard Worker 
1321*08b48e0bSAndroid Build Coastguard Worker             } else {
1322*08b48e0bSAndroid Build Coastguard Worker 
1323*08b48e0bSAndroid Build Coastguard Worker               afl->probability_now[tmp_swarm][j] = afl->x_now[tmp_swarm][j];
1324*08b48e0bSAndroid Build Coastguard Worker 
1325*08b48e0bSAndroid Build Coastguard Worker             }
1326*08b48e0bSAndroid Build Coastguard Worker 
1327*08b48e0bSAndroid Build Coastguard Worker           }
1328*08b48e0bSAndroid Build Coastguard Worker 
1329*08b48e0bSAndroid Build Coastguard Worker           if (afl->probability_now[tmp_swarm][operator_num - 1] < 0.99 ||
1330*08b48e0bSAndroid Build Coastguard Worker               afl->probability_now[tmp_swarm][operator_num - 1] > 1.01) {
1331*08b48e0bSAndroid Build Coastguard Worker 
1332*08b48e0bSAndroid Build Coastguard Worker             FATAL("ERROR probability");
1333*08b48e0bSAndroid Build Coastguard Worker 
1334*08b48e0bSAndroid Build Coastguard Worker           }
1335*08b48e0bSAndroid Build Coastguard Worker 
1336*08b48e0bSAndroid Build Coastguard Worker         }
1337*08b48e0bSAndroid Build Coastguard Worker 
1338*08b48e0bSAndroid Build Coastguard Worker         for (j = 0; j < operator_num; ++j) {
1339*08b48e0bSAndroid Build Coastguard Worker 
1340*08b48e0bSAndroid Build Coastguard Worker           afl->core_operator_finds_puppet[j] = 0;
1341*08b48e0bSAndroid Build Coastguard Worker           afl->core_operator_finds_puppet_v2[j] = 0;
1342*08b48e0bSAndroid Build Coastguard Worker           afl->core_operator_cycles_puppet[j] = 0;
1343*08b48e0bSAndroid Build Coastguard Worker           afl->core_operator_cycles_puppet_v2[j] = 0;
1344*08b48e0bSAndroid Build Coastguard Worker           afl->core_operator_cycles_puppet_v3[j] = 0;
1345*08b48e0bSAndroid Build Coastguard Worker 
1346*08b48e0bSAndroid Build Coastguard Worker         }
1347*08b48e0bSAndroid Build Coastguard Worker 
1348*08b48e0bSAndroid Build Coastguard Worker         WARNF(
1349*08b48e0bSAndroid Build Coastguard Worker             "Note that the MOpt mode is not maintained and is not as effective "
1350*08b48e0bSAndroid Build Coastguard Worker             "as normal havoc mode.");
1351*08b48e0bSAndroid Build Coastguard Worker 
1352*08b48e0bSAndroid Build Coastguard Worker       } break;
1353*08b48e0bSAndroid Build Coastguard Worker 
1354*08b48e0bSAndroid Build Coastguard Worker       case 'h':
1355*08b48e0bSAndroid Build Coastguard Worker         show_help++;
1356*08b48e0bSAndroid Build Coastguard Worker         break;  // not needed
1357*08b48e0bSAndroid Build Coastguard Worker 
1358*08b48e0bSAndroid Build Coastguard Worker       case 'R':
1359*08b48e0bSAndroid Build Coastguard Worker 
1360*08b48e0bSAndroid Build Coastguard Worker         FATAL(
1361*08b48e0bSAndroid Build Coastguard Worker             "Radamsa is now a custom mutator, please use that "
1362*08b48e0bSAndroid Build Coastguard Worker             "(custom_mutators/radamsa/).");
1363*08b48e0bSAndroid Build Coastguard Worker 
1364*08b48e0bSAndroid Build Coastguard Worker         break;
1365*08b48e0bSAndroid Build Coastguard Worker 
1366*08b48e0bSAndroid Build Coastguard Worker       default:
1367*08b48e0bSAndroid Build Coastguard Worker         if (!show_help) { show_help = 1; }
1368*08b48e0bSAndroid Build Coastguard Worker 
1369*08b48e0bSAndroid Build Coastguard Worker     }
1370*08b48e0bSAndroid Build Coastguard Worker 
1371*08b48e0bSAndroid Build Coastguard Worker   }
1372*08b48e0bSAndroid Build Coastguard Worker 
1373*08b48e0bSAndroid Build Coastguard Worker   if (afl->sync_id && strcmp(afl->sync_id, "addseeds") == 0) {
1374*08b48e0bSAndroid Build Coastguard Worker 
1375*08b48e0bSAndroid Build Coastguard Worker     FATAL("-M/-S name 'addseeds' is a reserved name, choose something else");
1376*08b48e0bSAndroid Build Coastguard Worker 
1377*08b48e0bSAndroid Build Coastguard Worker   }
1378*08b48e0bSAndroid Build Coastguard Worker 
1379*08b48e0bSAndroid Build Coastguard Worker   if (afl->is_main_node == 1 && afl->schedule != FAST &&
1380*08b48e0bSAndroid Build Coastguard Worker       afl->schedule != EXPLORE) {
1381*08b48e0bSAndroid Build Coastguard Worker 
1382*08b48e0bSAndroid Build Coastguard Worker     FATAL("-M is compatible only with fast and explore -p power schedules");
1383*08b48e0bSAndroid Build Coastguard Worker 
1384*08b48e0bSAndroid Build Coastguard Worker   }
1385*08b48e0bSAndroid Build Coastguard Worker 
1386*08b48e0bSAndroid Build Coastguard Worker   if (optind == argc || !afl->in_dir || !afl->out_dir || show_help) {
1387*08b48e0bSAndroid Build Coastguard Worker 
1388*08b48e0bSAndroid Build Coastguard Worker     usage(argv[0], show_help);
1389*08b48e0bSAndroid Build Coastguard Worker 
1390*08b48e0bSAndroid Build Coastguard Worker   }
1391*08b48e0bSAndroid Build Coastguard Worker 
1392*08b48e0bSAndroid Build Coastguard Worker   if (unlikely(afl->afl_env.afl_persistent_record)) {
1393*08b48e0bSAndroid Build Coastguard Worker 
1394*08b48e0bSAndroid Build Coastguard Worker   #ifdef AFL_PERSISTENT_RECORD
1395*08b48e0bSAndroid Build Coastguard Worker 
1396*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.persistent_record = atoi(afl->afl_env.afl_persistent_record);
1397*08b48e0bSAndroid Build Coastguard Worker 
1398*08b48e0bSAndroid Build Coastguard Worker     if (afl->fsrv.persistent_record < 2) {
1399*08b48e0bSAndroid Build Coastguard Worker 
1400*08b48e0bSAndroid Build Coastguard Worker       FATAL(
1401*08b48e0bSAndroid Build Coastguard Worker           "AFL_PERSISTENT_RECORD value must be be at least 2, recommended is "
1402*08b48e0bSAndroid Build Coastguard Worker           "100 or 1000.");
1403*08b48e0bSAndroid Build Coastguard Worker 
1404*08b48e0bSAndroid Build Coastguard Worker     }
1405*08b48e0bSAndroid Build Coastguard Worker 
1406*08b48e0bSAndroid Build Coastguard Worker   #else
1407*08b48e0bSAndroid Build Coastguard Worker 
1408*08b48e0bSAndroid Build Coastguard Worker     FATAL(
1409*08b48e0bSAndroid Build Coastguard Worker         "afl-fuzz was not compiled with AFL_PERSISTENT_RECORD enabled in "
1410*08b48e0bSAndroid Build Coastguard Worker         "config.h!");
1411*08b48e0bSAndroid Build Coastguard Worker 
1412*08b48e0bSAndroid Build Coastguard Worker   #endif
1413*08b48e0bSAndroid Build Coastguard Worker 
1414*08b48e0bSAndroid Build Coastguard Worker   }
1415*08b48e0bSAndroid Build Coastguard Worker 
1416*08b48e0bSAndroid Build Coastguard Worker   if (afl->fsrv.mem_limit && afl->shm.cmplog_mode) afl->fsrv.mem_limit += 260;
1417*08b48e0bSAndroid Build Coastguard Worker 
1418*08b48e0bSAndroid Build Coastguard Worker   OKF("AFL++ is maintained by Marc \"van Hauser\" Heuse, Dominik Maier, Andrea "
1419*08b48e0bSAndroid Build Coastguard Worker       "Fioraldi and Heiko \"hexcoder\" Eißfeldt");
1420*08b48e0bSAndroid Build Coastguard Worker   OKF("AFL++ is open source, get it at "
1421*08b48e0bSAndroid Build Coastguard Worker       "https://github.com/AFLplusplus/AFLplusplus");
1422*08b48e0bSAndroid Build Coastguard Worker   OKF("NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md");
1423*08b48e0bSAndroid Build Coastguard Worker 
1424*08b48e0bSAndroid Build Coastguard Worker   #ifdef __linux__
1425*08b48e0bSAndroid Build Coastguard Worker   if (afl->fsrv.nyx_mode) {
1426*08b48e0bSAndroid Build Coastguard Worker 
1427*08b48e0bSAndroid Build Coastguard Worker     OKF("AFL++ Nyx mode is enabled (developed and mainted by Sergej Schumilo)");
1428*08b48e0bSAndroid Build Coastguard Worker     OKF("Nyx is open source, get it at https://github.com/Nyx-Fuzz");
1429*08b48e0bSAndroid Build Coastguard Worker 
1430*08b48e0bSAndroid Build Coastguard Worker   }
1431*08b48e0bSAndroid Build Coastguard Worker 
1432*08b48e0bSAndroid Build Coastguard Worker   #endif
1433*08b48e0bSAndroid Build Coastguard Worker 
1434*08b48e0bSAndroid Build Coastguard Worker   // silently disable deterministic mutation if custom mutators are used
1435*08b48e0bSAndroid Build Coastguard Worker   if (!afl->skip_deterministic && afl->afl_env.afl_custom_mutator_only) {
1436*08b48e0bSAndroid Build Coastguard Worker 
1437*08b48e0bSAndroid Build Coastguard Worker     afl->skip_deterministic = 1;
1438*08b48e0bSAndroid Build Coastguard Worker 
1439*08b48e0bSAndroid Build Coastguard Worker   }
1440*08b48e0bSAndroid Build Coastguard Worker 
1441*08b48e0bSAndroid Build Coastguard Worker   if (afl->fixed_seed) {
1442*08b48e0bSAndroid Build Coastguard Worker 
1443*08b48e0bSAndroid Build Coastguard Worker     OKF("Running with fixed seed: %u", (u32)afl->init_seed);
1444*08b48e0bSAndroid Build Coastguard Worker 
1445*08b48e0bSAndroid Build Coastguard Worker   }
1446*08b48e0bSAndroid Build Coastguard Worker 
1447*08b48e0bSAndroid Build Coastguard Worker   #if defined(__SANITIZE_ADDRESS__)
1448*08b48e0bSAndroid Build Coastguard Worker   if (afl->fsrv.mem_limit) {
1449*08b48e0bSAndroid Build Coastguard Worker 
1450*08b48e0bSAndroid Build Coastguard Worker     WARNF("in the ASAN build we disable all memory limits");
1451*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.mem_limit = 0;
1452*08b48e0bSAndroid Build Coastguard Worker 
1453*08b48e0bSAndroid Build Coastguard Worker   }
1454*08b48e0bSAndroid Build Coastguard Worker 
1455*08b48e0bSAndroid Build Coastguard Worker   #endif
1456*08b48e0bSAndroid Build Coastguard Worker 
1457*08b48e0bSAndroid Build Coastguard Worker   configure_afl_kill_signals(&afl->fsrv, afl->afl_env.afl_child_kill_signal,
1458*08b48e0bSAndroid Build Coastguard Worker                              afl->afl_env.afl_fsrv_kill_signal,
1459*08b48e0bSAndroid Build Coastguard Worker                              (afl->fsrv.qemu_mode || afl->unicorn_mode
1460*08b48e0bSAndroid Build Coastguard Worker   #ifdef __linux__
1461*08b48e0bSAndroid Build Coastguard Worker                               || afl->fsrv.nyx_mode
1462*08b48e0bSAndroid Build Coastguard Worker   #endif
1463*08b48e0bSAndroid Build Coastguard Worker                               )
1464*08b48e0bSAndroid Build Coastguard Worker                                  ? SIGKILL
1465*08b48e0bSAndroid Build Coastguard Worker                                  : SIGTERM);
1466*08b48e0bSAndroid Build Coastguard Worker 
1467*08b48e0bSAndroid Build Coastguard Worker   setup_signal_handlers();
1468*08b48e0bSAndroid Build Coastguard Worker   check_asan_opts(afl);
1469*08b48e0bSAndroid Build Coastguard Worker 
1470*08b48e0bSAndroid Build Coastguard Worker   afl->power_name = power_names[afl->schedule];
1471*08b48e0bSAndroid Build Coastguard Worker 
1472*08b48e0bSAndroid Build Coastguard Worker   if (!afl->non_instrumented_mode && !afl->sync_id) {
1473*08b48e0bSAndroid Build Coastguard Worker 
1474*08b48e0bSAndroid Build Coastguard Worker     auto_sync = 1;
1475*08b48e0bSAndroid Build Coastguard Worker     afl->sync_id = ck_strdup("default");
1476*08b48e0bSAndroid Build Coastguard Worker     afl->is_secondary_node = 1;
1477*08b48e0bSAndroid Build Coastguard Worker     OKF("No -M/-S set, autoconfiguring for \"-S %s\"", afl->sync_id);
1478*08b48e0bSAndroid Build Coastguard Worker 
1479*08b48e0bSAndroid Build Coastguard Worker   }
1480*08b48e0bSAndroid Build Coastguard Worker 
1481*08b48e0bSAndroid Build Coastguard Worker   #ifdef __linux__
1482*08b48e0bSAndroid Build Coastguard Worker   if (afl->fsrv.nyx_mode) {
1483*08b48e0bSAndroid Build Coastguard Worker 
1484*08b48e0bSAndroid Build Coastguard Worker     if (afl->fsrv.nyx_standalone && strcmp(afl->sync_id, "default") != 0) {
1485*08b48e0bSAndroid Build Coastguard Worker 
1486*08b48e0bSAndroid Build Coastguard Worker       FATAL(
1487*08b48e0bSAndroid Build Coastguard Worker           "distributed fuzzing is not supported in this Nyx mode (use -Y "
1488*08b48e0bSAndroid Build Coastguard Worker           "instead)");
1489*08b48e0bSAndroid Build Coastguard Worker 
1490*08b48e0bSAndroid Build Coastguard Worker     }
1491*08b48e0bSAndroid Build Coastguard Worker 
1492*08b48e0bSAndroid Build Coastguard Worker     if (!afl->fsrv.nyx_standalone) {
1493*08b48e0bSAndroid Build Coastguard Worker 
1494*08b48e0bSAndroid Build Coastguard Worker       if (afl->is_main_node) {
1495*08b48e0bSAndroid Build Coastguard Worker 
1496*08b48e0bSAndroid Build Coastguard Worker         if (strcmp("0", afl->sync_id) != 0) {
1497*08b48e0bSAndroid Build Coastguard Worker 
1498*08b48e0bSAndroid Build Coastguard Worker           FATAL(
1499*08b48e0bSAndroid Build Coastguard Worker               "for Nyx -Y mode, the Main (-M) parameter has to be set to 0 (-M "
1500*08b48e0bSAndroid Build Coastguard Worker               "0)");
1501*08b48e0bSAndroid Build Coastguard Worker 
1502*08b48e0bSAndroid Build Coastguard Worker         }
1503*08b48e0bSAndroid Build Coastguard Worker 
1504*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.nyx_parent = true;
1505*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.nyx_id = 0;
1506*08b48e0bSAndroid Build Coastguard Worker 
1507*08b48e0bSAndroid Build Coastguard Worker       }
1508*08b48e0bSAndroid Build Coastguard Worker 
1509*08b48e0bSAndroid Build Coastguard Worker       if (afl->is_secondary_node) {
1510*08b48e0bSAndroid Build Coastguard Worker 
1511*08b48e0bSAndroid Build Coastguard Worker         long nyx_id = strtol(afl->sync_id, NULL, 10);
1512*08b48e0bSAndroid Build Coastguard Worker 
1513*08b48e0bSAndroid Build Coastguard Worker         if (nyx_id == 0 || nyx_id == LONG_MAX) {
1514*08b48e0bSAndroid Build Coastguard Worker 
1515*08b48e0bSAndroid Build Coastguard Worker           FATAL(
1516*08b48e0bSAndroid Build Coastguard Worker               "for Nyx -Y mode, the Secondary (-S) parameter has to be a "
1517*08b48e0bSAndroid Build Coastguard Worker               "numeric value and >= 1 (e.g. -S 1)");
1518*08b48e0bSAndroid Build Coastguard Worker 
1519*08b48e0bSAndroid Build Coastguard Worker         }
1520*08b48e0bSAndroid Build Coastguard Worker 
1521*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.nyx_id = nyx_id;
1522*08b48e0bSAndroid Build Coastguard Worker 
1523*08b48e0bSAndroid Build Coastguard Worker       }
1524*08b48e0bSAndroid Build Coastguard Worker 
1525*08b48e0bSAndroid Build Coastguard Worker     }
1526*08b48e0bSAndroid Build Coastguard Worker 
1527*08b48e0bSAndroid Build Coastguard Worker   }
1528*08b48e0bSAndroid Build Coastguard Worker 
1529*08b48e0bSAndroid Build Coastguard Worker   #endif
1530*08b48e0bSAndroid Build Coastguard Worker 
1531*08b48e0bSAndroid Build Coastguard Worker   if (afl->sync_id) {
1532*08b48e0bSAndroid Build Coastguard Worker 
1533*08b48e0bSAndroid Build Coastguard Worker     if (strlen(afl->sync_id) > 50) {
1534*08b48e0bSAndroid Build Coastguard Worker 
1535*08b48e0bSAndroid Build Coastguard Worker       FATAL("sync_id max length is 50 characters");
1536*08b48e0bSAndroid Build Coastguard Worker 
1537*08b48e0bSAndroid Build Coastguard Worker     }
1538*08b48e0bSAndroid Build Coastguard Worker 
1539*08b48e0bSAndroid Build Coastguard Worker     fix_up_sync(afl);
1540*08b48e0bSAndroid Build Coastguard Worker 
1541*08b48e0bSAndroid Build Coastguard Worker   }
1542*08b48e0bSAndroid Build Coastguard Worker 
1543*08b48e0bSAndroid Build Coastguard Worker   if (!strcmp(afl->in_dir, afl->out_dir)) {
1544*08b48e0bSAndroid Build Coastguard Worker 
1545*08b48e0bSAndroid Build Coastguard Worker     FATAL("Input and output directories can't be the same");
1546*08b48e0bSAndroid Build Coastguard Worker 
1547*08b48e0bSAndroid Build Coastguard Worker   }
1548*08b48e0bSAndroid Build Coastguard Worker 
1549*08b48e0bSAndroid Build Coastguard Worker   if (afl->non_instrumented_mode) {
1550*08b48e0bSAndroid Build Coastguard Worker 
1551*08b48e0bSAndroid Build Coastguard Worker     if (afl->crash_mode) { FATAL("-C and -n are mutually exclusive"); }
1552*08b48e0bSAndroid Build Coastguard Worker     if (afl->fsrv.frida_mode) { FATAL("-O and -n are mutually exclusive"); }
1553*08b48e0bSAndroid Build Coastguard Worker     if (afl->fsrv.qemu_mode) { FATAL("-Q and -n are mutually exclusive"); }
1554*08b48e0bSAndroid Build Coastguard Worker     if (afl->fsrv.cs_mode) { FATAL("-A and -n are mutually exclusive"); }
1555*08b48e0bSAndroid Build Coastguard Worker     if (afl->unicorn_mode) { FATAL("-U and -n are mutually exclusive"); }
1556*08b48e0bSAndroid Build Coastguard Worker 
1557*08b48e0bSAndroid Build Coastguard Worker   }
1558*08b48e0bSAndroid Build Coastguard Worker 
1559*08b48e0bSAndroid Build Coastguard Worker   setenv("__AFL_OUT_DIR", afl->out_dir, 1);
1560*08b48e0bSAndroid Build Coastguard Worker 
1561*08b48e0bSAndroid Build Coastguard Worker   if (get_afl_env("AFL_DISABLE_TRIM")) { afl->disable_trim = 1; }
1562*08b48e0bSAndroid Build Coastguard Worker 
1563*08b48e0bSAndroid Build Coastguard Worker   if (getenv("AFL_NO_UI") && getenv("AFL_FORCE_UI")) {
1564*08b48e0bSAndroid Build Coastguard Worker 
1565*08b48e0bSAndroid Build Coastguard Worker     FATAL("AFL_NO_UI and AFL_FORCE_UI are mutually exclusive");
1566*08b48e0bSAndroid Build Coastguard Worker 
1567*08b48e0bSAndroid Build Coastguard Worker   }
1568*08b48e0bSAndroid Build Coastguard Worker 
1569*08b48e0bSAndroid Build Coastguard Worker   if (unlikely(afl->afl_env.afl_statsd)) { statsd_setup_format(afl); }
1570*08b48e0bSAndroid Build Coastguard Worker 
1571*08b48e0bSAndroid Build Coastguard Worker   if (!afl->use_banner) { afl->use_banner = argv[optind]; }
1572*08b48e0bSAndroid Build Coastguard Worker 
1573*08b48e0bSAndroid Build Coastguard Worker   if (afl->shm.cmplog_mode && strcmp("0", afl->cmplog_binary) == 0) {
1574*08b48e0bSAndroid Build Coastguard Worker 
1575*08b48e0bSAndroid Build Coastguard Worker     afl->cmplog_binary = strdup(argv[optind]);
1576*08b48e0bSAndroid Build Coastguard Worker 
1577*08b48e0bSAndroid Build Coastguard Worker   }
1578*08b48e0bSAndroid Build Coastguard Worker 
1579*08b48e0bSAndroid Build Coastguard Worker   if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) {
1580*08b48e0bSAndroid Build Coastguard Worker 
1581*08b48e0bSAndroid Build Coastguard Worker     WARNF(cLRD
1582*08b48e0bSAndroid Build Coastguard Worker           "Target binary called without a prefixed path, make sure you are "
1583*08b48e0bSAndroid Build Coastguard Worker           "fuzzing the right binary: " cRST "%s",
1584*08b48e0bSAndroid Build Coastguard Worker           argv[optind]);
1585*08b48e0bSAndroid Build Coastguard Worker 
1586*08b48e0bSAndroid Build Coastguard Worker   }
1587*08b48e0bSAndroid Build Coastguard Worker 
1588*08b48e0bSAndroid Build Coastguard Worker   ACTF("Getting to work...");
1589*08b48e0bSAndroid Build Coastguard Worker 
1590*08b48e0bSAndroid Build Coastguard Worker   switch (afl->schedule) {
1591*08b48e0bSAndroid Build Coastguard Worker 
1592*08b48e0bSAndroid Build Coastguard Worker     case FAST:
1593*08b48e0bSAndroid Build Coastguard Worker       OKF("Using exponential power schedule (FAST)");
1594*08b48e0bSAndroid Build Coastguard Worker       break;
1595*08b48e0bSAndroid Build Coastguard Worker     case COE:
1596*08b48e0bSAndroid Build Coastguard Worker       OKF("Using cut-off exponential power schedule (COE)");
1597*08b48e0bSAndroid Build Coastguard Worker       break;
1598*08b48e0bSAndroid Build Coastguard Worker     case EXPLOIT:
1599*08b48e0bSAndroid Build Coastguard Worker       OKF("Using exploitation-based constant power schedule (EXPLOIT)");
1600*08b48e0bSAndroid Build Coastguard Worker       break;
1601*08b48e0bSAndroid Build Coastguard Worker     case LIN:
1602*08b48e0bSAndroid Build Coastguard Worker       OKF("Using linear power schedule (LIN)");
1603*08b48e0bSAndroid Build Coastguard Worker       break;
1604*08b48e0bSAndroid Build Coastguard Worker     case QUAD:
1605*08b48e0bSAndroid Build Coastguard Worker       OKF("Using quadratic power schedule (QUAD)");
1606*08b48e0bSAndroid Build Coastguard Worker       break;
1607*08b48e0bSAndroid Build Coastguard Worker     case MMOPT:
1608*08b48e0bSAndroid Build Coastguard Worker       OKF("Using modified MOpt power schedule (MMOPT)");
1609*08b48e0bSAndroid Build Coastguard Worker       break;
1610*08b48e0bSAndroid Build Coastguard Worker     case RARE:
1611*08b48e0bSAndroid Build Coastguard Worker       OKF("Using rare edge focus power schedule (RARE)");
1612*08b48e0bSAndroid Build Coastguard Worker       break;
1613*08b48e0bSAndroid Build Coastguard Worker     case SEEK:
1614*08b48e0bSAndroid Build Coastguard Worker       OKF("Using seek power schedule (SEEK)");
1615*08b48e0bSAndroid Build Coastguard Worker       break;
1616*08b48e0bSAndroid Build Coastguard Worker     case EXPLORE:
1617*08b48e0bSAndroid Build Coastguard Worker       OKF("Using exploration-based constant power schedule (EXPLORE)");
1618*08b48e0bSAndroid Build Coastguard Worker       break;
1619*08b48e0bSAndroid Build Coastguard Worker     default:
1620*08b48e0bSAndroid Build Coastguard Worker       FATAL("Unknown power schedule");
1621*08b48e0bSAndroid Build Coastguard Worker       break;
1622*08b48e0bSAndroid Build Coastguard Worker 
1623*08b48e0bSAndroid Build Coastguard Worker   }
1624*08b48e0bSAndroid Build Coastguard Worker 
1625*08b48e0bSAndroid Build Coastguard Worker   if (afl->shm.cmplog_mode) { OKF("CmpLog level: %u", afl->cmplog_lvl); }
1626*08b48e0bSAndroid Build Coastguard Worker 
1627*08b48e0bSAndroid Build Coastguard Worker   /* Dynamically allocate memory for AFLFast schedules */
1628*08b48e0bSAndroid Build Coastguard Worker   if (afl->schedule >= FAST && afl->schedule <= RARE) {
1629*08b48e0bSAndroid Build Coastguard Worker 
1630*08b48e0bSAndroid Build Coastguard Worker     afl->n_fuzz = ck_alloc(N_FUZZ_SIZE * sizeof(u32));
1631*08b48e0bSAndroid Build Coastguard Worker 
1632*08b48e0bSAndroid Build Coastguard Worker   }
1633*08b48e0bSAndroid Build Coastguard Worker 
1634*08b48e0bSAndroid Build Coastguard Worker   if (get_afl_env("AFL_NO_FORKSRV")) { afl->no_forkserver = 1; }
1635*08b48e0bSAndroid Build Coastguard Worker   if (get_afl_env("AFL_NO_CPU_RED")) { afl->no_cpu_meter_red = 1; }
1636*08b48e0bSAndroid Build Coastguard Worker   if (get_afl_env("AFL_NO_ARITH")) { afl->no_arith = 1; }
1637*08b48e0bSAndroid Build Coastguard Worker   if (get_afl_env("AFL_SHUFFLE_QUEUE")) { afl->shuffle_queue = 1; }
1638*08b48e0bSAndroid Build Coastguard Worker   if (get_afl_env("AFL_EXPAND_HAVOC_NOW")) { afl->expand_havoc = 1; }
1639*08b48e0bSAndroid Build Coastguard Worker 
1640*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_autoresume) {
1641*08b48e0bSAndroid Build Coastguard Worker 
1642*08b48e0bSAndroid Build Coastguard Worker     afl->autoresume = 1;
1643*08b48e0bSAndroid Build Coastguard Worker     if (afl->in_place_resume) {
1644*08b48e0bSAndroid Build Coastguard Worker 
1645*08b48e0bSAndroid Build Coastguard Worker       SAYF("AFL_AUTORESUME has no effect for '-i -'");
1646*08b48e0bSAndroid Build Coastguard Worker 
1647*08b48e0bSAndroid Build Coastguard Worker     }
1648*08b48e0bSAndroid Build Coastguard Worker 
1649*08b48e0bSAndroid Build Coastguard Worker   }
1650*08b48e0bSAndroid Build Coastguard Worker 
1651*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_hang_tmout) {
1652*08b48e0bSAndroid Build Coastguard Worker 
1653*08b48e0bSAndroid Build Coastguard Worker     s32 hang_tmout = atoi(afl->afl_env.afl_hang_tmout);
1654*08b48e0bSAndroid Build Coastguard Worker     if (hang_tmout < 1) { FATAL("Invalid value for AFL_HANG_TMOUT"); }
1655*08b48e0bSAndroid Build Coastguard Worker     afl->hang_tmout = (u32)hang_tmout;
1656*08b48e0bSAndroid Build Coastguard Worker 
1657*08b48e0bSAndroid Build Coastguard Worker   }
1658*08b48e0bSAndroid Build Coastguard Worker 
1659*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_exit_on_time) {
1660*08b48e0bSAndroid Build Coastguard Worker 
1661*08b48e0bSAndroid Build Coastguard Worker     u64 exit_on_time = atoi(afl->afl_env.afl_exit_on_time);
1662*08b48e0bSAndroid Build Coastguard Worker     afl->exit_on_time = (u64)exit_on_time * 1000;
1663*08b48e0bSAndroid Build Coastguard Worker 
1664*08b48e0bSAndroid Build Coastguard Worker   }
1665*08b48e0bSAndroid Build Coastguard Worker 
1666*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_max_det_extras) {
1667*08b48e0bSAndroid Build Coastguard Worker 
1668*08b48e0bSAndroid Build Coastguard Worker     s32 max_det_extras = atoi(afl->afl_env.afl_max_det_extras);
1669*08b48e0bSAndroid Build Coastguard Worker     if (max_det_extras < 1) { FATAL("Invalid value for AFL_MAX_DET_EXTRAS"); }
1670*08b48e0bSAndroid Build Coastguard Worker     afl->max_det_extras = (u32)max_det_extras;
1671*08b48e0bSAndroid Build Coastguard Worker 
1672*08b48e0bSAndroid Build Coastguard Worker   } else {
1673*08b48e0bSAndroid Build Coastguard Worker 
1674*08b48e0bSAndroid Build Coastguard Worker     afl->max_det_extras = MAX_DET_EXTRAS;
1675*08b48e0bSAndroid Build Coastguard Worker 
1676*08b48e0bSAndroid Build Coastguard Worker   }
1677*08b48e0bSAndroid Build Coastguard Worker 
1678*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_testcache_size) {
1679*08b48e0bSAndroid Build Coastguard Worker 
1680*08b48e0bSAndroid Build Coastguard Worker     afl->q_testcase_max_cache_size =
1681*08b48e0bSAndroid Build Coastguard Worker         (u64)atoi(afl->afl_env.afl_testcache_size) * 1048576;
1682*08b48e0bSAndroid Build Coastguard Worker 
1683*08b48e0bSAndroid Build Coastguard Worker   }
1684*08b48e0bSAndroid Build Coastguard Worker 
1685*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_testcache_entries) {
1686*08b48e0bSAndroid Build Coastguard Worker 
1687*08b48e0bSAndroid Build Coastguard Worker     afl->q_testcase_max_cache_entries =
1688*08b48e0bSAndroid Build Coastguard Worker         (u32)atoi(afl->afl_env.afl_testcache_entries);
1689*08b48e0bSAndroid Build Coastguard Worker 
1690*08b48e0bSAndroid Build Coastguard Worker     // user_set_cache = 1;
1691*08b48e0bSAndroid Build Coastguard Worker 
1692*08b48e0bSAndroid Build Coastguard Worker   }
1693*08b48e0bSAndroid Build Coastguard Worker 
1694*08b48e0bSAndroid Build Coastguard Worker   if (!afl->afl_env.afl_testcache_size || !afl->afl_env.afl_testcache_entries) {
1695*08b48e0bSAndroid Build Coastguard Worker 
1696*08b48e0bSAndroid Build Coastguard Worker     afl->afl_env.afl_testcache_entries = 0;
1697*08b48e0bSAndroid Build Coastguard Worker     afl->afl_env.afl_testcache_size = 0;
1698*08b48e0bSAndroid Build Coastguard Worker 
1699*08b48e0bSAndroid Build Coastguard Worker   }
1700*08b48e0bSAndroid Build Coastguard Worker 
1701*08b48e0bSAndroid Build Coastguard Worker   if (!afl->q_testcase_max_cache_size) {
1702*08b48e0bSAndroid Build Coastguard Worker 
1703*08b48e0bSAndroid Build Coastguard Worker     ACTF(
1704*08b48e0bSAndroid Build Coastguard Worker         "No testcache was configured. it is recommended to use a testcache, it "
1705*08b48e0bSAndroid Build Coastguard Worker         "improves performance: set AFL_TESTCACHE_SIZE=(value in MB)");
1706*08b48e0bSAndroid Build Coastguard Worker 
1707*08b48e0bSAndroid Build Coastguard Worker   } else if (afl->q_testcase_max_cache_size < 2 * MAX_FILE) {
1708*08b48e0bSAndroid Build Coastguard Worker 
1709*08b48e0bSAndroid Build Coastguard Worker     FATAL("AFL_TESTCACHE_SIZE must be set to %ld or more, or 0 to disable",
1710*08b48e0bSAndroid Build Coastguard Worker           (2 * MAX_FILE) % 1048576 == 0 ? (2 * MAX_FILE) / 1048576
1711*08b48e0bSAndroid Build Coastguard Worker                                         : 1 + ((2 * MAX_FILE) / 1048576));
1712*08b48e0bSAndroid Build Coastguard Worker 
1713*08b48e0bSAndroid Build Coastguard Worker   } else {
1714*08b48e0bSAndroid Build Coastguard Worker 
1715*08b48e0bSAndroid Build Coastguard Worker     OKF("Enabled testcache with %llu MB",
1716*08b48e0bSAndroid Build Coastguard Worker         afl->q_testcase_max_cache_size / 1048576);
1717*08b48e0bSAndroid Build Coastguard Worker 
1718*08b48e0bSAndroid Build Coastguard Worker   }
1719*08b48e0bSAndroid Build Coastguard Worker 
1720*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_forksrv_init_tmout) {
1721*08b48e0bSAndroid Build Coastguard Worker 
1722*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.init_tmout = atoi(afl->afl_env.afl_forksrv_init_tmout);
1723*08b48e0bSAndroid Build Coastguard Worker     if (!afl->fsrv.init_tmout) {
1724*08b48e0bSAndroid Build Coastguard Worker 
1725*08b48e0bSAndroid Build Coastguard Worker       FATAL("Invalid value of AFL_FORKSRV_INIT_TMOUT");
1726*08b48e0bSAndroid Build Coastguard Worker 
1727*08b48e0bSAndroid Build Coastguard Worker     }
1728*08b48e0bSAndroid Build Coastguard Worker 
1729*08b48e0bSAndroid Build Coastguard Worker   } else {
1730*08b48e0bSAndroid Build Coastguard Worker 
1731*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.init_tmout = afl->fsrv.exec_tmout * FORK_WAIT_MULT;
1732*08b48e0bSAndroid Build Coastguard Worker 
1733*08b48e0bSAndroid Build Coastguard Worker   }
1734*08b48e0bSAndroid Build Coastguard Worker 
1735*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_crash_exitcode) {
1736*08b48e0bSAndroid Build Coastguard Worker 
1737*08b48e0bSAndroid Build Coastguard Worker     long exitcode = strtol(afl->afl_env.afl_crash_exitcode, NULL, 10);
1738*08b48e0bSAndroid Build Coastguard Worker     if ((!exitcode && (errno == EINVAL || errno == ERANGE)) ||
1739*08b48e0bSAndroid Build Coastguard Worker         exitcode < -127 || exitcode > 128) {
1740*08b48e0bSAndroid Build Coastguard Worker 
1741*08b48e0bSAndroid Build Coastguard Worker       FATAL("Invalid crash exitcode, expected -127 to 128, but got %s",
1742*08b48e0bSAndroid Build Coastguard Worker             afl->afl_env.afl_crash_exitcode);
1743*08b48e0bSAndroid Build Coastguard Worker 
1744*08b48e0bSAndroid Build Coastguard Worker     }
1745*08b48e0bSAndroid Build Coastguard Worker 
1746*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.uses_crash_exitcode = true;
1747*08b48e0bSAndroid Build Coastguard Worker     // WEXITSTATUS is 8 bit unsigned
1748*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.crash_exitcode = (u8)exitcode;
1749*08b48e0bSAndroid Build Coastguard Worker 
1750*08b48e0bSAndroid Build Coastguard Worker   }
1751*08b48e0bSAndroid Build Coastguard Worker 
1752*08b48e0bSAndroid Build Coastguard Worker   if (afl->non_instrumented_mode == 2 && afl->no_forkserver) {
1753*08b48e0bSAndroid Build Coastguard Worker 
1754*08b48e0bSAndroid Build Coastguard Worker     FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive");
1755*08b48e0bSAndroid Build Coastguard Worker 
1756*08b48e0bSAndroid Build Coastguard Worker   }
1757*08b48e0bSAndroid Build Coastguard Worker 
1758*08b48e0bSAndroid Build Coastguard Worker   // Marker: ADD_TO_INJECTIONS
1759*08b48e0bSAndroid Build Coastguard Worker   if (getenv("AFL_LLVM_INJECTIONS_ALL") || getenv("AFL_LLVM_INJECTIONS_SQL") ||
1760*08b48e0bSAndroid Build Coastguard Worker       getenv("AFL_LLVM_INJECTIONS_LDAP") || getenv("AFL_LLVM_INJECTIONS_XSS")) {
1761*08b48e0bSAndroid Build Coastguard Worker 
1762*08b48e0bSAndroid Build Coastguard Worker     OKF("Adding injection tokens to dictionary.");
1763*08b48e0bSAndroid Build Coastguard Worker     if (getenv("AFL_LLVM_INJECTIONS_ALL") ||
1764*08b48e0bSAndroid Build Coastguard Worker         getenv("AFL_LLVM_INJECTIONS_SQL")) {
1765*08b48e0bSAndroid Build Coastguard Worker 
1766*08b48e0bSAndroid Build Coastguard Worker       add_extra(afl, "'\"\"'", 4);
1767*08b48e0bSAndroid Build Coastguard Worker 
1768*08b48e0bSAndroid Build Coastguard Worker     }
1769*08b48e0bSAndroid Build Coastguard Worker 
1770*08b48e0bSAndroid Build Coastguard Worker     if (getenv("AFL_LLVM_INJECTIONS_ALL") ||
1771*08b48e0bSAndroid Build Coastguard Worker         getenv("AFL_LLVM_INJECTIONS_LDAP")) {
1772*08b48e0bSAndroid Build Coastguard Worker 
1773*08b48e0bSAndroid Build Coastguard Worker       add_extra(afl, "*)(1=*))(|", 10);
1774*08b48e0bSAndroid Build Coastguard Worker 
1775*08b48e0bSAndroid Build Coastguard Worker     }
1776*08b48e0bSAndroid Build Coastguard Worker 
1777*08b48e0bSAndroid Build Coastguard Worker     if (getenv("AFL_LLVM_INJECTIONS_ALL") ||
1778*08b48e0bSAndroid Build Coastguard Worker         getenv("AFL_LLVM_INJECTIONS_XSS")) {
1779*08b48e0bSAndroid Build Coastguard Worker 
1780*08b48e0bSAndroid Build Coastguard Worker       add_extra(afl, "1\"><\"", 5);
1781*08b48e0bSAndroid Build Coastguard Worker 
1782*08b48e0bSAndroid Build Coastguard Worker     }
1783*08b48e0bSAndroid Build Coastguard Worker 
1784*08b48e0bSAndroid Build Coastguard Worker   }
1785*08b48e0bSAndroid Build Coastguard Worker 
1786*08b48e0bSAndroid Build Coastguard Worker   OKF("Generating fuzz data with a length of min=%u max=%u", afl->min_length,
1787*08b48e0bSAndroid Build Coastguard Worker       afl->max_length);
1788*08b48e0bSAndroid Build Coastguard Worker   u32 min_alloc = MAX(64U, afl->min_length);
1789*08b48e0bSAndroid Build Coastguard Worker   afl_realloc(AFL_BUF_PARAM(in_scratch), min_alloc);
1790*08b48e0bSAndroid Build Coastguard Worker   afl_realloc(AFL_BUF_PARAM(in), min_alloc);
1791*08b48e0bSAndroid Build Coastguard Worker   afl_realloc(AFL_BUF_PARAM(out_scratch), min_alloc);
1792*08b48e0bSAndroid Build Coastguard Worker   afl_realloc(AFL_BUF_PARAM(out), min_alloc);
1793*08b48e0bSAndroid Build Coastguard Worker   afl_realloc(AFL_BUF_PARAM(eff), min_alloc);
1794*08b48e0bSAndroid Build Coastguard Worker   afl_realloc(AFL_BUF_PARAM(ex), min_alloc);
1795*08b48e0bSAndroid Build Coastguard Worker 
1796*08b48e0bSAndroid Build Coastguard Worker   afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver;
1797*08b48e0bSAndroid Build Coastguard Worker 
1798*08b48e0bSAndroid Build Coastguard Worker   #ifdef __linux__
1799*08b48e0bSAndroid Build Coastguard Worker   if (!afl->fsrv.nyx_mode) {
1800*08b48e0bSAndroid Build Coastguard Worker 
1801*08b48e0bSAndroid Build Coastguard Worker     check_crash_handling();
1802*08b48e0bSAndroid Build Coastguard Worker     check_cpu_governor(afl);
1803*08b48e0bSAndroid Build Coastguard Worker 
1804*08b48e0bSAndroid Build Coastguard Worker   } else {
1805*08b48e0bSAndroid Build Coastguard Worker 
1806*08b48e0bSAndroid Build Coastguard Worker     u8 *libnyx_binary = find_afl_binary(argv[0], "libnyx.so");
1807*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.nyx_handlers = afl_load_libnyx_plugin(libnyx_binary);
1808*08b48e0bSAndroid Build Coastguard Worker     if (afl->fsrv.nyx_handlers == NULL) {
1809*08b48e0bSAndroid Build Coastguard Worker 
1810*08b48e0bSAndroid Build Coastguard Worker       FATAL("failed to initialize libnyx.so...");
1811*08b48e0bSAndroid Build Coastguard Worker 
1812*08b48e0bSAndroid Build Coastguard Worker     }
1813*08b48e0bSAndroid Build Coastguard Worker 
1814*08b48e0bSAndroid Build Coastguard Worker   }
1815*08b48e0bSAndroid Build Coastguard Worker 
1816*08b48e0bSAndroid Build Coastguard Worker   #else
1817*08b48e0bSAndroid Build Coastguard Worker   check_crash_handling();
1818*08b48e0bSAndroid Build Coastguard Worker   check_cpu_governor(afl);
1819*08b48e0bSAndroid Build Coastguard Worker   #endif
1820*08b48e0bSAndroid Build Coastguard Worker 
1821*08b48e0bSAndroid Build Coastguard Worker   #ifdef __APPLE__
1822*08b48e0bSAndroid Build Coastguard Worker   setenv("DYLD_NO_PIE", "1", 0);
1823*08b48e0bSAndroid Build Coastguard Worker   #endif
1824*08b48e0bSAndroid Build Coastguard Worker 
1825*08b48e0bSAndroid Build Coastguard Worker   if (getenv("LD_PRELOAD")) {
1826*08b48e0bSAndroid Build Coastguard Worker 
1827*08b48e0bSAndroid Build Coastguard Worker     WARNF(
1828*08b48e0bSAndroid Build Coastguard Worker         "LD_PRELOAD is set, are you sure that is what you want to do "
1829*08b48e0bSAndroid Build Coastguard Worker         "instead of using AFL_PRELOAD?");
1830*08b48e0bSAndroid Build Coastguard Worker 
1831*08b48e0bSAndroid Build Coastguard Worker   }
1832*08b48e0bSAndroid Build Coastguard Worker 
1833*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_preload) {
1834*08b48e0bSAndroid Build Coastguard Worker 
1835*08b48e0bSAndroid Build Coastguard Worker     if (afl->fsrv.qemu_mode) {
1836*08b48e0bSAndroid Build Coastguard Worker 
1837*08b48e0bSAndroid Build Coastguard Worker       /* afl-qemu-trace takes care of converting AFL_PRELOAD. */
1838*08b48e0bSAndroid Build Coastguard Worker 
1839*08b48e0bSAndroid Build Coastguard Worker     } else if (afl->fsrv.frida_mode) {
1840*08b48e0bSAndroid Build Coastguard Worker 
1841*08b48e0bSAndroid Build Coastguard Worker       afl_preload = getenv("AFL_PRELOAD");
1842*08b48e0bSAndroid Build Coastguard Worker       u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
1843*08b48e0bSAndroid Build Coastguard Worker       OKF("Injecting %s ...", frida_binary);
1844*08b48e0bSAndroid Build Coastguard Worker       if (afl_preload) {
1845*08b48e0bSAndroid Build Coastguard Worker 
1846*08b48e0bSAndroid Build Coastguard Worker         if (afl->fsrv.frida_asan) {
1847*08b48e0bSAndroid Build Coastguard Worker 
1848*08b48e0bSAndroid Build Coastguard Worker           OKF("Using Frida Address Sanitizer Mode");
1849*08b48e0bSAndroid Build Coastguard Worker 
1850*08b48e0bSAndroid Build Coastguard Worker           fasan_check_afl_preload(afl_preload);
1851*08b48e0bSAndroid Build Coastguard Worker 
1852*08b48e0bSAndroid Build Coastguard Worker           setenv("ASAN_OPTIONS", "detect_leaks=false", 1);
1853*08b48e0bSAndroid Build Coastguard Worker 
1854*08b48e0bSAndroid Build Coastguard Worker         }
1855*08b48e0bSAndroid Build Coastguard Worker 
1856*08b48e0bSAndroid Build Coastguard Worker         u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
1857*08b48e0bSAndroid Build Coastguard Worker         OKF("Injecting %s ...", frida_binary);
1858*08b48e0bSAndroid Build Coastguard Worker         frida_afl_preload = alloc_printf("%s:%s", afl_preload, frida_binary);
1859*08b48e0bSAndroid Build Coastguard Worker 
1860*08b48e0bSAndroid Build Coastguard Worker         ck_free(frida_binary);
1861*08b48e0bSAndroid Build Coastguard Worker 
1862*08b48e0bSAndroid Build Coastguard Worker         setenv("LD_PRELOAD", frida_afl_preload, 1);
1863*08b48e0bSAndroid Build Coastguard Worker         setenv("DYLD_INSERT_LIBRARIES", frida_afl_preload, 1);
1864*08b48e0bSAndroid Build Coastguard Worker 
1865*08b48e0bSAndroid Build Coastguard Worker       }
1866*08b48e0bSAndroid Build Coastguard Worker 
1867*08b48e0bSAndroid Build Coastguard Worker     } else {
1868*08b48e0bSAndroid Build Coastguard Worker 
1869*08b48e0bSAndroid Build Coastguard Worker       /* CoreSight mode uses the default behavior. */
1870*08b48e0bSAndroid Build Coastguard Worker 
1871*08b48e0bSAndroid Build Coastguard Worker       setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
1872*08b48e0bSAndroid Build Coastguard Worker       setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1);
1873*08b48e0bSAndroid Build Coastguard Worker 
1874*08b48e0bSAndroid Build Coastguard Worker     }
1875*08b48e0bSAndroid Build Coastguard Worker 
1876*08b48e0bSAndroid Build Coastguard Worker   } else if (afl->fsrv.frida_mode) {
1877*08b48e0bSAndroid Build Coastguard Worker 
1878*08b48e0bSAndroid Build Coastguard Worker     if (afl->fsrv.frida_asan) {
1879*08b48e0bSAndroid Build Coastguard Worker 
1880*08b48e0bSAndroid Build Coastguard Worker       OKF("Using Frida Address Sanitizer Mode");
1881*08b48e0bSAndroid Build Coastguard Worker       FATAL(
1882*08b48e0bSAndroid Build Coastguard Worker           "Address Sanitizer DSO must be loaded using AFL_PRELOAD in Frida "
1883*08b48e0bSAndroid Build Coastguard Worker           "Address Sanitizer Mode");
1884*08b48e0bSAndroid Build Coastguard Worker 
1885*08b48e0bSAndroid Build Coastguard Worker     } else {
1886*08b48e0bSAndroid Build Coastguard Worker 
1887*08b48e0bSAndroid Build Coastguard Worker       u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so");
1888*08b48e0bSAndroid Build Coastguard Worker       OKF("Injecting %s ...", frida_binary);
1889*08b48e0bSAndroid Build Coastguard Worker       setenv("LD_PRELOAD", frida_binary, 1);
1890*08b48e0bSAndroid Build Coastguard Worker       setenv("DYLD_INSERT_LIBRARIES", frida_binary, 1);
1891*08b48e0bSAndroid Build Coastguard Worker       ck_free(frida_binary);
1892*08b48e0bSAndroid Build Coastguard Worker 
1893*08b48e0bSAndroid Build Coastguard Worker     }
1894*08b48e0bSAndroid Build Coastguard Worker 
1895*08b48e0bSAndroid Build Coastguard Worker   }
1896*08b48e0bSAndroid Build Coastguard Worker 
1897*08b48e0bSAndroid Build Coastguard Worker   if (getenv("AFL_LD_PRELOAD")) {
1898*08b48e0bSAndroid Build Coastguard Worker 
1899*08b48e0bSAndroid Build Coastguard Worker     FATAL("Use AFL_PRELOAD instead of AFL_LD_PRELOAD");
1900*08b48e0bSAndroid Build Coastguard Worker 
1901*08b48e0bSAndroid Build Coastguard Worker   }
1902*08b48e0bSAndroid Build Coastguard Worker 
1903*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_target_env &&
1904*08b48e0bSAndroid Build Coastguard Worker       !extract_and_set_env(afl->afl_env.afl_target_env)) {
1905*08b48e0bSAndroid Build Coastguard Worker 
1906*08b48e0bSAndroid Build Coastguard Worker     FATAL("Bad value of AFL_TARGET_ENV");
1907*08b48e0bSAndroid Build Coastguard Worker 
1908*08b48e0bSAndroid Build Coastguard Worker   }
1909*08b48e0bSAndroid Build Coastguard Worker 
1910*08b48e0bSAndroid Build Coastguard Worker   save_cmdline(afl, argc, argv);
1911*08b48e0bSAndroid Build Coastguard Worker   check_if_tty(afl);
1912*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_force_ui) { afl->not_on_tty = 0; }
1913*08b48e0bSAndroid Build Coastguard Worker 
1914*08b48e0bSAndroid Build Coastguard Worker   get_core_count(afl);
1915*08b48e0bSAndroid Build Coastguard Worker 
1916*08b48e0bSAndroid Build Coastguard Worker   atexit(at_exit);
1917*08b48e0bSAndroid Build Coastguard Worker 
1918*08b48e0bSAndroid Build Coastguard Worker   setup_dirs_fds(afl);
1919*08b48e0bSAndroid Build Coastguard Worker 
1920*08b48e0bSAndroid Build Coastguard Worker   #ifdef HAVE_AFFINITY
1921*08b48e0bSAndroid Build Coastguard Worker   bind_to_free_cpu(afl);
1922*08b48e0bSAndroid Build Coastguard Worker   #endif                                                   /* HAVE_AFFINITY */
1923*08b48e0bSAndroid Build Coastguard Worker 
1924*08b48e0bSAndroid Build Coastguard Worker   #ifdef __linux__
1925*08b48e0bSAndroid Build Coastguard Worker   if (afl->fsrv.nyx_mode && afl->fsrv.nyx_bind_cpu_id == 0xFFFFFFFF) {
1926*08b48e0bSAndroid Build Coastguard Worker 
1927*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.nyx_bind_cpu_id = 0;
1928*08b48e0bSAndroid Build Coastguard Worker 
1929*08b48e0bSAndroid Build Coastguard Worker   }
1930*08b48e0bSAndroid Build Coastguard Worker 
1931*08b48e0bSAndroid Build Coastguard Worker   #endif
1932*08b48e0bSAndroid Build Coastguard Worker 
1933*08b48e0bSAndroid Build Coastguard Worker   #ifdef __HAIKU__
1934*08b48e0bSAndroid Build Coastguard Worker   /* Prioritizes performance over power saving */
1935*08b48e0bSAndroid Build Coastguard Worker   set_scheduler_mode(SCHEDULER_MODE_LOW_LATENCY);
1936*08b48e0bSAndroid Build Coastguard Worker   #endif
1937*08b48e0bSAndroid Build Coastguard Worker 
1938*08b48e0bSAndroid Build Coastguard Worker   #ifdef __APPLE__
1939*08b48e0bSAndroid Build Coastguard Worker   if (pthread_set_qos_class_self_np(QOS_CLASS_USER_INTERACTIVE, 0) != 0) {
1940*08b48e0bSAndroid Build Coastguard Worker 
1941*08b48e0bSAndroid Build Coastguard Worker     WARNF("general thread priority settings failed");
1942*08b48e0bSAndroid Build Coastguard Worker 
1943*08b48e0bSAndroid Build Coastguard Worker   }
1944*08b48e0bSAndroid Build Coastguard Worker 
1945*08b48e0bSAndroid Build Coastguard Worker   #endif
1946*08b48e0bSAndroid Build Coastguard Worker 
1947*08b48e0bSAndroid Build Coastguard Worker   init_count_class16();
1948*08b48e0bSAndroid Build Coastguard Worker 
1949*08b48e0bSAndroid Build Coastguard Worker   if (afl->is_main_node && check_main_node_exists(afl) == 1) {
1950*08b48e0bSAndroid Build Coastguard Worker 
1951*08b48e0bSAndroid Build Coastguard Worker     WARNF("it is wasteful to run more than one main node!");
1952*08b48e0bSAndroid Build Coastguard Worker     sleep(1);
1953*08b48e0bSAndroid Build Coastguard Worker 
1954*08b48e0bSAndroid Build Coastguard Worker   } else if (!auto_sync && afl->is_secondary_node &&
1955*08b48e0bSAndroid Build Coastguard Worker 
1956*08b48e0bSAndroid Build Coastguard Worker              check_main_node_exists(afl) == 0) {
1957*08b48e0bSAndroid Build Coastguard Worker 
1958*08b48e0bSAndroid Build Coastguard Worker     WARNF(
1959*08b48e0bSAndroid Build Coastguard Worker         "no -M main node found. It is recommended to run exactly one main "
1960*08b48e0bSAndroid Build Coastguard Worker         "instance.");
1961*08b48e0bSAndroid Build Coastguard Worker     sleep(1);
1962*08b48e0bSAndroid Build Coastguard Worker 
1963*08b48e0bSAndroid Build Coastguard Worker   }
1964*08b48e0bSAndroid Build Coastguard Worker 
1965*08b48e0bSAndroid Build Coastguard Worker   #ifdef RAND_TEST_VALUES
1966*08b48e0bSAndroid Build Coastguard Worker   u32 counter;
1967*08b48e0bSAndroid Build Coastguard Worker   for (counter = 0; counter < 100000; counter++)
1968*08b48e0bSAndroid Build Coastguard Worker     printf("DEBUG: rand %06d is %u\n", counter, rand_below(afl, 65536));
1969*08b48e0bSAndroid Build Coastguard Worker   #endif
1970*08b48e0bSAndroid Build Coastguard Worker 
1971*08b48e0bSAndroid Build Coastguard Worker   if (!getenv("AFL_CUSTOM_INFO_PROGRAM")) {
1972*08b48e0bSAndroid Build Coastguard Worker 
1973*08b48e0bSAndroid Build Coastguard Worker     setenv("AFL_CUSTOM_INFO_PROGRAM", argv[optind], 1);
1974*08b48e0bSAndroid Build Coastguard Worker 
1975*08b48e0bSAndroid Build Coastguard Worker   }
1976*08b48e0bSAndroid Build Coastguard Worker 
1977*08b48e0bSAndroid Build Coastguard Worker   if (!getenv("AFL_CUSTOM_INFO_PROGRAM_INPUT") && afl->fsrv.out_file) {
1978*08b48e0bSAndroid Build Coastguard Worker 
1979*08b48e0bSAndroid Build Coastguard Worker     setenv("AFL_CUSTOM_INFO_PROGRAM_INPUT", afl->fsrv.out_file, 1);
1980*08b48e0bSAndroid Build Coastguard Worker 
1981*08b48e0bSAndroid Build Coastguard Worker   }
1982*08b48e0bSAndroid Build Coastguard Worker 
1983*08b48e0bSAndroid Build Coastguard Worker   if (!getenv("AFL_CUSTOM_INFO_PROGRAM_ARGV")) {
1984*08b48e0bSAndroid Build Coastguard Worker 
1985*08b48e0bSAndroid Build Coastguard Worker     u8 envbuf[8096] = "", tmpbuf[8096] = "";
1986*08b48e0bSAndroid Build Coastguard Worker     for (s32 i = optind + 1; i < argc; ++i) {
1987*08b48e0bSAndroid Build Coastguard Worker 
1988*08b48e0bSAndroid Build Coastguard Worker       strcpy(tmpbuf, envbuf);
1989*08b48e0bSAndroid Build Coastguard Worker       if (strchr(argv[i], ' ') && !strchr(argv[i], '"') &&
1990*08b48e0bSAndroid Build Coastguard Worker           !strchr(argv[i], '\'')) {
1991*08b48e0bSAndroid Build Coastguard Worker 
1992*08b48e0bSAndroid Build Coastguard Worker         if (!strchr(argv[i], '\'')) {
1993*08b48e0bSAndroid Build Coastguard Worker 
1994*08b48e0bSAndroid Build Coastguard Worker           snprintf(envbuf, sizeof(tmpbuf), "%s '%s'", tmpbuf, argv[i]);
1995*08b48e0bSAndroid Build Coastguard Worker 
1996*08b48e0bSAndroid Build Coastguard Worker         } else {
1997*08b48e0bSAndroid Build Coastguard Worker 
1998*08b48e0bSAndroid Build Coastguard Worker           snprintf(envbuf, sizeof(tmpbuf), "%s \"%s\"", tmpbuf, argv[i]);
1999*08b48e0bSAndroid Build Coastguard Worker 
2000*08b48e0bSAndroid Build Coastguard Worker         }
2001*08b48e0bSAndroid Build Coastguard Worker 
2002*08b48e0bSAndroid Build Coastguard Worker       } else {
2003*08b48e0bSAndroid Build Coastguard Worker 
2004*08b48e0bSAndroid Build Coastguard Worker         snprintf(envbuf, sizeof(tmpbuf), "%s %s", tmpbuf, argv[i]);
2005*08b48e0bSAndroid Build Coastguard Worker 
2006*08b48e0bSAndroid Build Coastguard Worker       }
2007*08b48e0bSAndroid Build Coastguard Worker 
2008*08b48e0bSAndroid Build Coastguard Worker     }
2009*08b48e0bSAndroid Build Coastguard Worker 
2010*08b48e0bSAndroid Build Coastguard Worker     setenv("AFL_CUSTOM_INFO_PROGRAM_ARGV", envbuf + 1, 1);
2011*08b48e0bSAndroid Build Coastguard Worker 
2012*08b48e0bSAndroid Build Coastguard Worker   }
2013*08b48e0bSAndroid Build Coastguard Worker 
2014*08b48e0bSAndroid Build Coastguard Worker   if (!getenv("AFL_CUSTOM_INFO_OUT")) {
2015*08b48e0bSAndroid Build Coastguard Worker 
2016*08b48e0bSAndroid Build Coastguard Worker     setenv("AFL_CUSTOM_INFO_OUT", afl->out_dir, 1);  // same as __AFL_OUT_DIR
2017*08b48e0bSAndroid Build Coastguard Worker 
2018*08b48e0bSAndroid Build Coastguard Worker   }
2019*08b48e0bSAndroid Build Coastguard Worker 
2020*08b48e0bSAndroid Build Coastguard Worker   setup_custom_mutators(afl);
2021*08b48e0bSAndroid Build Coastguard Worker 
2022*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_custom_mutator_only) {
2023*08b48e0bSAndroid Build Coastguard Worker 
2024*08b48e0bSAndroid Build Coastguard Worker     if (!afl->custom_mutators_count) {
2025*08b48e0bSAndroid Build Coastguard Worker 
2026*08b48e0bSAndroid Build Coastguard Worker       if (afl->shm.cmplog_mode) {
2027*08b48e0bSAndroid Build Coastguard Worker 
2028*08b48e0bSAndroid Build Coastguard Worker         WARNF(
2029*08b48e0bSAndroid Build Coastguard Worker             "No custom mutator loaded, using AFL_CUSTOM_MUTATOR_ONLY is "
2030*08b48e0bSAndroid Build Coastguard Worker             "pointless and only allowed now to allow experiments with CMPLOG.");
2031*08b48e0bSAndroid Build Coastguard Worker 
2032*08b48e0bSAndroid Build Coastguard Worker       } else {
2033*08b48e0bSAndroid Build Coastguard Worker 
2034*08b48e0bSAndroid Build Coastguard Worker         FATAL(
2035*08b48e0bSAndroid Build Coastguard Worker             "No custom mutator loaded but AFL_CUSTOM_MUTATOR_ONLY specified.");
2036*08b48e0bSAndroid Build Coastguard Worker 
2037*08b48e0bSAndroid Build Coastguard Worker       }
2038*08b48e0bSAndroid Build Coastguard Worker 
2039*08b48e0bSAndroid Build Coastguard Worker     }
2040*08b48e0bSAndroid Build Coastguard Worker 
2041*08b48e0bSAndroid Build Coastguard Worker     /* This ensures we don't proceed to havoc/splice */
2042*08b48e0bSAndroid Build Coastguard Worker     afl->custom_only = 1;
2043*08b48e0bSAndroid Build Coastguard Worker 
2044*08b48e0bSAndroid Build Coastguard Worker     /* Ensure we also skip all deterministic steps */
2045*08b48e0bSAndroid Build Coastguard Worker     afl->skip_deterministic = 1;
2046*08b48e0bSAndroid Build Coastguard Worker 
2047*08b48e0bSAndroid Build Coastguard Worker   }
2048*08b48e0bSAndroid Build Coastguard Worker 
2049*08b48e0bSAndroid Build Coastguard Worker   if (afl->limit_time_sig > 0 && afl->custom_mutators_count) {
2050*08b48e0bSAndroid Build Coastguard Worker 
2051*08b48e0bSAndroid Build Coastguard Worker     if (afl->custom_only) {
2052*08b48e0bSAndroid Build Coastguard Worker 
2053*08b48e0bSAndroid Build Coastguard Worker       FATAL("Custom mutators are incompatible with MOpt (-L)");
2054*08b48e0bSAndroid Build Coastguard Worker 
2055*08b48e0bSAndroid Build Coastguard Worker     }
2056*08b48e0bSAndroid Build Coastguard Worker 
2057*08b48e0bSAndroid Build Coastguard Worker     u32 custom_fuzz = 0;
2058*08b48e0bSAndroid Build Coastguard Worker     LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, {
2059*08b48e0bSAndroid Build Coastguard Worker 
2060*08b48e0bSAndroid Build Coastguard Worker       if (el->afl_custom_fuzz) { custom_fuzz = 1; }
2061*08b48e0bSAndroid Build Coastguard Worker 
2062*08b48e0bSAndroid Build Coastguard Worker     });
2063*08b48e0bSAndroid Build Coastguard Worker 
2064*08b48e0bSAndroid Build Coastguard Worker     if (custom_fuzz) {
2065*08b48e0bSAndroid Build Coastguard Worker 
2066*08b48e0bSAndroid Build Coastguard Worker       WARNF("afl_custom_fuzz is incompatible with MOpt (-L)");
2067*08b48e0bSAndroid Build Coastguard Worker 
2068*08b48e0bSAndroid Build Coastguard Worker     }
2069*08b48e0bSAndroid Build Coastguard Worker 
2070*08b48e0bSAndroid Build Coastguard Worker   }
2071*08b48e0bSAndroid Build Coastguard Worker 
2072*08b48e0bSAndroid Build Coastguard Worker   write_setup_file(afl, argc, argv);
2073*08b48e0bSAndroid Build Coastguard Worker 
2074*08b48e0bSAndroid Build Coastguard Worker   setup_cmdline_file(afl, argv + optind);
2075*08b48e0bSAndroid Build Coastguard Worker 
2076*08b48e0bSAndroid Build Coastguard Worker   read_testcases(afl, NULL);
2077*08b48e0bSAndroid Build Coastguard Worker   // read_foreign_testcases(afl, 1); for the moment dont do this
2078*08b48e0bSAndroid Build Coastguard Worker   OKF("Loaded a total of %u seeds.", afl->queued_items);
2079*08b48e0bSAndroid Build Coastguard Worker 
2080*08b48e0bSAndroid Build Coastguard Worker   pivot_inputs(afl);
2081*08b48e0bSAndroid Build Coastguard Worker 
2082*08b48e0bSAndroid Build Coastguard Worker   if (!afl->timeout_given) { find_timeout(afl); }  // only for resumes!
2083*08b48e0bSAndroid Build Coastguard Worker 
2084*08b48e0bSAndroid Build Coastguard Worker   if ((afl->tmp_dir = afl->afl_env.afl_tmpdir) != NULL &&
2085*08b48e0bSAndroid Build Coastguard Worker       !afl->in_place_resume) {
2086*08b48e0bSAndroid Build Coastguard Worker 
2087*08b48e0bSAndroid Build Coastguard Worker     char tmpfile[PATH_MAX];
2088*08b48e0bSAndroid Build Coastguard Worker 
2089*08b48e0bSAndroid Build Coastguard Worker     if (afl->file_extension) {
2090*08b48e0bSAndroid Build Coastguard Worker 
2091*08b48e0bSAndroid Build Coastguard Worker       snprintf(tmpfile, PATH_MAX, "%s/.cur_input.%s", afl->tmp_dir,
2092*08b48e0bSAndroid Build Coastguard Worker                afl->file_extension);
2093*08b48e0bSAndroid Build Coastguard Worker 
2094*08b48e0bSAndroid Build Coastguard Worker     } else {
2095*08b48e0bSAndroid Build Coastguard Worker 
2096*08b48e0bSAndroid Build Coastguard Worker       snprintf(tmpfile, PATH_MAX, "%s/.cur_input", afl->tmp_dir);
2097*08b48e0bSAndroid Build Coastguard Worker 
2098*08b48e0bSAndroid Build Coastguard Worker     }
2099*08b48e0bSAndroid Build Coastguard Worker 
2100*08b48e0bSAndroid Build Coastguard Worker     /* there is still a race condition here, but well ... */
2101*08b48e0bSAndroid Build Coastguard Worker     if (access(tmpfile, F_OK) != -1) {
2102*08b48e0bSAndroid Build Coastguard Worker 
2103*08b48e0bSAndroid Build Coastguard Worker       FATAL(
2104*08b48e0bSAndroid Build Coastguard Worker           "AFL_TMPDIR already has an existing temporary input file: %s - if "
2105*08b48e0bSAndroid Build Coastguard Worker           "this is not from another instance, then just remove the file.",
2106*08b48e0bSAndroid Build Coastguard Worker           tmpfile);
2107*08b48e0bSAndroid Build Coastguard Worker 
2108*08b48e0bSAndroid Build Coastguard Worker     }
2109*08b48e0bSAndroid Build Coastguard Worker 
2110*08b48e0bSAndroid Build Coastguard Worker   } else {
2111*08b48e0bSAndroid Build Coastguard Worker 
2112*08b48e0bSAndroid Build Coastguard Worker     afl->tmp_dir = afl->out_dir;
2113*08b48e0bSAndroid Build Coastguard Worker 
2114*08b48e0bSAndroid Build Coastguard Worker   }
2115*08b48e0bSAndroid Build Coastguard Worker 
2116*08b48e0bSAndroid Build Coastguard Worker   /* If we don't have a file name chosen yet, use a safe default. */
2117*08b48e0bSAndroid Build Coastguard Worker 
2118*08b48e0bSAndroid Build Coastguard Worker   if (!afl->fsrv.out_file) {
2119*08b48e0bSAndroid Build Coastguard Worker 
2120*08b48e0bSAndroid Build Coastguard Worker     u32 j = optind + 1;
2121*08b48e0bSAndroid Build Coastguard Worker     while (argv[j]) {
2122*08b48e0bSAndroid Build Coastguard Worker 
2123*08b48e0bSAndroid Build Coastguard Worker       u8 *aa_loc = strstr(argv[j], "@@");
2124*08b48e0bSAndroid Build Coastguard Worker 
2125*08b48e0bSAndroid Build Coastguard Worker       if (aa_loc && !afl->fsrv.out_file) {
2126*08b48e0bSAndroid Build Coastguard Worker 
2127*08b48e0bSAndroid Build Coastguard Worker         afl->fsrv.use_stdin = 0;
2128*08b48e0bSAndroid Build Coastguard Worker         default_output = 0;
2129*08b48e0bSAndroid Build Coastguard Worker 
2130*08b48e0bSAndroid Build Coastguard Worker         if (afl->file_extension) {
2131*08b48e0bSAndroid Build Coastguard Worker 
2132*08b48e0bSAndroid Build Coastguard Worker           afl->fsrv.out_file = alloc_printf("%s/.cur_input.%s", afl->tmp_dir,
2133*08b48e0bSAndroid Build Coastguard Worker                                             afl->file_extension);
2134*08b48e0bSAndroid Build Coastguard Worker 
2135*08b48e0bSAndroid Build Coastguard Worker         } else {
2136*08b48e0bSAndroid Build Coastguard Worker 
2137*08b48e0bSAndroid Build Coastguard Worker           afl->fsrv.out_file = alloc_printf("%s/.cur_input", afl->tmp_dir);
2138*08b48e0bSAndroid Build Coastguard Worker 
2139*08b48e0bSAndroid Build Coastguard Worker         }
2140*08b48e0bSAndroid Build Coastguard Worker 
2141*08b48e0bSAndroid Build Coastguard Worker         detect_file_args(argv + optind + 1, afl->fsrv.out_file,
2142*08b48e0bSAndroid Build Coastguard Worker                          &afl->fsrv.use_stdin);
2143*08b48e0bSAndroid Build Coastguard Worker         break;
2144*08b48e0bSAndroid Build Coastguard Worker 
2145*08b48e0bSAndroid Build Coastguard Worker       }
2146*08b48e0bSAndroid Build Coastguard Worker 
2147*08b48e0bSAndroid Build Coastguard Worker       ++j;
2148*08b48e0bSAndroid Build Coastguard Worker 
2149*08b48e0bSAndroid Build Coastguard Worker     }
2150*08b48e0bSAndroid Build Coastguard Worker 
2151*08b48e0bSAndroid Build Coastguard Worker   }
2152*08b48e0bSAndroid Build Coastguard Worker 
2153*08b48e0bSAndroid Build Coastguard Worker   if (!afl->fsrv.out_file) { setup_stdio_file(afl); }
2154*08b48e0bSAndroid Build Coastguard Worker 
2155*08b48e0bSAndroid Build Coastguard Worker   if (afl->cmplog_binary) {
2156*08b48e0bSAndroid Build Coastguard Worker 
2157*08b48e0bSAndroid Build Coastguard Worker     if (afl->unicorn_mode) {
2158*08b48e0bSAndroid Build Coastguard Worker 
2159*08b48e0bSAndroid Build Coastguard Worker       FATAL("CmpLog and Unicorn mode are not compatible at the moment, sorry");
2160*08b48e0bSAndroid Build Coastguard Worker 
2161*08b48e0bSAndroid Build Coastguard Worker     }
2162*08b48e0bSAndroid Build Coastguard Worker 
2163*08b48e0bSAndroid Build Coastguard Worker     if (!afl->fsrv.qemu_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode &&
2164*08b48e0bSAndroid Build Coastguard Worker         !afl->non_instrumented_mode) {
2165*08b48e0bSAndroid Build Coastguard Worker 
2166*08b48e0bSAndroid Build Coastguard Worker       check_binary(afl, afl->cmplog_binary);
2167*08b48e0bSAndroid Build Coastguard Worker 
2168*08b48e0bSAndroid Build Coastguard Worker     }
2169*08b48e0bSAndroid Build Coastguard Worker 
2170*08b48e0bSAndroid Build Coastguard Worker   }
2171*08b48e0bSAndroid Build Coastguard Worker 
2172*08b48e0bSAndroid Build Coastguard Worker   check_binary(afl, argv[optind]);
2173*08b48e0bSAndroid Build Coastguard Worker 
2174*08b48e0bSAndroid Build Coastguard Worker   #ifdef AFL_PERSISTENT_RECORD
2175*08b48e0bSAndroid Build Coastguard Worker   if (unlikely(afl->fsrv.persistent_record)) {
2176*08b48e0bSAndroid Build Coastguard Worker 
2177*08b48e0bSAndroid Build Coastguard Worker     if (!getenv(PERSIST_ENV_VAR)) {
2178*08b48e0bSAndroid Build Coastguard Worker 
2179*08b48e0bSAndroid Build Coastguard Worker       FATAL(
2180*08b48e0bSAndroid Build Coastguard Worker           "Target binary is not compiled in persistent mode, "
2181*08b48e0bSAndroid Build Coastguard Worker           "AFL_PERSISTENT_RECORD makes no sense.");
2182*08b48e0bSAndroid Build Coastguard Worker 
2183*08b48e0bSAndroid Build Coastguard Worker     }
2184*08b48e0bSAndroid Build Coastguard Worker 
2185*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.persistent_record_dir = alloc_printf("%s/crashes", afl->out_dir);
2186*08b48e0bSAndroid Build Coastguard Worker 
2187*08b48e0bSAndroid Build Coastguard Worker   }
2188*08b48e0bSAndroid Build Coastguard Worker 
2189*08b48e0bSAndroid Build Coastguard Worker   #endif
2190*08b48e0bSAndroid Build Coastguard Worker 
2191*08b48e0bSAndroid Build Coastguard Worker   if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); }
2192*08b48e0bSAndroid Build Coastguard Worker 
2193*08b48e0bSAndroid Build Coastguard Worker   afl->start_time = get_cur_time();
2194*08b48e0bSAndroid Build Coastguard Worker 
2195*08b48e0bSAndroid Build Coastguard Worker   if (afl->fsrv.qemu_mode) {
2196*08b48e0bSAndroid Build Coastguard Worker 
2197*08b48e0bSAndroid Build Coastguard Worker     if (afl->use_wine) {
2198*08b48e0bSAndroid Build Coastguard Worker 
2199*08b48e0bSAndroid Build Coastguard Worker       use_argv = get_wine_argv(argv[0], &afl->fsrv.target_path, argc - optind,
2200*08b48e0bSAndroid Build Coastguard Worker                                argv + optind);
2201*08b48e0bSAndroid Build Coastguard Worker 
2202*08b48e0bSAndroid Build Coastguard Worker     } else {
2203*08b48e0bSAndroid Build Coastguard Worker 
2204*08b48e0bSAndroid Build Coastguard Worker       use_argv = get_qemu_argv(argv[0], &afl->fsrv.target_path, argc - optind,
2205*08b48e0bSAndroid Build Coastguard Worker                                argv + optind);
2206*08b48e0bSAndroid Build Coastguard Worker 
2207*08b48e0bSAndroid Build Coastguard Worker     }
2208*08b48e0bSAndroid Build Coastguard Worker 
2209*08b48e0bSAndroid Build Coastguard Worker   } else if (afl->fsrv.cs_mode) {
2210*08b48e0bSAndroid Build Coastguard Worker 
2211*08b48e0bSAndroid Build Coastguard Worker     use_argv = get_cs_argv(argv[0], &afl->fsrv.target_path, argc - optind,
2212*08b48e0bSAndroid Build Coastguard Worker                            argv + optind);
2213*08b48e0bSAndroid Build Coastguard Worker 
2214*08b48e0bSAndroid Build Coastguard Worker   } else {
2215*08b48e0bSAndroid Build Coastguard Worker 
2216*08b48e0bSAndroid Build Coastguard Worker     use_argv = argv + optind;
2217*08b48e0bSAndroid Build Coastguard Worker 
2218*08b48e0bSAndroid Build Coastguard Worker   }
2219*08b48e0bSAndroid Build Coastguard Worker 
2220*08b48e0bSAndroid Build Coastguard Worker   if (afl->non_instrumented_mode || afl->fsrv.qemu_mode ||
2221*08b48e0bSAndroid Build Coastguard Worker       afl->fsrv.frida_mode || afl->fsrv.cs_mode || afl->unicorn_mode) {
2222*08b48e0bSAndroid Build Coastguard Worker 
2223*08b48e0bSAndroid Build Coastguard Worker     u32 old_map_size = map_size;
2224*08b48e0bSAndroid Build Coastguard Worker     map_size = afl->fsrv.real_map_size = afl->fsrv.map_size = MAP_SIZE;
2225*08b48e0bSAndroid Build Coastguard Worker     afl->virgin_bits = ck_realloc(afl->virgin_bits, map_size);
2226*08b48e0bSAndroid Build Coastguard Worker     afl->virgin_tmout = ck_realloc(afl->virgin_tmout, map_size);
2227*08b48e0bSAndroid Build Coastguard Worker     afl->virgin_crash = ck_realloc(afl->virgin_crash, map_size);
2228*08b48e0bSAndroid Build Coastguard Worker     afl->var_bytes = ck_realloc(afl->var_bytes, map_size);
2229*08b48e0bSAndroid Build Coastguard Worker     afl->top_rated = ck_realloc(afl->top_rated, map_size * sizeof(void *));
2230*08b48e0bSAndroid Build Coastguard Worker     afl->clean_trace = ck_realloc(afl->clean_trace, map_size);
2231*08b48e0bSAndroid Build Coastguard Worker     afl->clean_trace_custom = ck_realloc(afl->clean_trace_custom, map_size);
2232*08b48e0bSAndroid Build Coastguard Worker     afl->first_trace = ck_realloc(afl->first_trace, map_size);
2233*08b48e0bSAndroid Build Coastguard Worker     afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, map_size);
2234*08b48e0bSAndroid Build Coastguard Worker 
2235*08b48e0bSAndroid Build Coastguard Worker     if (old_map_size < map_size) {
2236*08b48e0bSAndroid Build Coastguard Worker 
2237*08b48e0bSAndroid Build Coastguard Worker       memset(afl->var_bytes + old_map_size, 0, map_size - old_map_size);
2238*08b48e0bSAndroid Build Coastguard Worker       memset(afl->top_rated + old_map_size, 0, map_size - old_map_size);
2239*08b48e0bSAndroid Build Coastguard Worker       memset(afl->clean_trace + old_map_size, 0, map_size - old_map_size);
2240*08b48e0bSAndroid Build Coastguard Worker       memset(afl->clean_trace_custom + old_map_size, 0,
2241*08b48e0bSAndroid Build Coastguard Worker              map_size - old_map_size);
2242*08b48e0bSAndroid Build Coastguard Worker       memset(afl->first_trace + old_map_size, 0, map_size - old_map_size);
2243*08b48e0bSAndroid Build Coastguard Worker       memset(afl->map_tmp_buf + old_map_size, 0, map_size - old_map_size);
2244*08b48e0bSAndroid Build Coastguard Worker 
2245*08b48e0bSAndroid Build Coastguard Worker     }
2246*08b48e0bSAndroid Build Coastguard Worker 
2247*08b48e0bSAndroid Build Coastguard Worker   }
2248*08b48e0bSAndroid Build Coastguard Worker 
2249*08b48e0bSAndroid Build Coastguard Worker   afl->argv = use_argv;
2250*08b48e0bSAndroid Build Coastguard Worker   afl->fsrv.trace_bits =
2251*08b48e0bSAndroid Build Coastguard Worker       afl_shm_init(&afl->shm, afl->fsrv.map_size, afl->non_instrumented_mode);
2252*08b48e0bSAndroid Build Coastguard Worker 
2253*08b48e0bSAndroid Build Coastguard Worker   if (!afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
2254*08b48e0bSAndroid Build Coastguard Worker       !afl->unicorn_mode && !afl->fsrv.frida_mode && !afl->fsrv.cs_mode &&
2255*08b48e0bSAndroid Build Coastguard Worker       !afl->afl_env.afl_skip_bin_check) {
2256*08b48e0bSAndroid Build Coastguard Worker 
2257*08b48e0bSAndroid Build Coastguard Worker     if (map_size <= DEFAULT_SHMEM_SIZE) {
2258*08b48e0bSAndroid Build Coastguard Worker 
2259*08b48e0bSAndroid Build Coastguard Worker       afl->fsrv.map_size = DEFAULT_SHMEM_SIZE;  // dummy temporary value
2260*08b48e0bSAndroid Build Coastguard Worker       char vbuf[16];
2261*08b48e0bSAndroid Build Coastguard Worker       snprintf(vbuf, sizeof(vbuf), "%u", DEFAULT_SHMEM_SIZE);
2262*08b48e0bSAndroid Build Coastguard Worker       setenv("AFL_MAP_SIZE", vbuf, 1);
2263*08b48e0bSAndroid Build Coastguard Worker 
2264*08b48e0bSAndroid Build Coastguard Worker     }
2265*08b48e0bSAndroid Build Coastguard Worker 
2266*08b48e0bSAndroid Build Coastguard Worker     u32 new_map_size = afl_fsrv_get_mapsize(
2267*08b48e0bSAndroid Build Coastguard Worker         &afl->fsrv, afl->argv, &afl->stop_soon, afl->afl_env.afl_debug_child);
2268*08b48e0bSAndroid Build Coastguard Worker 
2269*08b48e0bSAndroid Build Coastguard Worker     // only reinitialize if the map needs to be larger than what we have.
2270*08b48e0bSAndroid Build Coastguard Worker     if (map_size < new_map_size) {
2271*08b48e0bSAndroid Build Coastguard Worker 
2272*08b48e0bSAndroid Build Coastguard Worker       OKF("Re-initializing maps to %u bytes", new_map_size);
2273*08b48e0bSAndroid Build Coastguard Worker 
2274*08b48e0bSAndroid Build Coastguard Worker       u32 old_map_size = map_size;
2275*08b48e0bSAndroid Build Coastguard Worker       afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size);
2276*08b48e0bSAndroid Build Coastguard Worker       afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size);
2277*08b48e0bSAndroid Build Coastguard Worker       afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size);
2278*08b48e0bSAndroid Build Coastguard Worker       afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size);
2279*08b48e0bSAndroid Build Coastguard Worker       afl->top_rated =
2280*08b48e0bSAndroid Build Coastguard Worker           ck_realloc(afl->top_rated, new_map_size * sizeof(void *));
2281*08b48e0bSAndroid Build Coastguard Worker       afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size);
2282*08b48e0bSAndroid Build Coastguard Worker       afl->clean_trace_custom =
2283*08b48e0bSAndroid Build Coastguard Worker           ck_realloc(afl->clean_trace_custom, new_map_size);
2284*08b48e0bSAndroid Build Coastguard Worker       afl->first_trace = ck_realloc(afl->first_trace, new_map_size);
2285*08b48e0bSAndroid Build Coastguard Worker       afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size);
2286*08b48e0bSAndroid Build Coastguard Worker 
2287*08b48e0bSAndroid Build Coastguard Worker       if (old_map_size < new_map_size) {
2288*08b48e0bSAndroid Build Coastguard Worker 
2289*08b48e0bSAndroid Build Coastguard Worker         memset(afl->var_bytes + old_map_size, 0, new_map_size - old_map_size);
2290*08b48e0bSAndroid Build Coastguard Worker         memset(afl->top_rated + old_map_size, 0, new_map_size - old_map_size);
2291*08b48e0bSAndroid Build Coastguard Worker         memset(afl->clean_trace + old_map_size, 0, new_map_size - old_map_size);
2292*08b48e0bSAndroid Build Coastguard Worker         memset(afl->clean_trace_custom + old_map_size, 0,
2293*08b48e0bSAndroid Build Coastguard Worker                new_map_size - old_map_size);
2294*08b48e0bSAndroid Build Coastguard Worker         memset(afl->first_trace + old_map_size, 0, new_map_size - old_map_size);
2295*08b48e0bSAndroid Build Coastguard Worker         memset(afl->map_tmp_buf + old_map_size, 0, new_map_size - old_map_size);
2296*08b48e0bSAndroid Build Coastguard Worker 
2297*08b48e0bSAndroid Build Coastguard Worker       }
2298*08b48e0bSAndroid Build Coastguard Worker 
2299*08b48e0bSAndroid Build Coastguard Worker       afl_fsrv_kill(&afl->fsrv);
2300*08b48e0bSAndroid Build Coastguard Worker       afl_shm_deinit(&afl->shm);
2301*08b48e0bSAndroid Build Coastguard Worker       afl->fsrv.map_size = new_map_size;
2302*08b48e0bSAndroid Build Coastguard Worker       afl->fsrv.trace_bits =
2303*08b48e0bSAndroid Build Coastguard Worker           afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode);
2304*08b48e0bSAndroid Build Coastguard Worker       setenv("AFL_NO_AUTODICT", "1", 1);  // loaded already
2305*08b48e0bSAndroid Build Coastguard Worker       afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
2306*08b48e0bSAndroid Build Coastguard Worker                      afl->afl_env.afl_debug_child);
2307*08b48e0bSAndroid Build Coastguard Worker 
2308*08b48e0bSAndroid Build Coastguard Worker       map_size = new_map_size;
2309*08b48e0bSAndroid Build Coastguard Worker 
2310*08b48e0bSAndroid Build Coastguard Worker     }
2311*08b48e0bSAndroid Build Coastguard Worker 
2312*08b48e0bSAndroid Build Coastguard Worker   }
2313*08b48e0bSAndroid Build Coastguard Worker 
2314*08b48e0bSAndroid Build Coastguard Worker   if (afl->cmplog_binary) {
2315*08b48e0bSAndroid Build Coastguard Worker 
2316*08b48e0bSAndroid Build Coastguard Worker     ACTF("Spawning cmplog forkserver");
2317*08b48e0bSAndroid Build Coastguard Worker     afl_fsrv_init_dup(&afl->cmplog_fsrv, &afl->fsrv);
2318*08b48e0bSAndroid Build Coastguard Worker     // TODO: this is semi-nice
2319*08b48e0bSAndroid Build Coastguard Worker     afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits;
2320*08b48e0bSAndroid Build Coastguard Worker     afl->cmplog_fsrv.cs_mode = afl->fsrv.cs_mode;
2321*08b48e0bSAndroid Build Coastguard Worker     afl->cmplog_fsrv.qemu_mode = afl->fsrv.qemu_mode;
2322*08b48e0bSAndroid Build Coastguard Worker     afl->cmplog_fsrv.frida_mode = afl->fsrv.frida_mode;
2323*08b48e0bSAndroid Build Coastguard Worker     afl->cmplog_fsrv.cmplog_binary = afl->cmplog_binary;
2324*08b48e0bSAndroid Build Coastguard Worker     afl->cmplog_fsrv.target_path = afl->fsrv.target_path;
2325*08b48e0bSAndroid Build Coastguard Worker     afl->cmplog_fsrv.init_child_func = cmplog_exec_child;
2326*08b48e0bSAndroid Build Coastguard Worker 
2327*08b48e0bSAndroid Build Coastguard Worker     if ((map_size <= DEFAULT_SHMEM_SIZE ||
2328*08b48e0bSAndroid Build Coastguard Worker          afl->cmplog_fsrv.map_size < map_size) &&
2329*08b48e0bSAndroid Build Coastguard Worker         !afl->non_instrumented_mode && !afl->fsrv.qemu_mode &&
2330*08b48e0bSAndroid Build Coastguard Worker         !afl->fsrv.frida_mode && !afl->unicorn_mode && !afl->fsrv.cs_mode &&
2331*08b48e0bSAndroid Build Coastguard Worker         !afl->afl_env.afl_skip_bin_check) {
2332*08b48e0bSAndroid Build Coastguard Worker 
2333*08b48e0bSAndroid Build Coastguard Worker       afl->cmplog_fsrv.map_size = MAX(map_size, (u32)DEFAULT_SHMEM_SIZE);
2334*08b48e0bSAndroid Build Coastguard Worker       char vbuf[16];
2335*08b48e0bSAndroid Build Coastguard Worker       snprintf(vbuf, sizeof(vbuf), "%u", afl->cmplog_fsrv.map_size);
2336*08b48e0bSAndroid Build Coastguard Worker       setenv("AFL_MAP_SIZE", vbuf, 1);
2337*08b48e0bSAndroid Build Coastguard Worker 
2338*08b48e0bSAndroid Build Coastguard Worker     }
2339*08b48e0bSAndroid Build Coastguard Worker 
2340*08b48e0bSAndroid Build Coastguard Worker     u32 new_map_size =
2341*08b48e0bSAndroid Build Coastguard Worker         afl_fsrv_get_mapsize(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon,
2342*08b48e0bSAndroid Build Coastguard Worker                              afl->afl_env.afl_debug_child);
2343*08b48e0bSAndroid Build Coastguard Worker 
2344*08b48e0bSAndroid Build Coastguard Worker     // only reinitialize when it needs to be larger
2345*08b48e0bSAndroid Build Coastguard Worker     if (map_size < new_map_size) {
2346*08b48e0bSAndroid Build Coastguard Worker 
2347*08b48e0bSAndroid Build Coastguard Worker       OKF("Re-initializing maps to %u bytes due cmplog", new_map_size);
2348*08b48e0bSAndroid Build Coastguard Worker 
2349*08b48e0bSAndroid Build Coastguard Worker       u32 old_map_size = map_size;
2350*08b48e0bSAndroid Build Coastguard Worker       afl->virgin_bits = ck_realloc(afl->virgin_bits, new_map_size);
2351*08b48e0bSAndroid Build Coastguard Worker       afl->virgin_tmout = ck_realloc(afl->virgin_tmout, new_map_size);
2352*08b48e0bSAndroid Build Coastguard Worker       afl->virgin_crash = ck_realloc(afl->virgin_crash, new_map_size);
2353*08b48e0bSAndroid Build Coastguard Worker       afl->var_bytes = ck_realloc(afl->var_bytes, new_map_size);
2354*08b48e0bSAndroid Build Coastguard Worker       afl->top_rated =
2355*08b48e0bSAndroid Build Coastguard Worker           ck_realloc(afl->top_rated, new_map_size * sizeof(void *));
2356*08b48e0bSAndroid Build Coastguard Worker       afl->clean_trace = ck_realloc(afl->clean_trace, new_map_size);
2357*08b48e0bSAndroid Build Coastguard Worker       afl->clean_trace_custom =
2358*08b48e0bSAndroid Build Coastguard Worker           ck_realloc(afl->clean_trace_custom, new_map_size);
2359*08b48e0bSAndroid Build Coastguard Worker       afl->first_trace = ck_realloc(afl->first_trace, new_map_size);
2360*08b48e0bSAndroid Build Coastguard Worker       afl->map_tmp_buf = ck_realloc(afl->map_tmp_buf, new_map_size);
2361*08b48e0bSAndroid Build Coastguard Worker 
2362*08b48e0bSAndroid Build Coastguard Worker       if (old_map_size < new_map_size) {
2363*08b48e0bSAndroid Build Coastguard Worker 
2364*08b48e0bSAndroid Build Coastguard Worker         memset(afl->var_bytes + old_map_size, 0, new_map_size - old_map_size);
2365*08b48e0bSAndroid Build Coastguard Worker         memset(afl->top_rated + old_map_size, 0, new_map_size - old_map_size);
2366*08b48e0bSAndroid Build Coastguard Worker         memset(afl->clean_trace + old_map_size, 0, new_map_size - old_map_size);
2367*08b48e0bSAndroid Build Coastguard Worker         memset(afl->clean_trace_custom + old_map_size, 0,
2368*08b48e0bSAndroid Build Coastguard Worker                new_map_size - old_map_size);
2369*08b48e0bSAndroid Build Coastguard Worker         memset(afl->first_trace + old_map_size, 0, new_map_size - old_map_size);
2370*08b48e0bSAndroid Build Coastguard Worker         memset(afl->map_tmp_buf + old_map_size, 0, new_map_size - old_map_size);
2371*08b48e0bSAndroid Build Coastguard Worker 
2372*08b48e0bSAndroid Build Coastguard Worker       }
2373*08b48e0bSAndroid Build Coastguard Worker 
2374*08b48e0bSAndroid Build Coastguard Worker       afl_fsrv_kill(&afl->fsrv);
2375*08b48e0bSAndroid Build Coastguard Worker       afl_fsrv_kill(&afl->cmplog_fsrv);
2376*08b48e0bSAndroid Build Coastguard Worker       afl_shm_deinit(&afl->shm);
2377*08b48e0bSAndroid Build Coastguard Worker 
2378*08b48e0bSAndroid Build Coastguard Worker       afl->cmplog_fsrv.map_size = new_map_size;  // non-cmplog stays the same
2379*08b48e0bSAndroid Build Coastguard Worker       map_size = new_map_size;
2380*08b48e0bSAndroid Build Coastguard Worker 
2381*08b48e0bSAndroid Build Coastguard Worker       setenv("AFL_NO_AUTODICT", "1", 1);  // loaded already
2382*08b48e0bSAndroid Build Coastguard Worker       afl->fsrv.trace_bits =
2383*08b48e0bSAndroid Build Coastguard Worker           afl_shm_init(&afl->shm, new_map_size, afl->non_instrumented_mode);
2384*08b48e0bSAndroid Build Coastguard Worker       afl->cmplog_fsrv.trace_bits = afl->fsrv.trace_bits;
2385*08b48e0bSAndroid Build Coastguard Worker       afl_fsrv_start(&afl->fsrv, afl->argv, &afl->stop_soon,
2386*08b48e0bSAndroid Build Coastguard Worker                      afl->afl_env.afl_debug_child);
2387*08b48e0bSAndroid Build Coastguard Worker       afl_fsrv_start(&afl->cmplog_fsrv, afl->argv, &afl->stop_soon,
2388*08b48e0bSAndroid Build Coastguard Worker                      afl->afl_env.afl_debug_child);
2389*08b48e0bSAndroid Build Coastguard Worker 
2390*08b48e0bSAndroid Build Coastguard Worker     }
2391*08b48e0bSAndroid Build Coastguard Worker 
2392*08b48e0bSAndroid Build Coastguard Worker     OKF("Cmplog forkserver successfully started");
2393*08b48e0bSAndroid Build Coastguard Worker 
2394*08b48e0bSAndroid Build Coastguard Worker   }
2395*08b48e0bSAndroid Build Coastguard Worker 
2396*08b48e0bSAndroid Build Coastguard Worker   load_auto(afl);
2397*08b48e0bSAndroid Build Coastguard Worker 
2398*08b48e0bSAndroid Build Coastguard Worker   if (extras_dir_cnt) {
2399*08b48e0bSAndroid Build Coastguard Worker 
2400*08b48e0bSAndroid Build Coastguard Worker     for (u8 i = 0; i < extras_dir_cnt; i++) {
2401*08b48e0bSAndroid Build Coastguard Worker 
2402*08b48e0bSAndroid Build Coastguard Worker       load_extras(afl, extras_dir[i]);
2403*08b48e0bSAndroid Build Coastguard Worker 
2404*08b48e0bSAndroid Build Coastguard Worker     }
2405*08b48e0bSAndroid Build Coastguard Worker 
2406*08b48e0bSAndroid Build Coastguard Worker   }
2407*08b48e0bSAndroid Build Coastguard Worker 
2408*08b48e0bSAndroid Build Coastguard Worker   if (afl->fsrv.out_file && afl->fsrv.use_shmem_fuzz) {
2409*08b48e0bSAndroid Build Coastguard Worker 
2410*08b48e0bSAndroid Build Coastguard Worker     unlink(afl->fsrv.out_file);
2411*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.out_file = NULL;
2412*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.use_stdin = 0;
2413*08b48e0bSAndroid Build Coastguard Worker     close(afl->fsrv.out_fd);
2414*08b48e0bSAndroid Build Coastguard Worker     afl->fsrv.out_fd = -1;
2415*08b48e0bSAndroid Build Coastguard Worker 
2416*08b48e0bSAndroid Build Coastguard Worker     if (!afl->unicorn_mode && !afl->fsrv.use_stdin && !default_output) {
2417*08b48e0bSAndroid Build Coastguard Worker 
2418*08b48e0bSAndroid Build Coastguard Worker       WARNF(
2419*08b48e0bSAndroid Build Coastguard Worker           "You specified -f or @@ on the command line but the target harness "
2420*08b48e0bSAndroid Build Coastguard Worker           "specified fuzz cases via shmem, switching to shmem!");
2421*08b48e0bSAndroid Build Coastguard Worker 
2422*08b48e0bSAndroid Build Coastguard Worker     }
2423*08b48e0bSAndroid Build Coastguard Worker 
2424*08b48e0bSAndroid Build Coastguard Worker   }
2425*08b48e0bSAndroid Build Coastguard Worker 
2426*08b48e0bSAndroid Build Coastguard Worker   deunicode_extras(afl);
2427*08b48e0bSAndroid Build Coastguard Worker   dedup_extras(afl);
2428*08b48e0bSAndroid Build Coastguard Worker   if (afl->extras_cnt) { OKF("Loaded a total of %u extras.", afl->extras_cnt); }
2429*08b48e0bSAndroid Build Coastguard Worker 
2430*08b48e0bSAndroid Build Coastguard Worker   // after we have the correct bitmap size we can read the bitmap -B option
2431*08b48e0bSAndroid Build Coastguard Worker   // and set the virgin maps
2432*08b48e0bSAndroid Build Coastguard Worker   if (afl->in_bitmap) {
2433*08b48e0bSAndroid Build Coastguard Worker 
2434*08b48e0bSAndroid Build Coastguard Worker     read_bitmap(afl->in_bitmap, afl->virgin_bits, afl->fsrv.map_size);
2435*08b48e0bSAndroid Build Coastguard Worker 
2436*08b48e0bSAndroid Build Coastguard Worker   } else {
2437*08b48e0bSAndroid Build Coastguard Worker 
2438*08b48e0bSAndroid Build Coastguard Worker     memset(afl->virgin_bits, 255, map_size);
2439*08b48e0bSAndroid Build Coastguard Worker 
2440*08b48e0bSAndroid Build Coastguard Worker   }
2441*08b48e0bSAndroid Build Coastguard Worker 
2442*08b48e0bSAndroid Build Coastguard Worker   memset(afl->virgin_tmout, 255, map_size);
2443*08b48e0bSAndroid Build Coastguard Worker   memset(afl->virgin_crash, 255, map_size);
2444*08b48e0bSAndroid Build Coastguard Worker 
2445*08b48e0bSAndroid Build Coastguard Worker   if (likely(!afl->afl_env.afl_no_startup_calibration)) {
2446*08b48e0bSAndroid Build Coastguard Worker 
2447*08b48e0bSAndroid Build Coastguard Worker     perform_dry_run(afl);
2448*08b48e0bSAndroid Build Coastguard Worker 
2449*08b48e0bSAndroid Build Coastguard Worker   } else {
2450*08b48e0bSAndroid Build Coastguard Worker 
2451*08b48e0bSAndroid Build Coastguard Worker     ACTF("skipping initial seed calibration due option override!");
2452*08b48e0bSAndroid Build Coastguard Worker     usleep(1000);
2453*08b48e0bSAndroid Build Coastguard Worker 
2454*08b48e0bSAndroid Build Coastguard Worker   }
2455*08b48e0bSAndroid Build Coastguard Worker 
2456*08b48e0bSAndroid Build Coastguard Worker   if (afl->q_testcase_max_cache_entries) {
2457*08b48e0bSAndroid Build Coastguard Worker 
2458*08b48e0bSAndroid Build Coastguard Worker     afl->q_testcase_cache =
2459*08b48e0bSAndroid Build Coastguard Worker         ck_alloc(afl->q_testcase_max_cache_entries * sizeof(size_t));
2460*08b48e0bSAndroid Build Coastguard Worker     if (!afl->q_testcase_cache) { PFATAL("malloc failed for cache entries"); }
2461*08b48e0bSAndroid Build Coastguard Worker 
2462*08b48e0bSAndroid Build Coastguard Worker   }
2463*08b48e0bSAndroid Build Coastguard Worker 
2464*08b48e0bSAndroid Build Coastguard Worker   cull_queue(afl);
2465*08b48e0bSAndroid Build Coastguard Worker 
2466*08b48e0bSAndroid Build Coastguard Worker   // ensure we have at least one seed that is not disabled.
2467*08b48e0bSAndroid Build Coastguard Worker   u32 entry, valid_seeds = 0;
2468*08b48e0bSAndroid Build Coastguard Worker   for (entry = 0; entry < afl->queued_items; ++entry)
2469*08b48e0bSAndroid Build Coastguard Worker     if (!afl->queue_buf[entry]->disabled) { ++valid_seeds; }
2470*08b48e0bSAndroid Build Coastguard Worker 
2471*08b48e0bSAndroid Build Coastguard Worker   if (!afl->pending_not_fuzzed || !valid_seeds) {
2472*08b48e0bSAndroid Build Coastguard Worker 
2473*08b48e0bSAndroid Build Coastguard Worker     FATAL("We need at least one valid input seed that does not crash!");
2474*08b48e0bSAndroid Build Coastguard Worker 
2475*08b48e0bSAndroid Build Coastguard Worker   }
2476*08b48e0bSAndroid Build Coastguard Worker 
2477*08b48e0bSAndroid Build Coastguard Worker   if (afl->timeout_given == 2) {  // -t ...+ option
2478*08b48e0bSAndroid Build Coastguard Worker 
2479*08b48e0bSAndroid Build Coastguard Worker     if (valid_seeds == 1) {
2480*08b48e0bSAndroid Build Coastguard Worker 
2481*08b48e0bSAndroid Build Coastguard Worker       WARNF(
2482*08b48e0bSAndroid Build Coastguard Worker           "Only one valid seed is present, auto-calculating the timeout is "
2483*08b48e0bSAndroid Build Coastguard Worker           "disabled!");
2484*08b48e0bSAndroid Build Coastguard Worker       afl->timeout_given = 1;
2485*08b48e0bSAndroid Build Coastguard Worker 
2486*08b48e0bSAndroid Build Coastguard Worker     } else {
2487*08b48e0bSAndroid Build Coastguard Worker 
2488*08b48e0bSAndroid Build Coastguard Worker       u64 max_ms = 0;
2489*08b48e0bSAndroid Build Coastguard Worker 
2490*08b48e0bSAndroid Build Coastguard Worker       for (entry = 0; entry < afl->queued_items; ++entry)
2491*08b48e0bSAndroid Build Coastguard Worker         if (!afl->queue_buf[entry]->disabled)
2492*08b48e0bSAndroid Build Coastguard Worker           if (afl->queue_buf[entry]->exec_us > max_ms)
2493*08b48e0bSAndroid Build Coastguard Worker             max_ms = afl->queue_buf[entry]->exec_us;
2494*08b48e0bSAndroid Build Coastguard Worker 
2495*08b48e0bSAndroid Build Coastguard Worker       afl->fsrv.exec_tmout = max_ms;
2496*08b48e0bSAndroid Build Coastguard Worker       afl->timeout_given = 1;
2497*08b48e0bSAndroid Build Coastguard Worker 
2498*08b48e0bSAndroid Build Coastguard Worker     }
2499*08b48e0bSAndroid Build Coastguard Worker 
2500*08b48e0bSAndroid Build Coastguard Worker   }
2501*08b48e0bSAndroid Build Coastguard Worker 
2502*08b48e0bSAndroid Build Coastguard Worker   show_init_stats(afl);
2503*08b48e0bSAndroid Build Coastguard Worker 
2504*08b48e0bSAndroid Build Coastguard Worker   if (unlikely(afl->old_seed_selection)) seek_to = find_start_position(afl);
2505*08b48e0bSAndroid Build Coastguard Worker 
2506*08b48e0bSAndroid Build Coastguard Worker   afl->start_time = get_cur_time();
2507*08b48e0bSAndroid Build Coastguard Worker   if (afl->in_place_resume || afl->afl_env.afl_autoresume) {
2508*08b48e0bSAndroid Build Coastguard Worker 
2509*08b48e0bSAndroid Build Coastguard Worker     load_stats_file(afl);
2510*08b48e0bSAndroid Build Coastguard Worker 
2511*08b48e0bSAndroid Build Coastguard Worker   }
2512*08b48e0bSAndroid Build Coastguard Worker 
2513*08b48e0bSAndroid Build Coastguard Worker   if (!afl->non_instrumented_mode) { write_stats_file(afl, 0, 0, 0, 0); }
2514*08b48e0bSAndroid Build Coastguard Worker   maybe_update_plot_file(afl, 0, 0, 0);
2515*08b48e0bSAndroid Build Coastguard Worker   save_auto(afl);
2516*08b48e0bSAndroid Build Coastguard Worker 
2517*08b48e0bSAndroid Build Coastguard Worker   if (afl->stop_soon) { goto stop_fuzzing; }
2518*08b48e0bSAndroid Build Coastguard Worker 
2519*08b48e0bSAndroid Build Coastguard Worker   /* Woop woop woop */
2520*08b48e0bSAndroid Build Coastguard Worker 
2521*08b48e0bSAndroid Build Coastguard Worker   if (!afl->not_on_tty) {
2522*08b48e0bSAndroid Build Coastguard Worker 
2523*08b48e0bSAndroid Build Coastguard Worker     sleep(1);
2524*08b48e0bSAndroid Build Coastguard Worker     if (afl->stop_soon) { goto stop_fuzzing; }
2525*08b48e0bSAndroid Build Coastguard Worker 
2526*08b48e0bSAndroid Build Coastguard Worker   }
2527*08b48e0bSAndroid Build Coastguard Worker 
2528*08b48e0bSAndroid Build Coastguard Worker   // (void)nice(-20);  // does not improve the speed
2529*08b48e0bSAndroid Build Coastguard Worker   // real start time, we reset, so this works correctly with -V
2530*08b48e0bSAndroid Build Coastguard Worker   afl->start_time = get_cur_time();
2531*08b48e0bSAndroid Build Coastguard Worker 
2532*08b48e0bSAndroid Build Coastguard Worker   #ifdef INTROSPECTION
2533*08b48e0bSAndroid Build Coastguard Worker   u32 prev_saved_crashes = 0, prev_saved_tmouts = 0;
2534*08b48e0bSAndroid Build Coastguard Worker   #endif
2535*08b48e0bSAndroid Build Coastguard Worker   u32 prev_queued_items = 0, runs_in_current_cycle = (u32)-1;
2536*08b48e0bSAndroid Build Coastguard Worker   u8  skipped_fuzz;
2537*08b48e0bSAndroid Build Coastguard Worker 
2538*08b48e0bSAndroid Build Coastguard Worker   #ifdef INTROSPECTION
2539*08b48e0bSAndroid Build Coastguard Worker   char ifn[4096];
2540*08b48e0bSAndroid Build Coastguard Worker   snprintf(ifn, sizeof(ifn), "%s/introspection.txt", afl->out_dir);
2541*08b48e0bSAndroid Build Coastguard Worker   if ((afl->introspection_file = fopen(ifn, "w")) == NULL) {
2542*08b48e0bSAndroid Build Coastguard Worker 
2543*08b48e0bSAndroid Build Coastguard Worker     PFATAL("could not create '%s'", ifn);
2544*08b48e0bSAndroid Build Coastguard Worker 
2545*08b48e0bSAndroid Build Coastguard Worker   }
2546*08b48e0bSAndroid Build Coastguard Worker 
2547*08b48e0bSAndroid Build Coastguard Worker   setvbuf(afl->introspection_file, NULL, _IONBF, 0);
2548*08b48e0bSAndroid Build Coastguard Worker   OKF("Writing mutation introspection to '%s'", ifn);
2549*08b48e0bSAndroid Build Coastguard Worker   #endif
2550*08b48e0bSAndroid Build Coastguard Worker 
2551*08b48e0bSAndroid Build Coastguard Worker   while (likely(!afl->stop_soon)) {
2552*08b48e0bSAndroid Build Coastguard Worker 
2553*08b48e0bSAndroid Build Coastguard Worker     cull_queue(afl);
2554*08b48e0bSAndroid Build Coastguard Worker 
2555*08b48e0bSAndroid Build Coastguard Worker     if (unlikely((!afl->old_seed_selection &&
2556*08b48e0bSAndroid Build Coastguard Worker                   runs_in_current_cycle > afl->queued_items) ||
2557*08b48e0bSAndroid Build Coastguard Worker                  (afl->old_seed_selection && !afl->queue_cur))) {
2558*08b48e0bSAndroid Build Coastguard Worker 
2559*08b48e0bSAndroid Build Coastguard Worker       if (unlikely((afl->last_sync_cycle < afl->queue_cycle ||
2560*08b48e0bSAndroid Build Coastguard Worker                     (!afl->queue_cycle && afl->afl_env.afl_import_first)) &&
2561*08b48e0bSAndroid Build Coastguard Worker                    afl->sync_id)) {
2562*08b48e0bSAndroid Build Coastguard Worker 
2563*08b48e0bSAndroid Build Coastguard Worker         if (!afl->queue_cycle && afl->afl_env.afl_import_first) {
2564*08b48e0bSAndroid Build Coastguard Worker 
2565*08b48e0bSAndroid Build Coastguard Worker           OKF("Syncing queues from other fuzzer instances first ...");
2566*08b48e0bSAndroid Build Coastguard Worker 
2567*08b48e0bSAndroid Build Coastguard Worker         }
2568*08b48e0bSAndroid Build Coastguard Worker 
2569*08b48e0bSAndroid Build Coastguard Worker         sync_fuzzers(afl);
2570*08b48e0bSAndroid Build Coastguard Worker 
2571*08b48e0bSAndroid Build Coastguard Worker       }
2572*08b48e0bSAndroid Build Coastguard Worker 
2573*08b48e0bSAndroid Build Coastguard Worker       ++afl->queue_cycle;
2574*08b48e0bSAndroid Build Coastguard Worker       runs_in_current_cycle = (u32)-1;
2575*08b48e0bSAndroid Build Coastguard Worker       afl->cur_skipped_items = 0;
2576*08b48e0bSAndroid Build Coastguard Worker 
2577*08b48e0bSAndroid Build Coastguard Worker       // 1st april fool joke - enable pizza mode
2578*08b48e0bSAndroid Build Coastguard Worker       // to not waste time on checking the date we only do this when the
2579*08b48e0bSAndroid Build Coastguard Worker       // queue is fully cycled.
2580*08b48e0bSAndroid Build Coastguard Worker       time_t     cursec = time(NULL);
2581*08b48e0bSAndroid Build Coastguard Worker       struct tm *curdate = localtime(&cursec);
2582*08b48e0bSAndroid Build Coastguard Worker       if (likely(!afl->afl_env.afl_pizza_mode)) {
2583*08b48e0bSAndroid Build Coastguard Worker 
2584*08b48e0bSAndroid Build Coastguard Worker         if (unlikely(curdate->tm_mon == 3 && curdate->tm_mday == 1)) {
2585*08b48e0bSAndroid Build Coastguard Worker 
2586*08b48e0bSAndroid Build Coastguard Worker           afl->pizza_is_served = 1;
2587*08b48e0bSAndroid Build Coastguard Worker 
2588*08b48e0bSAndroid Build Coastguard Worker         } else {
2589*08b48e0bSAndroid Build Coastguard Worker 
2590*08b48e0bSAndroid Build Coastguard Worker           afl->pizza_is_served = 0;
2591*08b48e0bSAndroid Build Coastguard Worker 
2592*08b48e0bSAndroid Build Coastguard Worker         }
2593*08b48e0bSAndroid Build Coastguard Worker 
2594*08b48e0bSAndroid Build Coastguard Worker       }
2595*08b48e0bSAndroid Build Coastguard Worker 
2596*08b48e0bSAndroid Build Coastguard Worker       if (unlikely(afl->old_seed_selection)) {
2597*08b48e0bSAndroid Build Coastguard Worker 
2598*08b48e0bSAndroid Build Coastguard Worker         afl->current_entry = 0;
2599*08b48e0bSAndroid Build Coastguard Worker         while (unlikely(afl->current_entry < afl->queued_items &&
2600*08b48e0bSAndroid Build Coastguard Worker                         afl->queue_buf[afl->current_entry]->disabled)) {
2601*08b48e0bSAndroid Build Coastguard Worker 
2602*08b48e0bSAndroid Build Coastguard Worker           ++afl->current_entry;
2603*08b48e0bSAndroid Build Coastguard Worker 
2604*08b48e0bSAndroid Build Coastguard Worker         }
2605*08b48e0bSAndroid Build Coastguard Worker 
2606*08b48e0bSAndroid Build Coastguard Worker         if (afl->current_entry >= afl->queued_items) { afl->current_entry = 0; }
2607*08b48e0bSAndroid Build Coastguard Worker 
2608*08b48e0bSAndroid Build Coastguard Worker         afl->queue_cur = afl->queue_buf[afl->current_entry];
2609*08b48e0bSAndroid Build Coastguard Worker 
2610*08b48e0bSAndroid Build Coastguard Worker         if (unlikely(seek_to)) {
2611*08b48e0bSAndroid Build Coastguard Worker 
2612*08b48e0bSAndroid Build Coastguard Worker           if (unlikely(seek_to >= afl->queued_items)) {
2613*08b48e0bSAndroid Build Coastguard Worker 
2614*08b48e0bSAndroid Build Coastguard Worker             // This should never happen.
2615*08b48e0bSAndroid Build Coastguard Worker             FATAL("BUG: seek_to location out of bounds!\n");
2616*08b48e0bSAndroid Build Coastguard Worker 
2617*08b48e0bSAndroid Build Coastguard Worker           }
2618*08b48e0bSAndroid Build Coastguard Worker 
2619*08b48e0bSAndroid Build Coastguard Worker           afl->current_entry = seek_to;
2620*08b48e0bSAndroid Build Coastguard Worker           afl->queue_cur = afl->queue_buf[seek_to];
2621*08b48e0bSAndroid Build Coastguard Worker           seek_to = 0;
2622*08b48e0bSAndroid Build Coastguard Worker 
2623*08b48e0bSAndroid Build Coastguard Worker         }
2624*08b48e0bSAndroid Build Coastguard Worker 
2625*08b48e0bSAndroid Build Coastguard Worker       }
2626*08b48e0bSAndroid Build Coastguard Worker 
2627*08b48e0bSAndroid Build Coastguard Worker       if (unlikely(afl->not_on_tty)) {
2628*08b48e0bSAndroid Build Coastguard Worker 
2629*08b48e0bSAndroid Build Coastguard Worker         ACTF("Entering queue cycle %llu.", afl->queue_cycle);
2630*08b48e0bSAndroid Build Coastguard Worker         fflush(stdout);
2631*08b48e0bSAndroid Build Coastguard Worker 
2632*08b48e0bSAndroid Build Coastguard Worker       }
2633*08b48e0bSAndroid Build Coastguard Worker 
2634*08b48e0bSAndroid Build Coastguard Worker       /* If we had a full queue cycle with no new finds, try
2635*08b48e0bSAndroid Build Coastguard Worker          recombination strategies next. */
2636*08b48e0bSAndroid Build Coastguard Worker 
2637*08b48e0bSAndroid Build Coastguard Worker       if (unlikely(afl->queued_items == prev_queued
2638*08b48e0bSAndroid Build Coastguard Worker                    /* FIXME TODO BUG: && (get_cur_time() - afl->start_time) >=
2639*08b48e0bSAndroid Build Coastguard Worker                       3600 */
2640*08b48e0bSAndroid Build Coastguard Worker                    )) {
2641*08b48e0bSAndroid Build Coastguard Worker 
2642*08b48e0bSAndroid Build Coastguard Worker         if (afl->use_splicing) {
2643*08b48e0bSAndroid Build Coastguard Worker 
2644*08b48e0bSAndroid Build Coastguard Worker           ++afl->cycles_wo_finds;
2645*08b48e0bSAndroid Build Coastguard Worker 
2646*08b48e0bSAndroid Build Coastguard Worker           if (unlikely(afl->shm.cmplog_mode &&
2647*08b48e0bSAndroid Build Coastguard Worker                        afl->cmplog_max_filesize < MAX_FILE)) {
2648*08b48e0bSAndroid Build Coastguard Worker 
2649*08b48e0bSAndroid Build Coastguard Worker             afl->cmplog_max_filesize <<= 4;
2650*08b48e0bSAndroid Build Coastguard Worker 
2651*08b48e0bSAndroid Build Coastguard Worker           }
2652*08b48e0bSAndroid Build Coastguard Worker 
2653*08b48e0bSAndroid Build Coastguard Worker           switch (afl->expand_havoc) {
2654*08b48e0bSAndroid Build Coastguard Worker 
2655*08b48e0bSAndroid Build Coastguard Worker             case 0:
2656*08b48e0bSAndroid Build Coastguard Worker               // this adds extra splicing mutation options to havoc mode
2657*08b48e0bSAndroid Build Coastguard Worker               afl->expand_havoc = 1;
2658*08b48e0bSAndroid Build Coastguard Worker               break;
2659*08b48e0bSAndroid Build Coastguard Worker             case 1:
2660*08b48e0bSAndroid Build Coastguard Worker               // add MOpt mutator
2661*08b48e0bSAndroid Build Coastguard Worker               /*
2662*08b48e0bSAndroid Build Coastguard Worker               if (afl->limit_time_sig == 0 && !afl->custom_only &&
2663*08b48e0bSAndroid Build Coastguard Worker                   !afl->python_only) {
2664*08b48e0bSAndroid Build Coastguard Worker 
2665*08b48e0bSAndroid Build Coastguard Worker                 afl->limit_time_sig = -1;
2666*08b48e0bSAndroid Build Coastguard Worker                 afl->limit_time_puppet = 0;
2667*08b48e0bSAndroid Build Coastguard Worker 
2668*08b48e0bSAndroid Build Coastguard Worker               }
2669*08b48e0bSAndroid Build Coastguard Worker 
2670*08b48e0bSAndroid Build Coastguard Worker               */
2671*08b48e0bSAndroid Build Coastguard Worker               afl->expand_havoc = 2;
2672*08b48e0bSAndroid Build Coastguard Worker               if (afl->cmplog_lvl && afl->cmplog_lvl < 2) afl->cmplog_lvl = 2;
2673*08b48e0bSAndroid Build Coastguard Worker               break;
2674*08b48e0bSAndroid Build Coastguard Worker             case 2:
2675*08b48e0bSAndroid Build Coastguard Worker               // increase havoc mutations per fuzz attempt
2676*08b48e0bSAndroid Build Coastguard Worker               afl->havoc_stack_pow2++;
2677*08b48e0bSAndroid Build Coastguard Worker               afl->expand_havoc = 3;
2678*08b48e0bSAndroid Build Coastguard Worker               break;
2679*08b48e0bSAndroid Build Coastguard Worker             case 3:
2680*08b48e0bSAndroid Build Coastguard Worker               // further increase havoc mutations per fuzz attempt
2681*08b48e0bSAndroid Build Coastguard Worker               afl->havoc_stack_pow2++;
2682*08b48e0bSAndroid Build Coastguard Worker               afl->expand_havoc = 4;
2683*08b48e0bSAndroid Build Coastguard Worker               break;
2684*08b48e0bSAndroid Build Coastguard Worker             case 4:
2685*08b48e0bSAndroid Build Coastguard Worker               afl->expand_havoc = 5;
2686*08b48e0bSAndroid Build Coastguard Worker               // if (afl->cmplog_lvl && afl->cmplog_lvl < 3) afl->cmplog_lvl =
2687*08b48e0bSAndroid Build Coastguard Worker               // 3;
2688*08b48e0bSAndroid Build Coastguard Worker               break;
2689*08b48e0bSAndroid Build Coastguard Worker             case 5:
2690*08b48e0bSAndroid Build Coastguard Worker               // nothing else currently
2691*08b48e0bSAndroid Build Coastguard Worker               break;
2692*08b48e0bSAndroid Build Coastguard Worker 
2693*08b48e0bSAndroid Build Coastguard Worker           }
2694*08b48e0bSAndroid Build Coastguard Worker 
2695*08b48e0bSAndroid Build Coastguard Worker         } else {
2696*08b48e0bSAndroid Build Coastguard Worker 
2697*08b48e0bSAndroid Build Coastguard Worker   #ifndef NO_SPLICING
2698*08b48e0bSAndroid Build Coastguard Worker           afl->use_splicing = 1;
2699*08b48e0bSAndroid Build Coastguard Worker   #else
2700*08b48e0bSAndroid Build Coastguard Worker           afl->use_splicing = 0;
2701*08b48e0bSAndroid Build Coastguard Worker   #endif
2702*08b48e0bSAndroid Build Coastguard Worker 
2703*08b48e0bSAndroid Build Coastguard Worker         }
2704*08b48e0bSAndroid Build Coastguard Worker 
2705*08b48e0bSAndroid Build Coastguard Worker       } else {
2706*08b48e0bSAndroid Build Coastguard Worker 
2707*08b48e0bSAndroid Build Coastguard Worker         afl->cycles_wo_finds = 0;
2708*08b48e0bSAndroid Build Coastguard Worker 
2709*08b48e0bSAndroid Build Coastguard Worker       }
2710*08b48e0bSAndroid Build Coastguard Worker 
2711*08b48e0bSAndroid Build Coastguard Worker   #ifdef INTROSPECTION
2712*08b48e0bSAndroid Build Coastguard Worker       {
2713*08b48e0bSAndroid Build Coastguard Worker 
2714*08b48e0bSAndroid Build Coastguard Worker         u64 cur_time = get_cur_time();
2715*08b48e0bSAndroid Build Coastguard Worker         fprintf(afl->introspection_file,
2716*08b48e0bSAndroid Build Coastguard Worker                 "CYCLE cycle=%llu cycle_wo_finds=%llu time_wo_finds=%llu "
2717*08b48e0bSAndroid Build Coastguard Worker                 "expand_havoc=%u queue=%u\n",
2718*08b48e0bSAndroid Build Coastguard Worker                 afl->queue_cycle, afl->cycles_wo_finds,
2719*08b48e0bSAndroid Build Coastguard Worker                 afl->longest_find_time > cur_time - afl->last_find_time
2720*08b48e0bSAndroid Build Coastguard Worker                     ? afl->longest_find_time / 1000
2721*08b48e0bSAndroid Build Coastguard Worker                     : ((afl->start_time == 0 || afl->last_find_time == 0)
2722*08b48e0bSAndroid Build Coastguard Worker                            ? 0
2723*08b48e0bSAndroid Build Coastguard Worker                            : (cur_time - afl->last_find_time) / 1000),
2724*08b48e0bSAndroid Build Coastguard Worker                 afl->expand_havoc, afl->queued_items);
2725*08b48e0bSAndroid Build Coastguard Worker 
2726*08b48e0bSAndroid Build Coastguard Worker       }
2727*08b48e0bSAndroid Build Coastguard Worker 
2728*08b48e0bSAndroid Build Coastguard Worker   #endif
2729*08b48e0bSAndroid Build Coastguard Worker 
2730*08b48e0bSAndroid Build Coastguard Worker       if (afl->cycle_schedules) {
2731*08b48e0bSAndroid Build Coastguard Worker 
2732*08b48e0bSAndroid Build Coastguard Worker         /* we cannot mix non-AFLfast schedules with others */
2733*08b48e0bSAndroid Build Coastguard Worker 
2734*08b48e0bSAndroid Build Coastguard Worker         switch (afl->schedule) {
2735*08b48e0bSAndroid Build Coastguard Worker 
2736*08b48e0bSAndroid Build Coastguard Worker           case EXPLORE:
2737*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = EXPLOIT;
2738*08b48e0bSAndroid Build Coastguard Worker             break;
2739*08b48e0bSAndroid Build Coastguard Worker           case EXPLOIT:
2740*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = MMOPT;
2741*08b48e0bSAndroid Build Coastguard Worker             break;
2742*08b48e0bSAndroid Build Coastguard Worker           case MMOPT:
2743*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = SEEK;
2744*08b48e0bSAndroid Build Coastguard Worker             break;
2745*08b48e0bSAndroid Build Coastguard Worker           case SEEK:
2746*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = EXPLORE;
2747*08b48e0bSAndroid Build Coastguard Worker             break;
2748*08b48e0bSAndroid Build Coastguard Worker           case FAST:
2749*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = COE;
2750*08b48e0bSAndroid Build Coastguard Worker             break;
2751*08b48e0bSAndroid Build Coastguard Worker           case COE:
2752*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = LIN;
2753*08b48e0bSAndroid Build Coastguard Worker             break;
2754*08b48e0bSAndroid Build Coastguard Worker           case LIN:
2755*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = QUAD;
2756*08b48e0bSAndroid Build Coastguard Worker             break;
2757*08b48e0bSAndroid Build Coastguard Worker           case QUAD:
2758*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = RARE;
2759*08b48e0bSAndroid Build Coastguard Worker             break;
2760*08b48e0bSAndroid Build Coastguard Worker           case RARE:
2761*08b48e0bSAndroid Build Coastguard Worker             afl->schedule = FAST;
2762*08b48e0bSAndroid Build Coastguard Worker             break;
2763*08b48e0bSAndroid Build Coastguard Worker 
2764*08b48e0bSAndroid Build Coastguard Worker         }
2765*08b48e0bSAndroid Build Coastguard Worker 
2766*08b48e0bSAndroid Build Coastguard Worker         // we must recalculate the scores of all queue entries
2767*08b48e0bSAndroid Build Coastguard Worker         for (u32 i = 0; i < afl->queued_items; i++) {
2768*08b48e0bSAndroid Build Coastguard Worker 
2769*08b48e0bSAndroid Build Coastguard Worker           if (likely(!afl->queue_buf[i]->disabled)) {
2770*08b48e0bSAndroid Build Coastguard Worker 
2771*08b48e0bSAndroid Build Coastguard Worker             update_bitmap_score(afl, afl->queue_buf[i]);
2772*08b48e0bSAndroid Build Coastguard Worker 
2773*08b48e0bSAndroid Build Coastguard Worker           }
2774*08b48e0bSAndroid Build Coastguard Worker 
2775*08b48e0bSAndroid Build Coastguard Worker         }
2776*08b48e0bSAndroid Build Coastguard Worker 
2777*08b48e0bSAndroid Build Coastguard Worker       }
2778*08b48e0bSAndroid Build Coastguard Worker 
2779*08b48e0bSAndroid Build Coastguard Worker       prev_queued = afl->queued_items;
2780*08b48e0bSAndroid Build Coastguard Worker 
2781*08b48e0bSAndroid Build Coastguard Worker     }
2782*08b48e0bSAndroid Build Coastguard Worker 
2783*08b48e0bSAndroid Build Coastguard Worker     ++runs_in_current_cycle;
2784*08b48e0bSAndroid Build Coastguard Worker 
2785*08b48e0bSAndroid Build Coastguard Worker     do {
2786*08b48e0bSAndroid Build Coastguard Worker 
2787*08b48e0bSAndroid Build Coastguard Worker       if (likely(!afl->old_seed_selection)) {
2788*08b48e0bSAndroid Build Coastguard Worker 
2789*08b48e0bSAndroid Build Coastguard Worker         if (likely(afl->pending_favored && afl->smallest_favored >= 0)) {
2790*08b48e0bSAndroid Build Coastguard Worker 
2791*08b48e0bSAndroid Build Coastguard Worker           afl->current_entry = afl->smallest_favored;
2792*08b48e0bSAndroid Build Coastguard Worker 
2793*08b48e0bSAndroid Build Coastguard Worker           /*
2794*08b48e0bSAndroid Build Coastguard Worker 
2795*08b48e0bSAndroid Build Coastguard Worker                     } else {
2796*08b48e0bSAndroid Build Coastguard Worker 
2797*08b48e0bSAndroid Build Coastguard Worker                       for (s32 iter = afl->queued_items - 1; iter >= 0; --iter)
2798*08b48e0bSAndroid Build Coastguard Worker              {
2799*08b48e0bSAndroid Build Coastguard Worker 
2800*08b48e0bSAndroid Build Coastguard Worker                         if (unlikely(afl->queue_buf[iter]->favored &&
2801*08b48e0bSAndroid Build Coastguard Worker                                      !afl->queue_buf[iter]->was_fuzzed)) {
2802*08b48e0bSAndroid Build Coastguard Worker 
2803*08b48e0bSAndroid Build Coastguard Worker                           afl->current_entry = iter;
2804*08b48e0bSAndroid Build Coastguard Worker                           break;
2805*08b48e0bSAndroid Build Coastguard Worker 
2806*08b48e0bSAndroid Build Coastguard Worker                         }
2807*08b48e0bSAndroid Build Coastguard Worker 
2808*08b48e0bSAndroid Build Coastguard Worker                       }
2809*08b48e0bSAndroid Build Coastguard Worker 
2810*08b48e0bSAndroid Build Coastguard Worker           */
2811*08b48e0bSAndroid Build Coastguard Worker 
2812*08b48e0bSAndroid Build Coastguard Worker           afl->queue_cur = afl->queue_buf[afl->current_entry];
2813*08b48e0bSAndroid Build Coastguard Worker 
2814*08b48e0bSAndroid Build Coastguard Worker         } else {
2815*08b48e0bSAndroid Build Coastguard Worker 
2816*08b48e0bSAndroid Build Coastguard Worker           if (unlikely(prev_queued_items < afl->queued_items ||
2817*08b48e0bSAndroid Build Coastguard Worker                        afl->reinit_table)) {
2818*08b48e0bSAndroid Build Coastguard Worker 
2819*08b48e0bSAndroid Build Coastguard Worker             // we have new queue entries since the last run, recreate alias
2820*08b48e0bSAndroid Build Coastguard Worker             // table
2821*08b48e0bSAndroid Build Coastguard Worker             prev_queued_items = afl->queued_items;
2822*08b48e0bSAndroid Build Coastguard Worker             create_alias_table(afl);
2823*08b48e0bSAndroid Build Coastguard Worker 
2824*08b48e0bSAndroid Build Coastguard Worker           }
2825*08b48e0bSAndroid Build Coastguard Worker 
2826*08b48e0bSAndroid Build Coastguard Worker           do {
2827*08b48e0bSAndroid Build Coastguard Worker 
2828*08b48e0bSAndroid Build Coastguard Worker             afl->current_entry = select_next_queue_entry(afl);
2829*08b48e0bSAndroid Build Coastguard Worker 
2830*08b48e0bSAndroid Build Coastguard Worker           } while (unlikely(afl->current_entry >= afl->queued_items));
2831*08b48e0bSAndroid Build Coastguard Worker 
2832*08b48e0bSAndroid Build Coastguard Worker           afl->queue_cur = afl->queue_buf[afl->current_entry];
2833*08b48e0bSAndroid Build Coastguard Worker 
2834*08b48e0bSAndroid Build Coastguard Worker         }
2835*08b48e0bSAndroid Build Coastguard Worker 
2836*08b48e0bSAndroid Build Coastguard Worker       }
2837*08b48e0bSAndroid Build Coastguard Worker 
2838*08b48e0bSAndroid Build Coastguard Worker       skipped_fuzz = fuzz_one(afl);
2839*08b48e0bSAndroid Build Coastguard Worker   #ifdef INTROSPECTION
2840*08b48e0bSAndroid Build Coastguard Worker       ++afl->queue_cur->stats_selected;
2841*08b48e0bSAndroid Build Coastguard Worker 
2842*08b48e0bSAndroid Build Coastguard Worker       if (unlikely(skipped_fuzz)) {
2843*08b48e0bSAndroid Build Coastguard Worker 
2844*08b48e0bSAndroid Build Coastguard Worker         ++afl->queue_cur->stats_skipped;
2845*08b48e0bSAndroid Build Coastguard Worker 
2846*08b48e0bSAndroid Build Coastguard Worker       } else {
2847*08b48e0bSAndroid Build Coastguard Worker 
2848*08b48e0bSAndroid Build Coastguard Worker         if (unlikely(afl->queued_items > prev_queued_items)) {
2849*08b48e0bSAndroid Build Coastguard Worker 
2850*08b48e0bSAndroid Build Coastguard Worker           afl->queue_cur->stats_finds += afl->queued_items - prev_queued_items;
2851*08b48e0bSAndroid Build Coastguard Worker           prev_queued_items = afl->queued_items;
2852*08b48e0bSAndroid Build Coastguard Worker 
2853*08b48e0bSAndroid Build Coastguard Worker         }
2854*08b48e0bSAndroid Build Coastguard Worker 
2855*08b48e0bSAndroid Build Coastguard Worker         if (unlikely(afl->saved_crashes > prev_saved_crashes)) {
2856*08b48e0bSAndroid Build Coastguard Worker 
2857*08b48e0bSAndroid Build Coastguard Worker           afl->queue_cur->stats_crashes +=
2858*08b48e0bSAndroid Build Coastguard Worker               afl->saved_crashes - prev_saved_crashes;
2859*08b48e0bSAndroid Build Coastguard Worker           prev_saved_crashes = afl->saved_crashes;
2860*08b48e0bSAndroid Build Coastguard Worker 
2861*08b48e0bSAndroid Build Coastguard Worker         }
2862*08b48e0bSAndroid Build Coastguard Worker 
2863*08b48e0bSAndroid Build Coastguard Worker         if (unlikely(afl->saved_tmouts > prev_saved_tmouts)) {
2864*08b48e0bSAndroid Build Coastguard Worker 
2865*08b48e0bSAndroid Build Coastguard Worker           afl->queue_cur->stats_tmouts += afl->saved_tmouts - prev_saved_tmouts;
2866*08b48e0bSAndroid Build Coastguard Worker           prev_saved_tmouts = afl->saved_tmouts;
2867*08b48e0bSAndroid Build Coastguard Worker 
2868*08b48e0bSAndroid Build Coastguard Worker         }
2869*08b48e0bSAndroid Build Coastguard Worker 
2870*08b48e0bSAndroid Build Coastguard Worker       }
2871*08b48e0bSAndroid Build Coastguard Worker 
2872*08b48e0bSAndroid Build Coastguard Worker   #endif
2873*08b48e0bSAndroid Build Coastguard Worker 
2874*08b48e0bSAndroid Build Coastguard Worker       if (unlikely(!afl->stop_soon && exit_1)) { afl->stop_soon = 2; }
2875*08b48e0bSAndroid Build Coastguard Worker 
2876*08b48e0bSAndroid Build Coastguard Worker       if (unlikely(afl->old_seed_selection)) {
2877*08b48e0bSAndroid Build Coastguard Worker 
2878*08b48e0bSAndroid Build Coastguard Worker         while (++afl->current_entry < afl->queued_items &&
2879*08b48e0bSAndroid Build Coastguard Worker                afl->queue_buf[afl->current_entry]->disabled) {};
2880*08b48e0bSAndroid Build Coastguard Worker         if (unlikely(afl->current_entry >= afl->queued_items ||
2881*08b48e0bSAndroid Build Coastguard Worker                      afl->queue_buf[afl->current_entry] == NULL ||
2882*08b48e0bSAndroid Build Coastguard Worker                      afl->queue_buf[afl->current_entry]->disabled)) {
2883*08b48e0bSAndroid Build Coastguard Worker 
2884*08b48e0bSAndroid Build Coastguard Worker           afl->queue_cur = NULL;
2885*08b48e0bSAndroid Build Coastguard Worker 
2886*08b48e0bSAndroid Build Coastguard Worker         } else {
2887*08b48e0bSAndroid Build Coastguard Worker 
2888*08b48e0bSAndroid Build Coastguard Worker           afl->queue_cur = afl->queue_buf[afl->current_entry];
2889*08b48e0bSAndroid Build Coastguard Worker 
2890*08b48e0bSAndroid Build Coastguard Worker         }
2891*08b48e0bSAndroid Build Coastguard Worker 
2892*08b48e0bSAndroid Build Coastguard Worker       }
2893*08b48e0bSAndroid Build Coastguard Worker 
2894*08b48e0bSAndroid Build Coastguard Worker     } while (skipped_fuzz && afl->queue_cur && !afl->stop_soon);
2895*08b48e0bSAndroid Build Coastguard Worker 
2896*08b48e0bSAndroid Build Coastguard Worker     u64 cur_time = get_cur_time();
2897*08b48e0bSAndroid Build Coastguard Worker 
2898*08b48e0bSAndroid Build Coastguard Worker     if (likely(afl->switch_fuzz_mode && afl->fuzz_mode == 0 &&
2899*08b48e0bSAndroid Build Coastguard Worker                !afl->non_instrumented_mode) &&
2900*08b48e0bSAndroid Build Coastguard Worker         unlikely(cur_time > (likely(afl->last_find_time) ? afl->last_find_time
2901*08b48e0bSAndroid Build Coastguard Worker                                                          : afl->start_time) +
2902*08b48e0bSAndroid Build Coastguard Worker                                 afl->switch_fuzz_mode)) {
2903*08b48e0bSAndroid Build Coastguard Worker 
2904*08b48e0bSAndroid Build Coastguard Worker       if (afl->afl_env.afl_no_ui) {
2905*08b48e0bSAndroid Build Coastguard Worker 
2906*08b48e0bSAndroid Build Coastguard Worker         ACTF(
2907*08b48e0bSAndroid Build Coastguard Worker             "No new coverage found for %llu seconds, switching to exploitation "
2908*08b48e0bSAndroid Build Coastguard Worker             "strategy.",
2909*08b48e0bSAndroid Build Coastguard Worker             afl->switch_fuzz_mode / 1000);
2910*08b48e0bSAndroid Build Coastguard Worker 
2911*08b48e0bSAndroid Build Coastguard Worker       }
2912*08b48e0bSAndroid Build Coastguard Worker 
2913*08b48e0bSAndroid Build Coastguard Worker       afl->fuzz_mode = 1;
2914*08b48e0bSAndroid Build Coastguard Worker 
2915*08b48e0bSAndroid Build Coastguard Worker     }
2916*08b48e0bSAndroid Build Coastguard Worker 
2917*08b48e0bSAndroid Build Coastguard Worker     if (likely(!afl->stop_soon && afl->sync_id)) {
2918*08b48e0bSAndroid Build Coastguard Worker 
2919*08b48e0bSAndroid Build Coastguard Worker       if (likely(afl->skip_deterministic)) {
2920*08b48e0bSAndroid Build Coastguard Worker 
2921*08b48e0bSAndroid Build Coastguard Worker         if (unlikely(afl->is_main_node)) {
2922*08b48e0bSAndroid Build Coastguard Worker 
2923*08b48e0bSAndroid Build Coastguard Worker           if (unlikely(cur_time >
2924*08b48e0bSAndroid Build Coastguard Worker                        (afl->sync_time >> 1) + afl->last_sync_time)) {
2925*08b48e0bSAndroid Build Coastguard Worker 
2926*08b48e0bSAndroid Build Coastguard Worker             if (!(sync_interval_cnt++ % (SYNC_INTERVAL / 3))) {
2927*08b48e0bSAndroid Build Coastguard Worker 
2928*08b48e0bSAndroid Build Coastguard Worker               sync_fuzzers(afl);
2929*08b48e0bSAndroid Build Coastguard Worker 
2930*08b48e0bSAndroid Build Coastguard Worker             }
2931*08b48e0bSAndroid Build Coastguard Worker 
2932*08b48e0bSAndroid Build Coastguard Worker           }
2933*08b48e0bSAndroid Build Coastguard Worker 
2934*08b48e0bSAndroid Build Coastguard Worker         } else {
2935*08b48e0bSAndroid Build Coastguard Worker 
2936*08b48e0bSAndroid Build Coastguard Worker           if (unlikely(cur_time > afl->sync_time + afl->last_sync_time)) {
2937*08b48e0bSAndroid Build Coastguard Worker 
2938*08b48e0bSAndroid Build Coastguard Worker             if (!(sync_interval_cnt++ % SYNC_INTERVAL)) { sync_fuzzers(afl); }
2939*08b48e0bSAndroid Build Coastguard Worker 
2940*08b48e0bSAndroid Build Coastguard Worker           }
2941*08b48e0bSAndroid Build Coastguard Worker 
2942*08b48e0bSAndroid Build Coastguard Worker         }
2943*08b48e0bSAndroid Build Coastguard Worker 
2944*08b48e0bSAndroid Build Coastguard Worker       } else {
2945*08b48e0bSAndroid Build Coastguard Worker 
2946*08b48e0bSAndroid Build Coastguard Worker         sync_fuzzers(afl);
2947*08b48e0bSAndroid Build Coastguard Worker 
2948*08b48e0bSAndroid Build Coastguard Worker       }
2949*08b48e0bSAndroid Build Coastguard Worker 
2950*08b48e0bSAndroid Build Coastguard Worker     }
2951*08b48e0bSAndroid Build Coastguard Worker 
2952*08b48e0bSAndroid Build Coastguard Worker   }
2953*08b48e0bSAndroid Build Coastguard Worker 
2954*08b48e0bSAndroid Build Coastguard Worker stop_fuzzing:
2955*08b48e0bSAndroid Build Coastguard Worker 
2956*08b48e0bSAndroid Build Coastguard Worker   afl->force_ui_update = 1;  // ensure the screen is reprinted
2957*08b48e0bSAndroid Build Coastguard Worker   afl->stop_soon = 1;        // ensure everything is written
2958*08b48e0bSAndroid Build Coastguard Worker   show_stats(afl);           // print the screen one last time
2959*08b48e0bSAndroid Build Coastguard Worker   write_bitmap(afl);
2960*08b48e0bSAndroid Build Coastguard Worker   save_auto(afl);
2961*08b48e0bSAndroid Build Coastguard Worker 
2962*08b48e0bSAndroid Build Coastguard Worker   if (afl->pizza_is_served) {
2963*08b48e0bSAndroid Build Coastguard Worker 
2964*08b48e0bSAndroid Build Coastguard Worker     SAYF(CURSOR_SHOW cLRD "\n\n+++ Baking aborted %s +++\n" cRST,
2965*08b48e0bSAndroid Build Coastguard Worker          afl->stop_soon == 2 ? "programmatically" : "by the chef");
2966*08b48e0bSAndroid Build Coastguard Worker 
2967*08b48e0bSAndroid Build Coastguard Worker   } else {
2968*08b48e0bSAndroid Build Coastguard Worker 
2969*08b48e0bSAndroid Build Coastguard Worker     SAYF(CURSOR_SHOW cLRD "\n\n+++ Testing aborted %s +++\n" cRST,
2970*08b48e0bSAndroid Build Coastguard Worker          afl->stop_soon == 2 ? "programmatically" : "by user");
2971*08b48e0bSAndroid Build Coastguard Worker 
2972*08b48e0bSAndroid Build Coastguard Worker   }
2973*08b48e0bSAndroid Build Coastguard Worker 
2974*08b48e0bSAndroid Build Coastguard Worker   if (afl->most_time_key == 2) {
2975*08b48e0bSAndroid Build Coastguard Worker 
2976*08b48e0bSAndroid Build Coastguard Worker     SAYF(cYEL "[!] " cRST "Time limit was reached\n");
2977*08b48e0bSAndroid Build Coastguard Worker 
2978*08b48e0bSAndroid Build Coastguard Worker   }
2979*08b48e0bSAndroid Build Coastguard Worker 
2980*08b48e0bSAndroid Build Coastguard Worker   if (afl->most_execs_key == 2) {
2981*08b48e0bSAndroid Build Coastguard Worker 
2982*08b48e0bSAndroid Build Coastguard Worker     SAYF(cYEL "[!] " cRST "Execution limit was reached\n");
2983*08b48e0bSAndroid Build Coastguard Worker 
2984*08b48e0bSAndroid Build Coastguard Worker   }
2985*08b48e0bSAndroid Build Coastguard Worker 
2986*08b48e0bSAndroid Build Coastguard Worker   /* Running for more than 30 minutes but still doing first cycle? */
2987*08b48e0bSAndroid Build Coastguard Worker 
2988*08b48e0bSAndroid Build Coastguard Worker   if (afl->queue_cycle == 1 &&
2989*08b48e0bSAndroid Build Coastguard Worker       get_cur_time() - afl->start_time > 30 * 60 * 1000) {
2990*08b48e0bSAndroid Build Coastguard Worker 
2991*08b48e0bSAndroid Build Coastguard Worker     SAYF("\n" cYEL "[!] " cRST
2992*08b48e0bSAndroid Build Coastguard Worker          "Stopped during the first cycle, results may be incomplete.\n"
2993*08b48e0bSAndroid Build Coastguard Worker          "    (For info on resuming, see %s/README.md)\n",
2994*08b48e0bSAndroid Build Coastguard Worker          doc_path);
2995*08b48e0bSAndroid Build Coastguard Worker 
2996*08b48e0bSAndroid Build Coastguard Worker   }
2997*08b48e0bSAndroid Build Coastguard Worker 
2998*08b48e0bSAndroid Build Coastguard Worker   if (afl->not_on_tty) {
2999*08b48e0bSAndroid Build Coastguard Worker 
3000*08b48e0bSAndroid Build Coastguard Worker     u32 t_bytes = count_non_255_bytes(afl, afl->virgin_bits);
3001*08b48e0bSAndroid Build Coastguard Worker     u8  time_tmp[64];
3002*08b48e0bSAndroid Build Coastguard Worker     u_stringify_time_diff(time_tmp, get_cur_time(), afl->start_time);
3003*08b48e0bSAndroid Build Coastguard Worker     ACTF(
3004*08b48e0bSAndroid Build Coastguard Worker         "Statistics: %u new corpus items found, %.02f%% coverage achieved, "
3005*08b48e0bSAndroid Build Coastguard Worker         "%llu crashes saved, %llu timeouts saved, total runtime %s",
3006*08b48e0bSAndroid Build Coastguard Worker         afl->queued_discovered,
3007*08b48e0bSAndroid Build Coastguard Worker         ((double)t_bytes * 100) / afl->fsrv.real_map_size, afl->saved_crashes,
3008*08b48e0bSAndroid Build Coastguard Worker         afl->saved_hangs, time_tmp);
3009*08b48e0bSAndroid Build Coastguard Worker 
3010*08b48e0bSAndroid Build Coastguard Worker   }
3011*08b48e0bSAndroid Build Coastguard Worker 
3012*08b48e0bSAndroid Build Coastguard Worker   #ifdef PROFILING
3013*08b48e0bSAndroid Build Coastguard Worker   SAYF(cYEL "[!] " cRST
3014*08b48e0bSAndroid Build Coastguard Worker             "Profiling information: %llu ms total work, %llu ns/run\n",
3015*08b48e0bSAndroid Build Coastguard Worker        time_spent_working / 1000000,
3016*08b48e0bSAndroid Build Coastguard Worker        time_spent_working / afl->fsrv.total_execs);
3017*08b48e0bSAndroid Build Coastguard Worker   #endif
3018*08b48e0bSAndroid Build Coastguard Worker 
3019*08b48e0bSAndroid Build Coastguard Worker   if (afl->afl_env.afl_final_sync) {
3020*08b48e0bSAndroid Build Coastguard Worker 
3021*08b48e0bSAndroid Build Coastguard Worker     SAYF(cYEL "[!] " cRST
3022*08b48e0bSAndroid Build Coastguard Worker               "\nPerforming final sync, this make take some time ...\n");
3023*08b48e0bSAndroid Build Coastguard Worker     sync_fuzzers(afl);
3024*08b48e0bSAndroid Build Coastguard Worker     write_bitmap(afl);
3025*08b48e0bSAndroid Build Coastguard Worker     SAYF(cYEL "[!] " cRST "Done!\n\n");
3026*08b48e0bSAndroid Build Coastguard Worker 
3027*08b48e0bSAndroid Build Coastguard Worker   }
3028*08b48e0bSAndroid Build Coastguard Worker 
3029*08b48e0bSAndroid Build Coastguard Worker   if (afl->is_main_node) {
3030*08b48e0bSAndroid Build Coastguard Worker 
3031*08b48e0bSAndroid Build Coastguard Worker     u8 path[PATH_MAX];
3032*08b48e0bSAndroid Build Coastguard Worker     sprintf(path, "%s/is_main_node", afl->out_dir);
3033*08b48e0bSAndroid Build Coastguard Worker     unlink(path);
3034*08b48e0bSAndroid Build Coastguard Worker 
3035*08b48e0bSAndroid Build Coastguard Worker   }
3036*08b48e0bSAndroid Build Coastguard Worker 
3037*08b48e0bSAndroid Build Coastguard Worker   if (frida_afl_preload) { ck_free(frida_afl_preload); }
3038*08b48e0bSAndroid Build Coastguard Worker 
3039*08b48e0bSAndroid Build Coastguard Worker   fclose(afl->fsrv.plot_file);
3040*08b48e0bSAndroid Build Coastguard Worker 
3041*08b48e0bSAndroid Build Coastguard Worker   #ifdef INTROSPECTION
3042*08b48e0bSAndroid Build Coastguard Worker   fclose(afl->fsrv.det_plot_file);
3043*08b48e0bSAndroid Build Coastguard Worker   #endif
3044*08b48e0bSAndroid Build Coastguard Worker 
3045*08b48e0bSAndroid Build Coastguard Worker   destroy_queue(afl);
3046*08b48e0bSAndroid Build Coastguard Worker   destroy_extras(afl);
3047*08b48e0bSAndroid Build Coastguard Worker   destroy_custom_mutators(afl);
3048*08b48e0bSAndroid Build Coastguard Worker   afl_shm_deinit(&afl->shm);
3049*08b48e0bSAndroid Build Coastguard Worker 
3050*08b48e0bSAndroid Build Coastguard Worker   if (afl->shm_fuzz) {
3051*08b48e0bSAndroid Build Coastguard Worker 
3052*08b48e0bSAndroid Build Coastguard Worker     afl_shm_deinit(afl->shm_fuzz);
3053*08b48e0bSAndroid Build Coastguard Worker     ck_free(afl->shm_fuzz);
3054*08b48e0bSAndroid Build Coastguard Worker 
3055*08b48e0bSAndroid Build Coastguard Worker   }
3056*08b48e0bSAndroid Build Coastguard Worker 
3057*08b48e0bSAndroid Build Coastguard Worker   afl_fsrv_deinit(&afl->fsrv);
3058*08b48e0bSAndroid Build Coastguard Worker 
3059*08b48e0bSAndroid Build Coastguard Worker   /* remove tmpfile */
3060*08b48e0bSAndroid Build Coastguard Worker   if (afl->tmp_dir != NULL && !afl->in_place_resume && afl->fsrv.out_file) {
3061*08b48e0bSAndroid Build Coastguard Worker 
3062*08b48e0bSAndroid Build Coastguard Worker     (void)unlink(afl->fsrv.out_file);
3063*08b48e0bSAndroid Build Coastguard Worker 
3064*08b48e0bSAndroid Build Coastguard Worker   }
3065*08b48e0bSAndroid Build Coastguard Worker 
3066*08b48e0bSAndroid Build Coastguard Worker   if (afl->orig_cmdline) { ck_free(afl->orig_cmdline); }
3067*08b48e0bSAndroid Build Coastguard Worker   ck_free(afl->fsrv.target_path);
3068*08b48e0bSAndroid Build Coastguard Worker   ck_free(afl->fsrv.out_file);
3069*08b48e0bSAndroid Build Coastguard Worker   ck_free(afl->sync_id);
3070*08b48e0bSAndroid Build Coastguard Worker   if (afl->q_testcase_cache) { ck_free(afl->q_testcase_cache); }
3071*08b48e0bSAndroid Build Coastguard Worker   afl_state_deinit(afl);
3072*08b48e0bSAndroid Build Coastguard Worker   free(afl);                                                 /* not tracked */
3073*08b48e0bSAndroid Build Coastguard Worker 
3074*08b48e0bSAndroid Build Coastguard Worker   argv_cpy_free(argv);
3075*08b48e0bSAndroid Build Coastguard Worker 
3076*08b48e0bSAndroid Build Coastguard Worker   alloc_report();
3077*08b48e0bSAndroid Build Coastguard Worker 
3078*08b48e0bSAndroid Build Coastguard Worker   OKF("We're done here. Have a nice day!\n");
3079*08b48e0bSAndroid Build Coastguard Worker 
3080*08b48e0bSAndroid Build Coastguard Worker   exit(0);
3081*08b48e0bSAndroid Build Coastguard Worker 
3082*08b48e0bSAndroid Build Coastguard Worker }
3083*08b48e0bSAndroid Build Coastguard Worker 
3084*08b48e0bSAndroid Build Coastguard Worker #endif                                                          /* !AFL_LIB */
3085*08b48e0bSAndroid Build Coastguard Worker 