From 4ab7ccbe377ada518f42d61e413b95d1b1f61a9c Mon Sep 17 00:00:00 2001 From: Laurent Simon Date: Wed, 29 Apr 2020 01:39:06 +0000 Subject: [PATCH 1/2] add support for -x -d/-S together --- afl-fuzz.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/afl-fuzz.c b/afl-fuzz.c index 029afe93e..9647d898d 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -133,6 +133,7 @@ EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ run_over10m, /* Run time over 10 minutes? */ persistent_mode, /* Running in persistent mode? */ deferred_mode, /* Deferred forkserver mode? */ + use_dictionary, /* Use dictionary? */ fast_cal; /* Try to calibrate faster? */ static s32 out_fd, /* Persistent fd for out_file */ @@ -5117,7 +5118,7 @@ static u8 fuzz_one(char** argv) { this entry ourselves (was_fuzzed), or if it has gone through deterministic testing in earlier, resumed runs (passed_det). */ - if (skip_deterministic || queue_cur->was_fuzzed || queue_cur->passed_det) + if ((skip_deterministic && !use_dictionary) || queue_cur->was_fuzzed || queue_cur->passed_det) goto havoc_stage; /* Skip deterministic fuzzing if exec path checksum puts this out of scope @@ -5128,6 +5129,10 @@ static u8 fuzz_one(char** argv) { doing_det = 1; + /* We skip deterministic steps but still perform the dictionary part */ + if (skip_deterministic && use_dictionary) + goto dict_stage; + /********************************************* * SIMPLE BITFLIP (+dictionary construction) * *********************************************/ @@ -5915,6 +5920,10 @@ static u8 fuzz_one(char** argv) { * DICTIONARY STUFF * ********************/ +dict_stage: + + new_hit_cnt = queued_paths + unique_crashes; + if (!extras_cnt) goto skip_user_extras; /* Overwrite with user-supplied extras. */ 
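Review bot: The `goto dict_stage` placed right after `doing_det = 1` jumps over the bitflip stage that normally allocates `eff_map` and collects auto-extras, so everything after the label must tolerate `eff_map == NULL` and an empty effector map, and only the user-extras `memchr` is guarded in this series. Make that contract explicit at the jump, e.g. `/* NOTE: eff_map stays NULL on this path; every dictionary stage below must test it before indexing. */`. Leaving `doing_det` set to 1 on this path also means any later code that branches on it (upstream's havoc cycle sizing does) treats an entry that ran only the dictionary stage as fully deterministic-fuzzed — if that is intended, say so in the same comment. fuzz_one begins and ends outside this hunk.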
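Review bot: The new `dict_stage:` label is followed by a bare `new_hit_cnt = queued_paths + unique_crashes;` with no explanation, so a reader will take it for a stray assignment rather than the bookkeeping it presumably is (the extras stage below copies `new_hit_cnt` into `orig_hit_cnt` in upstream, and the stages that normally keep it current were skipped). Suggest `/* Entry point for -d with -x: the earlier stages that leave new_hit_cnt current were skipped, so refresh it before the extras stage reads it. */` above the assignment. Since the label is reached by a `goto` from far above, it is also the place to state which locals (`eff_map`, the stage counters) must not be assumed valid. fuzz_one starts and ends outside this hunk.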
@@ -5949,7 +5958,8 @@ static u8 fuzz_one(char** argv) { if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || extras[j].len > len - i || !memcmp(extras[j].data, out_buf + i, extras[j].len) || - !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len))) { + /* WARNING: eff_map is not allocated if skip_deterministic and use_dictionary are set */ + (eff_map && !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len)))) { stage_max--; continue; @@ -7822,6 +7832,7 @@ int main(int argc, char** argv) { if (extras_dir) FATAL("Multiple -x options not supported"); extras_dir = optarg; + use_dictionary = 1; break; case 't': { /* timeout */ From 6aa9157a52acae681b0bc7a4daa863c26e2f91b1 Mon Sep 17 00:00:00 2001 From: Laurent Simon Date: Thu, 30 Apr 2020 16:30:14 +0000 Subject: [PATCH 2/2] disable non-deterministic dictionary usage in havovc stage, as per https://github.com/Samsung/afl_cc/blob/master/afl-fuzz.c#L6669 --- afl-fuzz.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/afl-fuzz.c b/afl-fuzz.c index 9647d898d..6b80f8f14 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -133,7 +133,7 @@ EXP_ST u8 skip_deterministic, /* Skip deterministic stages? */ run_over10m, /* Run time over 10 minutes? */ persistent_mode, /* Running in persistent mode? */ deferred_mode, /* Deferred forkserver mode? */ - use_dictionary, /* Use dictionary? */ + force_det_dictionary, /* Force deterministic dictionary? */ fast_cal; /* Try to calibrate faster? */ static s32 out_fd, /* Persistent fd for out_file */ 
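Review bot: The `eff_map &&` guard covers only the user-extras loop; if the auto-extras loop that follows `skip_user_extras` (outside this hunk) still applies the same `memchr(eff_map + EFF_APOS(i), 1, …)` test as upstream AFL does, then on the `-d -x` path with `a_extras_cnt > 0` (e.g. a resumed session that loaded saved auto-extras) it forms `NULL + EFF_APOS(i)` and reads through it. Apply the same `(eff_map && !memchr(...))` form there, and record the invariant once at the declaration of `eff_map` instead of as a WARNING inside a condition, e.g. `/* NULL when deterministic stages were skipped (-d with -x); dictionary stages must test it before use. */`. The guard also depends on `eff_map` being initialised to NULL at its declaration, which is outside this hunk and worth confirming, since an indeterminate pointer would make the test meaningless. With a NULL `eff_map` the effector-map pruning is lost and every offset is tried — correct, but the cost should be noted where the skip is introduced.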
@@ -5118,7 +5118,7 @@ static u8 fuzz_one(char** argv) { this entry ourselves (was_fuzzed), or if it has gone through deterministic testing in earlier, resumed runs (passed_det). */ - if ((skip_deterministic && !use_dictionary) || queue_cur->was_fuzzed || queue_cur->passed_det) + if ((skip_deterministic && !force_det_dictionary) || queue_cur->was_fuzzed || queue_cur->passed_det) goto havoc_stage; /* Skip deterministic fuzzing if exec path checksum puts this out of scope @@ -5129,9 +5129,9 @@ static u8 fuzz_one(char** argv) { doing_det = 1; - /* We skip deterministic steps but still perform the dictionary part */ - if (skip_deterministic && use_dictionary) - goto dict_stage; + /* We skip deterministic steps but still perform the dictionary mutation deterministically */ + if (skip_deterministic && force_det_dictionary) + goto dict_stage; /********************************************* * SIMPLE BITFLIP (+dictionary construction) * @@ -5958,7 +5958,7 @@ static u8 fuzz_one(char** argv) { if ((extras_cnt > MAX_DET_EXTRAS && UR(extras_cnt) >= MAX_DET_EXTRAS) || extras[j].len > len - i || !memcmp(extras[j].data, out_buf + i, extras[j].len) || - /* WARNING: eff_map is not allocated if skip_deterministic and use_dictionary are set */ + /* WARNING: eff_map is not allocated if skip_deterministic and force_det_dictionary are set */ (eff_map && !memchr(eff_map + EFF_APOS(i), 1, EFF_SPAN_ALEN(i, extras[j].len)))) { stage_max--; @@ -6143,7 +6143,7 @@ static u8 fuzz_one(char** argv) { for (i = 0; i < use_stacking; i++) { - switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { + switch (UR(15 + ((!force_det_dictionary && (extras_cnt + a_extras_cnt)) ? 2 : 0))) { case 0: @@ -7832,7 +7832,7 @@ int main(int argc, char** argv) { if (extras_dir) FATAL("Multiple -x options not supported"); extras_dir = optarg; - use_dictionary = 1; + // force_det_dictionary = 1; break; case 't': { /* timeout */
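Review bot: The case-count expression now embedded in the `switch (UR(...))` line is hard to read and its intent (no random dictionary mutations when the dictionary is forced deterministic) is unstated; hoist it into a named local with a comment, e.g. `/* With force_det_dictionary, extras are applied only in the deterministic dict stage, so drop the two extras cases. */` then `u32 havoc_cases = 15 + ((!force_det_dictionary && (extras_cnt + a_extras_cnt)) ? 2 : 0);` and `switch (UR(havoc_cases)) {`. Note the change also removes dictionary mutations from entries that enter havoc via `was_fuzzed`/`passed_det` and from splice cycles, none of which run the dictionary stage again — if that matches the referenced afl_cc behaviour, the comment should say so. The enclosing loop and fuzz_one extend beyond this hunk.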
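Review bot: Commenting out `force_det_dictionary = 1;` leaves the flag with no writer at all, so after this commit `force_det_dictionary` is always 0 and the `goto dict_stage` path, the `eff_map` guard and the havoc case-count change are all unreachable. If the behaviour is meant to be opt-in, wire the flag to an explicit switch (a getopt letter or an environment variable read in main) and document it in the usage text; if it is meant to be implied by `-x` with `-d`, restore the assignment. Either way delete the `//` line: the file uses `/* */` comments everywhere else, and a feature switched off by commented-out code is easy to miss in review. main continues outside this hunk.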