
2.40b
thomas-huet committed Jun 18, 2017
1 parent a08fadf commit 0e4298b
Showing 5 changed files with 92 additions and 18 deletions.
55 changes: 40 additions & 15 deletions afl-fuzz.c
Expand Up @@ -1122,7 +1122,7 @@ static const u8 count_class_lookup8[256] = {
static u16 count_class_lookup16[65536];


static void init_count_class16(void) {
EXP_ST void init_count_class16(void) {

u32 b1, b2;

Expand Down Expand Up @@ -3976,14 +3976,17 @@ static void show_stats(void) {

} else {

u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60;

/* First queue cycle: don't stop now! */
if (queue_cycle == 1) strcpy(tmp, cMGN); else
if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else

/* Subsequent cycles, but we're still making finds. */
if (cycles_wo_finds < 25) strcpy(tmp, cYEL); else
if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else

/* No finds for a long time and no test cases to try. */
if (cycles_wo_finds > 100 && !pending_not_fuzzed) strcpy(tmp, cLGN);
if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120)
strcpy(tmp, cLGN);

/* Default: cautiously OK to stop? */
else strcpy(tmp, cLBL);
Expand Down Expand Up @@ -4600,9 +4603,19 @@ static u32 choose_block_len(u32 limit) {
max_value = HAVOC_BLK_MEDIUM;
break;

default: min_value = HAVOC_BLK_MEDIUM;
max_value = HAVOC_BLK_LARGE;
default:

if (UR(10)) {

min_value = HAVOC_BLK_MEDIUM;
max_value = HAVOC_BLK_LARGE;

} else {

min_value = HAVOC_BLK_LARGE;
max_value = HAVOC_BLK_XL;

}

}

Expand Down Expand Up @@ -5553,7 +5566,7 @@ static u8 fuzz_one(char** argv) {
/* Little endian first. Same deal as with 16-bit: we only want to
try if the operation would have effect on more than two bytes. */

stage_val_type = STAGE_VAL_LE;
stage_val_type = STAGE_VAL_LE;

if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {

Expand Down Expand Up @@ -5881,7 +5894,7 @@ static u8 fuzz_one(char** argv) {

ex_tmp = ck_alloc(len + MAX_DICT_FILE);

for (i = 0; i < len; i++) {
for (i = 0; i <= len; i++) {

stage_cur_byte = i;

Expand Down Expand Up @@ -6230,16 +6243,26 @@ static u8 fuzz_one(char** argv) {

case 13:

if (temp_len + HAVOC_BLK_LARGE < MAX_FILE) {
if (temp_len + HAVOC_BLK_XL < MAX_FILE) {

/* Clone bytes (75%) or insert a block of constant bytes (25%). */

u8 actually_clone = UR(4);
u32 clone_from, clone_to, clone_len;
u8* new_buf;

clone_len = choose_block_len(temp_len);
if (actually_clone) {

clone_len = choose_block_len(temp_len);
clone_from = UR(temp_len - clone_len + 1);

} else {

clone_len = choose_block_len(HAVOC_BLK_XL);
clone_from = 0;

}

clone_from = UR(temp_len - clone_len + 1);
clone_to = UR(temp_len);

new_buf = ck_alloc_nozero(temp_len + clone_len);
Expand All @@ -6250,10 +6273,11 @@ static u8 fuzz_one(char** argv) {

/* Inserted part */

if (UR(4))
if (actually_clone)
memcpy(new_buf + clone_to, out_buf + clone_from, clone_len);
else
memset(new_buf + clone_to, UR(256), clone_len);
memset(new_buf + clone_to,
UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len);

/* Tail */
memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
Expand Down Expand Up @@ -6286,7 +6310,8 @@ static u8 fuzz_one(char** argv) {
if (copy_from != copy_to)
memmove(out_buf + copy_to, out_buf + copy_from, copy_len);

} else memset(out_buf + copy_to, UR(256), copy_len);
} else memset(out_buf + copy_to,
UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len);

break;

Expand Down Expand Up @@ -6334,7 +6359,7 @@ static u8 fuzz_one(char** argv) {

case 16: {

u32 use_extra, extra_len, insert_at = UR(temp_len);
u32 use_extra, extra_len, insert_at = UR(temp_len + 1);
u8* new_buf;

/* Insert an extra. Do the same dice-rolling stuff as for the
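Review bot: The dictionary-insertion loop now runs len + 1 iterations per extra (`for (i = 0; i <= len; i++)`), but the stage bookkeeping that precedes this hunk is not touched by the commit; if stage_max for this stage is still derived as extras_cnt * len, stage_cur will run extras_cnt past stage_max and the stage's progress display will overshoot, so it should presumably become `stage_max = extras_cnt * (len + 1);`. The ex_tmp allocation of len + MAX_DICT_FILE looks sufficient for the new append position provided the copy below the hunk is head/extra/tail with a zero-length tail at i == len — that body is outside the hunk and should be checked. The matching end-position fix in havoc case 16 (`insert_at = UR(temp_len + 1)`) relies on the same zero-length-tail property in code that also continues outside its hunk. As a point of style, the fill expression `UR(2) ? UR(256) : out_buf[UR(temp_len)]` is now duplicated in cases 13 and 14 and would read better as one small static inline helper. fuzz_one begins and ends outside all of these hunks.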
6 changes: 5 additions & 1 deletion config.h
Expand Up @@ -21,7 +21,7 @@

/* Version string: */

#define VERSION "2.39b"
#define VERSION "2.40b"

/******************************************************
* *
Expand Down Expand Up @@ -106,6 +106,10 @@
#define HAVOC_BLK_MEDIUM 128
#define HAVOC_BLK_LARGE 1500

/* Extra-large blocks, selected very rarely (<5% of the time): */

#define HAVOC_BLK_XL 32768

/* Probabilities of skipping non-favored entries in the queue, expressed as
percentages: */

13 changes: 12 additions & 1 deletion docs/ChangeLog
Expand Up @@ -16,6 +16,17 @@ Not sure if you should upgrade? The lowest currently recommended version
is 2.31b. If you're stuck on an earlier release, it's strongly advisable
to get on with the times.

--------------
Version 2.40b:
--------------

- Fixed a minor oversight in the insertion strategy for dictionary words.
Spotted by Andrzej Jackowski.

- Made a small improvement to the havoc block insertion strategy.

- Adjusted color rules for "is it done yet?" indicators.

--------------
Version 2.39b:
--------------
Expand Down Expand Up @@ -71,7 +82,7 @@ Version 2.36b:
are unique to the input file, but not to the "boring" baseline.
Suggested by Sami Liedes.

- "Fixed" a getPassName() problem with never versions of clang.
- "Fixed" a getPassName() problem with newer versions of clang.
Reported by Craig Young and several other folks.

Yep, I know I have a backlog on several other feature requests.
1 change: 1 addition & 0 deletions docs/README
Expand Up @@ -481,6 +481,7 @@ bug reports, or patches from:
Joshua J. Drake Toby Hutton
Rene Freingruber Sergey Davidoff
Sami Liedes Craig Young
Andrzej Jackowski

Thank you!

35 changes: 34 additions & 1 deletion docs/sister_projects.txt
Expand Up @@ -85,6 +85,10 @@ WinAFL (Ivan Fratric)

https://github.com/ivanfratric/winafl

Another Windows alternative may be:

https://github.com/carlosgprado/BrundleFuzz/

----------------
Network fuzzing:
----------------
Expand Down Expand Up @@ -120,6 +124,13 @@ Distfuzz-AFL (Martijn Bogaard)

https://github.com/MartijnB/disfuzz-afl

AFLDFF (quantumvm)
------------------

A nice GUI for managing AFL jobs.

https://github.com/quantumvm/AFLDFF

afl-launch (Ben Nagy)
---------------------

Expand All @@ -134,6 +145,10 @@ AFL Utils (rc0r)

https://github.com/rc0r/afl-utils

Another crash triage tool:

https://github.com/floyd-fuh/afl-crash-analyzer

afl-fuzzing-scripts (Tobias Ospelt)
-----------------------------------

Expand All @@ -148,6 +163,10 @@ afl-sid (Jacek Wielemborek)

https://github.com/d33tah/afl-sid

Another Docker-related project:

https://github.com/ozzyjohnson/docker-afl

afl-monitor (Paul S. Ziegler)
-----------------------------

Expand Down Expand Up @@ -226,7 +245,7 @@ Pause and resume scripts (Ben Nagy)

Simple automation to suspend and resume groups of fuzzing jobs.

https://gist.github.com/bnagy/8f0eb29eb125653f73fd
https://github.com/bnagy/afl-trivia

Static binary-only instrumentation (Aleksandar Nikolich)
--------------------------------------------------------
Expand Down Expand Up @@ -303,3 +322,17 @@ Kernel fuzzing (Dmitry Vyukov)
https://github.com/google/syzkaller/wiki/Found-Bugs
https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf

Android support (ele7enxxh)
---------------------------

Based on a somewhat dated version of AFL:

https://github.com/ele7enxxh/android-afl

CGI wrapper (floyd)
-------------------

Facilitates the testing of CGI scripts.

https://github.com/floyd-fuh/afl-cgi-wrapper
