diff --git a/afl-fuzz.c b/afl-fuzz.c
index e730cb29..62a5086b 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -1122,7 +1122,7 @@ static const u8 count_class_lookup8[256] = {
 static u16 count_class_lookup16[65536];
-static void init_count_class16(void) {
+EXP_ST void init_count_class16(void) {
 u32 b1, b2;
@@ -3976,14 +3976,17 @@ static void show_stats(void) {
 } else {
+ u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60;
+
 /* First queue cycle: don't stop now! */
- if (queue_cycle == 1) strcpy(tmp, cMGN); else
+ if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else
 /* Subsequent cycles, but we're still making finds. */
- if (cycles_wo_finds < 25) strcpy(tmp, cYEL); else
+ if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else
 /* No finds for a long time and no test cases to try. */
- if (cycles_wo_finds > 100 && !pending_not_fuzzed) strcpy(tmp, cLGN);
+ if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120)
+ strcpy(tmp, cLGN);
 /* Default: cautiously OK to stop? */
 else strcpy(tmp, cLBL);
@@ -4600,9 +4603,19 @@ static u32 choose_block_len(u32 limit) {
 max_value = HAVOC_BLK_MEDIUM;
 break;
- default: min_value = HAVOC_BLK_MEDIUM;
- max_value = HAVOC_BLK_LARGE;
+ default:
+
+ if (UR(10)) {
+
+ min_value = HAVOC_BLK_MEDIUM;
+ max_value = HAVOC_BLK_LARGE;
+
+ } else {
+ min_value = HAVOC_BLK_LARGE;
+ max_value = HAVOC_BLK_XL;
+
+ }
 }
@@ -5553,7 +5566,7 @@ static u8 fuzz_one(char** argv) {
 /* Little endian first. Same deal as with 16-bit: we only want to try if the operation would have effect on more than two bytes. */
- stage_val_type = STAGE_VAL_LE;
+ stage_val_type = STAGE_VAL_LE;
 if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {
@@ -5881,7 +5894,7 @@ static u8 fuzz_one(char** argv) {
 ex_tmp = ck_alloc(len + MAX_DICT_FILE);
- for (i = 0; i < len; i++) {
+ for (i = 0; i <= len; i++) {
 stage_cur_byte = i;
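Review bot: The new minute thresholds 15, 30 and 120 in the three `if` conditions of show_stats are bare literals sitting next to the pre-existing bare 25 and 100 cycle counts, so the "is it done yet?" color policy is now five unexplained numbers in the display code. Moving them next to the other tunables in config.h, e.g. `#define STOP_HINT_MIN_MGN 15`, `#define STOP_HINT_MIN_YEL 30`, `#define STOP_HINT_MIN_LGN 120` (names illustrative), would document the policy that the ChangeLog only says was "adjusted". `min_wo_finds` is derived from `cur_ms - last_path_time`; if last_path_time can still be zero when this else-branch runs, the value is minutes since the epoch and every threshold is trivially exceeded, so either a comment stating that last_path_time is always set by then or a guard would make the assumption explicit. show_stats begins and ends outside the hunk.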
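Review bot: The `if (UR(10))` in the new `default:` arm of choose_block_len encodes a one-in-ten chance of the LARGE..XL range without a comment, while the HAVOC_BLK_XL definition in config.h advertises "<5% of the time"; the two presumably agree only because reaching `default:` already depends on the switch's own roll, which is outside the hunk. A one-line comment here would stop the next reader from "correcting" either number, e.g. `/* One in ten default-range picks is extra-large; with the switch above this stays under 5% overall. */`. Since min_value can now be HAVOC_BLK_LARGE, the clamp against `limit` that follows the switch (not in the hunk) is what keeps `choose_block_len(temp_len)` sane for small inputs, so it is worth confirming it still covers min_value >= limit. The function body continues outside the hunk.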
@@ -6230,16 +6243,26 @@ static u8 fuzz_one(char** argv) {
 case 13:
- if (temp_len + HAVOC_BLK_LARGE < MAX_FILE) {
+ if (temp_len + HAVOC_BLK_XL < MAX_FILE) {
 /* Clone bytes (75%) or insert a block of constant bytes (25%). */
+ u8 actually_clone = UR(4);
 u32 clone_from, clone_to, clone_len;
 u8* new_buf;
- clone_len = choose_block_len(temp_len);
+ if (actually_clone) {
+
+ clone_len = choose_block_len(temp_len);
+ clone_from = UR(temp_len - clone_len + 1);
+
+ } else {
+
+ clone_len = choose_block_len(HAVOC_BLK_XL);
+ clone_from = 0;
+
+ }
- clone_from = UR(temp_len - clone_len + 1);
 clone_to = UR(temp_len);
 new_buf = ck_alloc_nozero(temp_len + clone_len);
@@ -6250,10 +6273,11 @@ static u8 fuzz_one(char** argv) {
 /* Inserted part */
- if (UR(4))
+ if (actually_clone)
 memcpy(new_buf + clone_to, out_buf + clone_from, clone_len);
 else
- memset(new_buf + clone_to, UR(256), clone_len);
+ memset(new_buf + clone_to,
+ UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len);
 /* Tail */
 memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
@@ -6286,7 +6310,8 @@ static u8 fuzz_one(char** argv) {
 if (copy_from != copy_to)
 memmove(out_buf + copy_to, out_buf + copy_from, copy_len);
- } else memset(out_buf + copy_to, UR(256), copy_len);
+ } else memset(out_buf + copy_to,
+ UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len);
 break;
@@ -6334,7 +6359,7 @@ static u8 fuzz_one(char** argv) {
 case 16: {
- u32 use_extra, extra_len, insert_at = UR(temp_len);
+ u32 use_extra, extra_len, insert_at = UR(temp_len + 1);
 u8* new_buf;
 /* Insert an extra. Do the same dice-rolling stuff as for the
diff --git a/config.h b/config.h
index 511235b6..4e610d4c 100644
--- a/config.h
+++ b/config.h
@@ -21,7 +21,7 @@
 /* Version string: */
-#define VERSION "2.39b"
+#define VERSION "2.40b"
 /******************************************************
 * *
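Review bot: The fill-byte expression `UR(2) ? UR(256) : out_buf[UR(temp_len)]` now appears verbatim in the `case 13` memset here and again in the `case 14` memset in the hunk at -6286,7; a tiny helper would keep the two from drifting apart, e.g. `static u8 pick_fill_byte(u8* buf, u32 len) { return UR(2) ? UR(256) : buf[UR(len)]; }` used as `memset(new_buf + clone_to, pick_fill_byte(out_buf, temp_len), clone_len);`. The new index `UR(temp_len)` reads back from the buffer being mutated, which is only well-defined while temp_len is non-zero; the checks that establish that for both cases sit outside these hunks, so a comment such as `/* temp_len >= 1 here, so out_buf[UR(temp_len)] is in range */` would record the dependency. fuzz_one continues outside the hunk.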
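Review bot: `insert_at = UR(temp_len + 1)` in `case 16` widens the range so that insert_at == temp_len is now reachable, which means the tail copy later in the case (outside the hunk) must tolerate a zero-length copy from `out_buf + temp_len`; that is well-defined, but nothing in the hunk records that appending is intended rather than an off-by-one. A comment would pin it, e.g. `/* temp_len + 1: insert_at == temp_len appends after the last byte. */`, mirroring the `i <= len` change to the deterministic extras stage in the hunk at -5881,7, which presumably is the "minor oversight" the ChangeLog refers to.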
@@ -106,6 +106,10 @@
 #define HAVOC_BLK_MEDIUM 128
 #define HAVOC_BLK_LARGE 1500
+/* Extra-large blocks, selected very rarely (<5% of the time): */
+
+#define HAVOC_BLK_XL 32768
+
 /* Probabilities of skipping non-favored entries in the queue, expressed as percentages: */
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 1112df2f..6eca31d5 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -16,6 +16,17 @@ Not sure if you should upgrade? The lowest currently recommended version is 2.31b. If you're stuck on an earlier release, it's strongly advisable to get on with the times.
+--------------
+Version 2.40b:
+--------------
+
+ - Fixed a minor oversight in the insertion strategy for dictionary words.
+ Spotted by Andrzej Jackowski.
+
+ - Made a small improvement to the havoc block insertion strategy.
+
+ - Adjusted color rules for "is it done yet?" indicators.
+
 --------------
 Version 2.39b:
 --------------
@@ -71,7 +82,7 @@ Version 2.36b:
 are unique to the input file, but not to the "boring" baseline. Suggested by Sami Liedes.
- - "Fixed" a getPassName() problem with never versions of clang.
+ - "Fixed" a getPassName() problem with newer versions of clang.
 Reported by Craig Young and several other folks. Yep, I know I have a backlog on several other feature requests.
diff --git a/docs/README b/docs/README
index 501bdd43..d6a6096d 100644
--- a/docs/README
+++ b/docs/README
@@ -481,6 +481,7 @@ bug reports, or patches from:
 Joshua J. Drake Toby Hutton Rene Freingruber Sergey Davidoff Sami Liedes Craig Young
+ Andrzej Jackowski
 Thank you!
diff --git a/docs/sister_projects.txt b/docs/sister_projects.txt
index 4a7ebdc2..1d87acb4 100644
--- a/docs/sister_projects.txt
+++ b/docs/sister_projects.txt
@@ -85,6 +85,10 @@ WinAFL (Ivan Fratric)
 https://github.com/ivanfratric/winafl
+ Another Windows alternative may be:
+
+ https://github.com/carlosgprado/BrundleFuzz/
+
 ----------------
 Network fuzzing:
 ----------------
@@ -120,6 +124,13 @@ Distfuzz-AFL (Martijn Bogaard)
 https://github.com/MartijnB/disfuzz-afl
+AFLDFF (quantumvm)
+------------------
+
+ A nice GUI for managing AFL jobs.
+
+ https://github.com/quantumvm/AFLDFF
+
 afl-launch (Ben Nagy)
 ---------------------
@@ -134,6 +145,10 @@ AFL Utils (rc0r)
 https://github.com/rc0r/afl-utils
+ Another crash triage tool:
+
+ https://github.com/floyd-fuh/afl-crash-analyzer
+
 afl-fuzzing-scripts (Tobias Ospelt)
 -----------------------------------
@@ -148,6 +163,10 @@ afl-sid (Jacek Wielemborek)
 https://github.com/d33tah/afl-sid
+ Another Docker-related project:
+
+ https://github.com/ozzyjohnson/docker-afl
+
 afl-monitor (Paul S. Ziegler)
 -----------------------------
@@ -226,7 +245,7 @@ Pause and resume scripts (Ben Nagy)
 Simple automation to suspend and resume groups of fuzzing jobs.
- https://gist.github.com/bnagy/8f0eb29eb125653f73fd
+ https://github.com/bnagy/afl-trivia
 Static binary-only instrumentation (Aleksandar Nikolich)
 --------------------------------------------------------
@@ -303,3 +322,17 @@ Kernel fuzzing (Dmitry Vyukov)
 https://github.com/google/syzkaller/wiki/Found-Bugs
 https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
 http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
+
+Android support (ele7enxxh)
+---------------------------
+
+ Based on a somewhat dated version of AFL:
+
+ https://github.com/ele7enxxh/android-afl
+
+CGI wrapper (floyd)
+-------------------
+
+ Facilitates the testing of CGI scripts.
+
+ https://github.com/floyd-fuh/afl-cgi-wrapper