2.11b

Makefile

@@ -14,7 +14,7 @@
 #
 
 PROGNAME    = afl
-VERSION     = 2.10b
+VERSION     = 2.11b
 
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin

afl-fuzz.c

@@ -5750,6 +5750,11 @@ static u8 fuzz_one(char** argv) {
 
     for (j = 0; j < extras_cnt; j++) {
 
+      if (len + extras[j].len > MAX_FILE) {
+        stage_max--; 
+        continue;
+      }
+
       /* Insert token */
       memcpy(ex_tmp + i, extras[j].data, extras[j].len);
 

afl-gotcpu.c

@@ -37,6 +37,7 @@
 #include <sys/time.h>
 #include <sys/times.h>
 #include <sys/resource.h>
+#include <sys/wait.h>
 
 #include "types.h"
 #include "debug.h"
@@ -125,41 +126,57 @@ int main(int argc, char** argv) {
   SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by <[email protected]>\n");
 
   ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...",
-       ((double)CTEST_CORE_TRG_MS) * cpu_cnt / 1000);
+       ((double)CTEST_CORE_TRG_MS) / 1000);
 
   for (i = 0; i < cpu_cnt; i++) {
 
-    cpu_set_t c;
-    u32 util_perc;
+    s32 fr = fork();
 
-    CPU_ZERO(&c);
-    CPU_SET(i, &c);
+    if (fr < 0) PFATAL("fork failed");
 
-    if (sched_setaffinity(0, sizeof(c), &c))
-      PFATAL("sched_setaffinity failed");
+    if (!fr) {
 
-    util_perc = measure_preemption(CTEST_CORE_TRG_MS);
+      cpu_set_t c;
+      u32 util_perc;
 
-    if (util_perc < 105) {
+      CPU_ZERO(&c);
+      CPU_SET(i, &c);
 
-      SAYF("    Core #%u: " cLGN "AVAILABLE\n" cRST, i); 
-      maybe_cpus++;
-      idle_cpus++;
+      if (sched_setaffinity(0, sizeof(c), &c))
+        PFATAL("sched_setaffinity failed");
 
-    } else if (util_perc < 130) {
+      util_perc = measure_preemption(CTEST_CORE_TRG_MS);
 
-      SAYF("    Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc); 
-      maybe_cpus++;
+      if (util_perc < 110) {
 
-    } else {
+        SAYF("    Core #%u: " cLGN "AVAILABLE\n" cRST, i);
+        exit(0);
+
+      } else if (util_perc < 250) {
+
+        SAYF("    Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc); 
+        exit(1);
+
+      }
 
       SAYF("    Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i,
            util_perc);
+      exit(2);
 
     }
 
   }
 
+  for (i = 0; i < cpu_cnt; i++) {
+
+    int ret;
+    if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed");
+
+    if (WEXITSTATUS(ret) == 0) idle_cpus++;
+    if (WEXITSTATUS(ret) <= 1) maybe_cpus++;
+
+  }
+
   SAYF(cGRA "\n>>> ");
 
   if (idle_cpus) {

docs/ChangeLog

@@ -16,6 +16,19 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 2.07b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 2.11b:
+--------------
+
+  - Fixed a minor typo in instrumented_cmp, spotted by Hanno Eissfeldt.
+
+  - Added a missing size check for deterministic insertion steps.
+
+  - Made an improvement to afl-gotcpu when -Z not used.
+
+  - Fixed a typo in post_library_png.so.c in experimental/. Spotted by Kostya
+    Serebryany.
+
 --------------
 Version 2.10b:
 --------------

docs/parallel_fuzzing.txt

@@ -52,10 +52,10 @@ for any test cases found by other fuzzers - and will incorporate them into
 its own fuzzing when they are deemed interesting enough.
 
 The only difference between the -M and -S modes is that the master instance
-will still perform deterministic checks; while the slaves will proceed straight
-to random tweaks. If you don't want to do deterministic fuzzing at all, it's OK
-to run all instances with -S. With very slow or complex targets, or when running
-heavily parallelized jobs, this is usually a good plan.
+will still perform deterministic checks; while the secondary instances will
+proceed straight to random tweaks. If you don't want to do deterministic
+fuzzing at all, it's OK to run all instances with -S. With very slow or complex
+targets, or when running heavily parallelized jobs, this is usually a good plan.
 
 You can monitor the progress of your jobs from the command line with the
 provided afl-whatsup tool. When the instances are no longer finding new paths,
@@ -160,11 +160,11 @@ In principle, you can use the status screen of the master (-M) instance to
 monitor the overall fuzzing progress and decide when to stop. In this
 mode, the most important signal is just that no new paths are being found
 for a longer while. If you do not have a master instance, just pick any
-single slave and go by that.
+single secondary instance to watch and go by that.
 
 You can also rely on that instance's output directory to collect the
 synthesized corpus that covers all the noteworthy paths discovered anywhere
-within the fleet. The slave (-S) instances do not require any special
+within the fleet. Secondary (-S) instances do not require any special
 monitoring, other than just making sure that they are up.
 
 Keep in mind that crashing inputs are *not* automatically propagated to the

experimental/instrumented_cmp/instrumented_cmp.c

@@ -1,6 +1,6 @@
 /*
 
-   A simple proof-of-concept for instrumented strcpy() or memcpy().
+   A simple proof-of-concept for instrumented strcmp() or memcmp().
 
    Normally, afl-fuzz will have difficulty ever reaching the code behind
    something like:
@@ -9,7 +9,7 @@
 
    This is because the strcmp() operation is completely opaque to the tool.
    A simple and non-invasive workaround that doesn't require complex code
-   analysis is to replace strcpy(), memcpy(), and equivalents with
+   analysis is to replace strcmp(), memcmp(), and equivalents with
    inlined, non-optimized code.
 
    I am still evaluating the value of doing this, but for time being, here's

experimental/post_library/post_library_png.so.c

@@ -67,7 +67,7 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
     /* Chunk checksum is calculated for chunk ID (dword) and the actual
        payload. */
 
-    real_cksum = ntohl(crc32(0, in_buf + pos + 4, chunk_len + 4));
+    real_cksum = htonl(crc32(0, in_buf + pos + 4, chunk_len + 4));
 
     /* The in-file checksum is the last dword past the chunk data. */