diff --git a/Makefile b/Makefile index 1442394f..a6ef4631 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ # PROGNAME = afl -VERSION = 2.10b +VERSION = 2.11b PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin diff --git a/afl-fuzz.c b/afl-fuzz.c index 37239dc8..6770e4f0 100644 --- a/afl-fuzz.c +++ b/afl-fuzz.c @@ -5750,6 +5750,11 @@ static u8 fuzz_one(char** argv) { for (j = 0; j < extras_cnt; j++) { + if (len + extras[j].len > MAX_FILE) { + stage_max--; + continue; + } + /* Insert token */ memcpy(ex_tmp + i, extras[j].data, extras[j].len); diff --git a/afl-gotcpu.c b/afl-gotcpu.c index 72819cf8..c296993b 100644 --- a/afl-gotcpu.c +++ b/afl-gotcpu.c @@ -37,6 +37,7 @@ #include #include #include +#include #include "types.h" #include "debug.h" @@ -125,41 +126,57 @@ int main(int argc, char** argv) { SAYF(cCYA "afl-gotcpu " cBRI VERSION cRST " by \n"); ACTF("Measuring per-core preemption rate (this will take %0.02f sec)...", - ((double)CTEST_CORE_TRG_MS) * cpu_cnt / 1000); + ((double)CTEST_CORE_TRG_MS) / 1000); for (i = 0; i < cpu_cnt; i++) { - cpu_set_t c; - u32 util_perc; + s32 fr = fork(); - CPU_ZERO(&c); - CPU_SET(i, &c); + if (fr < 0) PFATAL("fork failed"); - if (sched_setaffinity(0, sizeof(c), &c)) - PFATAL("sched_setaffinity failed"); + if (!fr) { - util_perc = measure_preemption(CTEST_CORE_TRG_MS); + cpu_set_t c; + u32 util_perc; - if (util_perc < 105) { + CPU_ZERO(&c); + CPU_SET(i, &c); - SAYF(" Core #%u: " cLGN "AVAILABLE\n" cRST, i); - maybe_cpus++; - idle_cpus++; + if (sched_setaffinity(0, sizeof(c), &c)) + PFATAL("sched_setaffinity failed"); - } else if (util_perc < 130) { + util_perc = measure_preemption(CTEST_CORE_TRG_MS); - SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc); - maybe_cpus++; + if (util_perc < 110) { - } else { + SAYF(" Core #%u: " cLGN "AVAILABLE\n" cRST, i); + exit(0); + + } else if (util_perc < 250) { + + SAYF(" Core #%u: " cYEL "CAUTION " cRST "(%u%%)\n", i, util_perc); + exit(1); + + } SAYF(" Core #%u: " cLRD "OVERBOOKED " cRST "(%u%%)\n" cRST, i, util_perc); + exit(2); } } + for (i = 0; i < cpu_cnt; i++) { + + int ret; + if (waitpid(-1, &ret, 0) < 0) PFATAL("waitpid failed"); + + if (WEXITSTATUS(ret) == 0) idle_cpus++; + if (WEXITSTATUS(ret) <= 1) maybe_cpus++; + + } + SAYF(cGRA "\n>>> "); if (idle_cpus) { diff --git a/docs/ChangeLog b/docs/ChangeLog index 45460626..154373d7 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -16,6 +16,19 @@ Not sure if you should upgrade? The lowest currently recommended version is 2.07b. If you're stuck on an earlier release, it's strongly advisable to get on with the times. +-------------- +Version 2.11b: +-------------- + + - Fixed a minor typo in instrumented_cmp, spotted by Hanno Eissfeldt. + + - Added a missing size check for deterministic insertion steps. + + - Made an improvement to afl-gotcpu when -Z not used. + + - Fixed a typo in post_library_png.so.c in experimental/. Spotted by Kostya + Serebryany. + -------------- Version 2.10b: -------------- diff --git a/docs/parallel_fuzzing.txt b/docs/parallel_fuzzing.txt index 5addf7ba..69c1a9ae 100644 --- a/docs/parallel_fuzzing.txt +++ b/docs/parallel_fuzzing.txt @@ -52,10 +52,10 @@ for any test cases found by other fuzzers - and will incorporate them into its own fuzzing when they are deemed interesting enough. The only difference between the -M and -S modes is that the master instance -will still perform deterministic checks; while the slaves will proceed straight -to random tweaks. If you don't want to do deterministic fuzzing at all, it's OK -to run all instances with -S. With very slow or complex targets, or when running -heavily parallelized jobs, this is usually a good plan. +will still perform deterministic checks; while the secondary instances will +proceed straight to random tweaks. If you don't want to do deterministic +fuzzing at all, it's OK to run all instances with -S. With very slow or complex +targets, or when running heavily parallelized jobs, this is usually a good plan. You can monitor the progress of your jobs from the command line with the provided afl-whatsup tool. When the instances are no longer finding new paths, @@ -160,11 +160,11 @@ In principle, you can use the status screen of the master (-M) instance to monitor the overall fuzzing progress and decide when to stop. In this mode, the most important signal is just that no new paths are being found for a longer while. If you do not have a master instance, just pick any -single slave and go by that. +single secondary instance to watch and go by that. You can also rely on that instance's output directory to collect the synthesized corpus that covers all the noteworthy paths discovered anywhere -within the fleet. The slave (-S) instances do not require any special +within the fleet. Secondary (-S) instances do not require any special monitoring, other than just making sure that they are up. Keep in mind that crashing inputs are *not* automatically propagated to the diff --git a/experimental/instrumented_cmp/instrumented_cmp.c b/experimental/instrumented_cmp/instrumented_cmp.c index 53e7d7a8..867da5c0 100644 --- a/experimental/instrumented_cmp/instrumented_cmp.c +++ b/experimental/instrumented_cmp/instrumented_cmp.c @@ -1,6 +1,6 @@ /* - A simple proof-of-concept for instrumented strcpy() or memcpy(). + A simple proof-of-concept for instrumented strcmp() or memcmp(). Normally, afl-fuzz will have difficulty ever reaching the code behind something like: @@ -9,7 +9,7 @@ This is because the strcmp() operation is completely opaque to the tool. A simple and non-invasive workaround that doesn't require complex code - analysis is to replace strcpy(), memcpy(), and equivalents with + analysis is to replace strcmp(), memcmp(), and equivalents with inlined, non-optimized code. I am still evaluating the value of doing this, but for time being, here's diff --git a/experimental/post_library/post_library_png.so.c b/experimental/post_library/post_library_png.so.c index 7ebb968e..080a6938 100644 --- a/experimental/post_library/post_library_png.so.c +++ b/experimental/post_library/post_library_png.so.c @@ -67,7 +67,7 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf, /* Chunk checksum is calculated for chunk ID (dword) and the actual payload. */ - real_cksum = ntohl(crc32(0, in_buf + pos + 4, chunk_len + 4)); + real_cksum = htonl(crc32(0, in_buf + pos + 4, chunk_len + 4)); /* The in-file checksum is the last dword past the chunk data. */