1.86b

Makefile

@@ -14,7 +14,7 @@
 #
 
 PROGNAME    = afl
-VERSION     = 1.85b
+VERSION     = 1.86b
 
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin

afl-fuzz.c

@@ -88,6 +88,7 @@ static u8  skip_deterministic,        /* Skip deterministic stages?       */
            resuming_fuzz,             /* Resuming an older fuzzing job?   */
            timeout_given,             /* Specific timeout given?          */
            not_on_tty,                /* stdout is not a tty              */
+           term_too_small,            /* terminal dimensions too small    */
            uses_asan,                 /* Target uses ASAN?                */
            no_forkserver,             /* Disable forkserver?              */
            crash_mode,                /* Crash mode! Yeah!                */
@@ -2491,8 +2492,8 @@ static void check_map_coverage(void) {
 static void perform_dry_run(char** argv) {
 
   struct queue_entry* q = queue;
-  u32 id = 0;
   u32 cal_failures = 0;
+  u8* skip_crashes = getenv("AFL_SKIP_CRASHES");
 
   while (q) {
 
@@ -2576,6 +2577,13 @@ static void perform_dry_run(char** argv) {
 
         if (crash_mode) break;
 
+        if (skip_crashes) {
+          WARNF("Test case results in a crash (skipping)");
+          q->cal_failed = CAL_CHANCES;
+          cal_failures++;
+          break;
+        }
+
         if (mem_limit) {
 
           SAYF("\n" cLRD "[-] " cRST
@@ -2660,17 +2668,18 @@ static void perform_dry_run(char** argv) {
     if (q->var_behavior) WARNF("Instrumentation output varies across runs.");
 
     q = q->next;
-    id++;
 
   }
 
   if (cal_failures) {
 
     if (cal_failures == queued_paths)
-      FATAL("All test cases time out, giving up!");
+      FATAL("All test cases time out%s, giving up!",
+            skip_crashes ? " or crash" : "");
 
-    WARNF("Skipped %u test cases (%0.02f%%) due to timeouts.", cal_failures,
-          ((double)cal_failures) * 100 / queued_paths);
+    WARNF("Skipped %u test cases (%0.02f%%) due to timeouts%s.", cal_failures,
+          ((double)cal_failures) * 100 / queued_paths,
+          skip_crashes ? " or crashes" : "");
 
     if (cal_failures * 5 > queued_paths)
       WARNF(cLRD "High percentage of rejected test cases, check settings!");
@@ -3605,6 +3614,9 @@ static void maybe_delete_out_dir(void) {
 }
 
 
+static void check_term_size(void);
+
+
 /* A spiffy retro stats screen! This is called every stats_update_freq
    execve() calls, plus in several other circumstances. */
 
@@ -3700,10 +3712,21 @@ static void show_stats(void) {
     SAYF(TERM_CLEAR CURSOR_HIDE);
     clear_screen = 0;
 
+    check_term_size();
+
   }
 
   SAYF(TERM_HOME);
 
+  if (term_too_small) {
+
+    SAYF(cBRI "Your terminal is too small to display the UI.\n"
+         "Please resize terminal window to at least 80x25.\n" cNOR);
+
+    return;
+
+  }
+
   /* Let's start by drawing a centered banner. */
 
   banner_len = (crash_mode ? 24 : 22) + strlen(VERSION) + strlen(use_banner);
@@ -3916,7 +3939,7 @@ static void show_stats(void) {
 
     sprintf(tmp, "%s/%s, %s/%s, %s/%s",
             DI(stage_finds[STAGE_FLIP1]), DI(stage_cycles[STAGE_FLIP1]),
-            DI(stage_finds[STAGE_FLIP4]), DI(stage_cycles[STAGE_FLIP2]),
+            DI(stage_finds[STAGE_FLIP2]), DI(stage_cycles[STAGE_FLIP2]),
             DI(stage_finds[STAGE_FLIP4]), DI(stage_cycles[STAGE_FLIP4]));
 
   }
@@ -6618,9 +6641,9 @@ static void fix_up_banner(u8* name) {
 }
 
 
-/* Check terminal dimensions. */
+/* Check if we're on TTY. */
 
-static void check_terminal(void) {
+static void check_if_tty(void) {
 
   struct winsize ws;
 
@@ -6634,19 +6657,20 @@ static void check_terminal(void) {
     return;
   }
 
-  if (ws.ws_row < 25 || ws.ws_col < 80) {
+}
 
-    SAYF("\n" cLRD "[-] " cRST
-         "Oops, your terminal window seems to be smaller than 80 x 25 characters.\n"
-         "    That's not enough for afl-fuzz to correctly draw its fancy ANSI UI!\n\n"
 
-         "    Depending on the terminal software you are using, you should be able to\n"
-         "    resize the window by dragging its edges, or to adjust the dimensions in\n"
-         "    the settings menu.\n");
+/* Check terminal dimensions after resize. */
 
-    FATAL("Please resize terminal to 80x25 or more");
+static void check_term_size(void) {
 
-  }
+  struct winsize ws;
+
+  term_too_small = 0;
+
+  if (ioctl(1, TIOCGWINSZ, &ws)) return;
+
+  if (ws.ws_row < 25 || ws.ws_col < 80) term_too_small = 1;
 
 }
 
@@ -7481,7 +7505,7 @@ int main(int argc, char** argv) {
 
   fix_up_banner(argv[optind]);
 
-  check_terminal();
+  check_if_tty();
 
   get_core_count();
   check_crash_handling();

docs/ChangeLog

@@ -16,6 +16,18 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 1.76b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 1.86b:
+--------------
+
+  - Added support for AFL_SKIP_CRASHES, which is a very hackish solution to
+    the problem of resuming sessions with intermittently crashing inputs.
+
+  - Removed the hard-fail terminal size check, replaced with a dynamic
+    warning shown in place of the UI. Based on feedback from Christian Holler.
+
+  - Fixed a minor typo in show_stats. Spotted by Dingbao Xie.
+
 --------------
 Version 1.85b:
 --------------

docs/README

@@ -427,6 +427,7 @@ bug reports, or patches from:
   Keegan McAllister                     Kostya Serebryany
   Richo Healey                          Martijn Bogaard
   rc0r                                  Jonathan Foote
+  Christian Holler
 
 Thank you!
 

docs/env_variables.txt

@@ -107,6 +107,11 @@ checks or alter some of the more exotic semantics of the tool:
     normally indicated by the cycle counter in the UI turning green. May be
     convenient for some types of automated jobs.
 
+  - AFL_SKIP_CRASHES causes AFL to tolerate crashing files in the input
+    queue. This can help with rare situations where a program crashes only
+    intermittently, but it's not really recommended under normal operating
+    conditions.
+
   - When developing custom instrumentation on top of afl-fuzz, you can use
     AFL_SKIP_BIN_CHECK to inhibit the checks for non-instrumented binaries
     and shell scripts; and AFL_DUMB_FORKSRV in conjunction with the -n

docs/notes_for_asan.txt

@@ -109,3 +109,16 @@ ASAN, MSAN, and other sanitizers appear to be incompatible with QEMU user
 emulation, so please do not try to use them with the -Q option; QEMU doesn't
 seem to appreciate the shadow VM trick used by these tools, and will likely
 just allocate all your physical memory, then crash.
+
+4) What about UBSAN?
+--------------------
+
+Some folks expressed interest in fuzzing with UBSAN. This isn't officially
+supported, because many installations of UBSAN don't offer a consistent way
+to abort() on fault conditions or to terminate with a distinctive exit code.
+
+That said, some versions of the library can be binary-patched to address this
+issue, while newer releases support explicit compile-time flags - see this
+mailing list thread for tips:
+
+  https://groups.google.com/forum/#!topic/afl-users/GyeSBJt4M38

docs/sister_projects.txt

@@ -21,7 +21,7 @@ Python AFL (Jakub Wilk)
 Go-fuzz (Dmitry Vyukov)
 -----------------------
 
-  AFL-style guided fuzzing approach for Go targets:
+  AFL-inspired guided fuzzing approach for Go targets:
 
   https://github.com/dvyukov/go-fuzz
 
@@ -154,6 +154,13 @@ RecidiVM (Jakub Wilk)
 Narrow-purpose or experimental:
 -------------------------------
 
+Pause and resume scripts (Ben Nagy)
+-----------------------------------
+
+  Simple automation to suspend and resume groups of fuzzing jobs.
+
+  https://gist.github.com/bnagy/8f0eb29eb125653f73fd
+
 Static binary-only instrumentation (Aleksandar Nikolich)
 --------------------------------------------------------