1 /*
2 american fuzzy lop++ - globals declarations
3 -------------------------------------------
4
5 Originally written by Michal Zalewski
6
7 Now maintained by Marc Heuse <mh@mh-sec.de>,
8 Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
9 Andrea Fioraldi <andreafioraldi@gmail.com>
10
11 Copyright 2016, 2017 Google Inc. All rights reserved.
12 Copyright 2019-2022 AFLplusplus Project. All rights reserved.
13
14 Licensed under the Apache License, Version 2.0 (the "License");
15 you may not use this file except in compliance with the License.
16 You may obtain a copy of the License at:
17
18 https://www.apache.org/licenses/LICENSE-2.0
19
20 This is the real deal: the program takes an instrumented binary and
21 attempts a variety of basic fuzzing tricks, paying close attention to
22 how they affect the execution path.
23
24 */
25
26 #include "afl-fuzz.h"
27 #include "envs.h"
28
29 s8 interesting_8[] = {INTERESTING_8};
30 s16 interesting_16[] = {INTERESTING_8, INTERESTING_16};
31 s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32};
32
33 char *power_names[POWER_SCHEDULES_NUM] = {"explore", "mmopt", "exploit",
34 "fast", "coe", "lin",
35 "quad", "rare", "seek"};
36
37 /* Initialize MOpt "globals" for this afl state */
38
init_mopt_globals(afl_state_t * afl)39 static void init_mopt_globals(afl_state_t *afl) {
40
41 MOpt_globals_t *core = &afl->mopt_globals_core;
42 core->finds = afl->core_operator_finds_puppet;
43 core->finds_v2 = afl->core_operator_finds_puppet_v2;
44 core->cycles = afl->core_operator_cycles_puppet;
45 core->cycles_v2 = afl->core_operator_cycles_puppet_v2;
46 core->cycles_v3 = afl->core_operator_cycles_puppet_v3;
47 core->is_pilot_mode = 0;
48 core->pTime = &afl->tmp_core_time;
49 core->period = period_core;
50 core->havoc_stagename = "MOpt-core-havoc";
51 core->splice_stageformat = "MOpt-core-splice %u";
52 core->havoc_stagenameshort = "MOpt_core_havoc";
53 core->splice_stagenameshort = "MOpt_core_splice";
54
55 MOpt_globals_t *pilot = &afl->mopt_globals_pilot;
56 pilot->finds = afl->stage_finds_puppet[0];
57 pilot->finds_v2 = afl->stage_finds_puppet_v2[0];
58 pilot->cycles = afl->stage_cycles_puppet[0];
59 pilot->cycles_v2 = afl->stage_cycles_puppet_v2[0];
60 pilot->cycles_v3 = afl->stage_cycles_puppet_v3[0];
61 pilot->is_pilot_mode = 1;
62 pilot->pTime = &afl->tmp_pilot_time;
63 pilot->period = period_pilot;
64 pilot->havoc_stagename = "MOpt-havoc";
65 pilot->splice_stageformat = "MOpt-splice %u";
66 pilot->havoc_stagenameshort = "MOpt_havoc";
67 pilot->splice_stagenameshort = "MOpt_splice";
68
69 }
70
71 /* A global pointer to all instances is needed (for now) for signals to arrive
72 */
73
74 static list_t afl_states = {.element_prealloc_count = 0};
75
76 /* Initializes an afl_state_t. */
77
afl_state_init(afl_state_t * afl,uint32_t map_size)78 void afl_state_init(afl_state_t *afl, uint32_t map_size) {
79
80 /* thanks to this memset, growing vars like out_buf
81 and out_size are NULL/0 by default. */
82 memset(afl, 0, sizeof(afl_state_t));
83
84 afl->shm.map_size = map_size ? map_size : MAP_SIZE;
85
86 afl->w_init = 0.9;
87 afl->w_end = 0.3;
88 afl->g_max = 5000;
89 afl->period_pilot_tmp = 5000.0;
90 afl->schedule = FAST; /* Power schedule (default: FAST) */
91 afl->havoc_max_mult = HAVOC_MAX_MULT;
92
93 afl->clear_screen = 1; /* Window resized? */
94 afl->havoc_div = 1; /* Cycle count divisor for havoc */
95 afl->stage_name = "init"; /* Name of the current fuzz stage */
96 afl->splicing_with = -1; /* Splicing with which test case? */
97 afl->cpu_to_bind = -1;
98 afl->havoc_stack_pow2 = HAVOC_STACK_POW2;
99 afl->hang_tmout = EXEC_TIMEOUT;
100 afl->exit_on_time = 0;
101 afl->stats_update_freq = 1;
102 afl->stats_avg_exec = 0;
103 afl->skip_deterministic = 1;
104 afl->cmplog_lvl = 2;
105 afl->min_length = 1;
106 afl->max_length = MAX_FILE;
107 #ifndef NO_SPLICING
108 afl->use_splicing = 1;
109 #endif
110 afl->q_testcase_max_cache_size = TESTCASE_CACHE_SIZE * 1048576UL;
111 afl->q_testcase_max_cache_entries = 64 * 1024;
112
113 #ifdef HAVE_AFFINITY
114 afl->cpu_aff = -1; /* Selected CPU core */
115 #endif /* HAVE_AFFINITY */
116
117 afl->virgin_bits = ck_alloc(map_size);
118 afl->virgin_tmout = ck_alloc(map_size);
119 afl->virgin_crash = ck_alloc(map_size);
120 afl->var_bytes = ck_alloc(map_size);
121 afl->top_rated = ck_alloc(map_size * sizeof(void *));
122 afl->clean_trace = ck_alloc(map_size);
123 afl->clean_trace_custom = ck_alloc(map_size);
124 afl->first_trace = ck_alloc(map_size);
125 afl->map_tmp_buf = ck_alloc(map_size);
126
127 afl->fsrv.use_stdin = 1;
128 afl->fsrv.map_size = map_size;
129 // afl_state_t is not available in forkserver.c
130 afl->fsrv.afl_ptr = (void *)afl;
131 afl->fsrv.add_extra_func = (void (*)(void *, u8 *, u32)) & add_extra;
132 afl->fsrv.exec_tmout = EXEC_TIMEOUT;
133 afl->fsrv.mem_limit = MEM_LIMIT;
134 afl->fsrv.dev_urandom_fd = -1;
135 afl->fsrv.dev_null_fd = -1;
136 afl->fsrv.child_pid = -1;
137 afl->fsrv.out_dir_fd = -1;
138
139 init_mopt_globals(afl);
140
141 list_append(&afl_states, afl);
142
143 }
144
145 /*This sets up the environment variables for afl-fuzz into the afl_state
146 * struct*/
147
read_afl_environment(afl_state_t * afl,char ** envp)148 void read_afl_environment(afl_state_t *afl, char **envp) {
149
150 int index = 0, issue_detected = 0;
151 char *env;
152 while ((env = envp[index++]) != NULL) {
153
154 if (strncmp(env, "ALF_", 4) == 0) {
155
156 WARNF("Potentially mistyped AFL environment variable: %s", env);
157 issue_detected = 1;
158
159 } else if (strncmp(env, "USE_", 4) == 0) {
160
161 WARNF(
162 "Potentially mistyped AFL environment variable: %s, did you mean "
163 "AFL_%s?",
164 env, env);
165 issue_detected = 1;
166
167 } else if (strncmp(env, "AFL_", 4) == 0) {
168
169 int i = 0, match = 0;
170 while (match == 0 && afl_environment_variables[i] != NULL) {
171
172 size_t afl_environment_variable_len =
173 strlen(afl_environment_variables[i]);
174 if (strncmp(env, afl_environment_variables[i],
175 afl_environment_variable_len) == 0 &&
176 env[afl_environment_variable_len] == '=') {
177
178 match = 1;
179 if (!strncmp(env, "AFL_SKIP_CPUFREQ", afl_environment_variable_len)) {
180
181 afl->afl_env.afl_skip_cpufreq =
182 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
183
184 } else if (!strncmp(env, "AFL_EXIT_WHEN_DONE",
185
186 afl_environment_variable_len)) {
187
188 afl->afl_env.afl_exit_when_done =
189 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
190
191 } else if (!strncmp(env, "AFL_EXIT_ON_TIME",
192
193 afl_environment_variable_len)) {
194
195 afl->afl_env.afl_exit_on_time =
196 (u8 *)get_afl_env(afl_environment_variables[i]);
197
198 } else if (!strncmp(env, "AFL_NO_AFFINITY",
199
200 afl_environment_variable_len)) {
201
202 afl->afl_env.afl_no_affinity =
203 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
204
205 } else if (!strncmp(env, "AFL_TRY_AFFINITY",
206
207 afl_environment_variable_len)) {
208
209 afl->afl_env.afl_try_affinity =
210 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
211
212 } else if (!strncmp(env, "AFL_SKIP_CRASHES",
213
214 afl_environment_variable_len)) {
215
216 // we should mark this obsolete in a few versions
217
218 } else if (!strncmp(env, "AFL_HANG_TMOUT",
219
220 afl_environment_variable_len)) {
221
222 afl->afl_env.afl_hang_tmout =
223 (u8 *)get_afl_env(afl_environment_variables[i]);
224
225 } else if (!strncmp(env, "AFL_KEEP_TIMEOUTS",
226
227 afl_environment_variable_len)) {
228
229 afl->afl_env.afl_keep_timeouts =
230 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
231
232 } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK",
233
234 afl_environment_variable_len)) {
235
236 afl->afl_env.afl_skip_bin_check =
237 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
238
239 } else if (!strncmp(env, "AFL_DUMB_FORKSRV",
240
241 afl_environment_variable_len)) {
242
243 afl->afl_env.afl_dumb_forksrv =
244 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
245
246 } else if (!strncmp(env, "AFL_IMPORT_FIRST",
247
248 afl_environment_variable_len)) {
249
250 afl->afl_env.afl_import_first =
251 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
252
253 } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_ONLY",
254
255 afl_environment_variable_len)) {
256
257 afl->afl_env.afl_custom_mutator_only =
258 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
259
260 } else if (!strncmp(env, "AFL_CMPLOG_ONLY_NEW",
261
262 afl_environment_variable_len)) {
263
264 afl->afl_env.afl_cmplog_only_new =
265 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
266
267 } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) {
268
269 afl->afl_env.afl_no_ui =
270 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
271
272 } else if (!strncmp(env, "AFL_FORCE_UI",
273
274 afl_environment_variable_len)) {
275
276 afl->afl_env.afl_force_ui =
277 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
278
279 } else if (!strncmp(env, "AFL_IGNORE_PROBLEMS",
280
281 afl_environment_variable_len)) {
282
283 afl->afl_env.afl_ignore_problems =
284 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
285
286 } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
287
288 afl_environment_variable_len)) {
289
290 afl->afl_env.afl_i_dont_care_about_missing_crashes =
291 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
292
293 } else if (!strncmp(env, "AFL_BENCH_JUST_ONE",
294
295 afl_environment_variable_len)) {
296
297 afl->afl_env.afl_bench_just_one =
298 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
299
300 } else if (!strncmp(env, "AFL_BENCH_UNTIL_CRASH",
301
302 afl_environment_variable_len)) {
303
304 afl->afl_env.afl_bench_until_crash =
305 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
306
307 } else if (!strncmp(env, "AFL_DEBUG_CHILD",
308
309 afl_environment_variable_len) ||
310 !strncmp(env, "AFL_DEBUG_CHILD_OUTPUT",
311 afl_environment_variable_len)) {
312
313 afl->afl_env.afl_debug_child =
314 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
315
316 } else if (!strncmp(env, "AFL_AUTORESUME",
317
318 afl_environment_variable_len)) {
319
320 afl->afl_env.afl_autoresume =
321 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
322
323 } else if (!strncmp(env, "AFL_PERSISTENT_RECORD",
324
325 afl_environment_variable_len)) {
326
327 afl->afl_env.afl_persistent_record =
328 get_afl_env(afl_environment_variables[i]);
329
330 } else if (!strncmp(env, "AFL_CYCLE_SCHEDULES",
331
332 afl_environment_variable_len)) {
333
334 afl->cycle_schedules = afl->afl_env.afl_cycle_schedules =
335 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
336
337 } else if (!strncmp(env, "AFL_EXIT_ON_SEED_ISSUES",
338
339 afl_environment_variable_len)) {
340
341 afl->afl_env.afl_exit_on_seed_issues =
342 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
343
344 } else if (!strncmp(env, "AFL_EXPAND_HAVOC_NOW",
345
346 afl_environment_variable_len)) {
347
348 afl->expand_havoc = afl->afl_env.afl_expand_havoc =
349 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
350
351 } else if (!strncmp(env, "AFL_CAL_FAST",
352
353 afl_environment_variable_len)) {
354
355 afl->afl_env.afl_cal_fast =
356 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
357
358 } else if (!strncmp(env, "AFL_FAST_CAL",
359
360 afl_environment_variable_len)) {
361
362 afl->afl_env.afl_cal_fast =
363 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
364
365 } else if (!strncmp(env, "AFL_STATSD",
366
367 afl_environment_variable_len)) {
368
369 afl->afl_env.afl_statsd =
370 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
371
372 } else if (!strncmp(env, "AFL_TMPDIR",
373
374 afl_environment_variable_len)) {
375
376 afl->afl_env.afl_tmpdir =
377 (u8 *)get_afl_env(afl_environment_variables[i]);
378
379 } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY",
380
381 afl_environment_variable_len)) {
382
383 afl->afl_env.afl_custom_mutator_library =
384 (u8 *)get_afl_env(afl_environment_variables[i]);
385
386 } else if (!strncmp(env, "AFL_PYTHON_MODULE",
387
388 afl_environment_variable_len)) {
389
390 afl->afl_env.afl_python_module =
391 (u8 *)get_afl_env(afl_environment_variables[i]);
392
393 } else if (!strncmp(env, "AFL_PATH", afl_environment_variable_len)) {
394
395 afl->afl_env.afl_path =
396 (u8 *)get_afl_env(afl_environment_variables[i]);
397
398 } else if (!strncmp(env, "AFL_PRELOAD",
399
400 afl_environment_variable_len)) {
401
402 afl->afl_env.afl_preload =
403 (u8 *)get_afl_env(afl_environment_variables[i]);
404
405 } else if (!strncmp(env, "AFL_MAX_DET_EXTRAS",
406
407 afl_environment_variable_len)) {
408
409 afl->afl_env.afl_max_det_extras =
410 (u8 *)get_afl_env(afl_environment_variables[i]);
411
412 } else if (!strncmp(env, "AFL_FORKSRV_INIT_TMOUT",
413
414 afl_environment_variable_len)) {
415
416 afl->afl_env.afl_forksrv_init_tmout =
417 (u8 *)get_afl_env(afl_environment_variables[i]);
418
419 } else if (!strncmp(env, "AFL_TESTCACHE_SIZE",
420
421 afl_environment_variable_len)) {
422
423 afl->afl_env.afl_testcache_size =
424 (u8 *)get_afl_env(afl_environment_variables[i]);
425
426 } else if (!strncmp(env, "AFL_TESTCACHE_ENTRIES",
427
428 afl_environment_variable_len)) {
429
430 afl->afl_env.afl_testcache_entries =
431 (u8 *)get_afl_env(afl_environment_variables[i]);
432
433 } else if (!strncmp(env, "AFL_STATSD_HOST",
434
435 afl_environment_variable_len)) {
436
437 afl->afl_env.afl_statsd_host =
438 (u8 *)get_afl_env(afl_environment_variables[i]);
439
440 } else if (!strncmp(env, "AFL_STATSD_PORT",
441
442 afl_environment_variable_len)) {
443
444 afl->afl_env.afl_statsd_port =
445 (u8 *)get_afl_env(afl_environment_variables[i]);
446
447 } else if (!strncmp(env, "AFL_STATSD_TAGS_FLAVOR",
448
449 afl_environment_variable_len)) {
450
451 afl->afl_env.afl_statsd_tags_flavor =
452 (u8 *)get_afl_env(afl_environment_variables[i]);
453
454 } else if (!strncmp(env, "AFL_CRASH_EXITCODE",
455
456 afl_environment_variable_len)) {
457
458 afl->afl_env.afl_crash_exitcode =
459 (u8 *)get_afl_env(afl_environment_variables[i]);
460
461 #if defined USE_COLOR && !defined ALWAYS_COLORED
462
463 } else if (!strncmp(env, "AFL_NO_COLOR",
464
465 afl_environment_variable_len)) {
466
467 afl->afl_env.afl_statsd_tags_flavor =
468 (u8 *)get_afl_env(afl_environment_variables[i]);
469
470 } else if (!strncmp(env, "AFL_NO_COLOUR",
471
472 afl_environment_variable_len)) {
473
474 afl->afl_env.afl_statsd_tags_flavor =
475 (u8 *)get_afl_env(afl_environment_variables[i]);
476 #endif
477
478 } else if (!strncmp(env, "AFL_KILL_SIGNAL",
479
480 afl_environment_variable_len)) {
481
482 afl->afl_env.afl_kill_signal =
483 (u8 *)get_afl_env(afl_environment_variables[i]);
484
485 } else if (!strncmp(env, "AFL_TARGET_ENV",
486
487 afl_environment_variable_len)) {
488
489 afl->afl_env.afl_target_env =
490 (u8 *)get_afl_env(afl_environment_variables[i]);
491
492 } else if (!strncmp(env, "AFL_INPUT_LEN_MIN",
493
494 afl_environment_variable_len)) {
495
496 afl->min_length =
497 atoi((u8 *)get_afl_env(afl_environment_variables[i]));
498
499 } else if (!strncmp(env, "AFL_INPUT_LEN_MAX",
500
501 afl_environment_variable_len)) {
502
503 afl->max_length =
504 atoi((u8 *)get_afl_env(afl_environment_variables[i]));
505
506 } else if (!strncmp(env, "AFL_PIZZA_MODE",
507
508 afl_environment_variable_len)) {
509
510 afl->afl_env.afl_pizza_mode =
511 atoi((u8 *)get_afl_env(afl_environment_variables[i]));
512 if (afl->afl_env.afl_pizza_mode == 0) {
513
514 afl->afl_env.afl_pizza_mode = 1;
515
516 } else {
517
518 afl->pizza_is_served = 1;
519
520 }
521
522 }
523
524 } else {
525
526 i++;
527
528 }
529
530 }
531
532 i = 0;
533 while (match == 0 && afl_environment_variables[i] != NULL) {
534
535 if (strncmp(env, afl_environment_variables[i],
536 strlen(afl_environment_variables[i])) == 0 &&
537 env[strlen(afl_environment_variables[i])] == '=') {
538
539 match = 1;
540
541 } else {
542
543 i++;
544
545 }
546
547 }
548
549 i = 0;
550 while (match == 0 && afl_environment_deprecated[i] != NULL) {
551
552 if (strncmp(env, afl_environment_deprecated[i],
553 strlen(afl_environment_deprecated[i])) == 0 &&
554 env[strlen(afl_environment_deprecated[i])] == '=') {
555
556 match = 1;
557
558 WARNF("AFL environment variable %s is deprecated!",
559 afl_environment_deprecated[i]);
560 issue_detected = 1;
561
562 } else {
563
564 i++;
565
566 }
567
568 }
569
570 if (match == 0) {
571
572 WARNF("Mistyped AFL environment variable: %s", env);
573 issue_detected = 1;
574
575 print_suggested_envs(env);
576
577 }
578
579 }
580
581 }
582
583 if (issue_detected) { sleep(2); }
584
585 }
586
587 /* Removes this afl_state instance and frees it. */
588
afl_state_deinit(afl_state_t * afl)589 void afl_state_deinit(afl_state_t *afl) {
590
591 if (afl->in_place_resume) { ck_free(afl->in_dir); }
592 if (afl->sync_id) { ck_free(afl->out_dir); }
593 if (afl->pass_stats) { ck_free(afl->pass_stats); }
594 if (afl->orig_cmp_map) { ck_free(afl->orig_cmp_map); }
595 if (afl->cmplog_binary) { ck_free(afl->cmplog_binary); }
596
597 afl_free(afl->queue_buf);
598 afl_free(afl->out_buf);
599 afl_free(afl->out_scratch_buf);
600 afl_free(afl->eff_buf);
601 afl_free(afl->in_buf);
602 afl_free(afl->in_scratch_buf);
603 afl_free(afl->ex_buf);
604
605 ck_free(afl->virgin_bits);
606 ck_free(afl->virgin_tmout);
607 ck_free(afl->virgin_crash);
608 ck_free(afl->var_bytes);
609 ck_free(afl->top_rated);
610 ck_free(afl->clean_trace);
611 ck_free(afl->clean_trace_custom);
612 ck_free(afl->first_trace);
613 ck_free(afl->map_tmp_buf);
614
615 list_remove(&afl_states, afl);
616
617 }
618
afl_states_stop(void)619 void afl_states_stop(void) {
620
621 /* We may be inside a signal handler.
622 Set flags first, send kill signals to child proceses later. */
623 LIST_FOREACH(&afl_states, afl_state_t, {
624
625 el->stop_soon = 1;
626
627 });
628
629 LIST_FOREACH(&afl_states, afl_state_t, {
630
631 if (el->fsrv.child_pid > 0) kill(el->fsrv.child_pid, el->fsrv.kill_signal);
632 if (el->fsrv.fsrv_pid > 0) kill(el->fsrv.fsrv_pid, el->fsrv.kill_signal);
633
634 });
635
636 }
637
afl_states_clear_screen(void)638 void afl_states_clear_screen(void) {
639
640 LIST_FOREACH(&afl_states, afl_state_t, { el->clear_screen = 1; });
641
642 }
643
afl_states_request_skip(void)644 void afl_states_request_skip(void) {
645
646 LIST_FOREACH(&afl_states, afl_state_t, { el->skip_requested = 1; });
647
648 }
649
650