1 /*
2 american fuzzy lop++ - fuzzer header
3 ------------------------------------
4
5 Originally written by Michal Zalewski
6
7 Now maintained by Marc Heuse <mh@mh-sec.de>,
8 Heiko Eißfeldt <heiko.eissfeldt@hexco.de>,
9 Andrea Fioraldi <andreafioraldi@gmail.com>,
10 Dominik Maier <mail@dmnk.co>
11
12 Copyright 2016, 2017 Google Inc. All rights reserved.
13 Copyright 2019-2022 AFLplusplus Project. All rights reserved.
14
15 Licensed under the Apache License, Version 2.0 (the "License");
16 you may not use this file except in compliance with the License.
17 You may obtain a copy of the License at:
18
19 https://www.apache.org/licenses/LICENSE-2.0
20
21 This is the real deal: the program takes an instrumented binary and
22 attempts a variety of basic fuzzing tricks, paying close attention to
23 how they affect the execution path.
24
25 */
26
27 #ifndef _AFL_FUZZ_H
28 #define _AFL_FUZZ_H
29
30 #define AFL_MAIN
31 #define MESSAGES_TO_STDOUT
32
33 #ifndef _GNU_SOURCE
34 #define _GNU_SOURCE 1
35 #endif
36 #ifndef _FILE_OFFSET_BITS
37 #define _FILE_OFFSET_BITS 64
38 #endif
39
40 #include "config.h"
41 #include "types.h"
42 #include "debug.h"
43 #include "alloc-inl.h"
44 #include "hash.h"
45 #include "sharedmem.h"
46 #include "forkserver.h"
47 #include "common.h"
48
49 #include <stdio.h>
50 #include <unistd.h>
51 #include <stdlib.h>
52 #include <string.h>
53 #include <time.h>
54 #include <errno.h>
55 #include <signal.h>
56 #include <dirent.h>
57 #include <ctype.h>
58 #include <fcntl.h>
59 #include <termios.h>
60 #include <dlfcn.h>
61 #include <sched.h>
62
63 #include <netdb.h>
64 #include <netinet/in.h>
65
66 #include <sys/wait.h>
67 #include <sys/time.h>
68 #ifndef USEMMAP
69 #include <sys/shm.h>
70 #endif
71 #include <sys/stat.h>
72 #include <sys/types.h>
73 #include <sys/resource.h>
74 #include <sys/mman.h>
75 #include <sys/ioctl.h>
76 #include <sys/file.h>
77 #include <sys/types.h>
78
79 #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
80 defined(__NetBSD__) || defined(__DragonFly__)
81 #include <sys/sysctl.h>
82 #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
83
84 #if defined(__HAIKU__)
85 #include <kernel/OS.h>
86 #include <kernel/scheduler.h>
87 #endif
88
89 /* For systems that have sched_setaffinity; right now just Linux, but one
90 can hope... */
91
92 #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
93 defined(__DragonFly__) || defined(__sun)
94 #define HAVE_AFFINITY 1
95 #if defined(__FreeBSD__) || defined(__DragonFly__)
96 #include <sys/param.h>
97 #if defined(__FreeBSD__)
98 #include <sys/cpuset.h>
99 #endif
100 #include <sys/user.h>
101 #include <pthread.h>
102 #include <pthread_np.h>
103 #define cpu_set_t cpuset_t
104 #elif defined(__NetBSD__)
105 #include <pthread.h>
106 #elif defined(__sun)
107 #include <sys/types.h>
108 #include <kstat.h>
109 #include <sys/sysinfo.h>
110 #include <sys/pset.h>
111 #include <strings.h>
112 #endif
113 #endif /* __linux__ */
114
115 #ifdef __APPLE__
116 #include <TargetConditionals.h>
117 #endif
118
119 #undef LIST_FOREACH /* clashes with FreeBSD */
120 #include "list.h"
121 #ifndef SIMPLE_FILES
122 #define CASE_PREFIX "id:"
123 #else
124 #define CASE_PREFIX "id_"
125 #endif /* ^!SIMPLE_FILES */
126
127 #define STAGE_BUF_SIZE (64) /* usable size for stage name buf in afl_state */
128
129 // Little helper to access the ptr to afl->##name_buf - for use in afl_realloc.
130 #define AFL_BUF_PARAM(name) ((void **)&afl->name##_buf)
131
132 #ifdef WORD_SIZE_64
133 #define AFL_RAND_RETURN u64
134 #else
135 #define AFL_RAND_RETURN u32
136 #endif
137
138 extern s8 interesting_8[INTERESTING_8_LEN];
139 extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
140 extern s32
141 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
142
143 struct tainted {
144
145 u32 pos;
146 u32 len;
147 struct tainted *next;
148 struct tainted *prev;
149
150 };
151
152 struct queue_entry {
153
154 u8 *fname; /* File name for the test case */
155 u32 len; /* Input length */
156 u32 id; /* entry number in queue_buf */
157
158 u8 colorized, /* Do not run redqueen stage again */
159 cal_failed; /* Calibration failed? */
160 bool trim_done, /* Trimmed? */
161 was_fuzzed, /* historical, but needed for MOpt */
162 passed_det, /* Deterministic stages passed? */
163 has_new_cov, /* Triggers new coverage? */
164 var_behavior, /* Variable behavior? */
165 favored, /* Currently favored? */
166 fs_redundant, /* Marked as redundant in the fs? */
167 is_ascii, /* Is the input just ascii text? */
168 disabled; /* Is disabled from fuzz selection */
169
170 u32 bitmap_size, /* Number of bits set in bitmap */
171 fuzz_level, /* Number of fuzzing iterations */
172 n_fuzz_entry; /* offset in n_fuzz */
173
174 u64 exec_us, /* Execution time (us) */
175 handicap, /* Number of queue cycles behind */
176 depth, /* Path depth */
177 exec_cksum; /* Checksum of the execution trace */
178
179 u8 *trace_mini; /* Trace bytes, if kept */
180 u32 tc_ref; /* Trace bytes ref count */
181
182 #ifdef INTROSPECTION
183 u32 bitsmap_size;
184 #endif
185
186 double perf_score, /* performance score */
187 weight;
188
189 u8 *testcase_buf; /* The testcase buffer, if loaded. */
190
191 u8 * cmplog_colorinput; /* the result buf of colorization */
192 struct tainted *taint; /* Taint information from CmpLog */
193
194 struct queue_entry *mother; /* queue entry this based on */
195
196 };
197
198 struct extra_data {
199
200 u8 *data; /* Dictionary token data */
201 u32 len; /* Dictionary token length */
202 u32 hit_cnt; /* Use count in the corpus */
203
204 };
205
206 struct auto_extra_data {
207
208 u8 data[MAX_AUTO_EXTRA]; /* Dictionary token data */
209 u32 len; /* Dictionary token length */
210 u32 hit_cnt; /* Use count in the corpus */
211
212 };
213
214 /* Fuzzing stages */
215
216 enum {
217
218 /* 00 */ STAGE_FLIP1,
219 /* 01 */ STAGE_FLIP2,
220 /* 02 */ STAGE_FLIP4,
221 /* 03 */ STAGE_FLIP8,
222 /* 04 */ STAGE_FLIP16,
223 /* 05 */ STAGE_FLIP32,
224 /* 06 */ STAGE_ARITH8,
225 /* 07 */ STAGE_ARITH16,
226 /* 08 */ STAGE_ARITH32,
227 /* 09 */ STAGE_INTEREST8,
228 /* 10 */ STAGE_INTEREST16,
229 /* 11 */ STAGE_INTEREST32,
230 /* 12 */ STAGE_EXTRAS_UO,
231 /* 13 */ STAGE_EXTRAS_UI,
232 /* 14 */ STAGE_EXTRAS_AO,
233 /* 15 */ STAGE_EXTRAS_AI,
234 /* 16 */ STAGE_HAVOC,
235 /* 17 */ STAGE_SPLICE,
236 /* 18 */ STAGE_PYTHON,
237 /* 19 */ STAGE_CUSTOM_MUTATOR,
238 /* 20 */ STAGE_COLORIZATION,
239 /* 21 */ STAGE_ITS,
240
241 STAGE_NUM_MAX
242
243 };
244
245 /* Stage value types */
246
247 enum {
248
249 /* 00 */ STAGE_VAL_NONE,
250 /* 01 */ STAGE_VAL_LE,
251 /* 02 */ STAGE_VAL_BE
252
253 };
254
255 #define operator_num 19
256 #define swarm_num 5
257 #define period_core 500000
258
259 #define RAND_C (rand() % 1000 * 0.001)
260 #define v_max 1
261 #define v_min 0.05
262 #define limit_time_bound 1.1
263 #define SPLICE_CYCLES_puppet_up 25
264 #define SPLICE_CYCLES_puppet_low 5
265 #define STAGE_RANDOMBYTE 12
266 #define STAGE_DELETEBYTE 13
267 #define STAGE_Clone75 14
268 #define STAGE_OverWrite75 15
269 #define STAGE_OverWriteExtra 16
270 #define STAGE_InsertExtra 17
271 #define STAGE_Splice 18
272 #define period_pilot 50000
273
274 enum {
275
276 /* 00 */ EXPLORE, /* AFL default, Exploration-based constant schedule */
277 /* 01 */ MMOPT, /* Modified MOPT schedule */
278 /* 02 */ EXPLOIT, /* AFL's exploitation-based const. */
279 /* 03 */ FAST, /* Exponential schedule */
280 /* 04 */ COE, /* Cut-Off Exponential schedule */
281 /* 05 */ LIN, /* Linear schedule */
282 /* 06 */ QUAD, /* Quadratic schedule */
283 /* 07 */ RARE, /* Rare edges */
284 /* 08 */ SEEK, /* EXPLORE that ignores timings */
285
286 POWER_SCHEDULES_NUM
287
288 };
289
290 /* Python stuff */
291 #ifdef USE_PYTHON
292
293 // because Python sets stuff it should not ...
294 #ifdef _POSIX_C_SOURCE
295 #define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE
296 #undef _POSIX_C_SOURCE
297 #endif
298 #ifdef _XOPEN_SOURCE
299 #define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE
300 #undef _XOPEN_SOURCE
301 #endif
302
303 #include <Python.h>
304
305 #ifdef _SAVE_POSIX_C_SOURCE
306 #ifdef _POSIX_C_SOURCE
307 #undef _POSIX_C_SOURCE
308 #endif
309 #define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE
310 #endif
311 #ifdef _SAVE_XOPEN_SOURCE
312 #ifdef _XOPEN_SOURCE
313 #undef _XOPEN_SOURCE
314 #endif
315 #define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE
316 #endif
317
318 enum {
319
320 /* 00 */ PY_FUNC_INIT,
321 /* 01 */ PY_FUNC_DEINIT,
322 /* FROM HERE ON BELOW ALL ARE OPTIONAL */
323 /* 02 */ PY_OPTIONAL = 2,
324 /* 02 */ PY_FUNC_FUZZ = 2,
325 /* 03 */ PY_FUNC_FUZZ_COUNT,
326 /* 04 */ PY_FUNC_POST_PROCESS,
327 /* 05 */ PY_FUNC_INIT_TRIM,
328 /* 06 */ PY_FUNC_POST_TRIM,
329 /* 07 */ PY_FUNC_TRIM,
330 /* 08 */ PY_FUNC_HAVOC_MUTATION,
331 /* 09 */ PY_FUNC_HAVOC_MUTATION_PROBABILITY,
332 /* 10 */ PY_FUNC_QUEUE_GET,
333 /* 11 */ PY_FUNC_QUEUE_NEW_ENTRY,
334 /* 12 */ PY_FUNC_INTROSPECTION,
335 /* 13 */ PY_FUNC_DESCRIBE,
336 PY_FUNC_COUNT
337
338 };
339
340 typedef struct py_mutator {
341
342 PyObject *py_module;
343 PyObject *py_functions[PY_FUNC_COUNT];
344 void * afl_state;
345 void * py_data;
346
347 u8 * fuzz_buf;
348 size_t fuzz_size;
349
350 Py_buffer post_process_buf;
351
352 u8 * trim_buf;
353 size_t trim_size;
354
355 u8 * havoc_buf;
356 size_t havoc_size;
357
358 } py_mutator_t;
359
360 #endif
361
362 typedef struct MOpt_globals {
363
364 u64 * finds;
365 u64 * finds_v2;
366 u64 * cycles;
367 u64 * cycles_v2;
368 u64 * cycles_v3;
369 u32 is_pilot_mode;
370 u64 * pTime;
371 u64 period;
372 char *havoc_stagename;
373 char *splice_stageformat;
374 char *havoc_stagenameshort;
375 char *splice_stagenameshort;
376
377 } MOpt_globals_t;
378
379 extern char *power_names[POWER_SCHEDULES_NUM];
380
381 typedef struct afl_env_vars {
382
383 u8 afl_skip_cpufreq, afl_exit_when_done, afl_no_affinity, afl_skip_bin_check,
384 afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui,
385 afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
386 afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
387 afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
388 afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems,
389 afl_keep_timeouts, afl_pizza_mode;
390
391 u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
392 *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
393 *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
394 *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
395 *afl_testcache_entries, *afl_kill_signal, *afl_target_env,
396 *afl_persistent_record, *afl_exit_on_time;
397
398 } afl_env_vars_t;
399
400 struct afl_pass_stat {
401
402 u8 total;
403 u8 faileds;
404
405 };
406
407 struct foreign_sync {
408
409 u8 * dir;
410 time_t mtime;
411
412 };
413
414 typedef struct afl_state {
415
416 /* Position of this state in the global states list */
417 u32 _id;
418
419 afl_forkserver_t fsrv;
420 sharedmem_t shm;
421 sharedmem_t * shm_fuzz;
422 afl_env_vars_t afl_env;
423
424 char **argv; /* argv if needed */
425
426 /* MOpt:
427 Lots of globals, but mostly for the status UI and other things where it
428 really makes no sense to haul them around as function parameters. */
429 u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time,
430 total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key,
431 most_time, most_execs_key, most_execs, old_hit_count, force_ui_update,
432 prev_run_time;
433
434 MOpt_globals_t mopt_globals_core, mopt_globals_pilot;
435
436 s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet,
437 key_module;
438
439 double w_init, w_end, w_now;
440
441 s32 g_now;
442 s32 g_max;
443
444 u64 tmp_core_time;
445 s32 swarm_now;
446
447 double x_now[swarm_num][operator_num], L_best[swarm_num][operator_num],
448 eff_best[swarm_num][operator_num], G_best[operator_num],
449 v_now[swarm_num][operator_num], probability_now[swarm_num][operator_num],
450 swarm_fitness[swarm_num];
451
452 u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per
453 fuzz stage */
454 stage_finds_puppet_v2[swarm_num][operator_num],
455 stage_cycles_puppet_v2[swarm_num][operator_num],
456 stage_cycles_puppet_v3[swarm_num][operator_num],
457 stage_cycles_puppet[swarm_num][operator_num],
458 operator_finds_puppet[operator_num],
459 core_operator_finds_puppet[operator_num],
460 core_operator_finds_puppet_v2[operator_num],
461 core_operator_cycles_puppet[operator_num],
462 core_operator_cycles_puppet_v2[operator_num],
463 core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */
464
465 double period_pilot_tmp;
466 s32 key_lv;
467
468 u8 *in_dir, /* Input directory with test cases */
469 *out_dir, /* Working & output directory */
470 *tmp_dir, /* Temporary directory for input */
471 *sync_dir, /* Synchronization directory */
472 *sync_id, /* Fuzzer ID */
473 *power_name, /* Power schedule name */
474 *use_banner, /* Display banner */
475 *in_bitmap, /* Input bitmap */
476 *file_extension, /* File extension */
477 *orig_cmdline, /* Original command line */
478 *infoexec; /* Command to execute on a new crash */
479
480 u32 hang_tmout; /* Timeout used for hang det (ms) */
481
482 u8 havoc_stack_pow2, /* HAVOC_STACK_POW2 */
483 no_unlink, /* do not unlink cur_input */
484 debug, /* Debug mode */
485 custom_only, /* Custom mutator only mode */
486 is_main_node, /* if this is the main node */
487 is_secondary_node, /* if this is a secondary instance */
488 pizza_is_served; /* pizza mode */
489
490 u32 stats_update_freq; /* Stats update frequency (execs) */
491
492 u8 schedule; /* Power schedule (default: EXPLORE)*/
493 u8 havoc_max_mult;
494
495 u8 skip_deterministic, /* Skip deterministic stages? */
496 use_splicing, /* Recombine input files? */
497 non_instrumented_mode, /* Run in non-instrumented mode? */
498 score_changed, /* Scoring for favorites changed? */
499 resuming_fuzz, /* Resuming an older fuzzing job? */
500 timeout_given, /* Specific timeout given? */
501 not_on_tty, /* stdout is not a tty */
502 term_too_small, /* terminal dimensions too small */
503 no_forkserver, /* Disable forkserver? */
504 crash_mode, /* Crash mode! Yeah! */
505 in_place_resume, /* Attempt in-place resume? */
506 autoresume, /* Resume if afl->out_dir exists? */
507 auto_changed, /* Auto-generated tokens changed? */
508 no_cpu_meter_red, /* Feng shui on the status screen */
509 no_arith, /* Skip most arithmetic ops */
510 shuffle_queue, /* Shuffle input queue? */
511 bitmap_changed, /* Time to update bitmap? */
512 unicorn_mode, /* Running in Unicorn mode? */
513 use_wine, /* Use WINE with QEMU mode */
514 skip_requested, /* Skip request, via SIGUSR1 */
515 run_over10m, /* Run time over 10 minutes? */
516 persistent_mode, /* Running in persistent mode? */
517 deferred_mode, /* Deferred forkserver mode? */
518 fixed_seed, /* do not reseed */
519 fast_cal, /* Try to calibrate faster? */
520 disable_trim, /* Never trim in fuzz_one */
521 shmem_testcase_mode, /* If sharedmem testcases are used */
522 expand_havoc, /* perform expensive havoc after no find */
523 cycle_schedules, /* cycle power schedules? */
524 old_seed_selection, /* use vanilla afl seed selection */
525 reinit_table; /* reinit the queue weight table */
526
527 u8 *virgin_bits, /* Regions yet untouched by fuzzing */
528 *virgin_tmout, /* Bits we haven't seen in tmouts */
529 *virgin_crash; /* Bits we haven't seen in crashes */
530
531 double *alias_probability; /* alias weighted probabilities */
532 u32 * alias_table; /* alias weighted random lookup table */
533 u32 active_items; /* enabled entries in the queue */
534
535 u8 *var_bytes; /* Bytes that appear to be variable */
536
537 #define N_FUZZ_SIZE (1 << 21)
538 u32 *n_fuzz;
539
540 volatile u8 stop_soon, /* Ctrl-C pressed? */
541 clear_screen; /* Window resized? */
542
543 u32 queued_items, /* Total number of queued testcases */
544 queued_variable, /* Testcases with variable behavior */
545 queued_at_start, /* Total number of initial inputs */
546 queued_discovered, /* Items discovered during this run */
547 queued_imported, /* Items imported via -S */
548 queued_favored, /* Paths deemed favorable */
549 queued_with_cov, /* Paths with new coverage bytes */
550 pending_not_fuzzed, /* Queued but not done yet */
551 pending_favored, /* Pending favored paths */
552 cur_skipped_items, /* Abandoned inputs in cur cycle */
553 cur_depth, /* Current path depth */
554 max_depth, /* Max path depth */
555 useless_at_start, /* Number of useless starting paths */
556 var_byte_count, /* Bitmap bytes with var behavior */
557 current_entry, /* Current queue entry ID */
558 havoc_div, /* Cycle count divisor for havoc */
559 max_det_extras; /* deterministic extra count (dicts)*/
560
561 u64 total_crashes, /* Total number of crashes */
562 saved_crashes, /* Crashes with unique signatures */
563 total_tmouts, /* Total number of timeouts */
564 saved_tmouts, /* Timeouts with unique signatures */
565 saved_hangs, /* Hangs with unique signatures */
566 last_crash_execs, /* Exec counter at last crash */
567 queue_cycle, /* Queue round counter */
568 cycles_wo_finds, /* Cycles without any new paths */
569 trim_execs, /* Execs done to trim input files */
570 bytes_trim_in, /* Bytes coming into the trimmer */
571 bytes_trim_out, /* Bytes coming outa the trimmer */
572 blocks_eff_total, /* Blocks subject to effector maps */
573 blocks_eff_select, /* Blocks selected as fuzzable */
574 start_time, /* Unix start time (ms) */
575 last_sync_time, /* Time of last sync */
576 last_sync_cycle, /* Cycle no. of the last sync */
577 last_find_time, /* Time for most recent path (ms) */
578 last_crash_time, /* Time for most recent crash (ms) */
579 last_hang_time, /* Time for most recent hang (ms) */
580 exit_on_time; /* Delay to exit if no new paths */
581
582 u32 slowest_exec_ms, /* Slowest testcase non hang in ms */
583 subseq_tmouts; /* Number of timeouts in a row */
584
585 u8 *stage_name, /* Name of the current fuzz stage */
586 *stage_short, /* Short stage name */
587 *syncing_party; /* Currently syncing with... */
588
589 u8 stage_name_buf[STAGE_BUF_SIZE]; /* reused stagename buf with len 64 */
590
591 u32 stage_cur, stage_max; /* Stage progression */
592 s32 splicing_with; /* Splicing with which test case? */
593
594 u32 main_node_id, main_node_max; /* Main instance job splitting */
595
596 u32 syncing_case; /* Syncing with case #... */
597
598 s32 stage_cur_byte, /* Byte offset of current stage op */
599 stage_cur_val; /* Value used for stage op */
600
601 u8 stage_val_type; /* Value type (STAGE_VAL_*) */
602
603 u64 stage_finds[32], /* Patterns found per fuzz stage */
604 stage_cycles[32]; /* Execs per fuzz stage */
605
606 u32 rand_cnt; /* Random number counter */
607
608 /* unsigned long rand_seed[3]; would also work */
609 AFL_RAND_RETURN rand_seed[3];
610 s64 init_seed;
611
612 u64 total_cal_us, /* Total calibration time (us) */
613 total_cal_cycles; /* Total calibration cycles */
614
615 u64 total_bitmap_size, /* Total bit count for all bitmaps */
616 total_bitmap_entries; /* Number of bitmaps counted */
617
618 s32 cpu_core_count, /* CPU core count */
619 cpu_to_bind; /* bind to specific CPU */
620
621 #ifdef HAVE_AFFINITY
622 s32 cpu_aff; /* Selected CPU core */
623 #endif /* HAVE_AFFINITY */
624
625 struct queue_entry *queue, /* Fuzzing queue (linked list) */
626 *queue_cur, /* Current offset within the queue */
627 *queue_top; /* Top of the list */
628
629 // growing buf
630 struct queue_entry **queue_buf;
631
632 struct queue_entry **top_rated; /* Top entries for bitmap bytes */
633
634 struct extra_data *extras; /* Extra tokens to fuzz with */
635 u32 extras_cnt; /* Total number of tokens read */
636
637 struct auto_extra_data
638 a_extras[MAX_AUTO_EXTRAS]; /* Automatically selected extras */
639 u32 a_extras_cnt; /* Total number of tokens available */
640
641 /* afl_postprocess API - Now supported via custom mutators */
642
643 /* CmpLog */
644
645 char * cmplog_binary;
646 afl_forkserver_t cmplog_fsrv; /* cmplog has its own little forkserver */
647
648 /* Custom mutators */
649 struct custom_mutator *mutator;
650
651 /* cmplog forkserver ids */
652 s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
653 u32 cmplog_prev_timed_out;
654 u32 cmplog_max_filesize;
655 u32 cmplog_lvl;
656 u32 colorize_success;
657 u8 cmplog_enable_arith, cmplog_enable_transform;
658
659 struct afl_pass_stat *pass_stats;
660 struct cmp_map * orig_cmp_map;
661
662 u8 describe_op_buf_256[256]; /* describe_op will use this to return a string
663 up to 256 */
664
665 unsigned long long int last_avg_exec_update;
666 u32 last_avg_execs;
667 double last_avg_execs_saved;
668
669 /* foreign sync */
670 #define FOREIGN_SYNCS_MAX 32U
671 u8 foreign_sync_cnt;
672 struct foreign_sync foreign_syncs[FOREIGN_SYNCS_MAX];
673
674 #ifdef _AFL_DOCUMENT_MUTATIONS
675 u8 do_document;
676 u32 document_counter;
677 #endif
678
679 /* statistics file */
680 double last_bitmap_cvg, last_stability, last_eps;
681
682 /* plot file saves from last run */
683 u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md;
684 u64 plot_prev_qc, plot_prev_uc, plot_prev_uh, plot_prev_ed;
685
686 u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs;
687
688 /* StatsD */
689 u64 statsd_last_send_ms;
690 struct sockaddr_in statsd_server;
691 int statsd_sock;
692 char * statsd_tags_flavor;
693 char * statsd_tags_format;
694 char * statsd_metric_format;
695 int statsd_metric_format_type;
696
697 double stats_avg_exec;
698
699 u8 *clean_trace;
700 u8 *clean_trace_custom;
701 u8 *first_trace;
702
703 /*needed for afl_fuzz_one */
704 // TODO: see which we can reuse
705 u8 *out_buf;
706
707 u8 *out_scratch_buf;
708
709 u8 *eff_buf;
710
711 u8 *in_buf;
712
713 u8 *in_scratch_buf;
714
715 u8 *ex_buf;
716
717 u8 *testcase_buf, *splicecase_buf;
718
719 u32 custom_mutators_count;
720
721 struct custom_mutator *current_custom_fuzz;
722
723 list_t custom_mutator_list;
724
725 /* this is a fixed buffer of size map_size that can be used by any function if
726 * they do not call another function */
727 u8 *map_tmp_buf;
728
729 /* queue entries ready for splicing count (len > 4) */
730 u32 ready_for_splicing_count;
731
732 /* min/max length for generated fuzzing inputs */
733 u32 min_length, max_length;
734
735 /* This is the user specified maximum size to use for the testcase cache */
736 u64 q_testcase_max_cache_size;
737
738 /* This is the user specified maximum entries in the testcase cache */
739 u32 q_testcase_max_cache_entries;
740
741 /* How much of the testcase cache is used so far */
742 u64 q_testcase_cache_size;
743
744 /* highest cache count so far */
745 u32 q_testcase_max_cache_count;
746
747 /* How many queue entries currently have cached testcases */
748 u32 q_testcase_cache_count;
749
750 /* the smallest id currently known free entry */
751 u32 q_testcase_smallest_free;
752
753 /* How often did we evict from the cache (for statistics only) */
754 u32 q_testcase_evictions;
755
756 /* Refs to each queue entry with cached testcase (for eviction, if cache_count
757 * is too large) */
758 struct queue_entry **q_testcase_cache;
759
760 #ifdef INTROSPECTION
761 char mutation[8072];
762 char m_tmp[4096];
763 FILE *introspection_file;
764 u32 bitsmap_size;
765 #endif
766
767 } afl_state_t;
768
769 struct custom_mutator {
770
771 const char *name;
772 char * name_short;
773 void * dh;
774 u8 * post_process_buf;
775 u8 stacked_custom_prob, stacked_custom;
776
777 void *data; /* custom mutator data ptr */
778
779 /* hooks for the custom mutator function */
780
781 /**
782 * Initialize the custom mutator.
783 *
784 * @param afl AFL instance.
785 * @param seed Seed used for the mutation.
786 * @return pointer to internal data or NULL on error
787 */
788 void *(*afl_custom_init)(afl_state_t *afl, unsigned int seed);
789
790 /**
791 * When afl-fuzz was compiled with INTROSPECTION=1 then custom mutators can
792 * also give introspection information back with this function.
793 *
794 * @param data pointer returned in afl_custom_init by this custom mutator
795 * @return pointer to a text string (const char*)
796 */
797 const char *(*afl_custom_introspection)(void *data);
798
799 /**
800 * This method is called just before fuzzing a queue entry with the custom
801 * mutator, and receives the initial buffer. It should return the number of
802 * fuzzes to perform.
803 *
804 * A value of 0 means no fuzzing of this queue entry.
805 *
806 * The function is now allowed to change the data.
807 *
808 * (Optional)
809 *
810 * @param data pointer returned in afl_custom_init by this custom mutator
811 * @param buf Buffer containing the test case
812 * @param buf_size Size of the test case
813 * @return The amount of fuzzes to perform on this queue entry, 0 = skip
814 */
815 u32 (*afl_custom_fuzz_count)(void *data, const u8 *buf, size_t buf_size);
816
817 /**
818 * Perform custom mutations on a given input
819 *
820 * (Optional for now. Required in the future)
821 *
822 * @param data pointer returned in afl_custom_init by this custom mutator
823 * @param[in] buf Pointer to the input data to be mutated and the mutated
824 * output
825 * @param[in] buf_size Size of the input/output data
826 * @param[out] out_buf the new buffer. We may reuse *buf if large enough.
827 * *out_buf = NULL is treated as FATAL.
828 * @param[in] add_buf Buffer containing the additional test case
829 * @param[in] add_buf_size Size of the additional test case
830 * @param[in] max_size Maximum size of the mutated output. The mutation must
831 * not produce data larger than max_size.
832 * @return Size of the mutated output.
833 */
834 size_t (*afl_custom_fuzz)(void *data, u8 *buf, size_t buf_size, u8 **out_buf,
835 u8 *add_buf, size_t add_buf_size, size_t max_size);
836
837 /**
838 * Describe the current testcase, generated by the last mutation.
839 * This will be called, for example, to give the written testcase a name
840 * after a crash ocurred. It can help to reproduce crashing mutations.
841 *
842 * (Optional)
843 *
844 * @param data pointer returned by afl_customm_init for this custom mutator
845 * @paramp[in] max_description_len maximum size avaliable for the description.
846 * A longer return string is legal, but will be truncated.
847 * @return A valid ptr to a 0-terminated string.
848 * An empty or NULL return will result in a default description
849 */
850 const char *(*afl_custom_describe)(void *data, size_t max_description_len);
851
852 /**
853 * A post-processing function to use right before AFL writes the test case to
854 * disk in order to execute the target.
855 *
856 * (Optional) If this functionality is not needed, simply don't define this
857 * function.
858 *
859 * @param[in] data pointer returned in afl_custom_init by this custom mutator
860 * @param[in] buf Buffer containing the test case to be executed
861 * @param[in] buf_size Size of the test case
862 * @param[out] out_buf Pointer to the buffer storing the test case after
863 * processing. External library should allocate memory for out_buf.
864 * It can chose to alter buf in-place, if the space is large enough.
865 * @return Size of the output buffer.
866 */
867 size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size,
868 u8 **out_buf);
869
870 /**
871 * This method is called at the start of each trimming operation and receives
872 * the initial buffer. It should return the amount of iteration steps possible
873 * on this input (e.g. if your input has n elements and you want to remove
874 * them one by one, return n, if you do a binary search, return log(n),
875 * and so on...).
876 *
877 * If your trimming algorithm doesn't allow you to determine the amount of
878 * (remaining) steps easily (esp. while running), then you can alternatively
879 * return 1 here and always return 0 in post_trim until you are finished and
880 * no steps remain. In that case, returning 1 in post_trim will end the
881 * trimming routine. The whole current index/max iterations stuff is only used
882 * to show progress.
883 *
884 * (Optional)
885 *
886 * @param data pointer returned in afl_custom_init by this custom mutator
887 * @param buf Buffer containing the test case
888 * @param buf_size Size of the test case
889 * @return The amount of possible iteration steps to trim the input.
890 * Negative on error.
891 */
892 s32 (*afl_custom_init_trim)(void *data, u8 *buf, size_t buf_size);
893
894 /**
895 * This method is called for each trimming operation. It doesn't have any
896 * arguments because we already have the initial buffer from init_trim and we
897 * can memorize the current state in global variables. This can also save
898 * reparsing steps for each iteration. It should return the trimmed input
899 * buffer, where the returned data must not exceed the initial input data in
900 * length. Returning anything that is larger than the original data (passed
901 * to init_trim) will result in a fatal abort of AFLFuzz.
902 *
903 * (Optional)
904 *
905 * @param data pointer returned in afl_custom_init by this custom mutator
906 * @param[out] out_buf Pointer to the buffer containing the trimmed test case.
907 * The library can reuse a buffer for each call
908 * and will have to free the buf (for example in deinit)
909 * @return the size of the trimmed test case
910 */
911 size_t (*afl_custom_trim)(void *data, u8 **out_buf);
912
913 /**
914 * This method is called after each trim operation to inform you if your
915 * trimming step was successful or not (in terms of coverage). If you receive
916 * a failure here, you should reset your input to the last known good state.
917 *
918 * (Optional)
919 *
920 * @param data pointer returned in afl_custom_init by this custom mutator
921 * @param success Indicates if the last trim operation was successful.
922 * @return The next trim iteration index (from 0 to the maximum amount of
923 * steps returned in init_trim). Negative on error.
924 */
925 s32 (*afl_custom_post_trim)(void *data, u8 success);
926
927 /**
928 * Perform a single custom mutation on a given input.
929 * This mutation is stacked with the other muatations in havoc.
930 *
931 * (Optional)
932 *
933 * @param[in] data pointer returned in afl_custom_init by this custom mutator
934 * @param[in] buf Pointer to the input data to be mutated and the mutated
935 * output
936 * @param[in] buf_size Size of input data
937 * @param[out] out_buf The new buffer. It's legal to reuse *buf if it's <
938 * buf_size.
939 * @param[in] max_size Maximum size of the mutated output. The mutation must
940 * not produce data larger than max_size.
941 * @return Size of the mutated output (out_size).
942 */
943 size_t (*afl_custom_havoc_mutation)(void *data, u8 *buf, size_t buf_size,
944 u8 **out_buf, size_t max_size);
945
946 /**
947 * Return the probability (in percentage) that afl_custom_havoc_mutation
948 * is called in havoc. By default it is 6 %.
949 *
950 * (Optional)
951 *
952 * @param data pointer returned in afl_custom_init by this custom mutator
953 * @return The probability (0-100).
954 */
955 u8 (*afl_custom_havoc_mutation_probability)(void *data);
956
957 /**
958 * Determine whether the fuzzer should fuzz the current queue entry or not.
959 *
960 * (Optional)
961 *
962 * @param data pointer returned in afl_custom_init by this custom mutator
963 * @param filename File name of the test case in the queue entry
964 * @return Return True(1) if the fuzzer will fuzz the queue entry, and
965 * False(0) otherwise.
966 */
967 u8 (*afl_custom_queue_get)(void *data, const u8 *filename);
968
969 /**
970 * Allow for additional analysis (e.g. calling a different tool that does a
971 * different kind of coverage and saves this for the custom mutator).
972 *
973 * (Optional)
974 *
975 * @param data pointer returned in afl_custom_init by this custom mutator
976 * @param filename_new_queue File name of the new queue entry
977 * @param filename_orig_queue File name of the original queue entry. This
978 * argument can be NULL while initializing the fuzzer
979 */
980 u8 (*afl_custom_queue_new_entry)(void *data, const u8 *filename_new_queue,
981 const u8 *filename_orig_queue);
982 /**
983 * Deinitialize the custom mutator.
984 *
985 * @param data pointer returned in afl_custom_init by this custom mutator
986 */
987 void (*afl_custom_deinit)(void *data);
988
989 };
990
991 void afl_state_init(afl_state_t *, uint32_t map_size);
992 void afl_state_deinit(afl_state_t *);
993
994 /* Set stop_soon flag on all childs, kill all childs */
995 void afl_states_stop(void);
996 /* Set clear_screen flag on all states */
997 void afl_states_clear_screen(void);
998 /* Sets the skip flag on all states */
999 void afl_states_request_skip(void);
1000
1001 /* Setup shmem for testcase delivery */
1002 void setup_testcase_shmem(afl_state_t *afl);
1003
1004 void read_afl_environment(afl_state_t *, char **);
1005
1006 /**** Prototypes ****/
1007
1008 /* Custom mutators */
1009 void setup_custom_mutators(afl_state_t *);
1010 void destroy_custom_mutators(afl_state_t *);
1011 u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf,
1012 struct custom_mutator *mutator);
1013 void run_afl_custom_queue_new_entry(afl_state_t *, struct queue_entry *, u8 *,
1014 u8 *);
1015
1016 /* Python */
1017 #ifdef USE_PYTHON
1018
1019 struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *);
1020 void finalize_py_module(void *);
1021
1022 u32 fuzz_count_py(void *, const u8 *, size_t);
1023 size_t post_process_py(void *, u8 *, size_t, u8 **);
1024 s32 init_trim_py(void *, u8 *, size_t);
1025 s32 post_trim_py(void *, u8);
1026 size_t trim_py(void *, u8 **);
1027 size_t havoc_mutation_py(void *, u8 *, size_t, u8 **, size_t);
1028 u8 havoc_mutation_probability_py(void *);
1029 u8 queue_get_py(void *, const u8 *);
1030 const char *introspection_py(void *);
1031 u8 queue_new_entry_py(void *, const u8 *, const u8 *);
1032 void deinit_py(void *);
1033
1034 #endif
1035
1036 /* Queue */
1037
1038 void mark_as_det_done(afl_state_t *, struct queue_entry *);
1039 void mark_as_variable(afl_state_t *, struct queue_entry *);
1040 void mark_as_redundant(afl_state_t *, struct queue_entry *, u8);
1041 void add_to_queue(afl_state_t *, u8 *, u32, u8);
1042 void destroy_queue(afl_state_t *);
1043 void update_bitmap_score(afl_state_t *, struct queue_entry *);
1044 void cull_queue(afl_state_t *);
1045 u32 calculate_score(afl_state_t *, struct queue_entry *);
1046
1047 /* Bitmap */
1048
1049 void write_bitmap(afl_state_t *);
1050 u32 count_bits(afl_state_t *, u8 *);
1051 u32 count_bytes(afl_state_t *, u8 *);
1052 u32 count_non_255_bytes(afl_state_t *, u8 *);
1053 void simplify_trace(afl_state_t *, u8 *);
1054 void classify_counts(afl_forkserver_t *);
1055 #ifdef WORD_SIZE_64
1056 void discover_word(u8 *ret, u64 *current, u64 *virgin);
1057 #else
1058 void discover_word(u8 *ret, u32 *current, u32 *virgin);
1059 #endif
1060 void init_count_class16(void);
1061 void minimize_bits(afl_state_t *, u8 *, u8 *);
1062 #ifndef SIMPLE_FILES
1063 u8 *describe_op(afl_state_t *, u8, size_t);
1064 #endif
1065 u8 save_if_interesting(afl_state_t *, void *, u32, u8);
1066 u8 has_new_bits(afl_state_t *, u8 *);
1067 u8 has_new_bits_unclassified(afl_state_t *, u8 *);
1068
1069 /* Extras */
1070
1071 void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32);
1072 void load_extras(afl_state_t *, u8 *);
1073 void dedup_extras(afl_state_t *);
1074 void deunicode_extras(afl_state_t *);
1075 void add_extra(afl_state_t *afl, u8 *mem, u32 len);
1076 void maybe_add_auto(afl_state_t *, u8 *, u32);
1077 void save_auto(afl_state_t *);
1078 void load_auto(afl_state_t *);
1079 void destroy_extras(afl_state_t *);
1080
1081 /* Stats */
1082
1083 void load_stats_file(afl_state_t *);
1084 void write_setup_file(afl_state_t *, u32, char **);
1085 void write_stats_file(afl_state_t *, u32, double, double, double);
1086 void maybe_update_plot_file(afl_state_t *, u32, double, double);
1087 void show_stats(afl_state_t *);
1088 void show_stats_normal(afl_state_t *);
1089 void show_stats_pizza(afl_state_t *);
1090 void show_init_stats(afl_state_t *);
1091
1092 /* StatsD */
1093
1094 void statsd_setup_format(afl_state_t *afl);
1095 int statsd_socket_init(afl_state_t *afl);
1096 int statsd_send_metric(afl_state_t *afl);
1097 int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen);
1098
1099 /* Run */
1100
1101 void sync_fuzzers(afl_state_t *);
1102 u32 write_to_testcase(afl_state_t *, void **, u32, u32);
1103 u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8);
1104 u8 trim_case(afl_state_t *, struct queue_entry *, u8 *);
1105 u8 common_fuzz_stuff(afl_state_t *, u8 *, u32);
1106 fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32);
1107
1108 /* Fuzz one */
1109
1110 u8 fuzz_one_original(afl_state_t *);
1111 u8 pilot_fuzzing(afl_state_t *);
1112 u8 core_fuzzing(afl_state_t *);
1113 void pso_updating(afl_state_t *);
1114 u8 fuzz_one(afl_state_t *);
1115
1116 /* Init */
1117
1118 #ifdef HAVE_AFFINITY
1119 void bind_to_free_cpu(afl_state_t *);
1120 #endif
1121 void setup_post(afl_state_t *);
1122 void read_testcases(afl_state_t *, u8 *);
1123 void perform_dry_run(afl_state_t *);
1124 void pivot_inputs(afl_state_t *);
1125 u32 find_start_position(afl_state_t *);
1126 void find_timeout(afl_state_t *);
1127 double get_runnable_processes(void);
1128 void nuke_resume_dir(afl_state_t *);
1129 int check_main_node_exists(afl_state_t *);
1130 u32 select_next_queue_entry(afl_state_t *afl);
1131 void create_alias_table(afl_state_t *afl);
1132 void setup_dirs_fds(afl_state_t *);
1133 void setup_cmdline_file(afl_state_t *, char **);
1134 void setup_stdio_file(afl_state_t *);
1135 void check_crash_handling(void);
1136 void check_cpu_governor(afl_state_t *);
1137 void get_core_count(afl_state_t *);
1138 void fix_up_sync(afl_state_t *);
1139 void check_asan_opts(afl_state_t *);
1140 void check_binary(afl_state_t *, u8 *);
1141 void check_if_tty(afl_state_t *);
1142 void setup_signal_handlers(void);
1143 void save_cmdline(afl_state_t *, u32, char **);
1144 void read_foreign_testcases(afl_state_t *, int);
1145 void write_crash_readme(afl_state_t *afl);
1146 u8 check_if_text_buf(u8 *buf, u32 len);
1147
1148 /* CmpLog */
1149
1150 u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len);
1151
1152 /* RedQueen */
1153 u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len);
1154
1155 /* our RNG wrapper */
1156 AFL_RAND_RETURN rand_next(afl_state_t *afl);
1157
1158 /* probability between 0.0 and 1.0 */
1159 double rand_next_percent(afl_state_t *afl);
1160
1161 /**** Inline routines ****/
1162
1163 /* Generate a random number (from 0 to limit - 1). This may
1164 have slight bias. */
1165
rand_below(afl_state_t * afl,u32 limit)1166 static inline u32 rand_below(afl_state_t *afl, u32 limit) {
1167
1168 if (limit <= 1) return 0;
1169
1170 /* The boundary not being necessarily a power of 2,
1171 we need to ensure the result uniformity. */
1172 if (unlikely(!afl->rand_cnt--) && likely(!afl->fixed_seed)) {
1173
1174 ck_read(afl->fsrv.dev_urandom_fd, &afl->rand_seed, sizeof(afl->rand_seed),
1175 "/dev/urandom");
1176 // srandom(afl->rand_seed[0]);
1177 afl->rand_cnt = (RESEED_RNG / 2) + (afl->rand_seed[1] % RESEED_RNG);
1178
1179 }
1180
1181 /* Modulo is biased - we don't want our fuzzing to be biased so let's do it
1182 right. See:
1183 https://stackoverflow.com/questions/10984974/why-do-people-say-there-is-modulo-bias-when-using-a-random-number-generator
1184 */
1185 u64 unbiased_rnd;
1186 do {
1187
1188 unbiased_rnd = rand_next(afl);
1189
1190 } while (unlikely(unbiased_rnd >= (UINT64_MAX - (UINT64_MAX % limit))));
1191
1192 return unbiased_rnd % limit;
1193
1194 }
1195
1196 /* we prefer lower range values here */
1197 /* this is only called with normal havoc, not MOpt, to have an equalizer for
1198 expand havoc mode */
rand_below_datalen(afl_state_t * afl,u32 limit)1199 static inline u32 rand_below_datalen(afl_state_t *afl, u32 limit) {
1200
1201 if (limit <= 1) return 0;
1202
1203 switch (rand_below(afl, 3)) {
1204
1205 case 2:
1206 return (rand_below(afl, limit) % (1 + rand_below(afl, limit - 1))) %
1207 (1 + rand_below(afl, limit - 1));
1208 break;
1209 case 1:
1210 return rand_below(afl, limit) % (1 + rand_below(afl, limit - 1));
1211 break;
1212 case 0:
1213 return rand_below(afl, limit);
1214 break;
1215
1216 }
1217
1218 return 1; // cannot be reached
1219
1220 }
1221
rand_get_seed(afl_state_t * afl)1222 static inline s64 rand_get_seed(afl_state_t *afl) {
1223
1224 if (unlikely(afl->fixed_seed)) { return afl->init_seed; }
1225 return afl->rand_seed[0];
1226
1227 }
1228
1229 /* initialize randomness with a given seed. Can be called again at any time. */
1230 void rand_set_seed(afl_state_t *afl, s64 init_seed);
1231
1232 /* Find first power of two greater or equal to val (assuming val under
1233 2^63). */
1234
next_p2(u64 val)1235 static inline u64 next_p2(u64 val) {
1236
1237 u64 ret = 1;
1238 while (val > ret) {
1239
1240 ret <<= 1;
1241
1242 }
1243
1244 return ret;
1245
1246 }
1247
1248 /* Returns the testcase buf from the file behind this queue entry.
1249 Increases the refcount. */
1250 u8 *queue_testcase_get(afl_state_t *afl, struct queue_entry *q);
1251
1252 /* If trimming changes the testcase size we have to reload it */
1253 void queue_testcase_retake(afl_state_t *afl, struct queue_entry *q,
1254 u32 old_len);
1255
1256 /* If trimming changes the testcase size we have to replace it */
1257 void queue_testcase_retake_mem(afl_state_t *afl, struct queue_entry *q, u8 *in,
1258 u32 len, u32 old_len);
1259
1260 /* Add a new queue entry directly to the cache */
1261
1262 void queue_testcase_store_mem(afl_state_t *afl, struct queue_entry *q, u8 *mem);
1263
1264 #if TESTCASE_CACHE == 1
1265 #error define of TESTCASE_CACHE must be zero or larger than 1
1266 #endif
1267
1268 #endif
1269
1270