2 american fuzzy lop++ - map display utility
3 ------------------------------------------
9 Now maintained by Marc Heuse <mh@mh-sec.de>,
15 Copyright 2019-2024 AFLplusplus Project. All rights reserved.
21 https://www.apache.org/licenses/LICENSE-2.0
24 the contents of the trace bitmap in a human-readable form. Useful in
36 #include "afl-fuzz.h"
39 #include "alloc-inl.h"
88 static bool quiet_mode, /* Hide non-essential messages? */
91 cmin_mode, /* Generate output in afl-cmin mode? */
102 static volatile u8 stop_soon, /* Ctrl-C pressed? */
110 afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */
137 if (fsrv->child_pid > 0) { in kill_child()
139 kill(fsrv->child_pid, fsrv->child_kill_signal); in kill_child()
140 fsrv->child_pid = -1; in kill_child()
180 u8 *mem = fsrv->trace_bits; in classify_counts()
187 while (i--) { in classify_counts()
196 while (i--) { in classify_counts()
211 fsrv->support_shmem_fuzz = 0; in deinit_shmem()
212 fsrv->shmem_fuzz_len = NULL; in deinit_shmem()
213 fsrv->shmem_fuzz = NULL; in deinit_shmem()
228 if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz); in at_exit_handler()
243 if (fsrv->trace_bits[i]) { in analyze_results()
245 total += fsrv->trace_bits[i]; in analyze_results()
246 if (fsrv->trace_bits[i] > highest) highest = fsrv->trace_bits[i]; in analyze_results()
248 coverage_map[i] |= fsrv->trace_bits[i]; in analyze_results()
273 (fsrv->last_run_timed_out || (!caa && child_crashed != cco))) { in write_results_to_file()
275 if (strcmp(outfile, "-")) { in write_results_to_file()
277 // create empty file to prevent error messages in afl-cmin in write_results_to_file()
293 } else if (!strcmp(outfile, "-")) { in write_results_to_file()
310 if (fsrv->trace_bits[i]) { ret++; } in write_results_to_file()
314 ck_write(fd, fsrv->trace_bits, map_size, outfile); in write_results_to_file()
325 if (!fsrv->trace_bits[i]) { continue; } in write_results_to_file()
328 total += fsrv->trace_bits[i]; in write_results_to_file()
329 if (highest < fsrv->trace_bits[i]) { highest = fsrv->trace_bits[i]; } in write_results_to_file()
333 fprintf(f, "%u%03u\n", i, fsrv->trace_bits[i]); in write_results_to_file()
337 fprintf(f, "%06u:%u\n", i, fsrv->trace_bits[i]); in write_results_to_file()
356 if (unlikely(afl->custom_mutators_count)) { in pre_afl_fsrv_write_to_testcase()
362 LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { in pre_afl_fsrv_write_to_testcase()
364 if (el->afl_custom_post_process) { in pre_afl_fsrv_write_to_testcase()
367 el->afl_custom_post_process(el->data, new_mem, new_size, &new_buf); in pre_afl_fsrv_write_to_testcase()
391 if (unlikely(afl->custom_mutators_count)) { in pre_afl_fsrv_write_to_testcase()
393 LIST_FOREACH(&afl->custom_mutator_list, struct custom_mutator, { in pre_afl_fsrv_write_to_testcase()
395 if (el->afl_custom_fuzz_send) { in pre_afl_fsrv_write_to_testcase()
397 el->afl_custom_fuzz_send(el->data, mem, len); in pre_afl_fsrv_write_to_testcase()
419 if (!quiet_mode) { SAYF("-- Program output begins --\n" cRST); } in showmap_run_target_forkserver()
421 if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon) == in showmap_run_target_forkserver()
428 if (fsrv->trace_bits[0]) { in showmap_run_target_forkserver()
430 fsrv->trace_bits[0] -= 1; in showmap_run_target_forkserver()
441 if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); } in showmap_run_target_forkserver()
443 if (!fsrv->last_run_timed_out && !stop_soon && in showmap_run_target_forkserver()
444 WIFSIGNALED(fsrv->child_status)) { in showmap_run_target_forkserver()
456 if (timed_out || fsrv->last_run_timed_out) { in showmap_run_target_forkserver()
468 WTERMSIG(fsrv->child_status)); in showmap_run_target_forkserver()
476 SAYF(cRST cLRD "\n+++ afl-showmap folder mode aborted by user +++\n" cRST); in showmap_run_target_forkserver()
503 WARNF("Zero-sized input file '%s'.", in_file); in read_file()
544 if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon) == in showmap_run_target_nyx_mode()
562 if (!quiet_mode) { SAYF("-- Program output begins --\n" cRST); } in showmap_run_target()
566 fsrv->child_pid = fork(); in showmap_run_target()
568 if (fsrv->child_pid < 0) { PFATAL("fork() failed"); } in showmap_run_target()
570 if (!fsrv->child_pid) { in showmap_run_target()
580 *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; in showmap_run_target()
589 if (fsrv->mem_limit) { in showmap_run_target()
591 r.rlim_max = r.rlim_cur = ((rlim_t)fsrv->mem_limit) << 20; in showmap_run_target()
621 execv(fsrv->target_path, argv); in showmap_run_target()
623 *(u32 *)fsrv->trace_bits = EXEC_FAIL_SIG; in showmap_run_target()
630 if (fsrv->exec_tmout) { in showmap_run_target()
632 fsrv->last_run_timed_out = 0; in showmap_run_target()
633 it.it_value.tv_sec = (fsrv->exec_tmout / 1000); in showmap_run_target()
634 it.it_value.tv_usec = (fsrv->exec_tmout % 1000) * 1000; in showmap_run_target()
642 if (waitpid(fsrv->child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); } in showmap_run_target()
644 fsrv->child_pid = 0; in showmap_run_target()
653 if (*(u32 *)fsrv->trace_bits == EXEC_FAIL_SIG) { in showmap_run_target()
659 if (fsrv->trace_bits[0]) { in showmap_run_target()
661 fsrv->trace_bits[0] -= 1; in showmap_run_target()
672 if (!quiet_mode) { SAYF(cRST "-- Program output ends --\n"); } in showmap_run_target()
674 if (!fsrv->last_run_timed_out && !stop_soon && WIFSIGNALED(status)) { in showmap_run_target()
682 if (timed_out || fsrv->last_run_timed_out) { in showmap_run_target()
702 /* Handle Ctrl-C and the like. */
712 /* Do basic preparations - persistent fds, filenames, etc. */
723 if (fsrv->qemu_mode) { in set_up_environment()
725 /* afl-qemu-trace takes care of converting AFL_PRELOAD. */ in set_up_environment()
727 } else if (fsrv->frida_mode) { in set_up_environment()
730 u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); in set_up_environment()
755 } else if (fsrv->frida_mode) { in set_up_environment()
757 u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); in set_up_environment()
814 u8 *fn2 = alloc_printf("%s/%s", dir, nl[i]->d_name); in execute_testcases()
825 if (subdirs && S_ISDIR(st.st_mode) && nl[i]->d_name[0] != '.') { in execute_testcases()
851 snprintf(outfile, sizeof(outfile), "%s/%s", out_file, nl[i]->d_name); in execute_testcases()
859 fprintf(stderr, "exec: gdb -p %d\n", fsrv->child_pid); in execute_testcases()
860 fprintf(stderr, "exec: kill -CONT %d\n", getpid()); in execute_testcases()
908 (fn2[strlen(fn2) - 1] == '\r' || fn2[strlen(fn2) - 1] == '\n' || in execute_testcases_filelist()
909 fn2[strlen(fn2) - 1] == ' ')) { in execute_testcases_filelist()
911 fn2[strlen(fn2) - 1] = 0; in execute_testcases_filelist()
958 fprintf(stderr, "exec: gdb -p %d\n", fsrv->child_pid); in execute_testcases_filelist()
959 fprintf(stderr, "exec: kill -CONT %d\n", getpid()); in execute_testcases_filelist()
986 SAYF(cCYA "afl-showmap" VERSION cRST " by Michal Zalewski\n"); in show_banner()
997 "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" in usage()
1000 " -o file - file to write the trace data to\n\n" in usage()
1003 " -t msec - timeout for each run (default: 1000ms)\n" in usage()
1004 " -m megs - memory limit for child process (default: none)\n" in usage()
1006 " -A - use binary-only instrumentation (ARM CoreSight mode)\n" in usage()
1008 " -O - use binary-only instrumentation (FRIDA mode)\n" in usage()
1010 " -Q - use binary-only instrumentation (QEMU mode)\n" in usage()
1011 " -U - use Unicorn-based instrumentation (Unicorn mode)\n" in usage()
1012 " -W - use qemu-based instrumentation with Wine (Wine mode)\n" in usage()
1013 " (Not necessary, here for consistency with other afl-* " in usage()
1015 " -X - use Nyx mode\n" in usage()
1019 " -i dir - process all files below this directory, must be combined " in usage()
1020 "with -o.\n" in usage()
1021 " With -C, -o is a file, without -C it must be a " in usage()
1024 " -I filelist - alternatively to -i, -I is a list of files\n" in usage()
1025 " -C - collect coverage, writes all edges to -o and gives a " in usage()
1027 " Must be combined with -i.\n" in usage()
1028 " -q - sink program's output and don't show messages\n" in usage()
1029 " -e - show edge coverage only, ignore hit counts\n" in usage()
1030 " -r - show real tuple values instead of AFL filter values\n" in usage()
1031 " -s - do not classify the map\n" in usage()
1032 " -c - allow core dumps\n\n" in usage()
1037 "If you use -i/-I mode, then custom mutator post_process send send " in usage()
1093 fsrv->map_size = map_size; in main()
1113 if (in_dir) { FATAL("Multiple -i options not supported"); } in main()
1118 if (in_filelist) { FATAL("Multiple -I options not supported"); } in main()
1124 if (out_file) { FATAL("Multiple -o options not supported"); } in main()
1132 if (mem_limit_given) { FATAL("Multiple -m options not supported"); } in main()
1135 if (!optarg) { FATAL("Wrong usage of -m"); } in main()
1139 fsrv->mem_limit = 0; in main()
1144 if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || in main()
1145 optarg[0] == '-') { in main()
1147 FATAL("Bad syntax used for -m"); in main()
1154 fsrv->mem_limit *= 1024 * 1024; in main()
1157 fsrv->mem_limit *= 1024; in main()
1160 fsrv->mem_limit /= 1024; in main()
1166 FATAL("Unsupported suffix or bad syntax for -m"); in main()
1170 if (fsrv->mem_limit < 5) { FATAL("Dangerously low value of -m"); } in main()
1172 if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000) { in main()
1174 FATAL("Value of -m out of range on 32-bit systems"); in main()
1184 FATAL("Option -f is not supported in afl-showmap"); in main()
1186 fsrv->use_stdin = 0; in main()
1187 fsrv->out_file = strdup(optarg); in main()
1193 if (timeout_given) { FATAL("Multiple -t options not supported"); } in main()
1196 if (!optarg) { FATAL("Wrong usage of -t"); } in main()
1200 fsrv->exec_tmout = atoi(optarg); in main()
1202 if (fsrv->exec_tmout < 20 || optarg[0] == '-') { in main()
1204 FATAL("Dangerously low value of -t"); in main()
1216 fsrv->exec_tmout = 120 * 1000; in main()
1224 if (edges_only) { FATAL("Multiple -e options not supported"); } in main()
1225 if (raw_instr_output) { FATAL("-e and -r are mutually exclusive"); } in main()
1237 by afl-cmin. Nobody else should have any use for this. */ in main()
1244 /* Another afl-cmin specific feature. */ in main()
1250 if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } in main()
1252 fsrv->frida_mode = true; in main()
1257 /* FIXME: We want to use -P for consistency, but it is already used for in main()
1258 * undocumented feature "Another afl-cmin specific feature." */ in main()
1262 FATAL("-A option is not supported on this platform"); in main()
1265 if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } in main()
1267 fsrv->cs_mode = true; in main()
1272 if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); } in main()
1274 fsrv->qemu_mode = true; in main()
1279 if (unicorn_mode) { FATAL("Multiple -U options not supported"); } in main()
1284 case 'W': /* Wine+QEMU mode */ in main()
1286 if (use_wine) { FATAL("Multiple -W options not supported"); } in main()
1287 fsrv->qemu_mode = true; in main()
1296 if (fsrv->nyx_mode) { FATAL("Multiple -X options not supported"); } in main()
1298 fsrv->nyx_mode = 1; in main()
1299 fsrv->nyx_parent = true; in main()
1300 fsrv->nyx_standalone = true; in main()
1312 similar to that dumped by afl-fuzz in <out_dir>/queue/fuzz_bitmap. */ in main()
1319 if (keep_cores) { FATAL("Multiple -c options not supported"); } in main()
1325 if (raw_instr_output) { FATAL("Multiple -r options not supported"); } in main()
1326 if (edges_only) { FATAL("-e and -r are mutually exclusive"); } in main()
1332 return -1; in main()
1344 if (in_dir && in_filelist) { FATAL("you can only specify either -i or -I"); } in main()
1349 FATAL("for -i/-I you need to specify either -C and/or -o"); in main()
1353 if (fsrv->qemu_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; } in main()
1354 if (unicorn_mode && !mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; } in main()
1359 fsrv->use_fauxsrv = true; in main()
1372 // if (afl->shmem_testcase_mode) { setup_testcase_shmem(afl); } in main()
1383 if (!fsrv->nyx_mode) { in main()
1385 fsrv->target_path = find_binary(argv[optind]); in main()
1389 fsrv->target_path = ck_strdup(argv[optind]); in main()
1394 fsrv->target_path = find_binary(argv[optind]); in main()
1397 fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); in main()
1402 ACTF("Executing '%s'...", fsrv->target_path); in main()
1419 : (char *)alloc_printf("%s/.afl-showmap-temp-%u", in main()
1424 detect_file_args(argv + optind, stdin_file, &fsrv->use_stdin); in main()
1426 fsrv->dev_null_fd = open("/dev/null", O_RDWR); in main()
1427 if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } in main()
1429 fsrv->out_file = stdin_file; in main()
1430 fsrv->out_fd = in main()
1432 if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", stdin_file); } in main()
1437 detect_file_args(argv + optind, at_file, &fsrv->use_stdin); in main()
1441 if (fsrv->qemu_mode) { in main()
1445 use_argv = get_wine_argv(argv[0], &fsrv->target_path, argc - optind, in main()
1450 use_argv = get_qemu_argv(argv[0], &fsrv->target_path, argc - optind, in main()
1455 } else if (fsrv->cs_mode) { in main()
1458 get_cs_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind); in main()
1462 } else if (fsrv->nyx_mode) { in main()
1467 fsrv->nyx_id = 0; in main()
1470 fsrv->nyx_handlers = afl_load_libnyx_plugin(libnyx_binary); in main()
1471 if (fsrv->nyx_handlers == NULL) { in main()
1477 fsrv->nyx_use_tmp_workdir = true; in main()
1478 fsrv->nyx_bind_cpu_id = 0; in main()
1498 fsrv->init_tmout = (u32)forksrv_init_tmout; in main()
1506 exitcode < -127 || exitcode > 128) { in main()
1508 FATAL("Invalid crash exitcode, expected -127 to 128, but got %s", in main()
1513 fsrv->uses_crash_exitcode = true; in main()
1515 fsrv->crash_exitcode = (u8)exitcode; in main()
1520 if (!fsrv->nyx_mode && (in_dir || in_filelist)) { in main()
1522 (void)check_binary_signatures(fsrv->target_path); in main()
1527 if (in_dir) { (void)check_binary_signatures(fsrv->target_path); } in main()
1533 shm_fuzz->cmplog_mode = 0; in main()
1535 shm_fuzz->shmemfuzz_mode = true; in main()
1538 setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); in main()
1540 u8 *shm_str = alloc_printf("%d", shm_fuzz->shm_id); in main()
1544 fsrv->support_shmem_fuzz = true; in main()
1545 fsrv->shmem_fuzz_len = (u32 *)map; in main()
1546 fsrv->shmem_fuzz = map + sizeof(u32); in main()
1549 (fsrv->qemu_mode || unicorn_mode in main()
1551 || fsrv->nyx_mode in main()
1557 if (!fsrv->cs_mode && !fsrv->qemu_mode && !unicorn_mode) { in main()
1563 fsrv->map_size = map_size; in main()
1567 fsrv->map_size = 4194304; // dummy temporary value in main()
1583 (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { in main()
1590 fsrv->map_size = new_map_size; in main()
1591 fsrv->trace_bits = afl_shm_init(&shm, new_map_size, 0); in main()
1599 fsrv->map_size = map_size; in main()
1613 afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY); in main()
1614 if (afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); } in main()
1615 afl->afl_env.afl_custom_mutator_library = in main()
1617 afl->afl_env.afl_python_module = getenv("AFL_PYTHON_MODULE"); in main()
1626 "-i/-I mode!\n"); in main()
1689 DEBUGF("%s:", fsrv->target_path); in main()
1700 map_size = fsrv->map_size; in main()
1702 if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) in main()
1723 if (!quiet_mode) { OKF("Processed %llu input files.", fsrv->total_execs); } in main()
1729 memcpy(fsrv->trace_bits, coverage_map, map_size); in main()
1736 if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) in main()
1740 if (!fsrv->nyx_mode) { in main()
1757 hash64(fsrv->trace_bits, fsrv->map_size, HASH_CONST)); in main()
1768 tcnt, fsrv->real_map_size, highest, total, out_file); in main()
1773 fsrv->total_execs); in main()
1787 if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); in main()
1793 ret = fsrv->last_run_timed_out; in main()
1797 ret = child_crashed * 2 + fsrv->last_run_timed_out; in main()
1801 if (fsrv->target_path) { ck_free(fsrv->target_path); } in main()
1809 if (fsrv->qemu_mode) { free(use_argv[2]); } in main()