2 american fuzzy lop++ - test case minimizer
3 ------------------------------------------
9 Now maintained by Marc Heuse <mh@mh-sec.de>,
15 Copyright 2019-2024 AFLplusplus Project. All rights reserved.
21 https://www.apache.org/licenses/LICENSE-2.0
25 *or* producing consistent instrumentation output (the mode is auto-selected
35 #include "alloc-inl.h"
61 static u8 *mask_bitmap; /* Mask for trace bits (-B) */
76 static u8 crash_mode, /* Crash-centric mode? */
78 exit_crash, /* Treat non-zero exit as crash? */
85 static volatile u8 stop_soon; /* Ctrl-C pressed? */
114 if (fsrv->child_pid > 0) { in kill_child()
116 kill(fsrv->child_pid, fsrv->child_kill_signal); in kill_child()
117 fsrv->child_pid = -1; in kill_child()
127 fsrv->support_shmem_fuzz = 0; in deinit_shmem()
128 fsrv->shmem_fuzz_len = NULL; in deinit_shmem()
129 fsrv->shmem_fuzz = NULL; in deinit_shmem()
143 while (i--) { in apply_mask()
155 u8 *mem = fsrv->trace_bits; in classify_counts()
160 while (i--) { in classify_counts()
169 while (i--) { in classify_counts()
184 u32 *ptr = (u32 *)fsrv->trace_bits; in anything_set()
187 while (i--) { in anything_set()
202 if (fsrv->use_shmem_fuzz) deinit_shmem(fsrv, shm_fuzz); in at_exit_handler()
220 if (fstat(fd, &st) || !st.st_size) { FATAL("Zero-sized input file."); } in read_initial_file()
268 afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon); in tmin_run_target()
300 apply_mask((u32 *)fsrv->trace_bits, (u32 *)mask_bitmap); in tmin_run_target()
328 /* Handle non-crashing inputs appropriately. */ in tmin_run_target()
341 u64 cksum = hash64(fsrv->trace_bits, fsrv->map_size, HASH_CONST); in tmin_run_target()
374 ACTF(cBRI "Stage #0: " cRST "One-time block normalization..."); in minimize()
378 u32 use_len = MIN(set_len, in_len - set_pos); in minimize()
415 ACTF(cYEL "--- " cBRI "Pass #%u " cYEL "---", ++cur_pass); in minimize()
441 tail_len = in_len - del_pos - del_len; in minimize()
447 as the previous one... skip this step as a no-op. */ in minimize()
450 !memcmp(in_data + del_pos - del_len, in_data + del_pos, del_len)) { in minimize()
490 OKF("Block removal complete, %u bytes deleted.", stage_o_len - in_len); in minimize()
495 "Down to zero bytes - check the command line and mem limit!" cRST); in minimize()
605 100 - ((double)in_len) * 100 / orig_len, in_len, in minimize()
608 fsrv->total_execs, missed_paths, missed_crashes); in minimize()
617 100 - ((double)in_len) * 100 / orig_len, in_len, in_len == 1 ? "" : "s", in minimize()
619 fsrv->total_execs, missed_paths, missed_crashes, in minimize()
622 if (fsrv->total_execs > 50 && missed_hangs * 10 > fsrv->total_execs && in minimize()
625 WARNF(cLRD "Frequent timeouts - results may be skewed." cRST); in minimize()
631 /* Handle Ctrl-C and the like. */
641 /* Do basic preparations - persistent fds, filenames, etc. */
649 fsrv->dev_null_fd = open("/dev/null", O_RDWR); in set_up_environment()
650 if (fsrv->dev_null_fd < 0) { PFATAL("Unable to open /dev/null"); } in set_up_environment()
663 out_file = alloc_printf("%s/.afl-tmin-temp-%u", use_dir, (u32)getpid()); in set_up_environment()
670 fsrv->out_file = out_file; in set_up_environment()
671 fsrv->out_fd = open(out_file, O_RDWR | O_CREAT | O_EXCL, DEFAULT_PERMISSION); in set_up_environment()
673 if (fsrv->out_fd < 0) { PFATAL("Unable to create '%s'", out_file); } in set_up_environment()
684 MSAN_ERROR) " - please fix!"); in set_up_environment()
694 if (fsrv->qemu_mode) { in set_up_environment()
696 /* afl-qemu-trace takes care of converting AFL_PRELOAD. */ in set_up_environment()
698 } else if (fsrv->frida_mode) { in set_up_environment()
701 u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); in set_up_environment()
726 } else if (fsrv->frida_mode) { in set_up_environment()
728 u8 *frida_binary = find_afl_binary(argv[0], "afl-frida-trace.so"); in set_up_environment()
769 "\n%s [ options ] -- /path/to/target_app [ ... ]\n\n" in usage()
773 " -i file - input test case to be shrunk by the tool\n" in usage()
774 " -o file - final output location for the minimized data\n\n" in usage()
778 " -f file - input file read by the tested program (stdin)\n" in usage()
779 " -t msec - timeout for each run (%u ms)\n" in usage()
780 " -m megs - memory limit for child process (%u MB)\n" in usage()
782 " -A - use binary-only instrumentation (ARM CoreSight mode)\n" in usage()
784 " -O - use binary-only instrumentation (FRIDA mode)\n" in usage()
786 " -Q - use binary-only instrumentation (QEMU mode)\n" in usage()
787 " -U - use unicorn-based instrumentation (Unicorn mode)\n" in usage()
788 " -W - use qemu-based instrumentation with Wine (Wine " in usage()
790 " (Not necessary, here for consistency with other afl-* " in usage()
792 " -X - use Nyx mode\n" in usage()
798 " -e - solve for edge coverage only, ignore hit counts\n" in usage()
799 " -x - treat non-zero exit codes as crashes\n\n" in usage()
800 " -H - minimize a hang (hang mode)\n" in usage()
843 fsrv->map_size = map_size; in main()
847 SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n"); in main()
855 if (in_file) { FATAL("Multiple -i options not supported"); } in main()
861 if (output_file) { FATAL("Multiple -o options not supported"); } in main()
867 if (out_file) { FATAL("Multiple -f options not supported"); } in main()
868 fsrv->use_stdin = 0; in main()
874 if (edges_only) { FATAL("Multiple -e options not supported"); } in main()
886 if (exit_crash) { FATAL("Multiple -x options not supported"); } in main()
894 if (mem_limit_given) { FATAL("Multiple -m options not supported"); } in main()
897 if (!optarg) { FATAL("Wrong usage of -m"); } in main()
901 fsrv->mem_limit = 0; in main()
906 if (sscanf(optarg, "%llu%c", &fsrv->mem_limit, &suffix) < 1 || in main()
907 optarg[0] == '-') { in main()
909 FATAL("Bad syntax used for -m"); in main()
916 fsrv->mem_limit *= 1024 * 1024; in main()
919 fsrv->mem_limit *= 1024; in main()
922 fsrv->mem_limit /= 1024; in main()
928 FATAL("Unsupported suffix or bad syntax for -m"); in main()
932 if (fsrv->mem_limit < 5) { FATAL("Dangerously low value of -m"); } in main()
934 if (sizeof(rlim_t) == 4 && fsrv->mem_limit > 2000) { in main()
936 FATAL("Value of -m out of range on 32-bit systems"); in main()
946 if (timeout_given) { FATAL("Multiple -t options not supported"); } in main()
949 if (!optarg) { FATAL("Wrong usage of -t"); } in main()
951 fsrv->exec_tmout = atoi(optarg); in main()
953 if (fsrv->exec_tmout < 10 || optarg[0] == '-') { in main()
955 FATAL("Dangerously low value of -t"); in main()
964 FATAL("-A option is not supported on this platform"); in main()
967 if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); } in main()
969 fsrv->cs_mode = 1; in main()
974 if (fsrv->frida_mode) { FATAL("Multiple -O options not supported"); } in main()
976 fsrv->frida_mode = 1; in main()
983 if (fsrv->qemu_mode) { FATAL("Multiple -Q options not supported"); } in main()
984 if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_QEMU; } in main()
986 fsrv->qemu_mode = 1; in main()
991 if (unicorn_mode) { FATAL("Multiple -Q options not supported"); } in main()
992 if (!mem_limit_given) { fsrv->mem_limit = MEM_LIMIT_UNICORN; } in main()
997 case 'W': /* Wine+QEMU mode */ in main()
999 if (use_wine) { FATAL("Multiple -W options not supported"); } in main()
1000 fsrv->qemu_mode = 1; in main()
1003 if (!mem_limit_given) { fsrv->mem_limit = 0; } in main()
1011 if (fsrv->nyx_mode) { FATAL("Multiple -X options not supported"); } in main()
1013 fsrv->nyx_mode = 1; in main()
1014 fsrv->nyx_parent = true; in main()
1015 fsrv->nyx_standalone = true; in main()
1028 if (hang_mode) { FATAL("Multipe -H options not supported"); } in main()
1045 afl-showmap -b, and then load it into afl-tmin via -B. The minimizer in main()
1053 if (mask_bitmap) { FATAL("Multiple -B options not supported"); } in main()
1060 return -1; in main()
1075 fsrv->use_fauxsrv = true; in main()
1090 if (!fsrv->nyx_mode) { in main()
1092 fsrv->target_path = find_binary(argv[optind]); in main()
1096 fsrv->target_path = ck_strdup(argv[optind]); in main()
1101 fsrv->target_path = find_binary(argv[optind]); in main()
1104 fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); in main()
1105 detect_file_args(argv + optind, out_file, &fsrv->use_stdin); in main()
1108 if (fsrv->qemu_mode) { in main()
1112 use_argv = get_wine_argv(argv[0], &fsrv->target_path, argc - optind, in main()
1117 use_argv = get_qemu_argv(argv[0], &fsrv->target_path, argc - optind, in main()
1122 } else if (fsrv->cs_mode) { in main()
1125 get_cs_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind); in main()
1129 } else if (fsrv->nyx_mode) { in main()
1131 fsrv->nyx_id = 0; in main()
1134 fsrv->nyx_handlers = afl_load_libnyx_plugin(libnyx_binary); in main()
1135 if (fsrv->nyx_handlers == NULL) { in main()
1141 fsrv->nyx_use_tmp_workdir = true; in main()
1142 fsrv->nyx_bind_cpu_id = 0; in main()
1173 fsrv->init_tmout = (u32)forksrv_init_tmout; in main()
1178 fsrv, NULL, NULL, (fsrv->qemu_mode || unicorn_mode) ? SIGKILL : SIGTERM); in main()
1184 exitcode < -127 || exitcode > 128) { in main()
1186 FATAL("Invalid crash exitcode, expected -127 to 128, but got %s", in main()
1191 fsrv->uses_crash_exitcode = true; in main()
1193 fsrv->crash_exitcode = (u8)exitcode; in main()
1200 shm_fuzz->cmplog_mode = 0; in main()
1202 shm_fuzz->shmemfuzz_mode = 1; in main()
1205 setenv(SHM_FUZZ_ENV_VAR, shm_fuzz->g_shm_file_path, 1); in main()
1207 u8 *shm_str = alloc_printf("%d", shm_fuzz->shm_id); in main()
1211 fsrv->support_shmem_fuzz = 1; in main()
1212 fsrv->shmem_fuzz_len = (u32 *)map; in main()
1213 fsrv->shmem_fuzz = map + sizeof(u32); in main()
1218 if (!fsrv->nyx_mode) { (void)check_binary_signatures(fsrv->target_path); } in main()
1220 (void)check_binary_signatures(fsrv->target_path); in main()
1223 if (!fsrv->qemu_mode && !unicorn_mode) { in main()
1225 fsrv->map_size = 4194304; // dummy temporary value in main()
1236 (new_map_size > map_size && new_map_size - map_size > MAP_SIZE)) { in main()
1243 fsrv->map_size = new_map_size; in main()
1244 fsrv->trace_bits = afl_shm_init(&shm, new_map_size, 0); in main()
1257 fsrv->map_size = map_size; in main()
1269 if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz) in main()
1273 fsrv->mem_limit, fsrv->exec_tmout, edges_only ? ", edges only" : ""); in main()
1277 if (hang_mode && !fsrv->last_run_timed_out) { in main()
1281 "(-H) was set (-t %u).", in main()
1282 fsrv->exec_tmout); in main()
1286 if (fsrv->last_run_timed_out && !hang_mode) { in main()
1289 "Target binary times out (adjusting -t may help). Use -H to minimize a " in main()
1327 if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz); in main()
1329 if (fsrv->target_path) { ck_free(fsrv->target_path); } in main()