1 /*
2 american fuzzy lop++ - fuzzer header
3 ------------------------------------
4
5 Originally written by Michal Zalewski
6
7 Now maintained by Marc Heuse <mh@mh-sec.de>,
8 Heiko Eißfeldt <heiko.eissfeldt@hexco.de>,
9 Andrea Fioraldi <andreafioraldi@gmail.com>,
10 Dominik Maier <mail@dmnk.co>
11
12 Copyright 2016, 2017 Google Inc. All rights reserved.
13 Copyright 2019-2020 AFLplusplus Project. All rights reserved.
14
15 Licensed under the Apache License, Version 2.0 (the "License");
16 you may not use this file except in compliance with the License.
17 You may obtain a copy of the License at:
18
19 http://www.apache.org/licenses/LICENSE-2.0
20
21 This is the real deal: the program takes an instrumented binary and
22 attempts a variety of basic fuzzing tricks, paying close attention to
23 how they affect the execution path.
24
25 */
26
27 #ifndef _AFL_FUZZ_H
28 #define _AFL_FUZZ_H
29
30 #define AFL_MAIN
31 #define MESSAGES_TO_STDOUT
32
33 #ifndef _GNU_SOURCE
34 #define _GNU_SOURCE 1
35 #endif
36 #ifndef _FILE_OFFSET_BITS
37 #define _FILE_OFFSET_BITS 64
38 #endif
39
40 #include "config.h"
41 #include "types.h"
42 #include "debug.h"
43 #include "alloc-inl.h"
44 #include "hash.h"
45 #include "sharedmem.h"
46 #include "forkserver.h"
47 #include "common.h"
48 #include "hash.h"
49
50 #include <stdio.h>
51 #include <unistd.h>
52 #include <stdlib.h>
53 #include <string.h>
54 #include <time.h>
55 #include <errno.h>
56 #include <signal.h>
57 #include <dirent.h>
58 #include <ctype.h>
59 #include <fcntl.h>
60 #include <termios.h>
61 #include <dlfcn.h>
62 #include <sched.h>
63
64 #include <netdb.h>
65 #include <netinet/in.h>
66
67 #include <sys/wait.h>
68 #include <sys/time.h>
69 #ifndef USEMMAP
70 #include <sys/shm.h>
71 #endif
72 #include <sys/stat.h>
73 #include <sys/types.h>
74 #include <sys/resource.h>
75 #include <sys/mman.h>
76 #include <sys/ioctl.h>
77 #include <sys/file.h>
78 #include <sys/types.h>
79
80 #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
81 defined(__NetBSD__) || defined(__DragonFly__)
82 #include <sys/sysctl.h>
83 #endif /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
84
85 #if defined(__HAIKU__)
86 #include <kernel/OS.h>
87 #include <kernel/scheduler.h>
88 #endif
89
90 /* For systems that have sched_setaffinity; right now just Linux, but one
91 can hope... */
92
93 #if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
94 defined(__DragonFly__) || defined(__sun)
95 #define HAVE_AFFINITY 1
96 #if defined(__FreeBSD__) || defined(__DragonFly__)
97 #include <sys/param.h>
98 #if defined(__FreeBSD__)
99 #include <sys/cpuset.h>
100 #endif
101 #include <sys/user.h>
102 #include <pthread.h>
103 #include <pthread_np.h>
104 #define cpu_set_t cpuset_t
105 #elif defined(__NetBSD__)
106 #include <pthread.h>
107 #elif defined(__sun)
108 #include <sys/types.h>
109 #include <kstat.h>
110 #include <sys/sysinfo.h>
111 #include <sys/pset.h>
112 #include <strings.h>
113 #endif
114 #endif /* __linux__ */
115
116 #ifdef __APPLE__
117 #include <TargetConditionals.h>
118 #endif
119
120 #undef LIST_FOREACH /* clashes with FreeBSD */
121 #include "list.h"
122 #ifndef SIMPLE_FILES
123 #define CASE_PREFIX "id:"
124 #else
125 #define CASE_PREFIX "id_"
126 #endif /* ^!SIMPLE_FILES */
127
128 #define STAGE_BUF_SIZE (64) /* usable size for stage name buf in afl_state */
129
130 // Little helper to access the ptr to afl->##name_buf - for use in afl_realloc.
131 #define AFL_BUF_PARAM(name) ((void **)&afl->name##_buf)
132
133 #ifdef WORD_SIZE_64
134 #define AFL_RAND_RETURN u64
135 #else
136 #define AFL_RAND_RETURN u32
137 #endif
138
139 extern s8 interesting_8[INTERESTING_8_LEN];
140 extern s16 interesting_16[INTERESTING_8_LEN + INTERESTING_16_LEN];
141 extern s32
142 interesting_32[INTERESTING_8_LEN + INTERESTING_16_LEN + INTERESTING_32_LEN];
143
144 struct tainted {
145
146 u32 pos;
147 u32 len;
148 struct tainted *next;
149 struct tainted *prev;
150
151 };
152
153 struct queue_entry {
154
155 u8 *fname; /* File name for the test case */
156 u32 len; /* Input length */
157 u32 id; /* entry number in queue_buf */
158
159 u8 colorized, /* Do not run redqueen stage again */
160 cal_failed; /* Calibration failed? */
161 bool trim_done, /* Trimmed? */
162 was_fuzzed, /* historical, but needed for MOpt */
163 passed_det, /* Deterministic stages passed? */
164 has_new_cov, /* Triggers new coverage? */
165 var_behavior, /* Variable behavior? */
166 favored, /* Currently favored? */
167 fs_redundant, /* Marked as redundant in the fs? */
168 is_ascii, /* Is the input just ascii text? */
169 disabled; /* Is disabled from fuzz selection */
170
171 u32 bitmap_size, /* Number of bits set in bitmap */
172 fuzz_level, /* Number of fuzzing iterations */
173 n_fuzz_entry; /* offset in n_fuzz */
174
175 u64 exec_us, /* Execution time (us) */
176 handicap, /* Number of queue cycles behind */
177 depth, /* Path depth */
178 exec_cksum; /* Checksum of the execution trace */
179
180 u8 *trace_mini; /* Trace bytes, if kept */
181 u32 tc_ref; /* Trace bytes ref count */
182
183 #ifdef INTROSPECTION
184 u32 bitsmap_size;
185 #endif
186
187 double perf_score, /* performance score */
188 weight;
189
190 u8 *testcase_buf; /* The testcase buffer, if loaded. */
191
192 u8 * cmplog_colorinput; /* the result buf of colorization */
193 struct tainted *taint; /* Taint information from CmpLog */
194
195 struct queue_entry *mother; /* queue entry this based on */
196
197 };
198
199 struct extra_data {
200
201 u8 *data; /* Dictionary token data */
202 u32 len; /* Dictionary token length */
203 u32 hit_cnt; /* Use count in the corpus */
204
205 };
206
207 struct auto_extra_data {
208
209 u8 data[MAX_AUTO_EXTRA]; /* Dictionary token data */
210 u32 len; /* Dictionary token length */
211 u32 hit_cnt; /* Use count in the corpus */
212
213 };
214
215 /* Fuzzing stages */
216
217 enum {
218
219 /* 00 */ STAGE_FLIP1,
220 /* 01 */ STAGE_FLIP2,
221 /* 02 */ STAGE_FLIP4,
222 /* 03 */ STAGE_FLIP8,
223 /* 04 */ STAGE_FLIP16,
224 /* 05 */ STAGE_FLIP32,
225 /* 06 */ STAGE_ARITH8,
226 /* 07 */ STAGE_ARITH16,
227 /* 08 */ STAGE_ARITH32,
228 /* 09 */ STAGE_INTEREST8,
229 /* 10 */ STAGE_INTEREST16,
230 /* 11 */ STAGE_INTEREST32,
231 /* 12 */ STAGE_EXTRAS_UO,
232 /* 13 */ STAGE_EXTRAS_UI,
233 /* 14 */ STAGE_EXTRAS_AO,
234 /* 15 */ STAGE_HAVOC,
235 /* 16 */ STAGE_SPLICE,
236 /* 17 */ STAGE_PYTHON,
237 /* 18 */ STAGE_CUSTOM_MUTATOR,
238 /* 19 */ STAGE_COLORIZATION,
239 /* 20 */ STAGE_ITS,
240
241 STAGE_NUM_MAX
242
243 };
244
245 /* Stage value types */
246
247 enum {
248
249 /* 00 */ STAGE_VAL_NONE,
250 /* 01 */ STAGE_VAL_LE,
251 /* 02 */ STAGE_VAL_BE
252
253 };
254
255 #define operator_num 19
256 #define swarm_num 5
257 #define period_core 500000
258
259 #define RAND_C (rand() % 1000 * 0.001)
260 #define v_max 1
261 #define v_min 0.05
262 #define limit_time_bound 1.1
263 #define SPLICE_CYCLES_puppet_up 25
264 #define SPLICE_CYCLES_puppet_low 5
265 #define STAGE_RANDOMBYTE 12
266 #define STAGE_DELETEBYTE 13
267 #define STAGE_Clone75 14
268 #define STAGE_OverWrite75 15
269 #define STAGE_OverWriteExtra 16
270 #define STAGE_InsertExtra 17
271 #define STAGE_Splice 18
272 #define period_pilot 50000
273
274 enum {
275
276 /* 00 */ EXPLORE, /* AFL default, Exploration-based constant schedule */
277 /* 01 */ MMOPT, /* Modified MOPT schedule */
278 /* 02 */ EXPLOIT, /* AFL's exploitation-based const. */
279 /* 03 */ FAST, /* Exponential schedule */
280 /* 04 */ COE, /* Cut-Off Exponential schedule */
281 /* 05 */ LIN, /* Linear schedule */
282 /* 06 */ QUAD, /* Quadratic schedule */
283 /* 07 */ RARE, /* Rare edges */
284 /* 08 */ SEEK, /* EXPLORE that ignores timings */
285
286 POWER_SCHEDULES_NUM
287
288 };
289
290 /* Python stuff */
291 #ifdef USE_PYTHON
292
293 // because Python sets stuff it should not ...
294 #ifdef _POSIX_C_SOURCE
295 #define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE
296 #undef _POSIX_C_SOURCE
297 #endif
298 #ifdef _XOPEN_SOURCE
299 #define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE
300 #undef _XOPEN_SOURCE
301 #endif
302
303 #include <Python.h>
304
305 #ifdef _SAVE_POSIX_C_SOURCE
306 #ifdef _POSIX_C_SOURCE
307 #undef _POSIX_C_SOURCE
308 #endif
309 #define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE
310 #endif
311 #ifdef _SAVE_XOPEN_SOURCE
312 #ifdef _XOPEN_SOURCE
313 #undef _XOPEN_SOURCE
314 #endif
315 #define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE
316 #endif
317
318 enum {
319
320 /* 00 */ PY_FUNC_INIT,
321 /* 01 */ PY_FUNC_DEINIT,
322 /* FROM HERE ON BELOW ALL ARE OPTIONAL */
323 /* 02 */ PY_OPTIONAL = 2,
324 /* 02 */ PY_FUNC_FUZZ = 2,
325 /* 03 */ PY_FUNC_FUZZ_COUNT,
326 /* 04 */ PY_FUNC_POST_PROCESS,
327 /* 05 */ PY_FUNC_INIT_TRIM,
328 /* 06 */ PY_FUNC_POST_TRIM,
329 /* 07 */ PY_FUNC_TRIM,
330 /* 08 */ PY_FUNC_HAVOC_MUTATION,
331 /* 09 */ PY_FUNC_HAVOC_MUTATION_PROBABILITY,
332 /* 10 */ PY_FUNC_QUEUE_GET,
333 /* 11 */ PY_FUNC_QUEUE_NEW_ENTRY,
334 /* 12 */ PY_FUNC_INTROSPECTION,
335 /* 13 */ PY_FUNC_DESCRIBE,
336 PY_FUNC_COUNT
337
338 };
339
340 typedef struct py_mutator {
341
342 PyObject *py_module;
343 PyObject *py_functions[PY_FUNC_COUNT];
344 void * afl_state;
345 void * py_data;
346
347 u8 * fuzz_buf;
348 size_t fuzz_size;
349
350 Py_buffer post_process_buf;
351
352 u8 * trim_buf;
353 size_t trim_size;
354
355 u8 * havoc_buf;
356 size_t havoc_size;
357
358 } py_mutator_t;
359
360 #endif
361
362 typedef struct MOpt_globals {
363
364 u64 * finds;
365 u64 * finds_v2;
366 u64 * cycles;
367 u64 * cycles_v2;
368 u64 * cycles_v3;
369 u32 is_pilot_mode;
370 u64 * pTime;
371 u64 period;
372 char *havoc_stagename;
373 char *splice_stageformat;
374 char *havoc_stagenameshort;
375 char *splice_stagenameshort;
376
377 } MOpt_globals_t;
378
379 extern char *power_names[POWER_SCHEDULES_NUM];
380
381 typedef struct afl_env_vars {
382
383 u8 afl_skip_cpufreq, afl_exit_when_done, afl_no_affinity, afl_skip_bin_check,
384 afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui,
385 afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
386 afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast,
387 afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new,
388 afl_exit_on_seed_issues, afl_try_affinity;
389
390 u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
391 *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload,
392 *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
393 *afl_crash_exitcode, *afl_statsd_tags_flavor, *afl_testcache_size,
394 *afl_testcache_entries, *afl_kill_signal, *afl_target_env,
395 *afl_persistent_record, *afl_exit_on_time;
396
397 } afl_env_vars_t;
398
399 struct afl_pass_stat {
400
401 u8 total;
402 u8 faileds;
403
404 };
405
406 struct foreign_sync {
407
408 u8 * dir;
409 time_t mtime;
410
411 };
412
413 typedef struct afl_state {
414
415 /* Position of this state in the global states list */
416 u32 _id;
417
418 afl_forkserver_t fsrv;
419 sharedmem_t shm;
420 sharedmem_t * shm_fuzz;
421 afl_env_vars_t afl_env;
422
423 char **argv; /* argv if needed */
424
425 /* MOpt:
426 Lots of globals, but mostly for the status UI and other things where it
427 really makes no sense to haul them around as function parameters. */
428 u64 orig_hit_cnt_puppet, last_limit_time_start, tmp_pilot_time,
429 total_pacemaker_time, total_puppet_find, temp_puppet_find, most_time_key,
430 most_time, most_execs_key, most_execs, old_hit_count, force_ui_update,
431 prev_run_time;
432
433 MOpt_globals_t mopt_globals_core, mopt_globals_pilot;
434
435 s32 limit_time_puppet, SPLICE_CYCLES_puppet, limit_time_sig, key_puppet,
436 key_module;
437
438 double w_init, w_end, w_now;
439
440 s32 g_now;
441 s32 g_max;
442
443 u64 tmp_core_time;
444 s32 swarm_now;
445
446 double x_now[swarm_num][operator_num], L_best[swarm_num][operator_num],
447 eff_best[swarm_num][operator_num], G_best[operator_num],
448 v_now[swarm_num][operator_num], probability_now[swarm_num][operator_num],
449 swarm_fitness[swarm_num];
450
451 u64 stage_finds_puppet[swarm_num][operator_num], /* Patterns found per
452 fuzz stage */
453 stage_finds_puppet_v2[swarm_num][operator_num],
454 stage_cycles_puppet_v2[swarm_num][operator_num],
455 stage_cycles_puppet_v3[swarm_num][operator_num],
456 stage_cycles_puppet[swarm_num][operator_num],
457 operator_finds_puppet[operator_num],
458 core_operator_finds_puppet[operator_num],
459 core_operator_finds_puppet_v2[operator_num],
460 core_operator_cycles_puppet[operator_num],
461 core_operator_cycles_puppet_v2[operator_num],
462 core_operator_cycles_puppet_v3[operator_num]; /* Execs per fuzz stage */
463
464 double period_pilot_tmp;
465 s32 key_lv;
466
467 u8 *in_dir, /* Input directory with test cases */
468 *out_dir, /* Working & output directory */
469 *tmp_dir, /* Temporary directory for input */
470 *sync_dir, /* Synchronization directory */
471 *sync_id, /* Fuzzer ID */
472 *power_name, /* Power schedule name */
473 *use_banner, /* Display banner */
474 *in_bitmap, /* Input bitmap */
475 *file_extension, /* File extension */
476 *orig_cmdline, /* Original command line */
477 *infoexec; /* Command to execute on a new crash */
478
479 u32 hang_tmout; /* Timeout used for hang det (ms) */
480
481 u8 havoc_stack_pow2, /* HAVOC_STACK_POW2 */
482 no_unlink, /* do not unlink cur_input */
483 debug, /* Debug mode */
484 custom_only, /* Custom mutator only mode */
485 is_main_node, /* if this is the main node */
486 is_secondary_node; /* if this is a secondary instance */
487
488 u32 stats_update_freq; /* Stats update frequency (execs) */
489
490 u8 schedule; /* Power schedule (default: EXPLORE)*/
491 u8 havoc_max_mult;
492
493 u8 skip_deterministic, /* Skip deterministic stages? */
494 use_splicing, /* Recombine input files? */
495 non_instrumented_mode, /* Run in non-instrumented mode? */
496 score_changed, /* Scoring for favorites changed? */
497 resuming_fuzz, /* Resuming an older fuzzing job? */
498 timeout_given, /* Specific timeout given? */
499 not_on_tty, /* stdout is not a tty */
500 term_too_small, /* terminal dimensions too small */
501 no_forkserver, /* Disable forkserver? */
502 crash_mode, /* Crash mode! Yeah! */
503 in_place_resume, /* Attempt in-place resume? */
504 autoresume, /* Resume if afl->out_dir exists? */
505 auto_changed, /* Auto-generated tokens changed? */
506 no_cpu_meter_red, /* Feng shui on the status screen */
507 no_arith, /* Skip most arithmetic ops */
508 shuffle_queue, /* Shuffle input queue? */
509 bitmap_changed, /* Time to update bitmap? */
510 unicorn_mode, /* Running in Unicorn mode? */
511 use_wine, /* Use WINE with QEMU mode */
512 skip_requested, /* Skip request, via SIGUSR1 */
513 run_over10m, /* Run time over 10 minutes? */
514 persistent_mode, /* Running in persistent mode? */
515 deferred_mode, /* Deferred forkserver mode? */
516 fixed_seed, /* do not reseed */
517 fast_cal, /* Try to calibrate faster? */
518 disable_trim, /* Never trim in fuzz_one */
519 shmem_testcase_mode, /* If sharedmem testcases are used */
520 expand_havoc, /* perform expensive havoc after no find */
521 cycle_schedules, /* cycle power schedules? */
522 old_seed_selection, /* use vanilla afl seed selection */
523 reinit_table; /* reinit the queue weight table */
524
525 u8 *virgin_bits, /* Regions yet untouched by fuzzing */
526 *virgin_tmout, /* Bits we haven't seen in tmouts */
527 *virgin_crash; /* Bits we haven't seen in crashes */
528
529 double *alias_probability; /* alias weighted probabilities */
530 u32 * alias_table; /* alias weighted random lookup table */
531 u32 active_paths; /* enabled entries in the queue */
532
533 u8 *var_bytes; /* Bytes that appear to be variable */
534
535 #define N_FUZZ_SIZE (1 << 21)
536 u32 *n_fuzz;
537
538 volatile u8 stop_soon, /* Ctrl-C pressed? */
539 clear_screen; /* Window resized? */
540
541 u32 queued_paths, /* Total number of queued testcases */
542 queued_variable, /* Testcases with variable behavior */
543 queued_at_start, /* Total number of initial inputs */
544 queued_discovered, /* Items discovered during this run */
545 queued_imported, /* Items imported via -S */
546 queued_favored, /* Paths deemed favorable */
547 queued_with_cov, /* Paths with new coverage bytes */
548 pending_not_fuzzed, /* Queued but not done yet */
549 pending_favored, /* Pending favored paths */
550 cur_skipped_paths, /* Abandoned inputs in cur cycle */
551 cur_depth, /* Current path depth */
552 max_depth, /* Max path depth */
553 useless_at_start, /* Number of useless starting paths */
554 var_byte_count, /* Bitmap bytes with var behavior */
555 current_entry, /* Current queue entry ID */
556 havoc_div, /* Cycle count divisor for havoc */
557 max_det_extras; /* deterministic extra count (dicts)*/
558
559 u64 total_crashes, /* Total number of crashes */
560 unique_crashes, /* Crashes with unique signatures */
561 total_tmouts, /* Total number of timeouts */
562 unique_tmouts, /* Timeouts with unique signatures */
563 unique_hangs, /* Hangs with unique signatures */
564 last_crash_execs, /* Exec counter at last crash */
565 queue_cycle, /* Queue round counter */
566 cycles_wo_finds, /* Cycles without any new paths */
567 trim_execs, /* Execs done to trim input files */
568 bytes_trim_in, /* Bytes coming into the trimmer */
569 bytes_trim_out, /* Bytes coming outa the trimmer */
570 blocks_eff_total, /* Blocks subject to effector maps */
571 blocks_eff_select, /* Blocks selected as fuzzable */
572 start_time, /* Unix start time (ms) */
573 last_sync_time, /* Time of last sync */
574 last_sync_cycle, /* Cycle no. of the last sync */
575 last_path_time, /* Time for most recent path (ms) */
576 last_crash_time, /* Time for most recent crash (ms) */
577 last_hang_time, /* Time for most recent hang (ms) */
578 exit_on_time; /* Delay to exit if no new paths */
579
580 u32 slowest_exec_ms, /* Slowest testcase non hang in ms */
581 subseq_tmouts; /* Number of timeouts in a row */
582
583 u8 *stage_name, /* Name of the current fuzz stage */
584 *stage_short, /* Short stage name */
585 *syncing_party; /* Currently syncing with... */
586
587 u8 stage_name_buf[STAGE_BUF_SIZE]; /* reused stagename buf with len 64 */
588
589 u32 stage_cur, stage_max; /* Stage progression */
590 s32 splicing_with; /* Splicing with which test case? */
591
592 u32 main_node_id, main_node_max; /* Main instance job splitting */
593
594 u32 syncing_case; /* Syncing with case #... */
595
596 s32 stage_cur_byte, /* Byte offset of current stage op */
597 stage_cur_val; /* Value used for stage op */
598
599 u8 stage_val_type; /* Value type (STAGE_VAL_*) */
600
601 u64 stage_finds[32], /* Patterns found per fuzz stage */
602 stage_cycles[32]; /* Execs per fuzz stage */
603
604 u32 rand_cnt; /* Random number counter */
605
606 /* unsigned long rand_seed[3]; would also work */
607 AFL_RAND_RETURN rand_seed[3];
608 s64 init_seed;
609
610 u64 total_cal_us, /* Total calibration time (us) */
611 total_cal_cycles; /* Total calibration cycles */
612
613 u64 total_bitmap_size, /* Total bit count for all bitmaps */
614 total_bitmap_entries; /* Number of bitmaps counted */
615
616 s32 cpu_core_count, /* CPU core count */
617 cpu_to_bind; /* bind to specific CPU */
618
619 #ifdef HAVE_AFFINITY
620 s32 cpu_aff; /* Selected CPU core */
621 #endif /* HAVE_AFFINITY */
622
623 struct queue_entry *queue, /* Fuzzing queue (linked list) */
624 *queue_cur, /* Current offset within the queue */
625 *queue_top; /* Top of the list */
626
627 // growing buf
628 struct queue_entry **queue_buf;
629
630 struct queue_entry **top_rated; /* Top entries for bitmap bytes */
631
632 struct extra_data *extras; /* Extra tokens to fuzz with */
633 u32 extras_cnt; /* Total number of tokens read */
634
635 struct auto_extra_data
636 a_extras[MAX_AUTO_EXTRAS]; /* Automatically selected extras */
637 u32 a_extras_cnt; /* Total number of tokens available */
638
639 /* afl_postprocess API - Now supported via custom mutators */
640
641 /* CmpLog */
642
643 char * cmplog_binary;
644 afl_forkserver_t cmplog_fsrv; /* cmplog has its own little forkserver */
645
646 /* Custom mutators */
647 struct custom_mutator *mutator;
648
649 /* cmplog forkserver ids */
650 s32 cmplog_fsrv_ctl_fd, cmplog_fsrv_st_fd;
651 u32 cmplog_prev_timed_out;
652 u32 cmplog_max_filesize;
653 u32 cmplog_lvl;
654 u32 colorize_success;
655 u8 cmplog_enable_arith, cmplog_enable_transform;
656
657 struct afl_pass_stat *pass_stats;
658 struct cmp_map * orig_cmp_map;
659
660 u8 describe_op_buf_256[256]; /* describe_op will use this to return a string
661 up to 256 */
662
663 unsigned long long int last_avg_exec_update;
664 u32 last_avg_execs;
665 double last_avg_execs_saved;
666
667 /* foreign sync */
668 #define FOREIGN_SYNCS_MAX 32U
669 u8 foreign_sync_cnt;
670 struct foreign_sync foreign_syncs[FOREIGN_SYNCS_MAX];
671
672 #ifdef _AFL_DOCUMENT_MUTATIONS
673 u8 do_document;
674 u32 document_counter;
675 #endif
676
677 /* statistics file */
678 double last_bitmap_cvg, last_stability, last_eps;
679
680 /* plot file saves from last run */
681 u32 plot_prev_qp, plot_prev_pf, plot_prev_pnf, plot_prev_ce, plot_prev_md;
682 u64 plot_prev_qc, plot_prev_uc, plot_prev_uh, plot_prev_ed;
683
684 u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs;
685
686 /* StatsD */
687 u64 statsd_last_send_ms;
688 struct sockaddr_in statsd_server;
689 int statsd_sock;
690 char * statsd_tags_flavor;
691 char * statsd_tags_format;
692 char * statsd_metric_format;
693 int statsd_metric_format_type;
694
695 double stats_avg_exec;
696
697 u8 *clean_trace;
698 u8 *clean_trace_custom;
699 u8 *first_trace;
700
701 /*needed for afl_fuzz_one */
702 // TODO: see which we can reuse
703 u8 *out_buf;
704
705 u8 *out_scratch_buf;
706
707 u8 *eff_buf;
708
709 u8 *in_buf;
710
711 u8 *in_scratch_buf;
712
713 u8 *ex_buf;
714
715 u8 *testcase_buf, *splicecase_buf;
716
717 u32 custom_mutators_count;
718
719 struct custom_mutator *current_custom_fuzz;
720
721 list_t custom_mutator_list;
722
723 /* this is a fixed buffer of size map_size that can be used by any function if
724 * they do not call another function */
725 u8 *map_tmp_buf;
726
727 /* queue entries ready for splicing count (len > 4) */
728 u32 ready_for_splicing_count;
729
730 /* This is the user specified maximum size to use for the testcase cache */
731 u64 q_testcase_max_cache_size;
732
733 /* This is the user specified maximum entries in the testcase cache */
734 u32 q_testcase_max_cache_entries;
735
736 /* How much of the testcase cache is used so far */
737 u64 q_testcase_cache_size;
738
739 /* highest cache count so far */
740 u32 q_testcase_max_cache_count;
741
742 /* How many queue entries currently have cached testcases */
743 u32 q_testcase_cache_count;
744
745 /* the smallest id currently known free entry */
746 u32 q_testcase_smallest_free;
747
748 /* How often did we evict from the cache (for statistics only) */
749 u32 q_testcase_evictions;
750
751 /* Refs to each queue entry with cached testcase (for eviction, if cache_count
752 * is too large) */
753 struct queue_entry **q_testcase_cache;
754
755 #ifdef INTROSPECTION
756 char mutation[8072];
757 char m_tmp[4096];
758 FILE *introspection_file;
759 u32 bitsmap_size;
760 #endif
761
762 } afl_state_t;
763
764 struct custom_mutator {
765
766 const char *name;
767 char * name_short;
768 void * dh;
769 u8 * post_process_buf;
770 u8 stacked_custom_prob, stacked_custom;
771
772 void *data; /* custom mutator data ptr */
773
774 /* hooks for the custom mutator function */
775
776 /**
777 * Initialize the custom mutator.
778 *
779 * @param afl AFL instance.
780 * @param seed Seed used for the mutation.
781 * @return pointer to internal data or NULL on error
782 */
783 void *(*afl_custom_init)(afl_state_t *afl, unsigned int seed);
784
785 /**
786 * When afl-fuzz was compiled with INTROSPECTION=1 then custom mutators can
787 * also give introspection information back with this function.
788 *
789 * @param data pointer returned in afl_custom_init by this custom mutator
790 * @return pointer to a text string (const char*)
791 */
792 const char *(*afl_custom_introspection)(void *data);
793
794 /**
795 * This method is called just before fuzzing a queue entry with the custom
796 * mutator, and receives the initial buffer. It should return the number of
797 * fuzzes to perform.
798 *
799 * A value of 0 means no fuzzing of this queue entry.
800 *
801 * The function is now allowed to change the data.
802 *
803 * (Optional)
804 *
805 * @param data pointer returned in afl_custom_init by this custom mutator
806 * @param buf Buffer containing the test case
807 * @param buf_size Size of the test case
808 * @return The amount of fuzzes to perform on this queue entry, 0 = skip
809 */
810 u32 (*afl_custom_fuzz_count)(void *data, const u8 *buf, size_t buf_size);
811
812 /**
813 * Perform custom mutations on a given input
814 *
815 * (Optional for now. Required in the future)
816 *
817 * @param data pointer returned in afl_custom_init by this custom mutator
818 * @param[in] buf Pointer to the input data to be mutated and the mutated
819 * output
820 * @param[in] buf_size Size of the input/output data
821 * @param[out] out_buf the new buffer. We may reuse *buf if large enough.
822 * *out_buf = NULL is treated as FATAL.
823 * @param[in] add_buf Buffer containing the additional test case
824 * @param[in] add_buf_size Size of the additional test case
825 * @param[in] max_size Maximum size of the mutated output. The mutation must
826 * not produce data larger than max_size.
827 * @return Size of the mutated output.
828 */
829 size_t (*afl_custom_fuzz)(void *data, u8 *buf, size_t buf_size, u8 **out_buf,
830 u8 *add_buf, size_t add_buf_size, size_t max_size);
831
832 /**
833 * Describe the current testcase, generated by the last mutation.
834 * This will be called, for example, to give the written testcase a name
835 * after a crash ocurred. It can help to reproduce crashing mutations.
836 *
837 * (Optional)
838 *
839 * @param data pointer returned by afl_customm_init for this custom mutator
840 * @paramp[in] max_description_len maximum size avaliable for the description.
841 * A longer return string is legal, but will be truncated.
842 * @return A valid ptr to a 0-terminated string.
843 * An empty or NULL return will result in a default description
844 */
845 const char *(*afl_custom_describe)(void *data, size_t max_description_len);
846
847 /**
848 * A post-processing function to use right before AFL writes the test case to
849 * disk in order to execute the target.
850 *
851 * (Optional) If this functionality is not needed, simply don't define this
852 * function.
853 *
854 * @param[in] data pointer returned in afl_custom_init by this custom mutator
855 * @param[in] buf Buffer containing the test case to be executed
856 * @param[in] buf_size Size of the test case
857 * @param[out] out_buf Pointer to the buffer storing the test case after
858 * processing. External library should allocate memory for out_buf.
859 * It can chose to alter buf in-place, if the space is large enough.
860 * @return Size of the output buffer.
861 */
862 size_t (*afl_custom_post_process)(void *data, u8 *buf, size_t buf_size,
863 u8 **out_buf);
864
865 /**
866 * This method is called at the start of each trimming operation and receives
867 * the initial buffer. It should return the amount of iteration steps possible
868 * on this input (e.g. if your input has n elements and you want to remove
869 * them one by one, return n, if you do a binary search, return log(n),
870 * and so on...).
871 *
872 * If your trimming algorithm doesn't allow you to determine the amount of
873 * (remaining) steps easily (esp. while running), then you can alternatively
874 * return 1 here and always return 0 in post_trim until you are finished and
875 * no steps remain. In that case, returning 1 in post_trim will end the
876 * trimming routine. The whole current index/max iterations stuff is only used
877 * to show progress.
878 *
879 * (Optional)
880 *
881 * @param data pointer returned in afl_custom_init by this custom mutator
882 * @param buf Buffer containing the test case
883 * @param buf_size Size of the test case
884 * @return The amount of possible iteration steps to trim the input.
885 * Negative on error.
886 */
887 s32 (*afl_custom_init_trim)(void *data, u8 *buf, size_t buf_size);
888
889 /**
890 * This method is called for each trimming operation. It doesn't have any
891 * arguments because we already have the initial buffer from init_trim and we
892 * can memorize the current state in global variables. This can also save
893 * reparsing steps for each iteration. It should return the trimmed input
894 * buffer, where the returned data must not exceed the initial input data in
895 * length. Returning anything that is larger than the original data (passed
896 * to init_trim) will result in a fatal abort of AFLFuzz.
897 *
898 * (Optional)
899 *
900 * @param data pointer returned in afl_custom_init by this custom mutator
901 * @param[out] out_buf Pointer to the buffer containing the trimmed test case.
902 * The library can reuse a buffer for each call
903 * and will have to free the buf (for example in deinit)
904 * @return the size of the trimmed test case
905 */
906 size_t (*afl_custom_trim)(void *data, u8 **out_buf);
907
908 /**
909 * This method is called after each trim operation to inform you if your
910 * trimming step was successful or not (in terms of coverage). If you receive
911 * a failure here, you should reset your input to the last known good state.
912 *
913 * (Optional)
914 *
915 * @param data pointer returned in afl_custom_init by this custom mutator
916 * @param success Indicates if the last trim operation was successful.
917 * @return The next trim iteration index (from 0 to the maximum amount of
918 * steps returned in init_trim). Negative on error.
919 */
920 s32 (*afl_custom_post_trim)(void *data, u8 success);
921
922 /**
923 * Perform a single custom mutation on a given input.
924 * This mutation is stacked with the other muatations in havoc.
925 *
926 * (Optional)
927 *
928 * @param[in] data pointer returned in afl_custom_init by this custom mutator
929 * @param[in] buf Pointer to the input data to be mutated and the mutated
930 * output
931 * @param[in] buf_size Size of input data
932 * @param[out] out_buf The new buffer. It's legal to reuse *buf if it's <
933 * buf_size.
934 * @param[in] max_size Maximum size of the mutated output. The mutation must
935 * not produce data larger than max_size.
936 * @return Size of the mutated output (out_size).
937 */
938 size_t (*afl_custom_havoc_mutation)(void *data, u8 *buf, size_t buf_size,
939 u8 **out_buf, size_t max_size);
940
941 /**
942 * Return the probability (in percentage) that afl_custom_havoc_mutation
943 * is called in havoc. By default it is 6 %.
944 *
945 * (Optional)
946 *
947 * @param data pointer returned in afl_custom_init by this custom mutator
948 * @return The probability (0-100).
949 */
950 u8 (*afl_custom_havoc_mutation_probability)(void *data);
951
952 /**
953 * Determine whether the fuzzer should fuzz the current queue entry or not.
954 *
955 * (Optional)
956 *
957 * @param data pointer returned in afl_custom_init by this custom mutator
958 * @param filename File name of the test case in the queue entry
959 * @return Return True(1) if the fuzzer will fuzz the queue entry, and
960 * False(0) otherwise.
961 */
962 u8 (*afl_custom_queue_get)(void *data, const u8 *filename);
963
964 /**
965 * Allow for additional analysis (e.g. calling a different tool that does a
966 * different kind of coverage and saves this for the custom mutator).
967 *
968 * (Optional)
969 *
970 * @param data pointer returned in afl_custom_init by this custom mutator
971 * @param filename_new_queue File name of the new queue entry
972 * @param filename_orig_queue File name of the original queue entry. This
973 * argument can be NULL while initializing the fuzzer
974 */
975 void (*afl_custom_queue_new_entry)(void *data, const u8 *filename_new_queue,
976 const u8 *filename_orig_queue);
977 /**
978 * Deinitialize the custom mutator.
979 *
980 * @param data pointer returned in afl_custom_init by this custom mutator
981 */
982 void (*afl_custom_deinit)(void *data);
983
984 };
985
986 void afl_state_init(afl_state_t *, uint32_t map_size);
987 void afl_state_deinit(afl_state_t *);
988
989 /* Set stop_soon flag on all childs, kill all childs */
990 void afl_states_stop(void);
991 /* Set clear_screen flag on all states */
992 void afl_states_clear_screen(void);
993 /* Sets the skip flag on all states */
994 void afl_states_request_skip(void);
995
996 /* Setup shmem for testcase delivery */
997 void setup_testcase_shmem(afl_state_t *afl);
998
999 void read_afl_environment(afl_state_t *, char **);
1000
1001 /**** Prototypes ****/
1002
1003 /* Custom mutators */
1004 void setup_custom_mutators(afl_state_t *);
1005 void destroy_custom_mutators(afl_state_t *);
1006 u8 trim_case_custom(afl_state_t *, struct queue_entry *q, u8 *in_buf,
1007 struct custom_mutator *mutator);
1008
1009 /* Python */
1010 #ifdef USE_PYTHON
1011
1012 struct custom_mutator *load_custom_mutator_py(afl_state_t *, char *);
1013 void finalize_py_module(void *);
1014
1015 u32 fuzz_count_py(void *, const u8 *, size_t);
1016 size_t post_process_py(void *, u8 *, size_t, u8 **);
1017 s32 init_trim_py(void *, u8 *, size_t);
1018 s32 post_trim_py(void *, u8);
1019 size_t trim_py(void *, u8 **);
1020 size_t havoc_mutation_py(void *, u8 *, size_t, u8 **, size_t);
1021 u8 havoc_mutation_probability_py(void *);
1022 u8 queue_get_py(void *, const u8 *);
1023 const char *introspection_py(void *);
1024 void queue_new_entry_py(void *, const u8 *, const u8 *);
1025 void deinit_py(void *);
1026
1027 #endif
1028
1029 /* Queue */
1030
1031 void mark_as_det_done(afl_state_t *, struct queue_entry *);
1032 void mark_as_variable(afl_state_t *, struct queue_entry *);
1033 void mark_as_redundant(afl_state_t *, struct queue_entry *, u8);
1034 void add_to_queue(afl_state_t *, u8 *, u32, u8);
1035 void destroy_queue(afl_state_t *);
1036 void update_bitmap_score(afl_state_t *, struct queue_entry *);
1037 void cull_queue(afl_state_t *);
1038 u32 calculate_score(afl_state_t *, struct queue_entry *);
1039
1040 /* Bitmap */
1041
1042 void write_bitmap(afl_state_t *);
1043 u32 count_bits(afl_state_t *, u8 *);
1044 u32 count_bytes(afl_state_t *, u8 *);
1045 u32 count_non_255_bytes(afl_state_t *, u8 *);
1046 void simplify_trace(afl_state_t *, u8 *);
1047 void classify_counts(afl_forkserver_t *);
1048 #ifdef WORD_SIZE_64
1049 void discover_word(u8 *ret, u64 *current, u64 *virgin);
1050 #else
1051 void discover_word(u8 *ret, u32 *current, u32 *virgin);
1052 #endif
1053 void init_count_class16(void);
1054 void minimize_bits(afl_state_t *, u8 *, u8 *);
1055 #ifndef SIMPLE_FILES
1056 u8 *describe_op(afl_state_t *, u8, size_t);
1057 #endif
1058 u8 save_if_interesting(afl_state_t *, void *, u32, u8);
1059 u8 has_new_bits(afl_state_t *, u8 *);
1060 u8 has_new_bits_unclassified(afl_state_t *, u8 *);
1061
1062 /* Extras */
1063
1064 void load_extras_file(afl_state_t *, u8 *, u32 *, u32 *, u32);
1065 void load_extras(afl_state_t *, u8 *);
1066 void dedup_extras(afl_state_t *);
1067 void deunicode_extras(afl_state_t *);
1068 void add_extra(afl_state_t *afl, u8 *mem, u32 len);
1069 void maybe_add_auto(afl_state_t *, u8 *, u32);
1070 void save_auto(afl_state_t *);
1071 void load_auto(afl_state_t *);
1072 void destroy_extras(afl_state_t *);
1073
1074 /* Stats */
1075
1076 void load_stats_file(afl_state_t *);
1077 void write_setup_file(afl_state_t *, u32, char **);
1078 void write_stats_file(afl_state_t *, u32, double, double, double);
1079 void maybe_update_plot_file(afl_state_t *, u32, double, double);
1080 void show_stats(afl_state_t *);
1081 void show_init_stats(afl_state_t *);
1082
1083 /* StatsD */
1084
1085 void statsd_setup_format(afl_state_t *afl);
1086 int statsd_socket_init(afl_state_t *afl);
1087 int statsd_send_metric(afl_state_t *afl);
1088 int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen);
1089
1090 /* Run */
1091
1092 fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32);
1093 void write_to_testcase(afl_state_t *, void *, u32);
1094 u8 calibrate_case(afl_state_t *, struct queue_entry *, u8 *, u32, u8);
1095 void sync_fuzzers(afl_state_t *);
1096 u8 trim_case(afl_state_t *, struct queue_entry *, u8 *);
1097 u8 common_fuzz_stuff(afl_state_t *, u8 *, u32);
1098
1099 /* Fuzz one */
1100
1101 u8 fuzz_one_original(afl_state_t *);
1102 u8 pilot_fuzzing(afl_state_t *);
1103 u8 core_fuzzing(afl_state_t *);
1104 void pso_updating(afl_state_t *);
1105 u8 fuzz_one(afl_state_t *);
1106
1107 /* Init */
1108
1109 #ifdef HAVE_AFFINITY
1110 void bind_to_free_cpu(afl_state_t *);
1111 #endif
1112 void setup_post(afl_state_t *);
1113 void read_testcases(afl_state_t *, u8 *);
1114 void perform_dry_run(afl_state_t *);
1115 void pivot_inputs(afl_state_t *);
1116 u32 find_start_position(afl_state_t *);
1117 void find_timeout(afl_state_t *);
1118 double get_runnable_processes(void);
1119 void nuke_resume_dir(afl_state_t *);
1120 int check_main_node_exists(afl_state_t *);
1121 u32 select_next_queue_entry(afl_state_t *afl);
1122 void create_alias_table(afl_state_t *afl);
1123 void setup_dirs_fds(afl_state_t *);
1124 void setup_cmdline_file(afl_state_t *, char **);
1125 void setup_stdio_file(afl_state_t *);
1126 void check_crash_handling(void);
1127 void check_cpu_governor(afl_state_t *);
1128 void get_core_count(afl_state_t *);
1129 void fix_up_sync(afl_state_t *);
1130 void check_asan_opts(afl_state_t *);
1131 void check_binary(afl_state_t *, u8 *);
1132 void fix_up_banner(afl_state_t *, u8 *);
1133 void check_if_tty(afl_state_t *);
1134 void setup_signal_handlers(void);
1135 void save_cmdline(afl_state_t *, u32, char **);
1136 void read_foreign_testcases(afl_state_t *, int);
1137 void write_crash_readme(afl_state_t *afl);
1138
1139 /* CmpLog */
1140
1141 u8 common_fuzz_cmplog_stuff(afl_state_t *afl, u8 *out_buf, u32 len);
1142
1143 /* RedQueen */
1144 u8 input_to_state_stage(afl_state_t *afl, u8 *orig_buf, u8 *buf, u32 len);
1145
1146 /* our RNG wrapper */
1147 AFL_RAND_RETURN rand_next(afl_state_t *afl);
1148
1149 /* probability between 0.0 and 1.0 */
1150 double rand_next_percent(afl_state_t *afl);
1151
1152 /**** Inline routines ****/
1153
1154 /* Generate a random number (from 0 to limit - 1). This may
1155 have slight bias. */
1156
rand_below(afl_state_t * afl,u32 limit)1157 static inline u32 rand_below(afl_state_t *afl, u32 limit) {
1158
1159 if (limit <= 1) return 0;
1160
1161 /* The boundary not being necessarily a power of 2,
1162 we need to ensure the result uniformity. */
1163 if (unlikely(!afl->rand_cnt--) && likely(!afl->fixed_seed)) {
1164
1165 ck_read(afl->fsrv.dev_urandom_fd, &afl->rand_seed, sizeof(afl->rand_seed),
1166 "/dev/urandom");
1167 // srandom(afl->rand_seed[0]);
1168 afl->rand_cnt = (RESEED_RNG / 2) + (afl->rand_seed[1] % RESEED_RNG);
1169
1170 }
1171
1172 /* Modulo is biased - we don't want our fuzzing to be biased so let's do it
1173 right. See:
1174 https://stackoverflow.com/questions/10984974/why-do-people-say-there-is-modulo-bias-when-using-a-random-number-generator
1175 */
1176 u64 unbiased_rnd;
1177 do {
1178
1179 unbiased_rnd = rand_next(afl);
1180
1181 } while (unlikely(unbiased_rnd >= (UINT64_MAX - (UINT64_MAX % limit))));
1182
1183 return unbiased_rnd % limit;
1184
1185 }
1186
1187 /* we prefer lower range values here */
1188 /* this is only called with normal havoc, not MOpt, to have an equalizer for
1189 expand havoc mode */
rand_below_datalen(afl_state_t * afl,u32 limit)1190 static inline u32 rand_below_datalen(afl_state_t *afl, u32 limit) {
1191
1192 if (limit <= 1) return 0;
1193
1194 switch (rand_below(afl, 3)) {
1195
1196 case 2:
1197 return (rand_below(afl, limit) % (1 + rand_below(afl, limit - 1))) %
1198 (1 + rand_below(afl, limit - 1));
1199 break;
1200 case 1:
1201 return rand_below(afl, limit) % (1 + rand_below(afl, limit - 1));
1202 break;
1203 case 0:
1204 return rand_below(afl, limit);
1205 break;
1206
1207 }
1208
1209 return 1; // cannot be reached
1210
1211 }
1212
rand_get_seed(afl_state_t * afl)1213 static inline s64 rand_get_seed(afl_state_t *afl) {
1214
1215 if (unlikely(afl->fixed_seed)) { return afl->init_seed; }
1216 return afl->rand_seed[0];
1217
1218 }
1219
1220 /* initialize randomness with a given seed. Can be called again at any time. */
1221 void rand_set_seed(afl_state_t *afl, s64 init_seed);
1222
1223 /* Find first power of two greater or equal to val (assuming val under
1224 2^63). */
1225
next_p2(u64 val)1226 static inline u64 next_p2(u64 val) {
1227
1228 u64 ret = 1;
1229 while (val > ret) {
1230
1231 ret <<= 1;
1232
1233 }
1234
1235 return ret;
1236
1237 }
1238
1239 /* Returns the testcase buf from the file behind this queue entry.
1240 Increases the refcount. */
1241 u8 *queue_testcase_get(afl_state_t *afl, struct queue_entry *q);
1242
1243 /* If trimming changes the testcase size we have to reload it */
1244 void queue_testcase_retake(afl_state_t *afl, struct queue_entry *q,
1245 u32 old_len);
1246
1247 /* If trimming changes the testcase size we have to replace it */
1248 void queue_testcase_retake_mem(afl_state_t *afl, struct queue_entry *q, u8 *in,
1249 u32 len, u32 old_len);
1250
1251 /* Add a new queue entry directly to the cache */
1252
1253 void queue_testcase_store_mem(afl_state_t *afl, struct queue_entry *q, u8 *mem);
1254
1255 #if TESTCASE_CACHE == 1
1256 #error define of TESTCASE_CACHE must be zero or larger than 1
1257 #endif
1258
1259 #endif
1260
1261