1 /*
2 american fuzzy lop++ - globals declarations
3 -------------------------------------------
4
5 Originally written by Michal Zalewski
6
7 Now maintained by Marc Heuse <mh@mh-sec.de>,
8 Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
9 Andrea Fioraldi <andreafioraldi@gmail.com>
10
11 Copyright 2016, 2017 Google Inc. All rights reserved.
12 Copyright 2019-2020 AFLplusplus Project. All rights reserved.
13
14 Licensed under the Apache License, Version 2.0 (the "License");
15 you may not use this file except in compliance with the License.
16 You may obtain a copy of the License at:
17
18 http://www.apache.org/licenses/LICENSE-2.0
19
20 This is the real deal: the program takes an instrumented binary and
21 attempts a variety of basic fuzzing tricks, paying close attention to
22 how they affect the execution path.
23
24 */
25
26 #include "afl-fuzz.h"
27 #include "envs.h"
28
29 s8 interesting_8[] = {INTERESTING_8};
30 s16 interesting_16[] = {INTERESTING_8, INTERESTING_16};
31 s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32};
32
33 char *power_names[POWER_SCHEDULES_NUM] = {"explore", "mmopt", "exploit",
34 "fast", "coe", "lin",
35 "quad", "rare", "seek"};
36
37 /* Initialize MOpt "globals" for this afl state */
38
init_mopt_globals(afl_state_t * afl)39 static void init_mopt_globals(afl_state_t *afl) {
40
41 MOpt_globals_t *core = &afl->mopt_globals_core;
42 core->finds = afl->core_operator_finds_puppet;
43 core->finds_v2 = afl->core_operator_finds_puppet_v2;
44 core->cycles = afl->core_operator_cycles_puppet;
45 core->cycles_v2 = afl->core_operator_cycles_puppet_v2;
46 core->cycles_v3 = afl->core_operator_cycles_puppet_v3;
47 core->is_pilot_mode = 0;
48 core->pTime = &afl->tmp_core_time;
49 core->period = period_core;
50 core->havoc_stagename = "MOpt-core-havoc";
51 core->splice_stageformat = "MOpt-core-splice %u";
52 core->havoc_stagenameshort = "MOpt_core_havoc";
53 core->splice_stagenameshort = "MOpt_core_splice";
54
55 MOpt_globals_t *pilot = &afl->mopt_globals_pilot;
56 pilot->finds = afl->stage_finds_puppet[0];
57 pilot->finds_v2 = afl->stage_finds_puppet_v2[0];
58 pilot->cycles = afl->stage_cycles_puppet[0];
59 pilot->cycles_v2 = afl->stage_cycles_puppet_v2[0];
60 pilot->cycles_v3 = afl->stage_cycles_puppet_v3[0];
61 pilot->is_pilot_mode = 1;
62 pilot->pTime = &afl->tmp_pilot_time;
63 pilot->period = period_pilot;
64 pilot->havoc_stagename = "MOpt-havoc";
65 pilot->splice_stageformat = "MOpt-splice %u";
66 pilot->havoc_stagenameshort = "MOpt_havoc";
67 pilot->splice_stagenameshort = "MOpt_splice";
68
69 }
70
71 /* A global pointer to all instances is needed (for now) for signals to arrive
72 */
73
74 static list_t afl_states = {.element_prealloc_count = 0};
75
76 /* Initializes an afl_state_t. */
77
afl_state_init(afl_state_t * afl,uint32_t map_size)78 void afl_state_init(afl_state_t *afl, uint32_t map_size) {
79
80 /* thanks to this memset, growing vars like out_buf
81 and out_size are NULL/0 by default. */
82 memset(afl, 0, sizeof(afl_state_t));
83
84 afl->shm.map_size = map_size ? map_size : MAP_SIZE;
85
86 afl->w_init = 0.9;
87 afl->w_end = 0.3;
88 afl->g_max = 5000;
89 afl->period_pilot_tmp = 5000.0;
90 afl->schedule = FAST; /* Power schedule (default: FAST) */
91 afl->havoc_max_mult = HAVOC_MAX_MULT;
92
93 afl->clear_screen = 1; /* Window resized? */
94 afl->havoc_div = 1; /* Cycle count divisor for havoc */
95 afl->stage_name = "init"; /* Name of the current fuzz stage */
96 afl->splicing_with = -1; /* Splicing with which test case? */
97 afl->cpu_to_bind = -1;
98 afl->havoc_stack_pow2 = HAVOC_STACK_POW2;
99 afl->hang_tmout = EXEC_TIMEOUT;
100 afl->exit_on_time = 0;
101 afl->stats_update_freq = 1;
102 afl->stats_avg_exec = 0;
103 afl->skip_deterministic = 1;
104 afl->cmplog_lvl = 2;
105 #ifndef NO_SPLICING
106 afl->use_splicing = 1;
107 #endif
108 afl->q_testcase_max_cache_size = TESTCASE_CACHE_SIZE * 1048576UL;
109 afl->q_testcase_max_cache_entries = 64 * 1024;
110
111 #ifdef HAVE_AFFINITY
112 afl->cpu_aff = -1; /* Selected CPU core */
113 #endif /* HAVE_AFFINITY */
114
115 afl->virgin_bits = ck_alloc(map_size);
116 afl->virgin_tmout = ck_alloc(map_size);
117 afl->virgin_crash = ck_alloc(map_size);
118 afl->var_bytes = ck_alloc(map_size);
119 afl->top_rated = ck_alloc(map_size * sizeof(void *));
120 afl->clean_trace = ck_alloc(map_size);
121 afl->clean_trace_custom = ck_alloc(map_size);
122 afl->first_trace = ck_alloc(map_size);
123 afl->map_tmp_buf = ck_alloc(map_size);
124
125 afl->fsrv.use_stdin = 1;
126 afl->fsrv.map_size = map_size;
127 // afl_state_t is not available in forkserver.c
128 afl->fsrv.afl_ptr = (void *)afl;
129 afl->fsrv.add_extra_func = (void (*)(void *, u8 *, u32)) & add_extra;
130 afl->fsrv.exec_tmout = EXEC_TIMEOUT;
131 afl->fsrv.mem_limit = MEM_LIMIT;
132 afl->fsrv.dev_urandom_fd = -1;
133 afl->fsrv.dev_null_fd = -1;
134 afl->fsrv.child_pid = -1;
135 afl->fsrv.out_dir_fd = -1;
136
137 init_mopt_globals(afl);
138
139 list_append(&afl_states, afl);
140
141 }
142
143 /*This sets up the environment variables for afl-fuzz into the afl_state
144 * struct*/
145
read_afl_environment(afl_state_t * afl,char ** envp)146 void read_afl_environment(afl_state_t *afl, char **envp) {
147
148 int index = 0, issue_detected = 0;
149 char *env;
150 while ((env = envp[index++]) != NULL) {
151
152 if (strncmp(env, "ALF_", 4) == 0) {
153
154 WARNF("Potentially mistyped AFL environment variable: %s", env);
155 issue_detected = 1;
156
157 } else if (strncmp(env, "USE_", 4) == 0) {
158
159 WARNF(
160 "Potentially mistyped AFL environment variable: %s, did you mean "
161 "AFL_%s?",
162 env, env);
163 issue_detected = 1;
164
165 } else if (strncmp(env, "AFL_", 4) == 0) {
166
167 int i = 0, match = 0;
168 while (match == 0 && afl_environment_variables[i] != NULL) {
169
170 size_t afl_environment_variable_len =
171 strlen(afl_environment_variables[i]);
172 if (strncmp(env, afl_environment_variables[i],
173 afl_environment_variable_len) == 0 &&
174 env[afl_environment_variable_len] == '=') {
175
176 match = 1;
177 if (!strncmp(env, "AFL_SKIP_CPUFREQ", afl_environment_variable_len)) {
178
179 afl->afl_env.afl_skip_cpufreq =
180 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
181
182 } else if (!strncmp(env, "AFL_EXIT_WHEN_DONE",
183
184 afl_environment_variable_len)) {
185
186 afl->afl_env.afl_exit_when_done =
187 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
188
189 } else if (!strncmp(env, "AFL_EXIT_ON_TIME",
190
191 afl_environment_variable_len)) {
192
193 afl->afl_env.afl_exit_on_time =
194 (u8 *)get_afl_env(afl_environment_variables[i]);
195
196 } else if (!strncmp(env, "AFL_NO_AFFINITY",
197
198 afl_environment_variable_len)) {
199
200 afl->afl_env.afl_no_affinity =
201 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
202
203 } else if (!strncmp(env, "AFL_TRY_AFFINITY",
204
205 afl_environment_variable_len)) {
206
207 afl->afl_env.afl_try_affinity =
208 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
209
210 } else if (!strncmp(env, "AFL_SKIP_CRASHES",
211
212 afl_environment_variable_len)) {
213
214 // we should mark this obsolete in a few versions
215
216 } else if (!strncmp(env, "AFL_HANG_TMOUT",
217
218 afl_environment_variable_len)) {
219
220 afl->afl_env.afl_hang_tmout =
221 (u8 *)get_afl_env(afl_environment_variables[i]);
222
223 } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK",
224
225 afl_environment_variable_len)) {
226
227 afl->afl_env.afl_skip_bin_check =
228 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
229
230 } else if (!strncmp(env, "AFL_DUMB_FORKSRV",
231
232 afl_environment_variable_len)) {
233
234 afl->afl_env.afl_dumb_forksrv =
235 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
236
237 } else if (!strncmp(env, "AFL_IMPORT_FIRST",
238
239 afl_environment_variable_len)) {
240
241 afl->afl_env.afl_import_first =
242 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
243
244 } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_ONLY",
245
246 afl_environment_variable_len)) {
247
248 afl->afl_env.afl_custom_mutator_only =
249 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
250
251 } else if (!strncmp(env, "AFL_CMPLOG_ONLY_NEW",
252
253 afl_environment_variable_len)) {
254
255 afl->afl_env.afl_cmplog_only_new =
256 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
257
258 } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) {
259
260 afl->afl_env.afl_no_ui =
261 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
262
263 } else if (!strncmp(env, "AFL_FORCE_UI",
264
265 afl_environment_variable_len)) {
266
267 afl->afl_env.afl_force_ui =
268 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
269
270 } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES",
271
272 afl_environment_variable_len)) {
273
274 afl->afl_env.afl_i_dont_care_about_missing_crashes =
275 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
276
277 } else if (!strncmp(env, "AFL_BENCH_JUST_ONE",
278
279 afl_environment_variable_len)) {
280
281 afl->afl_env.afl_bench_just_one =
282 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
283
284 } else if (!strncmp(env, "AFL_BENCH_UNTIL_CRASH",
285
286 afl_environment_variable_len)) {
287
288 afl->afl_env.afl_bench_until_crash =
289 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
290
291 } else if (!strncmp(env, "AFL_DEBUG_CHILD",
292
293 afl_environment_variable_len) ||
294 !strncmp(env, "AFL_DEBUG_CHILD_OUTPUT",
295 afl_environment_variable_len)) {
296
297 afl->afl_env.afl_debug_child =
298 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
299
300 } else if (!strncmp(env, "AFL_AUTORESUME",
301
302 afl_environment_variable_len)) {
303
304 afl->afl_env.afl_autoresume =
305 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
306
307 } else if (!strncmp(env, "AFL_PERSISTENT_RECORD",
308
309 afl_environment_variable_len)) {
310
311 afl->afl_env.afl_persistent_record =
312 get_afl_env(afl_environment_variables[i]);
313
314 } else if (!strncmp(env, "AFL_CYCLE_SCHEDULES",
315
316 afl_environment_variable_len)) {
317
318 afl->cycle_schedules = afl->afl_env.afl_cycle_schedules =
319 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
320
321 } else if (!strncmp(env, "AFL_EXIT_ON_SEED_ISSUES",
322
323 afl_environment_variable_len)) {
324
325 afl->afl_env.afl_exit_on_seed_issues =
326 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
327
328 } else if (!strncmp(env, "AFL_EXPAND_HAVOC_NOW",
329
330 afl_environment_variable_len)) {
331
332 afl->expand_havoc = afl->afl_env.afl_expand_havoc =
333 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
334
335 } else if (!strncmp(env, "AFL_CAL_FAST",
336
337 afl_environment_variable_len)) {
338
339 afl->afl_env.afl_cal_fast =
340 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
341
342 } else if (!strncmp(env, "AFL_FAST_CAL",
343
344 afl_environment_variable_len)) {
345
346 afl->afl_env.afl_cal_fast =
347 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
348
349 } else if (!strncmp(env, "AFL_STATSD",
350
351 afl_environment_variable_len)) {
352
353 afl->afl_env.afl_statsd =
354 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
355
356 } else if (!strncmp(env, "AFL_TMPDIR",
357
358 afl_environment_variable_len)) {
359
360 afl->afl_env.afl_tmpdir =
361 (u8 *)get_afl_env(afl_environment_variables[i]);
362
363 } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY",
364
365 afl_environment_variable_len)) {
366
367 afl->afl_env.afl_custom_mutator_library =
368 (u8 *)get_afl_env(afl_environment_variables[i]);
369
370 } else if (!strncmp(env, "AFL_PYTHON_MODULE",
371
372 afl_environment_variable_len)) {
373
374 afl->afl_env.afl_python_module =
375 (u8 *)get_afl_env(afl_environment_variables[i]);
376
377 } else if (!strncmp(env, "AFL_PATH", afl_environment_variable_len)) {
378
379 afl->afl_env.afl_path =
380 (u8 *)get_afl_env(afl_environment_variables[i]);
381
382 } else if (!strncmp(env, "AFL_PRELOAD",
383
384 afl_environment_variable_len)) {
385
386 afl->afl_env.afl_preload =
387 (u8 *)get_afl_env(afl_environment_variables[i]);
388
389 } else if (!strncmp(env, "AFL_MAX_DET_EXTRAS",
390
391 afl_environment_variable_len)) {
392
393 afl->afl_env.afl_max_det_extras =
394 (u8 *)get_afl_env(afl_environment_variables[i]);
395
396 } else if (!strncmp(env, "AFL_FORKSRV_INIT_TMOUT",
397
398 afl_environment_variable_len)) {
399
400 afl->afl_env.afl_forksrv_init_tmout =
401 (u8 *)get_afl_env(afl_environment_variables[i]);
402
403 } else if (!strncmp(env, "AFL_TESTCACHE_SIZE",
404
405 afl_environment_variable_len)) {
406
407 afl->afl_env.afl_testcache_size =
408 (u8 *)get_afl_env(afl_environment_variables[i]);
409
410 } else if (!strncmp(env, "AFL_TESTCACHE_ENTRIES",
411
412 afl_environment_variable_len)) {
413
414 afl->afl_env.afl_testcache_entries =
415 (u8 *)get_afl_env(afl_environment_variables[i]);
416
417 } else if (!strncmp(env, "AFL_STATSD_HOST",
418
419 afl_environment_variable_len)) {
420
421 afl->afl_env.afl_statsd_host =
422 (u8 *)get_afl_env(afl_environment_variables[i]);
423
424 } else if (!strncmp(env, "AFL_STATSD_PORT",
425
426 afl_environment_variable_len)) {
427
428 afl->afl_env.afl_statsd_port =
429 (u8 *)get_afl_env(afl_environment_variables[i]);
430
431 } else if (!strncmp(env, "AFL_STATSD_TAGS_FLAVOR",
432
433 afl_environment_variable_len)) {
434
435 afl->afl_env.afl_statsd_tags_flavor =
436 (u8 *)get_afl_env(afl_environment_variables[i]);
437
438 } else if (!strncmp(env, "AFL_CRASH_EXITCODE",
439
440 afl_environment_variable_len)) {
441
442 afl->afl_env.afl_crash_exitcode =
443 (u8 *)get_afl_env(afl_environment_variables[i]);
444
445 #if defined USE_COLOR && !defined ALWAYS_COLORED
446
447 } else if (!strncmp(env, "AFL_NO_COLOR",
448
449 afl_environment_variable_len)) {
450
451 afl->afl_env.afl_statsd_tags_flavor =
452 (u8 *)get_afl_env(afl_environment_variables[i]);
453
454 } else if (!strncmp(env, "AFL_NO_COLOUR",
455
456 afl_environment_variable_len)) {
457
458 afl->afl_env.afl_statsd_tags_flavor =
459 (u8 *)get_afl_env(afl_environment_variables[i]);
460 #endif
461
462 } else if (!strncmp(env, "AFL_KILL_SIGNAL",
463
464 afl_environment_variable_len)) {
465
466 afl->afl_env.afl_kill_signal =
467 (u8 *)get_afl_env(afl_environment_variables[i]);
468
469 } else if (!strncmp(env, "AFL_TARGET_ENV",
470
471 afl_environment_variable_len)) {
472
473 afl->afl_env.afl_target_env =
474 (u8 *)get_afl_env(afl_environment_variables[i]);
475
476 }
477
478 } else {
479
480 i++;
481
482 }
483
484 }
485
486 i = 0;
487 while (match == 0 && afl_environment_variables[i] != NULL) {
488
489 if (strncmp(env, afl_environment_variables[i],
490 strlen(afl_environment_variables[i])) == 0 &&
491 env[strlen(afl_environment_variables[i])] == '=') {
492
493 match = 1;
494
495 } else {
496
497 i++;
498
499 }
500
501 }
502
503 i = 0;
504 while (match == 0 && afl_environment_deprecated[i] != NULL) {
505
506 if (strncmp(env, afl_environment_deprecated[i],
507 strlen(afl_environment_deprecated[i])) == 0 &&
508 env[strlen(afl_environment_deprecated[i])] == '=') {
509
510 match = 1;
511
512 WARNF("AFL environment variable %s is deprecated!",
513 afl_environment_deprecated[i]);
514 issue_detected = 1;
515
516 } else {
517
518 i++;
519
520 }
521
522 }
523
524 if (match == 0) {
525
526 WARNF("Mistyped AFL environment variable: %s", env);
527 issue_detected = 1;
528
529 print_suggested_envs(env);
530
531 }
532
533 }
534
535 }
536
537 if (issue_detected) { sleep(2); }
538
539 }
540
541 /* Removes this afl_state instance and frees it. */
542
afl_state_deinit(afl_state_t * afl)543 void afl_state_deinit(afl_state_t *afl) {
544
545 if (afl->in_place_resume) { ck_free(afl->in_dir); }
546 if (afl->sync_id) { ck_free(afl->out_dir); }
547 if (afl->pass_stats) { ck_free(afl->pass_stats); }
548 if (afl->orig_cmp_map) { ck_free(afl->orig_cmp_map); }
549
550 afl_free(afl->queue_buf);
551 afl_free(afl->out_buf);
552 afl_free(afl->out_scratch_buf);
553 afl_free(afl->eff_buf);
554 afl_free(afl->in_buf);
555 afl_free(afl->in_scratch_buf);
556 afl_free(afl->ex_buf);
557
558 ck_free(afl->virgin_bits);
559 ck_free(afl->virgin_tmout);
560 ck_free(afl->virgin_crash);
561 ck_free(afl->var_bytes);
562 ck_free(afl->top_rated);
563 ck_free(afl->clean_trace);
564 ck_free(afl->clean_trace_custom);
565 ck_free(afl->first_trace);
566 ck_free(afl->map_tmp_buf);
567
568 list_remove(&afl_states, afl);
569
570 }
571
afl_states_stop(void)572 void afl_states_stop(void) {
573
574 /* We may be inside a signal handler.
575 Set flags first, send kill signals to child proceses later. */
576 LIST_FOREACH(&afl_states, afl_state_t, {
577
578 el->stop_soon = 1;
579
580 });
581
582 LIST_FOREACH(&afl_states, afl_state_t, {
583
584 if (el->fsrv.child_pid > 0) kill(el->fsrv.child_pid, el->fsrv.kill_signal);
585 if (el->fsrv.fsrv_pid > 0) kill(el->fsrv.fsrv_pid, el->fsrv.kill_signal);
586
587 });
588
589 }
590
afl_states_clear_screen(void)591 void afl_states_clear_screen(void) {
592
593 LIST_FOREACH(&afl_states, afl_state_t, { el->clear_screen = 1; });
594
595 }
596
afl_states_request_skip(void)597 void afl_states_request_skip(void) {
598
599 LIST_FOREACH(&afl_states, afl_state_t, { el->skip_requested = 1; });
600
601 }
602
603