1 /*
2    american fuzzy lop - vaguely configurable bits
3    ----------------------------------------------
4 
5    Written and maintained by Michal Zalewski <lcamtuf@google.com>
6 
7    Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
8 
9    Licensed under the Apache License, Version 2.0 (the "License");
10    you may not use this file except in compliance with the License.
11    You may obtain a copy of the License at:
12 
13      http://www.apache.org/licenses/LICENSE-2.0
14 
15  */
16 
17 #ifndef _HAVE_CONFIG_H
18 #define _HAVE_CONFIG_H
19 
20 #include "types.h"
21 
22 /* Version string: */
23 
24 #define VERSION             "2.52b"
25 
26 /******************************************************
27  *                                                    *
28  *  Settings that may be of interest to power users:  *
29  *                                                    *
30  ******************************************************/
31 
32 /* Comment out to disable terminal colors (note that this makes afl-analyze
33    a lot less nice): */
34 
35 #define USE_COLOR
36 
37 /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
38 
39 #define FANCY_BOXES
40 
41 /* Default timeout for fuzzed code (milliseconds). This is the upper bound,
42    also used for detecting hangs; the actual value is auto-scaled: */
43 
44 #define EXEC_TIMEOUT        1000
45 
46 /* Timeout rounding factor when auto-scaling (milliseconds): */
47 
48 #define EXEC_TM_ROUND       20
49 
50 /* Default memory limit for child process (MB): */
51 
52 #ifndef __x86_64__
53 #  define MEM_LIMIT         25
54 #else
55 #  define MEM_LIMIT         50
56 #endif /* ^!__x86_64__ */
57 
58 /* Default memory limit when running in QEMU mode (MB): */
59 
60 #define MEM_LIMIT_QEMU      200
61 
/* Number of calibration cycles for every new test case (and for test
   cases that show variable behavior): */
64 
65 #define CAL_CYCLES          8
66 #define CAL_CYCLES_LONG     40
67 
68 /* Number of subsequent timeouts before abandoning an input file: */
69 
70 #define TMOUT_LIMIT         250
71 
72 /* Maximum number of unique hangs or crashes to record: */
73 
74 #define KEEP_UNIQUE_HANG    500
75 #define KEEP_UNIQUE_CRASH   5000
76 
77 /* Baseline number of random tweaks during a single 'havoc' stage: */
78 
79 #define HAVOC_CYCLES        256
80 #define HAVOC_CYCLES_INIT   1024
81 
82 /* Maximum multiplier for the above (should be a power of two, beware
83    of 32-bit int overflows): */
84 
85 #define HAVOC_MAX_MULT      16
86 
87 /* Absolute minimum number of havoc cycles (after all adjustments): */
88 
89 #define HAVOC_MIN           16
90 
91 /* Maximum stacking for havoc-stage tweaks. The actual value is calculated
92    like this:
93 
94    n = random between 1 and HAVOC_STACK_POW2
95    stacking = 2^n
96 
   In other words, the default (HAVOC_STACK_POW2 = 7) produces 2, 4, 8, 16,
   32, 64, or 128 stacked tweaks: */
99 
100 #define HAVOC_STACK_POW2    7
101 
102 /* Caps on block sizes for cloning and deletion operations. Each of these
103    ranges has a 33% probability of getting picked, except for the first
104    two cycles where smaller blocks are favored: */
105 
106 #define HAVOC_BLK_SMALL     32
107 #define HAVOC_BLK_MEDIUM    128
108 #define HAVOC_BLK_LARGE     1500
109 
110 /* Extra-large blocks, selected very rarely (<5% of the time): */
111 
112 #define HAVOC_BLK_XL        32768
113 
114 /* Probabilities of skipping non-favored entries in the queue, expressed as
115    percentages: */
116 
117 #define SKIP_TO_NEW_PROB    99 /* ...when there are new, pending favorites */
118 #define SKIP_NFAV_OLD_PROB  95 /* ...no new favs, cur entry already fuzzed */
119 #define SKIP_NFAV_NEW_PROB  75 /* ...no new favs, cur entry not fuzzed yet */
120 
121 /* Splicing cycle count: */
122 
123 #define SPLICE_CYCLES       15
124 
125 /* Nominal per-splice havoc cycle length: */
126 
127 #define SPLICE_HAVOC        32
128 
129 /* Maximum offset for integer addition / subtraction stages: */
130 
131 #define ARITH_MAX           35
132 
133 /* Limits for the test case trimmer. The absolute minimum chunk size; and
134    the starting and ending divisors for chopping up the input file: */
135 
136 #define TRIM_MIN_BYTES      4
137 #define TRIM_START_STEPS    16
138 #define TRIM_END_STEPS      1024
139 
140 /* Maximum size of input file, in bytes (keep under 100MB): */
141 
142 #define MAX_FILE            (1 * 1024 * 1024)
143 
144 /* The same, for the test case minimizer: */
145 
146 #define TMIN_MAX_FILE       (10 * 1024 * 1024)
147 
148 /* Block normalization steps for afl-tmin: */
149 
150 #define TMIN_SET_MIN_SIZE   4
151 #define TMIN_SET_STEPS      128
152 
153 /* Maximum dictionary token size (-x), in bytes: */
154 
155 #define MAX_DICT_FILE       128
156 
157 /* Length limits for auto-detected dictionary tokens: */
158 
159 #define MIN_AUTO_EXTRA      3
160 #define MAX_AUTO_EXTRA      32
161 
162 /* Maximum number of user-specified dictionary tokens to use in deterministic
163    steps; past this point, the "extras/user" step will be still carried out,
164    but with proportionally lower odds: */
165 
166 #define MAX_DET_EXTRAS      200
167 
168 /* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
169    (first value), and to keep in memory as candidates. The latter should be much
170    higher than the former. */
171 
172 #define USE_AUTO_EXTRAS     50
173 #define MAX_AUTO_EXTRAS     (USE_AUTO_EXTRAS * 10)
174 
175 /* Scaling factor for the effector map used to skip some of the more
176    expensive deterministic steps. The actual divisor is set to
177    2^EFF_MAP_SCALE2 bytes: */
178 
179 #define EFF_MAP_SCALE2      3
180 
181 /* Minimum input file length at which the effector logic kicks in: */
182 
183 #define EFF_MIN_LEN         128
184 
185 /* Maximum effector density past which everything is just fuzzed
186    unconditionally (%): */
187 
188 #define EFF_MAX_PERC        90
189 
190 /* UI refresh frequency (Hz): */
191 
192 #define UI_TARGET_HZ        5
193 
194 /* Fuzzer stats file and plot update intervals (sec): */
195 
196 #define STATS_UPDATE_SEC    60
197 #define PLOT_UPDATE_SEC     5
198 
199 /* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
200 
201 #define AVG_SMOOTHING       16
202 
203 /* Sync interval (every n havoc cycles): */
204 
205 #define SYNC_INTERVAL       5
206 
207 /* Output directory reuse grace period (minutes): */
208 
209 #define OUTPUT_GRACE        25
210 
211 /* Uncomment to use simple file names (id_NNNNNN): */
212 
213 // #define SIMPLE_FILES
214 
215 /* List of interesting values to use in fuzzing. */
216 
217 #define INTERESTING_8 \
218   -128,          /* Overflow signed 8-bit when decremented  */ \
219   -1,            /*                                         */ \
220    0,            /*                                         */ \
221    1,            /*                                         */ \
222    16,           /* One-off with common buffer size         */ \
223    32,           /* One-off with common buffer size         */ \
224    64,           /* One-off with common buffer size         */ \
225    100,          /* One-off with common buffer size         */ \
226    127           /* Overflow signed 8-bit when incremented  */
227 
228 #define INTERESTING_16 \
229   -32768,        /* Overflow signed 16-bit when decremented */ \
230   -129,          /* Overflow signed 8-bit                   */ \
231    128,          /* Overflow signed 8-bit                   */ \
232    255,          /* Overflow unsig 8-bit when incremented   */ \
233    256,          /* Overflow unsig 8-bit                    */ \
234    512,          /* One-off with common buffer size         */ \
235    1000,         /* One-off with common buffer size         */ \
236    1024,         /* One-off with common buffer size         */ \
237    4096,         /* One-off with common buffer size         */ \
238    32767         /* Overflow signed 16-bit when incremented */
239 
240 #define INTERESTING_32 \
241   -2147483648LL, /* Overflow signed 32-bit when decremented */ \
242   -100663046,    /* Large negative number (endian-agnostic) */ \
243   -32769,        /* Overflow signed 16-bit                  */ \
244    32768,        /* Overflow signed 16-bit                  */ \
245    65535,        /* Overflow unsig 16-bit when incremented  */ \
246    65536,        /* Overflow unsig 16 bit                   */ \
247    100663045,    /* Large positive number (endian-agnostic) */ \
248    2147483647    /* Overflow signed 32-bit when incremented */
249 
250 /***********************************************************
251  *                                                         *
252  *  Really exotic stuff you probably don't want to touch:  *
253  *                                                         *
254  ***********************************************************/
255 
/* Call count interval between reseeding the libc PRNG from /dev/urandom.
   The libc generator is not cryptographically strong; it only has to
   diversify fuzzing choices and must never be relied on as a source of
   secrets: */
257 
258 #define RESEED_RNG          10000
259 
260 /* Maximum line length passed from GCC to 'as' and used for parsing
261    configuration files: */
262 
263 #define MAX_LINE            8192
264 
/* Environment variable used to pass the SHM ID to the called program. Note
   that the ID is visible to anything able to read the target's environment;
   access to the segment itself is governed by the permissions set when the
   shared memory is created (not in this file). */
266 
267 #define SHM_ENV_VAR         "__AFL_SHM_ID"
268 
269 /* Other less interesting, internal-only variables. */
270 
271 #define CLANG_ENV_VAR       "__AFL_CLANG_MODE"
272 #define AS_LOOP_ENV_VAR     "__AFL_AS_LOOPCHECK"
273 #define PERSIST_ENV_VAR     "__AFL_PERSISTENT"
274 #define DEFER_ENV_VAR       "__AFL_DEFER_FORKSRV"
275 
276 /* In-code signatures for deferred and persistent mode. */
277 
278 #define PERSIST_SIG         "##SIG_AFL_PERSISTENT##"
279 #define DEFER_SIG           "##SIG_AFL_DEFER_FORKSRV##"
280 
281 /* Distinctive bitmap signature used to indicate failed execution: */
282 
283 #define EXEC_FAIL_SIG       0xfee1dead
284 
285 /* Distinctive exit code used to indicate MSAN trip condition: */
286 
287 #define MSAN_ERROR          86
288 
/* Designated file descriptors for forkserver commands (the application will
   use FORKSRV_FD and FORKSRV_FD + 1). These numbers must stay free in the
   target: a program that closes every descriptor above stderr, or dup2()s
   onto this range, is expected to break the fork server handshake: */
291 
292 #define FORKSRV_FD          198
293 
294 /* Fork server init timeout multiplier: we'll wait the user-selected
295    timeout plus this much for the fork server to spin up. */
296 
297 #define FORK_WAIT_MULT      10
298 
299 /* Calibration timeout adjustments, to be a bit more generous when resuming
300    fuzzing sessions or trying to calibrate already-added internal finds.
301    The first value is a percentage, the other is in milliseconds: */
302 
303 #define CAL_TMOUT_PERC      125
304 #define CAL_TMOUT_ADD       50
305 
306 /* Number of chances to calibrate a case before giving up: */
307 
308 #define CAL_CHANCES         3
309 
/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
   2; you probably want to keep it under 18 or so for performance reasons
   (adjusting AFL_INST_RATIO when compiling is probably a better way to solve
   problems with complex programs). You need to recompile the target binary
   after changing this - the instrumentation and the fuzzer must agree on the
   map size, otherwise trace writes go out of bounds and SEGVs (or silent
   memory corruption) may ensue. */
315 
316 #define MAP_SIZE_POW2       16
317 #define MAP_SIZE            (1 << MAP_SIZE_POW2)
318 
/* Maximum allocator request size (keep well under INT_MAX, so that size
   arithmetic performed in signed 32-bit ints cannot overflow): */
320 
321 #define MAX_ALLOC           0x40000000
322 
/* A made-up hashing seed. It is a fixed constant, so hashes are reproducible
   across runs but offer no resistance to crafted collisions; treat the hash
   as a bucketing aid, not a security primitive: */
324 
325 #define HASH_CONST          0xa5b35705
326 
327 /* Constants for afl-gotcpu to control busy loop timing: */
328 
329 #define  CTEST_TARGET_MS    5000
330 #define  CTEST_CORE_TRG_MS  1000
331 #define  CTEST_BUSY_CYCLES  (10 * 1000 * 1000)
332 
333 /* Uncomment this to use inferior block-coverage-based instrumentation. Note
334    that you need to recompile the target binary for this to have any effect: */
335 
336 // #define COVERAGE_ONLY
337 
338 /* Uncomment this to ignore hit counts and output just one bit per tuple.
339    As with the previous setting, you will need to recompile the target
340    binary: */
341 
342 // #define SKIP_COUNTS
343 
344 /* Uncomment this to use instrumentation data to record newly discovered paths,
345    but do not use them as seeds for fuzzing. This is useful for conveniently
346    measuring coverage that could be attained by a "dumb" fuzzing algorithm: */
347 
348 // #define IGNORE_FINDS
349 
350 #endif /* ! _HAVE_CONFIG_H */
351