authorvan Hauser <vh@thc.org>2020-08-14 13:23:14 +0200
committerGitHub <noreply@github.com>2020-08-14 13:23:14 +0200
commita7537b5511ad767d2240cf2dc6d3e261daa676f9 (patch)
tree2cd8418efff844e634425e050ef716301adfd84b /include
parent15e799f7ae666418e75c6a79db833c5316b21f97 (diff)
parent83281503b3f1d4109c6f7a6af62a2133d55f1150 (diff)
Merge branch 'debug' into dev
Diffstat (limited to 'include')
-rw-r--r--include/afl-fuzz.h36
-rw-r--r--include/common.h1
-rw-r--r--include/envs.h1
-rw-r--r--include/forkserver.h2
4 files changed, 32 insertions, 8 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index ca7d10fe..ad7b0cd6 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -133,8 +133,10 @@ extern s32
struct queue_entry {
- u8 *fname; /* File name for the test case */
- u32 len; /* Input length */
+ u8 * fname; /* File name for the test case */
+ u8 * fname_taint; /* File name for taint data */
+ u32 len; /* Input length */
+ struct queue_entry *prev; /* previous queue entry, if any */
u8 cal_failed, /* Calibration failed? */
trim_done, /* Trimmed? */
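Review bot: The new `fname_taint` field is a second per-entry heap string, but nothing in the struct says who allocates it or that `destroy_queue` (declared later in this diff) must release it alongside `fname`; if it is not freed there, every queue entry leaks one allocation. The added `prev` pointer likewise carries no note on whether it stays consistent when entries are culled or removed. A comment such as `/* File name for taint data, owned by the entry (freed with fname) */` would pin the ownership down. Whether `fname_taint` may be NULL outside taint mode is inferred from the new `taint_mode` flag in this diff, not visible here.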
@@ -148,7 +150,10 @@ struct queue_entry {
is_ascii; /* Is the input just ascii text? */
u32 bitmap_size, /* Number of bits set in bitmap */
- fuzz_level; /* Number of fuzzing iterations */
+ fuzz_level, /* Number of fuzzing iterations */
+ taint_bytes_all, /* Number of tainted bytes */
+ taint_bytes_new, /* Number of new tainted bytes */
+ taint_bytes_highest; /* highest offset in input */
u64 exec_us, /* Execution time (us) */
handicap, /* Number of queue cycles behind */
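Review bot: `taint_bytes_highest` is commented as "highest offset in input" while its two new siblings are counts, so it is unclear whether it holds a 0-based index or a length, which is an off-by-one at the boundary for any consumer. Since it sits in the same `u32` list as `taint_bytes_all` and `taint_bytes_new`, a reader will assume a count. State the intent explicitly, e.g. `taint_bytes_highest; /* highest tainted byte offset (0-based, < len) */` or `/* length up to and including the last tainted byte */`, whichever the writer in the taint code uses; that writer is not visible in this hunk.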
@@ -380,6 +385,8 @@ typedef struct afl_state {
char **argv; /* argv if needed */
+ char **argv_taint; /* argv for taint mode */
+
/* MOpt:
Lots of globals, but mostly for the status UI and other things where it
really makes no sense to haul them around as function parameters. */
@@ -431,7 +438,9 @@ typedef struct afl_state {
*in_bitmap, /* Input bitmap */
*file_extension, /* File extension */
*orig_cmdline, /* Original command line */
- *infoexec; /* Command to execute on a new crash */
+ *infoexec, /* Command to execute on a new crash */
+ *taint_input_file, /* fuzz_input_one input file */
+ *taint_src, *taint_map;
u32 hang_tmout; /* Timeout used for hang det (ms) */
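Review bot: `*taint_src` and `*taint_map` are the only fields in this run of pointers without a trailing comment, and `taint_input_file`'s comment "fuzz_input_one input file" does not explain the field's role; the same gap applies to `taint_mode` in the next hunk and to `taint_len, taint_count` in the hunk after it. Every neighbouring field in `afl_state` documents itself, so these read as placeholders. Suggest one comment each, e.g. `*taint_src, /* TODO: what this points to */` replaced by the actual meaning; the names suggest file paths for a taint source and a taint map, but nothing in the header shows how they are used, so that should be confirmed against the implementation before being written down.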
@@ -442,7 +451,9 @@ typedef struct afl_state {
custom_only, /* Custom mutator only mode */
python_only, /* Python-only mode */
is_main_node, /* if this is the main node */
- is_secondary_node; /* if this is a secondary instance */
+ is_secondary_node, /* if this is a secondary instance */
+ taint_needs_splode, /* explode fuzz input */
+ taint_mode;
u32 stats_update_freq; /* Stats update frequency (execs) */
@@ -503,7 +514,8 @@ typedef struct afl_state {
useless_at_start, /* Number of useless starting paths */
var_byte_count, /* Bitmap bytes with var behavior */
current_entry, /* Current queue entry ID */
- havoc_div; /* Cycle count divisor for havoc */
+ havoc_div, /* Cycle count divisor for havoc */
+ taint_len, taint_count;
u64 total_crashes, /* Total number of crashes */
unique_crashes, /* Crashes with unique signatures */
@@ -590,6 +602,9 @@ typedef struct afl_state {
char * cmplog_binary;
afl_forkserver_t cmplog_fsrv; /* cmplog has its own little forkserver */
+ /* Taint mode */
+ afl_forkserver_t taint_fsrv; /* taint mode has its own little forkserver */
+
/* Custom mutators */
struct custom_mutator *mutator;
@@ -841,7 +856,8 @@ struct custom_mutator {
};
-void afl_state_init(afl_state_t *, uint32_t map_size);
+void afl_state_init_1(afl_state_t *, uint32_t map_size);
+void afl_state_init_2(afl_state_t *, uint32_t map_size);
void afl_state_deinit(afl_state_t *);
/* Set stop_soon flag on all childs, kill all childs */
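Review bot: Splitting `afl_state_init` into `afl_state_init_1` and `afl_state_init_2` leaves the header with two identical prototypes and no statement of what each phase sets up or that `_2` must follow `_1`; a caller cannot tell from this declaration whether `_2` alone is valid. It is also unstated whether `afl_state_deinit` is safe to call after only `_1` has run (partially initialised state). A two-line comment above the pair naming what each phase initialises and the required call order would close that; the phase contents are not visible in this diff, so the wording has to come from the implementation.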
@@ -887,7 +903,7 @@ void deinit_py(void *);
void mark_as_det_done(afl_state_t *, struct queue_entry *);
void mark_as_variable(afl_state_t *, struct queue_entry *);
void mark_as_redundant(afl_state_t *, struct queue_entry *, u8);
-void add_to_queue(afl_state_t *, u8 *, u32, u8);
+void add_to_queue(afl_state_t *, u8 *, u8 *, u32, struct queue_entry *, u8);
void destroy_queue(afl_state_t *);
void update_bitmap_score(afl_state_t *, struct queue_entry *);
void cull_queue(afl_state_t *);
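Review bot: `add_to_queue` now takes two consecutive unnamed `u8 *` parameters followed by an unnamed `struct queue_entry *`, so the prototype no longer tells a caller which string is the test-case name and which is the taint file, nor which entry the pointer refers to. Naming the parameters in the declaration fixes this, e.g. `void add_to_queue(afl_state_t *, u8 *fname, u8 *fname_taint, u32 len, struct queue_entry *prev, u8 passed_det);`. The names `fname_taint` and `prev` are presumed from the new `queue_entry` fields in this diff and should be checked against the definition.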
@@ -897,7 +913,9 @@ u32 calculate_score(afl_state_t *, struct queue_entry *);
void write_bitmap(afl_state_t *);
u32 count_bits(afl_state_t *, u8 *);
+u32 count_bits_len(afl_state_t *, u8 *, u32);
u32 count_bytes(afl_state_t *, u8 *);
+u32 count_bytes_len(afl_state_t *, u8 *, u32);
u32 count_non_255_bytes(afl_state_t *, u8 *);
#ifdef WORD_SIZE_64
void simplify_trace(afl_state_t *, u64 *);
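Review bot: `count_bits_len` and `count_bytes_len` add a bare trailing `u32` with no name or comment, so the unit (bytes of the map, or bits) and the rounding contract are unstated. If these walk the bitmap in 32-bit words the way the unsuffixed `count_bits`/`count_bytes` are commonly implemented, a length that is not a multiple of 4 reads past the end of the buffer. Name the parameter and state the rule, e.g. `u32 count_bits_len(afl_state_t *, u8 *, u32 len); /* len in bytes, multiple of 4 */`, once the implementation (not visible here) confirms it.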
@@ -975,6 +993,8 @@ void check_if_tty(afl_state_t *);
void setup_signal_handlers(void);
void save_cmdline(afl_state_t *, u32, char **);
void read_foreign_testcases(afl_state_t *, int);
+void perform_taint_run(afl_state_t *afl, struct queue_entry *q, u8 *fname,
+ u8 *mem, u32 len);
/* CmpLog */
diff --git a/include/common.h b/include/common.h
index 87a7425b..c7d57e07 100644
--- a/include/common.h
+++ b/include/common.h
@@ -55,6 +55,7 @@ extern u8 *doc_path; /* path to documentation dir */
@returns the path, allocating the string */
u8 *find_binary(u8 *fname);
+u8 *find_afl_binary(u8 *fname, u8 *own_loc);
/* Read a bitmap from file fname to memory
This is for the -B option again. */
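Review bot: `find_afl_binary` is inserted directly under the comment block that documents `find_binary` (ending with "@returns the path, allocating the string"), so it silently borrows a contract that may not apply: the prototype does not say what `own_loc` is, nor whether the returned string is allocated and must be freed by the caller. Give it its own comment above the declaration, e.g. `/* Locate an afl helper binary named fname; own_loc is presumably the caller's own executable path used as a search hint. @returns the path, allocating the string (confirm), or NULL */`. The allocation and search semantics are not visible in this hunk and should be checked before the comment is committed.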
diff --git a/include/envs.h b/include/envs.h
index 96ae91ba..bd97b9cd 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -123,6 +123,7 @@ static char *afl_environment_variables[] = {
"AFL_SKIP_BIN_CHECK",
"AFL_SKIP_CPUFREQ",
"AFL_SKIP_CRASHES",
+ "AFL_TAINT_INPUT",
"AFL_TMIN_EXACT",
"AFL_TMPDIR",
"AFL_TOKEN_FILE",
diff --git a/include/forkserver.h b/include/forkserver.h
index 0a7390ed..59a9f150 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -80,6 +80,8 @@ typedef struct afl_forkserver {
u8 qemu_mode; /* if running in qemu mode or not */
+ u8 taint_mode; /* if running taint analysis or not */
+
u32 *shmem_fuzz_len; /* length of the fuzzing test case */
u8 *shmem_fuzz; /* allocated memory for fuzzing */