From 454d861d2e25ce5b6445fc13e4600a9151a743a4 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Sat, 26 Sep 2020 13:08:41 +0200
Subject: [PATCH] clear seed cov from virgin map

---
 examples/libaflfuzzer.c | 10 ++++++----
 include/stage.h | 1 +
 src/stage.c | 25 +++++++++++++++++--------
 3 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/examples/libaflfuzzer.c b/examples/libaflfuzzer.c
index 5b1effa..0f69f11 100644
--- a/examples/libaflfuzzer.c
+++ b/examples/libaflfuzzer.c
@@ -118,19 +118,21 @@ static afl_ret_t in_memory_fuzzer_initialize(afl_executor_t *executor) {
 if (calibration_idx > 0) {
- fprintf(stderr, "\nCalibrations to check: %ld\n", calibration_idx);
+ if (debug) fprintf(stderr, "\nCalibrations to check: %ld\n", calibration_idx);
 while (calibration_idx > 0) {
 --calibration_idx;
- fprintf(stderr, "Seed %ld\n", calibration_idx);
+ if (debug) fprintf(stderr, "Seed %ld\n", calibration_idx);
 afl_entry_t *queue_entry = in_memory_fuzzer->global_queue->base.funcs.get_queue_entry(
 (afl_queue_t *)in_memory_fuzzer->global_queue, calibration_idx);
 if (queue_entry && !queue_entry->info->skip_entry) {
- fprintf(stderr, "Seed %ld testing ...\n", calibration_idx);
+ if (debug) fprintf(stderr, "Seed %ld testing ...\n", calibration_idx);
 queue_entry->info->skip_entry = 1;
 if (afl_stage_run(in_memory_fuzzer->stage, queue_entry->input, false) == AFL_RET_SUCCESS) {
+ // We want to clear from the virgin bits what is already in the seeds
+ afl_stage_is_interesting(in_memory_fuzzer->stage);
 queue_entry->info->skip_entry = 0;
 } else {
@@ -147,9 +149,9 @@ static afl_ret_t in_memory_fuzzer_initialize(afl_executor_t *executor) {
 if (calibration_idx == 0) {
- fprintf(stderr, "Calibration checks done.\n");
 if (debug) {
+ fprintf(stderr, "Calibration checks done.\n");
 u32 i;
 fprintf(stderr, "%u seeds:\n", (u32)((afl_queue_t *)in_memory_fuzzer->global_queue)->entries_count);
 for (i = 0; i < (u32)((afl_queue_t *)in_memory_fuzzer->global_queue)->entries_count; i++) {
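Review bot: The `afl_stage_is_interesting(in_memory_fuzzer->stage);` call added inside the `AFL_RET_SUCCESS` branch is made only for the state change it causes in the feedbacks, and its float result is dropped, which a name of the form `is_interesting` does not suggest to a reader. Make the intent explicit with `(void)afl_stage_is_interesting(in_memory_fuzzer->stage);` and widen the comment to `// Side effect only: let every feedback see this seed's coverage now so it is not reported as new during fuzzing.` The existing comment refers to "virgin bits", but nothing in this file shows which feedback owns that state, so the wording should stay at the feedback level unless the feedback type is pinned here. `in_memory_fuzzer_initialize` begins and ends outside the hunk.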
diff --git a/include/stage.h b/include/stage.h
index e6e6b4e..bd7d0ec 100644
--- a/include/stage.h
+++ b/include/stage.h
@@ -47,6 +47,7 @@ struct afl_stage {
 };
 afl_ret_t afl_stage_run(afl_stage_t *, afl_input_t *, bool);
+float afl_stage_is_interesting(afl_stage_t *);
 afl_ret_t afl_stage_perform(afl_stage_t *, afl_input_t *);
 size_t afl_stage_get_iters(afl_stage_t *);
 afl_ret_t afl_stage_init(afl_stage_t *, afl_engine_t *);
diff --git a/src/stage.c b/src/stage.c
index 5746ad1..95b8364 100644
--- a/src/stage.c
+++ b/src/stage.c
@@ -101,6 +101,22 @@ afl_ret_t afl_stage_run(afl_stage_t *stage, afl_input_t *input, bool overwrite)
 }
+float afl_stage_is_interesting(afl_stage_t *stage) {
+
+ float interestingness = 0.0f;
+
+ afl_feedback_t **feedbacks = stage->engine->feedbacks;
+ size_t j;
+ for (j = 0; j < stage->engine->feedbacks_count; ++j) {
+
+ interestingness += feedbacks[j]->funcs.is_interesting(feedbacks[j], stage->engine->executor);
+
+ }
+
+ return interestingness;
+
+}
+
 /* Perform default for fuzzing stage */
 afl_ret_t afl_stage_perform(afl_stage_t *stage, afl_input_t *input) {
@@ -145,14 +161,7 @@ afl_ret_t afl_stage_perform(afl_stage_t *stage, afl_input_t *input) {
 afl_ret_t ret = afl_stage_run(stage, copy, true);
 /* Let's collect some feedback on the input now */
- bool interestingness = 0.0f;
-
- afl_feedback_t **feedbacks = stage->engine->feedbacks;
- for (j = 0; j < stage->engine->feedbacks_count; ++j) {
-
- interestingness += feedbacks[j]->funcs.is_interesting(feedbacks[j], stage->engine->executor);
-
- }
+ float interestingness = afl_stage_is_interesting(stage);
 if (interestingness >= 0.5) {
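Review bot: `afl_stage_is_interesting` becomes public API through the bare prototype added in include/stage.h, yet the example in this patch calls it purely for the state change each feedback's `is_interesting` performs, so that contract needs to be written where callers see it. Put a comment above the declaration stating that it runs every registered feedback's `is_interesting` against `stage->engine->executor`'s current observations, returns the summed score, and — per the commit message — updates the feedback's own record of already-seen coverage as a side effect, so a second call after the same run presumably yields a different score. In the definition, `size_t j;` followed by `for (j = 0; ...)` can be collapsed to `for (size_t j = 0; j < stage->engine->feedbacks_count; ++j) {`, which the file's mid-block declarations (`afl_ret_t ret = ...` in the next hunk) already permit. The function also dereferences `stage->engine` and each `feedbacks[j]->funcs.is_interesting` unchecked; if the engine allows a feedback without that callback, a NULL guard belongs here rather than in every caller.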
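Review bot: With the inline loop replaced by `float interestingness = afl_stage_is_interesting(stage);`, the index `j` that the removed `for (j = 0; ...)` relied on is declared earlier in `afl_stage_perform`, outside this hunk; if that loop was its only remaining use, the declaration is now dead and `-Wunused-variable` will flag it, so remove it in the same change. The function begins and ends outside the hunk.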