
Merge pull request #2433 from kcwu/not-sync-known-case
skip known case if the file is actually coming from us
2 parents b8d1f16 + c699aa2 commit 45a7d65

3 files changed

+62
-15
lines changed


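--- a/include/config.h
+++ b/include/config.h
@@ -339,6 +339,10 @@
 
 #define AVG_SMOOTHING 16
 
+/* Max length of sync id (the id after -M and -S) */
+
+#define SYNC_ID_MAX_LEN 50
+
 /* Sync interval (every n havoc cycles): */
 
 #define SYNC_INTERVAL 8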

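--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2791,9 +2791,9 @@ void fix_up_sync(afl_state_t *afl) {
 
 }
 
-if (strlen(afl->sync_id) > 50) {
+if (strlen(afl->sync_id) > SYNC_ID_MAX_LEN) {
 
-FATAL("sync_id max length is 50 characters");
+FATAL("sync_id max length is %d characters", SYNC_ID_MAX_LEN);
 
 }
 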
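--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -699,6 +699,45 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 
 }
 
+bool is_known_case(afl_state_t *afl, u8 *name, void *mem, u32 len) {
+
+static char coming_from_me_str[16 + SYNC_ID_MAX_LEN];
+static int coming_from_me_len = 0;
+if (!coming_from_me_len) {
+
+snprintf(coming_from_me_str, sizeof(coming_from_me_str),
+",sync:%s,src:", afl->sync_id);
+coming_from_me_len = strlen(coming_from_me_str);
+
+}
+
+// 9 = strlen("id:000000"), 6 = strlen("000000")
+if (strlen(name) < 9 + coming_from_me_len + 6) return false;
+char *p = name + 9;
+while ('0' <= *p && *p <= '9')
+p++;
+
+if (strncmp(p, coming_from_me_str, coming_from_me_len) != 0) return false;
+
+int src_id = atoi(p + coming_from_me_len);
+if (src_id < 0 || src_id >= afl->queued_items) return false;
+
+struct queue_entry *q = afl->queue_buf[src_id];
+if (q->len != len) return false;
+
+if (q->testcase_buf) return memcmp(q->testcase_buf, mem, len) == 0;
+
+int fd = open((char *)q->fname, O_RDONLY);
+if (fd < 0) return false;
+u8 *buf = malloc(len);
+ck_read(fd, buf, len, q->fname);
+close(fd);
+bool result = (memcmp(buf, mem, len) == 0);
+free(buf);
+return result;
+
+}
+
 /* Grab interesting test cases from other fuzzers. */
 
 void sync_fuzzers(afl_state_t *afl) {
@@ -896,26 +935,30 @@ void sync_fuzzers(afl_state_t *afl) {
 
 if (mem == MAP_FAILED) { PFATAL("Unable to mmap '%s'", path); }
 
-/* See what happens. We rely on save_if_interesting() to catch major
-errors and save the test case. */
+if (!is_known_case(afl, namelist[o]->d_name, mem, st.st_size)) {
 
-u32 new_len = write_to_testcase(afl, (void **)&mem, st.st_size, 1);
+/* See what happens. We rely on save_if_interesting() to catch major
+errors and save the test case. */
 
-fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
+u32 new_len = write_to_testcase(afl, (void **)&mem, st.st_size, 1);
 
-if (afl->stop_soon) {
+fault = fuzz_run_target(afl, &afl->fsrv, afl->fsrv.exec_tmout);
 
-munmap(mem, st.st_size);
-close(fd);
+if (afl->stop_soon) {
 
-goto close_sync;
+munmap(mem, st.st_size);
+close(fd);
 
-}
+goto close_sync;
 
-afl->syncing_party = sd_ent->d_name;
-afl->queued_imported += save_if_interesting(afl, mem, new_len, fault);
-show_stats(afl);
-afl->syncing_party = 0;
+}
+
+afl->syncing_party = sd_ent->d_name;
+afl->queued_imported += save_if_interesting(afl, mem, new_len, fault);
+show_stats(afl);
+afl->syncing_party = 0;
+
+}
 
 munmap(mem, st.st_size);
 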
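Review bot: `u8 *buf = malloc(len);` in is_known_case is never checked before `ck_read(fd, buf, len, q->fname);` writes into it, so an allocation failure reaches the read with a null pointer instead of a deliberate failure path; using the project's checked wrappers, `u8 *buf = ck_alloc(len);` paired with `ck_free(buf);`, keeps the convention the surrounding code follows and makes the out-of-memory case explicit. The function is also given external linkage although none of the three files in this commit declares it in a header and its only visible caller is sync_fuzzers() below, so `static bool is_known_case(afl_state_t *afl, u8 *name, void *mem, u32 len) {` would keep it file-local. It has no header comment; I would add one above the definition saying that it returns true when a file in another fuzzer's queue is named with our own sync id and a src index, and that index refers to a queue entry whose length and bytes match mem, so the import can be skipped as our own output. `int src_id = atoi(p + coming_from_me_len);` parses a digit run taken from a file name in the shared sync directory and cannot report overflow; the following bounds check on src_id protects the queue_buf index, but `strtol` with an end pointer and an errno check would make the parse itself well-defined. In the second hunk the enclosing sync_fuzzers() body starts and ends outside the hunk, and the u32 narrowing of st.st_size in the is_known_case call presumably relies on a size cap applied earlier in that loop, which is not visible here.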
