feat: add AFL_QEMU_EXITPOINT for controlled exit via env var by rajanarahul93 · Pull Request #2435 · AFLplusplus/AFLplusplus · GitHub

Closed

Conversation

rajanarahul93

Feature: QEMU Mode - Exit Fuzzing at a Specific Address

This PR adds support for stopping fuzzing when execution reaches a specified address in QEMU mode, as proposed in issue #1932.

🔧 Implementation Details:

  • Introduced environment variable AFL_QEMU_EXITPOINT to set the exit address.
  • On reaching the specified address during fuzzing, AFL++ logs the hit and gracefully exits.
  • Added setup_afl_qemu_exitpoint() in patch_init().
  • Hooked address check added in patch_block_trans_cb().

This feature is useful for focusing fuzzing between entry point and a custom-defined region of interest in large binaries.

Closes: #1932

@vanhauser-thc
Member
vanhauser-thc commented May 18, 2025

Hi!
thanks for your PR, however several things:

  1. this PR patches the hooking bridge - something that is not default and therefore of limited value
  2. (not so important) we only accept PRs to dev - not to stable directly
  3. (not so important) please code format with make code-format

so IMHO accepting this PR is not helpful.

What you need to do (and I think this will be equally easy to implement) is to modify the code at https://github.com/aflplusplus/qemuafl instead - just look for the implementation of AFL_ENTRYPOINT and do something similar for AFL_EXITPOINT.

advanced implementation: support multiple exit point implementations (addresses, separated with a comma).
and a hint: _exit() is faster than exit()

@rajanarahul93
Author

Hi!
Thanks a lot for the feedback and suggestions. I see your point about the hooking bridge and understand why this PR isn’t the best fit. I’ll shift my focus to modifying qemuafl as you recommended and will follow the approach used for AFL_ENTRYPOINT to implement AFL_EXITPOINT. I’ll also make sure to use the dev branch and format the code properly next time. Appreciate the helpful tips—especially the one about _exit()!

@vanhauser-thc
Member

if you need any help just create an issue in the unicornafl repo

Successfully merging this pull request may close these issues.

QEMU Mode: Stop Fuzzing at a Specific Address