Showing preview only (2,094K chars total). Download the full file or copy to clipboard to get everything.
Repository: grimm-co/killerbeez
Branch: trunk
Commit: 2f327b0c86a6
Files: 406
Total size: 1.9 MB
Directory structure:
gitextract_drfsjm0i/
├── .gitattributes
├── .gitignore
├── .gitlab-ci.yml
├── .gitmodules
├── APLv2
├── CMakeLists.txt
├── LICENSE
├── Makefile
├── README.md
├── afl_progs/
│ ├── Makefile
│ ├── afl-as.c
│ ├── afl-as.h
│ ├── afl-gcc.c
│ ├── afl-showmap.c
│ ├── alloc-inl.h
│ ├── config.h
│ ├── debug.h
│ ├── hash.h
│ ├── llvm_mode/
│ │ ├── Makefile
│ │ ├── README.llvm
│ │ ├── afl-clang-fast.c
│ │ ├── afl-llvm-pass.so.cc
│ │ └── afl-llvm-rt.o.c
│ ├── qemu_mode/
│ │ ├── README.qemu
│ │ ├── build_qemu_support.sh
│ │ └── patches/
│ │ ├── afl-qemu-cpu-inl.h
│ │ ├── afl-qemu-translate-inl.h
│ │ ├── afl_qemu_optimize_entrypoint.diff
│ │ ├── configure.diff
│ │ ├── cpu-exec.diff
│ │ ├── elfload.diff
│ │ ├── memfd.diff
│ │ ├── syscall.diff
│ │ └── translate-all.diff
│ ├── test-instr.c
│ └── types.h
├── corpus/
│ ├── CMakeLists.txt
│ ├── afl_test/
│ │ ├── Makefile
│ │ └── test.c
│ ├── cgc/
│ │ ├── REMATCH_2--Mail_Server--Crackaddr/
│ │ │ ├── README.md
│ │ │ ├── inputs/
│ │ │ │ ├── ADDRESSBOOK.txt
│ │ │ │ ├── LIST.txt
│ │ │ │ ├── LISTALL.txt
│ │ │ │ ├── POST.txt
│ │ │ │ ├── READ.txt
│ │ │ │ └── crash.txt
│ │ │ ├── lib/
│ │ │ │ ├── cgc_ctype.h
│ │ │ │ ├── cgc_libc.h
│ │ │ │ ├── cgc_malloc.h
│ │ │ │ ├── cgc_math.h
│ │ │ │ ├── cgc_prng.h
│ │ │ │ ├── cgc_shell.h
│ │ │ │ ├── cgc_stdarg.h
│ │ │ │ ├── cgc_stdint.h
│ │ │ │ ├── cgc_stdio.h
│ │ │ │ ├── cgc_stdlib.h
│ │ │ │ ├── cgc_string.h
│ │ │ │ ├── ctype.c
│ │ │ │ ├── libc.c
│ │ │ │ ├── malloc.c
│ │ │ │ ├── math.c
│ │ │ │ ├── prng.c
│ │ │ │ ├── shell.c
│ │ │ │ ├── stdio.c
│ │ │ │ ├── stdlib.c
│ │ │ │ └── string.c
│ │ │ ├── notes.txt
│ │ │ └── src/
│ │ │ ├── cgc_crackaddr.h
│ │ │ ├── cgc_sendmail.h
│ │ │ ├── crackaddr.c
│ │ │ └── sendmail.c
│ │ ├── SOLFEDGE/
│ │ │ ├── README.md
│ │ │ ├── inputs/
│ │ │ │ ├── crash.txt
│ │ │ │ ├── crash2.txt
│ │ │ │ └── input.txt
│ │ │ ├── lib/
│ │ │ │ ├── cgc_libc.h
│ │ │ │ └── libc.c
│ │ │ ├── notes.txt
│ │ │ └── src/
│ │ │ ├── cgc_operation.h
│ │ │ ├── cgc_service.h
│ │ │ ├── operation.c
│ │ │ └── service.c
│ │ ├── String_Storage_and_Retrieval/
│ │ │ ├── README.md
│ │ │ ├── inputs/
│ │ │ │ ├── crash.txt
│ │ │ │ └── input.txt
│ │ │ ├── lib/
│ │ │ │ ├── cgc_mymath.h
│ │ │ │ ├── cgc_stdarg.h
│ │ │ │ ├── cgc_stdint.h
│ │ │ │ ├── cgc_stdlib.h
│ │ │ │ ├── malloc.c
│ │ │ │ ├── mymath.c
│ │ │ │ ├── new_printf.c
│ │ │ │ └── stdlib.c
│ │ │ ├── notes.txt
│ │ │ └── src/
│ │ │ ├── bst.c
│ │ │ ├── delete_matches.c
│ │ │ ├── find_matches.c
│ │ │ ├── parse.c
│ │ │ ├── service.c
│ │ │ └── string_token.c
│ │ ├── UTF-late/
│ │ │ ├── README.md
│ │ │ ├── inputs/
│ │ │ │ ├── crash.txt
│ │ │ │ └── input.txt
│ │ │ ├── lib/
│ │ │ │ ├── cgc_libc.h
│ │ │ │ ├── cgc_list.h
│ │ │ │ ├── cgc_utf8.h
│ │ │ │ ├── cgc_vfs.h
│ │ │ │ ├── libc.c
│ │ │ │ ├── malloc.c
│ │ │ │ ├── utf8.c
│ │ │ │ └── vfs.c
│ │ │ ├── notes.txt
│ │ │ └── src/
│ │ │ └── service.c
│ │ └── cotton_swab_arithmetic/
│ │ ├── README.md
│ │ ├── inputs/
│ │ │ ├── crash.txt
│ │ │ ├── crash2.txt
│ │ │ └── input.txt
│ │ ├── lib/
│ │ │ ├── cgc_libc.h
│ │ │ └── libc.c
│ │ ├── notes.txt
│ │ └── src/
│ │ ├── cgc_service.h
│ │ └── service.c
│ ├── google/
│ │ ├── README.md
│ │ └── vorbis/
│ │ ├── build.sh
│ │ ├── decode_fuzzer.cc
│ │ ├── decode_fuzzer.exe.stackdump
│ │ ├── inputs/
│ │ │ ├── crash-23c2d78e497bf4aebe5859e3092657cb0af4c299
│ │ │ ├── crash-8c5dea6410b0fb0b21ff968a9966a0bd7956405f
│ │ │ ├── crash-e86e0482b8d66f924e50e62f5d7cc36a0acb03a7
│ │ │ └── sound.ogg
│ │ └── notes.txt
│ ├── hang/
│ │ ├── CMakeLists.txt
│ │ └── hang.c
│ ├── libtest/
│ │ ├── CMakeLists.txt
│ │ ├── lib1.c
│ │ ├── lib2.c
│ │ ├── libs.h
│ │ └── test.c
│ ├── network/
│ │ ├── CMakeLists.txt
│ │ ├── client/
│ │ │ ├── client.cpp
│ │ │ ├── client.vcxproj
│ │ │ └── client.vcxproj.filters
│ │ ├── close.txt
│ │ ├── multipart.txt
│ │ ├── network.sln
│ │ └── server/
│ │ ├── server.cpp
│ │ ├── server.vcxproj
│ │ └── server.vcxproj.filters
│ ├── persist/
│ │ ├── CMakeLists.txt
│ │ └── test.c
│ └── test/
│ ├── CMakeLists.txt
│ ├── inputs/
│ │ ├── close.txt
│ │ ├── crash.txt
│ │ ├── input.txt
│ │ ├── multipart.txt
│ │ └── telnet_multipart.txt
│ ├── notes.txt
│ └── test.c
├── docs/
│ ├── AFL.md
│ ├── BUILD.md
│ ├── CI.md
│ ├── DynamoRIO.md
│ ├── IPT.md
│ ├── Server.md
│ ├── api/
│ │ ├── Makefile
│ │ ├── README.txt
│ │ ├── api.tex
│ │ ├── api_driver.tex
│ │ ├── api_instrumentation.tex
│ │ ├── api_mutator.tex
│ │ ├── api_structures.tex
│ │ ├── coverpage.tex
│ │ ├── defines.tex
│ │ ├── files/
│ │ │ ├── driver_t.c
│ │ │ ├── instrumentation_edge_t.c
│ │ │ ├── instrumentation_t.c
│ │ │ └── mutator_t.c
│ │ ├── helpers.tex
│ │ └── packages.tex
│ └── paper/
│ ├── Makefile
│ ├── abstract.tex
│ ├── acknowledgments.tex
│ ├── background.tex
│ ├── conclusion.tex
│ ├── data/
│ │ ├── Makefile
│ │ └── picker.gnuplot
│ ├── future_work.tex
│ ├── implementation.tex
│ ├── introduction.tex
│ ├── killerbeez.tex
│ ├── overview.tex
│ ├── packages.tex
│ ├── references.tex
│ └── related_work.tex
├── driver/
│ ├── CMakeLists.txt
│ ├── driver.c
│ ├── driver.h
│ ├── driver_factory.c
│ ├── driver_factory.h
│ ├── file_driver.c
│ ├── file_driver.h
│ ├── network_client_driver.c
│ ├── network_client_driver.h
│ ├── network_server_driver.c
│ ├── network_server_driver.h
│ ├── stdin_driver.c
│ ├── stdin_driver.h
│ ├── wmp_driver.cpp
│ └── wmp_driver.h
├── fuzzer/
│ ├── CMakeLists.txt
│ └── main.c
├── instrumentation/
│ ├── CMakeLists.txt
│ ├── afl_instrumentation.c
│ ├── afl_instrumentation.h
│ ├── debug_instrumentation.c
│ ├── debug_instrumentation.h
│ ├── dynamorio_instrumentation.c
│ ├── dynamorio_instrumentation.h
│ ├── forkserver.c
│ ├── forkserver.h
│ ├── forkserver_config.h
│ ├── forkserver_hooking.c
│ ├── forkserver_internal.h
│ ├── instrumentation.c
│ ├── instrumentation.h
│ ├── instrumentation_factory.c
│ ├── instrumentation_factory.h
│ ├── linux_ipt_instrumentation.c
│ ├── linux_ipt_instrumentation.h
│ ├── return_code_instrumentation.c
│ ├── return_code_instrumentation.h
│ ├── uthash.h
│ ├── winafl_alloc_inl.h
│ ├── winafl_config.h
│ ├── winafl_debug.h
│ ├── winafl_hash.h
│ ├── winafl_types.h
│ ├── wingui.c
│ ├── wingui.h
│ ├── xxhash.c
│ └── xxhash.h
├── jansson/
│ ├── CMakeLists.txt
│ ├── dump.c
│ ├── error.c
│ ├── hashtable.c
│ ├── hashtable.h
│ ├── hashtable_seed.c
│ ├── jansson.h
│ ├── jansson_config.h
│ ├── jansson_helper.c
│ ├── jansson_helper.h
│ ├── jansson_private.h
│ ├── jansson_private_config.h
│ ├── load.c
│ ├── lookup3.h
│ ├── memory.c
│ ├── pack_unpack.c
│ ├── strbuffer.c
│ ├── strbuffer.h
│ ├── strconv.c
│ ├── utf.c
│ ├── utf.h
│ └── value.c
├── merger/
│ ├── CMakeLists.txt
│ └── merger.c
├── mutators/
│ ├── APLv2
│ ├── CMakeLists.txt
│ ├── LICENSE
│ ├── afl_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── afl_mutator.c
│ │ └── afl_mutator.h
│ ├── arithmetic_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── arithmetic_mutator.c
│ │ └── arithmetic_mutator.h
│ ├── bit_flip_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── bit_flip_mutator.c
│ │ └── bit_flip_mutator.h
│ ├── dictionary_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── dictionary_mutator.c
│ │ └── dictionary_mutator.h
│ ├── havoc_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── havoc_mutator.c
│ │ └── havoc_mutator.h
│ ├── honggfuzz_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── honggfuzz_mutator.c
│ │ └── honggfuzz_mutator.h
│ ├── interesting_value_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── interesting_value_mutator.c
│ │ └── interesting_value_mutator.h
│ ├── multipart_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── multipart_mutator.c
│ │ └── multipart_mutator.h
│ ├── mutator_tester/
│ │ ├── CMakeLists.txt
│ │ ├── mutator_tester.c
│ │ └── mutator_tester.h
│ ├── mutators/
│ │ ├── CMakeLists.txt
│ │ ├── afl_config.h
│ │ ├── afl_debug.h
│ │ ├── afl_helpers.c
│ │ ├── afl_helpers.h
│ │ ├── afl_types.h
│ │ ├── mutators.c
│ │ └── mutators.h
│ ├── ni_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── ni_mutator.c
│ │ └── ni_mutator.h
│ ├── nop_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── nop_mutator.c
│ │ └── nop_mutator.h
│ ├── radamsa_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── radamsa_mutator.c
│ │ └── radamsa_mutator.h
│ ├── splice_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── splice_mutator.c
│ │ └── splice_mutator.h
│ └── zzuf_mutator/
│ ├── CMakeLists.txt
│ ├── zzuf_mutator.c
│ └── zzuf_mutator.h
├── picker/
│ ├── CMakeLists.txt
│ └── main.c
├── python/
│ └── manager/
│ ├── app/
│ │ ├── __init__.py
│ │ ├── config.py
│ │ └── encoder.py
│ ├── controller/
│ │ ├── Config.py
│ │ ├── File.py
│ │ ├── Hello.py
│ │ ├── Job.py
│ │ ├── Log.py
│ │ ├── Minimize.py
│ │ ├── Results.py
│ │ ├── Status.py
│ │ ├── Target.py
│ │ ├── Update.py
│ │ └── __init__.py
│ ├── lib/
│ │ ├── __init__.py
│ │ ├── boinc.py
│ │ ├── errors.py
│ │ └── fuzzer.py
│ ├── model/
│ │ ├── Config.py
│ │ ├── FuzzingJob.py
│ │ ├── FuzzingResults.py
│ │ ├── FuzzingTarget.py
│ │ ├── __init__.py
│ │ ├── instrumentation_state.py
│ │ ├── job_inputs.py
│ │ └── tracer_info.py
│ ├── requirements.txt
│ ├── server.py
│ └── tests/
│ ├── job_query_test.py
│ ├── minimizer_test.py
│ └── seeds.py
├── server/
│ ├── add_target.py
│ ├── boinc_submit.py
│ ├── killerbeez_assimilator.py
│ └── skel/
│ ├── templates/
│ │ ├── windows_x86_64_in
│ │ ├── windows_x86_64_out
│ │ ├── x86_64-pc-linux-gnu_in
│ │ └── x86_64-pc-linux-gnu_out
│ ├── windows_x86_64/
│ │ ├── flatten_results.ps1
│ │ ├── job.xml
│ │ ├── unpack_killerbeez.ps1
│ │ └── version.xml
│ └── x86_64-pc-linux-gnu/
│ ├── flatten_results.sh
│ ├── job.xml
│ ├── unpack_killerbeez.sh
│ └── version.xml
├── tests/
│ ├── build.bat
│ ├── smoke_test.sh
│ └── test-fuzzer.sh
├── tools/
│ ├── README.md
│ ├── release_excludes.txt
│ ├── release_vs2017.bat
│ ├── release_vs2019.bat
│ └── setup_build_env.ps1
├── tracer/
│ ├── CMakeLists.txt
│ └── main.c
├── utils/
│ ├── XGetopt.c
│ ├── XGetopt.h
│ ├── global_types.h
│ ├── mutator_factory.c
│ ├── mutator_factory.h
│ ├── utils.c
│ └── utils.h
├── vagrant/
│ ├── README.md
│ ├── ci_runner/
│ │ ├── Dockerfile
│ │ ├── Vagrantfile
│ │ ├── register_docker_runner.sh
│ │ ├── runner.ps1
│ │ ├── runner.sh
│ │ └── runner_vars.example
│ ├── debian/
│ │ ├── buster/
│ │ │ └── Vagrantfile
│ │ ├── jessie/
│ │ │ └── Vagrantfile
│ │ └── stretch/
│ │ └── Vagrantfile
│ ├── dependencies.sh
│ ├── fedora/
│ │ ├── 29/
│ │ │ └── Vagrantfile
│ │ └── 30/
│ │ └── Vagrantfile
│ ├── setup.sh
│ └── ubuntu/
│ ├── bionic/
│ │ └── Vagrantfile
│ ├── disco/
│ │ └── Vagrantfile
│ ├── trusty/
│ │ └── Vagrantfile
│ └── xenial/
│ └── Vagrantfile
└── winafl/
├── CMakeLists.txt
├── modules.c
├── modules.h
├── utils.h
└── winafl.c
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto
###############################################################################
# Set default behavior for command prompt diff.
#
# This is need for earlier builds of msysgit that does not have it on by
# default for csharp files.
# Note: This is only used by command line
###############################################################################
#*.cs diff=csharp
###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary
###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary
###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Test program builds
corpus/persist/deferred
corpus/persist/deferred_nohook
corpus/persist/nopersist
corpus/persist/persist
corpus/persist/persist_hang
corpus/libtest/libtest1.so
corpus/libtest/libtest2.so
corpus/libtest/test
corpus/libtest/pie
corpus/afl_test/test
corpus/afl_test/test32
corpus/afl_test/test-qemu
corpus/afl_test/test-fast
corpus/afl_test/test-fast-deferred
corpus/afl_test/test-fast-persist
corpus/afl_test/test-fast-persist-deferred
corpus/afl_test/test-fast-persist-hang
# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# DNX
project.lock.json
project.fragment.lock.json
artifacts/
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to checkin your web deploy settings
# but database connection strings (with potential passwords) will be unencrypted
#*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produces more ignoreable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
*.mdf
*.ldf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# JetBrains Rider
.idea/
*.sln.iml
# CodeRush
.cr/
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# VIM files
*.swp
*.swo
# LaTeX files
*.toc
*.aux
*.pdf
*.out
# sqlite database files
*.db
# CMake directory
build/
# AFL program files
afl_progs/afl-as
afl_progs/afl-clang
afl_progs/afl-clang++
afl_progs/afl-g++
afl_progs/afl-gcc
afl_progs/afl-qemu-trace
afl_progs/afl-showmap
afl_progs/as
afl_progs/qemu_mode/qemu-2.10.0.tar.xz
afl_progs/qemu_mode/qemu-2.10.0/
afl_progs/afl-clang-fast
afl_progs/afl-clang-fast++
afl_progs/afl-llvm-pass.so
afl_progs/afl-llvm-rt-64.o
afl_progs/afl-llvm-rt-32.o
afl_progs/afl-llvm-rt.o
================================================
FILE: .gitlab-ci.yml
================================================
stages:
- test
- release
build-windows-vs2017:
script:
- call tools\release_vs2017.bat
variables:
GIT_STRATEGY: clone
GIT_SUBMODULE_STRATEGY: recursive
tags:
- windows
- vs2017
only:
- web
artifacts:
paths:
- release\killerbeez-*.zip
expire_in: 1 week
stage: release
build-windows-vs2019:
script:
- call tools\release_vs2019.bat
variables:
GIT_STRATEGY: clone
GIT_SUBMODULE_STRATEGY: recursive
tags:
- windows
- vs2019
only:
- web
artifacts:
paths:
- release\killerbeez-*.zip
expire_in: 1 week
stage: release
release-linux:
script:
- mkdir build
- cd build
- cmake ..
- make release
image: killerbeez-builder:latest
variables:
GIT_STRATEGY: clone
GIT_SUBMODULE_STRATEGY: recursive
tags:
- ubuntu-16.04
only:
- web
artifacts:
paths:
- build/killerbeez-*.zip
expire_in: 1 week
stage: release
# Smoke tests on all platforms
.smoketest-linux: &smoketest-linux
script:
- cd ..
- killerbeez/tests/smoke_test.sh
variables:
GIT_STRATEGY: clone
GIT_SUBMODULE_STRATEGY: recursive
only:
- web
stage: test
# The build is broken on most of the platforms
allow_failure: true
smoketest-ubuntu-14.04:
<<: *smoketest-linux
tags:
- ubuntu-14.04
smoketest-ubuntu-16.04:
<<: *smoketest-linux
tags:
- ubuntu-16.04
# This platform is supposed to be working
allow_failure: false
smoketest-ubuntu-18.04:
<<: *smoketest-linux
tags:
- ubuntu-18.04
smoketest-ubuntu-19.04:
<<: *smoketest-linux
tags:
- ubuntu-19.04
smoketest-fedora-29:
<<: *smoketest-linux
tags:
- fedora-29
smoketest-fedora-30:
<<: *smoketest-linux
tags:
- fedora-30
smoketest-debian-8:
<<: *smoketest-linux
tags:
- debian-8
smoketest-debian-9:
<<: *smoketest-linux
tags:
- debian-9
smoketest-debian-10:
<<: *smoketest-linux
tags:
- debian-10
================================================
FILE: .gitmodules
================================================
[submodule "server/boinc"]
path = server/boinc
url = https://github.com/BOINC/boinc.git
================================================
FILE: APLv2
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: CMakeLists.txt
================================================
cmake_minimum_required (VERSION 2.8.8)
project (killerbeez)
include(ExternalProject)
set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -D_DEBUG") # for _DEBUG ifdefs in utils.h
set(CMAKE_POSITION_INDEPENDENT_CODE ON)
if (UNIX)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wfatal-errors") # quit after first error
endif (UNIX)
if (APPLE)
set(CMAKE_MACOSX_RPATH 1) # https://github.com/liballeg/allegro5/issues/532#issuecomment-170338164
endif (APPLE)
if(NOT CMAKE_BUILD_TYPE)
set(CMAKE_BUILD_TYPE Debug) # for gcc -g
message("WARNING: Building with debug options; performance will be impacted. Try cmake -DCMAKE_BUILD_TYPE=Release ..")
endif()
if (WIN32)
# windows/visual studio build convention eg build/X86/Debug
SET ( BUILD_DIRECTORY ${CMAKE_SOURCE_DIR}/build/${CMAKE_C_COMPILER_ARCHITECTURE_ID}/${CMAKE_BUILD_TYPE} )
add_definitions(-D_CRT_SECURE_NO_WARNINGS -D_DEPRECATION_DISABLE -D_CRT_NONSTDC_NO_DEPRECATE)
else (WIN32)
SET ( BUILD_DIRECTORY ${CMAKE_BINARY_DIR} )
endif (WIN32)
SET( CMAKE_RUNTIME_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/ )
SET( CMAKE_LIBRARY_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/ )
SET( CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/ )
# Make linux builds relocatable
SET(CMAKE_BUILD_WITH_INSTALL_RPATH 1)
SET(CMAKE_INSTALL_RPATH "$ORIGIN")
# add headers for utils from utils source folder/repo
include_directories (jansson/)
include_directories (utils/)
# IWYU. Pass -DNO_IWYU=1 to disable, -DNO_IWYU= to re-enable (or regenerate cache)
if (UNIX AND NOT NO_IWYU)
find_program(iwyu_path NAMES include-what-you-use iwyu)
if(NOT iwyu_path)
# can be installed with sudo apt install iwyu -y
message(STATUS "Could not find include-what-you-use, continuing without it")
else()
message(STATUS "Found include-what-you-use, displaying its suggestions")
set(CMAKE_C_INCLUDE_WHAT_YOU_USE ${iwyu_path})
set(CMAKE_CXX_INCLUDE_WHAT_YOU_USE ${iwyu_path})
endif()
else()
message(STATUS "include-what-you-use disabled")
endif()
add_subdirectory(jansson/)
# The general mutator library with the common functionality
add_subdirectory(mutators)
add_subdirectory(corpus) # test programs
add_subdirectory(fuzzer) # instantiates & coordinates other parts
add_subdirectory(driver) # starts program, feeds input, determines when program is done
add_subdirectory(instrumentation) # inserts instructions to program to tell whether an input makes the binary take a new path
add_subdirectory(merger) # merges instrumentation data between fuzzer nodes
add_subdirectory(tracer) # runs through program and records basic block edges
if (WIN32)
add_subdirectory(picker) # picks which libraries of a target program are being used, and worth fuzzing
add_subdirectory(winafl) # parts ripped from winafl for dynamorio
endif (WIN32)
### RELEASE ZIP CONFIG ###
# Choose what to install into the release zip
install(DIRECTORY ${BUILD_DIRECTORY}/killerbeez DESTINATION . USE_SOURCE_PERMISSIONS)
install(DIRECTORY ${BUILD_DIRECTORY}/mutators DESTINATION . USE_SOURCE_PERMISSIONS)
### BOINC wrapper ###
# If on Windows, include prebuilt BOINC wrapper
if (WIN32)
SET(BOINC_WRAPPER C:/killerbeez/wrapper_26014_windows_x86_64.exe)
endif ()
# If on Linux, we can build our own BOINC wrapper
if (UNIX AND (NOT APPLE))
SET(BOINC_WRAPPER ${CMAKE_SOURCE_DIR}/server/boinc/samples/wrapper/wrapper)
ExternalProject_Add(boinc-wrapper
SOURCE_DIR ${CMAKE_SOURCE_DIR}/server/boinc
DOWNLOAD_COMMAND cd ${CMAKE_SOURCE_DIR} && git submodule update --init server/boinc
BUILD_IN_SOURCE true
CONFIGURE_COMMAND ./_autosetup
COMMAND ./configure --disable-server --disable-client --disable-manager --enable-boinczip
BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
COMMAND ${CMAKE_MAKE_PROGRAM} -C samples/wrapper
INSTALL_COMMAND ""
)
endif ()
install(PROGRAMS ${BOINC_WRAPPER} DESTINATION server/skel)
### radamsa ###
set(RADAMSA_URL https://gitlab.com/akihe/radamsa.git)
ExternalProject_Add(radamsa
GIT_REPOSITORY ${RADAMSA_URL}
GIT_TAG develop
BUILD_IN_SOURCE true
CONFIGURE_COMMAND ""
BUILD_COMMAND ${CMAKE_MAKE_PROGRAM}
INSTALL_COMMAND ""
EXCLUDE_FROM_ALL true
)
ExternalProject_Get_Property(radamsa SOURCE_DIR)
install(DIRECTORY ${SOURCE_DIR}/bin DESTINATION radamsa USE_SOURCE_PERMISSIONS)
install(FILES ${SOURCE_DIR}/LICENCE DESTINATION radamsa)
# Set up CPack to generate the release zip
SET(CPACK_GENERATOR "ZIP")
# TODO: might want some kind of versioning or architecture in this name
SET(CPACK_PACKAGE_FILE_NAME "killerbeez-${CMAKE_SYSTEM_NAME}")
SET(CPACK_SOURCE_GENERATOR "ZIP")
SET(CPACK_SOURCE_IGNORE_FILES "/build/;/server/boinc/")
SET(CPACK_SOURCE_INSTALLED_DIRECTORIES "${CMAKE_SOURCE_DIR};killerbeez")
include (CPack)
# Special `release` target to ensure boinc-wrapper is built before package
add_custom_target(release
${CMAKE_MAKE_PROGRAM} package)
if (UNIX)
if (APPLE)
# macOS can't build the boinc wrapper right now, maybe we can patch
# things up in the future to make this possible, but for now we're
# just not building it.
add_dependencies(release radamsa)
else ()
add_dependencies(release radamsa boinc-wrapper)
endif ()
endif ()
================================================
FILE: LICENSE
================================================
Unless otherwise marked, this license applies to all code in this repository.
University of Illinois/NCSA Open Source License (UIUC license)
Copyright (c) 2018 Grimm. All rights reserved.
Developed by: Software Security Group
Grimm
https://grimm-co.com
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal with
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
- Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimers.
- Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimers in the documentation
and/or other materials provided with the distribution.
- Neither the names of Grimm, nor the names of its contributors may be used to
endorse or promote products derived from this Software without specific prior
written permission.
SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE CONTRIBUTORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE SOFTWARE.
================================================
FILE: Makefile
================================================
.PHONY=all clean docs
all: docs
docs:
# Defer to the Makefile in the docs directory
make -C docs
================================================
FILE: README.md
================================================
# Killerbeez
Killerbeez is a modular fuzzing framework that aims to bring awesome tools
together into a standard format.
## Table of Contents
* [Motivation](#motivation)
* [Getting Started](#getting-started)
* [Windows](#windows)
* [Linux and Mac](#linux-and-mac)
* [Documentation](#documentation)
* [Troubleshooting](#troubleshooting)
## Motivation
Many fuzzing tools are "research-quality" code, which means they're difficult to
incorporate with each other or make changes to short of forking. Killerbeez
seeks to reduce the engineering effort required to bring these tools together.
By writing things to a common API, we hope to encourage clean interfaces, which
should discourage spaghetti code and make writing cross-platform tools easier.
## Getting Started
We provide build instructions for Windows and Linux, and binaries for Windows.
For instructions building Killerbeez from source, see the [BUILD
instructions](docs/BUILD.md). Currently only the standalone client is available,
server coming soon!
### Windows
#### [Binary Releases](https://github.com/grimm-co/killerbeez/releases)
If you don't want to build the project from source, you can try the [binary
releases](https://github.com/grimm-co/killerbeez/releases) (though be
warned they are likely out of date). They have been tested on the
following operating systems.
| Windows Version| 64-Bit | 32-Bit |
| -------------- | ------------ | --------------- |
| Windows 7 | Not Working [1] | Not Working [1] |
| Windows 8 | Working | Experimental [2] |
| Windows 8.1 | Working | Experimental [2] |
| Windows 10 | Experimental [2] | Experimental [2] |
You will also need to install the 2017 Microsoft Visual C++
Redistributable. Please note that if you are running Killerbeez on a 64-bit
host, you will need to install both the 64-bit and the 32-bit versions of
the redistributable.
- [64-Bit Redistributable Download](https://aka.ms/vs/15/release/vc_redist.x64.exe)
- [32-Bit Redistributable Download](https://aka.ms/vs/15/release/vc_redist.x86.exe)
[1] This is due to a compatibility problem with Windows 7 and DynamoRIO see
[this issue](https://github.com/DynamoRIO/dynamorio/issues/2658) for more
info.
[2] Experimental status means that most of the features are working as
expected, and a few are not.
#### Quickstart and Examples
##### Fuzzing a simple test program:
```
REM Paste this into cmd.exe.
REM Assuming you: set WORKDIR=C:/killerbeez
REM Note: if using backslashes, they need to be escaped to be proper JSON.
cd %WORKDIR%/killerbeez/build/x64/Debug/killerbeez
echo {"path":"%WORKDIR%/killerbeez/corpus/test/test.exe","arguments":"@@"} > driver.json
fuzzer.exe -n 9 -s "%WORKDIR%/killerbeez/corpus/test/inputs/close.txt" ^
-d driver.json file debug bit_flip
```
Successful output should look like
```
Wed Aug 8 18:27:08 2018 - INFO - Logging Started
Wed Aug 8 18:27:09 2018 - CRITICAL - Found crashes
Wed Aug 8 18:27:09 2018 - INFO - Ran 9 iterations in 1 seconds
```
##### Fuzzing Windows Media Player
Download a small video file you would like to use as a seed file (e.g.
`youtube-dl --format mp4 --output test.mp4 your-favorite-video`).
Be sure to replace the seed file argument `-s` with the path to the video file
you just downloaded.
Note that because `wmplayer.exe` is a 32-bit executable you'll either need
to use the 32-bit `fuzzer.exe`, or manually specify the path to the 32-bit
`winafl.dll` with the instrumentation's `winafl_dir` option. Additionally,
the `-target_offset` argument that is passed to the instrumentation will
need to be updated depending on your Windows version. In this case we are
just using the entry point of `wmplayer.exe`, below there is a table to use
as reference but it is best to verify the entry point of your binary.
| WMP Version | Offset |
| --------------- | ------ |
| 12.0.7601 | 0x176D |
| 12.0.9200 | 0x1BAD |
| 12.0.9600 | 0x1F00 |
| 12.0.17134 | 0x1F20 |
```
echo {"timeout":20} > driver.json
echo {"timeout":5000,"coverage_modules":["wmp.DLL"],"target_path":"C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe"} > instrumentation.json
fuzzer.exe -n 3 -s "C:\Users\user\Desktop\test.mp4" -d driver.json -i instrumentation.json wmp dynamorio nop
```
You may need to modify these parameters to match your environment. In
order to speed up fuzzing, it may be useful to enable persistence mode.
See [PersistenceMode.md](docs/PersistenceMode.md) for instructions.
### Linux and Mac
Once you've built Killerbeez following the [BUILD
instructions](docs/BUILD.md#linux-and-mac), you should be ready to change
into the right directory and run the fuzzer. Here's an example of running
it on a test program from our corpus.
```
# assuming that you're in $WORKDIR/build/killerbeez
cd ../build/killerbeez/
echo '{"path":"corpus/test-linux","arguments":"@@"}' > driver.json
./fuzzer -n 20 -s /bin/bash -d driver.json file return_code honggfuzz
```
If it ran correctly, you should see something like this:
```
Thu Jul 19 09:40:46 2018 - INFO - Logging Started
Thu Jul 19 09:40:46 2018 - INFO - Ran 20 iterations in 0 seconds
```
In the example above, we're using the **file** driver, the **return\_code**
instrumentation, and the **honggfuzz** mutator module. We are only going to do 20
executions and our seed file is /bin/bash, because why not?
The -d option are for the driver. We need to give it the path to our executable
and the command line arguments, which in our case is just the filename,
represented by "@@" here.
We don't need to specify any options for the mutator or the instrumentation, so
we'll rely on default values instead. To see the options available, you can use
the `-h` help flag. Some examples:
```
./fuzzer -h
./fuzzer -hd
./fuzzer -hi
```
Looking at the results in the "output" directory, we see that it didn't find
any crashes, hangs or new paths. At first glance, it might seem like it didn't
work. However, we were using the return\_code instrumentation, which does not
actually track code coverage, so it can not determine the execution path, thus
it can't determine if a new path was hit. Instead, it just looks at the return
code to determine if the process crashed or not. It's very efficient, however
this is effectively dumb fuzzing. In order to track coverage on Linux,
Killerbeez has support for Intel Processor Trace. See [IPT.md](docs/IPT.md) for
more details.
To see a crash, we can just change our seed file to be close to the file which
will cause a crash. It's cheating, but it works well to demonstrate the
importance of seed files as well as illustrating what the output of finding a
crash looks like. The following commands assume you are still in the directory
containing ./fuzzer.
```
# assuming that you're in $WORKDIR/build/killerbeez
echo "ABC@" > test1 # ABC@ is one bit different than ABCD, the crashing input
echo '{"path":"corpus/test-linux","arguments":"@@"}' > driver.json
./fuzzer -n 2000 -s ./test1 -d driver.json file return_code honggfuzz
```
Which should yield output similar to this:
```
Thu Jul 19 12:03:11 2018 - INFO - Logging Started
Thu Jul 19 12:03:13 2018 - CRITICAL - Found crashes
Thu Jul 19 12:03:13 2018 - CRITICAL - Found crashes
Thu Jul 19 12:03:19 2018 - CRITICAL - Found crashes
Thu Jul 19 12:03:22 2018 - CRITICAL - Found crashes
Thu Jul 19 12:03:22 2018 - INFO - Ran 2000 iterations in 11 seconds
```
Looking in the output/crashes folder, we can see the inputs which were found to
crash this target and reproduce the crash manually.
```
$ ls output/crashes/
2B81D0C867F76051FD33D8690AA2AC68 5220E572A6F9DAAF522EF5C5698EAF4C 59F885D0289BE9A83E711C5E7CFCBE4D ED5D34C74E59D16BD6D5B3683DB655C3
$ cat output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D ; echo
ABCD
$ corpus/test-linux output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D
Segmentation fault (core dumped)
```
## Documentation
Documentation of the API can be found in the [docs](docs) folder. It's written in
LaTeX which can be used to generate a PDF, HTML, or various other formats.
PDFs are also included so the documentation is easy to read for those who
do not have a LaTeX typesetting environment set up.
## Troubleshooting
Q: The target program doesn't start
A: Windows Media Player won't automatically play media the first time is run.
There's a pop-up which requires you to configure some settings. Just run it
manually once and you should be good to go after that.
Q: I'm getting an error about a pipe timing out
A: This is related to the instrumentation and the target taking too long to
start up. If running it again doesn't work, try increasing the "timeout" on
the -i argument and that should take care of it.
## Still Having a Problem?
Please create an issue on GitHub and we will address it as soon as possible.
## Have questions? Wanna chat?
Feel free to join the mailing list! Send a request to join to
`killerbeez-join@lists.grimm-co.com` then post your questions to
`killerbeez@lists.grimm-co.com`! We've also got #killerbeez on freenode,
but it's pretty quiet.
## License
This project is licensed under the UIUC License - see the
[LICENSE](LICENSE) file for details. Some parts of this project have been
included from other software and will be under different licenses, where
marked.
================================================
FILE: afl_progs/Makefile
================================================
#
# american fuzzy lop - makefile
# -----------------------------
#
# Originally written and maintained by Michal Zalewski <lcamtuf@google.com>
#
# Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Modified by GRIMM
COMM_HDR = alloc-inl.h config.h debug.h types.h
PROGS = afl-gcc
PREFIX ?= /usr/local
BIN_PATH = $(PREFIX)/bin
HELPER_PATH = $(PREFIX)/lib/afl
DOC_PATH = $(PREFIX)/share/doc/afl
CFLAGS ?= -O3 -funroll-loops
CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
-DBIN_PATH=\"$(BIN_PATH)\"
ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
TEST_CC = afl-gcc
else
TEST_CC = afl-clang
endif
all: test_x86 $(PROGS) afl-as test_build all_done
ifndef AFL_NO_X86
test_x86:
@echo "[*] Checking for the ability to compile x86 code..."
@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
@rm -f .test
@echo "[+] Everything seems to be working, ready to compile."
else
test_x86:
@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
endif
afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
ln -sf afl-gcc afl-clang
ln -sf afl-gcc afl-clang++
ln -sf afl-gcc afl-g++
afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
ln -sf afl-as as
afl-showmap: afl-showmap.c hash.h $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
ifndef AFL_NO_X86
test_build: test-instr.c afl-gcc afl-as afl-showmap
@echo "[*] Testing the CC wrapper and instrumentation output..."
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
@rm -f test-instr
@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
@echo "[+] All right, the instrumentation seems to be working!"
else
test_build: afl-gcc afl-as afl-showmap
@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
endif
all_done: test_build
@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
@echo "[+] All done! Be sure to review README - it's pretty short and useful."
@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
================================================
FILE: afl_progs/afl-as.c
================================================
/*
american fuzzy lop - wrapper for GNU as
---------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com>
Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
The sole purpose of this wrapper is to preprocess assembly files generated
by GCC / clang and inject the instrumentation bits included from afl-as.h. It
is automatically invoked by the toolchain when compiling programs using
afl-gcc / afl-clang.
Note that it's an explicit non-goal to instrument hand-written assembly,
be it in separate .s files or in __asm__ blocks. The only aspiration this
utility has right now is to be able to skip them gracefully and allow the
compilation process to continue.
That said, see experimental/clang_asm_normalize/ for a solution that may
allow clang users to make things work even with hand-crafted assembly. Just
note that there is no equivalent for GCC.
*/
#define AFL_MAIN
#include "config.h"
#include "types.h"
#include "debug.h"
#include "alloc-inl.h"
#include "afl-as.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <ctype.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/time.h>
static u8** as_params; /* Parameters passed to the real 'as' */
static u8* input_file; /* Originally specified input file */
static u8* modified_file; /* Instrumented file for the real 'as' */
static u8 be_quiet, /* Quiet mode (no stderr output) */
clang_mode, /* Running in clang mode? */
pass_thru, /* Just pass data through? */
just_version, /* Just show version? */
sanitizer; /* Using ASAN / MSAN */
static u32 inst_ratio = 100, /* Instrumentation probability (%) */
as_par_cnt = 1; /* Number of params to 'as' */
/* If we don't find --32 or --64 in the command line, default to
instrumentation for whichever mode we were compiled with. This is not
perfect, but should do the trick for almost all use cases. */
#ifdef __x86_64__
static u8 use_64bit = 1;
#else
static u8 use_64bit = 0;
#ifdef __APPLE__
# error "Sorry, 32-bit Apple platforms are not supported."
#endif /* __APPLE__ */
#endif /* ^__x86_64__ */
/* Examine and modify parameters to pass to 'as'. Note that the file name
is always the last parameter passed by GCC, so we exploit this property
to keep the code simple. */
static void edit_params(int argc, char** argv) {
u8 *tmp_dir = getenv("TMPDIR"), *afl_as = getenv("AFL_AS");
u32 i;
#ifdef __APPLE__
u8 use_clang_as = 0;
/* On MacOS X, the Xcode cctool 'as' driver is a bit stale and does not work
with the code generated by newer versions of clang that are hand-built
by the user. See the thread here: http://goo.gl/HBWDtn.
To work around this, when using clang and running without AFL_AS
specified, we will actually call 'clang -c' instead of 'as -q' to
compile the assembly file.
The tools aren't cmdline-compatible, but at least for now, we can
seemingly get away with this by making only very minor tweaks. Thanks
to Nico Weber for the idea. */
if (clang_mode && !afl_as) {
use_clang_as = 1;
afl_as = getenv("AFL_CC");
if (!afl_as) afl_as = getenv("AFL_CXX");
if (!afl_as) afl_as = "clang";
}
#endif /* __APPLE__ */
/* Although this is not documented, GCC also uses TEMP and TMP when TMPDIR
is not set. We need to check these non-standard variables to properly
handle the pass_thru logic later on. */
if (!tmp_dir) tmp_dir = getenv("TEMP");
if (!tmp_dir) tmp_dir = getenv("TMP");
if (!tmp_dir) tmp_dir = "/tmp";
as_params = ck_alloc((argc + 32) * sizeof(u8*));
as_params[0] = afl_as ? afl_as : (u8*)"as";
as_params[argc] = 0;
for (i = 1; i < argc - 1; i++) {
if (!strcmp(argv[i], "--64")) use_64bit = 1;
else if (!strcmp(argv[i], "--32")) use_64bit = 0;
#ifdef __APPLE__
/* The Apple case is a bit different... */
if (!strcmp(argv[i], "-arch") && i + 1 < argc) {
if (!strcmp(argv[i + 1], "x86_64")) use_64bit = 1;
else if (!strcmp(argv[i + 1], "i386"))
FATAL("Sorry, 32-bit Apple platforms are not supported.");
}
/* Strip options that set the preference for a particular upstream
assembler in Xcode. */
if (clang_mode && (!strcmp(argv[i], "-q") || !strcmp(argv[i], "-Q")))
continue;
#endif /* __APPLE__ */
as_params[as_par_cnt++] = argv[i];
}
#ifdef __APPLE__
/* When calling clang as the upstream assembler, append -c -x assembler
and hope for the best. */
if (use_clang_as) {
as_params[as_par_cnt++] = "-c";
as_params[as_par_cnt++] = "-x";
as_params[as_par_cnt++] = "assembler";
}
#endif /* __APPLE__ */
input_file = argv[argc - 1];
if (input_file[0] == '-') {
if (!strcmp(input_file + 1, "-version")) {
just_version = 1;
modified_file = input_file;
goto wrap_things_up;
}
if (input_file[1]) FATAL("Incorrect use (not called through afl-gcc?)");
else input_file = NULL;
} else {
/* Check if this looks like a standard invocation as a part of an attempt
to compile a program, rather than using gcc on an ad-hoc .s file in
a format we may not understand. This works around an issue compiling
NSS. */
if (strncmp(input_file, tmp_dir, strlen(tmp_dir)) &&
strncmp(input_file, "/var/tmp/", 9) &&
strncmp(input_file, "/tmp/", 5)) pass_thru = 1;
}
modified_file = alloc_printf("%s/.afl-%u-%u.s", tmp_dir, getpid(),
(u32)time(NULL));
wrap_things_up:
as_params[as_par_cnt++] = modified_file;
as_params[as_par_cnt] = NULL;
}
/* Process input file, generate modified_file. Insert instrumentation in all
the appropriate places. */
static void add_instrumentation(void) {
static u8 line[MAX_LINE];
FILE* inf;
FILE* outf;
s32 outfd;
u32 ins_lines = 0;
u8 instr_ok = 0, skip_csect = 0, skip_next_label = 0,
skip_intel = 0, skip_app = 0, instrument_next = 0;
#ifdef __APPLE__
u8* colon_pos;
#endif /* __APPLE__ */
if (input_file) {
inf = fopen(input_file, "r");
if (!inf) PFATAL("Unable to read '%s'", input_file);
} else inf = stdin;
outfd = open(modified_file, O_WRONLY | O_EXCL | O_CREAT, 0600);
if (outfd < 0) PFATAL("Unable to write to '%s'", modified_file);
outf = fdopen(outfd, "w");
if (!outf) PFATAL("fdopen() failed");
while (fgets(line, MAX_LINE, inf)) {
/* In some cases, we want to defer writing the instrumentation trampoline
until after all the labels, macros, comments, etc. If we're in this
mode, and if the line starts with a tab followed by a character, dump
the trampoline now. */
if (!pass_thru && !skip_intel && !skip_app && !skip_csect && instr_ok &&
instrument_next && line[0] == '\t' && isalpha(line[1])) {
fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32,
R(MAP_SIZE));
instrument_next = 0;
ins_lines++;
}
/* Output the actual line, call it a day in pass-thru mode. */
fputs(line, outf);
if (pass_thru) continue;
/* All right, this is where the actual fun begins. For one, we only want to
instrument the .text section. So, let's keep track of that in processed
files - and let's set instr_ok accordingly. */
if (line[0] == '\t' && line[1] == '.') {
/* OpenBSD puts jump tables directly inline with the code, which is
a bit annoying. They use a specific format of p2align directives
around them, so we use that as a signal. */
if (!clang_mode && instr_ok && !strncmp(line + 2, "p2align ", 8) &&
isdigit(line[10]) && line[11] == '\n') skip_next_label = 1;
if (!strncmp(line + 2, "text\n", 5) ||
!strncmp(line + 2, "section\t.text", 13) ||
!strncmp(line + 2, "section\t__TEXT,__text", 21) ||
!strncmp(line + 2, "section __TEXT,__text", 21)) {
instr_ok = 1;
continue;
}
if (!strncmp(line + 2, "section\t", 8) ||
!strncmp(line + 2, "section ", 8) ||
!strncmp(line + 2, "bss\n", 4) ||
!strncmp(line + 2, "data\n", 5)) {
instr_ok = 0;
continue;
}
}
/* Detect off-flavor assembly (rare, happens in gdb). When this is
encountered, we set skip_csect until the opposite directive is
seen, and we do not instrument. */
if (strstr(line, ".code")) {
if (strstr(line, ".code32")) skip_csect = use_64bit;
if (strstr(line, ".code64")) skip_csect = !use_64bit;
}
/* Detect syntax changes, as could happen with hand-written assembly.
Skip Intel blocks, resume instrumentation when back to AT&T. */
if (strstr(line, ".intel_syntax")) skip_intel = 1;
if (strstr(line, ".att_syntax")) skip_intel = 0;
/* Detect and skip ad-hoc __asm__ blocks, likewise skipping them. */
if (line[0] == '#' || line[1] == '#') {
if (strstr(line, "#APP")) skip_app = 1;
if (strstr(line, "#NO_APP")) skip_app = 0;
}
/* If we're in the right mood for instrumenting, check for function
names or conditional labels. This is a bit messy, but in essence,
we want to catch:
^main: - function entry point (always instrumented)
^.L0: - GCC branch label
^.LBB0_0: - clang branch label (but only in clang mode)
^\tjnz foo - conditional branches
...but not:
^# BB#0: - clang comments
^ # BB#0: - ditto
^.Ltmp0: - clang non-branch labels
^.LC0 - GCC non-branch labels
^.LBB0_0: - ditto (when in GCC mode)
^\tjmp foo - non-conditional jumps
Additionally, clang and GCC on MacOS X follow a different convention
with no leading dots on labels, hence the weird maze of #ifdefs
later on.
*/
if (skip_intel || skip_app || skip_csect || !instr_ok ||
line[0] == '#' || line[0] == ' ') continue;
/* Conditional branch instruction (jnz, etc). We append the instrumentation
right after the branch (to instrument the not-taken path) and at the
branch destination label (handled later on). */
if (line[0] == '\t') {
if (line[1] == 'j' && line[2] != 'm' && R(100) < inst_ratio) {
fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32,
R(MAP_SIZE));
ins_lines++;
}
continue;
}
/* Label of some sort. This may be a branch destination, but we need to
tread carefully and account for several different formatting
conventions. */
#ifdef __APPLE__
/* Apple: L<whatever><digit>: */
if ((colon_pos = strstr(line, ":"))) {
if (line[0] == 'L' && isdigit(*(colon_pos - 1))) {
#else
/* Everybody else: .L<whatever>: */
if (strstr(line, ":")) {
if (line[0] == '.') {
#endif /* __APPLE__ */
/* .L0: or LBB0_0: style jump destination */
#ifdef __APPLE__
/* Apple: L<num> / LBB<num> */
if ((isdigit(line[1]) || (clang_mode && !strncmp(line, "LBB", 3)))
&& R(100) < inst_ratio) {
#else
/* Apple: .L<num> / .LBB<num> */
if ((isdigit(line[2]) || (clang_mode && !strncmp(line + 1, "LBB", 3)))
&& R(100) < inst_ratio) {
#endif /* __APPLE__ */
/* An optimization is possible here by adding the code only if the
label is mentioned in the code in contexts other than call / jmp.
That said, this complicates the code by requiring two-pass
processing (messy with stdin), and results in a speed gain
typically under 10%, because compilers are generally pretty good
about not generating spurious intra-function jumps.
We use deferred output chiefly to avoid disrupting
.Lfunc_begin0-style exception handling calculations (a problem on
MacOS X). */
if (!skip_next_label) instrument_next = 1; else skip_next_label = 0;
}
} else {
/* Function label (always instrumented, deferred mode). */
instrument_next = 1;
}
}
}
if (ins_lines)
fputs(use_64bit ? main_payload_64 : main_payload_32, outf);
if (input_file) fclose(inf);
fclose(outf);
if (!be_quiet) {
if (!ins_lines) WARNF("No instrumentation targets found%s.",
pass_thru ? " (pass-thru mode)" : "");
else OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).",
ins_lines, use_64bit ? "64" : "32",
getenv("AFL_HARDEN") ? "hardened" :
(sanitizer ? "ASAN/MSAN" : "non-hardened"),
inst_ratio);
}
}
/* Main entry point */
int main(int argc, char** argv) {
s32 pid;
u32 rand_seed;
int status;
u8* inst_ratio_str = getenv("AFL_INST_RATIO");
struct timeval tv;
struct timezone tz;
clang_mode = !!getenv(CLANG_ENV_VAR);
if (isatty(2) && !getenv("AFL_QUIET")) {
SAYF(cCYA "afl-as " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
} else be_quiet = 1;
if (argc < 2) {
SAYF("\n"
"This is a helper application for afl-fuzz. It is a wrapper around GNU 'as',\n"
"executed by the toolchain whenever using afl-gcc or afl-clang. You probably\n"
"don't want to run this program directly.\n\n"
"Rarely, when dealing with extremely complex projects, it may be advisable to\n"
"set AFL_INST_RATIO to a value less than 100 in order to reduce the odds of\n"
"instrumenting every discovered branch.\n\n");
exit(1);
}
gettimeofday(&tv, &tz);
rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
srandom(rand_seed);
edit_params(argc, argv);
if (inst_ratio_str) {
if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || inst_ratio > 100)
FATAL("Bad value of AFL_INST_RATIO (must be between 0 and 100)");
}
if (getenv(AS_LOOP_ENV_VAR))
FATAL("Endless loop when calling 'as' (remove '.' from your PATH)");
setenv(AS_LOOP_ENV_VAR, "1", 1);
/* When compiling with ASAN, we don't have a particularly elegant way to skip
ASAN-specific branches. But we can probabilistically compensate for
that... */
if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) {
sanitizer = 1;
inst_ratio /= 3;
}
if (!just_version) add_instrumentation();
if (!(pid = fork())) {
execvp(as_params[0], (char**)as_params);
FATAL("Oops, failed to execute '%s' - check your PATH", as_params[0]);
}
if (pid < 0) PFATAL("fork() failed");
if (waitpid(pid, &status, 0) <= 0) PFATAL("waitpid() failed");
if (!getenv("AFL_KEEP_ASSEMBLY")) unlink(modified_file);
exit(WEXITSTATUS(status));
}
================================================
FILE: afl_progs/afl-as.h
================================================
/*
american fuzzy lop - injectable parts
-------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com>
Forkserver design by Jann Horn <jannhorn@googlemail.com>
Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This file houses the assembly-level instrumentation injected into fuzzed
programs. The instrumentation stores XORed pairs of data: identifiers of the
currently executing branch and the one that executed immediately before.
TL;DR: the instrumentation does shm_trace_map[cur_loc ^ prev_loc]++
The code is designed for 32-bit and 64-bit x86 systems. Both modes should
work everywhere except for Apple systems. Apple does relocations differently
from everybody else, so since their OSes have been 64-bit for a longer while,
I didn't go through the mental effort of porting the 32-bit code.
In principle, similar code should be easy to inject into any well-behaved
binary-only code (e.g., using DynamoRIO). Conditional jumps offer natural
targets for instrumentation, and should offer comparable probe density.
*/
/*
This file has been modified from the original AFL version to incorporate into
Killerbeez. Specifically, the injected fork server has been modified to match
the Killerbeez fork server protocol.
*/
#ifndef _HAVE_AFL_AS_H
#define _HAVE_AFL_AS_H
#include "config.h"
#include "types.h"
#include "../instrumentation/forkserver_internal.h"
/*
------------------
Performances notes
------------------
Contributions to make this code faster are appreciated! Here are some
rough notes that may help with the task:
- Only the trampoline_fmt and the non-setup __afl_maybe_log code paths are
really worth optimizing; the setup / fork server stuff matters a lot less
and should be mostly just kept readable.
- We're aiming for modern CPUs with out-of-order execution and large
pipelines; the code is mostly follows intuitive, human-readable
instruction ordering, because "textbook" manual reorderings make no
substantial difference.
- Interestingly, instrumented execution isn't a lot faster if we store a
variable pointer to the setup, log, or return routine and then do a reg
call from within trampoline_fmt. It does speed up non-instrumented
execution quite a bit, though, since that path just becomes
push-call-ret-pop.
- There is also not a whole lot to be gained by doing SHM attach at a
fixed address instead of retrieving __afl_area_ptr. Although it allows us
to have a shorter log routine inserted for conditional jumps and jump
labels (for a ~10% perf gain), there is a risk of bumping into other
allocations created by the program or by tools such as ASAN.
- popf is *awfully* slow, which is why we're doing the lahf / sahf +
overflow test trick. Unfortunately, this forces us to taint eax / rax, but
this dependency on a commonly-used register still beats the alternative of
using pushf / popf.
One possible optimization is to avoid touching flags by using a circular
buffer that stores just a sequence of current locations, with the XOR stuff
happening offline. Alas, this doesn't seem to have a huge impact:
https://groups.google.com/d/msg/afl-users/MsajVf4fRLo/2u6t88ntUBIJ
- Preforking one child a bit sooner, and then waiting for the "go" command
from within the child, doesn't offer major performance gains; fork() seems
to be relatively inexpensive these days. Preforking multiple children does
help, but badly breaks the "~1 core per fuzzer" design, making it harder to
scale up. Maybe there is some middle ground.
Perhaps of note: in the 64-bit version for all platforms except for Apple,
the instrumentation is done slightly differently than on 32-bit, with
__afl_prev_loc and __afl_area_ptr being local to the object file (.lcomm),
rather than global (.comm). This is to avoid GOTRELPC lookups in the critical
code path, which AFAICT, are otherwise unavoidable if we want gcc -shared to
work; simple relocations between .bss and .text won't work on most 64-bit
platforms in such a case.
(Fun fact: on Apple systems, .lcomm can segfault the linker.)
The side effect is that state transitions are measured in a somewhat
different way, with previous tuple being recorded separately within the scope
of every .c file. This should have no impact in any practical sense.
Another side effect of this design is that getenv() will be called once per
every .o file when running in non-instrumented mode; and since getenv() tends
to be optimized in funny ways, we need to be very careful to save every
oddball register it may touch.
*/
static const u8* trampoline_fmt_32 =
"\n"
"/* --- AFL TRAMPOLINE (32-BIT) --- */\n"
"\n"
".align 4\n"
"\n"
"leal -16(%%esp), %%esp\n"
"movl %%edi, 0(%%esp)\n"
"movl %%edx, 4(%%esp)\n"
"movl %%ecx, 8(%%esp)\n"
"movl %%eax, 12(%%esp)\n"
"movl $0x%08x, %%ecx\n"
"call __afl_maybe_log\n"
"movl 12(%%esp), %%eax\n"
"movl 8(%%esp), %%ecx\n"
"movl 4(%%esp), %%edx\n"
"movl 0(%%esp), %%edi\n"
"leal 16(%%esp), %%esp\n"
"\n"
"/* --- END --- */\n"
"\n";
static const u8* trampoline_fmt_64 =
"\n"
"/* --- AFL TRAMPOLINE (64-BIT) --- */\n"
"\n"
".align 4\n"
"\n"
"leaq -(128+24)(%%rsp), %%rsp\n"
"movq %%rdx, 0(%%rsp)\n"
"movq %%rcx, 8(%%rsp)\n"
"movq %%rax, 16(%%rsp)\n"
"movq $0x%08x, %%rcx\n"
"call __afl_maybe_log\n"
"movq 16(%%rsp), %%rax\n"
"movq 8(%%rsp), %%rcx\n"
"movq 0(%%rsp), %%rdx\n"
"leaq (128+24)(%%rsp), %%rsp\n"
"\n"
"/* --- END --- */\n"
"\n";
static const u8* main_payload_32 =
"\n"
"/* --- AFL MAIN PAYLOAD (32-BIT) --- */\n"
"\n"
".text\n"
".att_syntax\n"
".code32\n"
".align 8\n"
"\n"
"__afl_maybe_log:\n"
"\n"
" lahf\n"
" seto %al\n"
"\n"
" /* Check if SHM region is already mapped. */\n"
"\n"
" movl __afl_area_ptr, %edx\n"
" testl %edx, %edx\n"
" je __afl_setup\n"
"\n"
"__afl_store:\n"
"\n"
" /* Calculate and store hit for the code location specified in ecx. There\n"
" is a double-XOR way of doing this without tainting another register,\n"
" and we use it on 64-bit systems; but it's slower for 32-bit ones. */\n"
"\n"
#ifndef COVERAGE_ONLY
" movl __afl_prev_loc, %edi\n"
" xorl %ecx, %edi\n"
" shrl $1, %ecx\n"
" movl %ecx, __afl_prev_loc\n"
#else
" movl %ecx, %edi\n"
#endif /* ^!COVERAGE_ONLY */
"\n"
#ifdef SKIP_COUNTS
" orb $1, (%edx, %edi, 1)\n"
#else
" incb (%edx, %edi, 1)\n"
#endif /* ^SKIP_COUNTS */
"\n"
"__afl_return:\n"
"\n"
" addb $127, %al\n"
" sahf\n"
" ret\n"
"\n"
".align 8\n"
"\n"
"__afl_setup:\n"
"\n"
" /* Do not retry setup if we had previous failures. */\n"
"\n"
" cmpb $0, __afl_setup_failure\n"
" jne __afl_return\n"
"\n"
" /* Map SHM, jumping to __afl_setup_abort if something goes wrong.\n"
" We do not save FPU/MMX/SSE registers here, but hopefully, nobody\n"
" will notice this early in the game. */\n"
"\n"
" pushl %eax\n"
" pushl %ecx\n"
"\n"
" pushl $.AFL_SHM_ENV\n"
" call getenv\n"
" addl $4, %esp\n"
"\n"
" testl %eax, %eax\n"
" je __afl_setup_abort\n"
"\n"
" pushl %eax\n"
" call atoi\n"
" addl $4, %esp\n"
"\n"
" pushl $0 /* shmat flags */\n"
" pushl $0 /* requested addr */\n"
" pushl %eax /* SHM ID */\n"
" call shmat\n"
" addl $12, %esp\n"
"\n"
" cmpl $-1, %eax\n"
" je __afl_setup_abort\n"
"\n"
" /* Store the address of the SHM region. */\n"
"\n"
" movl %eax, __afl_area_ptr\n"
" movl %eax, %edx\n"
"\n"
" popl %ecx\n"
" popl %eax\n"
"\n"
"__afl_forkserver:\n"
"\n"
" /* Enter the fork server mode to avoid the overhead of execve() calls. */\n"
"\n"
" pushl %eax\n"
" pushl %ecx\n"
" pushl %edx\n"
"\n"
" /* Phone home and tell the parent that we're OK. (Note that signals with\n"
" no SA_RESTART will mess it up). If this fails, assume that the fd is\n"
" closed because we were execve()d from an instrumented binary, or because\n"
" the parent doesn't want to use the fork server. */\n"
"\n"
" pushl $4 /* length */\n"
" pushl $__afl_temp /* data */\n"
" pushl $" STRINGIFY(FORKSRV_TO_FUZZER) " /* file desc */\n"
" call write\n"
" addl $12, %esp\n"
"\n"
" cmpl $4, %eax\n"
" jne __afl_fork_resume\n"
"\n"
"__afl_fork_wait_loop:\n"
"\n"
" /* Wait for parent FORK_RUN command by reading from the pipe. Abort if read fails. */\n"
"\n"
" pushl $1 /* length */\n"
" pushl $__afl_temp /* data */\n"
" pushl $" STRINGIFY(FUZZER_TO_FORKSRV) " /* file desc */\n"
" call read\n"
" addl $12, %esp\n"
"\n"
" cmpl $1, %eax\n"
" jne __afl_die\n"
" movb __afl_temp, %al\n"
" cmpb $" STRINGIFY(FORK_RUN) ", %al\n"
" jne __afl_die\n"
"\n"
" /* Once woken up, create a clone of our process. This is an excellent use\n"
" case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n"
" caches getpid() results and offers no way to update the value, breaking\n"
" abort(), raise(), and a bunch of other things :-( */\n"
"\n"
" call fork\n"
"\n"
" cmpl $0, %eax\n"
" jl __afl_die\n"
" je __afl_fork_resume\n"
"\n"
" /* In parent process: write PID to pipe, then wait for child. */\n"
"\n"
" movl %eax, __afl_fork_pid\n"
"\n"
" pushl $4 /* length */\n"
" pushl $__afl_fork_pid /* data */\n"
" pushl $" STRINGIFY(FORKSRV_TO_FUZZER) " /* file desc */\n"
" call write\n"
" addl $12, %esp\n"
"\n"
" /* Wait for the GET_STATUS command by reading from the pipe. Abort if read fails. */\n"
"\n"
" pushl $1 /* length */\n"
" pushl $__afl_temp /* data */\n"
" pushl $" STRINGIFY(FUZZER_TO_FORKSRV) " /* file desc */\n"
" call read\n"
" addl $12, %esp\n"
"\n"
" cmpl $1, %eax\n"
" jne __afl_die\n"
" movb __afl_temp, %al\n"
" cmpb $" STRINGIFY(GET_STATUS) ", %al\n"
" jne __afl_die\n"
"\n"
" pushl $0 /* no flags */\n"
" pushl $__afl_temp /* status */\n"
" pushl __afl_fork_pid /* PID */\n"
" call waitpid\n"
" addl $12, %esp\n"
"\n"
" cmpl $0, %eax\n"
" jle __afl_die\n"
"\n"
" /* Relay wait status to pipe, then loop back. */\n"
"\n"
" pushl $4 /* length */\n"
" pushl $__afl_temp /* data */\n"
" pushl $" STRINGIFY(FORKSRV_TO_FUZZER) " /* file desc */\n"
" call write\n"
" addl $12, %esp\n"
"\n"
" jmp __afl_fork_wait_loop\n"
"\n"
"__afl_fork_resume:\n"
"\n"
" /* In child process: close fds, resume execution. */\n"
"\n"
" pushl $" STRINGIFY(FUZZER_TO_FORKSRV) "\n"
" call close\n"
"\n"
" pushl $" STRINGIFY(FORKSRV_TO_FUZZER) "\n"
" call close\n"
"\n"
" addl $8, %esp\n"
"\n"
" popl %edx\n"
" popl %ecx\n"
" popl %eax\n"
" jmp __afl_store\n"
"\n"
"__afl_die:\n"
"\n"
" xorl %eax, %eax\n"
" call _exit\n"
"\n"
"__afl_setup_abort:\n"
"\n"
" /* Record setup failure so that we don't keep calling\n"
" shmget() / shmat() over and over again. */\n"
"\n"
" incb __afl_setup_failure\n"
" popl %ecx\n"
" popl %eax\n"
" jmp __afl_return\n"
"\n"
".AFL_VARS:\n"
"\n"
" .comm __afl_area_ptr, 4, 32\n"
" .comm __afl_setup_failure, 1, 32\n"
#ifndef COVERAGE_ONLY
" .comm __afl_prev_loc, 4, 32\n"
#endif /* !COVERAGE_ONLY */
" .comm __afl_fork_pid, 4, 32\n"
" .comm __afl_temp, 4, 32\n"
"\n"
".AFL_SHM_ENV:\n"
" .asciz \"" SHM_ENV_VAR "\"\n"
"\n"
"/* --- END --- */\n"
"\n";
/* The OpenBSD hack is due to lahf and sahf not being recognized by some
versions of binutils: http://marc.info/?l=openbsd-cvs&m=141636589924400
The Apple code is a bit different when calling libc functions because
they are doing relocations differently from everybody else. We also need
to work around the crash issue with .lcomm and the fact that they don't
recognize .string. */
#ifdef __APPLE__
# define CALL_L64(str) "call _" str "\n"
#else
# define CALL_L64(str) "call " str "@PLT\n"
#endif /* ^__APPLE__ */
static const u8* main_payload_64 =
"\n"
"/* --- AFL MAIN PAYLOAD (64-BIT) --- */\n"
"\n"
".text\n"
".att_syntax\n"
".code64\n"
".align 8\n"
"\n"
"__afl_maybe_log:\n"
"\n"
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
" .byte 0x9f /* lahf */\n"
#else
" lahf\n"
#endif /* ^__OpenBSD__, etc */
" seto %al\n"
"\n"
" /* Check if SHM region is already mapped. */\n"
"\n"
" movq __afl_area_ptr(%rip), %rdx\n"
" testq %rdx, %rdx\n"
" je __afl_setup\n"
"\n"
"__afl_store:\n"
"\n"
" /* Calculate and store hit for the code location specified in rcx. */\n"
"\n"
#ifndef COVERAGE_ONLY
" xorq __afl_prev_loc(%rip), %rcx\n"
" xorq %rcx, __afl_prev_loc(%rip)\n"
" shrq $1, __afl_prev_loc(%rip)\n"
#endif /* ^!COVERAGE_ONLY */
"\n"
#ifdef SKIP_COUNTS
" orb $1, (%rdx, %rcx, 1)\n"
#else
" incb (%rdx, %rcx, 1)\n"
#endif /* ^SKIP_COUNTS */
"\n"
"__afl_return:\n"
"\n"
" addb $127, %al\n"
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && (__FreeBSD__ < 9))
" .byte 0x9e /* sahf */\n"
#else
" sahf\n"
#endif /* ^__OpenBSD__, etc */
" ret\n"
"\n"
".align 8\n"
"\n"
"__afl_setup:\n"
"\n"
" /* Do not retry setup if we had previous failures. */\n"
"\n"
" cmpb $0, __afl_setup_failure(%rip)\n"
" jne __afl_return\n"
"\n"
" /* Check out if we have a global pointer on file. */\n"
"\n"
#ifndef __APPLE__
" movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n"
" movq (%rdx), %rdx\n"
#else
" movq __afl_global_area_ptr(%rip), %rdx\n"
#endif /* !^__APPLE__ */
" testq %rdx, %rdx\n"
" je __afl_setup_first\n"
"\n"
" movq %rdx, __afl_area_ptr(%rip)\n"
" jmp __afl_store\n"
"\n"
"__afl_setup_first:\n"
"\n"
" /* Save everything that is not yet saved and that may be touched by\n"
" getenv() and several other libcalls we'll be relying on. */\n"
"\n"
" leaq -352(%rsp), %rsp\n"
"\n"
" movq %rax, 0(%rsp)\n"
" movq %rcx, 8(%rsp)\n"
" movq %rdi, 16(%rsp)\n"
" movq %rsi, 32(%rsp)\n"
" movq %r8, 40(%rsp)\n"
" movq %r9, 48(%rsp)\n"
" movq %r10, 56(%rsp)\n"
" movq %r11, 64(%rsp)\n"
"\n"
" movq %xmm0, 96(%rsp)\n"
" movq %xmm1, 112(%rsp)\n"
" movq %xmm2, 128(%rsp)\n"
" movq %xmm3, 144(%rsp)\n"
" movq %xmm4, 160(%rsp)\n"
" movq %xmm5, 176(%rsp)\n"
" movq %xmm6, 192(%rsp)\n"
" movq %xmm7, 208(%rsp)\n"
" movq %xmm8, 224(%rsp)\n"
" movq %xmm9, 240(%rsp)\n"
" movq %xmm10, 256(%rsp)\n"
" movq %xmm11, 272(%rsp)\n"
" movq %xmm12, 288(%rsp)\n"
" movq %xmm13, 304(%rsp)\n"
" movq %xmm14, 320(%rsp)\n"
" movq %xmm15, 336(%rsp)\n"
"\n"
" /* Map SHM, jumping to __afl_setup_abort if something goes wrong. */\n"
"\n"
" /* The 64-bit ABI requires 16-byte stack alignment. We'll keep the\n"
" original stack ptr in the callee-saved r12. */\n"
"\n"
" pushq %r12\n"
" movq %rsp, %r12\n"
" subq $16, %rsp\n"
" andq $0xfffffffffffffff0, %rsp\n"
"\n"
" leaq .AFL_SHM_ENV(%rip), %rdi\n"
CALL_L64("getenv")
"\n"
" testq %rax, %rax\n"
" je __afl_setup_abort\n"
"\n"
" movq %rax, %rdi\n"
CALL_L64("atoi")
"\n"
" xorq %rdx, %rdx /* shmat flags */\n"
" xorq %rsi, %rsi /* requested addr */\n"
" movq %rax, %rdi /* SHM ID */\n"
CALL_L64("shmat")
"\n"
" cmpq $-1, %rax\n"
" je __afl_setup_abort\n"
"\n"
" /* Store the address of the SHM region. */\n"
"\n"
" movq %rax, %rdx\n"
" movq %rax, __afl_area_ptr(%rip)\n"
"\n"
#ifdef __APPLE__
" movq %rax, __afl_global_area_ptr(%rip)\n"
#else
" movq __afl_global_area_ptr@GOTPCREL(%rip), %rdx\n"
" movq %rax, (%rdx)\n"
#endif /* ^__APPLE__ */
" movq %rax, %rdx\n"
"\n"
"__afl_forkserver:\n"
"\n"
" /* Enter the fork server mode to avoid the overhead of execve() calls. We\n"
" push rdx (area ptr) twice to keep stack alignment neat. */\n"
"\n"
" pushq %rdx\n"
" pushq %rdx\n"
"\n"
" /* Phone home and tell the parent that we're OK. (Note that signals with\n"
" no SA_RESTART will mess it up). If this fails, assume that the fd is\n"
" closed because we were execve()d from an instrumented binary, or because\n"
" the parent doesn't want to use the fork server. */\n"
"\n"
" movq $4, %rdx /* length */\n"
" leaq __afl_temp(%rip), %rsi /* data */\n"
" movq $" STRINGIFY(FORKSRV_TO_FUZZER) ", %rdi /* file desc */\n"
CALL_L64("write")
"\n"
" cmpq $4, %rax\n"
" jne __afl_fork_resume\n"
"\n"
"__afl_fork_wait_loop:\n"
"\n"
" /* Wait for parent FORK_RUN command by reading from the pipe. Abort if read fails. */\n"
"\n"
" movq $1, %rdx /* length */\n"
" leaq __afl_temp(%rip), %rsi /* data */\n"
" movq $" STRINGIFY(FUZZER_TO_FORKSRV) ", %rdi /* file desc */\n"
CALL_L64("read")
" cmpq $1, %rax\n"
" jne __afl_die\n"
" movb __afl_temp(%rip), %al\n"
" cmpb $" STRINGIFY(FORK_RUN) ", %al\n"
" jne __afl_die\n"
"\n"
" /* Once woken up, create a clone of our process. This is an excellent use\n"
" case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedly\n"
" caches getpid() results and offers no way to update the value, breaking\n"
" abort(), raise(), and a bunch of other things :-( */\n"
"\n"
CALL_L64("fork")
" cmpq $0, %rax\n"
" jl __afl_die\n"
" je __afl_fork_resume\n"
"\n"
" /* In parent process: write PID to pipe, then wait for child. */\n"
"\n"
" movl %eax, __afl_fork_pid(%rip)\n"
"\n"
" movq $4, %rdx /* length */\n"
" leaq __afl_fork_pid(%rip), %rsi /* data */\n"
" movq $" STRINGIFY(FORKSRV_TO_FUZZER) ", %rdi /* file desc */\n"
CALL_L64("write")
"\n"
" /* Wait for the GET_STATUS command by reading from the pipe. Abort if read fails. */\n"
"\n"
" movq $1, %rdx /* length */\n"
" leaq __afl_temp(%rip), %rsi /* data */\n"
" movq $" STRINGIFY(FUZZER_TO_FORKSRV) ", %rdi /* file desc */\n"
CALL_L64("read")
" cmpq $1, %rax\n"
" jne __afl_die\n"
" movb __afl_temp(%rip), %al\n"
" cmpb $" STRINGIFY(GET_STATUS) ", %al\n"
" jne __afl_die\n"
"\n"
" movq $0, %rdx /* no flags */\n"
" leaq __afl_temp(%rip), %rsi /* status */\n"
" movq __afl_fork_pid(%rip), %rdi /* PID */\n"
CALL_L64("waitpid")
" cmpq $0, %rax\n"
" jle __afl_die\n"
"\n"
" /* Relay wait status to pipe, then loop back. */\n"
"\n"
" movq $4, %rdx /* length */\n"
" leaq __afl_temp(%rip), %rsi /* data */\n"
" movq $" STRINGIFY(FORKSRV_TO_FUZZER) ", %rdi /* file desc */\n"
CALL_L64("write")
"\n"
" jmp __afl_fork_wait_loop\n"
"\n"
"__afl_fork_resume:\n"
"\n"
" /* In child process: close fds, resume execution. */\n"
"\n"
" movq $" STRINGIFY(FUZZER_TO_FORKSRV) ", %rdi\n"
CALL_L64("close")
"\n"
" movq $" STRINGIFY(FORKSRV_TO_FUZZER) ", %rdi\n"
CALL_L64("close")
"\n"
" popq %rdx\n"
" popq %rdx\n"
"\n"
" movq %r12, %rsp\n"
" popq %r12\n"
"\n"
" movq 0(%rsp), %rax\n"
" movq 8(%rsp), %rcx\n"
" movq 16(%rsp), %rdi\n"
" movq 32(%rsp), %rsi\n"
" movq 40(%rsp), %r8\n"
" movq 48(%rsp), %r9\n"
" movq 56(%rsp), %r10\n"
" movq 64(%rsp), %r11\n"
"\n"
" movq 96(%rsp), %xmm0\n"
" movq 112(%rsp), %xmm1\n"
" movq 128(%rsp), %xmm2\n"
" movq 144(%rsp), %xmm3\n"
" movq 160(%rsp), %xmm4\n"
" movq 176(%rsp), %xmm5\n"
" movq 192(%rsp), %xmm6\n"
" movq 208(%rsp), %xmm7\n"
" movq 224(%rsp), %xmm8\n"
" movq 240(%rsp), %xmm9\n"
" movq 256(%rsp), %xmm10\n"
" movq 272(%rsp), %xmm11\n"
" movq 288(%rsp), %xmm12\n"
" movq 304(%rsp), %xmm13\n"
" movq 320(%rsp), %xmm14\n"
" movq 336(%rsp), %xmm15\n"
"\n"
" leaq 352(%rsp), %rsp\n"
"\n"
" jmp __afl_store\n"
"\n"
"__afl_die:\n"
"\n"
" xorq %rax, %rax\n"
CALL_L64("_exit")
"\n"
"__afl_setup_abort:\n"
"\n"
" /* Record setup failure so that we don't keep calling\n"
" shmget() / shmat() over and over again. */\n"
"\n"
" incb __afl_setup_failure(%rip)\n"
"\n"
" movq %r12, %rsp\n"
" popq %r12\n"
"\n"
" movq 0(%rsp), %rax\n"
" movq 8(%rsp), %rcx\n"
" movq 16(%rsp), %rdi\n"
" movq 32(%rsp), %rsi\n"
" movq 40(%rsp), %r8\n"
" movq 48(%rsp), %r9\n"
" movq 56(%rsp), %r10\n"
" movq 64(%rsp), %r11\n"
"\n"
" movq 96(%rsp), %xmm0\n"
" movq 112(%rsp), %xmm1\n"
" movq 128(%rsp), %xmm2\n"
" movq 144(%rsp), %xmm3\n"
" movq 160(%rsp), %xmm4\n"
" movq 176(%rsp), %xmm5\n"
" movq 192(%rsp), %xmm6\n"
" movq 208(%rsp), %xmm7\n"
" movq 224(%rsp), %xmm8\n"
" movq 240(%rsp), %xmm9\n"
" movq 256(%rsp), %xmm10\n"
" movq 272(%rsp), %xmm11\n"
" movq 288(%rsp), %xmm12\n"
" movq 304(%rsp), %xmm13\n"
" movq 320(%rsp), %xmm14\n"
" movq 336(%rsp), %xmm15\n"
"\n"
" leaq 352(%rsp), %rsp\n"
"\n"
" jmp __afl_return\n"
"\n"
".AFL_VARS:\n"
"\n"
#ifdef __APPLE__
" .comm __afl_area_ptr, 8\n"
#ifndef COVERAGE_ONLY
" .comm __afl_prev_loc, 8\n"
#endif /* !COVERAGE_ONLY */
" .comm __afl_fork_pid, 4\n"
" .comm __afl_temp, 4\n"
" .comm __afl_setup_failure, 1\n"
#else
" .lcomm __afl_area_ptr, 8\n"
#ifndef COVERAGE_ONLY
" .lcomm __afl_prev_loc, 8\n"
#endif /* !COVERAGE_ONLY */
" .lcomm __afl_fork_pid, 4\n"
" .lcomm __afl_temp, 4\n"
" .lcomm __afl_setup_failure, 1\n"
#endif /* ^__APPLE__ */
" .comm __afl_global_area_ptr, 8, 8\n"
"\n"
".AFL_SHM_ENV:\n"
" .asciz \"" SHM_ENV_VAR "\"\n"
"\n"
"/* --- END --- */\n"
"\n";
#endif /* !_HAVE_AFL_AS_H */
================================================
FILE: afl_progs/afl-gcc.c
================================================
/*
american fuzzy lop - wrapper for GCC and clang
----------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com>
Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This program is a drop-in replacement for GCC or clang. The most common way
of using it is to pass the path to afl-gcc or afl-clang via CC when invoking
./configure.
(Of course, use CXX and point it to afl-g++ / afl-clang++ for C++ code.)
The wrapper needs to know the path to afl-as (renamed to 'as'). The default
is /usr/local/lib/afl/. A convenient way to specify alternative directories
would be to set AFL_PATH.
If AFL_HARDEN is set, the wrapper will compile the target app with various
hardening options that may help detect memory management issues more
reliably. You can also specify AFL_USE_ASAN to enable ASAN.
If you want to call a non-default compiler as a next step of the chain,
specify its location via AFL_CC or AFL_CXX.
*/
#define AFL_MAIN
#include "config.h"
#include "types.h"
#include "debug.h"
#include "alloc-inl.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
static u8* as_path; /* Path to the AFL 'as' wrapper */
static u8** cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
static u8 be_quiet, /* Quiet mode */
clang_mode; /* Invoked as afl-clang*? */
/* Try to find our "fake" GNU assembler in AFL_PATH or at the location derived
from argv[0]. If that fails, abort. */
static void find_as(u8* argv0) {
u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp;
if (afl_path) {
tmp = alloc_printf("%s/as", afl_path);
if (!access(tmp, X_OK)) {
as_path = afl_path;
ck_free(tmp);
return;
}
ck_free(tmp);
}
slash = strrchr(argv0, '/');
if (slash) {
u8 *dir;
*slash = 0;
dir = ck_strdup(argv0);
*slash = '/';
tmp = alloc_printf("%s/afl-as", dir);
if (!access(tmp, X_OK)) {
as_path = dir;
ck_free(tmp);
return;
}
ck_free(tmp);
ck_free(dir);
}
if (!access(AFL_PATH "/as", X_OK)) {
as_path = AFL_PATH;
return;
}
FATAL("Unable to find AFL wrapper binary for 'as'. Please set AFL_PATH");
}
/* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) {
u8 fortify_set = 0, asan_set = 0;
u8 *name;
#if defined(__FreeBSD__) && defined(__x86_64__)
u8 m32_set = 0;
#endif
cc_params = ck_alloc((argc + 128) * sizeof(u8*));
name = strrchr(argv[0], '/');
if (!name) name = argv[0]; else name++;
if (!strncmp(name, "afl-clang", 9)) {
clang_mode = 1;
setenv(CLANG_ENV_VAR, "1", 1);
if (!strcmp(name, "afl-clang++")) {
u8* alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
} else {
u8* alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
}
} else {
/* With GCJ and Eclipse installed, you can actually compile Java! The
instrumentation will work (amazingly). Alas, unhandled exceptions do
not call abort(), so afl-fuzz would need to be modified to equate
non-zero exit codes with crash conditions when working with Java
binaries. Meh. */
#ifdef __APPLE__
if (!strcmp(name, "afl-g++")) cc_params[0] = getenv("AFL_CXX");
else if (!strcmp(name, "afl-gcj")) cc_params[0] = getenv("AFL_GCJ");
else cc_params[0] = getenv("AFL_CC");
if (!cc_params[0]) {
SAYF("\n" cLRD "[-] " cRST
"On Apple systems, 'gcc' is usually just a wrapper for clang. Please use the\n"
" 'afl-clang' utility instead of 'afl-gcc'. If you really have GCC installed,\n"
" set AFL_CC or AFL_CXX to specify the correct path to that compiler.\n");
FATAL("AFL_CC or AFL_CXX required on MacOS X");
}
#else
if (!strcmp(name, "afl-g++")) {
u8* alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"g++";
} else if (!strcmp(name, "afl-gcj")) {
u8* alt_cc = getenv("AFL_GCJ");
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcj";
} else {
u8* alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"gcc";
}
#endif /* __APPLE__ */
}
while (--argc) {
u8* cur = *(++argv);
if (!strncmp(cur, "-B", 2)) {
if (!be_quiet) WARNF("-B is already set, overriding");
if (!cur[2] && argc > 1) { argc--; argv++; }
continue;
}
if (!strcmp(cur, "-integrated-as")) continue;
if (!strcmp(cur, "-pipe")) continue;
#if defined(__FreeBSD__) && defined(__x86_64__)
if (!strcmp(cur, "-m32")) m32_set = 1;
#endif
if (!strcmp(cur, "-fsanitize=address") ||
!strcmp(cur, "-fsanitize=memory")) asan_set = 1;
if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
cc_params[cc_par_cnt++] = cur;
}
cc_params[cc_par_cnt++] = "-B";
cc_params[cc_par_cnt++] = as_path;
if (clang_mode)
cc_params[cc_par_cnt++] = "-no-integrated-as";
if (getenv("AFL_HARDEN")) {
cc_params[cc_par_cnt++] = "-fstack-protector-all";
if (!fortify_set)
cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
}
if (asan_set) {
/* Pass this on to afl-as to adjust map density. */
setenv("AFL_USE_ASAN", "1", 1);
} else if (getenv("AFL_USE_ASAN")) {
if (getenv("AFL_USE_MSAN"))
FATAL("ASAN and MSAN are mutually exclusive");
if (getenv("AFL_HARDEN"))
FATAL("ASAN and AFL_HARDEN are mutually exclusive");
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=address";
} else if (getenv("AFL_USE_MSAN")) {
if (getenv("AFL_USE_ASAN"))
FATAL("ASAN and MSAN are mutually exclusive");
if (getenv("AFL_HARDEN"))
FATAL("MSAN and AFL_HARDEN are mutually exclusive");
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=memory";
}
if (!getenv("AFL_DONT_OPTIMIZE")) {
#if defined(__FreeBSD__) && defined(__x86_64__)
/* On 64-bit FreeBSD systems, clang -g -m32 is broken, but -m32 itself
works OK. This has nothing to do with us, but let's avoid triggering
that bug. */
if (!clang_mode || !m32_set)
cc_params[cc_par_cnt++] = "-g";
#else
cc_params[cc_par_cnt++] = "-g";
#endif
cc_params[cc_par_cnt++] = "-O3";
cc_params[cc_par_cnt++] = "-funroll-loops";
/* Two indicators that you're building for fuzzing; one of them is
AFL-specific, the other is shared with libfuzzer. */
cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
}
if (getenv("AFL_NO_BUILTIN")) {
cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
}
cc_params[cc_par_cnt] = NULL;
}
/* Main entry point */
int main(int argc, char** argv) {
if (isatty(2) && !getenv("AFL_QUIET")) {
SAYF(cCYA "afl-cc " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
} else be_quiet = 1;
if (argc < 2) {
SAYF("\n"
"This is a helper application for afl-fuzz. It serves as a drop-in replacement\n"
"for gcc or clang, letting you recompile third-party code with the required\n"
"runtime instrumentation. A common use pattern would be one of the following:\n\n"
" CC=%s/afl-gcc ./configure\n"
" CXX=%s/afl-g++ ./configure\n\n"
"You can specify custom next-stage toolchain via AFL_CC, AFL_CXX, and AFL_AS.\n"
"Setting AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
BIN_PATH, BIN_PATH);
exit(1);
}
find_as(argv[0]);
edit_params(argc, argv);
execvp(cc_params[0], (char**)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
return 0;
}
================================================
FILE: afl_progs/afl-showmap.c
================================================
/*
american fuzzy lop - map display utility
----------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com>
Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
A very simple tool that runs the targeted binary and displays
the contents of the trace bitmap in a human-readable form. Useful in
scripts to eliminate redundant inputs and perform other checks.
Exit code is 2 if the target program crashes; 1 if it times out or
there is a problem executing it; or 0 if execution is successful.
*/
#define AFL_MAIN
#include "config.h"
#include "types.h"
#include "debug.h"
#include "alloc-inl.h"
#include "hash.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <signal.h>
#include <dirent.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/resource.h>
static s32 child_pid; /* PID of the tested program */
static u8* trace_bits; /* SHM with instrumentation bitmap */
static u8 *out_file, /* Trace output file */
*doc_path, /* Path to docs */
*target_path, /* Path to target binary */
*at_file; /* Substitution string for @@ */
static u32 exec_tmout; /* Exec timeout (ms) */
static u64 mem_limit = MEM_LIMIT; /* Memory limit (MB) */
static s32 shm_id; /* ID of the SHM region */
static u8 quiet_mode, /* Hide non-essential messages? */
edges_only, /* Ignore hit counts? */
cmin_mode, /* Generate output in afl-cmin mode? */
binary_mode, /* Write output as a binary map */
keep_cores; /* Allow coredumps? */
static volatile u8
stop_soon, /* Ctrl-C pressed? */
child_timed_out, /* Child timed out? */
child_crashed; /* Child crashed? */
/* Classify tuple counts. Instead of mapping to individual bits, as in
afl-fuzz.c, we map to more user-friendly numbers between 1 and 8. */
static const u8 count_class_human[256] = {
[0] = 0,
[1] = 1,
[2] = 2,
[3] = 3,
[4 ... 7] = 4,
[8 ... 15] = 5,
[16 ... 31] = 6,
[32 ... 127] = 7,
[128 ... 255] = 8
};
static const u8 count_class_binary[256] = {
[0] = 0,
[1] = 1,
[2] = 2,
[3] = 4,
[4 ... 7] = 8,
[8 ... 15] = 16,
[16 ... 31] = 32,
[32 ... 127] = 64,
[128 ... 255] = 128
};
static void classify_counts(u8* mem, const u8* map) {
u32 i = MAP_SIZE;
if (edges_only) {
while (i--) {
if (*mem) *mem = 1;
mem++;
}
} else {
while (i--) {
*mem = map[*mem];
mem++;
}
}
}
/* Get rid of shared memory (atexit handler). */
static void remove_shm(void) {
shmctl(shm_id, IPC_RMID, NULL);
}
/* Configure shared memory. */
static void setup_shm(void) {
u8* shm_str;
shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);
if (shm_id < 0) PFATAL("shmget() failed");
atexit(remove_shm);
shm_str = alloc_printf("%d", shm_id);
setenv(SHM_ENV_VAR, shm_str, 1);
ck_free(shm_str);
trace_bits = shmat(shm_id, NULL, 0);
if (!trace_bits) PFATAL("shmat() failed");
}
/* Write results. */
static u32 write_results(void) {
s32 fd;
u32 i, ret = 0;
u8 cco = !!getenv("AFL_CMIN_CRASHES_ONLY"),
caa = !!getenv("AFL_CMIN_ALLOW_ANY");
if (!strncmp(out_file, "/dev/", 5)) {
fd = open(out_file, O_WRONLY, 0600);
if (fd < 0) PFATAL("Unable to open '%s'", out_file);
} else if (!strcmp(out_file, "-")) {
fd = dup(1);
if (fd < 0) PFATAL("Unable to open stdout");
} else {
unlink(out_file); /* Ignore errors */
fd = open(out_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
if (fd < 0) PFATAL("Unable to create '%s'", out_file);
}
if (binary_mode) {
for (i = 0; i < MAP_SIZE; i++)
if (trace_bits[i]) ret++;
ck_write(fd, trace_bits, MAP_SIZE, out_file);
close(fd);
} else {
FILE* f = fdopen(fd, "w");
if (!f) PFATAL("fdopen() failed");
for (i = 0; i < MAP_SIZE; i++) {
if (!trace_bits[i]) continue;
ret++;
if (cmin_mode) {
if (child_timed_out) break;
if (!caa && child_crashed != cco) break;
fprintf(f, "%u%u\n", trace_bits[i], i);
} else fprintf(f, "%06u:%u\n", i, trace_bits[i]);
}
fclose(f);
}
return ret;
}
/* Handle timeout signal. */
static void handle_timeout(int sig) {
child_timed_out = 1;
if (child_pid > 0) kill(child_pid, SIGKILL);
}
/* Execute target application. */
static void run_target(char** argv) {
static struct itimerval it;
int status = 0;
if (!quiet_mode)
SAYF("-- Program output begins --\n" cRST);
MEM_BARRIER();
child_pid = fork();
if (child_pid < 0) PFATAL("fork() failed");
if (!child_pid) {
struct rlimit r;
if (quiet_mode) {
s32 fd = open("/dev/null", O_RDWR);
if (fd < 0 || dup2(fd, 1) < 0 || dup2(fd, 2) < 0) {
*(u32*)trace_bits = EXEC_FAIL_SIG;
PFATAL("Descriptor initialization failed");
}
close(fd);
}
if (mem_limit) {
r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20;
#ifdef RLIMIT_AS
setrlimit(RLIMIT_AS, &r); /* Ignore errors */
#else
setrlimit(RLIMIT_DATA, &r); /* Ignore errors */
#endif /* ^RLIMIT_AS */
}
if (!keep_cores) r.rlim_max = r.rlim_cur = 0;
else r.rlim_max = r.rlim_cur = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &r); /* Ignore errors */
if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0);
setsid();
execv(target_path, argv);
*(u32*)trace_bits = EXEC_FAIL_SIG;
exit(0);
}
/* Configure timeout, wait for child, cancel timeout. */
if (exec_tmout) {
child_timed_out = 0;
it.it_value.tv_sec = (exec_tmout / 1000);
it.it_value.tv_usec = (exec_tmout % 1000) * 1000;
}
setitimer(ITIMER_REAL, &it, NULL);
if (waitpid(child_pid, &status, 0) <= 0) FATAL("waitpid() failed");
child_pid = 0;
it.it_value.tv_sec = 0;
it.it_value.tv_usec = 0;
setitimer(ITIMER_REAL, &it, NULL);
MEM_BARRIER();
/* Clean up bitmap, analyze exit condition, etc. */
if (*(u32*)trace_bits == EXEC_FAIL_SIG)
FATAL("Unable to execute '%s'", argv[0]);
classify_counts(trace_bits, binary_mode ?
count_class_binary : count_class_human);
if (!quiet_mode)
SAYF(cRST "-- Program output ends --\n");
if (!child_timed_out && !stop_soon && WIFSIGNALED(status))
child_crashed = 1;
if (!quiet_mode) {
if (child_timed_out)
SAYF(cLRD "\n+++ Program timed off +++\n" cRST);
else if (stop_soon)
SAYF(cLRD "\n+++ Program aborted by user +++\n" cRST);
else if (child_crashed)
SAYF(cLRD "\n+++ Program killed by signal %u +++\n" cRST, WTERMSIG(status));
}
}
/* Handle Ctrl-C and the like. */
static void handle_stop_sig(int sig) {
stop_soon = 1;
if (child_pid > 0) kill(child_pid, SIGKILL);
}
/* Do basic preparations - persistent fds, filenames, etc. */
static void set_up_environment(void) {
setenv("ASAN_OPTIONS", "abort_on_error=1:"
"detect_leaks=0:"
"symbolize=0:"
"allocator_may_return_null=1", 0);
setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
"symbolize=0:"
"abort_on_error=1:"
"allocator_may_return_null=1:"
"msan_track_origins=0", 0);
if (getenv("AFL_PRELOAD")) {
setenv("LD_PRELOAD", getenv("AFL_PRELOAD"), 1);
setenv("DYLD_INSERT_LIBRARIES", getenv("AFL_PRELOAD"), 1);
}
}
/* Setup signal handlers, duh. */
static void setup_signal_handlers(void) {
struct sigaction sa;
sa.sa_handler = NULL;
sa.sa_flags = SA_RESTART;
sa.sa_sigaction = NULL;
sigemptyset(&sa.sa_mask);
/* Various ways of saying "stop". */
sa.sa_handler = handle_stop_sig;
sigaction(SIGHUP, &sa, NULL);
sigaction(SIGINT, &sa, NULL);
sigaction(SIGTERM, &sa, NULL);
/* Exec timeout notifications. */
sa.sa_handler = handle_timeout;
sigaction(SIGALRM, &sa, NULL);
}
/* Detect @@ in args. */
static void detect_file_args(char** argv) {
u32 i = 0;
u8* cwd = getcwd(NULL, 0);
if (!cwd) PFATAL("getcwd() failed");
while (argv[i]) {
u8* aa_loc = strstr(argv[i], "@@");
if (aa_loc) {
u8 *aa_subst, *n_arg;
if (!at_file) FATAL("@@ syntax is not supported by this tool.");
/* Be sure that we're always using fully-qualified paths. */
if (at_file[0] == '/') aa_subst = at_file;
else aa_subst = alloc_printf("%s/%s", cwd, at_file);
/* Construct a replacement argv value. */
*aa_loc = 0;
n_arg = alloc_printf("%s%s%s", argv[i], aa_subst, aa_loc + 2);
argv[i] = n_arg;
*aa_loc = '@';
if (at_file[0] != '/') ck_free(aa_subst);
}
i++;
}
free(cwd); /* not tracked */
}
/* Show banner. */
static void show_banner(void) {
SAYF(cCYA "afl-showmap " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
}
/* Display usage hints. */
static void usage(u8* argv0) {
show_banner();
SAYF("\n%s [ options ] -- /path/to/target_app [ ... ]\n\n"
"Required parameters:\n\n"
" -o file - file to write the trace data to\n\n"
"Execution control settings:\n\n"
" -t msec - timeout for each run (none)\n"
" -m megs - memory limit for child process (%u MB)\n"
" -Q - use binary-only instrumentation (QEMU mode)\n\n"
"Other settings:\n\n"
" -q - sink program's output and don't show messages\n"
" -e - show edge coverage only, ignore hit counts\n"
" -c - allow core dumps\n\n"
"This tool displays raw tuple data captured by AFL instrumentation.\n"
"For additional help, consult %s/README.\n\n" cRST,
argv0, MEM_LIMIT, doc_path);
exit(1);
}
/* Find binary. */
static void find_binary(u8* fname) {
u8* env_path = 0;
struct stat st;
if (strchr(fname, '/') || !(env_path = getenv("PATH"))) {
target_path = ck_strdup(fname);
if (stat(target_path, &st) || !S_ISREG(st.st_mode) ||
!(st.st_mode & 0111) || st.st_size < 4)
FATAL("Program '%s' not found or not executable", fname);
} else {
while (env_path) {
u8 *cur_elem, *delim = strchr(env_path, ':');
if (delim) {
cur_elem = ck_alloc(delim - env_path + 1);
memcpy(cur_elem, env_path, delim - env_path);
delim++;
} else cur_elem = ck_strdup(env_path);
env_path = delim;
if (cur_elem[0])
target_path = alloc_printf("%s/%s", cur_elem, fname);
else
target_path = ck_strdup(fname);
ck_free(cur_elem);
if (!stat(target_path, &st) && S_ISREG(st.st_mode) &&
(st.st_mode & 0111) && st.st_size >= 4) break;
ck_free(target_path);
target_path = 0;
}
if (!target_path) FATAL("Program '%s' not found or not executable", fname);
}
}
/* Fix up argv for QEMU. */
static char** get_qemu_argv(u8* own_loc, char** argv, int argc) {
char** new_argv = ck_alloc(sizeof(char*) * (argc + 4));
u8 *tmp, *cp, *rsl, *own_copy;
/* Workaround for a QEMU stability glitch. */
setenv("QEMU_LOG", "nochain", 1);
memcpy(new_argv + 3, argv + 1, sizeof(char*) * argc);
new_argv[2] = target_path;
new_argv[1] = "--";
/* Now we need to actually find qemu for argv[0]. */
tmp = getenv("AFL_PATH");
if (tmp) {
cp = alloc_printf("%s/afl-qemu-trace", tmp);
if (access(cp, X_OK))
FATAL("Unable to find '%s'", tmp);
target_path = new_argv[0] = cp;
return new_argv;
}
own_copy = ck_strdup(own_loc);
rsl = strrchr(own_copy, '/');
if (rsl) {
*rsl = 0;
cp = alloc_printf("%s/afl-qemu-trace", own_copy);
ck_free(own_copy);
if (!access(cp, X_OK)) {
target_path = new_argv[0] = cp;
return new_argv;
}
} else ck_free(own_copy);
if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace";
return new_argv;
}
FATAL("Unable to find 'afl-qemu-trace'.");
}
/* Main entry point */
int main(int argc, char** argv) {
s32 opt;
u8 mem_limit_given = 0, timeout_given = 0, qemu_mode = 0;
u32 tcnt;
char** use_argv;
doc_path = access(DOC_PATH, F_OK) ? "docs" : DOC_PATH;
while ((opt = getopt(argc,argv,"+o:m:t:A:eqZQbc")) > 0)
switch (opt) {
case 'o':
if (out_file) FATAL("Multiple -o options not supported");
out_file = optarg;
break;
case 'm': {
u8 suffix = 'M';
if (mem_limit_given) FATAL("Multiple -m options not supported");
mem_limit_given = 1;
if (!strcmp(optarg, "none")) {
mem_limit = 0;
break;
}
if (sscanf(optarg, "%llu%c", &mem_limit, &suffix) < 1 ||
optarg[0] == '-') FATAL("Bad syntax used for -m");
switch (suffix) {
case 'T': mem_limit *= 1024 * 1024; break;
case 'G': mem_limit *= 1024; break;
case 'k': mem_limit /= 1024; break;
case 'M': break;
default: FATAL("Unsupported suffix or bad syntax for -m");
}
if (mem_limit < 5) FATAL("Dangerously low value of -m");
if (sizeof(rlim_t) == 4 && mem_limit > 2000)
FATAL("Value of -m out of range on 32-bit systems");
}
break;
case 't':
if (timeout_given) FATAL("Multiple -t options not supported");
timeout_given = 1;
if (strcmp(optarg, "none")) {
exec_tmout = atoi(optarg);
if (exec_tmout < 20 || optarg[0] == '-')
FATAL("Dangerously low value of -t");
}
break;
case 'e':
if (edges_only) FATAL("Multiple -e options not supported");
edges_only = 1;
break;
case 'q':
if (quiet_mode) FATAL("Multiple -q options not supported");
quiet_mode = 1;
break;
case 'Z':
/* This is an undocumented option to write data in the syntax expected
by afl-cmin. Nobody else should have any use for this. */
cmin_mode = 1;
quiet_mode = 1;
break;
case 'A':
/* Another afl-cmin specific feature. */
at_file = optarg;
break;
case 'Q':
if (qemu_mode) FATAL("Multiple -Q options not supported");
if (!mem_limit_given) mem_limit = MEM_LIMIT_QEMU;
qemu_mode = 1;
break;
case 'b':
/* Secret undocumented mode. Writes output in raw binary format
similar to that dumped by afl-fuzz in <out_dir/queue/fuzz_bitmap. */
binary_mode = 1;
break;
case 'c':
if (keep_cores) FATAL("Multiple -c options not supported");
keep_cores = 1;
break;
default:
usage(argv[0]);
}
if (optind == argc || !out_file) usage(argv[0]);
setup_shm();
setup_signal_handlers();
set_up_environment();
find_binary(argv[optind]);
if (!quiet_mode) {
show_banner();
ACTF("Executing '%s'...\n", target_path);
}
detect_file_args(argv + optind);
if (qemu_mode)
use_argv = get_qemu_argv(argv[0], argv + optind, argc - optind);
else
use_argv = argv + optind;
run_target(use_argv);
tcnt = write_results();
if (!quiet_mode) {
if (!tcnt) FATAL("No instrumentation detected" cRST);
OKF("Captured %u tuples in '%s'." cRST, tcnt, out_file);
}
exit(child_crashed * 2 + child_timed_out);
}
================================================
FILE: afl_progs/alloc-inl.h
================================================
/*
american fuzzy lop - error-checking, memory-zeroing alloc routines
------------------------------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com>
Copyright 2013, 2014, 2015 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This allocator is not designed to resist malicious attackers (the canaries
are small and predictable), but provides a robust and portable way to detect
use-after-free, off-by-one writes, stale pointers, and so on.
*/
#ifndef _HAVE_ALLOC_INL_H
#define _HAVE_ALLOC_INL_H
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "config.h"
#include "types.h"
#include "debug.h"
/* User-facing macro to sprintf() to a dynamically allocated buffer. */
#define alloc_printf(_str...) ({ \
u8* _tmp; \
s32 _len = snprintf(NULL, 0, _str); \
if (_len < 0) FATAL("Whoa, snprintf() fails?!"); \
_tmp = ck_alloc(_len + 1); \
snprintf((char*)_tmp, _len + 1, _str); \
_tmp; \
})
/* Macro to enforce allocation limits as a last-resort defense against
integer overflows. */
#define ALLOC_CHECK_SIZE(_s) do { \
if ((_s) > MAX_ALLOC) \
ABORT("Bad alloc request: %u bytes", (_s)); \
} while (0)
/* Macro to check malloc() failures and the like. */
#define ALLOC_CHECK_RESULT(_r, _s) do { \
if (!(_r)) \
ABORT("Out of memory: can't allocate %u bytes", (_s)); \
} while (0)
/* Magic tokens used to mark used / freed chunks. */
#define ALLOC_MAGIC_C1 0xFF00FF00 /* Used head (dword) */
#define ALLOC_MAGIC_F 0xFE00FE00 /* Freed head (dword) */
#define ALLOC_MAGIC_C2 0xF0 /* Used tail (byte) */
/* Positions of guard tokens in relation to the user-visible pointer. */
#define ALLOC_C1(_ptr) (((u32*)(_ptr))[-2])
#define ALLOC_S(_ptr) (((u32*)(_ptr))[-1])
#define ALLOC_C2(_ptr) (((u8*)(_ptr))[ALLOC_S(_ptr)])
#define ALLOC_OFF_HEAD 8
#define ALLOC_OFF_TOTAL (ALLOC_OFF_HEAD + 1)
/* Allocator increments for ck_realloc_block(). */
#define ALLOC_BLK_INC 256
/* Sanity-checking macros for pointers. */
#define CHECK_PTR(_p) do { \
if (_p) { \
if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
ABORT("Use after free."); \
else ABORT("Corrupted head alloc canary."); \
} \
if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
ABORT("Corrupted tail alloc canary."); \
} \
} while (0)
#define CHECK_PTR_EXPR(_p) ({ \
typeof (_p) _tmp = (_p); \
CHECK_PTR(_tmp); \
_tmp; \
})
/* Allocate a buffer, explicitly not zeroing it. Returns NULL for zero-sized
requests. */
static inline void* DFL_ck_alloc_nozero(u32 size) {
void* ret;
if (!size) return NULL;
ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL);
ALLOC_CHECK_RESULT(ret, size);
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
return ret;
}
/* Allocate a buffer, returning zeroed memory. */
static inline void* DFL_ck_alloc(u32 size) {
void* mem;
if (!size) return NULL;
mem = DFL_ck_alloc_nozero(size);
return memset(mem, 0, size);
}
/* Free memory, checking for double free and corrupted heap. When DEBUG_BUILD
is set, the old memory will be also clobbered with 0xFF. */
static inline void DFL_ck_free(void* mem) {
if (!mem) return;
CHECK_PTR(mem);
#ifdef DEBUG_BUILD
/* Catch pointer issues sooner. */
memset(mem, 0xFF, ALLOC_S(mem));
#endif /* DEBUG_BUILD */
ALLOC_C1(mem) = ALLOC_MAGIC_F;
free(mem - ALLOC_OFF_HEAD);
}
/* Re-allocate a buffer, checking for issues and zeroing any newly-added tail.
With DEBUG_BUILD, the buffer is always reallocated to a new addresses and the
old memory is clobbered with 0xFF. */
static inline void* DFL_ck_realloc(void* orig, u32 size) {
void* ret;
u32 old_size = 0;
if (!size) {
DFL_ck_free(orig);
return NULL;
}
if (orig) {
CHECK_PTR(orig);
#ifndef DEBUG_BUILD
ALLOC_C1(orig) = ALLOC_MAGIC_F;
#endif /* !DEBUG_BUILD */
old_size = ALLOC_S(orig);
orig -= ALLOC_OFF_HEAD;
ALLOC_CHECK_SIZE(old_size);
}
ALLOC_CHECK_SIZE(size);
#ifndef DEBUG_BUILD
ret = realloc(orig, size + ALLOC_OFF_TOTAL);
ALLOC_CHECK_RESULT(ret, size);
#else
/* Catch pointer issues sooner: force relocation and make sure that the
original buffer is wiped. */
ret = malloc(size + ALLOC_OFF_TOTAL);
ALLOC_CHECK_RESULT(ret, size);
if (orig) {
memcpy(ret + ALLOC_OFF_HEAD, orig + ALLOC_OFF_HEAD, MIN(size, old_size));
memset(orig + ALLOC_OFF_HEAD, 0xFF, old_size);
ALLOC_C1(orig + ALLOC_OFF_HEAD) = ALLOC_MAGIC_F;
free(orig);
}
#endif /* ^!DEBUG_BUILD */
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
if (size > old_size)
memset(ret + old_size, 0, size - old_size);
return ret;
}
/* Re-allocate a buffer with ALLOC_BLK_INC increments (used to speed up
repeated small reallocs without complicating the user code). */
static inline void* DFL_ck_realloc_block(void* orig, u32 size) {
#ifndef DEBUG_BUILD
if (orig) {
CHECK_PTR(orig);
if (ALLOC_S(orig) >= size) return orig;
size += ALLOC_BLK_INC;
}
#endif /* !DEBUG_BUILD */
return DFL_ck_realloc(orig, size);
}
/* Create a buffer with a copy of a string. Returns NULL for NULL inputs. */
static inline u8* DFL_ck_strdup(u8* str) {
void* ret;
u32 size;
if (!str) return NULL;
size = strlen((char*)str) + 1;
ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL);
ALLOC_CHECK_RESULT(ret, size);
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
return memcpy(ret, str, size);
}
/* Create a buffer with a copy of a memory block. Returns NULL for zero-sized
or NULL inputs. */
static inline void* DFL_ck_memdup(void* mem, u32 size) {
void* ret;
if (!mem || !size) return NULL;
ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL);
ALLOC_CHECK_RESULT(ret, size);
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
return memcpy(ret, mem, size);
}
/* Create a buffer with a block of text, appending a NUL terminator at the end.
Returns NULL for zero-sized or NULL inputs. */
static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
u8* ret;
if (!mem || !size) return NULL;
ALLOC_CHECK_SIZE(size);
ret = malloc(size + ALLOC_OFF_TOTAL + 1);
ALLOC_CHECK_RESULT(ret, size);
ret += ALLOC_OFF_HEAD;
ALLOC_C1(ret) = ALLOC_MAGIC_C1;
ALLOC_S(ret) = size;
ALLOC_C2(ret) = ALLOC_MAGIC_C2;
memcpy(ret, mem, size);
ret[size] = 0;
return ret;
}
#ifndef DEBUG_BUILD
/* In non-debug mode, we just do straightforward aliasing of the above functions
to user-visible names such as ck_alloc(). */
#define ck_alloc DFL_ck_alloc
#define ck_alloc_nozero DFL_ck_alloc_nozero
#define ck_realloc DFL_ck_realloc
#define ck_realloc_block DFL_ck_realloc_block
#define ck_strdup DFL_ck_strdup
#define ck_memdup DFL_ck_memdup
#define ck_memdup_str DFL_ck_memdup_str
#define ck_free DFL_ck_free
#define alloc_report()
#else
/* In debugging mode, we also track allocations to detect memory leaks, and the
flow goes through one more layer of indirection. */
/* Alloc tracking data structures: */
#define ALLOC_BUCKETS 4096
struct TRK_obj {
void *ptr;
char *file, *func;
u32 line;
};
#ifdef AFL_MAIN
struct TRK_obj* TRK[ALLOC_BUCKETS];
u32 TRK_cnt[ALLOC_BUCKETS];
# define alloc_report() TRK_report()
#else
extern struct TRK_obj* TRK[ALLOC_BUCKETS];
extern u32 TRK_cnt[ALLOC_BUCKETS];
# define alloc_report()
#endif /* ^AFL_MAIN */
/* Bucket-assigning function for a given pointer: */
#define TRKH(_ptr) (((((u32)(_ptr)) >> 16) ^ ((u32)(_ptr))) % ALLOC_BUCKETS)
/* Add a new entry to the list of allocated objects. */
static inline void TRK_alloc_buf(void* ptr, const char* file, const char* func,
u32 line) {
u32 i, bucket;
if (!ptr) return;
bucket = TRKH(ptr);
/* Find a free slot in the list of entries for that bucket. */
for (i = 0; i < TRK_cnt[bucket]; i++)
if (!TRK[bucket][i].ptr) {
TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file;
TRK[bucket][i].func = (char*)func;
TRK[bucket][i].line = line;
return;
}
/* No space available - allocate more. */
TRK[bucket] = DFL_ck_realloc_block(TRK[bucket],
(TRK_cnt[bucket] + 1) * sizeof(struct TRK_obj));
TRK[bucket][i].ptr = ptr;
TRK[bucket][i].file = (char*)file;
TRK[bucket][i].func = (char*)func;
TRK[bucket][i].line = line;
TRK_cnt[bucket]++;
}
/* Remove entry from the list of allocated objects. */
static inline void TRK_free_buf(void* ptr, const char* file, const char* func,
u32 line) {
u32 i, bucket;
if (!ptr) return;
bucket = TRKH(ptr);
/* Find the element on the list... */
for (i = 0; i < TRK_cnt[bucket]; i++)
if (TRK[bucket][i].ptr == ptr) {
TRK[bucket][i].ptr = 0;
return;
}
WARNF("ALLOC: Attempt to free non-allocated memory in %s (%s:%u)",
func, file, line);
}
/* Do a final report on all non-deallocated objects. */
static inline void TRK_report(void) {
u32 i, bucket;
fflush(0);
for (bucket = 0; bucket < ALLOC_BUCKETS; bucket++)
for (i = 0; i < TRK_cnt[bucket]; i++)
if (TRK[bucket][i].ptr)
WARNF("ALLOC: Memory never freed, created in %s (%s:%u)",
TRK[bucket][i].func, TRK[bucket][i].file, TRK[bucket][i].line);
}
/* Simple wrappers for non-debugging functions: */
static inline void* TRK_ck_alloc(u32 size, const char* file, const char* func,
u32 line) {
void* ret = DFL_ck_alloc(size);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_realloc(void* orig, u32 size, const char* file,
const char* func, u32 line) {
void* ret = DFL_ck_realloc(orig, size);
TRK_free_buf(orig, file, func, line);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_realloc_block(void* orig, u32 size, const char* file,
const char* func, u32 line) {
void* ret = DFL_ck_realloc_block(orig, size);
TRK_free_buf(orig, file, func, line);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_strdup(u8* str, const char* file, const char* func,
u32 line) {
void* ret = DFL_ck_strdup(str);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_memdup(void* mem, u32 size, const char* file,
const char* func, u32 line) {
void* ret = DFL_ck_memdup(mem, size);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void* TRK_ck_memdup_str(void* mem, u32 size, const char* file,
const char* func, u32 line) {
void* ret = DFL_ck_memdup_str(mem, size);
TRK_alloc_buf(ret, file, func, line);
return ret;
}
static inline void TRK_ck_free(void* ptr, const char* file,
const char* func, u32 line) {
TRK_free_buf(ptr, file, func, line);
DFL_ck_free(ptr);
}
/* Aliasing user-facing names to tracking functions: */
#define ck_alloc(_p1) \
TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
#define ck_alloc_nozero(_p1) \
TRK_ck_alloc(_p1, __FILE__, __FUNCTION__, __LINE__)
#define ck_realloc(_p1, _p2) \
TRK_ck_realloc(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
#define ck_realloc_block(_p1, _p2) \
TRK_ck_realloc_block(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
#define ck_strdup(_p1) \
TRK_ck_strdup(_p1, __FILE__, __FUNCTION__, __LINE__)
#define ck_memdup(_p1, _p2) \
TRK_ck_memdup(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
#define ck_memdup_str(_p1, _p2) \
TRK_ck_memdup_str(_p1, _p2, __FILE__, __FUNCTION__, __LINE__)
#define ck_free(_p1) \
TRK_ck_free(_p1, __FILE__, __FUNCTION__, __LINE__)
#endif /* ^!DEBUG_BUILD */
#endif /* ! _HAVE_ALLOC_INL_H */
================================================
FILE: afl_progs/config.h
================================================
/*
american fuzzy lop - vaguely configurable bits
----------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com>
Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
*/
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H
#include "types.h"
/* Version string: */
#define VERSION "2.52b"
/******************************************************
* *
* Settings that may be of interest to power users: *
* *
******************************************************/
/* Comment out to disable terminal colors (note that this makes afl-analyze
a lot less nice): */
#define USE_COLOR
/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */
#define FANCY_BOXES
/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
also used for detecting hangs; the actual value is auto-scaled: */
#define EXEC_TIMEOUT 1000
/* Timeout rounding factor when auto-scaling (milliseconds): */
#define EXEC_TM_ROUND 20
/* Default memory limit for child process (MB): */
#ifndef __x86_64__
# define MEM_LIMIT 25
#else
# define MEM_LIMIT 50
#endif /* ^!__x86_64__ */
/* Default memory limit when running in QEMU mode (MB): */
#define MEM_LIMIT_QEMU 200
/* Number of calibration cycles per every new test case (and for test
cases that show variable behavior): */
#define CAL_CYCLES 8
#define CAL_CYCLES_LONG 40
/* Number of subsequent timeouts before abandoning an input file: */
#define TMOUT_LIMIT 250
/* Maximum number of unique hangs or crashes to record: */
#define KEEP_UNIQUE_HANG 500
#define KEEP_UNIQUE_CRASH 5000
/* Baseline number of random tweaks during a single 'havoc' stage: */
#define HAVOC_CYCLES 256
#define HAVOC_CYCLES_INIT 1024
/* Maximum multiplier for the above (should be a power of two, beware
of 32-bit int overflows): */
#define HAVOC_MAX_MULT 16
/* Absolute minimum number of havoc cycles (after all adjustments): */
#define HAVOC_MIN 16
/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
like this:
n = random between 1 and HAVOC_STACK_POW2
stacking = 2^n
In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
128 stacked tweaks: */
#define HAVOC_STACK_POW2 7
/* Caps on block sizes for cloning and deletion operations. Each of these
ranges has a 33% probability of getting picked, except for the first
two cycles where smaller blocks are favored: */
#define HAVOC_BLK_SMALL 32
#define HAVOC_BLK_MEDIUM 128
#define HAVOC_BLK_LARGE 1500
/* Extra-large blocks, selected very rarely (<5% of the time): */
#define HAVOC_BLK_XL 32768
/* Probabilities of skipping non-favored entries in the queue, expressed as
percentages: */
#define SKIP_TO_NEW_PROB 99 /* ...when there are new, pending favorites */
#define SKIP_NFAV_OLD_PROB 95 /* ...no new favs, cur entry already fuzzed */
#define SKIP_NFAV_NEW_PROB 75 /* ...no new favs, cur entry not fuzzed yet */
/* Splicing cycle count: */
#define SPLICE_CYCLES 15
/* Nominal per-splice havoc cycle length: */
#define SPLICE_HAVOC 32
/* Maximum offset for integer addition / subtraction stages: */
#define ARITH_MAX 35
/* Limits for the test case trimmer. The absolute minimum chunk size; and
the starting and ending divisors for chopping up the input file: */
#define TRIM_MIN_BYTES 4
#define TRIM_START_STEPS 16
#define TRIM_END_STEPS 1024
/* Maximum size of input file, in bytes (keep under 100MB): */
#define MAX_FILE (1 * 1024 * 1024)
/* The same, for the test case minimizer: */
#define TMIN_MAX_FILE (10 * 1024 * 1024)
/* Block normalization steps for afl-tmin: */
#define TMIN_SET_MIN_SIZE 4
#define TMIN_SET_STEPS 128
/* Maximum dictionary token size (-x), in bytes: */
#define MAX_DICT_FILE 128
/* Length limits for auto-detected dictionary tokens: */
#define MIN_AUTO_EXTRA 3
#define MAX_AUTO_EXTRA 32
/* Maximum number of user-specified dictionary tokens to use in deterministic
steps; past this point, the "extras/user" step will be still carried out,
but with proportionally lower odds: */
#define MAX_DET_EXTRAS 200
/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
(first value), and to keep in memory as candidates. The latter should be much
higher than the former. */
#define USE_AUTO_EXTRAS 50
#define MAX_AUTO_EXTRAS (USE_AUTO_EXTRAS * 10)
/* Scaling factor for the effector map used to skip some of the more
expensive deterministic steps. The actual divisor is set to
2^EFF_MAP_SCALE2 bytes: */
#define EFF_MAP_SCALE2 3
/* Minimum input file length at which the effector logic kicks in: */
#define EFF_MIN_LEN 128
/* Maximum effector density past which everything is just fuzzed
unconditionally (%): */
#define EFF_MAX_PERC 90
/* UI refresh frequency (Hz): */
#define UI_TARGET_HZ 5
/* Fuzzer stats file and plot update intervals (sec): */
#define STATS_UPDATE_SEC 60
#define PLOT_UPDATE_SEC 5
/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */
#define AVG_SMOOTHING 16
/* Sync interval (every n havoc cycles): */
#define SYNC_INTERVAL 5
/* Output directory reuse grace period (minutes): */
#define OUTPUT_GRACE 25
/* Uncomment to use simple file names (id_NNNNNN): */
// #define SIMPLE_FILES
/* List of interesting values to use in fuzzing. */
#define INTERESTING_8 \
-128, /* Overflow signed 8-bit when decremented */ \
-1, /* */ \
0, /* */ \
1, /* */ \
16, /* One-off with common buffer size */ \
32, /* One-off with common buffer size */ \
64, /* One-off with common buffer size */ \
100, /* One-off with common buffer size */ \
127 /* Overflow signed 8-bit when incremented */
#define INTERESTING_16 \
-32768, /* Overflow signed 16-bit when decremented */ \
-129, /* Overflow signed 8-bit */ \
128, /* Overflow signed 8-bit */ \
255, /* Overflow unsig 8-bit when incremented */ \
256, /* Overflow unsig 8-bit */ \
512, /* One-off with common buffer size */ \
1000, /* One-off with common buffer size */ \
1024, /* One-off with common buffer size */ \
4096, /* One-off with common buffer size */ \
32767 /* Overflow signed 16-bit when incremented */
#define INTERESTING_32 \
-2147483648LL, /* Overflow signed 32-bit when decremented */ \
-100663046, /* Large negative number (endian-agnostic) */ \
-32769, /* Overflow signed 16-bit */ \
32768, /* Overflow signed 16-bit */ \
65535, /* Overflow unsig 16-bit when incremented */ \
65536, /* Overflow unsig 16 bit */ \
100663045, /* Large positive number (endian-agnostic) */ \
2147483647 /* Overflow signed 32-bit when incremented */
/***********************************************************
* *
* Really exotic stuff you probably don't want to touch: *
* *
***********************************************************/
/* Call count interval between reseeding the libc PRNG from /dev/urandom: */
#define RESEED_RNG 10000
/* Maximum line length passed from GCC to 'as' and used for parsing
configuration files: */
#define MAX_LINE 8192
/* Environment variable used to pass SHM ID to the called program. */
#define SHM_ENV_VAR "__AFL_SHM_ID"
/* Other less interesting, internal-only variables. */
#define CLANG_ENV_VAR "__AFL_CLANG_MODE"
#define AS_LOOP_ENV_VAR "__AFL_AS_LOOPCHECK"
/* In-code signatures for deferred and persistent mode. */
#define PERSIST_SIG "##SIG_AFL_PERSISTENT##"
#define DEFER_SIG "##SIG_AFL_DEFER_FORKSRV##"
/* Distinctive bitmap signature used to indicate failed execution: */
#define EXEC_FAIL_SIG 0xfee1dead
/* Distinctive exit code used to indicate MSAN trip condition: */
#define MSAN_ERROR 86
/* Designated file descriptors for forkserver commands (the application will
use FORKSRV_FD and FORKSRV_FD + 1): */
#define FORKSRV_FD 198
/* Fork server init timeout multiplier: we'll wait the user-selected
timeout plus this much for the fork server to spin up. */
#define FORK_WAIT_MULT 10
/* Calibration timeout adjustments, to be a bit more generous when resuming
fuzzing sessions or trying to calibrate already-added internal finds.
The first value is a percentage, the other is in milliseconds: */
#define CAL_TMOUT_PERC 125
#define CAL_TMOUT_ADD 50
/* Number of chances to calibrate a case before giving up: */
#define CAL_CHANCES 3
/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
2; you probably want to keep it under 18 or so for performance reasons
(adjusting AFL_INST_RATIO when compiling is probably a better way to solve
problems with complex programs). You need to recompile the target binary
after changing this - otherwise, SEGVs may ensue. */
#define MAP_SIZE_POW2 16
#define MAP_SIZE (1 << MAP_SIZE_POW2)
/* Maximum allocator request size (keep well under INT_MAX): */
#define MAX_ALLOC 0x40000000
/* A made-up hashing seed: */
#define HASH_CONST 0xa5b35705
/* Constants for afl-gotcpu to control busy loop timing: */
#define CTEST_TARGET_MS 5000
#define CTEST_CORE_TRG_MS 1000
#define CTEST_BUSY_CYCLES (10 * 1000 * 1000)
/* Uncomment this to use inferior block-coverage-based instrumentation. Note
that you need to recompile the target binary for this to have any effect: */
// #define COVERAGE_ONLY
/* Uncomment this to ignore hit counts and output just one bit per tuple.
As with the previous setting, you will need to recompile the target
binary: */
// #define SKIP_COUNTS
/* Uncomment this to use instrumentation data to record newly discovered paths,
but do not use them as seeds for fuzzing. This is useful for conveniently
measuring coverage that could be attained by a "dumb" fuzzing algorithm: */
// #define IGNORE_FINDS
#endif /* ! _HAVE_CONFIG_H */
================================================
FILE: afl_progs/debug.h
================================================
/*
american fuzzy lop - debug / error handling macros
--------------------------------------------------
Written and maintained by Michal Zalewski <lcamtuf@google.com>
Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
*/
#ifndef _HAVE_DEBUG_H
#define _HAVE_DEBUG_H
#include <errno.h>
#include "types.h"
#include "config.h"
/*******************
* Terminal colors *
*******************/
#ifdef USE_COLOR
# define cBLK "\x1b[0;30m"
# define cRED "\x1b[0;31m"
# define cGRN "\x1b[0;32m"
# define cBRN "\x1b[0;33m"
# define cBLU "\x1b[0;34m"
# define cMGN "\x1b[0;35m"
# define cCYA "\x1b[0;36m"
# define cLGR "\x1b[0;37m"
# define cGRA "\x1b[1;90m"
# define cLRD "\x1b[1;91m"
# define cLGN "\x1b[1;92m"
# define cYEL "\x1b[1;93m"
# define cLBL "\x1b[1;94m"
# define cPIN "\x1b[1;95m"
# define cLCY "\x1b[1;96m"
# define cBRI "\x1b[1;97m"
# define cRST "\x1b[0m"
# define bgBLK "\x1b[40m"
# define bgRED "\x1b[41m"
# define bgGRN "\x1b[42m"
# define bgBRN "\x1b[43m"
# define bgBLU "\x1b[44m"
# define bgMGN "\x1b[45m"
# define bgCYA "\x1b[46m"
# define bgLGR "\x1b[47m"
# define bgGRA "\x1b[100m"
# define bgLRD "\x1b[101m"
# define bgLGN "\x1b[102m"
# define bgYEL "\x1b[103m"
# define bgLBL "\x1b[104m"
# define bgPIN "\x1b[105m"
# define bgLCY "\x1b[106m"
# define bgBRI "\x1b[107m"
#else
# define cBLK ""
# define cRED ""
# define cGRN ""
# define cBRN ""
# define cBLU ""
# define cMGN ""
# define cCYA ""
# define cLGR ""
# define cGRA ""
# define cLRD ""
# define cLGN ""
# define cYEL ""
# define cLBL ""
# define cPIN ""
# define cLCY ""
# define cBRI ""
# define cRST ""
# define bgBLK ""
# define bgRED ""
# define bgGRN ""
# define bgBRN ""
# define bgBLU ""
# define bgMGN ""
# define bgCYA ""
# define bgLGR ""
# define bgGRA ""
# define bgLRD ""
# define bgLGN ""
# define bgYEL ""
# define bgLBL ""
# define bgPIN ""
# define bgLCY ""
# define bgBRI ""
#endif /* ^USE_COLOR */
/*************************
* Box drawing sequences *
*************************/
#ifdef FANCY_BOXES
# define SET_G1 "\x1b)0" /* Set G1 for box drawing */
# define RESET_G1 "\x1b)B" /* Reset G1 to ASCII */
# define bSTART "\x0e" /* Enter G1 drawing mode */
# define bSTOP "\x0f" /* Leave G1 drawing mode */
# define bH "q" /* Horizontal line */
# define bV "x" /* Vertical line */
# define bLT "l" /* Left top corner */
# define bRT "k" /* Right top corner */
# define bLB "m" /* Left bottom corner */
# define bRB "j" /* Right bottom corner */
# define bX "n" /* Cross */
# define bVR "t" /* Vertical, branch right */
# define bVL "u" /* Vertical, branch left */
# define bHT "v" /* Horizontal, branch top */
# define bHB "w" /* Horizontal, branch bottom */
#else
# define SET_G1 ""
# define RESET_G1 ""
# define bSTART ""
# define bSTOP ""
# define bH "-"
# define bV "|"
# define bLT "+"
# define bRT "+"
# define bLB "+"
# define bRB "+"
# define bX "+"
# define bVR "+"
# define bVL "+"
# define bHT "+"
# define bHB "+"
#endif /* ^FANCY_BOXES */
/***********************
* Misc terminal codes *
***********************/
#define TERM_HOME "\x1b[H"
#define TERM_CLEAR TERM_HOME "\x1b[2J"
#define cEOL "\x1b[0K"
#define CURSOR_HIDE "\x1b[?25l"
#define CURSOR_SHOW "\x1b[?25h"
/************************
* Debug & error macros *
************************/
/* Just print stuff to the appropriate stream. */
#ifdef MESSAGES_TO_STDOUT
# define SAYF(x...) printf(x)
#else
# define SAYF(x...) fprintf(stderr, x)
#endif /* ^MESSAGES_TO_STDOUT */
/* Show a prefixed warning. */
#define WARNF(x...) do { \
SAYF(cYEL "[!] " cBRI "WARNING: " cRST x); \
SAYF(cRST "\n"); \
} while (0)
/* Show a prefixed "doing something" message. */
#define ACTF(x...) do { \
SAYF(cLBL "[*] " cRST x); \
SAYF(cRST "\n"); \
} while (0)
/* Show a prefixed "success" message. */
#define OKF(x...) do { \
SAYF(cLGN "[+] " cRST x); \
SAYF(cRST "\n"); \
} while (0)
/* Show a prefixed fatal error message (not used in afl). */
#define BADF(x...) do { \
SAYF(cLRD "\n[-] " cRST x); \
SAYF(cRST "\n"); \
} while (0)
/* Die with a verbose non-OS fatal error message. */
#define FATAL(x...) do { \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
cBRI x); \
SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", \
__FUNCTION__, __FILE__, __LINE__); \
exit(1); \
} while (0)
/* Die by calling abort() to provide a core dump. */
#define ABORT(x...) do { \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] PROGRAM ABORT : " \
cBRI x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", \
__FUNCTION__, __FILE__, __LINE__); \
abort(); \
} while (0)
/* Die while also including the output of perror(). */
#define PFATAL(x...) do { \
fflush(stdout); \
SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD "\n[-] SYSTEM ERROR : " \
cBRI x); \
SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", \
__FUNCTION__, __FILE__, __LINE__); \
SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \
exit(1); \
} while (0)
/* Die with FAULT() or PFAULT() depending on the value of res (used to
interpret different failure modes for read(), write(), etc). */
#define RPFATAL(res, x...) do { \
if (res < 0) PFATAL(x); else FATAL(x); \
} while (0)
/* Error-checking versions of read() and write() that call RPFATAL() as
appropriate. */
#define ck_write(fd, buf, len, fn) do { \
u32 _len = (len); \
s32 _res = write(fd, buf, _len); \
if (_res != _len) RPFATAL(_res, "Short write to %s", fn); \
} while (0)
#define ck_read(fd, buf, len, fn) do { \
u32 _len = (len); \
s32 _res = read(fd, buf, _len); \
if (_res != _len) RPFATAL(_res, "Short read from %s", fn); \
} while (0)
#endif /* ! _HAVE_DEBUG_H */
================================================
FILE: afl_progs/hash.h
================================================
/*
american fuzzy lop - hashing function
-------------------------------------
The hash32() function is a variant of MurmurHash3, a good
non-cryptosafe hashing function developed by Austin Appleby.
For simplicity, this variant does *NOT* accept buffer lengths
that are not divisible by 8 bytes. The 32-bit version is otherwise
similar to the original; the 64-bit one is a custom hack with
mostly-unproven properties.
Austin's original code is public domain.
Other code written and maintained by Michal Zalewski <lcamtuf@google.com>
Copyright 2016 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
*/
#ifndef _HAVE_HASH_H
#define _HAVE_HASH_H
#include "types.h"
#ifdef __x86_64__
#define ROL64(_x, _r) ((((u64)(_x)) << (_r)) | (((u64)(_x)) >> (64 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) {
const u64* data = (u64*)key;
u64 h1 = seed ^ len;
len >>= 3;
while (len--) {
u64 k1 = *data++;
k1 *= 0x87c37b91114253d5ULL;
k1 = ROL64(k1, 31);
k1 *= 0x4cf5ad432745937fULL;
h1 ^= k1;
h1 = ROL64(h1, 27);
h1 = h1 * 5 + 0x52dce729;
}
h1 ^= h1 >> 33;
h1 *= 0xff51afd7ed558ccdULL;
h1 ^= h1 >> 33;
h1 *= 0xc4ceb9fe1a85ec53ULL;
h1 ^= h1 >> 33;
return h1;
}
#else
#define ROL32(_x, _r) ((((u32)(_x)) << (_r)) | (((u32)(_x)) >> (32 - (_r))))
static inline u32 hash32(const void* key, u32 len, u32 seed) {
const u32* data = (u32*)key;
u32 h1 = seed ^ len;
len >>= 2;
while (len--) {
u32 k1 = *data++;
k1 *= 0xcc9e2d51;
k1 = ROL32(k1, 15);
k1 *= 0x1b873593;
h1 ^= k1;
h1 = ROL32(h1, 13);
h1 = h1 * 5 + 0xe6546b64;
}
h1 ^= h1 >> 16;
h1 *= 0x85ebca6b;
h1 ^= h1 >> 13;
h1 *= 0xc2b2ae35;
h1 ^= h1 >> 16;
return h1;
}
#endif /* ^__x86_64__ */
#endif /* !_HAVE_HASH_H */
================================================
FILE: afl_progs/llvm_mode/Makefile
================================================
#
# american fuzzy lop - LLVM instrumentation
# -----------------------------------------
#
# Written by Laszlo Szekeres <lszekeres@google.com> and
# Michal Zalewski <lcamtuf@google.com>
#
# LLVM integration design comes from Laszlo Szekeres.
#
# Copyright 2015, 2016 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
PREFIX ?= /usr/local
HELPER_PATH = $(PREFIX)/lib/afl
BIN_PATH = $(PREFIX)/bin
VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
LLVM_CONFIG ?= llvm-config
CFLAGS ?= -O3 -funroll-loops
CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
-DVERSION=\"$(VERSION)\"
ifdef AFL_TRACE_PC
CFLAGS += -DUSE_TRACE_PC=1
endif
CXXFLAGS ?= -O3 -funroll-loops
CXXFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-DVERSION=\"$(VERSION)\" -Wno-variadic-macros
CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS)
# User teor2345 reports that this is required to make things work on MacOS X.
ifeq "$(shell uname)" "Darwin"
CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress
endif
# We were using llvm-config --bindir to get the location of clang, but
# this seems to be busted on some distros, so using the one in $PATH is
# probably better.
ifeq "$(origin CC)" "default"
CC = clang
CXX = clang++
endif
ifndef AFL_TRACE_PC
PROGS = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o
else
PROGS = ../afl-clang-fast ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o
endif
all: test_deps $(PROGS) test_build all_done
test_deps:
ifndef AFL_TRACE_PC
@echo "[*] Checking for working 'llvm-config'..."
@which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo " (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 )
else
@echo "[!] Note: using -fsanitize=trace-pc mode (this will fail with older LLVM)."
endif
@echo "[*] Checking for working '$(CC)'..."
@which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
@echo "[*] Checking for '../afl-showmap'..."
@test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 )
@echo "[+] All set and ready to build."
../afl-clang-fast: afl-clang-fast.c | test_deps
$(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
ln -sf afl-clang-fast ../afl-clang-fast++
../afl-llvm-pass.so: afl-llvm-pass.so.cc | test_deps
$(CXX) $(CLANG_CFL) -shared $< -o $@ $(CLANG_LFL)
../afl-llvm-rt.o: afl-llvm-rt.o.c | test_deps
$(CC) $(CFLAGS) -fPIC -c $< -o $@
../afl-llvm-rt-32.o: afl-llvm-rt.o.c | test_deps
@printf "[*] Building 32-bit variant of the runtime (-m32)... "
@$(CC) $(CFLAGS) -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
../afl-llvm-rt-64.o: afl-llvm-rt.o.c | test_deps
@printf "[*] Building 64-bit variant of the runtime (-m64)... "
@$(CC) $(CFLAGS) -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
test_build: $(PROGS)
@echo "[*] Testing the CC wrapper and instrumentation output..."
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=$(CC) ../afl-clang-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
echo 0 | ../afl-showmap -m none -q -o .test-instr0 ./test-instr
echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
@rm -f test-instr
@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
@echo "[+] All right, the instrumentation seems to be working!"
all_done: test_build
@echo "[+] All done! You can now use '../afl-clang-fast' to compile programs."
.NOTPARALLEL: clean
clean:
rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1
rm -f $(PROGS) ../afl-clang-fast++
================================================
FILE: afl_progs/llvm_mode/README.llvm
================================================
============================================
Fast LLVM-based instrumentation for afl-fuzz
============================================
1) Introduction
---------------
The code in this directory allows you to instrument programs for AFL using
true compiler-level instrumentation, instead of the more crude
assembly-level rewriting approach taken by afl-gcc and afl-clang. This has
several interesting properties:
- The compiler can make many optimizations that are hard to pull off when
manually inserting assembly. As a result, some slow, CPU-bound programs will
run up to around 2x faster.
The gains are less pronounced for fast binaries, where the speed is limited
chiefly by the cost of creating new processes. In such cases, the gain will
probably stay within 10%.
- The instrumentation is CPU-independent. At least in principle, you should
be able to rely on it to fuzz programs on non-x86 architectures (after
building afl-fuzz with AFL_NO_X86=1).
- The instrumentation can cope a bit better with multi-threaded targets.
- Because the feature relies on the internals of LLVM, it is clang-specific
and will *not* work with GCC.
Once this implementation is shown to be sufficiently robust and portable, it
will probably replace afl-clang. For now, it can be built separately and
co-exists with the original code.
The idea and much of the implementation comes from Laszlo Szekeres.
2) How to use
-------------
In order to leverage this mechanism, you need to have clang installed on your
system. You should also make sure that the llvm-config tool is in your path
(or pointed to via LLVM_CONFIG in the environment).
Unfortunately, some systems that do have clang come without llvm-config or the
LLVM development headers; one example of this is FreeBSD. FreeBSD users will
also run into problems with clang being built statically and not being able to
load modules (you'll see "Service unavailable" when loading afl-llvm-pass.so).
To solve all your problems, you can grab pre-built binaries for your OS from:
http://llvm.org/releases/download.html
...and then put the bin/ directory from the tarball at the beginning of your
$PATH when compiling the feature and building packages later on. You don't need
to be root for that.
To build the instrumentation itself, type 'make'. This will generate binaries
called afl-clang-fast and afl-clang-fast++ in the parent directory. Once this
is done, you can instrument third-party code in a way similar to the standard
operating mode of AFL, e.g.:
CC=/path/to/afl/afl-clang-fast ./configure [...options...]
make
Be sure to also include CXX set to afl-clang-fast++ for C++ code.
The tool honors roughly the same environmental variables as afl-gcc (see
../docs/env_variables.txt). This includes AFL_INST_RATIO, AFL_USE_ASAN,
AFL_HARDEN, and AFL_DONT_OPTIMIZE.
Note: if you want the LLVM helper to be installed on your system for all
users, you need to build it before issuing 'make install' in the parent
directory.
3) Gotchas, feedback, bugs
--------------------------
This is an early-stage mechanism, so field reports are welcome. You can send bug
reports to <afl-users@googlegroups.com>.
4) Bonus feature #1: deferred instrumentation
---------------------------------------------
AFL tries to optimize performance by executing the targeted binary just once,
stopping it just before main(), and then cloning this "master" process to get
a steady supply of targets to fuzz.
Although this approach eliminates much of the OS-, linker- and libc-level
costs of executing the program, it does not always help with binaries that
perform other time-consuming initialization steps - say, parsing a large config
file before getting to the fuzzed data.
In such cases, it's beneficial to initialize the forkserver a bit later, once
most of the initialization work is already done, but before the binary attempts
to read the fuzzed input and parse it; in some cases, this can offer a 10x+
performance gain. You can implement delayed initialization in LLVM mode in a
fairly simple way.
First, find a suitable location in the code where the delayed cloning can
take place. This needs to be done with *extreme* care to avoid breaking the
binary. In particular, the program will probably malfunction if you select
a location after:
- The creation of any vital threads or child processes - since the forkserver
can't clone them easily.
- The initialization of timers via setitimer() or equivalent calls.
- The creation of temporary files, network sockets, offset-sensitive file
descriptors, and similar shared-state resources - but only provided that
their state meaningfully influences the behavior of the program later on.
- Any access to the fuzzed input, including reading the metadata about its
size.
With the location selected, add this code in the appropriate spot:
#ifdef __AFL_HAVE_MANUAL_CONTROL
__AFL_INIT();
#endif
You don't need the #ifdef guards, but including them ensures that the program
will keep working normally when compiled with a tool other than afl-clang-fast.
Finally, recompile the program with afl-clang-fast (afl-gcc or afl-clang will
*not* generate a deferred-initialization binary) - and you should be all set!
5) Bonus feature #2: persistent mode
------------------------------------
Some libraries provide APIs that are stateless, or whose state can be reset in
between processing different input files. When such a reset is performed, a
single long-lived process can be reused to try out multiple test cases,
eliminating the need for repeated fork() calls and the associated OS overhead.
The basic structure of the program that does this would be:
while (__AFL_LOOP()) {
/* Read input data. */
/* Call library code to be fuzzed. */
/* Reset state. */
}
/* Exit normally */
The numerical value specified within the loop controls the maximum number
of iterations before AFL will restart the process from scratch. This minimizes
the impact of memory leaks and similar glitches; 1000 is a good starting point,
and going much higher increases the likelihood of hiccups without giving you
any real performance benefits.
A more detailed template is shown in ../experimental/persistent_demo/.
Similarly to the previous mode, the feature works only with afl-clang-fast;
#ifdef guards can be used to suppress it when using other compilers.
Note that as with the previous mode, the feature is easy to misuse; if you
do not fully reset the critical state, you may end up with false positives or
waste a whole lot of CPU power doing nothing useful at all. Be particularly
wary of memory leaks and of the state of file descriptors.
PS. Because there are task switches still involved, the mode isn't as fast as
"pure" in-process fuzzing offered, say, by LLVM's LibFuzzer; but it is a lot
faster than the normal fork() model, and compared to in-process fuzzing,
should be a lot more robust.
6) Bonus feature #3: new 'trace-pc-guard' mode
----------------------------------------------
Recent versions of LLVM are shipping with a built-in execution tracing feature
that provides AFL with the necessary tracing data without the need to
post-process the assembly or install any compiler plugins. See:
http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards
As of this writing, the feature is only available on SVN trunk, and is yet to
make it to an official release of LLVM. Nevertheless, if you have a
sufficiently recent compiler and want to give it a try, build afl-clang-fast
this way:
AFL_TRACE_PC=1 make clean all
Note that this mode is currently about 20% slower than "vanilla" afl-clang-fast,
and about 5-10% slower than afl-clang. This is likely because the
instrumentation is not inlined, and instead involves a function call. On systems
that support it, compiling your target with -flto should help.
================================================
FILE: afl_progs/llvm_mode/afl-clang-fast.c
================================================
/*
american fuzzy lop - LLVM-mode wrapper for clang
------------------------------------------------
Written by Laszlo Szekeres <lszekeres@google.com> and
Michal Zalewski <lcamtuf@google.com>
LLVM integration design comes from Laszlo Szekeres.
Copyright 2015, 2016 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This program is a drop-in replacement for clang, similar in most respects
to ../afl-gcc. It tries to figure out compilation mode, adds a bunch
of flags, and then calls the real compiler.
*/
#define AFL_MAIN
#include "../config.h"
#include "../types.h"
#include "../debug.h"
#include "../alloc-inl.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
static u8* obj_path; /* Path to runtime libraries */
static u8** cc_params; /* Parameters passed to the real CC */
static u32 cc_par_cnt = 1; /* Param count, including argv0 */
/* Try to find the runtime libraries. If that fails, abort. */
static void find_obj(u8* argv0) {
u8 *afl_path = getenv("AFL_PATH");
u8 *slash, *tmp;
if (afl_path) {
tmp = alloc_printf("%s/afl-llvm-rt.o", afl_path);
if (!access(tmp, R_OK)) {
obj_path = afl_path;
ck_free(tmp);
return;
}
ck_free(tmp);
}
slash = strrchr(argv0, '/');
if (slash) {
u8 *dir;
*slash = 0;
dir = ck_strdup(argv0);
*slash = '/';
tmp = alloc_printf("%s/afl-llvm-rt.o", dir);
if (!access(tmp, R_OK)) {
obj_path = dir;
ck_free(tmp);
return;
}
ck_free(tmp);
ck_free(dir);
}
if (!access(AFL_PATH "/afl-llvm-rt.o", R_OK)) {
obj_path = AFL_PATH;
return;
}
FATAL("Unable to find 'afl-llvm-rt.o' or 'afl-llvm-pass.so'. Please set AFL_PATH");
}
/* Copy argv to cc_params, making the necessary edits. */
static void edit_params(u32 argc, char** argv) {
u8 fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0;
u8 *name;
cc_params = ck_alloc((argc + 128) * sizeof(u8*));
name = strrchr(argv[0], '/');
if (!name) name = argv[0]; else name++;
if (!strcmp(name, "afl-clang-fast++")) {
u8* alt_cxx = getenv("AFL_CXX");
cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
} else {
u8* alt_cc = getenv("AFL_CC");
cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
}
/* There are two ways to compile afl-clang-fast. In the traditional mode, we
use afl-llvm-pass.so to inject instrumentation. In the experimental
'trace-pc-guard' mode, we use native LLVM instrumentation callbacks
instead. The latter is a very recent addition - see:
http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards */
#ifdef USE_TRACE_PC
cc_params[cc_par_cnt++] = "-fsanitize-coverage=trace-pc-guard";
cc_params[cc_par_cnt++] = "-mllvm";
cc_params[cc_par_cnt++] = "-sanitizer-coverage-block-threshold=0";
#else
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = "-load";
cc_params[cc_par_cnt++] = "-Xclang";
cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-pass.so", obj_path);
#endif /* ^USE_TRACE_PC */
cc_params[cc_par_cnt++] = "-Qunused-arguments";
/* Detect stray -v calls from ./configure scripts. */
if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0;
while (--argc) {
u8* cur = *(++argv);
if (!strcmp(cur, "-m32")) bit_mode = 32;
if (!strcmp(cur, "-m64")) bit_mode = 64;
if (!strcmp(cur, "-x")) x_set = 1;
if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E"))
maybe_linking = 0;
if (!strcmp(cur, "-fsanitize=address") ||
!strcmp(cur, "-fsanitize=memory")) asan_set = 1;
if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
if (!strcmp(cur, "-shared")) maybe_linking = 0;
if (!strcmp(cur, "-Wl,-z,defs") ||
!strcmp(cur, "-Wl,--no-undefined")) continue;
cc_params[cc_par_cnt++] = cur;
}
if (getenv("AFL_HARDEN")) {
cc_params[cc_par_cnt++] = "-fstack-protector-all";
if (!fortify_set)
cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
}
if (!asan_set) {
if (getenv("AFL_USE_ASAN")) {
if (getenv("AFL_USE_MSAN"))
FATAL("ASAN and MSAN are mutually exclusive");
if (getenv("AFL_HARDEN"))
FATAL("ASAN and AFL_HARDEN are mutually exclusive");
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=address";
} else if (getenv("AFL_USE_MSAN")) {
if (getenv("AFL_USE_ASAN"))
FATAL("ASAN and MSAN are mutually exclusive");
if (getenv("AFL_HARDEN"))
FATAL("MSAN and AFL_HARDEN are mutually exclusive");
cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
cc_params[cc_par_cnt++] = "-fsanitize=memory";
}
}
#ifdef USE_TRACE_PC
if (getenv("AFL_INST_RATIO"))
FATAL("AFL_INST_RATIO not available at compile time with 'trace-pc'.");
#endif /* USE_TRACE_PC */
if (!getenv("AFL_DONT_OPTIMIZE")) {
cc_params[cc_par_cnt++] = "-g";
cc_params[cc_par_cnt++] = "-O3";
cc_params[cc_par_cnt++] = "-funroll-loops";
}
if (getenv("AFL_NO_BUILTIN")) {
cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
}
cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1";
cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
/* When the user tries to use persistent or deferred forkserver modes by
appending a single line to the program, we want to reliably inject a
signature into the binary (to be picked up by afl-fuzz) and we want
to call a function from the runtime .o file. This is unnecessarily
painful for three reasons:
1) We need to convince the compiler not to optimize out the signature.
This is done with __attribute__((used)).
2) We need to convince the linker, when called with -Wl,--gc-sections,
not to do the same. This is done by forcing an assignment to a
'volatile' pointer.
3) We need to declare __afl_persistent_loop() in the global namespace,
but doing this within a method in a class is hard - :: and extern "C"
are forbidden and __attribute__((alias(...))) doesn't work. Hence the
__asm__ aliasing trick.
*/
cc_params[cc_par_cnt++] = "-D__AFL_LOOP()="
"({ static volatile char *_B __attribute__((used)); "
" _B = (char*)\"" PERSIST_SIG "\"; "
#ifdef __APPLE__
"__attribute__((visibility(\"default\"))) "
"int _L(void) __asm__(\"___afl_persistent_loop\"); "
#else
"__attribute__((visibility(\"default\"))) "
"int _L(void) __asm__(\"__afl_persistent_loop\"); "
#endif /* ^__APPLE__ */
"_L(); })";
cc_params[cc_par_cnt++] = "-D__AFL_INIT()="
"do { static volatile char *_A __attribute__((used)); "
" _A = (char*)\"" DEFER_SIG "\"; "
#ifdef __APPLE__
"__attribute__((visibility(\"default\"))) "
"void _I(void) __asm__(\"___afl_manual_init\"); "
#else
"__attribute__((visibility(\"default\"))) "
"void _I(void) __asm__(\"__afl_manual_init\"); "
#endif /* ^__APPLE__ */
"_I(); } while (0)";
if (maybe_linking) {
if (x_set) {
cc_params[cc_par_cnt++] = "-x";
cc_params[cc_par_cnt++] = "none";
}
switch (bit_mode) {
case 0:
cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt.o", obj_path);
break;
case 32:
cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-32.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m32 is not supported by your compiler");
break;
case 64:
cc_params[cc_par_cnt++] = alloc_printf("%s/afl-llvm-rt-64.o", obj_path);
if (access(cc_params[cc_par_cnt - 1], R_OK))
FATAL("-m64 is not supported by your compiler");
break;
}
}
cc_params[cc_par_cnt] = NULL;
}
/* Main entry point */
int main(int argc, char** argv) {
if (isatty(2) && !getenv("AFL_QUIET")) {
#ifdef USE_TRACE_PC
SAYF(cCYA "afl-clang-fast [tpcg] " cBRI VERSION cRST " by <lszekeres@google.com>\n");
#else
SAYF(cCYA "afl-clang-fast " cBRI VERSION cRST " by <lszekeres@google.com>\n");
#endif /* ^USE_TRACE_PC */
}
if (argc < 2) {
SAYF("\n"
"This is a helper application for afl-fuzz. It serves as a drop-in replacement\n"
"for clang, letting you recompile third-party code with the required runtime\n"
"instrumentation. A common use pattern would be one of the following:\n\n"
" CC=%s/afl-clang-fast ./configure\n"
" CXX=%s/afl-clang-fast++ ./configure\n\n"
"In contrast to the traditional afl-clang tool, this version is implemented as\n"
"an LLVM pass and tends to offer improved performance with slow programs.\n\n"
"You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. Setting\n"
"AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
BIN_PATH, BIN_PATH);
exit(1);
}
find_obj(argv[0]);
edit_params(argc, argv);
execvp(cc_params[0], (char**)cc_params);
FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
return 0;
}
================================================
FILE: afl_progs/llvm_mode/afl-llvm-pass.so.cc
================================================
/*
american fuzzy lop - LLVM-mode instrumentation pass
---------------------------------------------------
Written by Laszlo Szekeres <lszekeres@google.com> and
Michal Zalewski <lcamtuf@google.com>
LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted
from afl-as.c are Michal's fault.
Copyright 2015, 2016 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This library is plugged into LLVM when invoking clang through afl-clang-fast.
It tells the compiler to add code roughly equivalent to the bits discussed
in ../afl-as.h.
*/
#define AFL_LLVM_PASS
#include "../config.h"
#include "../debug.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include "llvm/ADT/Statistic.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/LegacyPassManager.h"
#include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Transforms/IPO/PassManagerBuilder.h"
using namespace llvm;
namespace {
class AFLCoverage : public ModulePass {
public:
static char ID;
AFLCoverage() : ModulePass(ID) { }
bool runOnModule(Module &M) override;
// StringRef getPassName() const override {
// return "American Fuzzy Lop Instrumentation";
// }
};
}
char AFLCoverage::ID = 0;
bool AFLCoverage::runOnModule(Module &M) {
LLVMContext &C = M.getContext();
IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
/* Show a banner */
char be_quiet = 0;
if (isatty(2) && !getenv("AFL_QUIET")) {
SAYF(cCYA "afl-llvm-pass " cBRI VERSION cRST " by <lszekeres@google.com>\n");
} else be_quiet = 1;
/* Decide instrumentation ratio */
char* inst_ratio_str = getenv("AFL_INST_RATIO");
unsigned int inst_ratio = 100;
if (inst_ratio_str) {
if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
inst_ratio > 100)
FATAL("Bad value of AFL_INST_RATIO (must be between 1 and 100)");
}
/* Get globals for the SHM region and the previous location. Note that
__afl_prev_loc is thread-local. */
GlobalVariable *AFLMapPtr =
new GlobalVariable(M, PointerType::get(Int8Ty, 0), false,
GlobalValue::ExternalLinkage, 0, "__afl_area_ptr");
GlobalVariable *AFLPrevLoc = new GlobalVariable(
M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc",
0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
/* Instrument all the things! */
int inst_blocks = 0;
for (auto &F : M)
for (auto &BB : F) {
BasicBlock::iterator IP = BB.getFirstInsertionPt();
IRBuilder<> IRB(&(*IP));
if (AFL_R(100) >= inst_ratio) continue;
/* Make up cur_loc */
unsigned int cur_loc = AFL_R(MAP_SIZE);
ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);
/* Load prev_loc */
LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc);
PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty());
/* Load SHM pointer */
LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr);
MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
Value *MapPtrIdx =
IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, CurLoc));
/* Update bitmap */
LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
IRB.CreateStore(Incr, MapPtrIdx)
->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
/* Set prev_loc to cur_loc >> 1 */
StoreInst *Store =
IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1), AFLPrevLoc);
Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
inst_blocks++;
}
/* Say something nice. */
if (!be_quiet) {
if (!inst_blocks) WARNF("No instrumentation targets found.");
else OKF("Instrumented %u locations (%s mode, ratio %u%%).",
inst_blocks, getenv("AFL_HARDEN") ? "hardened" :
((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
"ASAN/MSAN" : "non-hardened"), inst_ratio);
}
return true;
}
static void registerAFLPass(const PassManagerBuilder &,
legacy::PassManagerBase &PM) {
PM.add(new AFLCoverage());
}
static RegisterStandardPasses RegisterAFLPass(
PassManagerBuilder::EP_OptimizerLast, registerAFLPass);
static RegisterStandardPasses RegisterAFLPass0(
PassManagerBuilder::EP_EnabledOnOptLevel0, registerAFLPass);
================================================
FILE: afl_progs/llvm_mode/afl-llvm-rt.o.c
================================================
/*
american fuzzy lop - LLVM instrumentation bootstrap
---------------------------------------------------
Written by Laszlo Szekeres <lszekeres@google.com> and
Michal Zalewski <lcamtuf@google.com>
LLVM integration design comes from Laszlo Szekeres.
Copyright 2015, 2016 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This code is the rewrite of afl-as.h's main_payload.
*/
/*
This file has been modified from the original AFL version to incorporate into
Killerbeez. Specifically, the fork server has been modified to match the
Killerbeez fork server protocol.
*/
#include "../config.h"
#include "../types.h"
#include "../../instrumentation/forkserver_internal.h"
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <string.h>
#include <assert.h>
#include <sys/mman.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <sys/types.h>
/* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode.
Basically, we need to make sure that the forkserver is initialized after
the LLVM-generated runtime initialization pass, not before. */
#ifdef USE_TRACE_PC
# define CONST_PRIO 5
#else
# define CONST_PRIO 0
#endif /* ^USE_TRACE_PC */
/* Globals needed by the injected instrumentation. The __afl_area_initial region
is used for instrumentation output before __afl_map_shm() has a chance to run.
It will end up as .comm, so it shouldn't be too wasteful. */
u8 __afl_area_initial[MAP_SIZE];
u8* __afl_area_ptr = __afl_area_initial;
__thread u32 __afl_prev_loc;
/* Running in persistent mode? */
static u8 is_persistent;
/* SHM setup. */
static void __afl_map_shm(void) {
u8 *id_str = getenv(SHM_ENV_VAR);
/* If we're running under AFL, attach to the appropriate region, replacing the
early-stage __afl_area_initial region that is needed to allow some really
hacky .init code to work correctly in projects such as OpenSSL. */
if (id_str) {
u32 shm_id = atoi(id_str);
__afl_area_ptr = shmat(shm_id, NULL, 0);
/* Whooooops. */
if (__afl_area_ptr == (void *)-1) _exit(1);
}
}
/* Fork server logic. */
static void __afl_start_forkserver_persistence(void);
static int max_cnt = 0;
static int forkserver_cycle_cnt = 0;
static int cycle_cnt = 0;
static void __afl_start_forkserver(void) {
static int response = 0x41414141;
char command;
s32 child_pid;
/* Phone home and tell the parent that we're OK. If parent isn't there,
assume we're not running in forkserver mode and just execute program. */
if(write(FORKSRV_TO_FUZZER, &response, sizeof(int)) != sizeof(int))
return;
if(getenv(PERSIST_MAX_VAR)) {
__afl_start_forkserver_persistence();
return;
}
while (1) {
// Wait for parent by reading from the pipe. Exit if read fails.
if(read(FUZZER_TO_FORKSRV, &command, sizeof(command)) != sizeof(command))
_exit(1);
switch(command) {
case EXIT:
case RUN: //LLVM doesn't do the single RUN/FORK commands
case FORK: //but instead only implements FORK_RUN
_exit(0);
break;
case FORK_RUN:
child_pid = fork();
if(child_pid < 0)
_exit(1);
//In child process: close fds, resume execution.
if(!child_pid) {
close(FUZZER_TO_FORKSRV);
close(FORKSRV_TO_FUZZER);
//Reset the afl bitmap to a clean state
memset(__afl_area_ptr, 0, MAP_SIZE);
__afl_prev_loc = 0;
return;
}
response = child_pid;
break;
case GET_STATUS:
if(waitpid(child_pid, &response, 0) < 0)
_exit(1);
break;
}
if(write(FORKSRV_TO_FUZZER, &response, sizeof(int)) != sizeof(int))
_exit(1);
}
}
static void __afl_start_forkserver_persistence(void) {
int response = 0x41414141;
char command;
int child_pid = -1;
//Get the maximum number of persistent executions
max_cnt = atoi(getenv(PERSIST_MAX_VAR));
if(!max_cnt)
_exit(1);
while (1) {
// Wait for parent by reading from the pipe. Exit if read fails.
if(read(FUZZER_TO_FORKSRV, &command, sizeof(command)) != sizeof(command))
_exit(1);
switch(command) {
case FORK:
case RUN:
case EXIT:
if(child_pid != -1)
kill(child_pid, SIGKILL);
_exit(0);
break;
case FORK_RUN:
if(child_pid == -1 || forkserver_cycle_cnt == max_cnt) {
//If we need to (re)start the persistent child, do so
if(child_pid != -1 && forkserver_cycle_cnt == max_cnt) {
//if we've hit the maximum cycle count, continue the child, so it may exit
//and clean up. We do this now, rather than in GET_STATUS commands, to ensure that
//the exit portion of the target process does not get traced.
kill(child_pid, SIGCONT);
if(waitpid(child_pid, &response, 0) < 0)
_exit(1);
forkserver_cycle_cnt = 0;
}
child_pid = fork();
if(child_pid < 0)
_exit(1);
//In child process: close fds, resume execution.
if(!child_pid) {
close(FUZZER_TO_FORKSRV);
close(FORKSRV_TO_FUZZER);
return;
}
} else {
//Otherwise, just tell it to continue
kill(child_pid, SIGCONT);
}
//Tell the target process to go
response = child_pid;
if(child_pid == -1) {
response = FORKSERVER_ERROR;
break;
}
forkserver_cycle_cnt++;
break;
case GET_STATUS:
if(waitpid(child_pid, &response, WUNTRACED) < 0)
_exit(1);
if(WIFEXITED(response) || WIFSIGNALED(response)) { //The process ended, either
child_pid = -1; //by hitting the max_cnt count and exiting, or by crashing
forkserver_cycle_cnt = 0;
}
else if(WIFSTOPPED(response)) //If we hit a SIGSTOP, then the child didn't
response = 0; //die, just return 0 to the parent
break;
}
if(write(FORKSRV_TO_FUZZER, &response, sizeof(response)) != sizeof(response))
_exit(1);
}
}
/* A simplified persistent mode handler, used as explained in README.llvm. */
int __afl_persistent_loop(void) {
static u8 first_pass = 1;
if (first_pass) {
if (is_persistent) {
memset(__afl_area_ptr, 0, MAP_SIZE);
__afl_prev_loc = 0;
}
cycle_cnt = 0;
first_pass = 0;
return 1;
}
if (is_persistent) {
if(++cycle_cnt != max_cnt) {
raise(SIGSTOP);
memset(__afl_area_ptr, 0, MAP_SIZE);
__afl_prev_loc = 0;
return 1;
} else {
/* When exiting __AFL_LOOP(), make sure that the subsequent code that
follows the loop is not traced. We do that by pivoting back to the
dummy output region. */
__afl_area_ptr = __afl_area_initial;
}
}
return 0;
}
/* This one can be called from user code when deferred forkserver mode
is enabled. */
void __afl_manual_init(void) {
static u8 init_done;
if (!init_done) {
__afl_map_shm();
__afl_start_forkserver();
init_done = 1;
}
}
/* Proper initialization routine. */
__attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
is_persistent = !!getenv(PERSIST_MAX_VAR);
if (getenv(DEFER_ENV_VAR)) return;
__afl_manual_init();
}
/* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard.
It remains non-operational in the traditional, plugin-backed LLVM mode.
For more info about 'trace-pc-guard', see README.llvm.
The first function (__sanitizer_cov_trace_pc_guard) is called back on every
edge (as opposed to every basic block). */
void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
__afl_area_ptr[*guard]++;
}
/* Init callback. Populates instrumentation IDs. Note that we're using
ID of 0 as a special value to indicate non-instrumented bits. That may
still touch the bitmap, but in a fairly harmless way. */
void __sanitizer_cov_trace_pc_guard_init(uint32_t* start, uint32_t* stop) {
u32 inst_ratio = 100;
u8* x;
if (start == stop || *start) return;
x = getenv("AFL_INST_RATIO");
if (x) inst_ratio = atoi(x);
if (!inst_ratio || inst_ratio > 100) {
fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
abort();
}
/* Make sure that the first element in the range is always set - we use that
to avoid duplicate calls (which can happen as an artifact of the underlying
implementation in LLVM). */
*(start++) = R(MAP_SIZE - 1) + 1;
while (start < stop) {
if (R(100) < inst_ratio) *start = R(MAP_SIZE - 1) + 1;
else *start = 0;
start++;
}
}
================================================
FILE: afl_progs/qemu_mode/README.qemu
================================================
This directory contains the build script and patches for the QEMU-based
instrumentation. This instrumentation is copied from AFL with minor changes to
fit into the killerbeez fork server framework (see
http://lcamtuf.coredump.cx/afl/ for the original version). Additionally this
version of the QEMU instrumentation has been patched with the following patches
from vanhauser-thc's github repository (available at
https://github.com/vanhauser-thc/afl-patches/):
* afl-qemu-speed.diff
* afl-qemu-ppc64.diff
* afl_qemu_optimize_map.diff
* afl_qemu_optimize_entrypoint.diff
The original AFL QEMU Readme is listed below:
=========================================================
High-performance binary-only instrumentation for afl-fuzz
=========================================================
(See ../docs/README for the general instruction manual.)
1) Introduction
---------------
The code in this directory allows you to build a standalone feature that
leverages the QEMU "user emulation" mode and allows callers to obtain
instrumentation output for black-box, closed-source binaries. This mechanism
can be then used by afl-fuzz to stress-test targets that couldn't be built
with afl-gcc.
The usual performance cost is 2-5x, which is considerably better than
seen so far in experiments with tools such as DynamoRIO and PIN.
The idea and much of the implementation comes from Andrew Griffiths.
2) How to use
-------------
The feature is implemented with a fairly simple patch to QEMU 2.10.0. The
simplest way to build it is to run ./build_qemu_support.sh. The script will
download, configure, and compile the QEMU binary for you.
QEMU is a big project, so this will take a while, and you may have to
resolve a couple of dependencies (most notably, you will definitely need
libtool and glib2-devel).
Once the binaries are compiled, you can leverage the QEMU tool by calling
afl-fuzz and all the related utilities with -Q in the command line.
Note that QEMU requires a generous memory limit to run; somewhere around
200 MB is a good starting point, but considerably more may be needed for
more complex programs. The default -m limit will be automatically bumped up
to 200 MB when specifying -Q to afl-fuzz; be careful when overriding this.
In principle, if you set CPU_TARGET before calling ./build_qemu_support.sh,
you should get a build capable of running non-native binaries (say, you
can try CPU_TARGET=arm). This is also necessary for running 32-bit binaries
on a 64-bit system (CPU_TARGET=i386).
Note: if you want the QEMU helper to be installed on your system for all
users, you need to build it before issuing 'make install' in the parent
directory.
3) Notes on linking
-------------------
The feature is supported only on Linux. Supporting BSD may amount to porting
the changes made to linux-user/elfload.c and applying them to
bsd-user/elfload.c, but I have not looked into this yet.
The instrumentation follows only the .text section of the first ELF binary
encountered in the linking process. It does not trace shared libraries. In
practice, this means two things:
- Any libraries you want to analyze *must* be linked statically into the
executed ELF file (this will usually be the case for closed-source
apps).
- Standard C libraries and other stuff that is wasteful to instrument
should be linked dynamically - otherwise, AFL will have no way to avoid
peeking into them.
Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic
and instrument every basic block encountered.
4) Benchmarking
---------------
If you want to compare the performance of the QEMU instrumentation with that of
afl-gcc compiled code against the same target, you need to build the
non-instrumented binary with the same optimization flags that are normally
injected by afl-gcc, and make sure that the bits to be tested are statically
linked into the binary. A common way to do this would be:
$ CFLAGS="-O3 -funroll-loops" ./configure --disable-shared
$ make clean all
Comparative measurements of execution speed or instrumentation coverage will be
fairly meaningless if the optimization levels or instrumentation scopes don't
match.
5) Gotchas, feedback, bugs
--------------------------
If you need to fix up checksums or do other cleanup on mutated test cases, see
experimental/post_library/ for a viable solution.
Do not mix QEMU mode with ASAN, MSAN, or the likes; QEMU doesn't appreciate
the "shadow VM" trick employed by the sanitizers and will probably just
run out of memory.
Compared to fully-fledged virtualization, the user emulation mode is *NOT* a
security boundary. The binaries can freely interact with the host OS. If you
somehow need to fuzz an untrusted binary, put everything in a sandbox first.
QEMU does not necessarily support all CPU or hardware features that your
target program may be utilizing. In particular, it does not appear to have
full support for AVX2 / FMA3. Using binaries for older CPUs, or recompiling them
with -march=core2, can help.
Beyond that, this is an early-stage mechanism, so fields reports are welcome.
You can send them to <afl-users@googlegroups.com>.
6) Alternatives: static rewriting
---------------------------------
Statically rewriting binaries just once, instead of attempting to translate
them at run time, can be a faster alternative. That said, static rewriting is
fraught with peril, because it depends on being able to properly and fully model
program control flow without actually executing each and every code path.
If you want to experiment with this mode of operation, there is a module
contributed by Aleksandar Nikolich:
https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
At this point, the author reports the possibility of hiccups with stripped
binaries. That said, if we can get it to be comparably reliable to QEMU, we may
decide to switch to this mode, but I had no time to play with it yet.
================================================
FILE: afl_progs/qemu_mode/build_qemu_support.sh
================================================
#!/bin/sh
#
# american fuzzy lop - QEMU build script
# --------------------------------------
#
# Written by Andrew Griffiths <agriffiths@google.com> and
# Michal Zalewski <lcamtuf@google.com>
#
# Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# This script downloads, patches, and builds a version of QEMU with
# minor tweaks to allow non-instrumented binaries to be run under
# afl-fuzz.
#
# The modifications reside in patches/*. The standalone QEMU binary
# will be written to ../afl-qemu-trace.
#
VERSION="2.10.0"
QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz"
QEMU_SHA384="68216c935487bc8c0596ac309e1e3ee75c2c4ce898aab796faa321db5740609ced365fedda025678d072d09ac8928105"
echo "================================================="
echo "AFL binary-only instrumentation QEMU build script"
echo "================================================="
echo
echo "[*] Performing basic sanity checks..."
if [ ! "`uname -s`" = "Linux" ]; then
echo "[-] Error: QEMU instrumentation is supported only on Linux."
exit 1
fi
if [ ! -f "patches/afl-qemu-cpu-inl.h" -o ! -f "../config.h" ]; then
echo "[-] Error: key files not found - wrong working directory?"
exit 1
fi
for i in libtool wget python automake autoconf sha384sum bison iconv; do
T=`which "$i" 2>/dev/null`
if [ "$T" = "" ]; then
echo "[-] Error: '$i' not found, please install first."
exit 1
fi
done
if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then
echo "[-] Error: devel version of 'glib2' not found, please install first."
exit 1
fi
if echo "$CC" | grep -qF /afl-; then
echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
exit 1
fi
echo "[+] All checks passed!"
ARCHIVE="`basename -- "$QEMU_URL"`"
CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`
if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then
echo "[*] Downloading QEMU ${VERSION} from the web..."
rm -f "$ARCHIVE"
wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1
CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`
fi
if [ "$CKSUM" = "$QEMU_SHA384" ]; then
echo "[+] Cryptographic signature on $ARCHIVE checks out."
else
echo "[-] Error: signature mismatch on $ARCHIVE (perhaps download error?)."
exit 1
fi
echo "[*] Uncompressing archive (this will take a while)..."
rm -rf "qemu-${VERSION}" || exit 1
tar xf "$ARCHIVE" || exit 1
echo "[+] Unpacking successful."
echo "[*] Configuring QEMU for $CPU_TARGET..."
ORIG_CPU_TARGET="$CPU_TARGET"
test "$CPU_TARGET" = "" && CPU_TARGET="`uname -m`"
test "$CPU_TARGET" = "i686" && CPU_TARGET="i386"
cd qemu-$VERSION || exit 1
echo "[*] Applying patches..."
patch -p1 <../patches/elfload.diff || exit 1
patch -p1 <../patches/cpu-exec.diff || exit 1
patch -p1 <../patches/syscall.diff || exit 1
patch -p1 <../patches/configure.diff || exit 1
patch -p1 <../patches/memfd.diff || exit 1
patch -p1 <../patches/translate-all.diff || exit 1
patch -p1 <../patches/afl_qemu_optimize_entrypoint.diff || exit 1
echo "[+] Patching done."
# --enable-pie seems to give a couple of exec's a second performance
# improvement, much to my surprise. Not sure how universal this is..
CFLAGS="-O3 -ggdb" ./configure --disable-system \
--enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
--target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1
echo "[+] Configuration complete."
echo "[*] Attempting to build QEMU (fingers crossed!)..."
make || exit 1
echo "[+] Build process successful!"
echo "[*] Copying binary..."
cp -f "${CPU_TARGET}-linux-user/qemu-${CPU_TARGET}" "../../afl-qemu-trace" || exit 1
cd ..
ls -l ../afl-qemu-trace || exit 1
echo "[+] Successfully created '../afl-qemu-trace'."
echo "[+] All set, you can now use the qemu mode in killerbeez!"
exit 0
================================================
FILE: afl_progs/qemu_mode/patches/afl-qemu-cpu-inl.h
================================================
/*
american fuzzy lop - high-performance binary-only instrumentation
-----------------------------------------------------------------
Written by Andrew Griffiths <agriffiths@google.com> and
Michal Zalewski <lcamtuf@google.com>
Idea & design very much by Andrew Griffiths.
TCG instrumentation and block chaining support by Andrea Biondo
<andrea.biondo965@gmail.com>
Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This code is a shim patched into the separately-distributed source
code of QEMU 2.10.0. It leverages the built-in QEMU tracing functionality
to implement AFL-style instrumentation and to take care of the remaining
parts of the AFL fork server logic.
The resulting QEMU binary is essentially a standalone instrumentation
tool; for an example of how to leverage it for other purposes, you can
have a look at afl-showmap.c.
*/
/*
This file has been modified from the original AFL version to incorporate into
Killerbeez. Specifically, the fork server has been modified to match the
Killerbeez fork server protocol.
*/
#include <sys/shm.h>
#include "../../config.h"
#include "../../../instrumentation/forkserver_internal.h"
/***************************
* VARIOUS AUXILIARY STUFF *
***************************/
/* This snippet kicks in when the instruction pointer is positioned at
_start and does the usual forkserver stuff, not very different from
regular instrumentation injected via afl-as.h. */
#define AFL_QEMU_CPU_SNIPPET2 do { \
if(itb->pc == afl_entry_point) { \
afl_setup(); \
afl_forkserver(cpu); \
} \
} while (0)
/* We use one additional file descriptor to relay "needs translation"
messages between the child and the fork server. */
#define TSL_FD QEMU_TSL_FD //import it from forkserver_internal.h
/* This is equivalent to afl-as.h: */
unsigned char dummy[65536];
unsigned char *afl_area_ptr = dummy; /* Exported for afl_gen_trace */
/* Exported variables populated by the code patched into elfload.c: */
abi_ulong afl_entry_point, /* ELF entry point (_start) */
afl_start_code, /* .text start pointer */
afl_end_code; /* .text end pointer */
/* Set in the child process in forkserver mode: */
static unsigned char afl_fork_child;
unsigned int afl_forksrv_pid;
/* Instrumentation ratio: */
unsigned int afl_inst_rms = MAP_SIZE; /* Exported for afl_gen_trace */
/* Function declarations. */
static void afl_setup(void);
static void afl_forkserver(CPUState*);
static void afl_wait_tsl(CPUState*, int);
static void afl_request_tsl(target_ulong, target_ulong, uint32_t, TranslationBlock*, int);
/* Data structures passed around by the translate handlers: */
struct afl_tb {
target_ulong pc;
target_ulong cs_base;
uint32_t flags;
};
struct afl_tsl {
struct afl_tb tb;
char is_chain;
};
struct afl_chain {
struct afl_tb last_tb;
int tb_exit;
};
/* Some forward decls: */
TranslationBlock *tb_htable_lookup(CPUState*, target_ulong, target_ulong, uint32_t);
static inline TranslationBlock *tb_find(CPUState*, TranslationBlock*, int);
/*************************
* ACTUAL IMPLEMENTATION *
*************************/
/* Set up SHM region and initialize other stuff. */
static void afl_setup(void) {
char *id_str = getenv(SHM_ENV_VAR),
*inst_r = getenv("AFL_INST_RATIO");
int shm_id;
if (inst_r) {
unsigned int r;
r = atoi(inst_r);
if (r > 100) r = 100;
if (!r) r = 1;
afl_inst_rms = MAP_SIZE * r / 100;
}
if (id_str) {
shm_id = atoi(id_str);
afl_area_ptr = shmat(shm_id, NULL, 0);
if (afl_area_ptr == (void*)-1) exit(1);
/* With AFL_INST_RATIO set to a low value, we want to touch the bitmap
so that the parent doesn't give up on us. */
if (inst_r) afl_area_ptr[0] = 1;
}
if (getenv("AFL_INST_LIBS")) {
afl_start_code = 0;
afl_end_code = (abi_ulong)-1;
}
/* pthread_atfork() seems somewhat broken in util/rcu.c, and I'm
not entirely sure what is the cause. This disables that
behaviour, and seems to work alright? */
rcu_disable_atfork();
}
/* Fork server logic, invoked once we hit _start. */
static int forkserver_installed = 0;
static void afl_forkserver(CPUState *cpu) {
static int response = 0x41414141;
char command;
int child_pid = -1;
int t_fd[2];
if (forkserver_installed == 1)
return;
forkserver_installed = 1;
//if (!afl_area_ptr) return;
/* Tell the parent that we're alive. If the parent doesn't want
to talk, assume that we're not running in forkserver mode. */
if(write(FORKSRV_TO_FUZZER, &response, sizeof(int)) != sizeof(int))
return;
afl_forksrv_pid = getpid();
/* All right, let's await orders... */
while (1) {
// Wait for parent by reading from the pipe. Exit if read fails.
if(read(FUZZER_TO_FORKSRV, &command, sizeof(command)) != sizeof(command))
_exit(1);
switch(command) {
case EXIT:
case RUN: //QEMU doesn't do the single RUN/FORK commands
case FORK: //but instead only implements FORK_RUN
_exit(0);
break;
case FORK_RUN:
/* Establish a channel with child to grab translation commands. We'll
read from t_fd[0], child will write to TSL_FD. */
if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3);
close(t_fd[1]);
child_pid = fork();
if (child_pid < 0) exit(4);
if (!child_pid) {
/* Child process. Close descriptors and run free. */
afl_fork_child = 1;
close(FUZZER_TO_FORKSRV);
close(FORKSRV_TO_FUZZER);
close(t_fd[0]);
return;
}
/* Parent. */
response = child_pid;
if(write(FORKSRV_TO_FUZZER, &response, sizeof(int)) != sizeof(int))
_exit(1);
close(TSL_FD);
/* Collect translation requests until child dies and closes the pipe. */
afl_wait_tsl(cpu, t_fd[0]);
break;
case GET_STATUS:
/* Get and relay exit status to parent. */
if(waitpid(child_pid, &response, 0) < 0)
_exit(1);
if(write(FORKSRV_TO_FUZZER, &response, sizeof(int)) != sizeof(int))
_exit(1);
break;
}
}
}
/* This code is invoked whenever QEMU decides that it doesn't have a
translation of a particular block and needs to compute it, or when it
decides to chain two TBs together. When this happens, we tell the parent to
mirror the operation, so that the next fork() has a cached copy. */
static void afl_request_tsl(target_ulong pc, target_ulong cb, uint32_t flags,
TranslationBlock *last_tb, int tb_exit) {
struct afl_tsl t;
struct afl_chain c;
if (!afl_fork_child) return;
t.tb.pc = pc;
t.tb.cs_base = cb;
t.tb.flags = flags;
t.is_chain = (last_tb != NULL);
if (write(TSL_FD, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl))
return;
if (t.is_chain) {
c.last_tb.pc = last_tb->pc;
c.last_tb.cs_base = last_tb->cs_base;
c.last_tb.flags = last_tb->flags;
c.tb_exit = tb_exit;
if (write(TSL_FD, &c, sizeof(struct afl_chain)) != sizeof(struct afl_chain))
return;
}
}
/* This is the other side of the same channel. Since timeouts are handled by
afl-fuzz simply killing the child, we can just wait until the pipe breaks. */
static void afl_wait_tsl(CPUState *cpu, int fd) {
struct afl_tsl t;
struct afl_chain c;
TranslationBlock *tb, *last_tb;
while (1) {
/* Broken pipe means it's time to return to the fork server routine. */
if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl))
break;
tb = tb_htable_lookup(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags);
if(!tb) {
mmap_lock();
tb_lock();
tb = tb_gen_code(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, 0);
mmap_unlock();
tb_unlock();
}
if (t.is_chain) {
if (read(fd, &c, sizeof(struct afl_chain)) != sizeof(struct afl_chain))
break;
last_tb = tb_htable_lookup(cpu, c.last_tb.pc, c.last_tb.cs_base,
c.last_tb.flags);
if (last_tb) {
tb_lock();
if (!tb->invalid) {
tb_add_jump(last_tb, c.tb_exit, tb);
}
tb_unlock();
}
}
}
close(fd);
}
================================================
FILE: afl_progs/qemu_mode/patches/afl-qemu-translate-inl.h
================================================
/*
american fuzzy lop - high-performance binary-only instrumentation
-----------------------------------------------------------------
Written by Andrew Griffiths <agriffiths@google.com> and
Michal Zalewski <lcamtuf@google.com>
Idea & design very much by Andrew Griffiths.
TCG instrumentation and block chaining support by Andrea Biondo
<andrea.biondo965@gmail.com>
Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
This code is a shim patched into the separately-distributed source
code of QEMU 2.10.0. It leverages the built-in QEMU tracing functionality
to implement AFL-style instrumentation and to take care of the remaining
parts of the AFL fork server logic.
The resulting QEMU binary is essentially a standalone instrumentation
tool; for an example of how to leverage it for other purposes, you can
have a look at afl-showmap.c.
*/
#include "../../config.h"
#include "tcg-op.h"
/* Declared in afl-qemu-cpu-inl.h */
extern unsigned char *afl_area_ptr;
extern unsigned int afl_inst_rms;
extern abi_ulong afl_start_code, afl_end_code;
/* Generates TCG code for AFL's tracing instrumentation. */
static void afl_gen_trace(target_ulong cur_loc)
{
static __thread target_ulong prev_loc;
TCGv index, count, new_prev_loc;
TCGv_ptr prev_loc_ptr, count_ptr;
/* Optimize for cur_loc > afl_end_code, which is the most likely case on
Linux systems. */
if (cur_loc > afl_end_code || cur_loc < afl_start_code /*|| !afl_area_ptr*/)
return;
/* Looks like QEMU always maps to fixed locations, so ASAN is not a
concern. Phew. But instruction addresses may be aligned. Let's mangle
the value to get something quasi-uniform. */
cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
cur_loc &= MAP_SIZE - 1;
/* Implement probabilistic instrumentation by looking at scrambled block
address. This keeps the instrumented locations stable across runs. */
if (cur_loc >= afl_inst_rms) return;
/* index = prev_loc ^ cur_loc */
prev_loc_ptr = tcg_const_ptr(&prev_loc);
index = tcg_temp_new();
tcg_gen_ld_tl(index, prev_loc_ptr, 0);
tcg_gen_xori_tl(index, index, cur_loc);
/* afl_area_ptr[index]++ */
count_ptr = tcg_const_ptr(afl_area_ptr);
tcg_gen_add_ptr(count_ptr, count_ptr, TCGV_NAT_TO_PTR(index));
count = tcg_temp_new();
tcg_gen_ld8u_tl(count, count_ptr, 0);
tcg_gen_addi_tl(count, count, 1);
tcg_gen_st8_tl(count, count_ptr, 0);
/* prev_loc = cur_loc >> 1 */
new_prev_loc = tcg_const_tl(cur_loc >> 1);
tcg_gen_st_tl(new_prev_loc, prev_loc_ptr, 0);
}
================================================
FILE: afl_progs/qemu_mode/patches/afl_qemu_optimize_entrypoint.diff
================================================
--- qemu-2.10.0/linux-user/elfload.c.orig 2018-03-16 11:43:21.000000000 +0100
+++ qemu-2.10.0/linux-user/elfload.c 2018-04-04 05:25:47.535020053 +0200
@@ -2086,8 +2086,21 @@
info->end_data = 0;
info->brk = 0;
info->elf_flags = ehdr->e_flags;
-
- if (!afl_entry_point) afl_entry_point = info->entry;
+
+ if (!afl_entry_point) {
+ char *ptr;
+ if ((ptr = getenv("AFL_ENTRYPOINT")) != NULL) {
+ afl_entry_point = strtoul(ptr, NULL, 16);
+ } else {
+ if (!afl_entry_point) afl_entry_point = info->entry;
+ }
+#ifdef TARGET_ARM
+ /* The least significant bit indicates Thumb mode. */
+ afl_entry_point = afl_entry_point & ~(target_ulong)1;
+#endif
+ if (getenv("AFL_DEBUG") != NULL)
+ fprintf(stderr, "AFL forkserver entrypoint: %p\n", (void*)afl_entry_point);
+ } while(0);
for (i = 0; i < ehdr->e_phnum; i++) {
struct elf_phdr *eppnt = phdr + i;
================================================
FILE: afl_progs/qemu_mode/patches/configure.diff
================================================
--- a/configure
+++ b/configure
@@ -3855,7 +3855,7 @@ fi
# check if memfd is supported
memfd=no
cat > $TMPC << EOF
-#include <sys/memfd.h>
+#include <sys/mman.h>
int main(void)
{
================================================
FILE: afl_progs/qemu_mode/patches/cpu-exec.diff
================================================
--- qemu-2.10.0-clean/accel/tcg/cpu-exec.c 2017-08-30 18:50:40.000000000 +0200
+++ qemu-2.10.0/accel/tcg/cpu-exec.c 2018-09-22 13:21:23.612068407 +0200
@@ -36,6 +36,8 @@
#include "sysemu/cpus.h"
#include "sysemu/replay.h"
+#include "../patches/afl-qemu-cpu-inl.h"
+
/* -icount align implementation. */
typedef struct SyncClocks {
@@ -144,6 +146,8 @@
int tb_exit;
uint8_t *tb_ptr = itb->tc_ptr;
+ AFL_QEMU_CPU_SNIPPET2;
+
qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc,
"Trace %p [%d: " TARGET_FMT_lx "] %s\n",
itb->tc_ptr, cpu->cpu_index, itb->pc,
@@ -337,7 +341,7 @@
TranslationBlock *tb;
target_ulong cs_base, pc;
u
gitextract_drfsjm0i/
├── .gitattributes
├── .gitignore
├── .gitlab-ci.yml
├── .gitmodules
├── APLv2
├── CMakeLists.txt
├── LICENSE
├── Makefile
├── README.md
├── afl_progs/
│ ├── Makefile
│ ├── afl-as.c
│ ├── afl-as.h
│ ├── afl-gcc.c
│ ├── afl-showmap.c
│ ├── alloc-inl.h
│ ├── config.h
│ ├── debug.h
│ ├── hash.h
│ ├── llvm_mode/
│ │ ├── Makefile
│ │ ├── README.llvm
│ │ ├── afl-clang-fast.c
│ │ ├── afl-llvm-pass.so.cc
│ │ └── afl-llvm-rt.o.c
│ ├── qemu_mode/
│ │ ├── README.qemu
│ │ ├── build_qemu_support.sh
│ │ └── patches/
│ │ ├── afl-qemu-cpu-inl.h
│ │ ├── afl-qemu-translate-inl.h
│ │ ├── afl_qemu_optimize_entrypoint.diff
│ │ ├── configure.diff
│ │ ├── cpu-exec.diff
│ │ ├── elfload.diff
│ │ ├── memfd.diff
│ │ ├── syscall.diff
│ │ └── translate-all.diff
│ ├── test-instr.c
│ └── types.h
├── corpus/
│ ├── CMakeLists.txt
│ ├── afl_test/
│ │ ├── Makefile
│ │ └── test.c
│ ├── cgc/
│ │ ├── REMATCH_2--Mail_Server--Crackaddr/
│ │ │ ├── README.md
│ │ │ ├── inputs/
│ │ │ │ ├── ADDRESSBOOK.txt
│ │ │ │ ├── LIST.txt
│ │ │ │ ├── LISTALL.txt
│ │ │ │ ├── POST.txt
│ │ │ │ ├── READ.txt
│ │ │ │ └── crash.txt
│ │ │ ├── lib/
│ │ │ │ ├── cgc_ctype.h
│ │ │ │ ├── cgc_libc.h
│ │ │ │ ├── cgc_malloc.h
│ │ │ │ ├── cgc_math.h
│ │ │ │ ├── cgc_prng.h
│ │ │ │ ├── cgc_shell.h
│ │ │ │ ├── cgc_stdarg.h
│ │ │ │ ├── cgc_stdint.h
│ │ │ │ ├── cgc_stdio.h
│ │ │ │ ├── cgc_stdlib.h
│ │ │ │ ├── cgc_string.h
│ │ │ │ ├── ctype.c
│ │ │ │ ├── libc.c
│ │ │ │ ├── malloc.c
│ │ │ │ ├── math.c
│ │ │ │ ├── prng.c
│ │ │ │ ├── shell.c
│ │ │ │ ├── stdio.c
│ │ │ │ ├── stdlib.c
│ │ │ │ └── string.c
│ │ │ ├── notes.txt
│ │ │ └── src/
│ │ │ ├── cgc_crackaddr.h
│ │ │ ├── cgc_sendmail.h
│ │ │ ├── crackaddr.c
│ │ │ └── sendmail.c
│ │ ├── SOLFEDGE/
│ │ │ ├── README.md
│ │ │ ├── inputs/
│ │ │ │ ├── crash.txt
│ │ │ │ ├── crash2.txt
│ │ │ │ └── input.txt
│ │ │ ├── lib/
│ │ │ │ ├── cgc_libc.h
│ │ │ │ └── libc.c
│ │ │ ├── notes.txt
│ │ │ └── src/
│ │ │ ├── cgc_operation.h
│ │ │ ├── cgc_service.h
│ │ │ ├── operation.c
│ │ │ └── service.c
│ │ ├── String_Storage_and_Retrieval/
│ │ │ ├── README.md
│ │ │ ├── inputs/
│ │ │ │ ├── crash.txt
│ │ │ │ └── input.txt
│ │ │ ├── lib/
│ │ │ │ ├── cgc_mymath.h
│ │ │ │ ├── cgc_stdarg.h
│ │ │ │ ├── cgc_stdint.h
│ │ │ │ ├── cgc_stdlib.h
│ │ │ │ ├── malloc.c
│ │ │ │ ├── mymath.c
│ │ │ │ ├── new_printf.c
│ │ │ │ └── stdlib.c
│ │ │ ├── notes.txt
│ │ │ └── src/
│ │ │ ├── bst.c
│ │ │ ├── delete_matches.c
│ │ │ ├── find_matches.c
│ │ │ ├── parse.c
│ │ │ ├── service.c
│ │ │ └── string_token.c
│ │ ├── UTF-late/
│ │ │ ├── README.md
│ │ │ ├── inputs/
│ │ │ │ ├── crash.txt
│ │ │ │ └── input.txt
│ │ │ ├── lib/
│ │ │ │ ├── cgc_libc.h
│ │ │ │ ├── cgc_list.h
│ │ │ │ ├── cgc_utf8.h
│ │ │ │ ├── cgc_vfs.h
│ │ │ │ ├── libc.c
│ │ │ │ ├── malloc.c
│ │ │ │ ├── utf8.c
│ │ │ │ └── vfs.c
│ │ │ ├── notes.txt
│ │ │ └── src/
│ │ │ └── service.c
│ │ └── cotton_swab_arithmetic/
│ │ ├── README.md
│ │ ├── inputs/
│ │ │ ├── crash.txt
│ │ │ ├── crash2.txt
│ │ │ └── input.txt
│ │ ├── lib/
│ │ │ ├── cgc_libc.h
│ │ │ └── libc.c
│ │ ├── notes.txt
│ │ └── src/
│ │ ├── cgc_service.h
│ │ └── service.c
│ ├── google/
│ │ ├── README.md
│ │ └── vorbis/
│ │ ├── build.sh
│ │ ├── decode_fuzzer.cc
│ │ ├── decode_fuzzer.exe.stackdump
│ │ ├── inputs/
│ │ │ ├── crash-23c2d78e497bf4aebe5859e3092657cb0af4c299
│ │ │ ├── crash-8c5dea6410b0fb0b21ff968a9966a0bd7956405f
│ │ │ ├── crash-e86e0482b8d66f924e50e62f5d7cc36a0acb03a7
│ │ │ └── sound.ogg
│ │ └── notes.txt
│ ├── hang/
│ │ ├── CMakeLists.txt
│ │ └── hang.c
│ ├── libtest/
│ │ ├── CMakeLists.txt
│ │ ├── lib1.c
│ │ ├── lib2.c
│ │ ├── libs.h
│ │ └── test.c
│ ├── network/
│ │ ├── CMakeLists.txt
│ │ ├── client/
│ │ │ ├── client.cpp
│ │ │ ├── client.vcxproj
│ │ │ └── client.vcxproj.filters
│ │ ├── close.txt
│ │ ├── multipart.txt
│ │ ├── network.sln
│ │ └── server/
│ │ ├── server.cpp
│ │ ├── server.vcxproj
│ │ └── server.vcxproj.filters
│ ├── persist/
│ │ ├── CMakeLists.txt
│ │ └── test.c
│ └── test/
│ ├── CMakeLists.txt
│ ├── inputs/
│ │ ├── close.txt
│ │ ├── crash.txt
│ │ ├── input.txt
│ │ ├── multipart.txt
│ │ └── telnet_multipart.txt
│ ├── notes.txt
│ └── test.c
├── docs/
│ ├── AFL.md
│ ├── BUILD.md
│ ├── CI.md
│ ├── DynamoRIO.md
│ ├── IPT.md
│ ├── Server.md
│ ├── api/
│ │ ├── Makefile
│ │ ├── README.txt
│ │ ├── api.tex
│ │ ├── api_driver.tex
│ │ ├── api_instrumentation.tex
│ │ ├── api_mutator.tex
│ │ ├── api_structures.tex
│ │ ├── coverpage.tex
│ │ ├── defines.tex
│ │ ├── files/
│ │ │ ├── driver_t.c
│ │ │ ├── instrumentation_edge_t.c
│ │ │ ├── instrumentation_t.c
│ │ │ └── mutator_t.c
│ │ ├── helpers.tex
│ │ └── packages.tex
│ └── paper/
│ ├── Makefile
│ ├── abstract.tex
│ ├── acknowledgments.tex
│ ├── background.tex
│ ├── conclusion.tex
│ ├── data/
│ │ ├── Makefile
│ │ └── picker.gnuplot
│ ├── future_work.tex
│ ├── implementation.tex
│ ├── introduction.tex
│ ├── killerbeez.tex
│ ├── overview.tex
│ ├── packages.tex
│ ├── references.tex
│ └── related_work.tex
├── driver/
│ ├── CMakeLists.txt
│ ├── driver.c
│ ├── driver.h
│ ├── driver_factory.c
│ ├── driver_factory.h
│ ├── file_driver.c
│ ├── file_driver.h
│ ├── network_client_driver.c
│ ├── network_client_driver.h
│ ├── network_server_driver.c
│ ├── network_server_driver.h
│ ├── stdin_driver.c
│ ├── stdin_driver.h
│ ├── wmp_driver.cpp
│ └── wmp_driver.h
├── fuzzer/
│ ├── CMakeLists.txt
│ └── main.c
├── instrumentation/
│ ├── CMakeLists.txt
│ ├── afl_instrumentation.c
│ ├── afl_instrumentation.h
│ ├── debug_instrumentation.c
│ ├── debug_instrumentation.h
│ ├── dynamorio_instrumentation.c
│ ├── dynamorio_instrumentation.h
│ ├── forkserver.c
│ ├── forkserver.h
│ ├── forkserver_config.h
│ ├── forkserver_hooking.c
│ ├── forkserver_internal.h
│ ├── instrumentation.c
│ ├── instrumentation.h
│ ├── instrumentation_factory.c
│ ├── instrumentation_factory.h
│ ├── linux_ipt_instrumentation.c
│ ├── linux_ipt_instrumentation.h
│ ├── return_code_instrumentation.c
│ ├── return_code_instrumentation.h
│ ├── uthash.h
│ ├── winafl_alloc_inl.h
│ ├── winafl_config.h
│ ├── winafl_debug.h
│ ├── winafl_hash.h
│ ├── winafl_types.h
│ ├── wingui.c
│ ├── wingui.h
│ ├── xxhash.c
│ └── xxhash.h
├── jansson/
│ ├── CMakeLists.txt
│ ├── dump.c
│ ├── error.c
│ ├── hashtable.c
│ ├── hashtable.h
│ ├── hashtable_seed.c
│ ├── jansson.h
│ ├── jansson_config.h
│ ├── jansson_helper.c
│ ├── jansson_helper.h
│ ├── jansson_private.h
│ ├── jansson_private_config.h
│ ├── load.c
│ ├── lookup3.h
│ ├── memory.c
│ ├── pack_unpack.c
│ ├── strbuffer.c
│ ├── strbuffer.h
│ ├── strconv.c
│ ├── utf.c
│ ├── utf.h
│ └── value.c
├── merger/
│ ├── CMakeLists.txt
│ └── merger.c
├── mutators/
│ ├── APLv2
│ ├── CMakeLists.txt
│ ├── LICENSE
│ ├── afl_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── afl_mutator.c
│ │ └── afl_mutator.h
│ ├── arithmetic_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── arithmetic_mutator.c
│ │ └── arithmetic_mutator.h
│ ├── bit_flip_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── bit_flip_mutator.c
│ │ └── bit_flip_mutator.h
│ ├── dictionary_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── dictionary_mutator.c
│ │ └── dictionary_mutator.h
│ ├── havoc_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── havoc_mutator.c
│ │ └── havoc_mutator.h
│ ├── honggfuzz_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── honggfuzz_mutator.c
│ │ └── honggfuzz_mutator.h
│ ├── interesting_value_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── interesting_value_mutator.c
│ │ └── interesting_value_mutator.h
│ ├── multipart_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── multipart_mutator.c
│ │ └── multipart_mutator.h
│ ├── mutator_tester/
│ │ ├── CMakeLists.txt
│ │ ├── mutator_tester.c
│ │ └── mutator_tester.h
│ ├── mutators/
│ │ ├── CMakeLists.txt
│ │ ├── afl_config.h
│ │ ├── afl_debug.h
│ │ ├── afl_helpers.c
│ │ ├── afl_helpers.h
│ │ ├── afl_types.h
│ │ ├── mutators.c
│ │ └── mutators.h
│ ├── ni_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── ni_mutator.c
│ │ └── ni_mutator.h
│ ├── nop_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── nop_mutator.c
│ │ └── nop_mutator.h
│ ├── radamsa_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── radamsa_mutator.c
│ │ └── radamsa_mutator.h
│ ├── splice_mutator/
│ │ ├── CMakeLists.txt
│ │ ├── splice_mutator.c
│ │ └── splice_mutator.h
│ └── zzuf_mutator/
│ ├── CMakeLists.txt
│ ├── zzuf_mutator.c
│ └── zzuf_mutator.h
├── picker/
│ ├── CMakeLists.txt
│ └── main.c
├── python/
│ └── manager/
│ ├── app/
│ │ ├── __init__.py
│ │ ├── config.py
│ │ └── encoder.py
│ ├── controller/
│ │ ├── Config.py
│ │ ├── File.py
│ │ ├── Hello.py
│ │ ├── Job.py
│ │ ├── Log.py
│ │ ├── Minimize.py
│ │ ├── Results.py
│ │ ├── Status.py
│ │ ├── Target.py
│ │ ├── Update.py
│ │ └── __init__.py
│ ├── lib/
│ │ ├── __init__.py
│ │ ├── boinc.py
│ │ ├── errors.py
│ │ └── fuzzer.py
│ ├── model/
│ │ ├── Config.py
│ │ ├── FuzzingJob.py
│ │ ├── FuzzingResults.py
│ │ ├── FuzzingTarget.py
│ │ ├── __init__.py
│ │ ├── instrumentation_state.py
│ │ ├── job_inputs.py
│ │ └── tracer_info.py
│ ├── requirements.txt
│ ├── server.py
│ └── tests/
│ ├── job_query_test.py
│ ├── minimizer_test.py
│ └── seeds.py
├── server/
│ ├── add_target.py
│ ├── boinc_submit.py
│ ├── killerbeez_assimilator.py
│ └── skel/
│ ├── templates/
│ │ ├── windows_x86_64_in
│ │ ├── windows_x86_64_out
│ │ ├── x86_64-pc-linux-gnu_in
│ │ └── x86_64-pc-linux-gnu_out
│ ├── windows_x86_64/
│ │ ├── flatten_results.ps1
│ │ ├── job.xml
│ │ ├── unpack_killerbeez.ps1
│ │ └── version.xml
│ └── x86_64-pc-linux-gnu/
│ ├── flatten_results.sh
│ ├── job.xml
│ ├── unpack_killerbeez.sh
│ └── version.xml
├── tests/
│ ├── build.bat
│ ├── smoke_test.sh
│ └── test-fuzzer.sh
├── tools/
│ ├── README.md
│ ├── release_excludes.txt
│ ├── release_vs2017.bat
│ ├── release_vs2019.bat
│ └── setup_build_env.ps1
├── tracer/
│ ├── CMakeLists.txt
│ └── main.c
├── utils/
│ ├── XGetopt.c
│ ├── XGetopt.h
│ ├── global_types.h
│ ├── mutator_factory.c
│ ├── mutator_factory.h
│ ├── utils.c
│ └── utils.h
├── vagrant/
│ ├── README.md
│ ├── ci_runner/
│ │ ├── Dockerfile
│ │ ├── Vagrantfile
│ │ ├── register_docker_runner.sh
│ │ ├── runner.ps1
│ │ ├── runner.sh
│ │ └── runner_vars.example
│ ├── debian/
│ │ ├── buster/
│ │ │ └── Vagrantfile
│ │ ├── jessie/
│ │ │ └── Vagrantfile
│ │ └── stretch/
│ │ └── Vagrantfile
│ ├── dependencies.sh
│ ├── fedora/
│ │ ├── 29/
│ │ │ └── Vagrantfile
│ │ └── 30/
│ │ └── Vagrantfile
│ ├── setup.sh
│ └── ubuntu/
│ ├── bionic/
│ │ └── Vagrantfile
│ ├── disco/
│ │ └── Vagrantfile
│ ├── trusty/
│ │ └── Vagrantfile
│ └── xenial/
│ └── Vagrantfile
└── winafl/
├── CMakeLists.txt
├── modules.c
├── modules.h
├── utils.h
└── winafl.c
SYMBOL INDEX (1463 symbols across 175 files)
FILE: afl_progs/afl-as.c
function edit_params (line 88) | static void edit_params(int argc, char** argv) {
function main (line 469) | int main(int argc, char** argv) {
FILE: afl_progs/afl-gcc.c
function find_as (line 56) | static void find_as(u8* argv0) {
function edit_params (line 110) | static void edit_params(u32 argc, char** argv) {
function main (line 302) | int main(int argc, char** argv) {
FILE: afl_progs/afl-showmap.c
function classify_counts (line 106) | static void classify_counts(u8* mem, const u8* map) {
function remove_shm (line 131) | static void remove_shm(void) {
function setup_shm (line 140) | static void setup_shm(void) {
function u32 (line 164) | static u32 write_results(void) {
function handle_timeout (line 232) | static void handle_timeout(int sig) {
function run_target (line 242) | static void run_target(char** argv) {
function handle_stop_sig (line 357) | static void handle_stop_sig(int sig) {
function set_up_environment (line 368) | static void set_up_environment(void) {
function setup_signal_handlers (line 391) | static void setup_signal_handlers(void) {
function detect_file_args (line 418) | static void detect_file_args(char** argv) {
function show_banner (line 462) | static void show_banner(void) {
function usage (line 470) | static void usage(u8* argv0) {
function find_binary (line 504) | static void find_binary(u8* fname) {
function main (line 620) | int main(int argc, char** argv) {
FILE: afl_progs/alloc-inl.h
function DFL_ck_free (line 139) | static inline void DFL_ck_free(void* mem) {
function u8 (line 258) | static inline u8* DFL_ck_strdup(u8* str) {
function u8 (line 309) | static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
type TRK_obj (line 358) | struct TRK_obj {
type TRK_obj (line 366) | struct TRK_obj
type TRK_obj (line 373) | struct TRK_obj
function TRK_alloc_buf (line 387) | static inline void TRK_alloc_buf(void* ptr, const char* file, const char...
function TRK_free_buf (line 427) | static inline void TRK_free_buf(void* ptr, const char* file, const char*...
function TRK_report (line 455) | static inline void TRK_report(void) {
function TRK_ck_free (line 534) | static inline void TRK_ck_free(void* ptr, const char* file,
FILE: afl_progs/hash.h
function u32 (line 36) | static inline u32 hash32(const void* key, u32 len, u32 seed) {
function u32 (line 71) | static inline u32 hash32(const void* key, u32 len, u32 seed) {
FILE: afl_progs/llvm_mode/afl-clang-fast.c
function find_obj (line 43) | static void find_obj(u8* argv0) {
function edit_params (line 97) | static void edit_params(u32 argc, char** argv) {
function main (line 314) | int main(int argc, char** argv) {
FILE: afl_progs/llvm_mode/afl-llvm-pass.so.cc
class AFLCoverage (line 45) | class AFLCoverage : public ModulePass {
method AFLCoverage (line 50) | AFLCoverage() : ModulePass(ID) { }
function registerAFLPass (line 173) | static void registerAFLPass(const PassManagerBuilder &,
FILE: afl_progs/llvm_mode/afl-llvm-rt.o.c
function __afl_map_shm (line 73) | static void __afl_map_shm(void) {
function __afl_start_forkserver (line 103) | static void __afl_start_forkserver(void) {
function __afl_start_forkserver_persistence (line 162) | static void __afl_start_forkserver_persistence(void) {
function __afl_persistent_loop (line 253) | int __afl_persistent_loop(void) {
function __afl_manual_init (line 292) | void __afl_manual_init(void) {
function __afl_auto_init (line 309) | __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
function __sanitizer_cov_trace_pc_guard (line 327) | void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
function __sanitizer_cov_trace_pc_guard_init (line 336) | void __sanitizer_cov_trace_pc_guard_init(uint32_t* start, uint32_t* stop) {
FILE: afl_progs/qemu_mode/patches/afl-qemu-cpu-inl.h
type afl_tb (line 92) | struct afl_tb {
type afl_tsl (line 98) | struct afl_tsl {
type afl_chain (line 103) | struct afl_chain {
function afl_setup (line 119) | static void afl_setup(void) {
function afl_forkserver (line 172) | static void afl_forkserver(CPUState *cpu) {
function afl_request_tsl (line 253) | static void afl_request_tsl(target_ulong pc, target_ulong cb, uint32_t f...
function afl_wait_tsl (line 284) | static void afl_wait_tsl(CPUState *cpu, int fd) {
FILE: afl_progs/qemu_mode/patches/afl-qemu-translate-inl.h
function afl_gen_trace (line 41) | static void afl_gen_trace(target_ulong cur_loc)
FILE: afl_progs/test-instr.c
function main (line 21) | int main(int argc, char** argv) {
FILE: afl_progs/types.h
type u8 (line 23) | typedef uint8_t u8;
type u16 (line 24) | typedef uint16_t u16;
type u32 (line 25) | typedef uint32_t u32;
type u64 (line 44) | typedef unsigned long long u64;
type u64 (line 46) | typedef uint64_t u64;
type s8 (line 49) | typedef int8_t s8;
type s16 (line 50) | typedef int16_t s16;
type s32 (line 51) | typedef int32_t s32;
type s64 (line 52) | typedef int64_t s64;
FILE: corpus/afl_test/test.c
function test_func (line 5) | int test_func()
function main (line 49) | int main()
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_stdarg.h
type __builtin_va_list (line 32) | typedef __builtin_va_list va_list;
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/ctype.c
function cgc_isdigit (line 37) | int cgc_isdigit( int c )
function cgc_isupper (line 45) | int cgc_isupper( int c )
function cgc_islower (line 53) | int cgc_islower( int c )
function cgc_isalpha (line 61) | int cgc_isalpha( int c )
function cgc_isalnum (line 69) | int cgc_isalnum( int c )
function cgc_isprint (line 77) | int cgc_isprint( int c )
function cgc_toupper (line 86) | int cgc_toupper( int c )
function cgc_tolower (line 94) | int cgc_tolower( int c )
function cgc_isspace (line 102) | int cgc_isspace( int c )
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/libc.c
function cgc_receive_all (line 33) | int cgc_receive_all(char *buf, int length) {
function cgc_receive_all_fd (line 38) | int cgc_receive_all_fd(int fd, char *buf, int length) {
function cgc_receive_str_until_fd (line 63) | int cgc_receive_str_until_fd(int fd, char *buf, int length, char delim) {
function cgc_receive_until_fd (line 94) | int cgc_receive_until_fd(int fd, char *buf, int length, char delim) {
function cgc_buffered_receive (line 128) | int cgc_buffered_receive(char *buf, int length)
function cgc_receive_until (line 158) | int cgc_receive_until(char *buf, int length, char delim) {
function cgc_buffered_receive_until (line 162) | int cgc_buffered_receive_until(char *buf, int length, char delim)
function cgc_send_all (line 206) | int cgc_send_all(char *buf, int length) {
function cgc_send_all_fd (line 210) | int cgc_send_all_fd(int fd, char *buf, int length) {
function cgc_equals (line 230) | int cgc_equals(char *d, char *s) {
function cgc_replace (line 243) | int cgc_replace(char *s, char find, char replace, int num) {
function cgc_force_newline (line 266) | int cgc_force_newline(char *s, int size, int bytes) {
function cgc_getopt (line 281) | int cgc_getopt(int argc, char **argv, char *optstring, int *opt_index) {
function cgc_bcopy (line 303) | void cgc_bcopy(char *s, char *d, cgc_size_t size) {
function cgc_exit (line 311) | void cgc_exit(int e) {
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/malloc.c
type meta (line 32) | typedef struct meta {
function cgc_link (line 45) | void cgc_link( pmeta linkme )
function cgc_add_freelist_block (line 81) | void cgc_add_freelist_block( cgc_size_t length )
function cgc_free (line 112) | void cgc_free( void *block )
function cgc_init_freelist (line 124) | void cgc_init_freelist( void )
function cgc_unlink (line 154) | void cgc_unlink( pmeta block )
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/math.c
function cgc_round (line 29) | double cgc_round( double val )
function cgc_floor (line 40) | double cgc_floor( double val )
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/prng.c
function cgc_seed_prng_array (line 39) | void cgc_seed_prng_array( uint32_t *pSeedArray, uint32_t arrayLen )
function cgc_seed_prng (line 64) | void cgc_seed_prng( uint32_t seedValue )
function cgc_prng (line 69) | uint32_t cgc_prng( void )
function cgc_random_in_range (line 93) | uint32_t cgc_random_in_range( uint32_t min, uint32_t max )
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/shell.c
function cgc_runshellcommand (line 34) | void cgc_runshellcommand(char *cmd) {
function cgc_shell (line 59) | void cgc_shell() {
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/stdio.c
function cgc_WRAPPER_PUTC (line 49) | int cgc_WRAPPER_PUTC( void *ctx, int c, cgc_size_t pos )
function cgc_WRAPPER_OUTC (line 59) | int cgc_WRAPPER_OUTC( void *ctx, int c, cgc_size_t pos )
type BUFFER_PUTC_DATA (line 67) | struct BUFFER_PUTC_DATA
type tBufferPutcData (line 73) | typedef struct BUFFER_PUTC_DATA tBufferPutcData;
function cgc_WRAPPER_BUFFER_PUTC (line 77) | int cgc_WRAPPER_BUFFER_PUTC( void *ctx, int c, cgc_size_t pos )
function cgc_putchar (line 105) | int cgc_putchar( int c )
function cgc_puts (line 115) | int cgc_puts( const char *s )
function cgc_vprintf_buffered (line 138) | int cgc_vprintf_buffered( const char *format, va_list args )
function cgc_printf (line 169) | int cgc_printf( const char *format, ... )
function vprintf (line 182) | int vprintf( const char *format, va_list args )
function cgc_sprintf (line 192) | int cgc_sprintf( char *buf, const char *format, ... )
function cgc_vsprintf (line 204) | int cgc_vsprintf( char *buf, const char *format, va_list args )
function cgc_size_t (line 218) | cgc_size_t cgc_printf_int_to_string( uint32_t val, uint32_t base, char *...
function cgc_size_t (line 253) | cgc_size_t cgc_printf_helper_int( void *ctx, tPrintfWrapperFP fpOut, cgc...
function cgc_size_t (line 325) | cgc_size_t cgc_printf_float_to_string( double val, uint8_t fraction_prec...
function cgc_size_t (line 538) | cgc_size_t cgc_printf_helper_float( void *ctx, tPrintfWrapperFP fpOut, c...
function cgc_size_t (line 602) | cgc_size_t cgc_printf_helper_string( void *ctx, tPrintfWrapperFP fpOut, ...
function cgc_wrapper_output (line 655) | int cgc_wrapper_output( void *ctx, tPrintfWrapperFP fpOut, cgc_size_t po...
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/stdlib.c
function cgc_rand (line 35) | int cgc_rand( void )
function cgc_srand (line 40) | void cgc_srand( unsigned int seed )
function cgc_atoi (line 45) | int cgc_atoi( const char *pStr )
function cgc_atof (line 72) | double cgc_atof( char *pStr )
function cgc_strtol (line 164) | long int cgc_strtol( const char *str, char **endptr, int base )
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/string.c
function cgc_size_t (line 29) | cgc_size_t cgc_strlen( const char *str )
function cgc_bzero (line 38) | void cgc_bzero(void *s, cgc_size_t n) {
function cgc_strcmp (line 138) | int cgc_strcmp(const char *s1, const char *s2) {
function cgc_strncmp (line 145) | int cgc_strncmp(const char *s1, const char *s2, cgc_size_t n) {
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/src/cgc_sendmail.h
type address (line 29) | typedef struct address_s {
type message (line 36) | typedef struct message_s {
type address_book (line 46) | typedef struct address_book_s {
type mail_queue (line 51) | typedef struct mail_queue_s {
FILE: corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/src/sendmail.c
function address (line 56) | address *cgc_add_random_addressbook_entry() {
function cgc_initialize_address_book (line 77) | void cgc_initialize_address_book() {
function address (line 85) | address *cgc_pick_address() {
function address (line 101) | address *cgc_lookup_name(char *name) {
function mail_queue (line 112) | mail_queue *cgc_add_random_queue() {
function message (line 129) | message *cgc_add_random_message(mail_queue *mq) {
function cgc_initialize_mail_queues (line 147) | void cgc_initialize_mail_queues() {
function cgc_print_address_book (line 155) | void cgc_print_address_book() {
function cgc_sendmail_post (line 176) | void cgc_sendmail_post(char *line) {
function mail_queue (line 268) | mail_queue *cgc_locate_queue(char *name) {
function cgc_list_queue (line 279) | void cgc_list_queue(char *line) {
function cgc_list_all_queues (line 300) | void cgc_list_all_queues() {
function cgc_read_message (line 320) | void cgc_read_message(char *line) {
function main (line 342) | int main(int cgc_argc, char *cgc_argv[]) {
FILE: corpus/cgc/SOLFEDGE/lib/libc.c
function cgc_send (line 30) | int cgc_send(const char *buf, const cgc_size_t size) {
function cgc_transmit_all (line 38) | int cgc_transmit_all(int fd, const char *buf, const cgc_size_t size) {
function cgc_recv_all (line 61) | unsigned int cgc_recv_all(char *res_buf, cgc_size_t res_buf_size) {
function cgc_read_all (line 65) | unsigned int cgc_read_all(int fd, char *buf, unsigned int size) {
FILE: corpus/cgc/SOLFEDGE/src/operation.c
function cgc_get_syllable_for_note_id (line 34) | int cgc_get_syllable_for_note_id(int note_id, char *syllable_buf) {
function cgc_get_note_for_syllable_id (line 81) | int cgc_get_note_for_syllable_id(int syllable_id, char *note_buf) {
function cgc_get_next_note_id (line 119) | int cgc_get_next_note_id(const char *str) {
function cgc_get_next_syllable_id (line 155) | int cgc_get_next_syllable_id(const char *str, char *bytes_read) {
function cgc_write_note_to_buf (line 193) | int cgc_write_note_to_buf(int syllable_id, char *notes_buf) {
function cgc_write_syllable_to_buf (line 213) | int cgc_write_syllable_to_buf(int note_id, char *syllable_buf) {
function cgc_process_syllables (line 240) | int cgc_process_syllables(uint32_t bytes_count, char *syllables_buf, cha...
function cgc_send_syllables (line 324) | void cgc_send_syllables(uint32_t bytes_count, char *syllable_buf) {
function cgc_send_notes (line 331) | void cgc_send_notes(uint32_t bytes_count, char *notes_buf) {
function cgc_recv_bytes_count (line 341) | uint32_t cgc_recv_bytes_count() {
function cgc_to_syllables (line 356) | int cgc_to_syllables(char *syllables_buf, char *notes_buf) {
function cgc_to_notes (line 396) | int cgc_to_notes(char *syllables_buf, char *notes_buf) {
FILE: corpus/cgc/SOLFEDGE/src/service.c
function main (line 32) | int main(int cgc_argc, char *cgc_argv[]) {
FILE: corpus/cgc/String_Storage_and_Retrieval/lib/cgc_stdarg.h
type __builtin_va_list (line 32) | typedef __builtin_va_list __gnuc_va_list;
type __gnuc_va_list (line 39) | typedef __gnuc_va_list va_list;
FILE: corpus/cgc/String_Storage_and_Retrieval/lib/cgc_stdlib.h
type heap_block_header (line 36) | typedef struct _heap_block_header {
type heap_header (line 43) | typedef struct _heap_header {
type heap_metadata (line 48) | typedef struct _heap_metadata {
FILE: corpus/cgc/String_Storage_and_Retrieval/lib/malloc.c
function cgc_free (line 199) | void cgc_free( void *pItem )
FILE: corpus/cgc/String_Storage_and_Retrieval/lib/mymath.c
function cgc_floor (line 30) | double cgc_floor( double val )
function cgc_round_away_from_zero (line 40) | double cgc_round_away_from_zero( double val )
function cgc_round (line 50) | double cgc_round( double val, double n )
FILE: corpus/cgc/String_Storage_and_Retrieval/lib/new_printf.c
function cgc_putc (line 35) | int cgc_putc( int c )
function cgc_int_to_str (line 45) | void cgc_int_to_str( int val, char *buf )
function cgc_uint_to_str (line 82) | void cgc_uint_to_str( unsigned int val, char *buf )
function cgc_int_to_hex (line 111) | void cgc_int_to_hex( unsigned int val, char *buf )
function cgc_float_to_str (line 142) | void cgc_float_to_str( double val, char *buf, int precision )
function cgc_vprintf (line 224) | int cgc_vprintf( const char *fmt, va_list arg )
function cgc_vsprintf (line 593) | int cgc_vsprintf( char *str, const char *fmt, va_list arg )
function cgc_printf (line 893) | int cgc_printf( const char *fmt, ... )
function cgc_sprintf (line 911) | int cgc_sprintf( char *str, const char *fmt, ... )
FILE: corpus/cgc/String_Storage_and_Retrieval/lib/stdlib.c
function cgc_memcpy (line 30) | int cgc_memcpy( void *dest, void *src, cgc_size_t n )
function cgc_islower (line 42) | int cgc_islower( int c )
function cgc_isupper (line 50) | int cgc_isupper( int c )
function cgc_isalpha (line 58) | int cgc_isalpha( int c )
function cgc_isalnum (line 63) | int cgc_isalnum( int c )
function cgc_isspace (line 68) | int cgc_isspace( int c )
function cgc_isdigit (line 81) | int cgc_isdigit( int c )
function cgc_isnan (line 89) | int cgc_isnan( double val )
function cgc_isinf (line 94) | int cgc_isinf( double val )
function cgc_atof (line 99) | double cgc_atof(const char* str)
function cgc_atoi (line 168) | int cgc_atoi(const char* str)
function cgc_bzero (line 257) | void cgc_bzero( void *buff, cgc_size_t len )
function cgc_strcmp (line 287) | int cgc_strcmp( const char *s1, const char *s2 )
function cgc_flush_input (line 314) | int cgc_flush_input(int fd) {
function cgc_size_t (line 345) | cgc_size_t cgc_getline( char *buffer, cgc_size_t len) {
function cgc_size_t (line 359) | cgc_size_t cgc_receive_until( char *dst, char delim, cgc_size_t max )
function cgc_receive_bytes (line 389) | int cgc_receive_bytes (unsigned char *buffer, cgc_size_t size)
function cgc_size_t (line 417) | cgc_size_t cgc_strcat( char *dest, char* src )
function cgc_size_t (line 437) | cgc_size_t cgc_strlen( char * str )
function cgc_size_t (line 451) | cgc_size_t cgc_itoa( char *out, cgc_size_t val, cgc_size_t max )
function cgc_puts (line 489) | void cgc_puts( char *t )
function cgc_size_t (line 587) | cgc_size_t cgc_write( const void *buf, cgc_size_t count )
FILE: corpus/cgc/String_Storage_and_Retrieval/src/bst.c
function cgc_insert_node (line 34) | int cgc_insert_node(bst_node_type **head, data_item_type *data, unsigned...
function cgc_delete_node (line 157) | int cgc_delete_node(bst_node_type **head, char *str, unsigned long key) {
function cgc_walk_tree (line 372) | int cgc_walk_tree(bst_node_type *node) {
function cgc_make_key_from_name (line 405) | unsigned long cgc_make_key_from_name(void *data_item) {
function cgc_count_bst_stats (line 422) | int cgc_count_bst_stats(bst_node_type *head, bst_stats_type *stats) {
function cgc_count_nodes (line 484) | int cgc_count_nodes(bst_node_type *node, bst_stats_type *stats) {
FILE: corpus/cgc/String_Storage_and_Retrieval/src/delete_matches.c
function cgc_delete_matches (line 31) | void cgc_delete_matches(bst_node_type **head, int arg_count, char **args...
FILE: corpus/cgc/String_Storage_and_Retrieval/src/find_matches.c
function cgc_find_matches (line 30) | void cgc_find_matches(bst_node_type *head, int arg_count, char **args) {
FILE: corpus/cgc/String_Storage_and_Retrieval/src/parse.c
function cgc_parse_command (line 30) | int cgc_parse_command(char *buffer, char separator, char ***args) {
FILE: corpus/cgc/String_Storage_and_Retrieval/src/service.c
function main (line 33) | int main(int cgc_argc, char *cgc_argv[]) {
FILE: corpus/cgc/String_Storage_and_Retrieval/src/string_token.c
function cgc_str_token (line 29) | unsigned long cgc_str_token( char *str) {
FILE: corpus/cgc/UTF-late/lib/cgc_libc.h
type FILE (line 231) | typedef struct _FILE {
FILE: corpus/cgc/UTF-late/lib/cgc_list.h
type list_node (line 34) | struct list_node {
type list (line 38) | struct list {
function list_length (line 166) | static inline unsigned int
function cgc_list_insert_before (line 185) | static inline void
function cgc_list_insert_after (line 237) | static inline void
function cgc_list_push_front (line 266) | static inline void
function cgc_list_push_back (line 289) | static inline void
function cgc_list_insert_in_order (line 313) | static inline void
type list_node (line 350) | struct list_node
type list (line 351) | struct list
type list_node (line 351) | struct list_node
type list_node (line 354) | struct list_node
function cgc_list_remove (line 384) | static inline void
type list_node (line 420) | struct list_node
type list (line 421) | struct list
type list_node (line 423) | struct list_node
type list_node (line 445) | struct list_node
type list (line 446) | struct list
type list_node (line 448) | struct list_node
FILE: corpus/cgc/UTF-late/lib/cgc_utf8.h
type utf8_decode_state (line 33) | enum utf8_decode_state {
type utf8char (line 41) | typedef unsigned char utf8char;
type ucscodepoint (line 42) | typedef unsigned int ucscodepoint;
type utf8_decode_state (line 44) | enum utf8_decode_state
type utf8_decode_state (line 44) | enum utf8_decode_state
FILE: corpus/cgc/UTF-late/lib/cgc_vfs.h
type directory (line 37) | struct directory {
type file (line 45) | struct file {
type vfs (line 53) | struct vfs {
type vfs (line 57) | struct vfs
type vfs (line 58) | struct vfs
type directory (line 60) | struct directory
type vfs (line 60) | struct vfs
type file (line 61) | struct file
type vfs (line 61) | struct vfs
type directory (line 63) | struct directory
type vfs (line 63) | struct vfs
type directory (line 64) | struct directory
type vfs (line 64) | struct vfs
type directory (line 64) | struct directory
type file (line 65) | struct file
type vfs (line 65) | struct vfs
type file (line 66) | struct file
type vfs (line 66) | struct vfs
type directory (line 66) | struct directory
type vfs (line 68) | struct vfs
type file (line 68) | struct file
type vfs (line 71) | struct vfs
FILE: corpus/cgc/UTF-late/lib/libc.c
function cgc_ssize_t (line 26) | cgc_ssize_t
function cgc_ssize_t (line 43) | cgc_ssize_t
function cgc_size_t (line 79) | cgc_size_t
function cgc_strcmp (line 87) | int
function cgc_strncmp (line 95) | int
type __builtin_va_list (line 170) | typedef __builtin_va_list va_list;
function isalpha (line 221) | int isalpha(int c) {
function isdigit (line 225) | int isdigit(int c) {
function isxdigit (line 229) | int isxdigit(int c) {
function toupper (line 233) | int toupper(int c) {
function vfprintf (line 240) | int vfprintf(FILE * stream, const char *format, va_list ap) {
function fprintf (line 244) | int fprintf(FILE * stream, const char *format, ...) {
function cgc_printf (line 250) | int cgc_printf(const char *format, ...) {
type _fd_printer (line 256) | struct _fd_printer {
function fd_printer (line 263) | static unsigned int fd_printer(char ch, void *_fp, int flag) {
function hex_value_of (line 353) | static int hex_value_of(char ch) {
function printf_core (line 365) | static void printf_core(unsigned int (*func)(char, void *, int), void *u...
function vdprintf (line 1191) | int vdprintf(int fd, const char *format, va_list ap) {
FILE: corpus/cgc/UTF-late/lib/malloc.c
type chunk (line 28) | struct chunk {
type list (line 39) | struct list
function cgc_log_base_two (line 55) | static inline unsigned int
type chunk (line 65) | struct chunk
type chunk (line 70) | struct chunk
function cgc_mark_allocated (line 76) | static void
function cgc_mark_free (line 83) | static void
function cgc_find_fit (line 90) | static int
function cgc_size_cmp (line 99) | static int
type chunk (line 111) | struct chunk
type chunk (line 122) | struct chunk
type chunk (line 125) | struct chunk
type chunk (line 136) | struct chunk
type chunk (line 137) | struct chunk
type chunk (line 139) | struct chunk
type chunk (line 139) | struct chunk
type chunk (line 155) | struct chunk
type chunk (line 156) | struct chunk
type chunk (line 158) | struct chunk
type chunk (line 170) | struct chunk
type chunk (line 181) | struct chunk
type chunk (line 193) | struct chunk
function cgc_free (line 227) | void
FILE: corpus/cgc/UTF-late/lib/utf8.c
type utf8_decode_state (line 27) | enum utf8_decode_state
type utf8_decode_state (line 28) | enum utf8_decode_state
function cgc_ssize_t (line 87) | cgc_ssize_t
function cgc_size_t (line 128) | cgc_size_t
FILE: corpus/cgc/UTF-late/lib/vfs.c
function cgc_vfs_init (line 28) | int
function cgc_directory_destroy (line 34) | static void
function cgc_vfs_destroy (line 51) | void
function cgc_dir_eq (line 57) | static int
function cgc_file_eq (line 66) | static int
type directory (line 75) | struct directory
type vfs (line 76) | struct vfs
type directory (line 78) | struct directory
type directory (line 79) | struct directory
type file (line 119) | struct file
type vfs (line 120) | struct vfs
type file (line 122) | struct file
type directory (line 123) | struct directory
type directory (line 150) | struct directory
type vfs (line 151) | struct vfs
type directory (line 153) | struct directory
type directory (line 154) | struct directory
type directory (line 180) | struct directory
type vfs (line 181) | struct vfs
type directory (line 181) | struct directory
type directory (line 183) | struct directory
type directory (line 198) | struct directory
type directory (line 201) | struct directory
type file (line 207) | struct file
type vfs (line 208) | struct vfs
type file (line 210) | struct file
type directory (line 211) | struct directory
type file (line 237) | struct file
type vfs (line 238) | struct vfs
type directory (line 238) | struct directory
type file (line 240) | struct file
type file (line 255) | struct file
type file (line 258) | struct file
function cgc_delete_file (line 264) | void
function dump_directory (line 276) | static void
function dump_vfs (line 297) | void
FILE: corpus/cgc/UTF-late/src/service.c
type vfs (line 29) | struct vfs
type directory (line 30) | struct directory
type directory (line 31) | struct directory
type fileserver_ops (line 36) | enum fileserver_ops {
function cgc_canonicalize_path (line 42) | static int
function cgc_read_file (line 62) | static int
function cgc_write_file (line 85) | static int
function cgc_list_files (line 132) | static int
function main (line 144) | int
FILE: corpus/cgc/cotton_swab_arithmetic/lib/cgc_libc.h
type FILE (line 55) | typedef struct _FILE {
FILE: corpus/cgc/cotton_swab_arithmetic/lib/libc.c
function cgc_receive_all (line 28) | int cgc_receive_all(int fd, void *buf, cgc_size_t count, cgc_size_t *rx_...
function cgc_transmit_all (line 64) | int cgc_transmit_all(int fd, const void *buf, cgc_size_t count, cgc_size...
type __builtin_va_list (line 107) | typedef __builtin_va_list va_list;
function isalpha (line 158) | int isalpha(int c) {
function isdigit (line 162) | int isdigit(int c) {
function isxdigit (line 166) | int isxdigit(int c) {
function toupper (line 170) | int toupper(int c) {
function cgc_size_t (line 177) | cgc_size_t cgc_strlen(const char *str) {
function vfprintf (line 183) | int vfprintf(FILE * stream, const char *format, va_list ap) {
function fprintf (line 187) | int fprintf(FILE * stream, const char *format, ...) {
type _fd_printer (line 193) | struct _fd_printer {
function fd_printer (line 200) | static unsigned int fd_printer(char ch, void *_fp, int flag) {
function hex_value_of (line 290) | static int hex_value_of(char ch) {
function printf_core (line 302) | static void printf_core(unsigned int (*func)(char, void *, int), void *u...
function vdprintf (line 1129) | int vdprintf(int fd, const char *format, va_list ap) {
FILE: corpus/cgc/cotton_swab_arithmetic/src/cgc_service.h
type inst_t (line 35) | typedef struct instruction {
FILE: corpus/cgc/cotton_swab_arithmetic/src/service.c
function cgc_inst_decode (line 33) | int cgc_inst_decode(uint8_t *bytes, uint16_t len, inst_t *inst) {
function cgc_bytecode_exec (line 188) | int cgc_bytecode_exec(uint8_t *bytes, uint16_t len, uint8_t *scratch, ui...
function main (line 349) | int main(int cgc_argc, char *cgc_argv[]) {
FILE: corpus/google/vorbis/decode_fuzzer.cc
type vorbis_data (line 8) | struct vorbis_data {
function read_func (line 14) | size_t read_func(void *ptr, size_t size1, size_t size2, void *datasource) {
function LLVMFuzzerTestOneInput (line 26) | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
function main (line 52) | int main(int argc, char ** argv)
FILE: corpus/hang/hang.c
function main (line 1) | int main()
FILE: corpus/libtest/lib1.c
function test_func1 (line 3) | int test_func1(char * buffer)
FILE: corpus/libtest/lib2.c
function test_func2 (line 3) | int test_func2(char * buffer)
FILE: corpus/libtest/test.c
function main (line 5) | int main()
FILE: corpus/network/client/client.cpp
function process_data (line 30) | void process_data(char * buffer)
function main (line 65) | int main(int argc, char ** argv)
FILE: corpus/network/server/server.cpp
function process_data (line 33) | void process_data(char * buffer)
function tcp_listen (line 70) | int tcp_listen(int * sock)
function udp_listen (line 119) | int udp_listen(int * sock)
function main (line 155) | int main(int argc, char ** argv)
FILE: corpus/persist/test.c
function test_func (line 9) | int test_func()
function main (line 51) | int main()
FILE: corpus/test/test.c
function main (line 4) | int main(int argc, char ** argv)
FILE: docs/api/files/driver_t.c
type driver (line 1) | struct driver
type driver_t (line 9) | typedef struct driver driver_t;
FILE: docs/api/files/instrumentation_edge_t.c
type instrumentation_edge (line 1) | struct instrumentation_edge
type instrumentation_edge_t (line 11) | typedef struct instrumentation_edge instrumentation_edge_t;
FILE: docs/api/files/instrumentation_t.c
type instrumentation (line 1) | struct instrumentation
type instrumentation_t (line 20) | typedef struct instrumentation instrumentation_t;
FILE: docs/api/files/mutator_t.c
type mutator_t (line 1) | typedef struct mutator
FILE: driver/driver.c
function generic_wait_for_process_completion (line 29) | int generic_wait_for_process_completion(pid_t process, int timeout, inst...
function generic_test_next_input (line 75) | int generic_test_next_input(void * state, mutator_t * mutator, void * mu...
function setup_mutate_buffer (line 100) | int setup_mutate_buffer(double ratio, size_t input_length, char ** buffe...
function send_tcp_input (line 128) | int send_tcp_input(int * sock, char * buffer, size_t length)
FILE: driver/driver.h
type driver (line 26) | struct driver
type driver_t (line 34) | typedef struct driver driver_t;
FILE: driver/driver_factory.c
function DRIVER_API (line 26) | DRIVER_API driver_t * driver_factory(char * driver_type, char * options)
function DRIVER_API (line 40) | DRIVER_API driver_t * driver_instrumentation_factory(char * driver_type,...
function DRIVER_API (line 55) | DRIVER_API driver_t * driver_mutator_factory(char * driver_type, char * ...
function DRIVER_API (line 72) | DRIVER_API driver_t * driver_all_factory(char * driver_type, char * opti...
function DRIVER_API (line 147) | DRIVER_API char * driver_help(void)
FILE: driver/file_driver.c
function file_state_t (line 26) | static file_state_t * setup_options(char * options)
function file_cleanup (line 168) | void file_cleanup(void * driver_state)
function file_test_input (line 194) | int file_test_input(void * driver_state, char * input, size_t length)
function file_test_next_input (line 218) | int file_test_next_input(void * driver_state)
function file_help (line 249) | int file_help(char ** help_str)
FILE: driver/file_driver.h
type file_state (line 14) | struct file_state
type file_state_t (line 46) | typedef struct file_state file_state_t;
FILE: driver/network_client_driver.c
function network_client_state_t (line 40) | static network_client_state_t * setup_options(char * options)
function network_client_cleanup (line 171) | void network_client_cleanup(void * driver_state)
function start_listener (line 203) | static int start_listener(network_client_state_t * state, int * sock)
function network_client_run (line 275) | static int network_client_run(network_client_state_t * state, char ** in...
function network_client_test_input (line 354) | int network_client_test_input(void * driver_state, char * input, size_t ...
function network_client_test_next_input (line 384) | int network_client_test_next_input(void * driver_state)
function network_client_help (line 442) | int network_client_help(char ** help_str)
FILE: driver/network_client_driver.h
type network_client_state (line 18) | struct network_client_state
type network_client_state_t (line 56) | typedef struct network_client_state network_client_state_t;
FILE: driver/network_server_driver.c
function network_server_state_t (line 39) | static network_server_state_t * setup_options(char * options)
function network_server_cleanup (line 83) | void network_server_cleanup(void * driver_state)
type sockaddr_in (line 189) | struct sockaddr_in
type sockaddr (line 208) | struct sockaddr
type sockaddr (line 211) | struct sockaddr
function send_udp_input (line 232) | static int send_udp_input(network_server_state_t * state, int * sock, ch...
function is_port_listening (line 254) | static int is_port_listening(int port, int udp)
function network_server_run (line 384) | static int network_server_run(network_server_state_t * state, char ** in...
function network_server_test_input_cleanup (line 444) | static void network_server_test_input_cleanup(char ** inputs, size_t inp...
function network_server_test_input (line 460) | int network_server_test_input(void * driver_state, char * input, size_t ...
function network_server_test_next_input (line 491) | int network_server_test_next_input(void * driver_state)
function network_server_help (line 553) | int network_server_help(char ** help_str)
FILE: driver/network_server_driver.h
type network_server_state (line 18) | struct network_server_state
type network_server_state_t (line 59) | typedef struct network_server_state network_server_state_t;
FILE: driver/stdin_driver.c
function stdin_state_t (line 27) | static stdin_state_t * setup_options(char * options)
function stdin_cleanup (line 111) | void stdin_cleanup(void * driver_state)
function stdin_test_input (line 130) | int stdin_test_input(void * driver_state, char * input, size_t length)
function stdin_test_next_input (line 149) | int stdin_test_next_input(void * driver_state)
function stdin_help (line 180) | int stdin_help(char ** help_str)
FILE: driver/stdin_driver.h
type stdin_state (line 15) | struct stdin_state
type stdin_state_t (line 45) | typedef struct stdin_state stdin_state_t;
FILE: driver/wmp_driver.cpp
function wmp_state_t (line 28) | static wmp_state_t * setup_options(char * options)
function wmp_cleanup (line 115) | void wmp_cleanup(void * driver_state)
function wmp_test_input (line 140) | int wmp_test_input(void * driver_state, char * input, size_t length)
function wmp_test_next_input (line 200) | int wmp_test_next_input(void * driver_state)
function is_playing_sound (line 236) | static int is_playing_sound()
function wmp_help (line 275) | int wmp_help(char ** help_str)
FILE: driver/wmp_driver.h
type wmp_state (line 20) | struct wmp_state
type wmp_state_t (line 47) | typedef struct wmp_state wmp_state_t;
FILE: fuzzer/main.c
function usage (line 33) | void usage(char * program_name, char * mutator_directory)
function cleanup_modules (line 76) | static void cleanup_modules(void)
function sigint_handler (line 89) | static void sigint_handler(int sig)
function main (line 102) | int main(int argc, char ** argv)
FILE: instrumentation/afl_instrumentation.c
function afl_cleanup (line 43) | void afl_cleanup(void *instrumentation_state) {
function afl_free_state (line 85) | void afl_free_state(char *state) {
function afl_set_state (line 95) | int afl_set_state(void *instrumentation_state, char *state) {
function merge_bitmaps (line 116) | void merge_bitmaps(u8 * dest, const u8 * src)
function afl_enable (line 153) | int afl_enable(void *instrumentation_state, pid_t *process, char *cmd_line,
function afl_is_new_path (line 189) | int afl_is_new_path(void *instrumentation_state) {
function afl_get_fuzz_result (line 208) | int afl_get_fuzz_result(void *instrumentation_state) {
function finish_fuzz_round (line 231) | static int finish_fuzz_round(afl_state_t *state) {
function afl_is_process_done (line 291) | int afl_is_process_done(void *instrumentation_state) {
function afl_help (line 330) | int afl_help(char **help_str) {
function afl_state_t (line 355) | static afl_state_t * setup_options(char *options) {
function create_target_process (line 442) | static int create_target_process(afl_state_t * state, char* cmd_line,
function destroy_target_process (line 512) | static void destroy_target_process(afl_state_t * state, int force) {
function setup_shm (line 533) | int setup_shm(void *instrumentation_state) {
function has_new_bits (line 608) | static inline uint8_t has_new_bits(uint8_t* virgin_map, uint8_t *trace_b...
function simplify_trace (line 682) | static void simplify_trace(uint64_t* mem) {
function simplify_trace (line 701) | static void simplify_trace(uint32_t* mem) {
FILE: instrumentation/afl_instrumentation.h
type afl_state (line 12) | struct afl_state {
type afl_state_t (line 34) | typedef struct afl_state afl_state_t;
FILE: instrumentation/debug_instrumentation.c
function debugging_thread (line 19) | static int debugging_thread(debug_state_t * state)
function destroy_target_process (line 93) | static void destroy_target_process(debug_state_t * state) {
function create_target_process (line 120) | static int create_target_process(debug_state_t * state, char* cmd_line, ...
function finish_fuzz_round (line 144) | static int finish_fuzz_round(debug_state_t * state) {
function debug_cleanup (line 212) | void debug_cleanup(void * instrumentation_state)
function debug_free_state (line 268) | void debug_free_state(char * state)
function debug_set_state (line 279) | int debug_set_state(void * instrumentation_state, char * state)
function debug_enable (line 304) | int debug_enable(void * instrumentation_state, HANDLE * process, char * ...
function debug_is_new_path (line 322) | int debug_is_new_path(void * instrumentation_state)
function debug_get_fuzz_result (line 336) | int debug_get_fuzz_result(void * instrumentation_state)
function debug_is_process_done (line 353) | int debug_is_process_done(void * instrumentation_state)
function debug_help (line 372) | int debug_help(char ** help_str)
FILE: instrumentation/debug_instrumentation.h
type thread_args_t (line 28) | typedef struct
type debug_state (line 35) | struct debug_state
type debug_state_t (line 69) | typedef struct debug_state debug_state_t;
FILE: instrumentation/dynamorio_instrumentation.c
function u8 (line 95) | static inline u8 has_new_bits(u8*trace_bits, u8* virgin_map) {
function u8 (line 197) | static inline u8 has_new_bits_with_ignore(u8*trace_bits, u8* virgin_map,...
function classify_counts (line 265) | static inline void classify_counts(u64* mem) {
function classify_counts (line 302) | static inline void classify_counts(u32* mem) {
function merge_bitmaps (line 334) | void merge_bitmaps(u8 * dest, const u8 * src)
function remove_shm (line 350) | static void remove_shm(u8 * trace_bits, HANDLE shm_handle)
function HANDLE (line 368) | static HANDLE setup_shm_region(char * fuzzer_id, int index, u8 ** out_tr...
function generate_fuzzer_id (line 418) | void generate_fuzzer_id(dynamorio_state_t * state)
function setup_shm_and_pick_fuzzer_id (line 438) | static void setup_shm_and_pick_fuzzer_id(dynamorio_state_t * state, int ...
function BOOL (line 509) | BOOL TerminateProcessByPid(DWORD dwProcessId, UINT uExitCode)
function HANDLE (line 530) | static HANDLE create_pipe(char * pipe_name, DWORD timeout)
function BOOL (line 557) | static BOOL connect_to_pipe(HANDLE pipe, char * pipe_name, DWORD timeout)
function cleanup_pipe (line 600) | static void cleanup_pipe(HANDLE * pipe)
function destroy_target_process (line 614) | static void destroy_target_process(dynamorio_state_t * state, int wait_e...
function create_target_process (line 656) | static void create_target_process(dynamorio_state_t * state, char* cmd_l...
function finish_fuzz_round (line 702) | static int finish_fuzz_round(dynamorio_state_t * state) {
function dynamorio_is_process_done (line 765) | int dynamorio_is_process_done(void * instrumentation_state)
function load_ignore_bytes (line 788) | static void load_ignore_bytes(dynamorio_state_t * state)
function generate_client_params (line 820) | static void generate_client_params(dynamorio_state_t * state)
function pick_default_dynamorio_dir (line 911) | static void pick_default_dynamorio_dir(dynamorio_state_t * state, char *...
function dynamorio_state_t (line 946) | static dynamorio_state_t * copy_state(dynamorio_state_t * original)
function dynamorio_state_t (line 1027) | static dynamorio_state_t * setup_options(char * options)
function dynamorio_cleanup (line 1138) | void dynamorio_cleanup(void * instrumentation_state)
function dynamorio_free_state (line 1287) | void dynamorio_free_state(char * state)
function dynamorio_set_state (line 1311) | int dynamorio_set_state(void * instrumentation_state, char * state)
function dynamorio_enable (line 1374) | int dynamorio_enable(void * instrumentation_state, HANDLE * process, cha...
function has_new_coverage (line 1428) | static int has_new_coverage(u8 * trace_bits, u8 * virgin_bits, u8 * igno...
function has_new_coverage_per_module (line 1477) | static int has_new_coverage_per_module(dynamorio_state_t * state)
function dynamorio_is_new_path (line 1501) | int dynamorio_is_new_path(void * instrumentation_state)
function dynamorio_get_fuzz_result (line 1515) | int dynamorio_get_fuzz_result(void * instrumentation_state)
function dynamorio_get_module_info (line 1541) | int dynamorio_get_module_info(void * instrumentation_state, int index, i...
function instrumentation_edges_t (line 1582) | instrumentation_edges_t * dynamorio_get_edges(void * instrumentation_sta...
function dynamorio_help (line 1614) | int dynamorio_help(char ** help_str)
function dynamorio_print_state (line 1651) | void dynamorio_print_state(void * instrumentation_state)
FILE: instrumentation/dynamorio_instrumentation.h
type target_module (line 26) | struct target_module
type target_module_t (line 40) | typedef struct target_module target_module_t;
type dynamorio_state (line 43) | struct dynamorio_state
type dynamorio_state_t (line 87) | typedef struct dynamorio_state dynamorio_state_t;
FILE: instrumentation/forkserver.c
function __forkserver_init (line 22) | void __forkserver_init(void)
function forkserver_persistence_init (line 109) | static void forkserver_persistence_init(void)
function __killerbeez_loop (line 204) | int __killerbeez_loop(void) {
FILE: instrumentation/forkserver_internal.h
type forkserver (line 24) | struct forkserver {
type forkserver_t (line 32) | typedef struct forkserver forkserver_t;
FILE: instrumentation/instrumentation.c
function find_fork_server_library (line 47) | static void find_fork_server_library(char * buffer, size_t buffer_len)
function pid_t (line 82) | static pid_t run_target(int needs_stdin_fd, char *target_path, char **argv,
function fork_server_init (line 253) | void fork_server_init(forkserver_t * fs, char * target_path, char ** arg...
function send_command (line 466) | static int send_command(forkserver_t * fs, char command)
function read_response (line 478) | static int read_response(forkserver_t * fs)
function fork_server_exit (line 491) | int fork_server_exit(forkserver_t * fs)
function send_fork (line 508) | static int send_fork(forkserver_t * fs, char command)
function fork_server_fork (line 521) | int fork_server_fork(forkserver_t * fs)
function fork_server_fork_run (line 531) | int fork_server_fork_run(forkserver_t * fs)
function fork_server_run (line 541) | int fork_server_run(forkserver_t * fs)
function fork_server_get_pending_status (line 557) | int fork_server_get_pending_status(forkserver_t * fs, int wait)
function fork_server_get_status (line 584) | int fork_server_get_status(forkserver_t * fs, int wait)
FILE: instrumentation/instrumentation.h
type instrumentation_edge (line 17) | struct instrumentation_edge
type instrumentation_edge_t (line 27) | typedef struct instrumentation_edge instrumentation_edge_t;
type instrumentation_edges (line 29) | struct instrumentation_edges
type instrumentation_edges_t (line 38) | typedef struct instrumentation_edges instrumentation_edges_t;
type instrumentation (line 40) | struct instrumentation
type instrumentation_t (line 63) | typedef struct instrumentation instrumentation_t;
FILE: instrumentation/instrumentation_factory.c
function instrumentation_t (line 25) | instrumentation_t * instrumentation_factory(char * instrumentation_type)
FILE: instrumentation/linux_ipt_instrumentation.c
function sign_extend (line 51) | static uint64_t sign_extend(uint64_t num, uint8_t sign_bit)
function handle_ip_packet (line 66) | static uint64_t handle_ip_packet(unsigned char ** outp, unsigned char *e...
function finish_tnt_hash (line 115) | static void finish_tnt_hash(struct ipt_hash_state * ipt_hashes)
function add_tnt_to_hash (line 132) | static void add_tnt_to_hash(struct ipt_hash_state * ipt_hashes, unsigned...
function add_tip_to_hash (line 163) | static void add_tip_to_hash(linux_ipt_state_t * state, uint64_t tip)
function get_tnt_num_bits (line 196) | static int get_tnt_num_bits(unsigned char * packet, int max_bits)
function analyze_ipt (line 212) | static int analyze_ipt(linux_ipt_state_t * state)
function perf_event_open (line 435) | static long perf_event_open(struct perf_event_attr* hw_event, pid_t pid,...
function cleanup_ipt (line 444) | static void cleanup_ipt(linux_ipt_state_t * state)
function get_file_filter_size (line 462) | static size_t get_file_filter_size(char * filename)
function setup_ipt (line 510) | static int setup_ipt(linux_ipt_state_t * state, pid_t pid)
function record_fork_server_address_info (line 560) | static void record_fork_server_address_info(linux_ipt_state_t * state)
function destroy_target_process (line 646) | static void destroy_target_process(linux_ipt_state_t * state, int force)
function create_target_process (line 665) | static int create_target_process(linux_ipt_state_t * state, char* cmd_li...
function get_file_int (line 730) | static int get_file_int(char * filename)
function get_ipt_system_info (line 754) | static int get_ipt_system_info(linux_ipt_state_t * state)
function linux_ipt_state_t (line 802) | static linux_ipt_state_t * setup_options(char * options)
function linux_ipt_cleanup (line 895) | void linux_ipt_cleanup(void * instrumentation_state)
type ipt_hashtable_entry (line 947) | struct ipt_hashtable_entry
type ipt_hashtable_entry (line 958) | struct ipt_hashtable_entry
type ipt_hashtable_key (line 962) | struct ipt_hashtable_key
type ipt_hashtable_entry (line 968) | struct ipt_hashtable_entry
type ipt_hashtable_key (line 972) | struct ipt_hashtable_key
type ipt_hashtable_key (line 974) | struct ipt_hashtable_key
type ipt_hashtable_entry (line 990) | struct ipt_hashtable_entry
type ipt_hashtable_key (line 1008) | struct ipt_hashtable_key
function linux_ipt_free_state (line 1024) | void linux_ipt_free_state(char * state)
function linux_ipt_set_state (line 1035) | int linux_ipt_set_state(void * instrumentation_state, char * state)
function linux_ipt_enable (line 1091) | int linux_ipt_enable(void * instrumentation_state, pid_t * process, char...
function finish_fuzz_round (line 1109) | static int finish_fuzz_round(linux_ipt_state_t * state)
function linux_ipt_is_new_path (line 1135) | int linux_ipt_is_new_path(void * instrumentation_state)
function linux_ipt_get_fuzz_result (line 1155) | int linux_ipt_get_fuzz_result(void * instrumentation_state)
function linux_ipt_is_process_done (line 1165) | int linux_ipt_is_process_done(void * instrumentation_state)
function linux_ipt_help (line 1187) | int linux_ipt_help(char ** help_str)
FILE: instrumentation/linux_ipt_instrumentation.h
type ipt_hashtable_key (line 19) | struct ipt_hashtable_key {
type ipt_hashtable_entry (line 24) | struct ipt_hashtable_entry {
type ipt_hash_state (line 29) | struct ipt_hash_state
type linux_ipt_state (line 38) | struct linux_ipt_state
type linux_ipt_state_t (line 75) | typedef struct linux_ipt_state linux_ipt_state_t;
FILE: instrumentation/return_code_instrumentation.c
function destroy_target_process (line 26) | static void destroy_target_process(return_code_state_t * state)
function create_target_process (line 48) | static int create_target_process(return_code_state_t * state, char* cmd_...
function return_code_state_t (line 111) | static return_code_state_t * setup_options(char *options) {
function return_code_cleanup (line 156) | void return_code_cleanup(void * instrumentation_state)
function return_code_free_state (line 201) | void return_code_free_state(char * state)
function return_code_set_state (line 212) | int return_code_set_state(void * instrumentation_state, char * state)
function return_code_enable (line 232) | int return_code_enable(void * instrumentation_state, pid_t * process, ch...
function return_code_is_new_path (line 250) | int return_code_is_new_path(void * instrumentation_state)
function return_code_get_fuzz_result (line 265) | int return_code_get_fuzz_result(void * instrumentation_state)
function return_code_is_process_done (line 280) | int return_code_is_process_done(void * instrumentation_state)
function return_code_help (line 335) | int return_code_help(char ** help_str)
FILE: instrumentation/return_code_instrumentation.h
type return_code_state (line 16) | struct return_code_state
type return_code_state_t (line 28) | typedef struct return_code_state return_code_state_t;
FILE: instrumentation/uthash.h
type UT_hash_bucket (line 1149) | typedef struct UT_hash_bucket {
type UT_hash_table (line 1173) | typedef struct UT_hash_table {
type UT_hash_handle (line 1206) | typedef struct UT_hash_handle {
FILE: instrumentation/winafl_alloc_inl.h
function DFL_ck_free (line 146) | static inline void DFL_ck_free(char* mem) {
function u8 (line 265) | static inline u8* DFL_ck_strdup(u8* str) {
function u8 (line 316) | static inline u8* DFL_ck_memdup_str(u8* mem, u32 size) {
type TRK_obj (line 365) | struct TRK_obj {
type TRK_obj (line 373) | struct TRK_obj
type TRK_obj (line 380) | struct TRK_obj
function TRK_alloc_buf (line 394) | static inline void TRK_alloc_buf(void* ptr, const char* file, const char...
function TRK_free_buf (line 434) | static inline void TRK_free_buf(void* ptr, const char* file, const char*...
function TRK_report (line 462) | static inline void TRK_report(void) {
function TRK_ck_free (line 541) | static inline void TRK_ck_free(void* ptr, const char* file,
FILE: instrumentation/winafl_hash.h
function u32 (line 49) | static inline u32 hash32(const void* key, u32 len, u32 seed) {
function u32 (line 80) | static inline u32 hash32_with_ignore(const void* key, const void * ignor...
function u32 (line 118) | static inline u32 hash32(const void* key, u32 len, u32 seed) {
function u32 (line 150) | static inline u32 hash32_with_ignore(const void* key, const void * ignor...
FILE: instrumentation/winafl_types.h
type u8 (line 33) | typedef uint8_t u8;
type u16 (line 34) | typedef uint16_t u16;
type u32 (line 35) | typedef uint32_t u32;
type u64 (line 54) | typedef unsigned long long u64;
type u64 (line 56) | typedef uint64_t u64;
type s8 (line 59) | typedef int8_t s8;
type s16 (line 60) | typedef int16_t s16;
type s32 (line 61) | typedef int32_t s32;
type s64 (line 62) | typedef int64_t s64;
FILE: instrumentation/wingui.c
function BOOL (line 9) | BOOL IsProcessInModalDialog(
FILE: instrumentation/xxhash.c
function XXH_free (line 109) | static void XXH_free (void* p) { free(p); }
type BYTE (line 147) | typedef uint8_t BYTE;
type U16 (line 148) | typedef uint16_t U16;
type U32 (line 149) | typedef uint32_t U32;
type BYTE (line 151) | typedef unsigned char BYTE;
type U16 (line 152) | typedef unsigned short U16;
type U32 (line 153) | typedef unsigned int U32;
function U32 (line 160) | static U32 XXH_read32(const void* memPtr) { return *(const U32*) memPtr; }
type unalign (line 166) | typedef union { U32 u32; } __attribute__((packed)) unalign;
function U32 (line 167) | static U32 XXH_read32(const void* ptr) { return ((const unalign*)ptr)->u...
function U32 (line 174) | static U32 XXH_read32(const void* memPtr)
function U32 (line 203) | static U32 XXH_swap32 (U32 x)
type XXH_endianess (line 216) | typedef enum { XXH_bigEndian=0, XXH_littleEndian=1 } XXH_endianess;
function XXH_isLittleEndian (line 220) | static int XXH_isLittleEndian(void)
type XXH_alignment (line 232) | typedef enum { XXH_aligned, XXH_unaligned } XXH_alignment;
function FORCE_INLINE (line 234) | FORCE_INLINE U32 XXH_readLE32_align(const void* ptr, XXH_endianess endia...
function FORCE_INLINE (line 242) | FORCE_INLINE U32 XXH_readLE32(const void* ptr, XXH_endianess endian)
function U32 (line 247) | static U32 XXH_readBE32(const void* ptr)
function XXH_versionNumber (line 257) | XXH_PUBLIC_API unsigned XXH_versionNumber (void) { return XXH_VERSION_NU...
function U32 (line 269) | static U32 XXH32_round(U32 seed, U32 input)
function U32 (line 278) | static U32 XXH32_avalanche(U32 h32)
function U32 (line 290) | static U32
function FORCE_INLINE (line 351) | FORCE_INLINE U32
function XXH32 (line 392) | XXH_PUBLIC_API unsigned int XXH32 (const void* input, size_t len, unsign...
function XXH_PUBLIC_API (line 422) | XXH_PUBLIC_API XXH32_state_t* XXH32_createState(void)
function XXH_PUBLIC_API (line 426) | XXH_PUBLIC_API XXH_errorcode XXH32_freeState(XXH32_state_t* statePtr)
function XXH_PUBLIC_API (line 432) | XXH_PUBLIC_API void XXH32_copyState(XXH32_state_t* dstState, const XXH32...
function XXH_PUBLIC_API (line 437) | XXH_PUBLIC_API XXH_errorcode XXH32_reset(XXH32_state_t* statePtr, unsign...
function FORCE_INLINE (line 451) | FORCE_INLINE
function XXH_PUBLIC_API (line 514) | XXH_PUBLIC_API XXH_errorcode XXH32_update (XXH32_state_t* state_in, cons...
function FORCE_INLINE (line 525) | FORCE_INLINE U32
function XXH32_digest (line 545) | XXH_PUBLIC_API unsigned int XXH32_digest (const XXH32_state_t* state_in)
function XXH_PUBLIC_API (line 564) | XXH_PUBLIC_API void XXH32_canonicalFromHash(XXH32_canonical_t* dst, XXH3...
function XXH_PUBLIC_API (line 571) | XXH_PUBLIC_API XXH32_hash_t XXH32_hashFromCanonical(const XXH32_canonica...
type U64 (line 591) | typedef uint64_t U64;
type U64 (line 594) | typedef unsigned long long U64;
function U64 (line 602) | static U64 XXH_read64(const void* memPtr) { return *(const U64*) memPtr; }
type unalign64 (line 608) | typedef union { U32 u32; U64 u64; } __attribute__((packed)) unalign64;
function U64 (line 609) | static U64 XXH_read64(const void* ptr) { return ((const unalign64*)ptr)-...
function U64 (line 617) | static U64 XXH_read64(const void* memPtr)
function U64 (line 631) | static U64 XXH_swap64 (U64 x)
function FORCE_INLINE (line 644) | FORCE_INLINE U64 XXH_readLE64_align(const void* ptr, XXH_endianess endia...
function FORCE_INLINE (line 652) | FORCE_INLINE U64 XXH_readLE64(const void* ptr, XXH_endianess endian)
function U64 (line 657) | static U64 XXH_readBE64(const void* ptr)
function U64 (line 671) | static U64 XXH64_round(U64 acc, U64 input)
function U64 (line 679) | static U64 XXH64_mergeRound(U64 acc, U64 val)
function U64 (line 687) | static U64 XXH64_avalanche(U64 h64)
function U64 (line 700) | static U64
function FORCE_INLINE (line 810) | FORCE_INLINE U64
function XXH64 (line 855) | XXH_PUBLIC_API unsigned long long XXH64 (const void* input, size_t len, ...
function XXH_PUBLIC_API (line 883) | XXH_PUBLIC_API XXH64_state_t* XXH64_createState(void)
function XXH_PUBLIC_API (line 887) | XXH_PUBLIC_API XXH_errorcode XXH64_freeState(XXH64_state_t* statePtr)
function XXH_PUBLIC_API (line 893) | XXH_PUBLIC_API void XXH64_copyState(XXH64_state_t* dstState, const XXH64...
function XXH_PUBLIC_API (line 898) | XXH_PUBLIC_API XXH_errorcode XXH64_reset(XXH64_state_t* statePtr, unsign...
function FORCE_INLINE (line 911) | FORCE_INLINE
function XXH_PUBLIC_API (line 970) | XXH_PUBLIC_API XXH_errorcode XXH64_update (XXH64_state_t* state_in, cons...
function FORCE_INLINE (line 980) | FORCE_INLINE U64 XXH64_digest_endian (const XXH64_state_t* state, XXH_en...
function XXH64_digest (line 1004) | XXH_PUBLIC_API unsigned long long XXH64_digest (const XXH64_state_t* sta...
function XXH_PUBLIC_API (line 1017) | XXH_PUBLIC_API void XXH64_canonicalFromHash(XXH64_canonical_t* dst, XXH6...
function XXH_PUBLIC_API (line 1024) | XXH_PUBLIC_API XXH64_hash_t XXH64_hashFromCanonical(const XXH64_canonica...
FILE: instrumentation/xxhash.h
type XXH_errorcode (line 79) | typedef enum { XXH_OK=0, XXH_ERROR } XXH_errorcode;
type XXH32_hash_t (line 165) | typedef unsigned int XXH32_hash_t;
type XXH32_state_t (line 175) | typedef struct XXH32_state_s XXH32_state_t;
type XXH32_canonical_t (line 207) | typedef struct { unsigned char digest[4]; } XXH32_canonical_t;
type XXH64_hash_t (line 222) | typedef unsigned long long XXH64_hash_t;
type XXH64_state_t (line 232) | typedef struct XXH64_state_s XXH64_state_t;
type XXH64_canonical_t (line 242) | typedef struct { unsigned char digest[8]; } XXH64_canonical_t;
type XXH32_state_s (line 267) | struct XXH32_state_s {
type XXH64_state_s (line 279) | struct XXH64_state_s {
type XXH32_state_s (line 292) | struct XXH32_state_s {
type XXH64_state_s (line 305) | struct XXH64_state_s {
FILE: jansson/dump.c
type buffer (line 32) | struct buffer {
function dump_to_strbuffer (line 38) | static int dump_to_strbuffer(const char *buffer, size_t size, void *data)
function dump_to_buffer (line 43) | static int dump_to_buffer(const char *buffer, size_t size, void *data)
function dump_to_file (line 54) | static int dump_to_file(const char *buffer, size_t size, void *data)
function dump_to_fd (line 62) | static int dump_to_fd(const char *buffer, size_t size, void *data)
function dump_indent (line 75) | static int dump_indent(size_t flags, int depth, int space, json_dump_cal...
function dump_mem (line 101) | static int dump_mem(const char *mem, size_t len, json_dump_callback_t du...
function dump_string (line 131) | static int dump_string(const char *str, size_t len, json_dump_callback_t...
function compare_keys (line 224) | static int compare_keys(const void *key1, const void *key2)
function do_dump (line 229) | static int do_dump(const json_t *json, size_t flags, int depth,
function json_dumpb (line 487) | size_t json_dumpb(const json_t *json, char *buffer, size_t size, size_t ...
function json_dumpf (line 497) | int json_dumpf(const json_t *json, FILE *output, size_t flags)
function json_dumpfd (line 502) | int json_dumpfd(const json_t *json, int output, size_t flags)
function json_dump_file (line 507) | int json_dump_file(const json_t *json, const char *path, size_t flags)
function json_dump_callback (line 521) | int json_dump_callback(const json_t *json, json_dump_callback_t callback...
FILE: jansson/error.c
function jsonp_error_init (line 11) | void jsonp_error_init(json_error_t *error, const char *source)
function jsonp_error_set_source (line 26) | void jsonp_error_set_source(json_error_t *error, const char *source)
function jsonp_error_set (line 43) | void jsonp_error_set(json_error_t *error, int line, int column,
function jsonp_error_vset (line 53) | void jsonp_error_vset(json_error_t *error, int line, int column,
FILE: jansson/hashtable.c
type list_t (line 27) | typedef struct hashtable_list list_t;
type pair_t (line 28) | typedef struct hashtable_pair pair_t;
type bucket_t (line 29) | typedef struct hashtable_bucket bucket_t;
function JSON_INLINE (line 40) | static JSON_INLINE void list_init(list_t *list)
function JSON_INLINE (line 46) | static JSON_INLINE void list_insert(list_t *list, list_t *node)
function JSON_INLINE (line 54) | static JSON_INLINE void list_remove(list_t *list)
function JSON_INLINE (line 60) | static JSON_INLINE int bucket_is_empty(hashtable_t *hashtable, bucket_t ...
function insert_to_bucket (line 65) | static void insert_to_bucket(hashtable_t *hashtable, bucket_t *bucket,
function pair_t (line 80) | static pair_t *hashtable_find_pair(hashtable_t *hashtable, bucket_t *buc...
function hashtable_do_del (line 106) | static int hashtable_do_del(hashtable_t *hashtable,
function hashtable_do_clear (line 139) | static void hashtable_do_clear(hashtable_t *hashtable)
function hashtable_do_rehash (line 153) | static int hashtable_do_rehash(hashtable_t *hashtable)
function hashtable_init (line 191) | int hashtable_init(hashtable_t *hashtable)
function hashtable_close (line 213) | void hashtable_close(hashtable_t *hashtable)
function hashtable_set (line 219) | int hashtable_set(hashtable_t *hashtable, const char *key, json_t *value)
function hashtable_del (line 286) | int hashtable_del(hashtable_t *hashtable, const char *key)
function hashtable_clear (line 292) | void hashtable_clear(hashtable_t *hashtable)
function hashtable_iter_set (line 350) | void hashtable_iter_set(void *iter, json_t *value)
FILE: jansson/hashtable.h
type hashtable_list (line 14) | struct hashtable_list {
type hashtable_pair (line 22) | struct hashtable_pair {
type hashtable_bucket (line 30) | struct hashtable_bucket {
type hashtable_t (line 35) | typedef struct hashtable {
FILE: jansson/hashtable_seed.c
function buf_to_uint32 (line 55) | static uint32_t buf_to_uint32(char *data) {
function seed_from_urandom (line 69) | static int seed_from_urandom(uint32_t *seed) {
function seed_from_windows_cryptoapi (line 111) | static int seed_from_windows_cryptoapi(uint32_t *seed)
function seed_from_timestamp_and_pid (line 152) | static int seed_from_timestamp_and_pid(uint32_t *seed) {
function generate_seed (line 173) | static uint32_t generate_seed() {
function json_object_seed (line 206) | void json_object_seed(size_t seed) {
function json_object_seed (line 227) | void json_object_seed(size_t seed) {
function json_object_seed (line 254) | void json_object_seed(size_t seed) {
function json_object_seed (line 274) | void json_object_seed(size_t seed) {
FILE: jansson/jansson.h
type json_type (line 53) | typedef enum {
type json_t (line 65) | typedef struct json_t {
type json_int_t (line 77) | typedef long long json_int_t;
type json_int_t (line 80) | typedef long json_int_t;
function JSON_INLINE (line 114) | static JSON_INLINE
function JSON_INLINE (line 125) | static JSON_INLINE
function JSON_INLINE (line 133) | static JSON_INLINE
type json_error_t (line 151) | typedef struct json_error_t {
function JSON_INLINE (line 197) | static JSON_INLINE
function JSON_INLINE (line 203) | static JSON_INLINE
function JSON_INLINE (line 209) | static JSON_INLINE
function JSON_INLINE (line 224) | static JSON_INLINE
function JSON_INLINE (line 230) | static JSON_INLINE
function JSON_INLINE (line 236) | static JSON_INLINE
FILE: jansson/jansson_helper.c
function json_t (line 13) | json_t * get_root_option_json_object(const char * json_string)
function get_int_options_inner (line 217) | static long long get_int_options_inner(json_t * root, const char * optio...
function get_int_options (line 260) | int get_int_options(const char * json_string, const char * option_name, ...
function get_int_options_from_json (line 283) | int get_int_options_from_json(json_t * root, const char * option_name, i...
function get_uint64t_options (line 301) | uint64_t get_uint64t_options(const char * json_string, const char * opti...
function get_uint64t_options_from_json (line 324) | uint64_t get_uint64t_options_from_json(json_t * root, const char * optio...
function get_double_options_inner (line 343) | static double get_double_options_inner(json_t * root, const char * optio...
function get_double_options (line 386) | double get_double_options(const char * json_string, const char * option_...
function get_double_options_from_json (line 409) | double get_double_options_from_json(json_t * root, const char * option_n...
function get_array_options_inner (line 414) | static int get_array_options_inner(const char * json_string, const char ...
function decode_mem_array (line 590) | int decode_mem_array(const char *json_string, char *** items, size_t ** ...
FILE: jansson/jansson_private.h
type json_object_t (line 38) | typedef struct {
type json_array_t (line 44) | typedef struct {
type json_string_t (line 52) | typedef struct {
type json_mem_t (line 58) | typedef struct {
type json_real_t (line 64) | typedef struct {
type json_integer_t (line 69) | typedef struct {
FILE: jansson/load.c
type stream_t (line 54) | typedef struct {
type lex_t (line 65) | typedef struct {
function error_set (line 86) | static void error_set(json_error_t *error, const lex_t *lex,
function stream_init (line 143) | static void
function stream_get (line 157) | static int stream_get(stream_t *stream, json_error_t *error)
function stream_unget (line 220) | static void stream_unget(stream_t *stream, int c)
function lex_get (line 239) | static int lex_get(lex_t *lex, json_error_t *error)
function lex_save (line 244) | static void lex_save(lex_t *lex, int c)
function lex_get_save (line 249) | static int lex_get_save(lex_t *lex, json_error_t *error)
function lex_unget (line 257) | static void lex_unget(lex_t *lex, int c)
function lex_unget_unsave (line 262) | static void lex_unget_unsave(lex_t *lex, int c)
function lex_save_cached (line 281) | static void lex_save_cached(lex_t *lex)
function lex_free_string (line 291) | static void lex_free_string(lex_t *lex)
function decode_unicode_escape (line 299) | static int32_t decode_unicode_escape(const char *str)
function lex_scan_string (line 322) | static void lex_scan_string(lex_t *lex, json_error_t *error)
function lex_scan_number (line 488) | static int lex_scan_number(lex_t *lex, int c, json_error_t *error)
function lex_scan (line 585) | static int lex_scan(lex_t *lex, json_error_t *error)
function lex_init (line 665) | static int lex_init(lex_t *lex, get_func get, size_t flags, void *data)
function lex_close (line 676) | static void lex_close(lex_t *lex)
function json_t (line 688) | static json_t *parse_object(lex_t *lex, size_t flags, json_error_t *error)
function json_t (line 767) | static json_t *parse_array(lex_t *lex, size_t flags, json_error_t *error)
function json_t (line 807) | static json_t *parse_value(lex_t *lex, size_t flags, json_error_t *error)
function json_t (line 919) | static json_t *parse_json(lex_t *lex, size_t flags, json_error_t *error)
type string_data_t (line 954) | typedef struct
function string_get (line 960) | static int string_get(void *data)
function json_t (line 974) | json_t *json_loads(const char *string, size_t flags, json_error_t *error)
type buffer_data_t (line 999) | typedef struct
function buffer_get (line 1006) | static int buffer_get(void *data)
function json_t (line 1018) | json_t *json_loadb(const char *buffer, size_t buflen, size_t flags, json...
function json_t (line 1044) | json_t *json_loadf(FILE *input, size_t flags, json_error_t *error)
function fd_get_func (line 1071) | static int fd_get_func(int *fd)
function json_t (line 1081) | json_t *json_loadfd(int input, size_t flags, json_error_t *error)
function json_t (line 1110) | json_t *json_load_file(const char *path, size_t flags, json_error_t *error)
type callback_data_t (line 1138) | typedef struct
function callback_get (line 1147) | static int callback_get(void *data)
function json_t (line 1164) | json_t *json_load_callback(json_load_callback_t callback, void *arg, siz...
FILE: jansson/lookup3.h
function hashlittle (line 196) | static uint32_t hashlittle(const void *key, size_t length, uint32_t init...
FILE: jansson/memory.c
function jsonp_free (line 31) | void jsonp_free(void *ptr)
function json_set_alloc_funcs (line 57) | void json_set_alloc_funcs(json_malloc_t malloc_fn, json_free_t free_fn)
function json_get_alloc_funcs (line 63) | void json_get_alloc_funcs(json_malloc_t *malloc_fn, json_free_t *free_fn)
FILE: jansson/pack_unpack.c
type token_t (line 14) | typedef struct {
type scanner_t (line 21) | typedef struct {
function scanner_init (line 52) | static void scanner_init(scanner_t *s, json_error_t *error,
function next_token (line 66) | static void next_token(scanner_t *s)
function prev_token (line 103) | static void prev_token(scanner_t *s)
function set_error (line 109) | static void set_error(scanner_t *s, const char *source, const char *fmt,...
function json_t (line 207) | static json_t *pack_object(scanner_t *s, va_list *ap)
function json_t (line 271) | static json_t *pack_array(scanner_t *s, va_list *ap)
function json_t (line 311) | static json_t *pack_string(scanner_t *s, va_list *ap)
function json_t (line 333) | static json_t *pack(scanner_t *s, va_list *ap)
function unpack_object (line 405) | static int unpack_object(scanner_t *s, json_t *root, va_list *ap)
function unpack_array (line 549) | static int unpack_array(scanner_t *s, json_t *root, va_list *ap)
function unpack (line 619) | static int unpack(scanner_t *s, json_t *root, va_list *ap)
function json_t (line 771) | json_t *json_vpack_ex(json_error_t *error, size_t flags,
function json_t (line 805) | json_t *json_pack_ex(json_error_t *error, size_t flags, const char *fmt,...
function json_t (line 817) | json_t *json_pack(const char *fmt, ...)
function json_vunpack_ex (line 829) | int json_vunpack_ex(json_t *root, json_error_t *error, size_t flags,
function json_unpack_ex (line 867) | int json_unpack_ex(json_t *root, json_error_t *error, size_t flags, cons...
function json_unpack (line 879) | int json_unpack(json_t *root, const char *fmt, ...)
FILE: jansson/strbuffer.c
function strbuffer_init (line 21) | int strbuffer_init(strbuffer_t *strbuff)
function strbuffer_close (line 35) | void strbuffer_close(strbuffer_t *strbuff)
function strbuffer_clear (line 45) | void strbuffer_clear(strbuffer_t *strbuff)
function strbuffer_append_byte (line 63) | int strbuffer_append_byte(strbuffer_t *strbuff, char byte)
function strbuffer_append_bytes (line 68) | int strbuffer_append_bytes(strbuffer_t *strbuff, const char *data, size_...
function strbuffer_pop (line 102) | char strbuffer_pop(strbuffer_t *strbuff)
FILE: jansson/strbuffer.h
type strbuffer_t (line 13) | typedef struct {
FILE: jansson/strconv.c
function to_locale (line 41) | static void to_locale(strbuffer_t *strbuffer)
function from_locale (line 57) | static void from_locale(char *buffer)
function jsonp_strtod (line 74) | int jsonp_strtod(strbuffer_t *strbuffer, double *out)
function jsonp_dtostr (line 96) | int jsonp_dtostr(char *buffer, size_t size, double value, int precision)
FILE: jansson/utf.c
function utf8_encode (line 11) | int utf8_encode(int32_t codepoint, char *buffer, size_t *size)
function utf8_check_first (line 47) | size_t utf8_check_first(char byte)
function utf8_check_full (line 83) | size_t utf8_check_full(const char *buffer, size_t size, int32_t *codepoint)
function utf8_check_string (line 165) | int utf8_check_string(const char *string, size_t length)
FILE: jansson/value.c
function JSON_INLINE (line 33) | static JSON_INLINE int isnan(double x) { return x != x; }
function JSON_INLINE (line 37) | static JSON_INLINE int isinf(double x) { return !isnan(x) && isnan(x - x...
function JSON_INLINE (line 40) | static JSON_INLINE void json_init(json_t *json, json_type type)
function json_t (line 51) | json_t *json_object(void)
function json_delete_object (line 75) | static void json_delete_object(json_object_t *object)
function json_object_size (line 81) | size_t json_object_size(const json_t *json)
function json_t (line 92) | json_t *json_object_get(const json_t *json, const char *key)
function json_object_set_new_nocheck (line 103) | int json_object_set_new_nocheck(json_t *json, const char *key, json_t *v...
function json_object_set_new (line 126) | int json_object_set_new(json_t *json, const char *key, json_t *value)
function json_object_del (line 137) | int json_object_del(json_t *json, const char *key)
function json_object_clear (line 148) | int json_object_clear(json_t *json)
function json_object_update (line 161) | int json_object_update(json_t *object, json_t *other)
function json_object_update_existing (line 177) | int json_object_update_existing(json_t *object, json_t *other)
function json_object_update_missing (line 193) | int json_object_update_missing(json_t *object, json_t *other)
function json_t (line 250) | json_t *json_object_iter_value(void *iter)
function json_object_iter_set_new (line 258) | int json_object_iter_set_new(json_t *json, void *iter, json_t *value)
function json_object_equal (line 275) | static int json_object_equal(json_t *object1, json_t *object2)
function json_t (line 293) | static json_t *json_object_copy(json_t *object)
function json_t (line 310) | static json_t *json_object_deep_copy(const json_t *object)
function json_t (line 338) | json_t *json_array(void)
function json_delete_array (line 359) | static void json_delete_array(json_array_t *array)
function json_array_size (line 370) | size_t json_array_size(const json_t *json)
function json_t (line 378) | json_t *json_array_get(const json_t *json, size_t index)
function json_array_set_new (line 391) | int json_array_set_new(json_t *json, size_t index, json_t *value)
function array_move (line 417) | static void array_move(json_array_t *array, size_t dest,
function array_copy (line 423) | static void array_copy(json_t **dest, size_t dpos,
function json_t (line 430) | static json_t **json_array_grow(json_array_t *array,
function json_array_append_new (line 459) | int json_array_append_new(json_t *json, json_t *value)
function json_array_insert_new (line 484) | int json_array_insert_new(json_t *json, size_t index, json_t *value)
function json_array_remove (line 524) | int json_array_remove(json_t *json, size_t index)
function json_array_clear (line 546) | int json_array_clear(json_t *json)
function json_array_extend (line 562) | int json_array_extend(json_t *json, json_t *other_json)
function json_array_equal (line 584) | static int json_array_equal(json_t *array1, json_t *array2)
function json_t (line 606) | static json_t *json_array_copy(json_t *array)
function json_t (line 621) | static json_t *json_array_deep_copy(const json_t *array)
function json_t (line 638) | static json_t *string_create(const char *value, size_t len, int own)
function json_t (line 667) | json_t *json_string_nocheck(const char *value)
function json_t (line 675) | json_t *json_stringn_nocheck(const char *value, size_t len)
function json_t (line 681) | json_t *jsonp_stringn_nocheck_own(const char *value, size_t len)
function json_t (line 686) | json_t *json_string(const char *value)
function json_t (line 695) | json_t *json_stringn(const char *value, size_t len)
function json_string_length (line 711) | size_t json_string_length(const json_t *json)
function json_t (line 721) | static json_t *mem_create(const char *value, size_t len, int own)
function json_t (line 751) | json_t *json_mem(const char *value, size_t len)
function json_t (line 756) | json_t *json_mem_own(const char *value, size_t len)
function json_mem_length (line 769) | size_t json_mem_length(const json_t *json)
function json_string_set_nocheck (line 777) | int json_string_set_nocheck(json_t *json, const char *value)
function json_string_setn_nocheck (line 785) | int json_string_setn_nocheck(json_t *json, const char *value, size_t len)
function json_string_set (line 805) | int json_string_set(json_t *json, const char *value)
function json_string_setn (line 813) | int json_string_setn(json_t *json, const char *value, size_t len)
function json_delete_string (line 821) | static void json_delete_string(json_string_t *string)
function json_string_equal (line 827) | static int json_string_equal(json_t *string1, json_t *string2)
function json_t (line 839) | static json_t *json_string_copy(const json_t *string)
function json_t (line 853) | json_t *json_integer(json_int_t value)
function json_int_t (line 864) | json_int_t json_integer_value(const json_t *json)
function json_integer_set (line 872) | int json_integer_set(json_t *json, json_int_t value)
function json_delete_integer (line 882) | static void json_delete_integer(json_integer_t *integer)
function json_integer_equal (line 887) | static int json_integer_equal(json_t *integer1, json_t *integer2)
function json_t (line 892) | static json_t *json_integer_copy(const json_t *integer)
function json_t (line 900) | json_t *json_real(double value)
function json_real_value (line 916) | double json_real_value(const json_t *json)
function json_real_set (line 924) | int json_real_set(json_t *json, double value)
function json_delete_real (line 934) | static void json_delete_real(json_real_t *real)
function json_real_equal (line 939) | static int json_real_equal(json_t *real1, json_t *real2)
function json_t (line 944) | static json_t *json_real_copy(const json_t *real)
function json_number_value (line 952) | double json_number_value(const json_t *json)
function json_t (line 965) | json_t *json_true(void)
function json_t (line 972) | json_t *json_false(void)
function json_t (line 979) | json_t *json_null(void)
function json_delete (line 988) | void json_delete(json_t *json)
function json_equal (line 1019) | int json_equal(json_t *json1, json_t *json2)
function json_t (line 1050) | json_t *json_copy(json_t *json)
function json_t (line 1077) | json_t *json_deep_copy(const json_t *json)
FILE: merger/merger.c
function usage (line 20) | void usage(char * program_name)
function main (line 46) | int main(int argc, char ** argv)
FILE: mutators/afl_mutator/afl_mutator.c
type afl_state (line 13) | struct afl_state
type afl_state_t (line 23) | typedef struct afl_state afl_state_t;
function afl_havoc (line 40) | static int afl_havoc(mutate_info_t * info, mutate_buffer_t * buf)
function afl_splice (line 47) | static int afl_splice(mutate_info_t * info, mutate_buffer_t * buf)
function AFL_MUTATOR_API (line 105) | AFL_MUTATOR_API void init(mutator_t * m)
function afl_state_t (line 117) | static afl_state_t * setup_options(char * options)
function AFL_MUTATOR_API (line 151) | AFL_MUTATOR_API void * FUNCNAME(create)(char * options, char * state, ch...
function AFL_MUTATOR_API (line 162) | AFL_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function mutate_inner (line 168) | static int mutate_inner(void * mutator_state, char * buffer, size_t buff...
function AFL_MUTATOR_API (line 208) | AFL_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * buffer...
function AFL_MUTATOR_API (line 224) | AFL_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state, char...
function AFL_MUTATOR_API (line 236) | AFL_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function AFL_MUTATOR_API (line 259) | AFL_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char * state)
function AFL_MUTATOR_API (line 278) | AFL_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator_state)
function AFL_MUTATOR_API (line 290) | AFL_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char * new...
function AFL_MUTATOR_API (line 303) | AFL_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state, int ...
function AFL_MUTATOR_API (line 313) | AFL_MUTATOR_API int FUNCNAME(help)(char ** help_str)
FILE: mutators/arithmetic_mutator/arithmetic_mutator.c
type arithmetic_state (line 13) | struct arithmetic_state
type arithmetic_state_t (line 23) | typedef struct arithmetic_state arithmetic_state_t;
function ARITHMETIC_MUTATOR_API (line 52) | ARITHMETIC_MUTATOR_API void init(mutator_t * m)
function arithmetic_state_t (line 58) | static arithmetic_state_t * setup_options(char * options)
function ARITHMETIC_MUTATOR_API (line 109) | ARITHMETIC_MUTATOR_API void * FUNCNAME(create)(char * options, char * st...
function ARITHMETIC_MUTATOR_API (line 120) | ARITHMETIC_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function mutate_inner (line 126) | static int mutate_inner(void * mutator_state, char * buffer, size_t buff...
function ARITHMETIC_MUTATOR_API (line 156) | ARITHMETIC_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char *...
function ARITHMETIC_MUTATOR_API (line 172) | ARITHMETIC_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_stat...
function ARITHMETIC_MUTATOR_API (line 184) | ARITHMETIC_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function ARITHMETIC_MUTATOR_API (line 207) | ARITHMETIC_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, cha...
function ARITHMETIC_MUTATOR_API (line 225) | ARITHMETIC_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutato...
function ARITHMETIC_MUTATOR_API (line 237) | ARITHMETIC_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, cha...
function ARITHMETIC_MUTATOR_API (line 250) | ARITHMETIC_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_stat...
function ARITHMETIC_MUTATOR_API (line 260) | ARITHMETIC_MUTATOR_API int FUNCNAME(help)(char **help_str)
FILE: mutators/bit_flip_mutator/bit_flip_mutator.c
type bit_flip_state (line 13) | struct bit_flip_state
type bit_flip_state_t (line 23) | typedef struct bit_flip_state bit_flip_state_t;
function BF_MUTATOR_API (line 55) | BF_MUTATOR_API void init(mutator_t * m)
function bit_flip_state_t (line 61) | static bit_flip_state_t * setup_options(char * options)
function BF_MUTATOR_API (line 112) | BF_MUTATOR_API void * FUNCNAME(create)(char * options, char * state, cha...
function BF_MUTATOR_API (line 123) | BF_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function mutate_inner (line 129) | static int mutate_inner(void * mutator_state, char * buffer, size_t buff...
function BF_MUTATOR_API (line 159) | BF_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * buffer,...
function BF_MUTATOR_API (line 175) | BF_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state, char ...
function BF_MUTATOR_API (line 187) | BF_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function BF_MUTATOR_API (line 211) | BF_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char * state)
function BF_MUTATOR_API (line 230) | BF_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator_state)
function BF_MUTATOR_API (line 241) | BF_MUTATOR_API int FUNCNAME(get_total_iteration_count)(void * mutator_st...
function BF_MUTATOR_API (line 267) | BF_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state, int *...
function BF_MUTATOR_API (line 279) | BF_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char * new_...
function BF_MUTATOR_API (line 289) | BF_MUTATOR_API int FUNCNAME(help)(char **help_str)
FILE: mutators/dictionary_mutator/dictionary_mutator.c
type dictionary_state (line 13) | struct dictionary_state
type dictionary_state_t (line 23) | typedef struct dictionary_state dictionary_state_t;
function DICTIONARY_MUTATOR_API (line 51) | DICTIONARY_MUTATOR_API void init(mutator_t * m)
function dictionary_state_t (line 57) | static dictionary_state_t * setup_options(char * options)
function DICTIONARY_MUTATOR_API (line 107) | DICTIONARY_MUTATOR_API void * FUNCNAME(create)(char * options, char * st...
function DICTIONARY_MUTATOR_API (line 118) | DICTIONARY_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function mutate_inner (line 124) | static int mutate_inner(void * mutator_state, char * buffer, size_t buff...
function DICTIONARY_MUTATOR_API (line 154) | DICTIONARY_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char *...
function DICTIONARY_MUTATOR_API (line 170) | DICTIONARY_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_stat...
function DICTIONARY_MUTATOR_API (line 182) | DICTIONARY_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function DICTIONARY_MUTATOR_API (line 204) | DICTIONARY_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, cha...
function DICTIONARY_MUTATOR_API (line 222) | DICTIONARY_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutato...
function DICTIONARY_MUTATOR_API (line 234) | DICTIONARY_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, cha...
function DICTIONARY_MUTATOR_API (line 247) | DICTIONARY_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_stat...
function DICTIONARY_MUTATOR_API (line 257) | DICTIONARY_MUTATOR_API int FUNCNAME(help)(char **help_str)
FILE: mutators/havoc_mutator/havoc_mutator.c
type havoc_state (line 14) | struct havoc_state
type havoc_state_t (line 22) | typedef struct havoc_state havoc_state_t;
function HAVOC_MUTATOR_API (line 49) | HAVOC_MUTATOR_API void init(mutator_t * m)
function havoc_state_t (line 55) | static havoc_state_t * setup_options(char * options)
function HAVOC_MUTATOR_API (line 84) | HAVOC_MUTATOR_API void * FUNCNAME(create)(char * options, char * state, ...
function HAVOC_MUTATOR_API (line 95) | HAVOC_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function mutate_inner (line 101) | static int mutate_inner(void * mutator_state, char * buffer, size_t buff...
function HAVOC_MUTATOR_API (line 137) | HAVOC_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * buff...
function HAVOC_MUTATOR_API (line 153) | HAVOC_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state, ch...
function HAVOC_MUTATOR_API (line 165) | HAVOC_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function HAVOC_MUTATOR_API (line 187) | HAVOC_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char * s...
function HAVOC_MUTATOR_API (line 205) | HAVOC_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator_state)
function HAVOC_MUTATOR_API (line 217) | HAVOC_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char * n...
function HAVOC_MUTATOR_API (line 230) | HAVOC_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state, in...
function HAVOC_MUTATOR_API (line 240) | HAVOC_MUTATOR_API int FUNCNAME(help)(char **help_str)
FILE: mutators/honggfuzz_mutator/honggfuzz_mutator.c
type string_t (line 20) | typedef struct {
type honggfuzz_state (line 25) | struct honggfuzz_state
type honggfuzz_state_t (line 44) | typedef struct honggfuzz_state honggfuzz_state_t;
function util_RotL (line 100) | static inline uint64_t util_RotL(const uint64_t x, int k)
function util_InternalRnd64 (line 105) | static inline uint64_t util_InternalRnd64(honggfuzz_state_t * state) {
function util_rnd64 (line 115) | uint64_t util_rnd64(honggfuzz_state_t * state) {
function util_rndGet (line 119) | uint64_t util_rndGet(honggfuzz_state_t * state, uint64_t min, uint64_t m...
function util_rndBuf (line 128) | void util_rndBuf(honggfuzz_state_t * state, uint8_t* buf, uint64_t sz) {
function mangle_Overwrite (line 137) | static inline void mangle_Overwrite(honggfuzz_state_t * state, const uin...
function mangle_Move (line 146) | static inline void mangle_Move(honggfuzz_state_t * state, uint64_t off_f...
function mangle_Inflate (line 167) | static void mangle_Inflate(honggfuzz_state_t * state, uint64_t off, uint...
function mangle_MemMove (line 179) | static void mangle_MemMove(honggfuzz_state_t * state) {
function mangle_Byte (line 187) | static void mangle_Byte(honggfuzz_state_t * state) {
function mangle_Bytes (line 192) | static void mangle_Bytes(honggfuzz_state_t * state) {
function mangle_Bit (line 201) | static void mangle_Bit(honggfuzz_state_t * state) {
function mangle_DictionaryInsert (line 206) | static void mangle_DictionaryInsert(honggfuzz_state_t * state) {
function mangle_Dictionary (line 220) | static void mangle_Dictionary(honggfuzz_state_t * state) {
function mangle_Magic (line 232) | static void mangle_Magic(honggfuzz_state_t * state) {
function mangle_MemSet (line 478) | static void mangle_MemSet(honggfuzz_state_t * state) {
function mangle_Random (line 486) | static void mangle_Random(honggfuzz_state_t * state) {
function mangle_AddSub (line 492) | static void mangle_AddSub(honggfuzz_state_t * state) {
function mangle_IncByte (line 558) | static void mangle_IncByte(honggfuzz_state_t * state) {
function mangle_DecByte (line 563) | static void mangle_DecByte(honggfuzz_state_t * state) {
function mangle_NegByte (line 568) | static void mangle_NegByte(honggfuzz_state_t * state) {
function mangle_CloneByte (line 573) | static void mangle_CloneByte(honggfuzz_state_t * state) {
function mangle_Resize (line 582) | static void mangle_Resize(honggfuzz_state_t * state) {
function mangle_Expand (line 586) | static void mangle_Expand(honggfuzz_state_t * state) {
function mangle_Shrink (line 594) | static void mangle_Shrink(honggfuzz_state_t * state) {
function mangle_InsertRnd (line 606) | static void mangle_InsertRnd(honggfuzz_state_t * state) {
function mangle_ASCIIVal (line 615) | static void mangle_ASCIIVal(honggfuzz_state_t * state) {
function mangle_mangleContent (line 623) | static void mangle_mangleContent(honggfuzz_state_t* state) {
function util_decodeCString (line 663) | static size_t util_decodeCString(char* s) {
function input_parseDictionary (line 715) | static int input_parseDictionary(honggfuzz_state_t * state) {
function HONGGFUZZ_MUTATOR_API (line 800) | HONGGFUZZ_MUTATOR_API void init(mutator_t * m)
function honggfuzz_state_t (line 811) | static honggfuzz_state_t * setup_options(char * options)
function HONGGFUZZ_MUTATOR_API (line 856) | HONGGFUZZ_MUTATOR_API void * FUNCNAME(create)(char * options, char * sta...
function clear_dictionary (line 881) | static void clear_dictionary(honggfuzz_state_t * honggfuzz_state)
function HONGGFUZZ_MUTATOR_API (line 903) | HONGGFUZZ_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function HONGGFUZZ_MUTATOR_API (line 920) | HONGGFUZZ_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * ...
function HONGGFUZZ_MUTATOR_API (line 950) | HONGGFUZZ_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state...
function HONGGFUZZ_MUTATOR_API (line 962) | HONGGFUZZ_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function HONGGFUZZ_MUTATOR_API (line 1008) | HONGGFUZZ_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char...
function HONGGFUZZ_MUTATOR_API (line 1056) | HONGGFUZZ_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator...
function HONGGFUZZ_MUTATOR_API (line 1069) | HONGGFUZZ_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state...
function HONGGFUZZ_MUTATOR_API (line 1082) | HONGGFUZZ_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char...
function HONGGFUZZ_MUTATOR_API (line 1092) | HONGGFUZZ_MUTATOR_API int FUNCNAME(help)(char ** help_str)
FILE: mutators/interesting_value_mutator/interesting_value_mutator.c
type interesting_value_state (line 13) | struct interesting_value_state
type interesting_value_state_t (line 23) | typedef struct interesting_value_state interesting_value_state_t;
function INTERESTING_VALUE_MUTATOR_API (line 52) | INTERESTING_VALUE_MUTATOR_API void init(mutator_t * m)
function interesting_value_state_t (line 58) | static interesting_value_state_t * setup_options(char * options)
function INTERESTING_VALUE_MUTATOR_API (line 108) | INTERESTING_VALUE_MUTATOR_API void * FUNCNAME(create)(char * options, ch...
function INTERESTING_VALUE_MUTATOR_API (line 119) | INTERESTING_VALUE_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function mutate_inner (line 125) | static int mutate_inner(void * mutator_state, char * buffer, size_t buff...
function INTERESTING_VALUE_MUTATOR_API (line 155) | INTERESTING_VALUE_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state,...
function INTERESTING_VALUE_MUTATOR_API (line 171) | INTERESTING_VALUE_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutat...
function INTERESTING_VALUE_MUTATOR_API (line 183) | INTERESTING_VALUE_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_...
function INTERESTING_VALUE_MUTATOR_API (line 206) | INTERESTING_VALUE_MUTATOR_API int FUNCNAME(set_state)(void * mutator_sta...
function INTERESTING_VALUE_MUTATOR_API (line 224) | INTERESTING_VALUE_MUTATOR_API int FUNCNAME(get_current_iteration)(void *...
function INTERESTING_VALUE_MUTATOR_API (line 236) | INTERESTING_VALUE_MUTATOR_API int FUNCNAME(set_input)(void * mutator_sta...
function INTERESTING_VALUE_MUTATOR_API (line 249) | INTERESTING_VALUE_MUTATOR_API void FUNCNAME(get_input_info)(void * mutat...
function INTERESTING_VALUE_MUTATOR_API (line 259) | INTERESTING_VALUE_MUTATOR_API int FUNCNAME(help)(char **help_str)
FILE: mutators/multipart_mutator/multipart_mutator.c
type multipart_state_t (line 20) | typedef struct
function get_json_items (line 34) | static int get_json_items(char * json_text, char * attribute_name, char ...
function free_mutator_arrays (line 91) | static void free_mutator_arrays(char ** inputs, size_t * input_lengths, ...
function setup_mutators (line 107) | static int setup_mutators(multipart_state_t * multipart_state, char * mu...
function MULTIPART_MUTATOR_API (line 207) | MULTIPART_MUTATOR_API void init(mutator_t * m)
function multipart_state_t (line 280) | static multipart_state_t * setup_options(char * options, char * input, s...
function MULTIPART_MUTATOR_API (line 317) | MULTIPART_MUTATOR_API void * FUNCNAME(create)(char * options, char * sta...
function MULTIPART_MUTATOR_API (line 339) | MULTIPART_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function MULTIPART_MUTATOR_API (line 365) | MULTIPART_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * ...
function MULTIPART_MUTATOR_API (line 382) | MULTIPART_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state...
function MULTIPART_MUTATOR_API (line 401) | MULTIPART_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function MULTIPART_MUTATOR_API (line 430) | MULTIPART_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char...
function MULTIPART_MUTATOR_API (line 466) | MULTIPART_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator...
function MULTIPART_MUTATOR_API (line 487) | MULTIPART_MUTATOR_API int FUNCNAME(get_total_iteration_count)(void * mut...
function MULTIPART_MUTATOR_API (line 508) | MULTIPART_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state...
function MULTIPART_MUTATOR_API (line 533) | MULTIPART_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char...
function MULTIPART_MUTATOR_API (line 559) | MULTIPART_MUTATOR_API int FUNCNAME(help)(char **help_str)
FILE: mutators/mutator_tester/mutator_tester.c
function main (line 49) | int main(int argc, char *argv[])
function print_usage (line 161) | void print_usage(char *executable_name)
function test_all (line 183) | int test_all(mutator_t * mutator, void * mutator_state, char * mutator_o...
function test_mutate (line 218) | int test_mutate(mutator_t * mutator, void * mutator_state, char * mutato...
function test_state (line 288) | int test_state(mutator_t * mutator, void * mutator_state, char * mutator...
function test_thread_mutate (line 471) | int test_thread_mutate(mutator_t * mutator, void * mutator_state, char *...
function test_run_forever (line 546) | int test_run_forever(mutator_t * mutator, void * mutator_state, char * m...
function test_mutate_parts (line 575) | int test_mutate_parts(mutator_t * mutator, void * mutator_state, char * ...
function test_mutate_once (line 609) | int test_mutate_once(mutator_t * mutator, void * mutator_state, char * m...
FILE: mutators/mutator_tester/mutator_tester.h
type test_info_t (line 20) | typedef struct test_info
FILE: mutators/mutators/afl_helpers.c
function rotl (line 25) | static inline uint64_t rotl(const uint64_t x, int k) {
function rnd64 (line 34) | static inline uint64_t rnd64(mutate_info_t * info) {
function MUTATORS_API (line 45) | MUTATORS_API u32 UR(mutate_info_t * info, u32 limit) {
function MUTATORS_API (line 51) | MUTATORS_API int mutate_one(mutate_info_t * info, mutate_buffer_t * buf,...
function clear_splice_files (line 74) | static void clear_splice_files(mutate_info_t * info)
function MUTATORS_API (line 94) | MUTATORS_API int load_splice_files(mutate_info_t * info, char ** splice_...
function clear_dictionary_files (line 130) | static void clear_dictionary_files(mutate_info_t * info)
function MUTATORS_API (line 145) | MUTATORS_API void cleanup_mutate_info(mutate_info_t * info)
function MUTATORS_API (line 159) | MUTATORS_API int reset_mutate_info(mutate_info_t * info)
function MUTATORS_API (line 173) | MUTATORS_API int add_mutate_info_to_json(json_t * obj, mutate_info_t * i...
function MUTATORS_API (line 227) | MUTATORS_API int get_mutate_info_from_json(char * state, mutate_info_t *...
function u32 (line 316) | static u32 choose_block_len(mutate_info_t * info, u32 limit) {
function locate_diffs (line 352) | static void locate_diffs(u8* ptr1, u8* ptr2, u32 len, s32* first, s32* l...
function u8 (line 381) | static u8 could_be_bitflip(u32 xor_val) {
function u8 (line 409) | static u8 could_be_arith(u32 old_val, u32 new_val, u8 blen) {
function u8 (line 492) | static u8* DMS(u64 val) {
function u8 (line 544) | static u8 could_be_interest(u32 old_val, u32 new_val, u8 blen, u8 check_...
function load_dictionary_file (line 612) | static int load_dictionary_file(mutate_info_t * info, char * fname, u32*...
function MUTATORS_API (line 762) | MUTATORS_API int load_dictionary(mutate_info_t * info, char * path) {
function MUTATORS_API (line 925) | MUTATORS_API int single_walking_bit(mutate_info_t * info, mutate_buffer_...
function MUTATORS_API (line 933) | MUTATORS_API int two_walking_bit(mutate_info_t * info, mutate_buffer_t *...
function MUTATORS_API (line 942) | MUTATORS_API int four_walking_bit(mutate_info_t * info, mutate_buffer_t ...
function MUTATORS_API (line 953) | MUTATORS_API int walking_byte(mutate_info_t * info, mutate_buffer_t * buf)
function MUTATORS_API (line 961) | MUTATORS_API int two_walking_byte(mutate_info_t * info, mutate_buffer_t ...
function MUTATORS_API (line 969) | MUTATORS_API int four_walking_byte(mutate_info_t * info, mutate_buffer_t...
function MUTATORS_API (line 977) | MUTATORS_API int one_byte_arithmetics(mutate_info_t * info, mutate_buffe...
function MUTATORS_API (line 1004) | MUTATORS_API int two_byte_arithmetics(mutate_info_t * info, mutate_buffe...
function MUTATORS_API (line 1040) | MUTATORS_API int four_byte_arithmetics(mutate_info_t * info, mutate_buff...
function MUTATORS_API (line 1075) | MUTATORS_API int interesting_one_byte(mutate_info_t * info, mutate_buffe...
function MUTATORS_API (line 1095) | MUTATORS_API int interesting_two_byte(mutate_info_t * info, mutate_buffe...
function MUTATORS_API (line 1124) | MUTATORS_API int interesting_four_byte(mutate_info_t * info, mutate_buff...
function MUTATORS_API (line 1153) | MUTATORS_API int dictionary_overwrite(mutate_info_t * info, mutate_buffe...
function MUTATORS_API (line 1176) | MUTATORS_API int dictionary_insert(mutate_info_t * info, mutate_buffer_t...
function MUTATORS_API (line 1201) | MUTATORS_API int havoc(mutate_info_t * info, mutate_buffer_t * buf)
function MUTATORS_API (line 1401) | MUTATORS_API int splice_buffers(mutate_info_t * info, mutate_buffer_t * ...
FILE: mutators/mutators/afl_helpers.h
type string_t (line 9) | typedef struct {
type mutate_buffer_t (line 14) | typedef struct {
type mutate_info_t (line 20) | typedef struct {
FILE: mutators/mutators/afl_types.h
type u8 (line 33) | typedef uint8_t u8;
type u16 (line 34) | typedef uint16_t u16;
type u32 (line 35) | typedef uint32_t u32;
type u64 (line 54) | typedef unsigned long long u64;
type u64 (line 56) | typedef uint64_t u64;
type s8 (line 59) | typedef int8_t s8;
type s16 (line 60) | typedef int16_t s16;
type s32 (line 61) | typedef int32_t s32;
type s64 (line 62) | typedef int64_t s64;
FILE: mutators/mutators/mutators.c
function MUTATORS_API (line 6) | MUTATORS_API void default_free_state(char * state)
function MUTATORS_API (line 11) | MUTATORS_API int return_unknown_or_infinite_total_iterations(void * muta...
FILE: mutators/ni_mutator/ni_mutator.c
type sample_t (line 19) | typedef struct sample {
type ni_state (line 24) | struct ni_state
type ni_state_t (line 42) | typedef struct ni_state ni_state_t;
function util_RotL (line 68) | static inline uint64_t util_RotL(const uint64_t x, int k)
function rnd64 (line 73) | static inline uint64_t rnd64(ni_state_t * state) {
function rnd (line 88) | static inline long long rnd(ni_state_t * state) {
function write_all (line 180) | static void write_all(ni_state_t * state, const char *data, size_t n) {
function output_num (line 188) | static void output_num(ni_state_t * state, char *buff, size_t buflen, lo...
function sufscore (line 210) | static int sufscore(const char *a, size_t al, const char *b, size_t bl) {
function aim (line 223) | static void aim(ni_state_t * state, const char *from, size_t fend, const...
function delim_of (line 255) | static int delim_of(char c) {
function drange_start (line 271) | static int drange_start(ni_state_t * state, const char *pos, size_t end,...
function drange_start_of (line 292) | static int drange_start_of(ni_state_t * state, const char *pos, size_t e...
function drange_end (line 313) | static size_t drange_end(ni_state_t * state, const char *data, size_t en...
function drange (line 337) | static int drange(ni_state_t * state, const char *data, size_t end, size...
function other_drange (line 351) | static int other_drange(ni_state_t * state, const char *data, size_t end...
function seek_num (line 371) | static void seek_num(ni_state_t * state, const char *pos, size_t end, si...
function read_num (line 387) | static int read_num(const char *pos, size_t end, long long *res) {
function twiddle (line 399) | static long long twiddle(ni_state_t * state, long long val) {
function mutate_area (line 416) | static void mutate_area(ni_state_t * state, const char *data, size_t end) {
function ni_area (line 614) | static void ni_area(ni_state_t * state, const char *data, size_t end, in...
function ni (line 634) | static void ni(ni_state_t* state) {
function NI_MUTATOR_API (line 671) | NI_MUTATOR_API void init(mutator_t * m)
function ni_state_t (line 682) | static ni_state_t * setup_options(char * options)
function NI_MUTATOR_API (line 742) | NI_MUTATOR_API void * FUNCNAME(create)(char * options, char * state, cha...
function NI_MUTATOR_API (line 769) | NI_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function NI_MUTATOR_API (line 796) | NI_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * buffer,...
function NI_MUTATOR_API (line 830) | NI_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state, char ...
function NI_MUTATOR_API (line 842) | NI_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function NI_MUTATOR_API (line 864) | NI_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char * state)
function NI_MUTATOR_API (line 885) | NI_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator_state)
function NI_MUTATOR_API (line 898) | NI_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state, int *...
function NI_MUTATOR_API (line 911) | NI_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char * new_...
function NI_MUTATOR_API (line 921) | NI_MUTATOR_API int FUNCNAME(help)(char ** help_str)
FILE: mutators/nop_mutator/nop_mutator.c
type nop_state (line 12) | struct nop_state
type nop_state_t (line 18) | typedef struct nop_state nop_state_t;
function NOP_MUTATOR_API (line 36) | NOP_MUTATOR_API void init(mutator_t * m)
function NOP_MUTATOR_API (line 42) | NOP_MUTATOR_API void * FUNCNAME(create)(char * options, char * state, ch...
function NOP_MUTATOR_API (line 61) | NOP_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function NOP_MUTATOR_API (line 68) | NOP_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * buffer...
function NOP_MUTATOR_API (line 91) | NOP_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state, char...
function NOP_MUTATOR_API (line 98) | NOP_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function NOP_MUTATOR_API (line 103) | NOP_MUTATOR_API void FUNCNAME(free_state)(char * mutator_state)
function NOP_MUTATOR_API (line 107) | NOP_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char * state)
function NOP_MUTATOR_API (line 112) | NOP_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator_state)
function NOP_MUTATOR_API (line 125) | NOP_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state, int ...
function NOP_MUTATOR_API (line 138) | NOP_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char * new...
function NOP_MUTATOR_API (line 149) | NOP_MUTATOR_API int FUNCNAME(help)(char** help_str)
FILE: mutators/radamsa_mutator/radamsa_mutator.c
type radamsa_state_t (line 27) | typedef struct radamsa_state
function RADAMSA_MUTATOR_API (line 84) | RADAMSA_MUTATOR_API void init(mutator_t * m)
function RADAMSA_MUTATOR_API (line 100) | RADAMSA_MUTATOR_API radamsa_state_t * setup_options(char * options)
function RADAMSA_MUTATOR_API (line 143) | RADAMSA_MUTATOR_API void * FUNCNAME(create)(char * options, char * state...
function RADAMSA_MUTATOR_API (line 174) | RADAMSA_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function mutate_inner (line 184) | static int mutate_inner(radamsa_state_t * state, char * buffer, size_t b...
function RADAMSA_MUTATOR_API (line 259) | RADAMSA_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * bu...
function RADAMSA_MUTATOR_API (line 277) | RADAMSA_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state, ...
function RADAMSA_MUTATOR_API (line 282) | RADAMSA_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function RADAMSA_MUTATOR_API (line 299) | RADAMSA_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char *...
function RADAMSA_MUTATOR_API (line 313) | RADAMSA_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator_s...
function RADAMSA_MUTATOR_API (line 326) | RADAMSA_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state, ...
function RADAMSA_MUTATOR_API (line 339) | RADAMSA_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char *...
function RADAMSA_MUTATOR_API (line 362) | RADAMSA_MUTATOR_API int FUNCNAME(help)(char** help_str)
function cleanup_process (line 376) | static void cleanup_process(radamsa_state_t * state)
function start_process (line 394) | static int start_process(radamsa_state_t * state)
FILE: mutators/splice_mutator/splice_mutator.c
type splice_state (line 14) | struct splice_state
type splice_state_t (line 22) | typedef struct splice_state splice_state_t;
function SPLICE_MUTATOR_API (line 49) | SPLICE_MUTATOR_API void init(mutator_t * m)
function splice_state_t (line 55) | static splice_state_t * setup_options(char * options)
function SPLICE_MUTATOR_API (line 85) | SPLICE_MUTATOR_API void * FUNCNAME(create)(char * options, char * state,...
function SPLICE_MUTATOR_API (line 96) | SPLICE_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function mutate_inner (line 102) | static int mutate_inner(void * mutator_state, char * buffer, size_t buff...
function SPLICE_MUTATOR_API (line 138) | SPLICE_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * buf...
function SPLICE_MUTATOR_API (line 154) | SPLICE_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state, c...
function SPLICE_MUTATOR_API (line 166) | SPLICE_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function SPLICE_MUTATOR_API (line 188) | SPLICE_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char * ...
function SPLICE_MUTATOR_API (line 206) | SPLICE_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator_st...
function SPLICE_MUTATOR_API (line 219) | SPLICE_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state, i...
function SPLICE_MUTATOR_API (line 231) | SPLICE_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char * ...
function SPLICE_MUTATOR_API (line 241) | SPLICE_MUTATOR_API int FUNCNAME(help)(char **help_str)
FILE: mutators/zzuf_mutator/zzuf_mutator.c
type fuzzing_mode (line 14) | enum fuzzing_mode {
type zzuf_state (line 30) | struct zzuf_state
type zzuf_state_t (line 57) | typedef struct zzuf_state zzuf_state_t;
function zzuf_srand (line 99) | void zzuf_srand(zzuf_state_t * state, uint32_t seed)
function zzuf_rand (line 104) | uint32_t zzuf_rand(zzuf_state_t * state, uint32_t max)
function _zz_isinrange (line 151) | int _zz_isinrange(int64_t value, int64_t const *ranges)
function add_char_range (line 165) | static void add_char_range(unsigned char *table, char const *list)
function _zz_fuzzing (line 231) | static enum fuzzing_mode _zz_fuzzing(char const *mode)
function _zz_fuzz (line 242) | void _zz_fuzz(zzuf_state_t * state, char * buf, int64_t len)
function ZZUF_MUTATOR_API (line 328) | ZZUF_MUTATOR_API void init(mutator_t * m)
function setup_state_from_strings (line 340) | static void setup_state_from_strings(zzuf_state_t * state)
function free_ranges (line 357) | static void free_ranges(zzuf_state_t * state)
function zzuf_state_t (line 375) | static zzuf_state_t * setup_options(char * options)
function ZZUF_MUTATOR_API (line 425) | ZZUF_MUTATOR_API void * FUNCNAME(create)(char * options, char * state, c...
function ZZUF_MUTATOR_API (line 452) | ZZUF_MUTATOR_API void FUNCNAME(cleanup)(void * mutator_state)
function ZZUF_MUTATOR_API (line 470) | ZZUF_MUTATOR_API int FUNCNAME(mutate)(void * mutator_state, char * buffe...
function ZZUF_MUTATOR_API (line 495) | ZZUF_MUTATOR_API int FUNCNAME(mutate_extended)(void * mutator_state, cha...
function ZZUF_MUTATOR_API (line 507) | ZZUF_MUTATOR_API char * FUNCNAME(get_state)(void * mutator_state)
function ZZUF_MUTATOR_API (line 533) | ZZUF_MUTATOR_API int FUNCNAME(set_state)(void * mutator_state, char * st...
function ZZUF_MUTATOR_API (line 564) | ZZUF_MUTATOR_API int FUNCNAME(get_current_iteration)(void * mutator_state)
function ZZUF_MUTATOR_API (line 577) | ZZUF_MUTATOR_API void FUNCNAME(get_input_info)(void * mutator_state, int...
function ZZUF_MUTATOR_API (line 590) | ZZUF_MUTATOR_API int FUNCNAME(set_input)(void * mutator_state, char * ne...
function ZZUF_MUTATOR_API (line 600) | ZZUF_MUTATOR_API int FUNCNAME(help)(char ** help_str)
FILE: picker/main.c
function usage (line 23) | void usage(char * program_name)
function main (line 52) | int main(int argc, char ** argv)
FILE: python/manager/app/encoder.py
class JSONEncoder (line 3) | class JSONEncoder(json.JSONEncoder):
method default (line 4) | def default(self, o):
FILE: python/manager/controller/Config.py
class ConfigCtrl (line 18) | class ConfigCtrl(Resource):
method create (line 19) | def create(self, target_id, job_id, name, value):
method read (line 25) | def read(self, id):
method post (line 30) | def post(self):
method get (line 63) | def get(self):
FILE: python/manager/controller/File.py
class FileCtrl (line 25) | class FileCtrl(Resource):
method create (line 26) | def create(self, contents):
method _get_hash (line 37) | def _get_hash(self, content):
method search (line 41) | def search(self, hash=None, content=None):
method _content_decode (line 61) | def _content_decode(self, args):
method post (line 80) | def post(self):
method get (line 90) | def get(self):
FILE: python/manager/controller/Hello.py
class HelloCtrl (line 4) | class HelloCtrl(Resource):
method get (line 5) | def get(self):
FILE: python/manager/controller/Job.py
class JobCtrl (line 33) | class JobCtrl(Resource):
method read (line 34) | def read(self, id=None, boinc_id=None):
method readAll (line 51) | def readAll(self, target_id):
method create (line 64) | def create(self, data):
method update (line 120) | def update(self, data, id=None, boinc_id=None):
method get (line 138) | def get(self, id=None, boinc_id=None):
method post (line 160) | def post(self):
method put (line 179) | def put(self, id=None, boinc_id=None):
FILE: python/manager/controller/Log.py
class LogCtrl (line 8) | class LogCtrl(Resource):
method post (line 9) | def post(self):
method get (line 18) | def get(self):
FILE: python/manager/controller/Minimize.py
function minimize (line 10) | def minimize(target_id, num_files_per_edge = None):
class MinimizeCtrl (line 42) | class MinimizeCtrl(Resource):
method get (line 43) | def get(self):
FILE: python/manager/controller/Results.py
class ResultsCtrl (line 16) | class ResultsCtrl(Resource):
method create (line 17) | def create(self, data, job_id=None, boinc_id=None):
method read (line 38) | def read(self, job_id=None):
method update (line 49) | def update(self, id, data):
method delete (line 76) | def delete(self, id):
method list (line 88) | def list(self, offset=None, limit=None, job_id=None, boinc_id=None, re...
method get (line 108) | def get(self, job_id=None, boinc_id=None):
method post (line 117) | def post(self, job_id=None, boinc_id=None):
FILE: python/manager/controller/Status.py
class StatusCtrl (line 8) | class StatusCtrl(Resource):
method get (line 9) | def get(self):
FILE: python/manager/controller/Target.py
class TargetCtrl (line 21) | class TargetCtrl(Resource):
method create (line 22) | def create(self, data):
method read (line 33) | def read(self, id):
method update (line 39) | def update(self, id, data):
method list (line 53) | def list(self, offset=0, limit=10000):
method get (line 58) | def get(self, id=None):
method post (line 72) | def post(self):
method put (line 79) | def put(self, id):
method delete (line 85) | def delete(self, id):
FILE: python/manager/controller/Update.py
class UpdateCtrl (line 6) | class UpdateCtrl(Resource):
method get (line 7) | def get(self, hash):
FILE: python/manager/lib/boinc.py
function clean_download_path (line 10) | def clean_download_path(path):
function dir_hier_path (line 20) | def dir_hier_path(filename):
function filename_to_download_path (line 32) | def filename_to_download_path(filename):
function stage_file (line 42) | def stage_file(prefix, contents):
function get_filename (line 56) | def get_filename(prefix, hash):
function _filename_for_contents (line 59) | def _filename_for_contents(prefix, contents):
function submit_job (line 64) | def submit_job(appname, cmdline, seed_file=None, seed_contents=None):
FILE: python/manager/lib/errors.py
class Error (line 1) | class Error(Exception):
class InternalError (line 4) | class InternalError(Error):
class BoincError (line 7) | class BoincError(Error):
class InputError (line 10) | class InputError(Error):
FILE: python/manager/lib/fuzzer.py
function _create_state_file (line 6) | def _create_state_file(state):
function bat_escape (line 15) | def bat_escape(args):
function sh_escape (line 48) | def sh_escape(args):
function format_cmdline (line 55) | def format_cmdline(
FILE: python/manager/model/Config.py
class FuzzingConfig (line 6) | class FuzzingConfig(db.Model):
method __init__ (line 16) | def __init__(self, config_name, config_value, config_id=None, target=0...
method as_dict (line 25) | def as_dict(self):
FILE: python/manager/model/FuzzingJob.py
class fuzz_jobs (line 9) | class fuzz_jobs(db.Model):
method __init__ (line 29) | def __init__(self,
method lookup_config (line 51) | def lookup_config(self, config_type, config_name):
method as_dict (line 75) | def as_dict(self):
FILE: python/manager/model/FuzzingResults.py
class results (line 13) | class results(db.Model):
method __init__ (line 19) | def __init__(self, job_id, repro, type='crash'):
method as_dict (line 24) | def as_dict(self):
FILE: python/manager/model/FuzzingTarget.py
class targets (line 7) | class targets(db.Model):
method __init__ (line 15) | def __init__(self, platform, exe):
method __str__ (line 19) | def __str__(self):
method as_dict (line 22) | def as_dict(self):
FILE: python/manager/model/instrumentation_state.py
class instrumentation_state (line 5) | class instrumentation_state(db.Model):
method __init__ (line 11) | def __init__(self, instrumentation_type, state, target_id):
method as_dict (line 16) | def as_dict(self):
FILE: python/manager/model/job_inputs.py
class job_inputs (line 5) | class job_inputs(db.Model):
method as_dict (line 10) | def as_dict(self):
FILE: python/manager/model/tracer_info.py
class tracer_info (line 5) | class tracer_info(db.Model):
method __init__ (line 12) | def __init__(self, target_id, input_file, from_edge, to_edge):
method as_dict (line 18) | def as_dict(self):
FILE: python/manager/tests/seeds.py
function listseeds (line 11) | def listseeds():
function seed (line 21) | def seed(db, forwhich):
function client_request (line 27) | def client_request(db):
FILE: server/add_target.py
function parse_args (line 31) | def parse_args():
function add_app (line 37) | def add_app(project_file, name, platform):
function create_app_dir (line 48) | def create_app_dir(name, platform):
function create_app_templates (line 71) | def create_app_templates(name, platform):
function add_daemons (line 85) | def add_daemons(config_file, name, platform):
function lock_file (line 106) | def lock_file(filename):
function main (line 112) | def main():
FILE: server/boinc_submit.py
function main (line 12) | def main():
FILE: server/killerbeez_assimilator.py
function clean_download_path (line 21) | def clean_download_path(path):
function filename_to_download_path (line 31) | def filename_to_download_path(path):
function dirname_to_result_type (line 37) | def dirname_to_result_type(dirname):
class KillerbeezAssimilator (line 42) | class KillerbeezAssimilator(assimilator.Assimilator):
method __init__ (line 43) | def __init__(self):
method _stage_file (line 46) | def _stage_file(self, filename):
method _record_job (line 68) | def _record_job(self, wu):
method _record_result (line 80) | def _record_result(self, file_path, result_type, job_id):
method _process_zipfile (line 85) | def _process_zipfile(self, job_id, output_file):
method assimilate_handler (line 105) | def assimilate_handler(self, wu, results, canonical_result):
FILE: tracer/main.c
function usage (line 12) | void usage(char * program_name)
type edge_counts (line 47) | struct edge_counts
function record_edges (line 53) | void record_edges(instrumentation_edges_t * edges, struct edge_counts **...
function main (line 109) | int main(int argc, char ** argv)
FILE: utils/XGetopt.c
function getopt (line 158) | int getopt(int argc, char *argv[], char *optstring)
FILE: utils/global_types.h
type mutator_t (line 22) | typedef struct mutator
FILE: utils/mutator_factory.c
type dirent (line 62) | struct dirent
type stat (line 64) | struct stat
function UTILS_API (line 92) | UTILS_API mutator_t * mutator_factory(char * mutator_filename)
function generate_mutator_filename (line 125) | static void generate_mutator_filename(char * mutator_directory, char * m...
function UTILS_API (line 155) | UTILS_API mutator_t * mutator_factory_directory(char * mutator_directory...
function UTILS_API (line 175) | UTILS_API char * mutator_help(char * mutator_directory)
FILE: utils/utils.c
function UTILS_API (line 48) | UTILS_API wchar_t * convert_char_array_to_wchar(char * string, wchar_t *...
function UTILS_API (line 71) | UTILS_API char * convert_wchar_array_to_char(wchar_t * string, char * ou...
function start_process_and_write_to_stdin_inner (line 95) | static int start_process_and_write_to_stdin_inner(char * cmd_line, char ...
function UTILS_API (line 162) | UTILS_API int start_process_and_write_to_stdin_and_save_pipes_timeout(ch...
function UTILS_API (line 175) | UTILS_API int start_process_and_write_to_stdin(char * cmd_line, char * i...
function UTILS_API (line 189) | UTILS_API int start_process_and_write_to_stdin_flags(char * cmd_line, ch...
function CreateChildProcess (line 203) | static int CreateChildProcess(char * cmd_line, HANDLE read_pipe, HANDLE ...
function UTILS_API (line 265) | UTILS_API int WriteToPipe(HANDLE process, HANDLE pipe_wr, HANDLE pipe_rd...
function UTILS_API (line 303) | UTILS_API int FlushPipe(HANDLE pipe_rd)
function UTILS_API (line 330) | UTILS_API int get_process_status(HANDLE process)
function UTILS_API (line 347) | UTILS_API int get_process_status(pid_t pid)
function UTILS_API (line 382) | UTILS_API char * get_temp_filename(char * suffix)
function UTILS_API (line 449) | UTILS_API int file_exists(char * path)
function UTILS_API (line 461) | UTILS_API int write_buffer_to_file(char * filename, char * buffer, size_...
function UTILS_API (line 504) | UTILS_API char * filename_relative_to_binary_dir(char * relative_path) {
function md5 (line 549) | void md5(uint8_t *buffer, size_t buffer_length, char * output, size_t ou...
type logging_info (line 674) | struct logging_info {
function UTILS_API (line 695) | UTILS_API char * logging_help(void)
function UTILS_API (line 723) | UTILS_API int setup_logging(const char * log_options)
function UTILS_API (line 771) | UTILS_API int log_msg(enum LOG_LEVEL level, const char * msg, ...)
function UTILS_API (line 830) | UTILS_API int read_file(char * filename, char **buffer)
function UTILS_API (line 871) | UTILS_API void print_hex(char * data, size_t size) {
function UTILS_API (line 886) | UTILS_API void * memdup(void * src, size_t length)
function UTILS_API (line 898) | UTILS_API mutex_t create_mutex(void)
function UTILS_API (line 915) | UTILS_API int take_mutex(mutex_t mutex)
function UTILS_API (line 929) | UTILS_API int release_mutex(mutex_t mutex)
function UTILS_API (line 942) | UTILS_API void destroy_mutex(mutex_t mutex)
function UTILS_API (line 961) | UTILS_API semaphore_t create_semaphore(int initial, int max)
function UTILS_API (line 980) | UTILS_API int take_semaphore(semaphore_t semaphore)
function UTILS_API (line 1002) | UTILS_API int release_semaphore(semaphore_t semaphore)
function UTILS_API (line 1015) | UTILS_API void destroy_semaphore(semaphore_t semaphore)
function UTILS_API (line 1039) | UTILS_API int split_command_line(char * cmd_line, char ** executable, ch...
function UTILS_API (line 1088) | UTILS_API int start_process_and_write_to_stdin(char * cmd_line, char * i...
FILE: utils/utils.h
type HANDLE (line 44) | typedef HANDLE mutex_t;
type HANDLE (line 45) | typedef HANDLE semaphore_t;
type pthread_mutex_t (line 47) | typedef pthread_mutex_t * mutex_t;
type sem_t (line 48) | typedef sem_t * semaphore_t;
type LOG_LEVEL (line 88) | enum LOG_LEVEL {
type LOG_LEVEL (line 112) | enum LOG_LEVEL
FILE: winafl/modules.c
function global_module_cache_add (line 47) | static inline void
function thread_module_cache_adjust (line 57) | static inline void
function thread_module_cache_add (line 70) | static inline void
function module_table_entry_free (line 77) | static void
function module_table_load (line 84) | void
function pc_is_in_module (line 135) | static inline bool
function module_entry_t (line 146) | module_entry_t *
function module_table_unload (line 192) | void
function module_table_entry_print (line 204) | void
function module_table_print (line 230) | void
function module_table_t (line 261) | module_table_t *
function module_table_destroy (line 270) | void
FILE: winafl/modules.h
type module_entry_t (line 49) | typedef struct _module_entry_t {
type module_table_t (line 55) | typedef struct _module_table_t {
FILE: winafl/utils.h
function generic_func_t (line 75) | static inline generic_func_t
FILE: winafl/winafl.c
type target_module_t (line 62) | typedef struct _target_module_t {
type winafl_option_t (line 69) | typedef struct _winafl_option_t {
type winafl_data_t (line 93) | typedef struct _winafl_data_t {
type debug_data_t (line 109) | typedef struct _debug_data_t {
type fuzz_target_t (line 114) | typedef struct _fuzz_target_t {
function get_target_modules_length (line 167) | static int get_target_modules_length(target_module_t * target_module)
function event_nudge (line 184) | static void event_nudge(void *drcontext, uint64 argument)
function event_soft_kill (line 216) | static bool event_soft_kill(process_id_t pid, int exit_code)
function dump_winafl_data (line 237) | static void dump_winafl_data()
function onexception (line 250) | static bool onexception(void *drcontext, dr_exception_t *excpt) {
function event_thread_init (line 279) | static void event_thread_init(void *drcontext)
function event_thread_exit (line 318) | static void event_thread_exit(void *drcontext)
function target_module_t (line 338) | static target_module_t * find_target_module(const char * module_name)
function add_target_module (line 353) | static void add_target_module(const char * name)
function dr_emit_flags_t (line 380) | static dr_emit_flags_t instrument_bb_coverage(void *drcontext, void *tag...
function dr_emit_flags_t (line 466) | static dr_emit_flags_t instrument_edge_coverage(void *drcontext, void *t...
function dr_emit_flags_t (line 561) | static dr_emit_flags_t
function pre_fuzz_handler (line 708) | static void pre_fuzz_handler(void *wrapcxt, INOUT void **user_data)
function read_start_fuzz_command (line 746) | static void read_start_fuzz_command()
function setup_shm_and_tls_regions_for_coverage (line 773) | static void setup_shm_and_tls_regions_for_coverage(void *drcontext)
function post_fuzz_handler (line 817) | static void post_fuzz_handler(void *wrapcxt, void *user_data)
function createfilew_interceptor (line 856) | static void createfilew_interceptor(void *wrapcxt, INOUT void **user_data)
function createfilea_interceptor (line 871) | static void createfilea_interceptor(void *wrapcxt, INOUT void **user_data)
function verfierstopmessage_interceptor_pre (line 879) | static void
function event_module_unload (line 898) | static void event_module_unload(void *drcontext, const module_data_t *info)
function event_module_load (line 911) | static void event_module_load(void *drcontext, const module_data_t *info...
function event_exit (line 963) | static void event_exit(void)
function event_init (line 997) | static void event_init(void)
function HANDLE (line 1043) | static HANDLE setup_pipe(const char * pipe_name, DWORD access)
function setup_comms_pipe (line 1069) | static void setup_comms_pipe()
function setup_per_module_shmem (line 1122) | static void setup_per_module_shmem() {
function setup_shmem (line 1138) | static void
function read_module_file (line 1147) | static void read_module_file(const char * filename)
function options_init (line 1173) | static void options_init(client_id_t id, int argc, const char *argv[])
function DR_EXPORT (line 1319) | DR_EXPORT void dr_client_main(client_id_t id, int argc, const char *argv[])
Condensed preview — 406 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (2,151K chars).
[
{
"path": ".gitattributes",
"chars": 2518,
"preview": "###############################################################################\n# Set default behavior to automatically "
},
{
"path": ".gitignore",
"chars": 5326,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n\n# User"
},
{
"path": ".gitlab-ci.yml",
"chars": 1969,
"preview": "stages:\n - test\n - release\n\nbuild-windows-vs2017:\n script:\n - call tools\\release_vs2017.bat\n variables:\n GIT_S"
},
{
"path": ".gitmodules",
"chars": 90,
"preview": "[submodule \"server/boinc\"]\n\tpath = server/boinc\n\turl = https://github.com/BOINC/boinc.git\n"
},
{
"path": "APLv2",
"chars": 11358,
"preview": "\n Apache License\n Version 2.0, January 2004\n "
},
{
"path": "CMakeLists.txt",
"chars": 5149,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (killerbeez)\ninclude(ExternalProject)\n\nset(CMAKE_C_FLAGS_DEBUG \"${CMAKE_C"
},
{
"path": "LICENSE",
"chars": 1680,
"preview": "Unless otherwise marked, this license applies to all code in this repository.\n\nUniversity of Illinois/NCSA Open Source L"
},
{
"path": "Makefile",
"chars": 101,
"preview": ".PHONY=all clean docs\n\nall: docs\n\ndocs:\n\t# Defer to the Makefile in the docs directory\n\tmake -C docs\n"
},
{
"path": "README.md",
"chars": 9366,
"preview": "# Killerbeez\n\nKillerbeez is a modular fuzzing framework that aims to bring awesome tools\ntogether into a standard format"
},
{
"path": "afl_progs/Makefile",
"chars": 3691,
"preview": "#\n# american fuzzy lop - makefile\n# -----------------------------\n#\n# Originally written and maintained by Michal Zalews"
},
{
"path": "afl_progs/afl-as.c",
"chars": 15273,
"preview": "/*\n american fuzzy lop - wrapper for GNU as\n ---------------------------------------\n\n Written and maintained by M"
},
{
"path": "afl_progs/afl-as.h",
"chars": 22522,
"preview": "/*\n american fuzzy lop - injectable parts\n -------------------------------------\n\n Written and maintained by Micha"
},
{
"path": "afl_progs/afl-gcc.c",
"chars": 8597,
"preview": "/*\n american fuzzy lop - wrapper for GCC and clang\n ----------------------------------------------\n\n Written and m"
},
{
"path": "afl_progs/afl-showmap.c",
"chars": 16527,
"preview": "/*\n american fuzzy lop - map display utility\n ----------------------------------------\n\n Written and maintained by"
},
{
"path": "afl_progs/alloc-inl.h",
"chars": 12565,
"preview": "/*\n american fuzzy lop - error-checking, memory-zeroing alloc routines\n --------------------------------------------"
},
{
"path": "afl_progs/config.h",
"chars": 11119,
"preview": "/*\n american fuzzy lop - vaguely configurable bits\n ----------------------------------------------\n\n Written and m"
},
{
"path": "afl_progs/debug.h",
"chars": 6574,
"preview": "/*\n american fuzzy lop - debug / error handling macros\n --------------------------------------------------\n\n Writt"
},
{
"path": "afl_progs/hash.h",
"chars": 2065,
"preview": "/*\n american fuzzy lop - hashing function\n -------------------------------------\n\n The hash32() function is a vari"
},
{
"path": "afl_progs/llvm_mode/Makefile",
"chars": 4603,
"preview": "#\n# american fuzzy lop - LLVM instrumentation\n# -----------------------------------------\n#\n# Written by Laszlo Szekeres"
},
{
"path": "afl_progs/llvm_mode/README.llvm",
"chars": 7918,
"preview": "============================================\nFast LLVM-based instrumentation for afl-fuzz\n=============================="
},
{
"path": "afl_progs/llvm_mode/afl-clang-fast.c",
"chars": 9685,
"preview": "/*\n american fuzzy lop - LLVM-mode wrapper for clang\n ------------------------------------------------\n\n Written b"
},
{
"path": "afl_progs/llvm_mode/afl-llvm-pass.so.cc",
"chars": 4933,
"preview": "/*\n american fuzzy lop - LLVM-mode instrumentation pass\n ---------------------------------------------------\n\n Wri"
},
{
"path": "afl_progs/llvm_mode/afl-llvm-rt.o.c",
"chars": 9011,
"preview": "/*\n american fuzzy lop - LLVM instrumentation bootstrap\n ---------------------------------------------------\n\n Wri"
},
{
"path": "afl_progs/qemu_mode/README.qemu",
"chars": 5997,
"preview": "\nThis directory contains the build script and patches for the QEMU-based\ninstrumentation. This instrumentation is copied"
},
{
"path": "afl_progs/qemu_mode/build_qemu_support.sh",
"chars": 4066,
"preview": "#!/bin/sh\n#\n# american fuzzy lop - QEMU build script\n# --------------------------------------\n#\n# Written by Andrew Grif"
},
{
"path": "afl_progs/qemu_mode/patches/afl-qemu-cpu-inl.h",
"chars": 8652,
"preview": "/*\n american fuzzy lop - high-performance binary-only instrumentation\n ---------------------------------------------"
},
{
"path": "afl_progs/qemu_mode/patches/afl-qemu-translate-inl.h",
"chars": 2851,
"preview": "/*\n american fuzzy lop - high-performance binary-only instrumentation\n ---------------------------------------------"
},
{
"path": "afl_progs/qemu_mode/patches/afl_qemu_optimize_entrypoint.diff",
"chars": 943,
"preview": "--- qemu-2.10.0/linux-user/elfload.c.orig\t2018-03-16 11:43:21.000000000 +0100\n+++ qemu-2.10.0/linux-user/elfload.c\t2018-"
},
{
"path": "afl_progs/qemu_mode/patches/configure.diff",
"chars": 186,
"preview": "--- a/configure\n+++ b/configure\n@@ -3855,7 +3855,7 @@ fi\n # check if memfd is supported\n memfd=no\n cat > $TMPC << EOF\n-#"
},
{
"path": "afl_progs/qemu_mode/patches/cpu-exec.diff",
"chars": 1617,
"preview": "--- qemu-2.10.0-clean/accel/tcg/cpu-exec.c\t2017-08-30 18:50:40.000000000 +0200\n+++ qemu-2.10.0/accel/tcg/cpu-exec.c\t2018"
},
{
"path": "afl_progs/qemu_mode/patches/elfload.diff",
"chars": 2088,
"preview": "--- qemu-2.10.0.orig/linux-user/elfload.c\t2017-08-30 18:50:41.000000000 +0200\n+++ qemu-2.10.0/linux-user/elfload.c\t2018-"
},
{
"path": "afl_progs/qemu_mode/patches/memfd.diff",
"chars": 260,
"preview": "--- a/util/memfd.c\n+++ b/util/memfd.c\n@@ -31,9 +31,7 @@\n \n #include \"qemu/memfd.h\"\n \n-#ifdef CONFIG_MEMFD\n-#include <sys"
},
{
"path": "afl_progs/qemu_mode/patches/syscall.diff",
"chars": 987,
"preview": "--- qemu-2.10.0-rc3-clean/linux-user/syscall.c\t2017-08-15 11:39:41.000000000 -0700\n+++ qemu-2.10.0-rc3/linux-user/syscal"
},
{
"path": "afl_progs/qemu_mode/patches/translate-all.diff",
"chars": 542,
"preview": "--- a/accel/tcg/translate-all.c\t2017-08-30 18:50:40.000000000 +0200\n+++ b/accel/tcg/translate-all.c\t2018-09-21 10:19:42."
},
{
"path": "afl_progs/test-instr.c",
"chars": 789,
"preview": "/*\n american fuzzy lop - a trivial program to test the build\n ------------------------------------------------------"
},
{
"path": "afl_progs/types.h",
"chars": 2292,
"preview": "/*\n american fuzzy lop - type definitions and minor macros\n ------------------------------------------------------\n\n"
},
{
"path": "corpus/CMakeLists.txt",
"chars": 751,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (corpus)\n\n# All of the Windows test programs have precompiled versions, a"
},
{
"path": "corpus/afl_test/Makefile",
"chars": 1816,
"preview": "\n\nall: test test32 test-qemu test-fast test-fast-persist test-fast-persist-hang test-fast-deferred test-fast-persist-def"
},
{
"path": "corpus/afl_test/test.c",
"chars": 807,
"preview": "#include <string.h>\n#include <stdio.h>\n#include <unistd.h>\n\nint test_func()\n{\n char buffer[4];\n char * nil = NULL;\n m"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/README.md",
"chars": 2496,
"preview": "# REMATCH_2--Mail_Server--Crackaddr\n\n## Author Information\n\ndebbie@cromulence.com\n\n### DARPA performer group\nCromulence "
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/inputs/ADDRESSBOOK.txt",
"chars": 17,
"preview": "ADDRESSBOOK\nQUIT\n"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/inputs/LIST.txt",
"chars": 10,
"preview": "LIST\nQUIT\n"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/inputs/LISTALL.txt",
"chars": 13,
"preview": "LISTALL\nQUIT\n"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/inputs/POST.txt",
"chars": 10,
"preview": "POST\nQUIT\n"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/inputs/READ.txt",
"chars": 10,
"preview": "READ\nQUIT\n"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/inputs/crash.txt",
"chars": 1111,
"preview": "POST sender:sender!recipient:+BCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcCcJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_ctype.h",
"chars": 1407,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_libc.h",
"chars": 1860,
"preview": "/*\n\nAuthor: Debbie Nuttall <debbie@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, fre"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_malloc.h",
"chars": 1269,
"preview": "/*\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_math.h",
"chars": 1324,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_prng.h",
"chars": 1395,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_shell.h",
"chars": 1252,
"preview": "/*\n\nAuthor: Debbie Nuttall <debbie@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, fre"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_stdarg.h",
"chars": 1388,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_stdint.h",
"chars": 1428,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_stdio.h",
"chars": 1543,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_stdlib.h",
"chars": 1592,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/cgc_string.h",
"chars": 1664,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/ctype.c",
"chars": 2190,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/libc.c",
"chars": 7300,
"preview": "/*\n\nAuthor: Debbie Nuttall <debbie@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, fre"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/malloc.c",
"chars": 6258,
"preview": "/*\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/math.c",
"chars": 1560,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/prng.c",
"chars": 3210,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/shell.c",
"chars": 2170,
"preview": "/*\n\nAuthor: Debbie Nuttall <debbie@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, fre"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/stdio.c",
"chars": 16755,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/stdlib.c",
"chars": 4525,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/lib/string.c",
"chars": 3936,
"preview": "/*\n\nCopyright (c) 2015 Cromulence LLC\n\nAuthors: Cromulence <cgc@cromulence.com>\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/notes.txt",
"chars": 229,
"preview": "In the compiled REMATCH_2--Mail_Server--Crackaddr.exe executable, the main\nfunction is at offset 0x8340 (0x408340 addres"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/src/cgc_crackaddr.h",
"chars": 173,
"preview": "#ifndef CRACKADDR_H\n#define CRACKADDR_H\n\n#define MAX_LINE 2500\n#define MAX_NAME 1024\n\n#define TRUE 1\n#define FALSE 0\n\nch"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/src/cgc_sendmail.h",
"chars": 2171,
"preview": "/*\n\nAuthor: Debbie Nuttall <debbie@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, fre"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/src/crackaddr.c",
"chars": 3062,
"preview": " /*\n\nAuthor: Debbie Nuttall <debbie@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, fr"
},
{
"path": "corpus/cgc/REMATCH_2--Mail_Server--Crackaddr/src/sendmail.c",
"chars": 10228,
"preview": "/*\n\nAuthor: Debbie Nuttall <debbie@cromulence.com>\n\nCopyright (c) 2015 Cromulence LLC\n\nPermission is hereby granted, fre"
},
{
"path": "corpus/cgc/SOLFEDGE/README.md",
"chars": 3574,
"preview": "# CGC Challenge Binary Template\n\n## Author Information\n\n\"Nick Davis\" <info@narfindustries.com>\n\n### DARPA performer grou"
},
{
"path": "corpus/cgc/SOLFEDGE/lib/cgc_libc.h",
"chars": 1722,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/SOLFEDGE/lib/libc.c",
"chars": 2446,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/SOLFEDGE/notes.txt",
"chars": 99,
"preview": "In the compiled SOLFEDGE.exe executable, the main function is at offset 0x23E0\n(0x4023E0 address).\n"
},
{
"path": "corpus/cgc/SOLFEDGE/src/cgc_operation.h",
"chars": 2429,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/SOLFEDGE/src/cgc_service.h",
"chars": 1191,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/SOLFEDGE/src/operation.c",
"chars": 9618,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/SOLFEDGE/src/service.c",
"chars": 2182,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/README.md",
"chars": 2457,
"preview": "# CGC Challenge Binary 00024 - String Storage and Retrieval\n\n## Author Information\n\nSteve Wood <swood@cromulence.co>\n\n##"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/inputs/crash.txt",
"chars": 36,
"preview": "a/\u0001aaaaaaaa\na/gaaaaaaaa\nd/gaaaaaaaa\n"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/inputs/input.txt",
"chars": 38,
"preview": "a/one\na/two\na/three\nf/two\nd/two\nw\ns\nx\n"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/lib/cgc_mymath.h",
"chars": 1244,
"preview": "/*\n\nAuthor: Jason Williams <jdw@cromulence.com>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free o"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/lib/cgc_stdarg.h",
"chars": 1437,
"preview": "/*\n\nAuthor: Jason Williams <jdw@cromulence.com>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free o"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/lib/cgc_stdint.h",
"chars": 1426,
"preview": "/*\n\nAuthor: Jason Williams <jdw@cromulence.com>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free o"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/lib/cgc_stdlib.h",
"chars": 2978,
"preview": "/*\n\nAuthor: Jason Williams <jdw@cromulence.com>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free o"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/lib/malloc.c",
"chars": 9510,
"preview": "/*\n\nAuthor: Jason Williams <jdw@cromulence.com>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free o"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/lib/mymath.c",
"chars": 1833,
"preview": "/*\n\nAuthor: Jason Williams <jdw@cromulence.com>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free o"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/lib/new_printf.c",
"chars": 22652,
"preview": "/*\n\nAuthor: Jason Williams <jdw@cromulence.co>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free of"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/lib/stdlib.c",
"chars": 11613,
"preview": "/*\n\nAuthor: Jason Williams <jdw@cromulence.com>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free o"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/notes.txt",
"chars": 119,
"preview": "In the compiled String_Storage_and_Retrieval.exe executable, the main function\nis at offset 0x6ac0 (0x406ac0 address).\n"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/src/bst.c",
"chars": 9668,
"preview": "/*\n\nAuthor: Steve Wood <swood@cromulence.co>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/src/delete_matches.c",
"chars": 1312,
"preview": "/*\n\nAuthor: Steve Wood <swood@cromulence.co>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/src/find_matches.c",
"chars": 1683,
"preview": "/*\n\nAuthor: Steve Wood <swood@cromulence.co>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/src/parse.c",
"chars": 2126,
"preview": "/*\n\nAuthor: Steve Wood <swood@cromulence.co>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/src/service.c",
"chars": 3460,
"preview": "/*\n\nAuthor: Steve Wood <swood@cromulence.co>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/String_Storage_and_Retrieval/src/string_token.c",
"chars": 1393,
"preview": "/*\n\nAuthor: Steve Wood <swood@cromulence.co>\n\nCopyright (c) 2014 Cromulence LLC\n\nPermission is hereby granted, free of c"
},
{
"path": "corpus/cgc/UTF-late/README.md",
"chars": 2306,
"preview": "# CGC Challenge Binary Template\n\n## Author Information\n\n\"Maxwell Koo\" <info@narfindustries.com>\n\n### DARPA performer gro"
},
{
"path": "corpus/cgc/UTF-late/lib/cgc_libc.h",
"chars": 7113,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/UTF-late/lib/cgc_list.h",
"chars": 14388,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/UTF-late/lib/cgc_utf8.h",
"chars": 1719,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/UTF-late/lib/cgc_vfs.h",
"chars": 2434,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/UTF-late/lib/libc.c",
"chars": 38412,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/UTF-late/lib/malloc.c",
"chars": 7525,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/UTF-late/lib/utf8.c",
"chars": 4245,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/UTF-late/lib/vfs.c",
"chars": 8201,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/UTF-late/notes.txt",
"chars": 99,
"preview": "In the compiled UTF-late.exe executable, the main function is at offset 0x4540\n(0x404540 address).\n"
},
{
"path": "corpus/cgc/UTF-late/src/service.c",
"chars": 4844,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/cotton_swab_arithmetic/README.md",
"chars": 3623,
"preview": "# INTERPRETTHIS Challenge Binary\n\n## Author Information\n\n\"Narf Industries\" <info@narfindustries.com>\n\n### DARPA performe"
},
{
"path": "corpus/cgc/cotton_swab_arithmetic/lib/cgc_libc.h",
"chars": 2201,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/cotton_swab_arithmetic/lib/libc.c",
"chars": 37828,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/cotton_swab_arithmetic/notes.txt",
"chars": 113,
"preview": "In the compiled cotton_swab_arithmetic.exe executable, the main function is at\noffset 0x1D30 (0x401D30 address).\n"
},
{
"path": "corpus/cgc/cotton_swab_arithmetic/src/cgc_service.h",
"chars": 3676,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/cgc/cotton_swab_arithmetic/src/service.c",
"chars": 13586,
"preview": "/*\n * Copyright (C) Narf Industries <info@narfindustries.com>\n *\n * Permission is hereby granted, free of charge, to any"
},
{
"path": "corpus/google/README.md",
"chars": 151,
"preview": "The fuzzing test corpus in this directory is taken from google's fuzzer test\nsuite, which can be found at https://github"
},
{
"path": "corpus/google/vorbis/build.sh",
"chars": 1341,
"preview": "#!/bin/bash\n# Copyright 2017 Google Inc. All Rights Reserved.\n# Licensed under the Apache License, Version 2.0 (the \"Lic"
},
{
"path": "corpus/google/vorbis/decode_fuzzer.cc",
"chars": 1871,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/stat.h>\n#include <cstdint>\n#include <vorbis/vor"
},
{
"path": "corpus/google/vorbis/decode_fuzzer.exe.stackdump",
"chars": 1383,
"preview": "Exception: STATUS_ACCESS_VIOLATION at rip=001004283AA\nrax=4200000042000000 rbx=0000000000000000 rcx=000006FFFFCD0010\nrdx"
},
{
"path": "corpus/google/vorbis/notes.txt",
"chars": 701,
"preview": "See https://github.com/google/fuzzer-test-suite/tree/master/vorbis-2017-12-11\nfor more information.\n\nFuzzing benchmark f"
},
{
"path": "corpus/hang/CMakeLists.txt",
"chars": 117,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (hang-linux)\n\nadd_executable(hang-linux ${PROJECT_SOURCE_DIR}/hang.c)\n"
},
{
"path": "corpus/hang/hang.c",
"chars": 26,
"preview": "int main()\n{\n\twhile(1);\n}\n"
},
{
"path": "corpus/libtest/CMakeLists.txt",
"chars": 443,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (libtest)\n\nadd_executable(libtest ${PROJECT_SOURCE_DIR}/test.c)\nadd_"
},
{
"path": "corpus/libtest/lib1.c",
"chars": 486,
"preview": "#include <stdio.h>\n\nint test_func1(char * buffer)\n{\n char * nil = NULL;\n\n if (buffer[0] == 'A')\n {\n if (buffer[1] "
},
{
"path": "corpus/libtest/lib2.c",
"chars": 486,
"preview": "#include <stdio.h>\n\nint test_func2(char * buffer)\n{\n char * nil = NULL;\n\n if (buffer[0] == 'E')\n {\n if (buffer[1] "
},
{
"path": "corpus/libtest/libs.h",
"chars": 75,
"preview": "#pragma once\nint test_func1(char * buffer);\nint test_func2(char * buffer);\n"
},
{
"path": "corpus/libtest/test.c",
"chars": 208,
"preview": "#include \"libs.h\"\n#include <string.h>\n#include <unistd.h>\n\nint main()\n{\n char buffer[4];\n memset(buffer, 0, 4);\n read"
},
{
"path": "corpus/network/CMakeLists.txt",
"chars": 202,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (network-linux)\n\nadd_executable(server-linux ${PROJECT_SOURCE_DIR}/server"
},
{
"path": "corpus/network/client/client.cpp",
"chars": 2210,
"preview": "#ifdef _WIN32\n#define _WINSOCK_DEPRECATED_NO_WARNINGS\n#include <Winsock2.h>\n#include <Windows.h>\n#else\n#include <sys/typ"
},
{
"path": "corpus/network/client/client.vcxproj",
"chars": 8450,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.microso"
},
{
"path": "corpus/network/client/client.vcxproj.filters",
"chars": 939,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "corpus/network/close.txt",
"chars": 5,
"preview": "@BCD\n"
},
{
"path": "corpus/network/multipart.txt",
"chars": 38,
"preview": "[\"::MEM::40424344\",\"::MEM::BBBBBBBB\"]\n"
},
{
"path": "corpus/network/network.sln",
"chars": 2138,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio 15\nVisualStudioVersion = 15.0.27428.2002\nM"
},
{
"path": "corpus/network/server/server.cpp",
"chars": 5008,
"preview": "// linux: compile with gcc -o server-linux server.cpp\n// windows: compile w/ visual studio\n#ifdef _WIN32\n#define _WINSOC"
},
{
"path": "corpus/network/server/server.vcxproj",
"chars": 8397,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.microso"
},
{
"path": "corpus/network/server/server.vcxproj.filters",
"chars": 939,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "corpus/persist/CMakeLists.txt",
"chars": 890,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (persist)\n\nset(PERSIST_SRC ${PROJECT_SOURCE_DIR}/test.c)\n\nadd_executable("
},
{
"path": "corpus/persist/test.c",
"chars": 923,
"preview": "#include <string.h>\n#include <stdio.h>\n#include <unistd.h>\n\n#if defined(PERSIST) || defined(DEFERRED_NOHOOK)\n#include <f"
},
{
"path": "corpus/test/CMakeLists.txt",
"chars": 117,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (test-linux)\n\nadd_executable(test-linux ${PROJECT_SOURCE_DIR}/test.c)\n"
},
{
"path": "corpus/test/inputs/close.txt",
"chars": 4,
"preview": "@BCD"
},
{
"path": "corpus/test/inputs/crash.txt",
"chars": 4,
"preview": "ABCD"
},
{
"path": "corpus/test/inputs/input.txt",
"chars": 4,
"preview": "AAAA"
},
{
"path": "corpus/test/inputs/multipart.txt",
"chars": 85,
"preview": "[\"::MEM::41414141414141414141414141414141\",\"::MEM::42424242424242424242424242424242\"]"
},
{
"path": "corpus/test/inputs/telnet_multipart.txt",
"chars": 93,
"preview": "[\"::MEM::fffb01fffb01fffb01\",\"::MEM::fffb03fffd18fffd1f\",\"::MEM::68656c6c6f20776f726c640a0d\"]"
},
{
"path": "corpus/test/notes.txt",
"chars": 388,
"preview": "test.c is just a very simple testcase to make sure our instrumentation is\nworking as expected. It looks at the first 4 "
},
{
"path": "corpus/test/test.c",
"chars": 693,
"preview": "#include <string.h>\n#include <stdio.h>\n\nint main(int argc, char ** argv)\n{\n\tchar buffer[4];\n\tchar * nil = NULL;\n\tFILE * "
},
{
"path": "docs/AFL.md",
"chars": 10732,
"preview": "# AFL based Instrumentation\n\nThe AFL instrumentation module provides coverage information for the target\nprogram. The AF"
},
{
"path": "docs/BUILD.md",
"chars": 5881,
"preview": "# Build Instructions\n\nThis document describes the process of compiling Killerbeez on Linux and\nWindows.\n\n## Windows\n\n###"
},
{
"path": "docs/CI.md",
"chars": 2391,
"preview": "# Setting Up GitLab CI Runners for Killerbeez\n\nWe use GitLab to develop Killerbeez internally; these are the instruction"
},
{
"path": "docs/DynamoRIO.md",
"chars": 5032,
"preview": "# DynamoRIO Persistence Mode\n\nThe DynamoRIO instrumentation module provides coverage information for the\ntarget program."
},
{
"path": "docs/IPT.md",
"chars": 16397,
"preview": "# Intel Processor Trace Instrumentation\n\nThe Intel Processor Trace (IPT) instrumentation module provides coverage\ninform"
},
{
"path": "docs/Server.md",
"chars": 14562,
"preview": "# Client/Server Operation using BOINC\n\n## Installation\n\n### Server (Tested on Ubuntu 16.04)\n1. Install required software"
},
{
"path": "docs/api/Makefile",
"chars": 308,
"preview": ".PHONY=all clean\nTYPESETTER=pdflatex\n\nall: api.pdf\n\nclean:\n\trm -f *.out *.aux *.toc *.out *.log *.pdf\n\napi.pdf: api.tex "
},
{
"path": "docs/api/README.txt",
"chars": 1003,
"preview": "# API Documentation\n\nThis directory contains all the documentation for the KILLERBEEZ API. This \nmeans it includes the "
},
{
"path": "docs/api/api.tex",
"chars": 1890,
"preview": "\\documentclass{article}\n\\input{defines}\n\\input{packages}\n\\input{coverpage}\n\n\\title{\\killerbeez{} API}\n\\author{GRIMM}\n\\da"
},
{
"path": "docs/api/api_driver.tex",
"chars": 4889,
"preview": "The driver will be the component that runs the program being fuzzed. The driver\nshould start the program, feed in the i"
},
{
"path": "docs/api/api_instrumentation.tex",
"chars": 11811,
"preview": "The instrumentation modules are what track the state of a process and\ndetermine if a path through the process is new. T"
},
{
"path": "docs/api/api_mutator.tex",
"chars": 9733,
"preview": "The mutator modules are what actually mutate the seed buffers. These would\ninclude things like a bit flipper, byte mung"
},
{
"path": "docs/api/api_structures.tex",
"chars": 2252,
"preview": "This section describes the structures used throughout the API. For each of the\ntop level components, there is a structu"
},
{
"path": "docs/api/coverpage.tex",
"chars": 267,
"preview": "\\makeatletter \n\\def\\@maketitle{\n \\begin{center}\n {\\Huge \\bfseries \\sffamily \\@title }\\\\[3ex]\n {"
},
{
"path": "docs/api/defines.tex",
"chars": 277,
"preview": "% 1 = definition, 2 = description, 3 = args/return value\n\\def\\api#1#2#3{\n\\bigskip\n% Can't make \\texttt bold...\n% Maybe u"
},
{
"path": "docs/api/files/driver_t.c",
"chars": 287,
"preview": "struct driver\n{\n void (*cleanup)(void * driver_state);\n int (*test_input)(void * driver_state, char * buffer, size_t l"
},
{
"path": "docs/api/files/instrumentation_edge_t.c",
"chars": 184,
"preview": "struct instrumentation_edge\n{\n#ifdef _M_X64\n uint64_t from;\n uint64_t to;\n#else\n uint32_t from;\n uint32_t to;\n#endif"
},
{
"path": "docs/api/files/instrumentation_t.c",
"chars": 838,
"preview": "struct instrumentation\n{\n void *(*create)(char * options, char * state);\n void(*cleanup)(void * instrumentation_state)"
},
{
"path": "docs/api/files/mutator_t.c",
"chars": 805,
"preview": "typedef struct mutator\n{\n void * (*create)(char * options, char * state, char * input,\n size_t input_length);\n void"
},
{
"path": "docs/api/helpers.tex",
"chars": 1434,
"preview": "In addition to the fuzzer, a few other utilities have been created that help\nwith the fuzzing process. This section des"
},
{
"path": "docs/api/packages.tex",
"chars": 138,
"preview": "\\usepackage{textcomp}\n\\usepackage{listings}\n\\lstset{basicstyle=\\ttfamily\\small,showstringspaces=false,upquote=true}\n\\use"
},
{
"path": "docs/paper/Makefile",
"chars": 370,
"preview": ".PHONY=all clean\nTYPESETTER=pdflatex\n\nall: killerbeez.pdf\n\nclean:\n\trm -f *.out *.aux *.toc *.out *.log *.pdf\n\nkillerbeez"
},
{
"path": "docs/paper/abstract.tex",
"chars": 1182,
"preview": "\\textbf{\\textit{Abstract}}:\nThe trend of people increasingly relying on software has continued for\nseveral decades and s"
},
{
"path": "docs/paper/acknowledgments.tex",
"chars": 362,
"preview": "This research was started through an internal research program funded at GRIMM.\nThe authors would like to thank Brian Sc"
},
{
"path": "docs/paper/background.tex",
"chars": 3021,
"preview": "There are a huge number of fuzzing tools\\cite{afl,aflosx,winafl,peach22,syzkaller,ossfuzz,driller,radamsa,ni,zzuf,synfuz"
},
{
"path": "docs/paper/conclusion.tex",
"chars": 735,
"preview": "In this paper, we present Killerbeez, a fuzzing framework that integrates many\ndisparate research projects so that they "
},
{
"path": "docs/paper/data/Makefile",
"chars": 72,
"preview": "\nall: image\n\nimage:\n\tgnuplot < picker.gnuplot\n\nclean:\n\trm -f picker.svg\n"
},
{
"path": "docs/paper/data/picker.gnuplot",
"chars": 841,
"preview": "set terminal pngcairo background \"#ffffff\" enhanced fontscale 1.0 dashlength 2\nset output '../picker.png'\n\nset title \"D"
},
{
"path": "docs/paper/future_work.tex",
"chars": 7152,
"preview": "The short-term focus will be to incorporate existing technologies from other\nprojects and get them integrated with Kille"
},
{
"path": "docs/paper/implementation.tex",
"chars": 31197,
"preview": "Killerbeez is an interoperable fuzzing architecture that is\nenvironment- and platform-independent. It consists of driver"
},
{
"path": "docs/paper/introduction.tex",
"chars": 3584,
"preview": "Over the past few years, coverage-guided fuzzing has become a popular way to\nfind software and hardware vulnerabilities "
},
{
"path": "docs/paper/killerbeez.tex",
"chars": 3019,
"preview": "\\documentclass[twocolumn]{article}\n\\input{packages}\n\n\\title{Killerbeez: Fuzzing Framework to Bring Together the State of"
},
{
"path": "docs/paper/overview.tex",
"chars": 19550,
"preview": "The core components of Killerbeez can be split into two logical categories\nof orchestration and handling interactions wi"
},
{
"path": "docs/paper/packages.tex",
"chars": 244,
"preview": "\\usepackage{enumitem}\n\\usepackage[margin=0.75in]{geometry}\n\\usepackage{graphicx}\n% Allow breaking urls at hyphens (https"
},
{
"path": "docs/paper/references.tex",
"chars": 9737,
"preview": "\\begin{thebibliography}{99} % two-digit numbers, max\n\n\\bibitem{afl}\n Michal Zalewski. % Author\n \\textit{American Fuzzy"
},
{
"path": "docs/paper/related_work.tex",
"chars": 4923,
"preview": "There are projects which have addressed some of the aspects covered by Killerbeez\nsuch as platform independence, distrib"
},
{
"path": "driver/CMakeLists.txt",
"chars": 653,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (driver)\n\nSET(DRIVER_SRC\n\t${PROJECT_SOURCE_DIR}/driver.c\n\t${PROJECT_SOURC"
},
{
"path": "driver/driver.c",
"chars": 5863,
"preview": "#include <jansson.h>\n#include <jansson_helper.h>\n#include <global_types.h>\n#include <utils.h>\n#include <instrumentation."
},
{
"path": "driver/driver.h",
"chars": 1529,
"preview": "#pragma once\n\n#ifdef _WIN32\n#include <Windows.h>\n#else\n#include <sys/types.h> // pid_t\n#endif\n\n#include <global_types.h>"
},
{
"path": "driver/driver_factory.c",
"chars": 6792,
"preview": "#include <string.h>\n#include <stdlib.h>\n#include <stdio.h>\n\n#include \"instrumentation.h\"\n#include \"driver_factory.h\"\n#in"
},
{
"path": "driver/driver_factory.h",
"chars": 672,
"preview": "#pragma once\n#include \"driver.h\"\n#include <instrumentation.h>\n#include <global_types.h>\n\nDRIVER_API driver_t * driver_fa"
},
{
"path": "driver/file_driver.c",
"chars": 9587,
"preview": "#include \"file_driver.h\"\n\n#include <utils.h>\n#include <jansson_helper.h>\n#include <instrumentation.h>\n#include \"driver.h"
},
{
"path": "driver/file_driver.h",
"chars": 1453,
"preview": "#pragma once\n#include \"instrumentation.h\"\n#include <sys/types.h> // for pid_t\n#include \"global_types.h\" // fo"
},
{
"path": "driver/network_client_driver.c",
"chars": 15012,
"preview": "#include \"network_client_driver.h\"\n\n#include <utils.h>\n#include <jansson_helper.h>\n#include <instrumentation.h>\n#include"
},
{
"path": "driver/network_client_driver.h",
"chars": 1796,
"preview": "#pragma once\n#include \"driver.h\"\n#include \"instrumentation.h\"\n#include <global_types.h>\n\n#ifndef _WIN32 // Linux\n#includ"
},
{
"path": "driver/network_server_driver.c",
"chars": 18510,
"preview": "#include \"network_server_driver.h\"\n\n#include <utils.h>\n#include <jansson_helper.h>\n#include <instrumentation.h>\n#include"
},
{
"path": "driver/network_server_driver.h",
"chars": 1956,
"preview": "#pragma once\n#include \"driver.h\"\n#include <instrumentation.h>\n#include <global_types.h>\n\n#ifndef _WIN32 // Linux\n#includ"
},
{
"path": "driver/stdin_driver.c",
"chars": 7261,
"preview": "#include \"stdin_driver.h\"\n\n#include <global_types.h> // for mutator_t\n#include <utils.h>\n#include <jansson_helper.h>"
},
{
"path": "driver/stdin_driver.h",
"chars": 1271,
"preview": "#pragma once\n#include \"instrumentation.h\"\n#include <global_types.h>\n#include <sys/types.h> // for pid_t\n\n\nvoid * "
},
{
"path": "driver/wmp_driver.cpp",
"chars": 9868,
"preview": "#include \"wmp_driver.h\"\n\n#include <jansson_helper.h>\n#include <utils.h>\n#include <instrumentation.h>\n#include \"driver.h\""
},
{
"path": "driver/wmp_driver.h",
"chars": 1412,
"preview": "#pragma once\n#include \"driver.h\"\n\n#include <instrumentation.h>\n\n#ifdef __cplusplus\n#define FUNC_PREFIX extern \"C\"\n#else\n"
},
{
"path": "fuzzer/CMakeLists.txt",
"chars": 1660,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (fuzzer)\n\ninclude_directories (${CMAKE_SOURCE_DIR}/driver/)\ninclude_direc"
},
{
"path": "fuzzer/main.c",
"chars": 16239,
"preview": "#include <global_types.h>\n#include <driver.h>\n#include <driver_factory.h>\n#include <mutator_factory.h>\n#include <instrum"
},
{
"path": "instrumentation/CMakeLists.txt",
"chars": 1086,
"preview": "cmake_minimum_required (VERSION 2.8.8)\nproject (instrumentation)\n\nset(INSTRUMENTATION_SRC\n\t${PROJECT_SOURCE_DIR}/instrum"
}
]
// ... and 206 more files (download for full content)
About this extraction
This page contains the full source code of the grimm-co/killerbeez GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 406 files (1.9 MB), approximately 537.1k tokens, and a symbol index with 1463 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.