"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "fuzz.c" between
honggfuzz-2.1.tar.gz and honggfuzz-2.2.tar.gz

About: honggfuzz is a security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with powerful analysis options.

fuzz.c  (honggfuzz-2.1):fuzz.c  (honggfuzz-2.2)
skipping to change at line 130 skipping to change at line 130
LOG_I("Entering phase 3/3: Corpus Minimization"); LOG_I("Entering phase 3/3: Corpus Minimization");
ATOMIC_SET(run->global->feedback.state, _HF_STATE_DYNAMIC_MINIMIZE); ATOMIC_SET(run->global->feedback.state, _HF_STATE_DYNAMIC_MINIMIZE);
return; return;
} }
/* /*
* If the initial fuzzing yielded no useful coverage, just add a single empt y file to the * If the initial fuzzing yielded no useful coverage, just add a single empt y file to the
* dynamic corpus, so the dynamic phase doesn't fail because of lack of usef ul inputs * dynamic corpus, so the dynamic phase doesn't fail because of lack of usef ul inputs
*/ */
if (run->global->io.dynfileqCnt == 0) { if (run->global->io.dynfileqCnt == 0) {
input_addDynamicInput(run->global, (const uint8_t*)"", /* size= */ 0U, dynfile_t dynfile = {
/* cov */ (uint64_t[4]){0, 0, 0, 0}, /* path= */ "[DYNAMIC]"); .size = 0,
.cov = {},
.idx = 0,
.fd = -1,
.timeExecUSecs = 1,
.path = "[DYNAMIC-0-SIZE]",
.data = (uint8_t*)"",
};
dynfile_t* tmp_dynfile = run->dynfile;
run->dynfile = &dynfile;
input_addDynamicInput(run);
run->dynfile = tmp_dynfile;
}
snprintf(run->dynfile->path, sizeof(run->dynfile->path), "[DYNAMIC]");
if (run->global->io.maxFileSz == 0 && run->global->mutate.maxInputSz > _HF_I
NPUT_DEFAULT_SIZE) {
size_t newsz = (run->global->io.dynfileqMaxSz >= _HF_INPUT_DEFAULT_SIZE)
? run->global->io.dynfileqMaxSz
: _HF_INPUT_DEFAULT_SIZE;
newsz = (newsz + newsz / 4); /* Add 25% overhead for growth */
if (newsz > run->global->mutate.maxInputSz) {
newsz = run->global->mutate.maxInputSz;
}
LOG_I("Setting maximum input size to %zu bytes (previously %zu bytes)",
newsz,
run->global->mutate.maxInputSz);
run->global->mutate.maxInputSz = newsz;
} }
snprintf(run->origFileName, sizeof(run->origFileName), "[DYNAMIC]");
LOG_I("Entering phase 3/3: Dynamic Main (Feedback Driven Mode)"); LOG_I("Entering phase 3/3: Dynamic Main (Feedback Driven Mode)");
ATOMIC_SET(run->global->feedback.state, _HF_STATE_DYNAMIC_MAIN); ATOMIC_SET(run->global->feedback.state, _HF_STATE_DYNAMIC_MAIN);
} }
static void fuzz_perfFeedbackForMinimization(run_t* run) { static void fuzz_minimizeRemoveFiles(run_t* run) {
uint64_t softCntPc = if (run->global->io.outputDir) {
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidFeedbackPc[run->fuzz LOG_I("Minimized files were copied to '%s'", run->global->io.outputDir);
No]); return;
uint64_t softCntEdge = }
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidFeedbackEdge[run->fu if (!input_getDirStatsAndRewind(run->global)) {
zzNo]); return;
uint64_t softCntCmp = }
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidFeedbackCmp[run->fuz for (;;) {
zNo]); char fname[PATH_MAX];
uint64_t cpuInstr = run->linux.hwCnts.cpuInstrCnt; if (!input_getNext(run, fname, /* rewind= */ false)) {
uint64_t cpuBranch = run->linux.hwCnts.cpuBranchCnt; break;
}
uint64_t cov[4] = { if (!input_inDynamicCorpus(run, fname)) {
[0] = softCntEdge + softCntPc, if (input_removeStaticFile(run->global->io.inputDir, fname)) {
[1] = run->dynamicFileSz ? (64 - (uint64_t)log2(run->dynamicFileSz)) LOG_I("Removed unnecessary '%s'", fname);
: 64, /* The smaller input size, the better */ }
[2] = cpuInstr + cpuBranch, }
[3] = softCntCmp, }
}; LOG_I("Corpus minimization done");
LOG_I("Corpus Minimization: len:%zu, cov:%" PRIu64 "/%" PRIu64 "/%" PRIu64 "
/%" PRIu64,
run->dynamicFileSz, cov[0], cov[1], cov[2], cov[3]);
input_addDynamicInput(
run->global, run->dynamicFile, run->dynamicFileSz, cov, run->origFileNam
e);
ATOMIC_SET(run->global->feedback.covFeedbackMap->pidFeedbackPc[run->fuzzNo],
0);
memset(run->global->feedback.covFeedbackMap->bbMapPc, '\0',
sizeof(run->global->feedback.covFeedbackMap->bbMapPc));
ATOMIC_SET(run->global->feedback.covFeedbackMap->pidFeedbackEdge[run->fuzzNo
], 0);
memset(run->global->feedback.covFeedbackMap->pcGuardMap, '\0',
sizeof(run->global->feedback.covFeedbackMap->pcGuardMap));
ATOMIC_SET(run->global->feedback.covFeedbackMap->pidFeedbackCmp[run->fuzzNo]
, 0);
memset(run->global->feedback.covFeedbackMap->bbMapCmp, '\0',
sizeof(run->global->feedback.covFeedbackMap->bbMapCmp));
memset(&run->global->linux.hwCnts, '\0', sizeof(run->global->linux.hwCnts));
} }
static void fuzz_perfFeedback(run_t* run) { static void fuzz_perfFeedback(run_t* run) {
if (run->global->feedback.skipFeedbackOnTimeout && run->tmOutSignaled) { if (run->global->feedback.skipFeedbackOnTimeout && run->tmOutSignaled) {
return; return;
} }
MX_SCOPED_LOCK(&run->global->feedback.covFeedback_mutex); MX_SCOPED_LOCK(&run->global->feedback.covFeedback_mutex);
defer { defer {
wmb(); wmb();
}; };
if (run->global->cfg.minimize && fuzz_getState(run->global) == _HF_STATE_DYN uint64_t softNewPC = ATOMIC_GET(run->global->feedback.covFeedbackMap->pidNew
AMIC_DRY_RUN) { PC[run->fuzzNo]);
fuzz_perfFeedbackForMinimization(run); ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidNewPC[run->fuzzNo]);
return; uint64_t softCurPC = ATOMIC_GET(run->global->feedback.covFeedbackMap->pidTot
} alPC[run->fuzzNo]);
ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidTotalPC[run->fuzzNo]);
uint64_t softNewEdge =
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidNewEdge[run->fuzzNo]
);
ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidNewEdge[run->fuzzNo]);
uint64_t softCurEdge =
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidTotalEdge[run->fuzzN
o]);
ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidTotalEdge[run->fuzzNo]
);
uint64_t softNewCmp = ATOMIC_GET(run->global->feedback.covFeedbackMap->pidNe
wCmp[run->fuzzNo]);
ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidNewCmp[run->fuzzNo]);
uint64_t softCurCmp =
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidTotalCmp[run->fuzzNo
]);
ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidTotalCmp[run->fuzzNo])
;
uint64_t softCntPc = rmb();
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidFeedbackPc[run->fuzz
No]);
ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidFeedbackPc[run->fuzzNo
]);
uint64_t softCntEdge =
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidFeedbackEdge[run->fu
zzNo]);
ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidFeedbackEdge[run->fuzz
No]);
uint64_t softCntCmp =
ATOMIC_GET(run->global->feedback.covFeedbackMap->pidFeedbackCmp[run->fuz
zNo]);
ATOMIC_CLEAR(run->global->feedback.covFeedbackMap->pidFeedbackCmp[run->fuzzN
o]);
int64_t diff0 = run->global->linux.hwCnts.cpuInstrCnt - run->linux.hwCnts.cp int64_t diff0 = (int64_t)run->global->feedback.hwCnts.cpuInstrCnt - run->hwC
uInstrCnt; nts.cpuInstrCnt;
int64_t diff1 = run->global->linux.hwCnts.cpuBranchCnt - run->linux.hwCnts.c int64_t diff1 = (int64_t)run->global->feedback.hwCnts.cpuBranchCnt - run->hw
puBranchCnt; Cnts.cpuBranchCnt;
/* Any increase in coverage (edge, pc, cmp, hw) counters forces adding input to the corpus */ /* Any increase in coverage (edge, pc, cmp, hw) counters forces adding input to the corpus */
if (run->linux.hwCnts.newBBCnt > 0 || softCntPc > 0 || softCntEdge > 0 || so ftCntCmp > 0 || if (run->hwCnts.newBBCnt > 0 || softNewPC > 0 || softNewEdge > 0 || softNewC mp > 0 ||
diff0 < 0 || diff1 < 0) { diff0 < 0 || diff1 < 0) {
if (diff0 < 0) { if (diff0 < 0) {
run->global->linux.hwCnts.cpuInstrCnt = run->linux.hwCnts.cpuInstrCn t; run->global->feedback.hwCnts.cpuInstrCnt = run->hwCnts.cpuInstrCnt;
} }
if (diff1 < 0) { if (diff1 < 0) {
run->global->linux.hwCnts.cpuBranchCnt = run->linux.hwCnts.cpuBranch run->global->feedback.hwCnts.cpuBranchCnt = run->hwCnts.cpuBranchCnt
Cnt; ;
}
run->global->linux.hwCnts.bbCnt += run->linux.hwCnts.newBBCnt;
run->global->linux.hwCnts.softCntPc += softCntPc;
run->global->linux.hwCnts.softCntEdge += softCntEdge;
run->global->linux.hwCnts.softCntCmp += softCntCmp;
if (run->global->cfg.minimize) {
LOG_I("Keeping '%s' in '%s'", run->origFileName,
run->global->io.outputDir ? run->global->io.outputDir : run->glo
bal->io.inputDir);
if (run->global->io.outputDir && !input_writeCovFile(run->global->io
.outputDir,
run->dynamicFile, run->dynamicF
ileSz)) {
LOG_E("Couldn't save the coverage data to '%s'", run->global->io
.outputDir);
}
} else {
LOG_I("Size:%zu (i,b,hw,ed,ip,cmp): %" PRIu64 "/%" PRIu64 "/%" PRIu6
4 "/%" PRIu64
"/%" PRIu64 "/%" PRIu64 ", Tot:%" PRIu64 "/%" PRIu64 "/%" PRIu
64 "/%" PRIu64
"/%" PRIu64 "/%" PRIu64,
run->dynamicFileSz, run->linux.hwCnts.cpuInstrCnt, run->linux.hw
Cnts.cpuBranchCnt,
run->linux.hwCnts.newBBCnt, softCntEdge, softCntPc, softCntCmp,
run->global->linux.hwCnts.cpuInstrCnt, run->global->linux.hwCnts
.cpuBranchCnt,
run->global->linux.hwCnts.bbCnt, run->global->linux.hwCnts.softC
ntEdge,
run->global->linux.hwCnts.softCntPc, run->global->linux.hwCnts.s
oftCntCmp);
input_addDynamicInput(run->global, run->dynamicFile, run->dynamicFil
eSz,
(uint64_t[4]){0, 0, 0, 0}, "[DYNAMIC]");
} }
run->global->feedback.hwCnts.bbCnt += run->hwCnts.newBBCnt;
run->global->feedback.hwCnts.softCntPc += softNewPC;
run->global->feedback.hwCnts.softCntEdge += softNewEdge;
run->global->feedback.hwCnts.softCntCmp += softNewCmp;
LOG_I("Sz:%zu Tm:%" _HF_NONMON_SEP PRIu64 "us (i/b/h/e/p/c) New:%" PRIu6
4 "/%" PRIu64
"/%" PRIu64 "/%" PRIu64 "/%" PRIu64 "/%" PRIu64 ", Cur:%" PRIu64 "
/%" PRIu64
"/%" PRIu64 "/%" PRIu64 "/%" PRIu64 "/%" PRIu64,
run->dynfile->size, util_timeNowUSecs() - run->timeStartedUSecs,
run->hwCnts.cpuInstrCnt, run->hwCnts.cpuBranchCnt, run->hwCnts.newBB
Cnt, softNewEdge,
softNewPC, softNewCmp, run->hwCnts.cpuInstrCnt, run->hwCnts.cpuBranc
hCnt,
run->hwCnts.bbCnt, softCurEdge, softCurPC, softCurCmp);
/* Update per-input coverage metrics */
run->dynfile->cov[0] = softCurEdge + softCurPC + run->hwCnts.bbCnt;
run->dynfile->cov[1] = softCurCmp;
run->dynfile->cov[2] = run->hwCnts.cpuInstrCnt + run->hwCnts.cpuBranchCn
t;
run->dynfile->cov[3] = run->dynfile->size ? (64 - util_Log2(run->dynfile
->size)) : 64;
input_addDynamicInput(run);
if (run->global->socketFuzzer.enabled) { if (run->global->socketFuzzer.enabled) {
LOG_D("SocketFuzzer: fuzz: new BB (perf)"); LOG_D("SocketFuzzer: fuzz: new BB (perf)");
fuzz_notifySocketFuzzerNewCov(run->global); fuzz_notifySocketFuzzerNewCov(run->global);
} }
} else if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MINIMIZE) {
if (run->global->io.outputDir == NULL) {
LOG_I("Removing '%s' from '%s'", run->origFileName, run->global->io.
inputDir);
input_removeStaticFile(run->global->io.inputDir, run->origFileName);
}
} }
} }
/* Return value indicates whether report file should be updated with the current verified crash */ /* Return value indicates whether report file should be updated with the current verified crash */
static bool fuzz_runVerifier(run_t* run) { static bool fuzz_runVerifier(run_t* run) {
if (!run->crashFileName[0] || !run->backtrace) { if (!run->crashFileName[0] || !run->backtrace) {
return false; return false;
} }
uint64_t backtrace = run->backtrace; uint64_t backtrace = run->backtrace;
skipping to change at line 273 skipping to change at line 276
snprintf(verFile, sizeof(verFile), "%s.verified", origCrashPath); snprintf(verFile, sizeof(verFile), "%s.verified", origCrashPath);
if (files_exists(verFile)) { if (files_exists(verFile)) {
LOG_D("Crash file to verify '%s' is already verified as '%s'", origCrash Path, verFile); LOG_D("Crash file to verify '%s' is already verified as '%s'", origCrash Path, verFile);
return false; return false;
} }
for (int i = 0; i < _HF_VERIFIER_ITER; i++) { for (int i = 0; i < _HF_VERIFIER_ITER; i++) {
LOG_I("Launching verifier for HASH: %" PRIx64 " (iteration: %d out of %d )", run->backtrace, LOG_I("Launching verifier for HASH: %" PRIx64 " (iteration: %d out of %d )", run->backtrace,
i + 1, _HF_VERIFIER_ITER); i + 1, _HF_VERIFIER_ITER);
run->timeStartedMillis = 0; run->timeStartedUSecs = util_timeNowUSecs();
run->backtrace = 0; run->backtrace = 0;
run->access = 0; run->access = 0;
run->exception = 0; run->exception = 0;
run->mainWorker = false; run->mainWorker = false;
if (!subproc_Run(run)) { if (!subproc_Run(run)) {
LOG_F("subproc_Run()"); LOG_F("subproc_Run()");
} }
/* If stack hash doesn't match skip name tag and exit */ /* If stack hash doesn't match skip name tag and exit */
skipping to change at line 308 skipping to change at line 311
LOG_I("It seems that '%s' already exists, skipping", verFile); LOG_I("It seems that '%s' already exists, skipping", verFile);
return false; return false;
} }
if (fd == -1) { if (fd == -1) {
PLOG_E("Couldn't create '%s'", verFile); PLOG_E("Couldn't create '%s'", verFile);
return true; return true;
} }
defer { defer {
close(fd); close(fd);
}; };
if (!files_writeToFd(fd, run->dynamicFile, run->dynamicFileSz)) { if (!files_writeToFd(fd, run->dynfile->data, run->dynfile->size)) {
LOG_E("Couldn't save verified file as '%s'", verFile); LOG_E("Couldn't save verified file as '%s'", verFile);
unlink(verFile); unlink(verFile);
return true; return true;
} }
LOG_I("Verified crash for HASH: %" PRIx64 " and saved it as '%s'", backtrace , verFile); LOG_I("Verified crash for HASH: %" PRIx64 " and saved it as '%s'", backtrace , verFile);
ATOMIC_PRE_INC(run->global->cnts.verifiedCrashesCnt); ATOMIC_PRE_INC(run->global->cnts.verifiedCrashesCnt);
return true; return true;
} }
skipping to change at line 334 skipping to change at line 337
run->mutationsPerRun = 0U; run->mutationsPerRun = 0U;
if (input_prepareStaticFile(run, /* rewind= */ false, true)) { if (input_prepareStaticFile(run, /* rewind= */ false, true)) {
return true; return true;
} }
fuzz_setDynamicMainState(run); fuzz_setDynamicMainState(run);
run->mutationsPerRun = run->global->mutate.mutationsPerRun; run->mutationsPerRun = run->global->mutate.mutationsPerRun;
} }
} }
if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MINIMIZE) { if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MINIMIZE) {
return input_prepareDynamicFileForMinimization(run); fuzz_minimizeRemoveFiles(run);
return false;
} }
if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MAIN) { if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MAIN) {
if (run->global->exe.externalCommand) { if (run->global->exe.externalCommand) {
if (!input_prepareExternalFile(run)) { if (!input_prepareExternalFile(run)) {
LOG_E("input_prepareExternalFile() failed"); LOG_E("input_prepareExternalFile() failed");
return false; return false;
} }
} else if (run->global->exe.feedbackMutateCommand) { } else if (run->global->exe.feedbackMutateCommand) {
if (!input_prepareDynamicInput(run, false)) { if (!input_prepareDynamicInput(run, false)) {
skipping to change at line 387 skipping to change at line 391
if (run->global->exe.feedbackMutateCommand && if (run->global->exe.feedbackMutateCommand &&
!input_postProcessFile(run, run->global->exe.feedbackMutateCommand)) { !input_postProcessFile(run, run->global->exe.feedbackMutateCommand)) {
LOG_E("input_postProcessFile('%s') failed", run->global->exe.feedbackMut ateCommand); LOG_E("input_postProcessFile('%s') failed", run->global->exe.feedbackMut ateCommand);
return false; return false;
} }
return true; return true;
} }
static void fuzz_fuzzLoop(run_t* run) { static void fuzz_fuzzLoop(run_t* run) {
run->timeStartedMillis = 0; run->timeStartedUSecs = util_timeNowUSecs();
run->crashFileName[0] = '\0'; run->crashFileName[0] = '\0';
run->pc = 0; run->pc = 0;
run->backtrace = 0; run->backtrace = 0;
run->access = 0; run->access = 0;
run->exception = 0; run->exception = 0;
run->report[0] = '\0'; run->report[0] = '\0';
run->mainWorker = true; run->mainWorker = true;
run->mutationsPerRun = run->global->mutate.mutationsPerRun; run->mutationsPerRun = run->global->mutate.mutationsPerRun;
run->tmOutSignaled = false; run->tmOutSignaled = false;
run->linux.hwCnts.cpuInstrCnt = 0; run->hwCnts.cpuInstrCnt = 0;
run->linux.hwCnts.cpuBranchCnt = 0; run->hwCnts.cpuBranchCnt = 0;
run->linux.hwCnts.bbCnt = 0; run->hwCnts.bbCnt = 0;
run->linux.hwCnts.newBBCnt = 0; run->hwCnts.newBBCnt = 0;
if (!fuzz_fetchInput(run)) { if (!fuzz_fetchInput(run)) {
if (run->global->cfg.minimize && fuzz_getState(run->global) == _HF_STATE _DYNAMIC_MINIMIZE) { if (run->global->cfg.minimize && fuzz_getState(run->global) == _HF_STATE _DYNAMIC_MINIMIZE) {
fuzz_setTerminating(); fuzz_setTerminating();
LOG_I("Corpus minimization done!");
return; return;
} }
LOG_F("Cound't prepare input for fuzzing"); LOG_F("Cound't prepare input for fuzzing");
} }
if (!subproc_Run(run)) { if (!subproc_Run(run)) {
LOG_F("Couldn't run fuzzed command"); LOG_F("Couldn't run fuzzed command");
} }
if (run->global->feedback.dynFileMethod != _HF_DYNFILE_NONE) { if (run->global->feedback.dynFileMethod != _HF_DYNFILE_NONE) {
fuzz_perfFeedback(run); fuzz_perfFeedback(run);
} }
if (run->global->cfg.useVerifier && !fuzz_runVerifier(run)) { if (run->global->cfg.useVerifier && !fuzz_runVerifier(run)) {
return; return;
} }
report_saveReport(run); report_saveReport(run);
} }
static void fuzz_fuzzLoopSocket(run_t* run) { static void fuzz_fuzzLoopSocket(run_t* run) {
run->timeStartedMillis = 0; run->timeStartedUSecs = util_timeNowUSecs();
run->crashFileName[0] = '\0'; run->crashFileName[0] = '\0';
run->pc = 0; run->pc = 0;
run->backtrace = 0; run->backtrace = 0;
run->access = 0; run->access = 0;
run->exception = 0; run->exception = 0;
run->report[0] = '\0'; run->report[0] = '\0';
run->mainWorker = true; run->mainWorker = true;
run->mutationsPerRun = run->global->mutate.mutationsPerRun; run->mutationsPerRun = run->global->mutate.mutationsPerRun;
run->tmOutSignaled = false; run->tmOutSignaled = false;
run->linux.hwCnts.cpuInstrCnt = 0; run->hwCnts.cpuInstrCnt = 0;
run->linux.hwCnts.cpuBranchCnt = 0; run->hwCnts.cpuBranchCnt = 0;
run->linux.hwCnts.bbCnt = 0; run->hwCnts.bbCnt = 0;
run->linux.hwCnts.newBBCnt = 0; run->hwCnts.newBBCnt = 0;
LOG_I("------------------------------------------------------"); LOG_I("------------------------------------------------------");
/* First iteration: Start target /* First iteration: Start target
Other iterations: re-start target, if necessary Other iterations: re-start target, if necessary
subproc_Run() will decide by itself if a restart is necessary, via subproc_Run() will decide by itself if a restart is necessary, via
subproc_New() subproc_New()
*/ */
LOG_D("------[ 1: subproc_run"); LOG_D("------[ 1: subproc_run");
if (!subproc_Run(run)) { if (!subproc_Run(run)) {
skipping to change at line 481 skipping to change at line 484
if (run->global->cfg.useVerifier && !fuzz_runVerifier(run)) { if (run->global->cfg.useVerifier && !fuzz_runVerifier(run)) {
return; return;
} }
report_saveReport(run); report_saveReport(run);
} }
static void* fuzz_threadNew(void* arg) { static void* fuzz_threadNew(void* arg) {
honggfuzz_t* hfuzz = (honggfuzz_t*)arg; honggfuzz_t* hfuzz = (honggfuzz_t*)arg;
unsigned int fuzzNo = ATOMIC_POST_INC(hfuzz->threads.threadsActiveCnt); unsigned int fuzzNo = ATOMIC_POST_INC(hfuzz->threads.threadsActiveCnt);
LOG_I("Launched new fuzzing thread, no. #%" PRId32, fuzzNo); LOG_I("Launched new fuzzing thread, no. #%u", fuzzNo);
run_t run = { run_t run = {
.global = hfuzz, .global = hfuzz,
.pid = 0, .pid = 0,
.dynamicFile = NULL, .dynfile = (dynfile_t*)util_Malloc(sizeof(dynfile_t) + hfuzz->io.maxFile
.dynamicFileFd = -1, Sz),
.fuzzNo = fuzzNo, .fuzzNo = fuzzNo,
.persistentSock = -1, .persistentSock = -1,
.tmOutSignaled = false, .tmOutSignaled = false,
.origFileName = "[DYNAMIC]",
}; };
/* Do not try to handle input files with socketfuzzer */ /* Do not try to handle input files with socketfuzzer */
char mapname[32];
snprintf(mapname, sizeof(mapname), "hf-%u-input", fuzzNo);
if (!hfuzz->socketFuzzer.enabled) { if (!hfuzz->socketFuzzer.enabled) {
if (!(run.dynamicFile = files_mapSharedMem(hfuzz->mutate.maxFileSz, &run if (!(run.dynfile->data = files_mapSharedMem(hfuzz->mutate.maxInputSz, &
.dynamicFileFd, (run.dynfile->fd),
"hf-input", /* nocore= */ true, /* export= */ false))) { mapname, /* nocore= */ true, /* exportmap= */ false))) {
LOG_F("Couldn't create an input file of size: %zu", hfuzz->mutate.ma LOG_F("Couldn't create an input file of size: %zu, name:'%s'", hfuzz
xFileSz); ->mutate.maxInputSz,
mapname);
}
}
defer {
if (run.dynfile->fd != -1) {
close(run.dynfile->fd);
} }
};
snprintf(mapname, sizeof(mapname), "hf-%u-perthreadmap", fuzzNo);
if ((run.perThreadCovFeedbackFd = files_createSharedMem(sizeof(feedback_t),
mapname,
/* exportmap= */ run.global->io.exportFeedback)) == -1) {
LOG_F("files_createSharedMem(name='%s', sz=%zu, dir='%s') failed", mapna
me,
sizeof(feedback_t), run.global->io.workDir);
} }
defer { defer {
if (run.dynamicFileFd != -1) { if (run.perThreadCovFeedbackFd != -1) {
close(run.dynamicFileFd); close(run.perThreadCovFeedbackFd);
} }
}; };
if (!arch_archThreadInit(&run)) { if (!arch_archThreadInit(&run)) {
LOG_F("Could not initialize the thread"); LOG_F("Could not initialize the thread");
} }
for (;;) { for (;;) {
/* Check if dry run mode with verifier enabled */ /* Check if dry run mode with verifier enabled */
if (run.global->mutate.mutationsPerRun == 0U && run.global->cfg.useVerif ier && if (run.global->mutate.mutationsPerRun == 0U && run.global->cfg.useVerif ier &&
 End of changes. 26 change blocks. 
142 lines changed or deleted 150 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)