afl_patches.diff
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 01b4afe..082d511 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -3821,7 +3821,7 @@ static void maybe_delete_out_dir(void) {
/* And now, for some finishing touches. */
- fn = alloc_printf("%s/.cur_input", out_dir);
+ fn = alloc_printf("%s/cur_input.bsp", out_dir);
if (unlink(fn) && errno != ENOENT) goto dir_cleanup_failed;
ck_free(fn);
@@ -7204,7 +7204,7 @@ EXP_ST void setup_dirs_fds(void) {
EXP_ST void setup_stdio_file(void) {
- u8* fn = alloc_printf("%s/.cur_input", out_dir);
+ u8* fn = alloc_printf("%s/cur_input.bsp", out_dir);
unlink(fn); /* Ignore errors */
@@ -7526,7 +7526,7 @@ EXP_ST void detect_file_args(char** argv) {
/* If we don't have a file name chosen yet, use a safe default. */
if (!out_file)
- out_file = alloc_printf("%s/.cur_input", out_dir);
+ out_file = alloc_printf("%s/cur_input.bsp", out_dir);
/* Be sure that we're always using fully-qualified paths. */
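Review bot: The fallback name on the `+    out_file = alloc_printf("%s/cur_input.bsp", out_dir);` line is only reached when `out_file` is unset (the `if (!out_file)` guard two lines up), and that is exactly the case the existing `-f` option already covers, so the rename in this and the two preceding hunks can be had without patching by running `afl-fuzz -f "$OUT/cur_input.bsp" ...`. If the patch is kept, the same literal is now spelled out in three functions; one `#define CUR_INPUT_NAME "cur_input.bsp"` in config.h and `alloc_printf("%s/" CUR_INPUT_NAME, out_dir)` at each site would keep the cleanup, setup and fallback paths from drifting apart. The `.bsp` suffix is presumably what the target keys its parser on; a comment saying so at the define would save the next reader a search. The enclosing detect_file_args() continues outside the hunk.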
diff --git a/config.h b/config.h
index e74b3b3..84f8f5b 100644
--- a/config.h
+++ b/config.h
@@ -139,11 +139,11 @@
/* Maximum size of input file, in bytes (keep under 100MB): */
-#define MAX_FILE (1 * 1024 * 1024)
+#define MAX_FILE (100 * 1024 * 1024)
/* The same, for the test case minimizer: */
-#define TMIN_MAX_FILE (10 * 1024 * 1024)
+#define TMIN_MAX_FILE (100 * 1024 * 1024)
/* Block normalization steps for afl-tmin: */
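Review bot: The new value on the `+#define MAX_FILE (100 * 1024 * 1024)` line is exactly 100 MB while the comment directly above still says "keep under 100MB", so the constant now sits on, not under, the documented ceiling and the comment no longer explains why the limit exists or why this build needs it. Either stay below the ceiling, `#define MAX_FILE (100 * 1024 * 1024 - 1)`, or, if the ceiling was advisory, rewrite the comment to record the reason, e.g. `/* Maximum size of input file, in bytes; raised to the 100MB ceiling because the target's inputs are large. Every test case buffer may grow to this size. */`. The `+#define TMIN_MAX_FILE` line now equals MAX_FILE, so afl-tmin no longer accepts anything larger than the fuzzer does; if that is intended its comment should say so rather than just "The same".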
@@ -294,7 +294,7 @@
/* Fork server init timeout multiplier: we'll wait the user-selected
timeout plus this much for the fork server to spin up. */
-#define FORK_WAIT_MULT 10
+#define FORK_WAIT_MULT 1000
/* Calibration timeout adjustments, to be a bit more generous when resuming
fuzzing sessions or trying to calibrate already-added internal finds.
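Review bot: Raising the multiplier on the `+#define FORK_WAIT_MULT 1000` line means a fork server that never comes up is, per the comment above it, only reported after the user timeout plus a thousand times that timeout has elapsed, presumably around seventeen minutes for a one-second timeout, during which afl-fuzz looks hung with no diagnostic. That case is easy to hit with this patch set, because an AFL_ENTRY_POINT that is never executed leaves the QEMU child spinning before afl_forkserver() is ever called. The value is a magic number with no recorded rationale; extend the comment, e.g. `/* Raised from 10: QEMU-mode targets with slow start-up need it, but a fork server that never starts is only reported after exec_tmout * FORK_WAIT_MULT. */`, or make the multiplier overridable from the environment so the stock default can stay small.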
diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh
index 827c93d..fe454b1 100755
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@@ -145,7 +145,7 @@ echo "[+] Configuration complete."
echo "[*] Attempting to build QEMU (fingers crossed!)..."
-make || exit 1
+make -j12 || exit 1
echo "[+] Build process successful!"
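Review bot: The `-j12` hardcoded on the `+make -j12 || exit 1` line assumes a twelve-core build host; on a smaller machine it oversubscribes the CPU and can exhaust memory while compiling QEMU, and on a larger one it leaves cores idle. Derive the job count from the host instead, `make -j"$(nproc 2>/dev/null || echo 1)" || exit 1`, or honour a caller-supplied variable such as `${JOBS:-$(nproc)}`. The same literal is repeated in the second hunk of this file, so a single `JOBS=` assignment near the top of the script would keep the two invocations in step.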
@@ -164,7 +164,7 @@ if [ "$ORIG_CPU_TARGET" = "" ]; then
cd ..
- make >/dev/null || exit 1
+ make -j12 >/dev/null || exit 1
gcc test-instr.c -o test-instr || exit 1
diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h
index 8d3133a..bfc39d0 100644
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@@ -48,6 +48,7 @@
#define AFL_QEMU_CPU_SNIPPET2 do { \
if(itb->pc == afl_entry_point) { \
+ fprintf(stderr, "STARTING FORK SERVER\n"); \
afl_setup(); \
afl_forkserver(cpu); \
} \
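Review bot: The `fprintf(stderr, "STARTING FORK SERVER\n")` added to AFL_QEMU_CPU_SNIPPET2 is unconditional, so every instrumented run of the target writes a debugging line onto the target's own stderr, which interferes with harnesses that parse or compare stderr and reads as target output to anyone running the QEMU binary by hand. If the message is meant to stay, gate it on a debug switch, e.g. `if (getenv("AFL_DEBUG")) fprintf(stderr, "STARTING FORK SERVER\n"); \`, assuming stdlib.h is visible where the macro expands; otherwise drop it before merging. The macro body continues past the `} \` line at the end of the hunk, so check the line-continuation backslashes still line up after editing.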
diff --git a/qemu_mode/qemu-2.10.0/linux-user/elfload.c b/qemu_mode/qemu-2.10.0/linux-user/elfload.c
index 7906288..6d8ffc6 100644
--- a/qemu_mode/qemu-2.10.0/linux-user/elfload.c
+++ b/qemu_mode/qemu-2.10.0/linux-user/elfload.c
@@ -2085,6 +2085,12 @@ static void load_elf_image(const char *image_name, int image_fd,
info->brk = 0;
info->elf_flags = ehdr->e_flags;
+ const char* entry = getenv("AFL_ENTRY_POINT");
+ if (entry) {
+ afl_entry_point = strtol(entry, NULL, 16);
+ }
+ if (!afl_entry_point) afl_entry_point = info->entry;
+
for (i = 0; i < ehdr->e_phnum; i++) {
struct elf_phdr *eppnt = phdr + i;
if (eppnt->p_type == PT_LOAD) {
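Review bot: The `strtol(entry, NULL, 16)` on the new AFL_ENTRY_POINT line accepts anything: an empty or non-hex value parses to 0 and silently falls through to `info->entry` on the following `if (!afl_entry_point)` line, a value with trailing garbage is truncated without complaint, and an out-of-range address is clamped via a signed long while afl_entry_point is presumably an unsigned target address. Since a wrong entry point only shows up as a fork server that never starts, the parse should reject malformed input loudly with endptr and errno checks, as below (assuming errno.h is reachable here, which it normally is in QEMU). It is also worth a comment that the value must be the run-time address as mapped (after any PIE load bias) and that, as far as I can tell, load_elf_image is also called for the ELF interpreter, which is what the `if (!afl_entry_point)` guard protects against. The enclosing load_elf_image() starts and ends outside the hunk.
```c
    /* AFL_ENTRY_POINT: hex run-time address at which to start the fork
       server; must already include any PIE load bias. */
    const char *entry = getenv("AFL_ENTRY_POINT");
    if (entry && *entry) {
        char *end = NULL;
        errno = 0;
        unsigned long long v = strtoull(entry, &end, 16);
        if (end == entry || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "AFL_ENTRY_POINT: invalid hex address '%s'\n", entry);
            exit(EXIT_FAILURE);
        }
        afl_entry_point = v;
    }
    /* Fall back to the image entry; keep the first value across calls
       (this function also runs for the ELF interpreter). */
    if (!afl_entry_point) afl_entry_point = info->entry;
```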