| OLD | NEW |
|---|
| (Empty) | |
| 1 /* |
| 2 american fuzzy lop - postprocessor library example |
| 3 -------------------------------------------------- |
| 4 |
| 5 Written and maintained by Michal Zalewski <lcamtuf@google.com> |
| 6 |
| 7 Copyright 2015 Google Inc. All rights reserved. |
| 8 |
| 9 Licensed under the Apache License, Version 2.0 (the "License"); |
| 10 you may not use this file except in compliance with the License. |
| 11 You may obtain a copy of the License at: |
| 12 |
| 13 http://www.apache.org/licenses/LICENSE-2.0 |
| 14 |
| 15 Postprocessor libraries can be passed to afl-fuzz to perform final cleanup |
| 16 of any mutated test cases - for example, to fix up checksums in PNG files. |
| 17 |
| 18 Please heed the following warnings: |
| 19 |
| 20 1) In almost all cases, it is more productive to comment out checksum logic |
| 21 in the targeted binary (as shown in ../libpng_no_checksum/). One possible |
| 22 exception is the process of fuzzing binary-only software in QEMU mode. |
| 23 |
| 24 2) Use of postprocessors for anything other than checksums is questionable |
| 25 and may cause more harm than good. AFL is normally pretty good about |
| 26 dealing with length fields, magic values, etc. |
| 27 |
| 28 3) Post-processors that do anything non-trivial must be extremely robust to |
| 29 gracefully handle malformed data and other error conditions - otherwise, |
| 30 they will crash and take afl-fuzz down with them. Be wary of reading past |
| 31 *len and of integer overflows when calculating file offsets. |
| 32 |
| 33 In other words, THIS IS PROBABLY NOT WHAT YOU WANT - unless you really, |
| 34 honestly know what you're doing =) |
| 35 |
| 36 With that out of the way: the postprocessor library is passed to afl-fuzz |
| 37 via AFL_POST_LIBRARY. The library must be compiled with: |
| 38 |
| 39 gcc -shared -Wall -O3 post_library.so.c -o post_library.so |
| 40 |
| 41 AFL will call the afl_postprocess() function for every mutated output buffer. |
| 42 From there, you have three choices: |
| 43 |
| 44 1) If you don't want to modify the test case, simply return the original |
| 45 buffer pointer ('in_buf'). |
| 46 |
| 47 2) If you want to skip this test case altogether and have AFL generate a |
| 48 new one, return NULL. Use this sparingly - it's faster than running |
| 49 the target program with patently useless inputs, but still wastes CPU |
| 50 time. |
| 51 |
| 52 3) If you want to modify the test case, allocate an appropriately-sized |
| 53 buffer, move the data into that buffer, make the necessary changes, and |
| 54 then return the new pointer. You can update *len if necessary, too. |
| 55 |
| 56 Note that the buffer will *not* be freed for you. To avoid memory leaks, |
| 57 you need to free it or reuse it on subsequent calls (as shown below). |
| 58 |
| 59 *** DO NOT MODIFY THE ORIGINAL 'in_buf' BUFFER. *** |
| 60 |
| 61 Aight. The example below shows a simple postprocessor that tries to make |
| 62 sure that all input files start with "GIF89a". |
| 63 |
| 64 PS. If you don't like C, you can try out the unix-based wrapper from |
| 65 Ben Nagy instead: https://github.com/bnagy/aflfix |
| 66 |
| 67 */ |
| 68 |
| 69 #include <stdio.h> |
| 70 #include <stdlib.h> |
| 71 #include <string.h> |
| 72 |
| 73 /* Header that must be present at the beginning of every test case: */ |
| 74 |
| 75 #define HEADER "GIF89a" |
| 76 |
| 77 /* The actual postprocessor routine called by afl-fuzz: */ |
| 78 |
| 79 const unsigned char* afl_postprocess(const unsigned char* in_buf, |
| 80 unsigned int* len) { |
| 81 |
| 82 static unsigned char* saved_buf; |
| 83 unsigned char* new_buf; |
| 84 |
| 85 /* Skip execution altogether for buffers shorter than 6 bytes (just to |
| 86 show how it's done). We can trust *len to be sane. */ |
| 87 |
| 88 if (*len < strlen(HEADER)) return NULL; |
| 89 |
| 90 /* Do nothing for buffers that already start with the expected header. */ |
| 91 |
| 92 if (!memcmp(in_buf, HEADER, strlen(HEADER))) return in_buf; |
| 93 |
| 94 /* Allocate memory for new buffer, reusing previous allocation if |
| 95 possible. */ |
| 96 |
| 97 new_buf = realloc(saved_buf, *len); |
| 98 |
| 99 /* If we're out of memory, the most graceful thing to do is to return the |
| 100 original buffer and give up on modifying it. Let AFL handle OOM on its |
| 101 own later on. */ |
| 102 |
| 103 if (!new_buf) return in_buf; |
| 104 saved_buf = new_buf; |
| 105 |
| 106 /* Copy the original data to the new location. */ |
| 107 |
| 108 memcpy(new_buf, in_buf, *len); |
| 109 |
| 110 /* Insert the new header. */ |
| 111 |
| 112 memcpy(new_buf, HEADER, strlen(HEADER)); |
| 113 |
| 114 /* Return modified buffer. No need to update *len in this particular case, |
| 115 as we're not changing it. */ |
| 116 |
| 117 return new_buf; |
| 118 |
| 119 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2075883002:
Add American Fuzzy Lop (afl) to third_party/afl/ (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master