cmplog runs with observer- no crashes

2021-06-06 13:03:11 +03:00 · 2021-06-06 13:03:11 +03:00 · 0a5aa77cd6
commit 0a5aa77cd6
parent ea5aba220c
4 changed files with 27 additions and 7 deletions
--- a/fuzzers/frida_libpng/src/fuzzer.rs
+++ b/fuzzers/frida_libpng/src/fuzzer.rs
@ -32,7 +32,8 @@ use libafl::{
        token_mutations::Tokens,
    },
    observers::{HitcountsMapObserver, ObserversTuple, StdMapObserver, TimeObserver},
-    stages::mutational::StdMutationalStage,
+    //stages::mutational::StdMutationalStage,
+    stages::{StdMutationalStage, TracingStage},
    state::{HasCorpus, HasMetadata, StdState},
    stats::MultiStats,
    Error,
@ -302,7 +303,7 @@ unsafe fn fuzz(
            unsafe extern "C" fn(data: *const u8, size: usize) -> i32,
        > = lib.get(symbol_name.as_bytes()).unwrap();

-        let mut frida_harness = move |input: &BytesInput| {
+        let mut frida_harness = |input: &BytesInput| {
            let target = input.target_bytes();
            let buf = target.as_slice();
            (target_func)(buf.as_ptr(), buf.len());
@ -383,7 +384,6 @@ unsafe fn fuzz(

        // Setup a basic mutator with a mutational stage
        let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
-        let mut stages = tuple_list!(StdMutationalStage::new(mutator));

        // A minimization+queue policy to get testcasess from the corpus
        let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
@ -400,7 +400,6 @@ unsafe fn fuzz(
                tuple_list!(
                    edges_observer,
                    time_observer,
-                    cmplog_observer,
                    AsanErrorsObserver::new(&ASAN_ERRORS)
                ),
                &mut fuzzer,
@ -419,6 +418,25 @@ unsafe fn fuzz(
            println!("We imported {} inputs from disk.", state.corpus().count());
        }

+        // Secondary harness due to mut ownership
+        let mut frida_harness = |input: &BytesInput| {
+            let target = input.target_bytes();
+            let buf = target.as_slice();
+            (target_func)(buf.as_ptr(), buf.len());
+            ExitKind::Ok
+        };
+
+        // Setup a tracing stage in which we log comparisons
+        let tracing = TracingStage::new(InProcessExecutor::new(
+            &mut frida_harness,
+            tuple_list!(cmplog_observer),
+            &mut fuzzer,
+            &mut state,
+            &mut mgr,
+        )?);
+
+        let mut stages = tuple_list!(tracing, StdMutationalStage::new(mutator));
+
        fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
        Ok(())
    };
--- a/fuzzers/libfuzzer_stb_image/src/main.rs
+++ b/fuzzers/libfuzzer_stb_image/src/main.rs
@ -155,7 +155,9 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
    }

    // Secondary harness due to mut ownership
-    let mut harness = |buf: &[u8]| {
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
        libfuzzer_test_one_input(buf);
        ExitKind::Ok
    };
--- a/libafl_targets/src/cmplog.h
+++ b/libafl_targets/src/cmplog.h
@ -33,7 +33,7 @@ extern uint8_t libafl_cmplog_enabled;
 static void __libafl_targets_cmplog(uintptr_t k, uint8_t shape, uint64_t arg1, uint64_t arg2) {


-  if (!libafl_cmplog_enabled) return;
+    //if (!libafl_cmplog_enabled) return;

  uint16_t hits;
  if (libafl_cmplog_map.headers[k].kind != CMPLOG_KIND_INS) {
--- a/libafl_targets/src/cmplog.rs
+++ b/libafl_targets/src/cmplog.rs
@ -140,7 +140,7 @@ pub use libafl_cmplog_map as CMPLOG_MAP;

 /// Value indicating if cmplog is enabled.
 #[no_mangle]
-pub static mut libafl_cmplog_enabled: u8 = 0;
+pub static mut libafl_cmplog_enabled: u8 = 1;

 pub use libafl_cmplog_enabled as CMPLOG_ENABLED;